Hey! These docs are for version 1.1, which is no longer officially supported. Click here for the latest version, 1.2!

Now that your project has been created, there are a few things left to do. First, you need to onboard a target before you start.

  • Target - the aim of your testing. It can be anything: Web Apps or APIs (REST & SOAP, GraphQL & more).
  • Onboarding - the process of preparing targets for testing by looking for Entrypoints. Onboarding is done once, and it remains relevant as long as your target stays the same.

How to onboard a target

Bright provides the following methods of finding Entrypoints:


Crawler

Bright can crawl your web application to define the attack surface. This option does not require any details that might complicate setup. To run a security scan using a crawler, you simply need to specify the target URL in the URL field. Learn more about the Crawler.


HAR File

An HTTP Archive file (.HAR file) is a recorded session of user interaction with an application. The .HAR file keeps all the HTTP requests and responses between the web client and the web application.
You can use a pre-recorded .HAR file when running a security scan. Using the data contained in the .HAR file, Bright defines the attack surface and ensures complete coverage of the scan scope. Learn more about .HAR files in Bright.
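
Before using a recording as scan input, it helps to review what it actually covers. The following is an added example, not Bright's own code: it reads a HAR (standard `log.entries[].request` layout), lists the unique in-scope entrypoints, the off-target hosts, and any requests that carry credential headers. The sample recording, the host names, the header list and the grouping rule (method + path + parameter names) are assumptions made for illustration; how Bright itself derives Entrypoints from a HAR is not described here.

```python
import json
from urllib.parse import urlsplit

# Constructed sample HAR (HAR 1.2 layout: log.entries[].request); not a real recording.
SAMPLE_HAR = json.dumps({"log": {"version": "1.2", "entries": [
    {"request": {"method": "GET",
                 "url": "https://shop.example.test/api/items?id=7&sort=asc",
                 "headers": [{"name": "Cookie", "value": "sid=abc123"}],
                 "queryString": [{"name": "id", "value": "7"},
                                 {"name": "sort", "value": "asc"}]}},
    {"request": {"method": "GET",
                 "url": "https://shop.example.test/api/items?id=9&sort=desc",
                 "headers": [],
                 "queryString": [{"name": "id", "value": "9"},
                                 {"name": "sort", "value": "desc"}]}},
    {"request": {"method": "POST",
                 "url": "https://shop.example.test/api/login",
                 "headers": [{"name": "Content-Type", "value": "application/json"}],
                 "queryString": []}},
    {"request": {"method": "GET",
                 "url": "https://cdn.example.net/lib.js",
                 "headers": [], "queryString": []}},
]}})

# Assumed list of headers that usually hold credentials or session tokens.
SENSITIVE_HEADERS = {"authorization", "cookie", "proxy-authorization", "x-api-key"}

def review_har(har_text, target_host):
    """Return (in-scope entrypoints, off-target hosts, credential headers seen)."""
    entries = json.loads(har_text)["log"]["entries"]
    entrypoints, off_target, secrets = set(), set(), set()
    for entry in entries:
        req = entry["request"]
        url = urlsplit(req["url"])
        if url.hostname != target_host:
            off_target.add(url.hostname or "")  # third-party traffic, outside scope
            continue
        params = tuple(sorted(p["name"] for p in req.get("queryString", [])))
        # Same method + path + parameter names = one entrypoint, whatever the values.
        entrypoints.add((req["method"], url.path, params))
        for header in req.get("headers", []):
            if header["name"].lower() in SENSITIVE_HEADERS:
                secrets.add((url.path, header["name"]))
    return sorted(entrypoints), sorted(off_target), sorted(secrets)

if __name__ == "__main__":
    for part in review_har(SAMPLE_HAR, "shop.example.test"):
        print(part)
```

A recording that shows credential headers contains live session material, so store and share the .HAR file with the same care as the credentials themselves.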

API Schema

Bright supports the following versions of the API schemas: Swagger 2+, OpenAPI 3+, Postman 2+. You don't need to have an ideal API schema; you can upload the one that you have. All you need to do is fix it once. Learn more about API Schemas.

Single Entrypoint

You can manually add a single Entrypoint using an in-app tool, and then fix it if it has connectivity problems. Learn more about how to add and fix Entrypoints.
