These docs are for v1.1. Click to read the latest docs for v1.2.

Now, once your project has been created, there are few things left. Firstly, you need to onboard a target before you start.

  • Target - is the aim of your testing. It might be anything, whether Web Apps, APIs (REST & SOAP, GraphQL & more).
  • Onboarding - is a process of preparing targets for a testing, looking for Entrypoints. Onboarding is held once, and it will be relevant as long as your target is the same.

How to onboard a target

Bright provides the following methods of finding Entrypoints:


Bright can crawl your web application to define the attack surface. This option does not require any details that might get you tangled. To run a security scan using a crawler, you simply need to specify the target URL in the URL field. Learn more about a Crawler.


An HTTP Archive File (.HAR file) is a recorded session of user interaction with an application. The .HAR file keeps all the HTTP requests and responses between the web client and web application.
You can use a pre-recorded .HAR file when running a security scan. Using the data contained in the .HAR file, Bright defines the attack surface and ensures complete coverage of the scan scope. Learn more about .HAR-files in Bright.

API Schema

Bright supports the following versions of the API schemas: Swagger 2+, OpenAPI 3+, Postman 2+. You don't need to have an ideal API-schema, you can upload the one that you have. All you need to do is to fix it once. Learn more about API Schemas.

Single Entrypoint

You can manually add a single Entrypoint using an in-app tool, and then fix it in case if it has connectivity problems. Learn more about how to add fix Entrypoints.

Relevant articles

To prepare your target in a better way, see the relevant articles: