Surface Monitoring: scan your domain names with ZAP

This article explains how to scan your domain names for weaknesses.

Written by Bert Coppens
Updated over a week ago

Aikido's surface monitoring is built on top of ZAP and Nuclei. Aikido uses these to monitor your app's public attack surface by probing your domain names for weaknesses.

What is Surface Monitoring Scanning?

Surface monitoring, sometimes better known as Dynamic Application Security Testing (DAST), inspects all the externally facing components of your software, including application programming interfaces (APIs), web pages, data transfer protocols, and other user-facing features.

Overview of checks performed

To see the checks performed by the Surface Monitoring Scanner, visit our checks overview page. There you'll find a detailed list of all the checks performed during the scan. Aikido only performs safe, non-destructive automated tests (e.g. no automated SQL injection attempts).

Add a domain to be scanned with ZAP

  1. Fill out the configuration form with the service URL of each repository that has a public-facing domain. You can specify full paths.

  2. Choose Self-Built (scan via ZAP)

  3. Optional: link your domain to a repository or domain

  4. Optional: set the sensitivity of the data

Once you've completed the form, simply start a scan for this domain. The Surface Monitoring Scanner will then get to work, scanning your software surface for any signs of potential threats, and reports the issues in your feed. All issues can also be viewed on the domain detail page.
