Surface Monitoring: Scan 3rd party applications that you host with Nuclei

How to scan your web-available services (GitLab servers, WordPress websites, hosted Confluence servers) for known defects with Nuclei.

Written by Maarten De Schuymer

Aikido's surface monitoring is built on top of ZAP and Nuclei, tools designed to give you an attacker's point of view on your hosted infrastructure. It probes your web-available services for known vulnerabilities, so that weaknesses in your digital assets are found by you before they are found by someone else.

What is Surface Monitoring Scanning?

Surface monitoring with Nuclei inspects the externally facing components of your infrastructure. It focuses on services such as your GitLab server, WordPress website and hosted Confluence server, among others. Because the checks are run from the outside, they surface the same vulnerabilities an attacker would find first.

Overview of Checks Performed by Nuclei

To understand the checks performed by Nuclei, visit our checks overview page. Here, you will find a comprehensive list of all the vulnerabilities and misconfigurations that Nuclei can detect.

Add a domain to be scanned with Nuclei

  1. Enter the service URLs of your web-available services in the configuration form. You can specify full paths.

  2. Choose 'Scan via Nuclei'

  3. Select technologies that you want to scan for

    How to select the technologies

    Example: if your webshop is built in Magento, you can select Magento, PHP and nginx. You can select up to 4 technologies to scan for. If you want more information on the checks done for each technology group, visit the checks overview page.

Once you've completed the form, simply start a scan for this domain. The Surface Monitoring Scanner will then get to work, scanning your software surface for any signs of potential threats and reporting the issues in your feed. All issues can also be viewed on the domain detail page.
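For readers who want to reproduce the same scan outside the Aikido form, the following added example (not Aikido's code) validates the technology selection the way the form does, builds the equivalent Nuclei command line, and triages Nuclei's JSONL results per host, most severe first, the way a feed should present them. It assumes the current Nuclei CLI flags (`-u`, `-tags`, `-jsonl`, `-o`) and Nuclei's JSONL field names (`template-id`, `info.name`, `info.severity`, `host`, `matched-at`); the sample output at the bottom is constructed, not a real scan.

```python
import json
from collections import defaultdict

MAX_TECHNOLOGIES = 4  # limit stated on this page
SEVERITY_ORDER = ["critical", "high", "medium", "low", "info", "unknown"]

def build_nuclei_command(urls, technologies, output="nuclei-results.jsonl"):
    """argv for a Nuclei run restricted to the selected technology tags
    (Nuclei tags are lowercase: magento, php, nginx); URLs may carry paths."""
    tags = sorted({t.strip().lower() for t in technologies if t.strip()})
    if not urls:
        raise ValueError("at least one service URL is required")
    if not 1 <= len(tags) <= MAX_TECHNOLOGIES:
        raise ValueError(f"select between 1 and {MAX_TECHNOLOGIES} technologies")
    argv = ["nuclei", "-jsonl", "-o", output, "-tags", ",".join(tags)]
    for url in urls:
        argv += ["-u", url]  # -u may be repeated for several targets
    return argv

def _rank(finding):
    sev = finding["severity"]
    return SEVERITY_ORDER.index(sev) if sev in SEVERITY_ORDER else len(SEVERITY_ORDER)

def triage(jsonl_text):
    """Group Nuclei JSONL findings per host, drop exact duplicates (same
    template-id and matched-at) and sort each host's list most severe first."""
    per_host = defaultdict(dict)
    for line in jsonl_text.splitlines():
        if not line.strip():
            continue
        rec = json.loads(line)
        info = rec.get("info", {})
        per_host[rec.get("host")][(rec.get("template-id"), rec.get("matched-at"))] = {
            "template": rec.get("template-id"),
            "name": info.get("name"),
            "severity": str(info.get("severity", "unknown")).lower(),
            "matched_at": rec.get("matched-at"),
        }
    return {host: sorted(items.values(), key=_rank) for host, items in per_host.items()}

# Constructed sample output (template ids and host are made up) with one
# duplicate line, so triage() can be exercised without running Nuclei.
SAMPLE_JSONL = """
{"template-id":"example-magento-fingerprint","info":{"name":"Magento fingerprint","severity":"info"},"host":"https://shop.example.com","matched-at":"https://shop.example.com/"}
{"template-id":"example-nginx-version","info":{"name":"Nginx version disclosure","severity":"low"},"host":"https://shop.example.com","matched-at":"https://shop.example.com/"}
{"template-id":"example-nginx-version","info":{"name":"Nginx version disclosure","severity":"low"},"host":"https://shop.example.com","matched-at":"https://shop.example.com/"}
"""
```

Run the returned argv with `subprocess.run` once Nuclei is installed, then feed the contents of the output file to `triage()`.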
