Engagements
An engagement is the multi-scan unit a customer signs the SOW for. A single engagement spans one or more scans against a shared scope (web app + API + cloud, run weekly, all under one project). Reports, retest history, and SOC detection-rule bundles all hang off the engagement, not the individual scan.
Why engagements
- Scope declared once — every scan launched under an engagement is validated against its declared scope (domains, URLs, CIDRs) before dispatch. Out-of-scope targets are refused at the API tier with HTTP 451 and an audit-log entry.
- OPSEC posture inherited — set stealth_mode on the engagement once and every scan inherits it. See OPSEC stealth mode.
- Retest grouping — open the engagement detail page and you see every scan, every attack chain across them, and the detection-rule bundle aggregated at the engagement level.
- Auditor evidence — the engagement record carries the rules-of-engagement document, the contact list, and the start / end dates. SOC2 + PCI auditors read this as the legal record of work.
Create an engagement
- Sidebar → Engagements → New engagement (admin role required — the scope contract is the legal foundation for every scan run under it).
- Name + client name (the client name appears on reports).
- Pick the engagement type: Web App, API, Network, Cloud, Mobile, or Mixed.
- Scope — one entry per line, in the format kind:value. Supported kinds: domain (matches the host and every subdomain), url (matches the host only), cidr (matches any IP in the network). For example:
  domain:acme.com
  domain:api.acme.com
  cidr:10.0.0.0/24
- OPSEC posture — Off (default), Moderate (skip LOUD detectors), or Quiet (passive recon only).
- Rules of engagement — optional free text. Window, blackout dates, contacts, anything else the customer agreed to in writing.
Launch a scan under an engagement
On the New scan page, pick the engagement from the dropdown. The scan inherits the engagement's stealth posture and is validated against its scope before dispatch. To override the engagement's stealth posture for one specific scan, pass an explicit stealth_mode on the scan-create form — the operator value wins.
Attack chains across an engagement
The engagement detail page lists every attack chain identified across all its scans, ordered by descending score. A chain that spans multiple targets (e.g. SSRF on one host → IMDS credentials that authenticate to a different host) surfaces here as a single record-of-work artefact, not buried in one scan's detail page.
Closing an engagement
From the engagement list, click Close. Existing scans + findings are preserved; new scan launches against the closed engagement are rejected with HTTP 400. Use this to lock the engagement after final report delivery.
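The rules spread across this page (the three scope kinds from Create an engagement, the pre-dispatch scope check with its 451 refusal and audit-log entry, the operator-wins stealth_mode override from Launch a scan, and the 400 on a closed engagement) fit in one small model. The following is an added example written for this page, not the product's own code: the function and class names, the lower-case stealth values, the success status wording, and the sample scope and targets are all constructed for the illustration.

```python
"""Engagement scope matching and scan-launch gating (added example).

Illustration written for this page, not the product's own code.
From the page: scope entries are one "kind:value" per line with kinds
domain (host + every subdomain), url (host only) and cidr (any IP in the
network); out-of-scope targets are refused with HTTP 451 plus an audit-log
entry; launches against a closed engagement get HTTP 400; an explicit
stealth_mode on the scan wins over the engagement's posture.
Assumed for the example: all names below, the lower-case stealth values,
and the sample scope and targets.
"""
import ipaddress
from dataclasses import dataclass, field
from urllib.parse import urlsplit

STEALTH_LEVELS = ("off", "moderate", "quiet")  # assumed spellings

# Constructed sample scope text, in the page's one-entry-per-line format.
SAMPLE_SCOPE = """
domain:acme.com
url:https://login.partner.example/sso
cidr:10.0.0.0/24
"""


def parse_scope(text):
    """Turn scope text into (kind, matcher) tuples; rejects malformed lines."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        kind, sep, value = line.partition(":")
        kind = kind.lower()
        if not sep or not value:
            raise ValueError(f"malformed scope entry: {line!r}")
        if kind == "domain":
            entries.append(("domain", value.lower().rstrip(".")))
        elif kind == "url":
            host = urlsplit(value).hostname  # url kind matches the host only
            if not host:
                raise ValueError(f"url entry has no host: {line!r}")
            entries.append(("url", host))
        elif kind == "cidr":
            entries.append(("cidr", ipaddress.ip_network(value, strict=False)))
        else:
            raise ValueError(f"unknown scope kind: {kind!r}")
    return entries


def _target_host(target):
    """Host part of a target given as a bare host/IP or as a full URL."""
    if "://" in target:
        host = urlsplit(target).hostname
        if not host:
            raise ValueError(f"target URL has no host: {target!r}")
        return host
    return target.strip().lower().rstrip(".")


def in_scope(scope, target):
    """True if the target's host or IP is covered by at least one entry."""
    host = _target_host(target)
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        ip = None  # a hostname, so only domain/url entries can match
    for kind, value in scope:
        if kind == "domain" and ip is None:
            if host == value or host.endswith("." + value):
                return True
        elif kind == "url" and ip is None and host == value:
            return True
        elif kind == "cidr" and ip is not None and ip in value:
            return True
    return False


@dataclass
class Engagement:
    name: str
    scope: list
    stealth_mode: str = "off"
    closed: bool = False
    audit_log: list = field(default_factory=list)


def launch_scan(engagement, targets, stealth_mode=None):
    """Gate a launch the way the page describes the API tier doing it."""
    if engagement.closed:
        return {"status": "refused", "http": 400, "error": "engagement is closed"}
    refused = [t for t in targets if not in_scope(engagement.scope, t)]
    if refused:
        engagement.audit_log.append(
            {"event": "scan_refused_out_of_scope", "targets": refused})
        return {"status": "refused", "http": 451,
                "error": "target(s) outside declared scope", "refused": refused}
    # Operator value wins; otherwise inherit the engagement's posture.
    effective = stealth_mode if stealth_mode is not None else engagement.stealth_mode
    if effective not in STEALTH_LEVELS:
        raise ValueError(f"unknown stealth_mode: {effective!r}")
    return {"status": "dispatched", "stealth_mode": effective, "targets": list(targets)}


if __name__ == "__main__":
    eng = Engagement("acme-q3-web", parse_scope(SAMPLE_SCOPE), stealth_mode="moderate")
    print(launch_scan(eng, ["api.acme.com", "10.0.0.77"]))
    print(launch_scan(eng, ["api.acme.com", "10.0.1.5"]))
```

The point worth noticing is the asymmetry between the kinds: a domain entry covers every subdomain, a url entry covers exactly its host, and a cidr entry only ever matches an IP literal, so a hostname that resolves into an in-scope network is still refused unless a domain or url entry names it.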