# Enterprise Onboarding Checklist

Use this checklist before your first enterprise scan. It is written for operators who will configure and run scans, and for security stakeholders who need to approve scope.

## Access and Tenant Setup

* Sign in to the deployment URL through your configured identity provider.
* Confirm the initial users have the correct roles for scans, reports, settings, API keys, and user management.
* Confirm who owns scan approvals, agent installation, and cleanup.

## External Assessment Prerequisites

* Collect approved root domains and any explicitly excluded third-party domains.
* Add root domains in **Settings -> Domains** or from the New Assessment flow.
* Verify root-domain ownership in **Settings -> Domain Verification** when required by your deployment.
* Confirm your team understands that subdomains are discovered automatically from the root domain.
* Decide whether target WAF/CDN/firewall rules should allowlist the scanner IPs, use residential browser traffic, or both.
* Record browser sessions for each role that should be tested, such as admin, manager, regular user, read-only user, or support user.
* Validate browser sessions before running authenticated scans.
* Define rate limits for fragile, rate-limited, or production-sensitive targets.
* Define domain and trajectory deny rules before scanning sensitive paths.
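
The scope rules in this list (approved roots with auto-discovered subdomains, excluded third-party domains, domain and path deny rules) can be checked mechanically before a scan is approved. The following is an added example, not the product's own code; the root domains, exclusions, deny rules and discovered URLs are constructed for illustration, and deny rules take precedence over root approval so a sensitive host or path is never reached by accident.

```python
from urllib.parse import urlsplit

# Constructed sample scope (assumptions, not real targets).
APPROVED_ROOTS = {"example.com"}
EXCLUDED_DOMAINS = {"cdn.thirdparty-example.net"}        # explicitly excluded third party
DOMAIN_DENY = {"payments.example.com"}                   # fragile host, never scanned
PATH_DENY_PREFIXES = ("/admin/delete", "/api/v1/wipe")   # sensitive trajectories


def matches_domain(host: str, domains: set[str]) -> bool:
    """True if host equals one of `domains` or is a subdomain of one.
    Suffix matching must include the leading dot so that a lookalike such as
    example.com.evil-example.org is NOT treated as a subdomain of example.com."""
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in domains)


def scope_decision(url: str) -> tuple[str, str]:
    """Return ("allow" | "deny", reason) for a single discovered URL."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    if not host:
        return "deny", "unparseable host"
    if matches_domain(host, EXCLUDED_DOMAINS):
        return "deny", "explicitly excluded third-party domain"
    if matches_domain(host, DOMAIN_DENY):
        return "deny", "domain deny rule"
    if any(parts.path.startswith(p) for p in PATH_DENY_PREFIXES):
        return "deny", "trajectory/path deny rule"
    if not matches_domain(host, APPROVED_ROOTS):
        return "deny", "outside approved root domains"
    return "allow", "within approved root domain"


def filter_targets(urls: list[str]) -> tuple[list[str], dict[str, str]]:
    """Split discovered URLs into an allowed list and a {url: reason} map of denials."""
    allowed: list[str] = []
    denied: dict[str, str] = {}
    for u in urls:
        verdict, reason = scope_decision(u)
        if verdict == "allow":
            allowed.append(u)
        else:
            denied[u] = reason
    return allowed, denied


DISCOVERED = [  # constructed discovery output used for the demonstration
    "https://app.example.com/login",
    "https://api.example.com/v2/users",
    "https://payments.example.com/checkout",
    "https://app.example.com/admin/delete/42",
    "https://cdn.thirdparty-example.net/lib.js",
    "https://example.com.evil-example.org/",
]
```

Run `filter_targets(DISCOVERED)` to see the two in-scope URLs and the reason each of the other four was held back; the denied map is what a stakeholder reviews before approving the scan.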

## Internal Assessment Prerequisites

* Identify the network segment where the local agent will run.
* Confirm the agent host can reach the approved subnets and required services.
* Confirm endpoint protection, EDR, firewall, and proxy expectations for the agent host.
* Confirm which exploit families are authorized, especially AD write operations, ADCS abuse, RCE, credential dumping, relay, and data-copy paths.
* Confirm cleanup ownership for AD/ADCS changes, host implants, service changes, credential rotation, and copied files.
* Decide whether PCE Intercept/Inveigh may be enabled, and which interfaces it may bind to.
* Run internal discovery before internal assessment so subnets, hosts, services, users, and groups are visible.

{% content-ref url="/pages/Wo8uaAQGOpoDSX3mEaRZ" %}
[Internal Assessment Destructive Actions](/enterprise/how-to-trigger-an-internal-scan/internal-assessment-destructive-actions.md)
{% endcontent-ref %}

## First Scan Plan

For the first run, start narrow:

1. Run external discovery on one root domain.
2. Review discovered pages, APIs, trajectories, and services.
3. Record and validate one low-risk authenticated browser session.
4. Run an external assessment with a conservative rate limit and only the approved attack vectors.
5. Review **Activity** and **Attack Paths** with your security stakeholders.
6. Generate an executive report and a comprehensive report.
7. Expand scope only after your team is comfortable with volume, traffic shape, and results.

For internal assessment, start with one subnet and a small exploit set. Add destructive categories only after your team signs off on impact and cleanup.
