# How to Trigger an External Scan

External scanning is normally launched from the guided **New Assessment** flow, then configured in **Modules -> External Assessment**. The guided flow helps new users complete the required steps in order; the module pages expose the full scan configuration.

{% hint style="info" %}
**Video walkthrough:** [Configure an external assessment](https://www.youtube.com/watch?v=O5AbZoO-uP4)
{% endhint %}

## External Scan Flow

1. Add a root domain.
2. Confirm a SANDBOX runner is available.
3. Run external discovery.
4. Run external assessment.
5. Review attack paths and generate reports.

## 1. Add the Root Domain

From **New Assessment**, select **External** and enter the approved root domain, for example `example.com`.

Enter only the domain name. Do not include `https://`, a path, or query parameters. Subdomains and paths are discovered later.

You can also add domains from **Settings -> Domains** or **Dashboard -> Target Entities**.
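A pre-check for an approved scope list before its entries are typed into the domain field, as an added example (not BugBase code; the platform's own input validation is not documented here). Function names and sample entries are constructed. It strips scheme, port, path and query, but does not reduce a subdomain to its root domain, which needs the Public Suffix List.

```python
import re
from urllib.parse import urlsplit

# One DNS label: 1-63 chars of letters/digits/hyphen, no leading or trailing hyphen.
_LABEL = re.compile(r"^(?!-)[a-z0-9-]{1,63}(?<!-)$")


def to_domain_entry(raw: str) -> str:
    """Reduce a scope-list entry to a bare domain name, or raise ValueError."""
    text = raw.strip()
    # urlsplit only recognises the host when a "//" authority marker is present.
    parts = urlsplit(text if "://" in text else "//" + text)
    host = (parts.hostname or "").rstrip(".")  # hostname is lowercased, port dropped
    if host.startswith("*."):
        host = host[2:]  # wildcard scope entries collapse to their parent domain
    labels = host.split(".")
    if len(labels) < 2 or not all(_LABEL.match(label) for label in labels):
        raise ValueError(f"not a domain name: {raw!r}")
    if labels[-1].isdigit():
        raise ValueError(f"IP address, not a domain: {raw!r}")
    return host


def clean_scope(entries):
    """Return (unique domains in first-seen order, rejected raw entries)."""
    accepted, rejected = [], []
    for raw in entries:
        try:
            domain = to_domain_entry(raw)
        except ValueError:
            rejected.append(raw)
            continue
        if domain not in accepted:
            accepted.append(domain)
    return accepted, rejected


# Constructed sample scope list (not taken from the documentation).
SAMPLE = [
    "https://Example.com/login?next=/home",
    "example.com",
    "example.org:8443/cart",
    "*.example.net",
    "203.0.113.7",
    "localhost",
]

if __name__ == "__main__":
    ok, bad = clean_scope(SAMPLE)
    print("enter:", ok)
    print("review manually:", bad)
```

Rejected entries are returned rather than silently dropped so they can be checked against the written authorization before anything is scanned.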

## 2. Confirm SANDBOX Capacity

External discovery and browser-based testing require a SANDBOX runner. Your deployment can use managed SANDBOX capacity or infrastructure attached to your environment, depending on how it was deployed.

Check **Dashboard -> Agents** or **Settings -> Agent** to confirm the SANDBOX runner is connected before a scan.

## 3. Run External Discovery

Open **Modules -> External Assessment -> Discovery Phase**.

1. Select one or more target domains.
2. Open the target settings drawer if you need authenticated sessions, custom headers, discovery type, rate limits, or browser options.
3. Choose the discovery type:
   * **Run Full Discovery** crawls reachable pages and APIs and can feed the attack phase.
   * **Discover Domains only** maps the domain surface without deep crawling.
4. Optionally enable **Trigger Attack Phase automatically after discovery**. This forces full discovery and starts the external assessment when discovery finishes.
5. Save the target configuration.
6. Click **Run Assessment** to open the final configuration review.
7. Review duration and credit estimates, saved config status, authentication readiness, target scope, and settings.
8. Click **Run assessment** to start the run.

## 4. Run External Assessment

Open **Modules -> External Assessment -> Attack Phase**.

1. Select one or more target domains.
2. Open the settings drawer for each target or apply settings to selected targets.
3. Choose authentication mode:
   * **Unauthenticated** for public pages and APIs.
   * **Authenticated** to reuse one or more browser sessions.
   * Both modes if public and logged-in surfaces should be tested.
4. Choose attack vectors. Leaving all vectors unselected is treated as broad coverage.
5. Set rate limits, custom headers, trajectory scope, and browser options as required.
6. Save configuration for selected assets.
7. Review estimates and warnings.
8. Click **Run assessment**.

{% content-ref url="/pages/JqTFyGv6qHEq1MBlbEzs" %}
[Configure Scan Settings for External Assessment](/enterprise/how-to-trigger-an-external-scan/configure-scan-settings-for-external-assessment.md)
{% endcontent-ref %}

## 5. Monitor the Run

Open **Activity -> Activity** to follow module and submodule status. The Activity detail page shows the module timeline and can be used to understand which stages are pending, running, completed, failed, cancelled, or scheduled.

{% content-ref url="/pages/QJ9ahgjtOWQNnN87Ivzs" %}
[Activity](/enterprise/activity.md)
{% endcontent-ref %}

## 6. Review Results

After assessment completes:

* Open **Modules -> External Assessment -> Statistics** for aggregate severity and category views.
* Open **Modules -> External Assessment -> Attack Paths** for validated findings.
* Open a finding detail page to review evidence, AI reasoning, remediation, status, retest controls, and the graph drawer.
* Generate reports from **Reports**.

{% content-ref url="/pages/yIa5DS9u5uSEnjRhi5DZ" %}
[Analysing Scan Results](/enterprise/analysing-scan-results.md)
{% endcontent-ref %}

## Common Blocks

| Block                                | What to check                                                                                                          |
| ------------------------------------ | ---------------------------------------------------------------------------------------------------------------------- |
| Domain cannot be scanned             | Confirm it is added as a root domain and allowed by **Settings -> Domains** scope rules.                               |
| Authenticated scan cannot start      | Select **Authenticated** and at least one browser session; validate session readiness.                                 |
| Target is blocking traffic           | Set a lower rate limit, run auto-calibration, allowlist SANDBOX IPs, or enable residential browser traffic.            |
| No actionable trajectories           | Run discovery first, record or import a browser session, or use Manual Crawler to capture user flows.                  |
| Schedule does not behave as expected | Review saved scan config for the selected target. Schedules reuse the configuration sent when the schedule is created. |

