
# Scan Noise and Safety

Pentest Copilot can run quiet discovery, browser-based crawling, contextual web/API testing, and active internal exploitation. The right configuration depends on your engagement rules, production sensitivity, target defenses, and appetite for proof-of-impact.

## Noise Levels

| Activity                          | Typical noise                            | Notes                                                                                                                                                         |
| --------------------------------- | ---------------------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------- |
| External domain discovery         | Low to medium                            | DNS, certificate, search, and service enumeration. Volume depends on domain size.                                                                             |
| External web crawling             | Medium                                   | Sends browser and HTTP requests to discovered pages and APIs. Use rate limits for fragile targets.                                                            |
| External authenticated assessment | Medium to high                           | Replays logged-in sessions and tests application-specific flows. Multiple roles increase traffic.                                                             |
| External attack vectors           | Medium to high                           | Injection, authorization, upload, SSRF, XSS, business-logic, and related tests may trigger WAF/EDR/app alerts.                                                |
| Manual crawler                    | Operator-controlled                      | Traffic is generated by the operator's manual navigation through a proxied browser.                                                                           |
| Internal discovery                | Medium                                   | Scans reachable hosts/services from the selected agent. May be visible to NDR/EDR.                                                                            |
| Internal assessment               | High when exploit categories are enabled | Can authenticate, attempt lateral movement, run commands, relay NTLM, copy files, deploy callbacks, or change AD/ADCS state depending on selected categories. |

## External Safety Controls

* **Domain whitelist:** Approved domains that may be tested.
* **Domain blacklist:** Domains that must not be tested. Blacklist wins over whitelist.
* **Trajectory scope:** Per-host path rules and per-run trajectory selection restrict which APIs/user flows are tested.
* **Authentication mode:** Choose unauthenticated, authenticated, or both. Authenticated mode requires browser sessions.
* **Browser-session readiness:** The scanner warns when selected sessions lack usable login state or validation data.
* **Rate limit:** Caps request volume for the target.
* **Auto-calibration:** Sends probe traffic to estimate a sustainable rate. This can send up to 400 requests in short bursts.
* **Residential browser IP:** Routes browser traffic through a residential proxy when bot defenses block datacenter traffic.
* **Custom headers:** Adds required test headers, API keys, tenant selectors, or WAF bypass headers where approved.
* **Max module runtime:** Cancels remaining work if the configured runtime limit is reached.
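The whitelist, blacklist and trajectory-scope rules above combine into a single pre-flight decision per request. The following is an added example of such a scope gate, not Pentest Copilot's own code: it assumes whitelist entries cover a domain and its subdomains, applies the documented blacklist-over-whitelist precedence, and models per-host path rules as allowed path prefixes (the prefix format is an assumption, not the product's configuration syntax).

```python
# Added example (not Pentest Copilot's own code): pre-flight scope gate that
# applies domain whitelist, domain blacklist (blacklist wins) and per-host
# path rules before a request is allowed to leave the scanner.
from urllib.parse import urlsplit

def _host_matches(host: str, pattern: str) -> bool:
    """A pattern matches the host itself and any of its subdomains (assumption)."""
    host, pattern = host.lower().rstrip("."), pattern.lower().rstrip(".")
    return host == pattern or host.endswith("." + pattern)

class ScopePolicy:
    def __init__(self, whitelist, blacklist=(), path_rules=None):
        self.whitelist = list(whitelist)
        self.blacklist = list(blacklist)
        # path_rules: {exact host: [allowed path prefixes]}; a host without an
        # entry allows every path (assumed format, not the product's syntax)
        self.path_rules = path_rules or {}

    def check(self, url: str):
        """Return (allowed, reason) for a candidate request URL."""
        parts = urlsplit(url)
        host = parts.hostname or ""
        if not host:
            return False, "no host in URL"
        # Blacklist is evaluated first so it always wins over the whitelist.
        for pat in self.blacklist:
            if _host_matches(host, pat):
                return False, f"host matches blacklist entry {pat}"
        if not any(_host_matches(host, pat) for pat in self.whitelist):
            return False, "host not in whitelist"
        prefixes = self.path_rules.get(host)
        if prefixes is not None:
            path = parts.path or "/"
            if not any(path.startswith(p) for p in prefixes):
                return False, f"path {path} outside trajectory scope for {host}"
        return True, "in scope"

# Constructed sample policy: whole example.com tree is approved, the payments
# host is excluded, and the API host is limited to two trajectories.
POLICY = ScopePolicy(
    whitelist=["example.com"],
    blacklist=["payments.example.com"],
    path_rules={"api.example.com": ["/v1/orders", "/v1/catalog"]},
)
```

Wire a check like this in front of every crawler and attack-vector request so that a blacklisted host or an out-of-trajectory path is refused before any traffic is generated.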

## Internal Safety Controls

* **Agent placement:** Internal scans run from your network through a connected agent.
* **Subnet selection:** Operators select specific subnets before running internal assessment.
* **Agent assignment:** Each selected subnet has an assigned agent. Agents in the same subnet are prioritized.
* **Entity exclusion:** Hosts, users, groups, and services can be excluded from a selected subnet.
* **Allowed exploits:** Exploit families are enabled or disabled per subnet.
* **Destructive-action warnings:** High-impact categories are highlighted in the final review.
* **PCE Intercept/Inveigh:** NTLM capture/relay is opt-in and requires selected network interfaces.
* **RCE skip controls:** Operators can skip RCE when the graph already marks the host or user as compromised.

## When to Slow Down

Use conservative settings when:

* the target is production and has strict SLOs;
* the application has aggressive WAF, bot, or rate-limiting controls;
* login sessions expire quickly or allow only one active session;
* user flows trigger emails, payments, state transitions, or external integrations;
* internal testing touches domain controllers, ADCS, privileged groups, production databases, or file shares;
* your team wants discovery-only evidence before active exploitation.

## Edge Cases to Plan For

* **Bot detection during recording:** Enable residential browser traffic or allowlist SANDBOX IPs.
* **Single-session applications:** Enable browser isolation options when multiple tabs or shared state cause forced logout.
* **Expired browser sessions:** Re-record or validate sessions before running authenticated scans.
* **Manual crawler windows:** Keep the proxied browser open until trajectories are saved. Cancel the crawler from the UI if needed.
* **Internal route mismatch:** If no hosts appear after internal discovery, verify the agent's route to the subnet and local firewall rules.
* **Responder interface mismatch:** PCE Intercept/Inveigh cannot start until at least one valid interface is selected for the chosen agent.
* **Scheduled scans:** Schedules reuse saved scan configuration. Review saved configs when scope, sessions, or agent availability changes.
