# Settings

### Usage

#### Credits

Credits represent the total number of scan runtime hours available to your account. These credits determine how long you can operate and execute scans.

**Key Features:**

* View your total available credits
* Monitor runtime hours you have consumed
* Track remaining scan time
* Credits are consumed based on actual scan execution time

**Example:** If you have 100 credits, this equals 100 hours of total scan runtime across all your assessments.

#### Usage Timeline

The Usage Timeline feature provides visibility into your historical scan activity and credit consumption patterns.

**Key Features:**

* Filter scan runtime by custom date ranges
* View detailed breakdown of past scan activity
* Track credit consumption over time
* Analyze usage patterns to optimize scan scheduling

Use the date range selector to view specific periods and understand how your credits have been utilized.

***

### External Assessment Settings

#### Rate Limit

The Rate Limit setting controls the maximum number of HTTP requests per second that the scanner will send to the target application during an assessment.

**Purpose:**

* Prevent overwhelming target systems
* Avoid triggering rate-based security defenses (WAF, IPS)
* Ensure stable and controlled testing
* Comply with target system capacity constraints

**Example:** Setting a rate limit of 15 requests/second ensures the scanner sends no more than 15 HTTP requests per second to the target application.
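To confirm the cap from the target's side, the following added example (not part of the product or its documentation) counts requests per second from the scanner's source address in a web access log. The Common/Combined Log Format, the address `203.0.113.10` and the function names are assumptions; the sample lines are constructed.

```python
import re
from collections import Counter
from datetime import datetime

# Client IP and bracketed timestamp of a Common/Combined Log Format line.
LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "')


def per_second_counts(lines, source_ip):
    """Count requests from source_ip in each one-second log bucket."""
    counts = Counter()
    for line in lines:
        m = LINE_RE.match(line)
        if not m or m.group(1) != source_ip:
            continue  # skip malformed lines and other clients
        ts = datetime.strptime(m.group(2), "%d/%b/%Y:%H:%M:%S %z")
        counts[ts] += 1
    return counts


def seconds_over_limit(lines, source_ip, limit):
    """Return (timestamp, count) for every second above the configured limit.

    Fixed one-second buckets are used because access logs usually have
    one-second resolution; a burst straddling two seconds can be missed.
    How the scanner itself windows "per second" is not stated on the page.
    """
    counts = per_second_counts(lines, source_ip)
    return sorted((ts, n) for ts, n in counts.items() if n > limit)


def _line(ip, second):
    # Constructed sample log line (not real traffic).
    return (f'{ip} - - [12/Mar/2025:10:15:{second:02d} +0000] '
            f'"GET /api/items HTTP/1.1" 200 512')


SCANNER_IP = "203.0.113.10"  # assumed scanner source address
SAMPLE_LOG = (
    [_line(SCANNER_IP, 1)] * 15        # exactly at the limit
    + [_line(SCANNER_IP, 2)] * 17      # above the limit
    + [_line("198.51.100.7", 2)] * 40  # unrelated client, ignored
    + [_line(SCANNER_IP, 3)] * 3
    + ["malformed line"]
)

if __name__ == "__main__":
    for ts, n in seconds_over_limit(SAMPLE_LOG, SCANNER_IP, limit=15):
        print(f"{ts.isoformat()} {n} requests (limit 15)")
```
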

#### Attack Vectors

Attack Vectors define the security vulnerability categories that will be tested during your scan. Select specific vulnerability types to prioritise during assessments.

**Common Attack Vector Categories:**

* **Authentication** - Tests for authentication bypass, weak credentials, and session management issues
* **CSRF (Cross-Site Request Forgery)** - Validates anti-CSRF token implementation
* **SQL Injection** - Detects database injection vulnerabilities
* **XSS (Cross-Site Scripting)** - Identifies reflected, stored, and DOM-based XSS
* **Command Injection** - Tests for OS command injection flaws
* **Path Traversal** - Checks for directory traversal vulnerabilities
* **XXE (XML External Entity)** - Tests for XML injection attacks
* **SSRF (Server-Side Request Forgery)** - Identifies SSRF vulnerabilities

**Usage:**

* Enable all vectors for a thorough security assessment. Selecting None will also test all vectors.
* Select specific vectors to focus on particular vulnerability classes
* Disable certain vectors if they're not relevant to your application

#### Custom Headers

Custom Headers allow you to specify additional HTTP headers (key-value pairs) that will be included with every request made to the target application during scanning.

***

### Domain Whitelist and Blacklist

The Domain Whitelist and Blacklist feature allows you to control which domains the crawler runs on within external assessments.

{% content-ref url="/pages/0ajjGH6BFpdgg11q6axz" %}
[Domains](/enterprise/settings/domains.md)
{% endcontent-ref %}

### Trajectory Whitelist and Blacklist

The Trajectory Whitelist and Blacklist feature allows you to control which API endpoints are included or excluded during vulnerability assessments.

{% content-ref url="/pages/M0MfkR8EXMrAeSyOno1b" %}
[Trajectories](/enterprise/settings/trajectories.md)
{% endcontent-ref %}

