How to Scope Effectively
A well-defined scope helps Cipher focus on what matters. This guide covers how to choose assessment types, set targets, and organize projects for the best results.
Assessment Types
Each type covers a different attack surface. You can combine multiple types in a single project. See What Does Each Assessment Cover? for detailed framework coverage.
| Type | Targets | Limit |
|---|---|---|
| API | URLs (REST / GraphQL) | Max 3 URLs total (shared with Web) |
| Web | URLs | Max 3 URLs total (shared with API) |
| Mobile | App IDs (Bundle ID / Package Name) | Max 1 app |
| Network | IPs / CIDR ranges | Max 32 IPs |
One Project or Many?
Each project is one assessment ($999). Two things to consider when deciding whether to split:
Size — Each assessment is roughly equivalent to a 2-week human pentest — time spent understanding your application, testing it, and producing a verified report. If your application is large, that time spreads thin. Cipher prioritizes critical-severity tests first, then high, then medium, and so on — but lower-severity tests may never get created as the budget runs out. Split large applications into focused projects (e.g., by module, domain, or service) so each gets full-depth coverage.
Context — Mixing unrelated systems in one project forces Cipher to switch between different authentication flows, business logic, and user roles — just like a human pentester, switching context means losing depth. Keeping each project focused lets Cipher build a deeper understanding of how that specific area works, leading to more meaningful findings.
Setting Targets
API Targets
Provide the base URL of your API:
- https://api.example.com
- https://api.example.com/v2
Upload API documentation (OpenAPI spec, Postman collection, or similar) so Cipher knows what endpoints exist. Without docs, Cipher can only discover endpoints if the API exposes a spec or has a web frontend to reverse-engineer.
Web Targets
Provide the URL of your web application:
- https://app.example.com
- https://staging.example.com
Cipher will crawl the application, discover pages, and test for web-specific vulnerabilities.
- Add credentials: Without login credentials, Cipher can only test public-facing pages. Add credentials for each role you want tested.
- Disable MFA: Multi-factor authentication is not supported. Disable MFA on all test accounts provided to Cipher.
Mobile Targets
Provide the app identifier:
- iOS: Bundle ID (e.g., com.example.myapp)
- Android: Package name (e.g., com.example.myapp)
Upload the app binary (IPA or APK) in the Documents tab.
Network Targets
Provide IP addresses or CIDR ranges:
- 192.168.1.1
- 10.0.0.0/24
Network assessments typically don't require credentials or documents.
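A pre-submission check against the per-type limits in the Assessment Types table above, as an added example and not part of Cipher's own tooling: the constant names, the `validate_scope` helper and the scope dictionary layout are assumptions, and the sample scope is constructed from the example targets in this guide.

```python
from ipaddress import ip_network
from typing import Dict, List

# Limits from the assessment-types table (constant names are assumed, not Cipher's).
MAX_URLS_API_WEB = 3   # shared between API and Web targets
MAX_MOBILE_APPS = 1
MAX_NETWORK_IPS = 32


def count_network_ips(targets: List[str]) -> int:
    """Count addresses across single IPs and CIDR ranges.

    strict=False accepts a host address written with a prefix (e.g. 10.0.0.5/24);
    ip_network raises ValueError on anything that is not an IP or CIDR.
    """
    return sum(ip_network(t, strict=False).num_addresses for t in targets)


def validate_scope(scope: Dict[str, List[str]]) -> List[str]:
    """Return limit violations for a project scope; an empty list means it fits."""
    problems = []
    url_count = len(scope.get("api", [])) + len(scope.get("web", []))
    if url_count > MAX_URLS_API_WEB:
        problems.append(f"{url_count} API/Web URLs exceed the shared limit of {MAX_URLS_API_WEB}")
    apps = scope.get("mobile", [])
    if len(apps) > MAX_MOBILE_APPS:
        problems.append(f"{len(apps)} mobile apps exceed the limit of {MAX_MOBILE_APPS}")
    ips = count_network_ips(scope.get("network", []))
    if ips > MAX_NETWORK_IPS:
        problems.append(f"{ips} network addresses exceed the limit of {MAX_NETWORK_IPS}")
    return problems


# Constructed sample: every example target from this guide in one project.
SAMPLE_SCOPE = {
    "api": ["https://api.example.com", "https://api.example.com/v2"],
    "web": ["https://app.example.com", "https://staging.example.com"],
    "mobile": ["com.example.myapp"],
    "network": ["192.168.1.1", "10.0.0.0/24"],
}

if __name__ == "__main__":
    # Flags two problems: 4 shared URLs and 257 network addresses.
    for problem in validate_scope(SAMPLE_SCOPE):
        print("scope problem:", problem)
```

Running it on the sample shows why the guide recommends splitting: the combined targets break both the shared URL limit and the 32-IP limit, so they belong in separate projects.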
Staging vs. Production
Start with staging or test environments. This lets Cipher run full-access tests (including write operations) without affecting real users or data.
If you must test production:
- Create dedicated test accounts
- Manually start your assessment during low-traffic windows
- Make sure you have explicit authorization
Credentials
Add a credential for each role in your app. If users have private data, add two per role so Cipher can test whether one user can access another's data.
Example — app with user + admin roles:
| Name | Role | Purpose |
|---|---|---|
| read-only-user-1 | Regular user | Primary test account |
| read-only-user-2 | Regular user | Tests cross-user data access |
| admin-1 | Admin | Tests privilege escalation |
| admin-2 | Admin | Tests cross-admin data access |
Credential types supported: API keys, username/password, OAuth2, and web login.
Documents
Upload anything that helps Cipher understand your application:
| Assessment | What to upload |
|---|---|
| API | OpenAPI spec, Postman collection, Bruno export, or any API documentation |
| Web | Login/logout flow documentation, sitemap, HAR recordings |
| Mobile | IPA or APK binary, plus API docs if the app uses backend APIs |
Max file size: 50 MB per file. Zip multiple files together if needed.
Need Help?
See Common Setup Mistakes to avoid configuration errors.
- Discord Community — Ask questions
- Email Support — Technical assistance