Common Setup Mistakes
How to fix the most common configuration errors that lead to incomplete assessments.
Why are my results shallow or incomplete?
Cipher works best with a focused scope. Putting too many targets in a single project spreads the testing budget thin — critical issues get caught, but lower-severity tests may never run.
Fix: Split large applications into multiple projects. See How to Scope Effectively for guidance.
Why didn't Cipher find all my endpoints?
If the API doesn't expose a spec (like Swagger), Cipher has no way to discover endpoints on its own.
Fix: Upload an OpenAPI spec, Postman collection, or similar so Cipher knows what to test.
Why is Cipher only testing public pages?
Cipher could not authenticate. This happens if you didn't provide login credentials, or if the accounts you provided require multi-factor authentication (MFA).
Fix: Add credentials for each role you want tested, and ensure MFA is disabled on those accounts.
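A pre-upload check for the two fixes above, as an added example that is not Cipher's own code: it lists every operation an OpenAPI 3 JSON document declares and the security schemes each one requires, so you can see which endpoints the spec covers and, as a rough guide, which roles need credentials. The function names and the sample spec are constructed for illustration.

```python
import json

HTTP_METHODS = {"get", "put", "post", "delete", "patch", "head", "options", "trace"}

# Constructed sample spec (not from any real API).
SAMPLE_SPEC = json.loads("""
{
  "openapi": "3.0.3",
  "info": {"title": "Constructed sample", "version": "1.0"},
  "security": [{"bearerAuth": []}],
  "paths": {
    "/health": {"get": {"security": []}},
    "/orders": {"get": {}, "post": {}},
    "/admin/users": {
      "parameters": [],
      "delete": {"security": [{"adminKey": []}]}
    }
  }
}
""")


def inventory(spec):
    """Return (method, path, scheme_names) per operation; no names means no auth."""
    default = spec.get("security", [])
    rows = []
    for path, item in spec.get("paths", {}).items():
        for method, op in item.items():
            if method.lower() not in HTTP_METHODS or not isinstance(op, dict):
                continue  # skip path-level keys such as "parameters" or "summary"
            # Operation-level "security" overrides the global default; [] means no auth.
            reqs = op.get("security", default)
            schemes = sorted({name for req in reqs for name in req})
            rows.append((method.upper(), path, schemes))
    return sorted(rows, key=lambda r: (r[1], r[0]))


def summarize(spec):
    """Count operations, list unauthenticated ones, and collect scheme names in use."""
    rows = inventory(spec)
    public = [(m, p) for m, p, s in rows if not s]
    schemes = sorted({name for _, _, s in rows for name in s})
    return {"operations": len(rows), "public": public, "schemes": schemes}


if __name__ == "__main__":
    for method, path, schemes in inventory(SAMPLE_SPEC):
        print(f"{method:7}{path:15}{', '.join(schemes) or 'no auth'}")
```

If the operation count is lower than the number of endpoints you expect, the spec is incomplete and the missing endpoints will not be discovered from it.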
Why can't Cipher reach my targets?
Cipher makes requests from a fixed IP address (shown in the scope editor). If your firewall or WAF blocks it, the assessment can't reach your targets.
Fix: Allowlist Cipher's IP address in your firewall or WAF before starting.
Why is Cipher getting rate limited?
If your target throttles or blocks rapid requests, Cipher may miss endpoints or get incomplete results.
Fix: Relax or disable rate limits for Cipher's IP during the assessment.