Step 1 — Add a target

Add target page — form with IPv4/URL, Label, and Tags fields filled in with an example target.

  1. Go to Targets in the left navigation.
  2. Click + Add target in the top-right corner.
  3. Enter the domain, subdomain, or IP address you want to scan (the IPv4/URL field).
  4. Topscan sets the target type automatically from what you enter — an IP address becomes Infrastructure, a domain or URL becomes Web Application. An Infrastructure target is checked for open ports, services, and network-level vulnerabilities; a Web Application target also gets web security testing.
  5. Optionally add a Label and Tags to organize targets by team, environment, or project.
  6. Click Add targets.

**Tip:** Not sure which hosts you own? Use [Discovery](../../Discovery/) to automatically find subdomains and related assets from a root domain, then add them as targets in one click.

Step 2 — Run a scan

New scan page — the selected target, the Summary block listing what will run, and the "Deep web application testing" toggle.

Once your target is saved, you're ready to scan.

  1. Click New scan — the button is always visible in the top-right corner of the app.
  2. Select the target(s) or a tag you want to scan.
  3. The Summary block shows exactly what will run based on your selection (e.g. Port scan and Web application security testing for a web app).
  4. Optionally enable Deep web application testing for active OWASP Top 10 checks (SQL injection, XSS, SSRF, CSRF …). It sends real attack payloads and can take up to 3 hours — run it in off-hours or against staging.
  5. Click Run scan.

The scan appears under Scans → In progress with a progress indicator. When it finishes it moves to Completed scans.

Step 3 — Review the results

When the scan completes, it moves to Completed scans on the Scans page.

  1. Go to Issues to see all findings across your workspace, ordered by severity.
  2. Click any issue to see:
  • Severity and CVSS score
  • Affected target and specific location
  • CVE references (where applicable)
  • Remediation advice
  1. Issues marked Overdue have exceeded their SLA deadline and are affecting your Security Score.

What's next