Running Scans
Learn the three scan modes and pick the right one for your workflow.
Flowpatrol has three scan modes. Each trades off speed for depth.
Probe
A fast, surface-level check that runs in about 2 minutes. No authentication, no crawling — it hits your URL and looks for obvious issues.
Cost: 1 credit | Time: ~2 min | Available on: All plans (including free)
What it checks
| Check | What it finds |
|---|---|
| JS bundle analysis | API keys, service role keys, and secrets leaked in client-side JavaScript |
| Security headers | Missing HSTS, CSP, X-Frame-Options, overly permissive CORS |
| Exposed paths | .env files, .git/config, admin panels, debug endpoints, backup files |
| Supabase RLS | Tables readable without authentication (extracts your Supabase URL and anon key automatically) |
When to use it
- Before every deploy as a quick sanity check
- When you've just added a new API key or environment variable
- As a first pass on any app you want to evaluate
- To verify that a fix you made actually resolved the issue
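To make the Probe checks above concrete, here is an added example (not Flowpatrol's own code) of the same three kinds of checks written as an offline Python stand-in: security-header review including the reflected-Origin CORS case, secret extraction from a JS bundle that decodes the `role` claim of Supabase-style JWTs to tell an anon key from a leaked service role key, and exposed-path detection that uses content signatures so a single-page app answering 200 to every path is not reported. The headers, bundle text, regex patterns and path signatures are constructed sample data and assumptions of this example; the live Supabase RLS read check is not included because it needs a network request.

```python
import base64
import json
import re
from typing import Optional

# --- Constructed sample inputs (not from a real site) -------------------------
SAMPLE_HEADERS = {
    "Content-Type": "text/html",
    "X-Frame-Options": "DENY",
    # Reflecting the request Origin while allowing credentials lets any site read
    # authenticated responses; this is the dangerous CORS pattern, not just "*".
    "Access-Control-Allow-Origin": "https://attacker.example",
    "Access-Control-Allow-Credentials": "true",
}

def _fake_jwt(role: str) -> str:
    """Unsigned JWT-shaped token carrying a Supabase-style 'role' claim (sample only)."""
    def seg(obj: dict) -> str:
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    return f"{seg({'alg': 'HS256', 'typ': 'JWT'})}.{seg({'role': role, 'iss': 'supabase'})}.sig"

SAMPLE_BUNDLE = (
    'const SUPABASE_URL="https://abcdefghijklmnopqrst.supabase.co";'
    f'const ANON_KEY="{_fake_jwt("anon")}";'
    f'const SERVICE_KEY="{_fake_jwt("service_role")}";'  # must never ship to the client
    'const STRIPE="sk_live_0123456789abcdefghijklmn";'
)

# --- Check 1: security headers ------------------------------------------------
def check_headers(headers: dict, sent_origin: str = "https://attacker.example") -> list:
    """Findings for missing hardening headers and permissive CORS (sent_origin = our Origin)."""
    h = {k.lower(): v for k, v in headers.items()}
    findings = []
    if "strict-transport-security" not in h:
        findings.append("missing HSTS")
    csp = h.get("content-security-policy", "")
    if not csp:
        findings.append("missing CSP")
    if "x-frame-options" not in h and "frame-ancestors" not in csp:  # CSP can replace XFO
        findings.append("missing X-Frame-Options (and no CSP frame-ancestors)")
    acao = h.get("access-control-allow-origin", "")
    creds = h.get("access-control-allow-credentials", "").lower() == "true"
    if acao == sent_origin and creds:
        findings.append("CORS: reflects arbitrary Origin with credentials")
    elif acao == "*":
        findings.append("CORS: wildcard origin")
    return findings

# --- Check 2: secrets in client-side JS ---------------------------------------
JWT_RE = re.compile(r"eyJ[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+")
SUPABASE_URL_RE = re.compile(r"https://[a-z0-9]+\.supabase\.co")
OTHER_SECRET_RES = {
    "stripe live secret key": re.compile(r"sk_live_[0-9A-Za-z]{16,}"),
    "AWS access key id": re.compile(r"AKIA[0-9A-Z]{16}"),
}

def jwt_role(token: str) -> Optional[str]:
    """Decode the (unverified) JWT payload and return its 'role' claim, if any."""
    parts = token.split(".")
    if len(parts) < 2:
        return None
    payload = parts[1] + "=" * (-len(parts[1]) % 4)
    try:
        claims = json.loads(base64.urlsafe_b64decode(payload))
    except (ValueError, UnicodeDecodeError):
        return None
    return claims.get("role") if isinstance(claims, dict) else None

def find_secrets(js: str) -> list:
    """Return (kind, value) pairs for identifiers and secrets found in a JS bundle."""
    found = [("supabase url", u) for u in SUPABASE_URL_RE.findall(js)]
    for tok in JWT_RE.findall(js):
        role = jwt_role(tok)
        if role == "service_role":
            found.append(("supabase service_role key (bypasses RLS)", tok))
        elif role == "anon":
            found.append(("supabase anon key (expected client-side; RLS must protect tables)", tok))
        else:
            found.append(("jwt", tok))
    for kind, rx in OTHER_SECRET_RES.items():
        found.extend((kind, m) for m in rx.findall(js))
    return found

# --- Check 3: exposed paths, with content signatures to avoid SPA false positives
PATH_SIGNATURES = {
    "/.env": re.compile(r"^[A-Z_][A-Z0-9_]*=", re.M),
    "/.git/config": re.compile(r"^\[core\]", re.M),
    "/backup.sql": re.compile(r"CREATE TABLE|INSERT INTO", re.I),
}

def exposed_path(path: str, status: int, body: str) -> bool:
    """True only when the status is 200 AND the body looks like the file, not a catch-all page."""
    sig = PATH_SIGNATURES.get(path)
    return status == 200 and sig is not None and bool(sig.search(body))

if __name__ == "__main__":
    sample_paths = {  # constructed responses: path -> (status, body)
        "/.env": (200, "DATABASE_URL=postgres://app:pw@db/app\n"),
        "/.git/config": (200, "<html>catch-all SPA page</html>"),  # not reported
    }
    print(json.dumps({
        "headers": check_headers(SAMPLE_HEADERS),
        "secrets": [k for k, _ in find_secrets(SAMPLE_BUNDLE)],
        "exposed": [p for p, (s, b) in sample_paths.items() if exposed_path(p, s, b)],
    }, indent=2))
```

Two design points worth keeping when you write your own version: the CORS check only becomes a real finding when the server echoes an attacker-controlled Origin together with `Access-Control-Allow-Credentials: true` (browsers refuse `*` with credentials, so that combination is a misconfiguration rather than an exploitable one), and a Supabase anon key in the bundle is normal, so the interesting signal is a token whose decoded `role` is `service_role`.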
Standard Scan
A comprehensive security test that logs in as a test user, crawls your app, and tests for real vulnerabilities. Includes screenshot evidence of findings.
Cost: 5 credits | Time: ~15 min | Available on: All paid plans
What it checks
| Category | Examples |
|---|---|
| Authentication | Login bypass, weak session tokens, missing brute-force protection, OAuth misconfig |
| Access control | IDOR (accessing other users' data), privilege escalation, unauthenticated endpoints, missing RLS |
| Injection | SQL injection, XSS, SSRF, command injection |
| Business logic | Payment manipulation, webhook forgery, rate limit bypass, state tampering |
| Data exposure | Leaking internal fields in API responses, verbose errors, unprotected admin routes |
| Screenshot evidence | Visual proof of each finding captured by a headless browser |
When to use it
- Before launching to production
- After major feature changes (new auth flows, payment integration, admin panels)
- As a periodic check on running apps
- When a probe surfaces issues and you want the full picture
Deep Scan
Everything in Standard, plus multi-user IDOR testing, chained attacks, and an optional aggressive mode. The most thorough scan available.
Cost: 8 credits | Time: ~30 min | Available on: All paid plans
What it adds over Standard
| Capability | Description |
|---|---|
| Multi-user IDOR | Authenticates as multiple users simultaneously and tests cross-user data access |
| Chained attacks | Combines findings from earlier phases to test multi-step exploit chains |
| Aggressive mode | Optional — enables more intensive testing patterns (higher request volume, edge-case payloads) |
When to use it
- Pre-launch audits on critical apps
- Apps with multi-tenant data (orgs, teams, workspaces)
- When Standard found access control issues and you want exhaustive coverage
- Periodic deep audits on your most important properties
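The multi-user IDOR capability described above, shown as an added Python example that is not Flowpatrol's code: the harness authenticates as several test users, requests every object with every other user's session, and reports any 2xx as a cross-user read. The target is a constructed in-memory stand-in for a multi-tenant invoices API with an ownership check that can be switched off to reproduce the bug; the `/api/invoices/<id>` route, the user names and the tokens are assumptions of this example. It also runs a baseline check first, because a "no findings" result is meaningless if the owners themselves cannot read their objects.

```python
from dataclasses import dataclass, field
from itertools import permutations
from typing import Callable, Dict, List, Tuple

# fetch(bearer token, path) -> (status, json body); in a real run this wraps an HTTP client
Fetch = Callable[[str, str], Tuple[int, dict]]

@dataclass
class FakeInvoiceApi:
    """Constructed in-memory stand-in for a multi-tenant API (not a real app)."""
    invoices: Dict[str, str] = field(default_factory=dict)  # invoice id -> owner
    sessions: Dict[str, str] = field(default_factory=dict)  # bearer token -> user
    enforce_ownership: bool = True                          # False reproduces the IDOR bug

    def get(self, token: str, path: str) -> Tuple[int, dict]:
        user = self.sessions.get(token)
        if user is None:
            return 401, {"error": "unauthenticated"}
        inv_id = path.rsplit("/", 1)[-1]
        owner = self.invoices.get(inv_id)
        if owner is None or (self.enforce_ownership and owner != user):
            return 404, {"error": "not found"}  # 404 rather than 403: don't confirm existence
        return 200, {"id": inv_id, "owner": owner, "total_cents": 4200}

def baseline_ok(fetch: Fetch, sessions: Dict[str, str], owned: Dict[str, List[str]]) -> bool:
    """Every user must be able to read their own objects, or a clean IDOR run proves nothing."""
    return all(
        fetch(sessions[user], f"/api/invoices/{obj}")[0] == 200
        for user, objs in owned.items() for obj in objs
    )

def idor_matrix(fetch: Fetch, sessions: Dict[str, str],
                owned: Dict[str, List[str]]) -> List[Tuple[str, str, str, int]]:
    """Request each object with every OTHER user's session; any 2xx is a finding.

    sessions: user -> bearer token (one authenticated session per test user)
    owned:    user -> ids of objects that user legitimately owns
    Returns (victim, attacker, path, status) tuples.
    """
    findings = []
    for victim, attacker in permutations(sessions, 2):
        for obj in owned[victim]:
            path = f"/api/invoices/{obj}"
            status, _ = fetch(sessions[attacker], path)
            if 200 <= status < 300:
                findings.append((victim, attacker, path, status))
    return findings

def run_demo(enforce_ownership: bool) -> List[Tuple[str, str, str, int]]:
    """Three test users, one invoice each; returns the cross-user reads found."""
    api = FakeInvoiceApi(
        invoices={"inv-1": "alice", "inv-2": "bob", "inv-3": "carol"},
        sessions={"tok-a": "alice", "tok-b": "bob", "tok-c": "carol"},
        enforce_ownership=enforce_ownership,
    )
    sessions = {"alice": "tok-a", "bob": "tok-b", "carol": "tok-c"}
    owned = {"alice": ["inv-1"], "bob": ["inv-2"], "carol": ["inv-3"]}
    if not baseline_ok(api.get, sessions, owned):
        raise RuntimeError("owners cannot read their own objects; fix the test setup first")
    return idor_matrix(api.get, sessions, owned)

if __name__ == "__main__":
    print("ownership enforced:", run_demo(True))   # []
    print("ownership missing: ", run_demo(False))  # six cross-user reads
```

With three users the matrix is six attacker/victim pairs; with real tenants (orgs, teams, workspaces) the same loop runs over every object type and every HTTP method, which is why this test is reserved for the Deep scan.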
Standard and Deep scans require domain verification for custom domains. Localhost URLs always work without verification.
How to start a scan
From the dashboard
- Go to Scans in the sidebar
- Click New Scan
- Enter your target URL
- Choose your scan mode — Probe, Standard, or Deep
- Toggle any options (auth testing, injection, aggressive mode, etc.)
- Click Start
The results page updates automatically when the scan finishes. You can navigate away — the scan runs in the background.
From your AI editor (MCP)
If you've set up MCP integration, ask your assistant directly:
- Run a Flowpatrol probe on https://myapp.vercel.app
- Run a standard Flowpatrol scan on https://myapp.vercel.app
- Run a deep Flowpatrol scan on https://myapp.vercel.app
Results appear inline in the chat.
How scans work under the hood
- Reconnaissance — the agent discovers routes, APIs, and auth flows
- Planning — an LLM analyzes the app structure and generates targeted attack hypotheses
- Execution — each hypothesis is tested with real HTTP requests (and browser interactions when needed)
- Reporting — findings are validated, deduplicated, and ranked by severity
Limits
- One scan runs per account at a time. If you start a new scan while one is running, it queues.
- Free accounts get 3 probes per month and cannot run Standard or Deep scans. Builder and Pro accounts get 30 and 120 credits respectively.
Next
Now that you know how to run scans, learn how to read the results.