This guide walks through the recommended first-run workflow for CyStack VulnScan. The default operating model is the Web UI because it gives teams shared asset inventory, scan history, finding triage, reports, members, mail notification, and license visibility in one workspace. A full CLI guide is available in CLI Reference. If this is your first VulnScan deployment, read Key Concepts before scanning. It explains how workspaces, assets, targets, scan runs, findings, evidence, reports, and AI-assisted analysis relate to each other.

Step 1: Get the Binary and License

CyStack VulnScan is distributed as a binary application for Windows, macOS, and Linux. To receive the program file and the matching license, contact CyStack Sales at sales@cystack.net. CyStack will provide:
  • The VulnScan binary for the required operating system.
  • A license key or offline activation file.
  • The licensed target scope, target limit, activation limit, and any deployment notes.
  • Optional offline update packages if the scanner will run in a restricted network.

Step 2: Prepare the Host

Choose a host that can reach the assets you are allowed to assess. For a production workspace, prepare:
  • A stable data directory for the workspace database, exports, logs, and runtime state.
  • Outbound network access for license activation and intelligence updates, unless your deployment uses offline activation and offline updates.
  • Network access from the VulnScan host to the target domains, IP addresses, CIDR ranges, and web applications.
  • SMTP, SendGrid, or AWS SES credentials if you want invitation, scan completion, and report-ready emails.

Step 3: Activate VulnScan

For online activation, run:
vulnscan activate --license CYSTACK-XXXX-XXXX-XXXX-XXXX
For offline activation, generate the host identifier, send it to CyStack, then activate with the file provided by CyStack:
vulnscan fingerprint
vulnscan activate --file activation.dat
Check the activated license:
vulnscan license
After activation, the license screen shows the allowed target scope, capacity, expiration, and available features.

Step 4: Start the Web UI

Start the Web UI on the default local address:
vulnscan web
For a shared server, bind to an explicit interface and data directory:
vulnscan web --bind 0.0.0.0:8080 --data-dir /var/lib/cystack-vulnscan
Open the URL printed in the terminal. On first run, create the initial administrator account. The first administrator can add workspace members, configure mail delivery, manage license settings, and start scans.
[Screenshot: VulnScan dashboard after setup]

Step 5: Complete Personal Details

Open the user menu and review personal settings:
  • Set the display name used in member lists, invitations, and email notifications.
  • Confirm the email address used for report-ready and scan-completed emails.
  • Choose the interface language.
  • Change the password if the account was created with a temporary password.
  • Use Log out from the same user menu when leaving a shared workstation.
Personal settings affect only the current user. Workspace settings such as mail provider, license, and members are managed separately by administrators.

Step 6: Add the First Asset

Go to Assets and choose Add asset. Start with a root domain, public IP address, or CIDR range that is explicitly included in your license.
[Screenshot: Add an asset]
Recommended first asset examples:
Asset Type | Example | Use When
Domain | acme.com | You want subdomain discovery, web discovery, TLS checks, and application checks across a business domain.
URL | https://app.acme.com | You want to focus on a specific application entry point.
IP address | 203.0.113.21 | You want service exposure and known-CVE detection for one host.
CIDR | 203.0.113.0/28 | You want to inventory and scan a small public network range.
After saving, VulnScan normalizes the target, validates it against the active license, and stores it in the workspace asset inventory.
[Screenshot: Asset inventory]
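An added illustration of the normalize-then-validate step described above. It is not VulnScan's own code: it classifies a candidate asset into the four asset types from the table, normalizes it, and checks it against a constructed license scope. LICENSE_SCOPE, classify_asset and validate_against_license are hypothetical names, and the allowed domain and network are sample values.

```python
import ipaddress
from urllib.parse import urlsplit

# Constructed stand-in for the licensed target scope issued with the license (Step 1).
LICENSE_SCOPE = {
    "domains": ["acme.com"],
    "networks": [ipaddress.ip_network("203.0.113.0/24")],
}

def classify_asset(raw: str) -> tuple[str, str]:
    """Normalize one asset string into (asset_type, value): Domain, URL, IP address or CIDR."""
    value = raw.strip()
    if "://" in value:
        parts = urlsplit(value)
        if parts.scheme not in ("http", "https") or not parts.hostname:
            raise ValueError(f"unsupported URL: {raw}")
        # Lowercase the host, keep an explicit port and the path, drop query and fragment.
        netloc = parts.hostname.lower() + (f":{parts.port}" if parts.port else "")
        return "URL", f"{parts.scheme}://{netloc}{parts.path or '/'}"
    if "/" in value:
        return "CIDR", str(ipaddress.ip_network(value, strict=False))
    try:
        return "IP address", str(ipaddress.ip_address(value))
    except ValueError:
        pass
    host = value.lower().rstrip(".")  # case and a trailing dot are not significant
    labels = host.split(".")
    if len(labels) < 2 or any(not l or not l.replace("-", "").isalnum() for l in labels):
        raise ValueError(f"not a valid domain: {raw}")
    return "Domain", host

def _host_in_scope(host: str, scope: dict) -> bool:
    """True when host is an allowed domain, a subdomain of one, or an IP in an allowed network."""
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        return any(host == d or host.endswith("." + d) for d in scope["domains"])
    return any(ip in net for net in scope["networks"])

def validate_against_license(raw: str, scope: dict = LICENSE_SCOPE) -> tuple[str, str, bool]:
    """Return (asset_type, normalized_value, in_scope) for a candidate asset."""
    asset_type, value = classify_asset(raw)
    if asset_type == "URL":
        in_scope = _host_in_scope(urlsplit(value).hostname, scope)
    elif asset_type == "CIDR":
        net = ipaddress.ip_network(value)
        in_scope = any(net.subnet_of(a) for a in scope["networks"] if net.version == a.version)
    else:
        in_scope = _host_in_scope(value, scope)
    return asset_type, value, in_scope
```

A supernet of a licensed range or a lookalike domain is reported as out of scope, which is the check an operator wants before a target reaches the scanner.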

Step 7: Review Discovery

Open the asset detail page before starting a vulnerability scan. Use this page to confirm that VulnScan has the right target context:
  • Discovered subdomains and live hosts.
  • Open web services and protocol services.
  • WAF/CDN signals such as Cloudflare, where detected.
  • TLS version, certificate validity, issuer, expiry, and configuration health.
  • Technologies, frameworks, CMS, plugins, themes, and service banners.
[Screenshot: Asset detail with discovery signals]
If discovery shows unexpected hosts, check the asset scope before scanning. If expected hosts are missing, verify DNS, firewall rules, and whether the host is reachable from the VulnScan server.

Step 8: Start a Vulnerability Scan

From the asset detail page, choose Start scan. Review the scan name, target list, and options before submitting.
[Screenshot: Start a vulnerability scan]
For authenticated web applications, add the required request context before scanning:
  • Cookie string for logged-in web sessions.
  • Custom headers for API keys, bearer tokens, tenant routing, or staging access.
  • HTTP Basic Auth credentials where the application uses Basic Auth.
Authenticated context should be limited to a test account with permission to access the areas you want assessed. Do not use personal production administrator sessions unless your internal testing policy explicitly allows it.

Step 9: Monitor Scan Progress

Open the scan detail page while the scan is running. The scan view shows the target, source, current status, discovered services, findings, severity distribution, and scan metadata.
[Screenshot: Scan detail]
VulnScan records standard Web UI, scheduled, and CLI scans in the same database. The scan source is tracked so teams can distinguish findings created from interactive web scans, automation, and scheduled jobs.

Step 10: Triage Findings

Start with Critical and High findings, then review Medium and Low findings based on business exposure. Open a finding to review evidence, affected endpoint, severity, risk score, confidence, CWE, OWASP mapping, references, and remediation.
[Screenshot: Finding detail]
Use the finding detail page to answer these questions:
  • What system and URL, port, or component is affected?
  • What evidence did VulnScan collect?
  • Is there a known CVE, CVSS score, EPSS probability, or CISA KEV signal?
  • Which OWASP Top 10 and OWASP WSTG category does the weakness map to?
  • What concrete remediation should the owner perform?
  • Should the finding remain open, be marked fixed, accepted as risk, or classified as a false positive after review?

Step 11: Export a Report

Open Reports or use the scan detail export action. VulnScan supports CSV, JSON, and PDF exports.
[Screenshot: Export report]
CSV and JSON are generated for technical workflows. PDF exports are created as background jobs because large scans can take time. While a PDF is being generated, the export action remains locked for that report. When the job is ready, VulnScan sends an email notification to the report creator if mail delivery is configured.

Step 12: Configure Workspace Operations

Before running the scanner for a broader team, complete the workspace setup:
  • Add workspace members and assign either Admin or Member roles.
  • Configure SendGrid, AWS SES, or custom SMTP for email delivery.
  • Confirm license target scope, target limit, activation limit, and expiration.
  • Define an internal process for reviewing scan results and confirming fixes.
  • Schedule recurring scans for critical external assets where continuous visibility is required.

First Production Checklist

Use this checklist before the first production scan:
  • License activated and target scope verified.
  • Workspace administrator account created with a real display name.
  • Mail provider tested successfully.
  • At least one asset added and discovery reviewed.
  • Authenticated scan credentials prepared where needed.
  • Report recipients and remediation owners agreed.
  • CSV/JSON/PDF export tested on a small scan.
  • CLI automation configured only after the Web UI workflow is validated.