Phase 1 of Indie Security’s assessment process focuses on mapping your entire application surface. This comprehensive crawling phase discovers endpoints, parameters, and application flows before security testing begins.

Overview

The Spider Phase uses a combination of human researchers and AI crawlers to maximize coverage:

Human Researchers

Use the Burp Extension to capture traffic from manual exploration of complex workflows.

ECHO-01 Crawler

AI-powered crawler that navigates applications intelligently and discovers hidden endpoints.

Spider Modes

Duration: 15-30 minutes

Fast surface mapping for rapid assessment. Best for:
  • Known applications with simple architecture
  • Quick verification scans
  • CI/CD pipeline integration
# API equivalent
POST /api/assessments
{
  "target_id": "target_123",
  "phase": "spider",
  "mode": "quick"
}

What Gets Discovered

  • All accessible pages and routes
  • REST API endpoints
  • GraphQL operations
  • WebSocket connections
  • Hidden admin panels
  • Query string parameters
  • POST body fields
  • HTTP headers
  • Cookie values
  • File upload points
  • Authentication sequences
  • Multi-step forms
  • State machine transitions
  • Business workflows
  • Framework detection
  • Server identification
  • JavaScript libraries
  • API patterns (REST, GraphQL, gRPC)

Burp Extension Integration

Capture authenticated sessions and complex user flows:
1. Install Extension

Download and install the Indie Security Burp extension from the dashboard.

2. Connect to Session

Enter your API key and target ID to link the extension with your assessment.
API Key: is_live_xxxxxxxxxxxxx
Target ID: target_123

3. Capture Traffic

Browse your application normally. All traffic is captured and sent to the knowledge graph.
Focus on authenticated areas and complex workflows that automated crawlers might miss.

4. Mark Auth Flows

Use the extension to mark login sequences so the AI can replicate authentication.

Spider Results

After completion, you’ll have access to:

Surface Map

Visual representation of discovered endpoints and their relationships.

Parameter Inventory

Complete list of all discovered input points.

Tech Stack Report

Identified technologies, frameworks, and potential attack vectors.

Coverage Metrics

Statistics on pages visited, endpoints found, and code coverage.

Best Practices

Always use dedicated test accounts for crawling. Never use production admin credentials.
Maximize coverage by:
  • Completing complex workflows manually with the Burp Extension
  • Providing multiple user roles for testing
  • Including API documentation if available

Next Steps

Once the Spider Phase completes, proceed to the Analysis Phase:

Analysis Phase

Begin AI-powered vulnerability testing on your mapped surface.