Skip to main content
Scope and guardrails tell MindFort what it is authorized to test and which actions require extra care. Configure them before starting assessments or directed tasks.

What Scope Controls

Use scope configuration to define:
  • primary domains and application URLs
  • additional allowed domains or routes that are part of the same target
  • in-scope systems agents should include
  • out-of-scope systems agents should exclude
  • important tenant, workspace, account, or environment values
  • authentication context and credential role boundaries
Keep the target scope as specific as possible. A precise scope gives agents stronger context and reduces noisy exploration.

Common Scope Patterns

PatternUse When
Single application domainThe target lives under one domain such as https://app.example.com.
Marketing plus app domainLogin begins on one domain and redirects into another application domain.
Tenant-specific appThe application requires an org slug, tenant ID, workspace ID, or account selector.
Authenticated-only areasSensitive routes should only be tested after the agent is signed in with an approved test credential.
Excluded operational pathsRoutes such as billing, destructive admin actions, production email sends, or customer-impacting workflows must be excluded or constrained with rules.

Guardrail Types

MindFort agents use guardrails to keep testing inside approved boundaries:
  • Rate Limiting controls agent request pacing with Auto, Aggressive, Reduced, and Extreme Stealth modes.
  • Scope stores Include and Exclude entries for domains, IPs, CIDRs, routes, or other testing boundaries.
  • Rules store additional constraints for agent behavior.
  • Custom Values store target-specific context agents should know while testing.

Configure Scope

  1. Open Target Inventory.
  2. Select the target.
  3. Open the Guardrails tab.
  4. Set Rate Limiting if the default automatic pacing is not appropriate.
  5. Add Include entries for systems that agents should test.
  6. Add Exclude entries for systems that agents must avoid.
  7. Add Rules for behavior constraints such as avoiding destructive actions.
  8. Add Custom Values for context such as tenant_slug, workspace_id, organization_id, or environment.
  9. Save changes before starting an assessment or task.
The Scope modal supports bulk entry for Include and Exclude items. Add one domain, IP, CIDR, route, or other scoped item per line.

Examples

Tenant-Aware SaaS App

Target: https://app.example.com
Login route: https://app.example.com/login
Tenant slug: acme-security
Include: /dashboard, /settings, /api
Exclude: /billing, /admin/delete-account
Rule: Do not trigger production emails or payment flows.

Multi-Domain Login Flow

Target: https://app.example.com
Login starts at: https://login.example.com
Include domains: app.example.com, login.example.com
Expected post-login page: https://app.example.com/dashboard

Before Launch

Confirm:
  • the target is verified
  • stored credentials are dedicated test accounts
  • login instructions include every redirect and required intermediate step
  • include and exclude entries are current
  • behavior rules cover sensitive workflows
  • WAF allowlisting is complete if your infrastructure filters automated traffic
For authentication setup, see Authentication & Credentials. For firewall setup, see WAF Whitelisting.