Guide · 4 min read · updated May 9, 2026

Your first pentest in five minutes

This guide walks through running your first scan in Violet. You will paste a target URL, click Start, and receive a security report in about an hour.

Before you start

  1. A target URL — the public-facing URL of the application you want tested.
  2. Optional: login credentials, if the application requires authentication.
  3. About 60 to 90 minutes for the scan to run.

Sign up

Open https://tryviolet.ai and click Sign up. Enter your email and choose a password. There is no email-verification gate — your account works immediately.

Once signed in, you land on the dashboard. On your first visit it is empty apart from a Start free trial scan call-to-action.

The wizard, step by step

Click Start free trial scan. A four-step wizard opens.

Step 1 — Target

Paste the URL of the application you want tested. Optionally add a short description to give the agents context.

URLs must be publicly reachable from the internet. Violet runs from external IPs and cannot reach localhost or VPN-only addresses.
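
To check the reachability requirement above before spending a scan, the following added example (not part of Violet or its documentation) flags target URLs whose host is an internal address. The function name `preflight`, the injectable `resolver` parameter and the sample hostnames are assumptions made for illustration, and "not globally routable" is used as a stand-in for "not reachable from external IPs".

```python
import ipaddress
import socket
from urllib.parse import urlsplit


def resolve(host):
    """Default resolver: every address the local DNS configuration returns."""
    return sorted({info[4][0] for info in socket.getaddrinfo(host, None)})


def preflight(url, resolver=resolve):
    """Return (ok, reasons); ok is False when an external scanner could not reach url."""
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https") or not parts.hostname:
        return False, ["not an absolute http(s) URL"]
    host = parts.hostname
    try:
        addrs = [str(ipaddress.ip_address(host))]  # IP literal in the URL
    except ValueError:
        try:
            addrs = resolver(host)
        except OSError as exc:  # socket.gaierror is an OSError
            return False, [f"{host} does not resolve: {exc}"]
    if not addrs:
        return False, [f"{host} resolved to no addresses"]
    # is_global is False for loopback, RFC 1918, link-local, and the
    # 100.64.0.0/10 shared range that some VPN overlays hand out.
    reasons = [f"{host} -> {a} is not publicly routable"
               for a in addrs
               if not ipaddress.ip_address(a.split("%")[0]).is_global]
    return not reasons, reasons


if __name__ == "__main__":
    # Constructed sample data: hostnames and addresses are illustrative only.
    fake_dns = {
        "app.example.test": ["93.184.216.34"],
        "localhost": ["127.0.0.1", "::1"],
        "intranet.example.test": ["10.20.30.40"],
    }
    for target in ("https://app.example.test/login",
                   "http://localhost:3000/",
                   "https://intranet.example.test/",
                   "https://192.168.1.10:8443/"):
        print(target, preflight(target, resolver=fake_dns.__getitem__))
```

Run it with the default resolver from a network outside your VPN: a split-horizon DNS setup can return an internal address inside the corporate network and a public one outside it.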

Step 2 — Auth

Choose a login type. The options:

  • None — the app is fully public. Violet scans as an anonymous user.
  • Login form — the app has a username/password login form. Provide the login URL, username, and password. Violet writes the credentials to a scan-local file the recon agent reads at runtime; credentials never enter agent prompts.
  • API key — the app uses an API key. Provide the header name and value; Violet sends the header on every request.
  • Username & password — HTTP Basic auth. Violet synthesizes the Authorization: Basic … header for you.

SSO, 2FA, and TOTP flows are not supported in this release. Use a service account, an API key, or a session cookie injected via custom HTTP headers (Advanced settings on the Review step) if your app requires one of those.

Step 3 — Source code (optional)

Connect a GitHub or GitLab repository if you want Violet to read your source. Up to five repos per scan. See Source code: on or off? for when this matters.

Step 4 — Review

Confirm the configuration. Acknowledge that you have authorization to test the target. Click Start scan.

Click Start

Once you click Start, you are redirected to the live progress page. The progress page shows:

  • A six-phase pipeline sidebar — Pre-Recon, Recon, Orchestration, Vulnerability Analysis, Exploitation, Reporting. Each phase shows a status indicator and elapsed time.
  • A live findings tally — counts of critical, high, medium, low, and informational findings as the agents discover them. Numbers update in near-real-time.
  • A live findings table — populates as findings are confirmed. Each row links to the finding's detail page.

A typical scan takes 60 to 90 minutes. You can close the browser tab — the scan continues. You will get an email when it completes.

Reading the report

When the scan completes, you will receive an email with a link to the report. The report is also accessible from the dashboard under Scans → [Your scan] → View report.

The report is a single page — also downloadable as PDF — containing:

  • Executive summary
  • Methodology and scope
  • Risk overview
  • Observation notes (one section per security domain)
  • Findings summary table
  • Vulnerability details (one detailed entry per finding)
  • Remediation roadmap with SLAs

The companion guide How to read a pentest report walks through every section.

Trial credit

Every new account starts with one free trial scan. The trial credit is consumed when you start your first scan. Subsequent scans require purchased credits.

Trial scans run the full six-phase pipeline but skip the exploitation phase to keep operator costs low. The trial report contains real findings from the analysis phase, marked with their confidence level.

To purchase additional scans, open Settings → Billing.

Once your first scan is running, the next thing to read is How to read a pentest report. It walks through every section of the report you will receive in about an hour.