Quick Start Guide

Welcome to the Quick Start Guide for our application. This guide will walk you through the primary features and functionalities available in our app, ensuring a smooth start for new users.

1. Autonomous Security Wizard

The Autonomous Security Wizard in our application automates the security assessment process for cloud resources.

Key Features and Steps

  • Resource Crawling: Automatically identifies cloud resources for security assessment.
  • CSPM Testing: Conducts Cloud Security Posture Management tests to evaluate resources against security best practices.
  • Pentestable Resource Identification: Isolates resources suitable for penetration testing.
  • PAC Config File Generation: Generates configuration files for identified resources to facilitate penetration testing.
  • Automated Penetration Testing: Performs comprehensive penetration testing on the identified resources (if enabled).

Using the Wizard

  1. Choose whether to select a cloud environment or just use domains.

  2. Enter cloud details and choose between 'Auto Discover' or 'Auto Discover and Emulate Attacks'.

  3. Initiate the process to assess vulnerabilities. Cloud connectors will be displayed if associated.

  4. Navigate to Collection Management for cloud collection pentest and Inventory Management to view domain tests and subdomain attack emulation.



2. PAC Configuration Wizard

The PAC Configuration Wizard in our application simplifies the security assessment and penetration testing process for cloud environments.

Key Features

  • Cloud Security Posture Management (CSPM): Scans cloud resources for misconfigurations, vulnerabilities, and compliance issues.
  • Pentesting Instance: Uses existing cloud accounts to run penetration testing, generating a detailed manifest for the pentesting job.
  • Automated Pentest Findings: Presents findings in a report, enabling quick actions for security improvement.

Using the Wizard

  • Cloud Connection:

    1. Select your cloud provider and establish a connection, either using an existing connection or creating a new one.
    2. Fill in the necessary details like tenant ID, service principal name, and key to connect to your cloud tenant.
    3. Ensure the service principal has appropriate permissions for resource reading, pentest resource creation, and key vault access.
  • Application Information:

    1. Enter details about the application to be pentested, including name, type, risk level, compliance requirements, and pentesting schedule.
    2. Decide the action for the scanner instance post-pentesting (stop or delete).
  • Scanner Setup:

    1. Choose between using an existing scanner or creating a new instance.
    2. Specify the type of pentest (External or Internal) and relevant cloud details like subscription, region, and resource group.
  • Target Selection:

    1. Specify the target for pentesting, either by manually entering the URL endpoint or using the auto-discovery feature.
    2. The target can be hosted on your cloud environment or be an external publicly available endpoint.
  • Authentication:

    1. Configure the authentication for the application, selecting from various methods like form-based, NTLM, JSON-based, Azure AD, JWT Token.
    2. For cloud-based authentication, specify the vault holding the authentication secrets.
  • PAC File Generation:

    1. Review and edit the generated PAC manifest file detailing the pentesting configurations.
    2. Submit the file to initiate the pentesting job.

What Happens Next

Once the PAC file is submitted, the system initiates the pentesting process, with results displayed on the "Pentest Findings" page.



3. Infra Wizard

The Infra Wizard in our application assists in connecting to cloud services for subscription management, resource monitoring, and compliance.

Key Steps and Features

  • Connection Setup: Provide details like Tenant ID, Service Principal Name, Service Principal ID, and Key to establish a cloud connection.
  • Security Mode Selection: Choose between 'Monitor' for compliance reporting or 'Monitor and Remediate' for both compliance reporting and automated policy issue resolution.
  • Scheduler Configuration: Set up one-time or continuous compliance monitoring.
  • Load Subscriptions: Load cloud subscriptions by providing the required details.
  • Subscription Selection and Finalization:
    • Select a specific subscription to manage.
    • Create connector, snapshot, and compliance configurations.
    • Run a crawler to fetch cloud resources and assess policy compliance.

Using the Wizard

  • Security Wizard Type:

    1. Choose the collection name and select the wizard type (adapted for your cloud provider).
    2. Proceed to the next steps for detailed configurations.
  • Connection Details:

    1. Enter cloud-specific connection details such as tenant ID and service principal information.
    2. Create a new service principal if required.
  • Select Security Mode:

    1. Opt for either 'Monitor' or 'Monitor and Remediate' based on your compliance and remediation needs.
  • Set Scheduler:

    1. Choose between a one-time run or continuous compliance monitoring schedule.
  • Account Loading and Selection:

    1. Load the relevant subscriptions and select the desired one for configuration.
    2. Complete the process by creating the necessary configurations and initiating resource crawling and compliance checks.

After completing the setup, you can view compliance results in the 'Infra findings' screen and access logs in the 'Log' screen.



4. Custom Attacks Overview

The PAC application provides features that allow you to write and upload custom attacks into the platform. This feature can be leveraged for the development of unique business logic attacks that can be effectively deployed across all enterprise applications.

Key Items

  • CVE: Custom Attacks will be categorized and referred to in the CVE section of the PAC configuration file.
  • Git Connector File: The Git Connector file is how the Prancer platform connects to the repository that hosts the custom attack.
  • Vault: Secure storage of keys and tokens to allow scanning of internal resources or repositories.

Getting Started with Custom Attacks

To view templates of the files mentioned below, please visit the full page.

  • Upload Attack to Git Repository:

    1. Custom attacks require two files to work properly: the custom attack script file and the metadata YAML file.
    2. Upload these two files to a Git repository of your choosing that will be connected later with the Git Connector.
  • Store Git Key in the Vault:

    1. Generate the Git access token and make sure its permissions allow full read access to the repositories needed for the attack.
    2. Navigate to the Vault in
  • Create a Git Connector File:

    1. Create and name your Git connector file. This file will be in JSON format.
    2. Upload the newly created Git Connector file to the Collection.
  • Create a PAC Configuration File:

    1. Use the PAC Wizard to create a PAC config file for the attack. If using an existing PAC file, it can be found in Inventory Management or under the assigned Collection.
  • Add Custom Attack PAC Configuration File:

    1. Click the PAC Configurations option in Inventory Management to open the PAC config editor.
    2. Add the custom attack CVE section to the file and select Keep Changes to save.



5. User Management Overview

The User Management feature in our application allows Admin users to effectively manage staff access to the Prancer web application.

Key Features

  • Role Management: Admins can create, edit, and delete different roles, assigning specific permissions to each.
  • Inviting Users: Admins can invite new staff users via email. Invited users can set their password and access the application upon registration.
  • Managing Permissions: Newly registered users initially have no access permissions. Admins can assign roles to these users, granting them the necessary access to various features.

Role Assignment and User Invitation

  • To add a new role, click on "Add Role," define the role, and assign permissions.
  • Send invitations to new users by email. Once a user sets up their account, their status updates from "Pending" to "Registered."

Changing User Permissions

  • Admins can change the permissions of a user by selecting their name from the staff list and adjusting their role.
  • Updated permissions allow staff users access to more features as defined by their roles.
