Filling assets

Asset types, accepted formats and best practices.

Assets are the pentest targets: URLs, IPs, domains or mobile apps that will be tested. This guide shows accepted formats, how to group by category and what to avoid.

Asset categories

HAS splits assets into 3 categories. You can pick one or combine several in the same test:

Application

Websites, APIs and mobile apps. Examples:

https://app.company.com — web application
https://api.company.com/v1 — REST API
play.google.com/store/apps/details?id=com.company — Android app
apps.apple.com/us/app/my-app/id123456789 — iOS app

Infrastructure

Servers, cloud and networks. Examples:

192.168.1.100 — internal server (requires access grant)
server.company.com — server with public hostname
s3.amazonaws.com/my-bucket — cloud resource
firewall.company.com:8443 — endpoint with specific port

Specialized

AI/LLM, IoT and others. Examples:

https://chat.company.com — LLM-based chatbot
https://api.company.com/gpt — AI endpoint
10.0.0.50:1883 — MQTT broker for IoT

Accepted formats

HAS accepts the formats below. Use only a-z 0-9 . - / : _ characters:

Full URL: https://app.company.com/login
Domain: company.com or app.company.com
IP: 203.0.113.45
IP with port: 203.0.113.45:8080
Subnet / CIDR: 192.168.1.0/24 (validate with our team first; some ranges require additional authorization)

Invalid assets show up highlighted in red. Check for spaces, commas or special characters. One entry per asset — separate by Enter or comma when pasting.

Assets per test limit

The limit depends on your company plan:

Pay-per-test: no fixed limit, each additional asset increases the price.
Monthly or Annual: the monthly quota (e.g., Starter 2/mo, Essential 4/mo, Business 8/mo).

If you need to test more assets in a single test, you can: (a) reduce the scope, (b) buy an extra Pay-per-test, or (c) upgrade your continuous plan.

Best practices

Be specific. Instead of company.com, prefer app.company.com/dashboard if the focus is the authenticated area.
One asset per entry. Don't combine URLs on a single line separated by commas — each line is one asset.
Don't put assets in the "Goal" field. The goal field is for describing what you want validated, not for listing URLs. The system blocks submissions if addresses are detected there.
Group correctly. A website and its API can be tested together, but list both addresses explicitly.

Multiple categories

You can mix categories in the same test. For example: Application (public site) + Infrastructure (internal server) + Specialized (chatbot). Pricing uses per-asset progressive discount.