Continuous Monitoring¶
Schedules periodic re-scans of targets to detect regressions, new vulnerabilities, and attack surface drift. Each schedule runs on a cron expression and can alert via webhooks when something changes.
How it works¶
- Create a monitoring schedule tied to an engagement and target URL
- The scheduler evaluates the cron expression and triggers scans at the configured times
- Each scan runs either a
lightweight(surface scan only) orstandard(nuclei + headers + surface snapshot) check - If
alert_on_changeis enabled and the scan detects differences from the previous run, amonitor_alertevent fires
Scan types¶
| Type | What it runs | Duration | Use case |
|---|---|---|---|
lightweight |
Surface snapshot + header check | ~2 min | Weekly drift detection |
standard |
Nuclei + nikto + surface snapshot | ~15 min | Monthly regression check |
API endpoints¶
List schedules¶
Returns all monitoring schedules, newest first.
Create schedule¶
{
"engagement_ref": "acme-2026-q1",
"target": "https://acme.example.com",
"cron_expression": "0 3 * * 1",
"scan_type": "lightweight",
"alert_on_change": true
}
| Field | Type | Default | Description |
|---|---|---|---|
engagement_ref |
string | required | Engagement this schedule belongs to |
target |
string | required | Target URL to scan |
cron_expression |
string | 0 3 * * 1 |
Standard cron (default: Monday 03:00) |
scan_type |
string | lightweight |
lightweight or standard |
alert_on_change |
bool | true |
Fire webhook events when changes are detected |
Get / Update / Delete schedule¶
GET /api/v1/monitor/{schedule_id}
PUT /api/v1/monitor/{schedule_id}
DELETE /api/v1/monitor/{schedule_id}
Update accepts partial payloads. You can pause a schedule by setting is_active: false.
Trigger on-demand scan¶
Runs the scan immediately, outside the regular cron schedule. Useful for post-deployment verification.
Response:
{
"status": "triggered",
"schedule_id": 5,
"target": "https://acme.example.com",
"scan_type": "lightweight",
"message": "Scan dispatched. Results will be available in the engagement directory."
}
Schedule response¶
{
"id": 5,
"engagement_ref": "acme-2026-q1",
"target": "https://acme.example.com",
"cron_expression": "0 3 * * 1",
"is_active": true,
"scan_type": "lightweight",
"last_run_at": "2026-03-10T03:00:12Z",
"next_run_at": "2026-03-17T03:00:00Z",
"last_status": "completed",
"alert_on_change": true,
"created_at": "2026-02-01T09:15:00Z"
}
CLI equivalent¶
The /monitor skill creates and manages monitoring schedules from the command line. The dashboard API provides the same functionality with a web interface.
Connections to other features¶
- Surface Drift: each monitoring scan creates a surface snapshot. The diff between consecutive snapshots determines whether a
surface_changedevent is fired - Webhooks: when
alert_on_changeis enabled and changes are detected, amonitor_alertevent is delivered to all matching webhooks - Cost & ROI: monitoring scans consume resources. The Cost & ROI feature tracks these costs alongside engagement costs for a complete picture