Skip to content

3. Creating a Project

Jump to bottom
“samuele edited this page Feb 21, 2026 · 1 revision

Creating a Project

Projects are the core organizational unit in RedAmon. Each project represents a single target domain and contains all the configuration for how to scan, analyze, and test it. This page walks you through creating a project with the 11-tab configuration form.

Starting a New Project

  1. Make sure you have a user selected (see User Management)
  2. On the Projects page, click the "New Project" button in the top-right area
  3. You'll be taken to the New Project form at /projects/new

Create Project

The Project Form: 11 Tabs

The project form is organized into 11 tabs, each controlling a different aspect of the scanning and analysis pipeline. Default values are loaded automatically from the server — you only need to fill in the required fields and adjust what you want.

Project Form Tabs

For the complete list of all 180+ parameters, see the Project Settings Reference.

Tab 1: Target & Modules

This is the only tab with required fields. Everything else has sensible defaults.

Required Fields

Field Description
Project Name A descriptive name for your assessment (e.g., "Example Corp Q1 2026")
Target Domain The root domain to scan (e.g., example.com). RedAmon checks for conflicts with existing projects

Target Options

Field Default Description
Subdomain Prefixes (empty) Specific subdomain prefixes to scan (e.g., www, api, mail). Leave empty to discover all subdomains automatically
Include Root Domain true Whether to include the root domain itself in the scan
Stealth Mode false Forces passive-only techniques. Disables active scanning, brute force, and GVM

Domain Ownership Verification

Optional feature to prove you own the target domain before scanning:

Field Default Description
Verify Domain Ownership false Require a DNS TXT record proof before scanning starts
Ownership Token (auto) A unique token to place in a TXT record
TXT Record Prefix _redamon The DNS record name prefix (e.g., _redamon.example.com)

Scan Modules

A hierarchical tree of modules you can enable/disable. Disabling a parent automatically disables all children:

Domain Discovery (root — always on)
  └── Port Scan
       └── HTTP Probe
            ├── Resource Enumeration (Katana, GAU, Kiterunner)
            └── Vulnerability Scanning (Nuclei)

General Options

Field Default Description
Update Graph Database true Auto-import results into Neo4j
Use Tor for Recon false Route all recon traffic through Tor
Use Bruteforce for Subdomains true Enable Knockpy active subdomain brute-forcing
WHOIS Max Retries 3 Retry attempts for WHOIS lookups
DNS Max Retries 3 Retry attempts for DNS resolution

Tab 2: Port Scanning (Naabu)

Controls how open ports are discovered on target hosts using Naabu. Key settings include scan type (SYN vs. CONNECT), top-N port selection, rate limiting, thread count, CDN exclusion, and passive mode via Shodan.

See Project Settings Reference > Port Scanner for all parameters.

Tab 3: HTTP Probing (httpx)

Controls what metadata is extracted from live HTTP services. Over 25 toggles for probe types: status codes, content analysis, technology detection, TLS/certificate inspection, favicon hashing, JARM fingerprinting, and more.

See Project Settings Reference > HTTP Prober for all parameters.

Tab 4: Resource Enumeration

Three tools for discovering web endpoints:

  • Katana — active web crawling with configurable depth and URL limits
  • GAU — passive URL discovery from web archives (disabled by default)
  • Kiterunner — API endpoint brute-forcing with REST/GraphQL wordlists

See Project Settings Reference > Resource Enumeration for all parameters.

Tab 5: Vulnerability Scanning (Nuclei)

Template-based vulnerability scanning with 9,000+ templates. Controls severity filters, DAST mode, Interactsh for blind vulnerability detection, and template management.

See Project Settings Reference > Vulnerability Scanner for all parameters.

Tab 6: CVE & MITRE

  • CVE Enrichment — enrich findings with CVSS scores, descriptions, and references from NVD or Vulners
  • MITRE Mapping — automatically map CVEs to CWE weaknesses and CAPEC attack patterns

See Project Settings Reference > CVE Enrichment for all parameters.

Tab 7: Security Checks

25+ individual toggle-controlled checks grouped into six categories:

  • Network Exposure — direct IP access, WAF bypass detection
  • TLS/Certificate — certificate expiry warning
  • Security Headers — missing Referrer-Policy, Permissions-Policy, COOP, CORP, COEP, Cache-Control, CSP unsafe-inline
  • Authentication — login forms over HTTP, insecure session cookies, Basic Auth without TLS
  • DNS Security — missing SPF, DMARC, DNSSEC, zone transfer
  • Exposed Services — admin ports, databases, Redis, Kubernetes API, SMTP open relay

See Project Settings Reference > Security Checks for all parameters.

Tab 8: GVM Scan

Configure the GVM/OpenVAS network-level vulnerability scanner. Choose scan profiles (from Host Discovery to Full and very deep ultimate), target strategy, and timeout settings.

See Project Settings Reference > GVM Vulnerability Scan and the GVM Vulnerability Scanning guide.

Tab 9: Integrations

GitHub Secret Hunting — configure GitHub API access for scanning repositories and gists for leaked secrets. Requires a Personal Access Token.

See GitHub Secret Hunting for a step-by-step setup guide.

Tab 10: Agent Behaviour

Configure the AI agent that performs autonomous pentesting:

  • LLM Model — select from 400+ models across 5 providers
  • Phase Control — enable/disable post-exploitation, choose statefull vs. stateless mode
  • Custom System Prompts — inject custom instructions per phase
  • Payload Configuration — LHOST, LPORT, bind port, HTTPS toggle
  • Agent Limits — max iterations, trace memory, tool output truncation
  • Approval Gates — require user confirmation before exploitation/post-exploitation
  • Retries & Logging — Cypher retries, log rotation settings

See Project Settings Reference > Agent Behavior for all parameters.

Tab 11: Attack Paths

Configure attack path settings:

  • Hydra Brute Force — threads, timeouts, extra checks, verbose output
  • Tool Phase Restrictions — matrix controlling which tools are available in each phase (Informational, Exploitation, Post-Exploitation)

See Project Settings Reference > Hydra Brute Force for all parameters.

Saving the Project

Once you've configured your settings:

  1. Click the "Create Project" button at the bottom of the form
  2. RedAmon checks for domain conflicts (no two projects can target the same domain)
  3. If successful, the project is created and you're redirected to the Projects page
  4. Your new project appears as a card in the project grid

Editing an Existing Project

To modify a project's settings after creation:

  1. Go to the Projects page
  2. Click on the project card you want to edit
  3. You'll be taken to the project settings page (/projects/{id}/settings)
  4. Make your changes across any of the 11 tabs
  5. Click "Save" to apply

Domain Conflict Detection

RedAmon prevents multiple projects from targeting the same domain. When you enter a target domain:

  • The system checks against all existing projects (with a 500ms debounce)
  • If a conflict is found, you'll see a warning message
  • You cannot create or save a project with a conflicting domain

Next Steps

With your project created, head to the Graph Dashboard to explore the main interface, then run your first reconnaissance.

RedAmon GitHub Repository | Report an Issue | Back to Home

Home

User Guide

  1. Getting Started
  2. User Management
  3. Creating a Project
  4. The Graph Dashboard
  5. Running Reconnaissance
  6. GVM Vulnerability Scanning
  7. GitHub Secret Hunting
  8. AI Agent Guide

Reference

  1. Project Settings Reference
  2. AI Model Providers
  3. Attack Surface Graph
  4. Data Export & Import

Help

  1. Troubleshooting

Clone this wiki locally