
Authenticated Testing with SpartanX

This guide walks you through how to perform authenticated testing using the SpartanX platform.

Written by SpartanX CS

Authenticated testing lets security professionals test an application as a logged-in user, so that vulnerabilities visible only after login, such as cross-tenancy issues, privilege escalation, and unauthorized access, can be discovered. Instead of launching the engagement immediately, you save it first, then provide your credentials and knowledge context before starting the automated red team agents.

Step 1: Launch a New Engagement

Navigate to Red Teaming > Engagements in the left sidebar and click "Launch New Engagement" to open the 5-step wizard. On Step 1, select "Full-Scope Operation" as your engagement type, then click Next to proceed.

Figure 1: Step 1 of the engagement wizard — selecting the engagement type

Step 2: Select Your Target Asset

On Step 2, paste your target URL into the "Paste Targets" field. The platform will validate and resolve the target address. Choose "Strict" mode to scan only the provided targets. Wait for validation to complete, then click Next.

Figure 2: Step 2 — pasting the target URL and validating the asset

Step 3: Save the Engagement (Do Not Launch Yet)

Continue through the wizard to Step 5 (Schedule & Launch). Instead of clicking "Launch Engagement" or "Start Now", click "Save & provide secrets". This saves the engagement in the Pending state and takes you to its detail page, where you can add credentials before running it.

Figure 3: Step 5 — choosing "Save & provide secrets" instead of launching immediately

Step 4: Capture Your Session Cookie via Burp Suite

Before adding credentials to SpartanX, capture your session cookie from Burp Suite. In HTTP history, locate the POST /login request or any authenticated GET request. In the request panel, find the Cookie header containing your session token (e.g., session=aCGcwU6x...) and copy only the value, i.e. the part after session=, without the cookie name or any other cookies in the header.

Figure 4: Burp Suite HTTP history showing an authenticated session cookie to copy
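As an added illustration of this step (not part of the original guide or the SpartanX product), the following Python script pulls the bare session value out of a raw request copied from Burp's request panel, handling tokens that contain "=" themselves and multiple cookies in one header; the request text, host and token are constructed for the example.

```python
from typing import Dict

# Constructed sample of what Burp's request panel shows for an authenticated
# request; the host and token values are made up for this example.
SAMPLE_REQUEST = (
    "GET /account HTTP/1.1\r\n"
    "Host: app.example.com\r\n"
    "Cookie: _ga=GA1.2.99; session=aCGcwU6x.eyJ1aWQiOjF9.c2ln==; csrftoken=abc123\r\n"
    "Accept: */*\r\n"
    "\r\n"
)


def parse_cookie_header(raw_request: str) -> Dict[str, str]:
    """Return name -> value for every pair in the request's Cookie header(s).

    Each pair is split on its first '=' only, so tokens that themselves
    contain '=' (base64 padding, signed-session formats) are kept whole.
    Header names are matched case-insensitively; the body is ignored.
    """
    cookies: Dict[str, str] = {}
    head = raw_request.split("\r\n\r\n", 1)[0].split("\n\n", 1)[0]
    for line in head.splitlines():
        if not line.lower().startswith("cookie:"):
            continue
        for pair in line.split(":", 1)[1].split(";"):
            pair = pair.strip()
            if "=" in pair:
                name, value = pair.split("=", 1)
                cookies[name.strip()] = value.strip()
    return cookies


def session_value(raw_request: str, name: str = "session") -> str:
    """The bare value to paste into the Cookies field (no 'name=' prefix).

    Raises KeyError when the request carries no cookie of that name, which
    usually means the wrong request was selected in HTTP history.
    """
    cookies = parse_cookie_header(raw_request)
    if not cookies.get(name):
        raise KeyError(f"no non-empty cookie named {name!r} in request")
    return cookies[name]


def masked(value: str, keep: int = 4) -> str:
    """Redacted form safe to put in notes or a secret Description."""
    return value[:keep] + "*" * max(0, min(8, len(value) - keep))


if __name__ == "__main__":
    token = session_value(SAMPLE_REQUEST)
    print(f"session cookie captured: {masked(token)} ({len(token)} chars)")
```

Paste the raw request into SAMPLE_REQUEST (or read it from a file) and use the returned value as the cookie value in Step 5; keep only the masked form anywhere it is written down.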

Step 5: Add the Session Cookie as a Secret

On the engagement detail page, go to the Secrets tab and click "+ Secret". In the Add Secret modal: set Secret Type to "Cookie", provide a Name (e.g., "logged in cookie"), add a Description, and paste your session cookie value into the Cookies field. Click "Add Secret" to encrypt and save it.

Figure 5: The "Add Secret" modal — entering the cookie name, description, and value

Step 6: Confirm the Secret is Saved

After clicking "Add Secret", a green "Secret created" notification will appear in the top right corner. The Secrets tab will now show your cookie entry with Type: Cookie, Origin: Provided by User, and Scope: Engagement. You can add multiple secrets if your application requires more than one cookie.

Figure 6: The Secrets tab confirming the "logged in cookie" secret was created successfully

Step 7: Add a Knowledge Entry for the Cookie

Navigate to the Knowledge tab and click "+ Knowledge". Give the entry a descriptive name (e.g., "Where to use logged in cookie") and write instructions for the agents in plain English: "For any browsing on the internal app, this cookie is required." You can also name particular endpoints or domains. Click "Add Knowledge" to save.

Figure 7: The "Add Knowledge" modal — documenting when and how to use the session cookie

Step 8: Review the Knowledge Entry

The Knowledge tab will now show your entry with Type: Knowledge and Origin: Provided by User. This tells the AI agents exactly where and how to apply the session cookie during testing. Agents can also discover and add their own knowledge entries automatically (Origin: Discovered by Agent).

Figure 8: The Knowledge tab showing the saved knowledge entry for cookie usage

Step 9: Launch the Engagement

Return to the engagement overview. The engagement will be in "Pending" status. Click "Start Now" to begin the authenticated red team engagement. The platform will progress through: Pending > Scheduled > Setting Up > In Progress > Completed. The AI agents will use your provided credentials and knowledge to perform fully authenticated testing.

Figure 9: The engagement overview in Pending state — click "Start Now" to launch

Tips & Best Practices

  • Use Burp Suite or your browser's DevTools to capture session cookies after login.

  • Add one knowledge entry per cookie or secret, describing exactly where to use it.

  • You can add multiple cookies if your application requires more than one for authentication.

  • Use the "Custom" secret type for non-standard auth mechanisms with custom fields.

  • The Secrets tab supports Cookie, Credentials, API Key, API Endpoint, SSH Key, and Certificate types.

  • Agents will auto-discover and store secrets they find during testing (e.g., tokens in source code).

  • Knowledge entries can scope a cookie to a specific domain or API endpoint for precision.
