Combining Spider and Active Scan
Effective security testing combines Spider discovery with targeted active scanning. Run the Spider first to build a comprehensive site map. Review discovered content before active scanning, removing unnecessary targets. This two-phase approach provides control over what gets tested while ensuring broad coverage. Configure contexts to maintain scope throughout both phases.
Incremental scanning strategies work well for large or evolving applications. Spider and scan new features as they're developed rather than waiting for complete applications. Use ZAP's session comparison to identify new URLs between scans. Focus active scanning on changed content where new vulnerabilities most likely exist. This incremental approach integrates security testing into development workflows.
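The two-phase flow from the previous paragraphs (spider, review the discovered URLs, then active-scan only what survived review, or only what is new since the last session) as an added Python example; it is not part of the original page. It assumes the `zapv2` client from the python-owasp-zap-v2.4 package, a ZAP instance reachable on localhost, and the constructed sample URLs and exclusion patterns shown in the code.

```python
"""Spider -> triage -> targeted active scan against a ZAP instance."""
import re
import time
from typing import Iterable, List

# Assumed triage rules: drop session-ending endpoints (scanning them logs the
# spider's session out) and static assets that carry no server-side logic.
DEFAULT_EXCLUDES = (r"/logout\b", r"/signout\b",
                    r"\.(?:css|js|png|jpg|gif|svg|woff2?)(?:\?|$)")

# Constructed sample of what a spider run might report (not real output).
SAMPLE_SPIDER_RESULTS = [
    "https://app.example/", "https://app.example/account",
    "https://app.example/logout", "https://app.example/static/app.js",
    "https://cdn.other/lib.js", "https://app.example/account",
]


def triage(urls: Iterable[str], scope_prefix: str,
           excludes=DEFAULT_EXCLUDES) -> List[str]:
    """Keep in-scope, non-excluded URLs; drop duplicates; preserve order."""
    seen, kept = set(), []
    for u in urls:
        if not u.startswith(scope_prefix) or any(re.search(p, u) for p in excludes):
            continue
        if u not in seen:
            seen.add(u)
            kept.append(u)
    return kept


def new_since(previous: Iterable[str], current: Iterable[str]) -> List[str]:
    """Session comparison: URLs in the current run that the previous run lacked."""
    prev = set(previous)
    return sorted(u for u in set(current) if u not in prev)


def run_two_phase(zap, target: str, scope_prefix: str,
                  previous_urls: Iterable[str] = (), poll: float = 2.0):
    """Spider `target`, triage results, active-scan only the selected URLs.
    `zap` is a zapv2.ZAPv2 client; status calls return a percent as a string."""
    sid = zap.spider.scan(target, subtreeonly=True)
    while int(zap.spider.status(sid)) < 100:
        time.sleep(poll)
    found = triage(zap.spider.results(sid), scope_prefix)
    targets = new_since(previous_urls, found) if previous_urls else found
    for url in targets:  # one non-recursive scan per reviewed URL
        aid = zap.ascan.scan(url, recurse=False, inscopeonly=True)
        while int(zap.ascan.status(aid)) < 100:
            time.sleep(poll)
    return found, targets
```

Run `triage(SAMPLE_SPIDER_RESULTS, "https://app.example/")` offline to see the review step on its own; `run_two_phase` needs a live ZAP client.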
Authenticated scanning requires coordination between Spider and scanner components. Ensure both use the same session handling configuration. Monitor authentication status during long scans, implementing re-authentication if needed. Test both authenticated and unauthenticated perspectives, as different vulnerabilities may be exposed. Some vulnerabilities only appear when transitioning between authentication states.