
Per-Target Ownership Verification for Takumi Blackbox Assessment

Taiga Ono
Software Engineer @ GMO Flatt Security Inc.

Takumi Blackbox Assessment now supports per-target ownership verification.

Users can now verify ownership of individual target applications and use features involving dynamic network connections against them, without requiring organization-level authentication.

Overview

Previously, using features that involve dynamic network connections (such as Takumi's blackbox assessment) against targets such as production environments required completing organization authentication, a process that involves submitting an application and waiting for approval (typically 2-3 business days).

With per-target ownership verification, you can now prove ownership of specific targets and start using these features immediately.

If your organization is already authenticated, you can use features that involve dynamic network connections without per-target ownership verification.

This feature is particularly useful for:

  • Testing specific applications before completing organization authentication
  • Scenarios where organization authentication is difficult to complete

How It Works

Ownership verification confirms that you control the target application through one of two methods:

  1. DNS TXT Record: Add a TXT record to _takumi-ownership.<your-domain> containing your verification token
  2. HTTP Well-Known: Place your verification token at /.well-known/takumi-ownership on your target server

Once verified, features involving dynamic network connections can be used against the target by any member of your organization with Takumi access.
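
A pre-flight check a target owner could run before requesting verification, added here as an example and not taken from Takumi's own code. It takes the output of `dig +short TXT` for the record name and the status and body of a GET to the well-known path. The function names, the sample token, and the exact-match rule (token equals the whole value after trimming) are assumptions.

```python
import hmac
import shlex

TXT_LABEL = "_takumi-ownership"                    # record label from the post
WELL_KNOWN_PATH = "/.well-known/takumi-ownership"  # path from the post


def txt_record_name(domain: str) -> str:
    """Name the TXT record must be published at for `domain`."""
    return f"{TXT_LABEL}.{domain.strip().rstrip('.').lower()}"


def txt_values(dig_short_output: str) -> list[str]:
    """Decode `dig +short TXT` output: one record per line, each made of one
    or more quoted chunks that are concatenated without separators."""
    values = []
    for line in dig_short_output.splitlines():
        if line.strip():
            values.append("".join(shlex.split(line)))
    return values


def same_token(candidate: str, token: str) -> bool:
    # Assumption: exact match after trimming surrounding whitespace.
    # compare_digest avoids leaking how much of the token matched.
    return hmac.compare_digest(candidate.strip().encode(), token.strip().encode())


def dns_ready(dig_short_output: str, token: str) -> bool:
    """True if any TXT record at the name equals the token."""
    return any(same_token(v, token) for v in txt_values(dig_short_output))


def http_ready(status: int, body: str, token: str) -> bool:
    """True only for a direct 200 whose whole body is the token; a redirect
    or a catch-all HTML page must not count as proof of control."""
    return status == 200 and same_token(body, token)


# Constructed sample data, not real Takumi tokens or responses.
TOKEN = "example-token-0123456789abcdef"
DIG_OUTPUT = '"example-token-stale"\n"example-token-" "0123456789abcdef"\n'
SPA_BODY = "<!doctype html><title>App</title>"

if __name__ == "__main__":
    print(txt_record_name("App.Example.com."), dns_ready(DIG_OUTPUT, TOKEN))
    print(http_ready(200, TOKEN + "\n", TOKEN), http_ready(200, SPA_BODY, TOKEN))
```

The cases that most often break this kind of check are a stale token left beside the new one, a long TXT value split into several quoted chunks, and a single-page app that answers every path with 200 and its HTML shell.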

Getting Started

This feature is available to all Takumi by GMO users at no additional cost.

Only users with either the organization owner role or Takumi manager role can perform verification. Users without those roles can dispatch assessments against already-verified targets, but will not be able to verify the ownership of new targets.

For detailed instructions, see Organization Verification and Ownership Verification.

Organization Authentication

If you prefer to use features involving dynamic network connections against any target without per-target verification, organization authentication remains available. Once your organization is authenticated, all targets can be used without individual ownership verification.

For more information, see Organization Authentication.