Risk Focus Blackbox Assessment Now Available via Takumi API
Risk Focus Assessment, previously available only through the web console, is now supported in Takumi API blackbox assessments.
Risk Focus Assessment lets you start with the highest-risk areas, review results, and incrementally expand the assessment scope — all within a credit limit. You can set priorities explicitly or let Takumi prioritize automatically based on risk analysis. When the credit limit is reached, the assessment outputs results up to that point and stops. You can then add more credits and resume where you left off.
This is useful when you want predictable credit consumption or need to prioritize critical areas within a budget.
Usage Examples
Assess within a Credit Limit
To assess within a credit limit with automatic prioritization, specify crawl_credit_limit and/or scan_credit_limit when dispatching the workflow. Each can be set independently. The following example sets a crawl credit limit of 20 and a scan credit limit of 50 (consuming at most 70 credits total).
// TAKUMI_API, TAKUMI_ORG and headers (the request headers, including authentication) are assumed to be defined earlier
const { workflow_run_id } = await fetch(
  `${TAKUMI_API}/v1/o/${TAKUMI_ORG}/workflows/blackbox-assessment/dispatch`,
  {
    method: "POST",
    headers,
    body: JSON.stringify({
      input: {
        language: "english",
        target_urls: ["https://app.example/"],
        crawl_credit_limit: 20, // Credit limit for crawling (optional)
        scan_credit_limit: 50, // Credit limit for scanning (optional)
      },
    }),
  },
).then((r) => r.json());
When crawl_credit_limit is set and the limit is reached during crawling, the crawl stops and scanning begins on the features discovered so far.
After crawling, Takumi automatically determines the priority of each feature-perspective combination based on risk analysis and scans them in priority order. When scan_credit_limit is reached, the assessment outputs the results collected so far and stops.
When the assessment finishes, you receive the assessment report and findings, along with a scan_progress artifact that shows which feature-perspective combinations were completed.
{
  // Combinations that were scanned
  "completed": [
    { "feature_name": "authentication", "perspective": "Injection" },
    { "feature_name": "user_settings", "perspective": "Authorization" },
    // ...
  ],
  // Combinations skipped because they were deemed unnecessary
  "skipped": [
    { "feature_name": "Apex", "perspective": "CSRF" },
    // ...
  ],
}
To assess more combinations, see Resume an Assessment with Additional Credits.
Assess within a Credit Limit with Custom Priorities
You can also set priorities explicitly for each feature-perspective combination. This lets you adjust priorities based on business impact, recent code changes, or other factors. Specify the priority field in the pairs parameter used for scoped assessments and retests.
const { workflow_run_id } = await fetch(
  `${TAKUMI_API}/v1/o/${TAKUMI_ORG}/workflows/blackbox-assessment/dispatch`,
  {
    method: "POST",
    headers,
    body: JSON.stringify({
      input: {
        language: "english",
        target_urls: ["https://app.example/"],
        scan_credit_limit: 50, // Credit limit for scanning (optional)
        // Reuse features discovered by a previous crawl workflow
        resume: {
          kind: "assess_crawled_features",
          assess_crawled_features: {
            workflow_id: "blackbox-crawl",
            workflow_run_id: "TWR...", // workflow_run_id of the crawl
          },
        },
        pairs: [
          // feature_name must match a name from the crawl workflow's `features` artifact
          {
            feature_name: "authentication",
            perspective: "Injection",
            priority: "high",
          },
          {
            feature_name: "user_settings",
            perspective: "Authorization",
            priority: "medium",
          },
          {
            feature_name: "product_catalog",
            perspective: "XSS",
            priority: "low",
          },
          // When priority is omitted, Takumi assigns one automatically based on risk analysis
          { feature_name: "checkout", perspective: "BusinessLogic" },
        ],
      },
    }),
  },
).then((r) => r.json());
When the credit limit is reached, you can check which combinations were completed using the scan_progress artifact, as described in Assess within a Credit Limit.
Setting custom priorities requires that features have already been discovered by a Takumi API workflow (blackbox-crawl or blackbox-assessment). Specify the feature names from the features artifact of that workflow in pairs, and provide the corresponding workflow_run_id in resume.assess_crawled_features.
Resume an Assessment with Additional Credits
You can resume an assessment that stopped due to a credit limit or was scoped to a subset of combinations. The resumed assessment inherits the previous results and continues scanning unscanned combinations in priority order.
const { workflow_run_id: next_workflow_run_id } = await fetch(
  `${TAKUMI_API}/v1/o/${TAKUMI_ORG}/workflows/blackbox-assessment/dispatch`,
  {
    method: "POST",
    headers,
    body: JSON.stringify({
      input: {
        language: "english",
        target_urls: ["https://app.example/"],
        scan_credit_limit: 50, // Credit limit for the additional scan (optional)
        resume: {
          kind: "continue_assessment",
          continue_assessment: {
            workflow_id: "blackbox-assessment",
            workflow_run_id: workflow_run_id, // workflow_run_id of the assessment to resume
          },
        },
        // Optionally scope or reprioritize (omit to let Takumi prioritize all remaining combinations)
        pairs: [
          // feature_name must match a name from the resumed assessment's `features` artifact
          {
            feature_name: "authentication",
            perspective: "Injection",
            priority: "high",
          },
          // ...
        ],
      },
    }),
  },
).then((r) => r.json());
You can optionally specify pairs to scope the resumed assessment to specific combinations or adjust priorities. If omitted, Takumi automatically prioritizes all remaining unscanned combinations.
You can repeat this cycle — assess, review results, resume — to incrementally expand your assessment scope while reviewing findings along the way.
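As an added example (not code from the Takumi documentation or SDK), the helper below turns the scan_progress artifact of a stopped run into the pairs for a continue_assessment dispatch: combinations already listed as completed or skipped are dropped, and the priorities from the previous request are carried over. The sample artifact and pairs are constructed, and buildResumeInput is a hypothetical helper whose field names follow the requests shown above.

```javascript
// Constructed sample scan_progress artifact, shaped like the one shown above.
const sampleScanProgress = {
  completed: [
    { feature_name: "authentication", perspective: "Injection" },
    { feature_name: "user_settings", perspective: "Authorization" },
  ],
  skipped: [{ feature_name: "Apex", perspective: "CSRF" }],
};

// Constructed sample of the pairs sent with the previous dispatch.
const samplePreviousPairs = [
  { feature_name: "authentication", perspective: "Injection", priority: "high" },
  { feature_name: "user_settings", perspective: "Authorization", priority: "medium" },
  { feature_name: "product_catalog", perspective: "XSS", priority: "low" },
  { feature_name: "checkout", perspective: "BusinessLogic" }, // no explicit priority
];

// Key a feature-perspective combination so it can be looked up in a Set.
const pairKey = (p) => `${p.feature_name}|${p.perspective}`;

// Return the previous pairs that were neither completed nor skipped,
// keeping their explicit priorities (or lack of one) unchanged.
function remainingPairs(scanProgress, previousPairs) {
  const done = new Set(
    [...(scanProgress.completed ?? []), ...(scanProgress.skipped ?? [])].map(pairKey),
  );
  return previousPairs.filter((p) => !done.has(pairKey(p)));
}

// Hypothetical helper (assumption): build the `input` for a continue_assessment
// dispatch. Field names follow the examples above; values are placeholders.
function buildResumeInput(previousRunId, scanProgress, previousPairs, scanCreditLimit) {
  const pairs = remainingPairs(scanProgress, previousPairs);
  return {
    language: "english",
    target_urls: ["https://app.example/"],
    scan_credit_limit: scanCreditLimit,
    resume: {
      kind: "continue_assessment",
      continue_assessment: {
        workflow_id: "blackbox-assessment",
        workflow_run_id: previousRunId,
      },
    },
    // Omit `pairs` when nothing from the previous list is left, so Takumi
    // prioritizes all remaining unscanned combinations itself.
    ...(pairs.length > 0 ? { pairs } : {}),
  };
}
```

Pass the returned object as the `input` of the dispatch body shown above, using the workflow_run_id of the run that stopped.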
Limitations
This feature is only available for assessments dispatched via the Takumi API. You cannot resume a web console assessment from the API, or vice versa. For details, see Relationship with the Web Console's "Assessment" Feature in the API user guide.
Getting Started
See the API documentation for full details.
