# Quickstart {#quickstart}

This page walks you through running your first Takumi assessment after you have purchased a Takumi plan.

## Prerequisites {#prerequisites}

Before you run your first assessment, the following needs to be in place:

- A Shisho Cloud organization with an active [base subscription](/docs/t/management/subscribing.md).
- Membership in that organization.

## Run Your First Assessment {#first-assessment}

Pick the assessment type that matches what you want to test, then follow the steps below.

### Whitebox Assessment {#first-whitebox}

A whitebox assessment reads source code and specifications and runs a focused security review against the repository.

1. Open **Assessments** from the Shisho Cloud console sidebar.
2. Click **New Assessment** and choose **Whitebox**.
3. Upload the source you want to assess as a file.
4. Click **Start**.

The configuration screen looks like this:

![Whitebox assessment start dialog](/docs/_md-assets/19f46ab7bc-ui-whole-en.png)

Instead of uploading a file, you can select one of the GitHub repositories connected to Takumi. To do this, complete the [GitHub integration](/docs/t/assessment/features/integrations/github.md) first.

The run continues in the background, so closing the screen does not stop it.

![Whitebox assessment pending state](/docs/_md-assets/1eb0248a14-ui-pending-1.png)

For details on what consumes credits, see [Whitebox Assessment](/docs/t/assessment/features/whitebox-assessment.md).

### Blackbox Assessment {#first-blackbox}

A blackbox assessment crawls a target URL and probes for vulnerabilities without reading source code.

1. Open **Assessments** from the Shisho Cloud console sidebar.
2. Click **New Assessment** and choose **Blackbox**.
3. Enter the target URL and any authentication details.
4. Click **Start**.

The configuration screen for blackbox assessments looks like this:

![Blackbox assessment start dialog](/docs/_md-assets/d853a2d4c2-ui-simple.png)

For authentication options and crawl-result editing, see [Blackbox Assessment](/docs/t/assessment/features/blackbox-assessment.md). Before you can target a URL for the first time, complete the [organization or ownership verification](/docs/t/assessment/features/assessment-authentication.md) flow:

![Successful ownership verification](/docs/_md-assets/af5381ce89-successful_auth_result.png)

## Completing an Assessment {#completing-an-assessment}

Both whitebox and blackbox assessments currently use a **risk-focus** model. Takumi assesses cells (functions, endpoints, and other fine-grained units of the target) in order of risk score, and a run transitions through these states depending on the credit limit and other conditions:

```mermaid
stateDiagram-v2
    [*] --> Running: Start
    Running --> AwaitingResume: Credit limit reached
    AwaitingResume --> Running: Raise the limit and resume
    Running --> Completed: All cells assessed / Complete button
    AwaitingResume --> Completed: Complete button
    Running --> Cancelled: Cancel
    AwaitingResume --> Cancelled: Cancel
    Completed --> [*]
    Cancelled --> [*]
```
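
The state diagram above, modelled as an added example (not Takumi's code or API): cells are taken in descending risk score under a credit limit. The per-cell credit costs, the rule that a cell starts only if its cost fits under the limit, and all names are assumptions for illustration.

```python
import heapq
from dataclasses import dataclass, field
# Constructed sample cells: (name, risk score, assumed credit cost).
SAMPLE_CELLS = [("GET /health", 5, 1), ("POST /login", 90, 4),
                ("POST /upload", 70, 3), ("GET /profile", 40, 2)]

@dataclass
class Assessment:
    """Toy model of a risk-focus run; not Takumi's implementation."""
    cells: list
    credit_limit: int
    state: str = "Running"
    spent: int = 0
    assessed: list = field(default_factory=list)

    def __post_init__(self):
        # Max-heap on risk score: the highest-risk cell is assessed first.
        self._queue = [(-risk, name, cost) for name, risk, cost in self.cells]
        heapq.heapify(self._queue)

    def run(self):
        """Assess cells in risk order until done or the credit limit is hit."""
        if self.state != "Running":
            raise RuntimeError(f"cannot run from {self.state}")
        while self._queue:
            _, name, cost = self._queue[0]
            if self.spent + cost > self.credit_limit:
                self.state = "AwaitingResume"   # Credit limit reached
                return self.state
            heapq.heappop(self._queue)
            self.spent += cost
            self.assessed.append(name)
        self.state = "Completed"                # All cells assessed
        return self.state

    def resume(self, new_limit):
        """Raise the limit and resume (AwaitingResume -> Running)."""
        if self.state != "AwaitingResume" or new_limit <= self.credit_limit:
            raise RuntimeError("resume needs AwaitingResume and a higher limit")
        self.credit_limit = new_limit
        self.state = "Running"
        return self.run()

    def finish(self, action):
        """'complete' or 'cancel'; cells assessed so far are kept."""
        if self.state not in ("Running", "AwaitingResume"):
            raise RuntimeError(f"cannot {action} from {self.state}")
        self.state = {"complete": "Completed", "cancel": "Cancelled"}[action]
        return self.state
```

Because the queue is ordered by risk, a run that is completed or cancelled midway has still covered the highest-risk cells that fit under the limit.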

### Run until every cell is assessed {#run-until-complete}

When you start an assessment, you can set a **credit limit** that caps how much the run may consume. Setting an appropriate initial limit caps unintended consumption and lets you commit more credits incrementally as you watch progress.

When the limit is reached and the assessment enters **Awaiting Resume**, raise the limit on the assessment detail page and resume the run. You can repeat this as many times as needed until every cell has been assessed.

### Mark as completed midway {#complete-midway}

Once you have the findings you need, press **Complete** on the assessment detail page to mark the run as completed even if not every cell has been assessed. Findings produced so far are preserved and the assessment moves to the **Completed** state.

### Stop midway {#cancel-midway}

If the scope turns out to be wider than intended, cancel the run from **Cancel** on the assessment detail page. Findings produced up to the cancellation point are preserved.

### Preview interim results {#preview}

While the assessment is **Running** or **Awaiting Resume**, the findings produced so far are visible from **Preview**, so you can act on critical issues before the run finishes.

## Review Findings {#review-findings}

Once the assessment completes, open the assessment from the **Assessments** sidebar entry to view findings, evidence, and remediation suggestions.

![Whitebox assessment result list](/docs/_md-assets/4086c3c9d8-ui-result-1-en.png)

Each finding has its own detail page with the impacted code/endpoint, severity, and the recommended fix.

![Whitebox finding detail](/docs/_md-assets/eccc2b7a7f-ui-result-2-en.png)

Severity assignment is described in [Severity](/docs/t/assessment/references/severity.md).

For findings you want Takumi to fix automatically, use [Autofix](/docs/t/assessment/features/autofix.md) to generate a fix pull request.

![Autofix entry from a finding](/docs/_md-assets/3b0cc328c9-select-menu.png)
