How to set up your integration with a webhook

Setting up your integration with a webhook allows you to post alerts directly to any application supporting webhooks. Here's how to set it up:

1. Head over to your Detectify dashboard and select your scan profile, then click on Scanning Settings and Integrations where you can find the webhook card

2. Expand the card and enter your webhook endpoint and secret key into their respective fields.

3. Optionally you can fill out the secret key for creating a message signature (see Message Signature below)

4. Select which notification types you are interested in receiving and click Save settings.

5. That's it! Next time you start a test and Detectify finds something that matches your settings, a POST message will be sent to your webhook.

How to consume a Detectify webhook

The webhook messages are sent using POST request to the endpoint specified by the subscription. All messages are in JSON format.

The following types or messages are available:

  • event_scan_started: Indicates a scan was started.
  • event_scan_finished: Indicates a scan was finished.
  • event_finding_high: Indicates the scan found a high-level vulnerability (CVSS 6 and up)
  • event_finding_medium: Indicates the scan found a medium level vulnerability (between CVSS 3 and 6)


There are limitations to the number of messages sent out in order to not flood the remote endpoint.

  • Per scan limit: limits the number of finding messages per scan. The limit is 100.
  • Per finding limit: limits the number of finding messages per finding type (e.g. SQL injection). The limit is 10.


Message signature

To enable identification of messages sent by Detectify, a signature is written to each message using the X-Detectify-Signature header. The signature is a hash value using the keyed-hash message authentication code (HMAC) with the SHA-256 compression function. The secret key specified for the subscription is used for the encryption. For secret key use of a random string with high entropy is suggested.

In short: HMAC_SHA256({secret key}, {message content}) = {X-Detectify-Signature value}

The signature is omitted if the secret key is not specified for the subscription.

Scan started
Contains the domain (domain) and the report URL for the scan (report_url).
Example message:
 "type": "event_scan_started",
 "domain": "my.domain",
 "report_url": ""

Scan finished
Contains the domain (domain), the report URL for the scan (report_url) and the number of finding in the three categories (critical_findingsmedium_findingsnotice_findings).
Example message:
 "type": "event_scan_finished",
 "domain": "my.domain",
 "report_url": "",
 "critical_findings": 1,
 "medium_findings": 2,
 "notice_findings": 4

Contains information about findings, including vulnerability title (title), severity (severity), CVSS score (cvss_score). domain (domain), report URL for the finding (finding_url) and additional information in the form of tags (tags).
Example message:
 "type": "event_finding_high",
 "domain": "my.domain",
 "cvss_score": 6.2,
 "severity": "high",
 "title": "Login Cross Site Request Forgery (CSRF/XSRF)",
 "finding_url": "",
 "tags": [ "new" ]