# Engagement Workflow

You can launch a pentester engagement through the web console, CLI, or automation pipelines.

## Web Console

1. Navigate to **Explore → API Engagements**.
2. Click **New Engagement** and provide the application name, target host, and OpenAPI specification.
3. Optional: attach authentication headers or recorded traffic to bootstrap deeper testing.
4. Submit to start the hands-off assessment. Progress and findings stream back into the console and configured connectors.

![Launch a new engagement](https://3946391995-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FId2OtLCL6O6V3XSRYxtr%2Fuploads%2Fgit-blob-d30234dfdaf1f30cf1dfb3d4b4e1e464123f9290%2Flaunch-api-engagement.png?alt=media)

## CLI

Use the CLI when you want to run engagements locally or wire them into custom pipelines. Generate a service-account token first (see [API Configuration](https://github.com/Nullify-Platform/nullify/blob/main/public-docs/getting-started/configuration-api.md)).

```bash
nullify dast \
  --app-name      "Payments API" \
  --spec-path     "./openapi.json" \
  --target-host   "https://api.example.dev" \
  --github-owner  "my-org" \
  --github-repo   "payments-service" \
  --header        "Authorization: Bearer 1234, X-Custom-Header: abcxyz"
```
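
When the command runs from a pipeline, two guard rails are worth having: the target must be a host you are authorised to test, and the authentication header should come from the environment instead of being typed into the command line. The wrapper below is an added example, not part of the Nullify CLI or its documentation; the variable names `TARGET_HOST`, `TARGET_API_TOKEN` and `ALLOWED_HOSTS` and the sample host list are assumptions, and only the flags shown above are used.

```bash
#!/usr/bin/env bash
# Added example: guard rails around the `nullify dast` invocation shown above.
# TARGET_HOST, TARGET_API_TOKEN and ALLOWED_HOSTS are names assumed by this example.
set -u

# Hosts this pipeline is authorised to test (constructed sample values).
ALLOWED_HOSTS="${ALLOWED_HOSTS:-api.example.dev staging.example.dev}"

# Succeed only for an https:// URL whose host is exactly on the allow-list.
target_in_scope() {
  local url="$1" authority host allowed
  case "$url" in https://*) ;; *) return 1 ;; esac
  authority="${url#https://}"
  authority="${authority%%[/?#]*}"      # drop path, query and fragment
  # Reject userinfo ("allowed-host@other-host") and any unexpected character.
  case "$authority" in ""|*[!A-Za-z0-9.:-]*) return 1 ;; esac
  host="${authority%%:*}"               # drop an optional port
  for allowed in $ALLOWED_HOSTS; do
    [ "$host" = "$allowed" ] && return 0
  done
  return 1
}

# Print the Authorization header, taking the token from the environment.
# The --header example above packs several headers into one comma-separated
# string, so a token outside the RFC 6750 bearer alphabet (comma, space,
# newline, ...) is refused instead of being passed on.
auth_header() {
  case "${TARGET_API_TOKEN:-}" in ""|*[!A-Za-z0-9._~+/=-]*) return 1 ;; esac
  printf 'Authorization: Bearer %s' "$TARGET_API_TOKEN"
}

# Validate scope and header, then call the CLI with the flags from this page.
run_engagement() {
  local header target="${TARGET_HOST:-}"
  target_in_scope "$target" || { echo "out of scope: $target" >&2; return 2; }
  header="$(auth_header)" || { echo "TARGET_API_TOKEN unset or malformed" >&2; return 3; }
  nullify dast \
    --app-name     "Payments API" \
    --spec-path    "./openapi.json" \
    --target-host  "$target" \
    --github-owner "my-org" \
    --github-repo  "payments-service" \
    --header       "$header"
}

# Functions only by default; pass --run to start the engagement.
if [ "${1:-}" = "--run" ]; then run_engagement; fi
```

Store `TARGET_API_TOKEN` as a masked secret in the CI system so it does not appear in the pipeline definition or job logs.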

> ℹ️ The CLI command retains the `dast` verb for backwards compatibility; upcoming releases will alias it to `pentester`.

## GitHub Action

Automate engagements in CI by adopting the [Nullify Pentester Action](https://github.com/Nullify-Platform/dast-action) (published as `dast-action`). Configure it to run on release branches, nightly jobs, or bespoke workflows. Findings are routed back through the Nullify API and any connected ticketing systems.
