Concepts and Glossary

The vocabulary Escape uses across the platform, the docs, and the CLI. Bookmark this page; every other guide assumes you know these terms.

Asset Model

  • Domain: a top-level DNS name Escape discovers or that you added in scope (api.example.com, staging.example.com).
  • Asset: a concrete target Escape tracks over time. An asset can be a domain, an IP address, a repository, an API, a web application, or an LLM-backed endpoint. Every asset has a type, a classification, and a lifecycle.
  • Endpoint: a single path served by an asset. An OpenAPI spec with 40 routes produces 40 endpoints under one asset.
  • Schema: the contract an asset exposes (OpenAPI, GraphQL SDL, gRPC proto). Schemas are either provided, inferred, or reconstructed during a scan.

Scanning Model

  • Profile (Application): a saved scan configuration. A profile binds an asset (or a set of assets) to its authentication, scope rules, scanner settings, and the scanner that runs them.
  • Scan: one execution of a profile. Scans have a status, a duration, an authenticated run, and a result set.
  • Security Test: one check in the scanner's catalog. Each test targets a specific vulnerability class (BOLA, SSRF, prompt injection, and so on) and produces findings when its conditions match.
  • Issue (Finding): the result of a security test firing. Issues have severity, exploitability evidence, affected endpoints, and a remediation guide.

Operations Model

  • Location: where the scan runs from. Public Locations are Escape-operated egress points; Private Locations run inside your network.
  • Main User: the authenticated user a scan runs as. Multi-user scans introduce more users with different roles to exercise access-control checks.
  • Sensitive Data (Scalar): a typed class of value Escape tracks across traffic (PII, credentials, tokens). Escape raises exposure findings when sensitive data leaves a context it shouldn't.

Classification

  • Severity: low, medium, high, critical. Escape's severity blends CVSS, exploitability in context, and the data class touched.
  • Compliance Category: the control a finding maps to in a framework (OWASP API Top 10, PCI-DSS, SOC 2). One finding can map to many.

Every concept above has a dedicated page under the relevant product section. When a term shows up in a guide, the first use links back here.