> ## Documentation Index
> Fetch the complete documentation index at: https://pentest-tools.com/docs/llms.txt
> Use this file to discover all available pages before exploring further.

# Notifications

> Get alerted about scan results based on custom conditions

## What are notifications?

Notifications let you receive alerts when scan results match specific conditions. Instead of checking every scan manually, you set up rules and only hear about what matters.

## How notifications work

<Steps>
  <Step title="Create a notification rule">
    Define what conditions should trigger an alert.
  </Step>

  <Step title="Choose a trigger type">
    Select what type of scan results to monitor (vulnerability, ports, scan status, etc.).
  </Step>

  <Step title="Set conditions">
    Specify the exact criteria (e.g., risk level is at least High).
  </Step>

  <Step title="Select destinations">
    Choose where to send the notification (email, Slack, webhook, etc.).
  </Step>
</Steps>

## Trigger types

Notifications can be triggered based on different types of scan results:

| Trigger              | Description                                                  |
| -------------------- | ------------------------------------------------------------ |
| **Vulnerability**    | Findings from vulnerability scans                            |
| **Scan status**      | Scan completion status (finished, failed, timed out, etc.)   |
| **Port Scanner**     | Open ports discovered by the Port Scanner or Network Scanner |
| **Technology found** | Technologies detected by Website Scanner or Website Recon    |
| **Subdomains**       | Subdomains discovered by the Subdomain Finder                |
| **URL Fuzzer**       | Items found by the URL Fuzzer                                |
| **Password Auditor** | Credentials found by the Password Auditor                    |
| **Domains**          | Domains found by the Domain Finder                           |

## Condition examples

### Vulnerability conditions

| Condition         | Operators          | Example                                     |
| ----------------- | ------------------ | ------------------------------------------- |
| **Risk level**    | is at least        | Alert when risk is at least High            |
| **Finding name**  | contains, is       | Alert when finding contains "SQL Injection" |
| **Confirmed tag** | is confirmed       | Alert only for confirmed findings           |
| **Diff**          | from previous scan | Alert when new vulnerabilities appear       |

### Scan status conditions

| Status               | Description                  |
| -------------------- | ---------------------------- |
| Finished             | Scan completed successfully  |
| Timed out            | Scan exceeded time limit     |
| Stopped by user      | Scan was manually stopped    |
| Failed to start      | Scan could not start         |
| VPN connection error | VPN agent connectivity issue |
| Authentication error | Login credentials failed     |
| Connection error     | Target unreachable           |
| Aborted              | Scan was aborted             |

### Port Scanner conditions

| Condition     | Operators                                                            | Example                     |
| ------------- | -------------------------------------------------------------------- | --------------------------- |
| **Open port** | is any of, is not one of, is greater than, in top N, contains all of | Alert on port 22, 23, 3389  |
| **Protocol**  | is, contains                                                         | Alert when SSH is detected  |
| **Diff**      | from previous scan                                                   | Alert when new ports appear |

### Subdomains conditions

| Condition          | Operators          | Example                               |
| ------------------ | ------------------ | ------------------------------------- |
| **Subdomain name** | contains           | Alert when subdomain contains "admin" |
| **Netname**        | contains           | Alert when netname contains "AMAZON"  |
| **Country**        | contains           | Alert when country contains "US"      |
| **Diff**           | from previous scan | Alert when new subdomains appear      |

### URL Fuzzer conditions

| Condition       | Operators | Example                                |
| --------------- | --------- | -------------------------------------- |
| **Items found** | at least  | Alert when at least 10 items are found |
| **HTTP code**   | is        | Alert when HTTP code is 200            |

### Password Auditor conditions

| Condition             | Operators | Example                                   |
| --------------------- | --------- | ----------------------------------------- |
| **Credentials found** | at least  | Alert when at least 1 credential is found |

### Domains conditions

| Condition       | Operators | Example                                  |
| --------------- | --------- | ---------------------------------------- |
| **Domain name** | contains  | Alert when domain contains "example"     |
| **Company**     | contains  | Alert when company contains "Corp"       |
| **Email**       | contains  | Alert when email contains "@example.com" |
| **Certainty**   | at least  | Alert when certainty is at least 80      |

### Technology conditions

| Condition      | Operators | Example                         |
| -------------- | --------- | ------------------------------- |
| **Technology** | contains  | Alert when "WordPress" is found |

## Notification destinations

<CardGroup cols={2}>
  <Card title="Email" icon="envelope">
    Send to your account email or custom addresses.
  </Card>

  <Card title="Slack" icon="slack" href="/capabilities/integrations/slack">
    Send to a Slack channel.
  </Card>

  <Card title="Microsoft Teams" icon="microsoft" href="/capabilities/integrations/microsoft-teams">
    Send to a Teams channel via webhook.
  </Card>

  <Card title="Discord" icon="discord" href="/capabilities/integrations/discord">
    Send to a Discord channel via webhook.
  </Card>

  <Card title="Webhook" icon="webhook" href="/capabilities/integrations/webhooks">
    Send to any HTTP endpoint.
  </Card>

  <Card title="Nucleus" icon="layer-group" href="/capabilities/integrations/nucleus">
    Send findings to Nucleus for vulnerability management.
  </Card>
</CardGroup>

## Creating a notification

<Steps>
  <Step title="Go to Notifications">
    Click **Notifications** in the sidebar.
  </Step>

  <Step title="Add a notification">
    Click **Add** and enter a name.
  </Step>

  <Step title="Select a trigger type">
    Choose what to monitor, for example, Vulnerability or Port Scanner.
  </Step>

  <Step title="Set conditions">
    Add one or more conditions, for example, Risk level is at least High.
  </Step>

  <Step title="Select destinations">
    Under **Notification actions**, choose where to send alerts: your default email, additional addresses, or an integration like Slack, Teams, Discord, Webhook, or Nucleus.
  </Step>

  <Step title="Save">
    Click **Save**. The notification activates immediately.
  </Step>
</Steps>

<Tip>
  You can add multiple conditions to a single notification. All conditions must match (AND logic) for the notification to trigger.
</Tip>

## Workspace scope

Notifications are scoped to your current workspace. Each workspace can have its own set of notification rules.

The notifications configured on this page are applied to **all scans** running in the current workspace, whether started manually, scheduled, or via API. A notification will be sent if a scan result matches **any** of the defined notification rules in the workspace.

## Enabling and disabling

You can enable or disable notifications without deleting them:

* **Enabled**: Notification will trigger when conditions match
* **Disabled**: Notification is saved but won't trigger

## Diff notifications

Diff notifications alert you when results change from a previous scan:

* **New vulnerabilities**: alert when new findings appear
* **New ports**: alert when new ports are discovered
* **New subdomains**: alert when new subdomains are found

## Best practices

<AccordionGroup>
  <Accordion title="Start with high-severity alerts">
    Begin by setting up notifications for critical and high severity findings. Add more granular rules as needed.
  </Accordion>

  <Accordion title="Use meaningful names">
    Name notifications descriptively, for example "Critical vulns - Production".
  </Accordion>

  <Accordion title="Combine conditions wisely">
    Use multiple conditions to reduce noise. For example, "Risk level at least High" AND "Finding name contains SQL".
  </Accordion>

  <Accordion title="Use diff notifications">
    For scheduled scans, use diff notifications to only alert on changes instead of every finding.
  </Accordion>
</AccordionGroup>

<Tip>
  Too many notifications can lead to alert fatigue. Focus on actionable alerts rather than notifying on everything.
</Tip>

## Related topics

* [Slack integration](/capabilities/integrations/slack)
* [Microsoft Teams integration](/capabilities/integrations/microsoft-teams)
* [Webhooks](/capabilities/integrations/webhooks)
* [Scheduled scans](/core/scans/scheduled-scans)
