
Choose Scan Settings

Pick content type, phase, mode, focus, profile, and data sensitivity from real product examples.

Mighty inspects anything before your product trusts it: user input, generated output, uploads, OCR text, image evidence, PDF evidence, office documents, and agent tool output.

Start with the thing your product is about to trust. Then choose the settings that match that story.

For definitions of focus, AI edits, steganography, prompt injection, and related terms, see the glossary.

Start With The Thing You Are About To Trust

Use this table first. It shows the setting combinations that should be copied into real integrations.

| Scenario | Use these settings | Why |
|---|---|---|
| User prompt before AI | content_type=text, scan_phase=input, mode=secure, focus=steg | Finds text trying to override rules, steer the model, reveal secrets, or hide unsafe instructions. |
| OCR text before automation | content_type=text, scan_phase=input, mode=secure, focus=steg, data_sensitivity=tolerant | OCR can expose hidden or altered text. Tolerant mode avoids blocking normal names, addresses, claim IDs, and invoice details. |
| Public AI answer | content_type=text, scan_phase=output, mode=secure, focus=steg, profile=ai_safety, data_sensitivity=strict | Checks generated output before users see leaks, unsafe text, or policy-breaking content. |
| Internal AI summary | content_type=text, scan_phase=output, focus=steg, data_sensitivity=tolerant | Lets normal business PII exist in internal notes while still catching unsafe generated output. |
| Mixed file upload | content_type=auto, scan_phase=input, mode=secure, focus=steg | Safest default before storage, OCR, indexing, or AI extraction. |
| Office document | content_type=document, focus=steg | Office/structured documents currently support hidden-content and threat inspection only. Wrong focus values return unsupported_focus_for_content_type. |
| Image authenticity review | content_type=image, scan_phase=input, mode=secure, focus=ai | Use when the main question is whether visual evidence looks AI-generated, AI-edited, reposted, or provenance-backed. |
| Image edit comparison | content_type=image, scan_phase=input, mode=secure, focus=edits, reference_file=@original.jpg | Use when you have an original/source image and need to find what changed in the submitted image. |
| Full image/PDF evidence review | content_type=image or pdf, focus=all | Use when hidden content, authenticity, and edit evidence all matter. |
| High-value image/PDF review | mode=comprehensive, async=true, focus=all | Use when latency is acceptable and the result affects money, safety, account trust, or legal review. |

Safe Default

If you are unsure, start here:

{
  "content_type": "auto",
  "scan_phase": "input",
  "mode": "secure",
  "focus": "steg",
  "profile": "balanced",
  "data_sensitivity": "standard"
}

This says: "A user or upstream system submitted something, Mighty should inspect it with the normal production path, and normal product policy should decide what happens next."

Change the defaults only when the workflow needs it:

  • Use data_sensitivity=tolerant when the text normally contains names, addresses, claim IDs, policy numbers, invoice lines, or contact details.
  • Use profile=ai_safety and data_sensitivity=strict for public AI output.
  • Use focus=ai, focus=edits, or focus=all only for supported image/PDF evidence paths.
  • Use mode=comprehensive and async=true for high-value image/PDF review where waiting is acceptable.

Input Inspection

Input inspection means the material came from a user, customer, claimant, vendor, partner, upload, browser, or upstream system.

Examples:

| What came in | Settings | What Mighty looks for |
|---|---|---|
| Chat prompt or form field | content_type=text, scan_phase=input, focus=steg | Prompt injection, content steering, secrets, unsafe instructions, and hidden text patterns. |
| Uploaded PDF, image, or document before storage | content_type=auto, scan_phase=input, focus=steg | Hidden content, suspicious text, visual prompt injection, unsafe file text, and parser-safe extraction risk. |
| Office document | content_type=document, scan_phase=input, focus=steg | Hidden content and threat inspection in structured documents. |
| Damage photo or receipt photo | content_type=image, scan_phase=input, focus=all | Hidden content, AI authenticity evidence, and localized edit evidence together. |
| Known image authenticity review | content_type=image, scan_phase=input, focus=ai | Whether the visual evidence appears AI-generated, AI-edited, reposted, provenance-backed, or visually inconsistent. |
| Original vs submitted image | content_type=image, scan_phase=input, focus=edits, reference_file=@original.jpg | What changed between the source image and the submitted image. |

For browser or API uploads, see Scan File Uploads. For visual evidence, see Damage Photo AI Fraud Review.

Output Inspection

Output inspection means your system generated the material: a model answer, OCR text, extraction result, AI summary, agent tool result, generated recommendation, or public response.

Scan output before users, models, tools, or workflow automation act on it.

{
  "content": "Generated answer shown to a user",
  "content_type": "text",
  "scan_phase": "output",
  "mode": "secure",
  "focus": "steg",
  "profile": "ai_safety",
  "data_sensitivity": "strict"
}

Use the scan_group_id from the related input scan. That keeps the prompt, upload, OCR output, model answer, and review record connected.

| Output | Settings | Why |
|---|---|---|
| Public assistant answer | scan_phase=output, focus=steg, profile=ai_safety, data_sensitivity=strict | Catches unsafe generated text, secret leakage, and policy-breaking output before users see it. |
| Internal claim or invoice summary | scan_phase=output, focus=steg, data_sensitivity=tolerant | Normal business PII can remain in reviewer-only notes while unsafe output still gets routed. |
| OCR text or extracted fields | content_type=text, scan_phase=input, focus=steg, data_sensitivity=tolerant | OCR output is derived, but it is still untrusted input to your automation. |
| Agent tool output | scan_phase=output, focus=steg, profile=ai_safety or code_assistant | Keeps unsafe tool results, retrieved text, and browser content out of the next model step. |

For generated responses, see Scan Model Output. For multi-step evidence chains, see Sessions And Scan Groups.

Focus Modes Without Jargon

focus answers: what kind of risk or evidence should Mighty prioritize?

| Focus | Plain meaning | Use it for | Do not use it for |
|---|---|---|---|
| steg | Hidden content, prompt injection, content steering, unsafe text, OCR/document safety. | Text, OCR text, model output, mixed uploads, office documents, AI-facing uploads. | AI-authenticity-only review or pairwise image comparison. |
| ai | Is this visual evidence likely generated, AI-edited, reposted, or missing useful provenance? | Damage photos, receipt photos, marketplace listing images, ID or verification images, screenshot/PDF evidence where authenticity is the main question. | Text, OCR text, model output, office documents, or anything where hidden instructions could reach an AI system unless paired via focus=all. |
| edits | What changed, and where does the submitted image look manipulated? | Original vs submitted damage photos, altered labels, receipts, package photos, food photos, screenshots, and document images where visible text may have changed. | Office documents, text/OCR/model output, or general hidden-instruction safety scans. |
| all | Run the supported image/PDF evidence paths together at 10 SCU per image unit. | Image/PDF evidence where hidden content, authenticity, and edit evidence all matter. | Structured office documents; use focus=steg. |

Default value: steg. Focused image paths bill 4 SCU per image. focus=all bills 10 SCU per image unit. Deprecated aliases still exist: standard maps to steg, and both maps to all.

Office and structured documents currently support steg only. With content_type=document, the values focus=ai, focus=edits, focus=all, and the deprecated focus=both each return HTTP 400 with code=unsupported_focus_for_content_type.

For the technical compatibility table, see POST /v1/scan focus compatibility.
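The focus rules above can be checked on your own server before a request is sent. This is an added example, not Mighty's code: check_settings, codes, and the warning codes other than unsupported_focus_for_content_type are hypothetical names, and only the combinations described on this page are covered.

```python
# Added example: local lint for scan settings. Not Mighty's own code.
DEPRECATED_FOCUS = {"standard": "steg", "both": "all"}  # aliases listed on this page
EVIDENCE_FOCUS = {"ai", "edits", "all"}                 # image/PDF evidence paths only


def check_settings(settings):
    """Return (normalized settings, [(level, code, message), ...])."""
    s = dict(settings)
    problems = []
    focus = s.get("focus", "steg")  # the page gives steg as the default focus
    if focus in DEPRECATED_FOCUS:
        new = DEPRECATED_FOCUS[focus]
        problems.append(("warn", "deprecated_focus_alias", f"{focus} maps to {new}"))
        focus = new
    s["focus"] = focus
    ctype = s.get("content_type")

    if focus != "steg" and focus not in EVIDENCE_FOCUS:
        problems.append(("error", "unknown_focus", f"focus={focus} is not on the page"))
    elif ctype == "document" and focus != "steg":
        # Same code the API returns with HTTP 400 for this combination.
        problems.append(("error", "unsupported_focus_for_content_type",
                         "structured documents support focus=steg only"))
    elif ctype == "text" and focus in EVIDENCE_FOCUS:
        # Local lint code (hypothetical): the page only says not to do this.
        problems.append(("warn", "evidence_focus_on_text",
                         "use focus=steg for text, OCR text and model output"))
    if focus == "edits" and not s.get("reference_file"):
        # Local lint code (hypothetical).
        problems.append(("warn", "edits_without_reference",
                         "without reference_file only conservative hints come back"))
    return s, problems


def codes(problems):
    """Just the problem codes, in order, for logging or assertions."""
    return [code for _level, code, _msg in problems]


if __name__ == "__main__":
    # Constructed sample settings.
    for sample in ({"content_type": "document", "focus": "both"},
                   {"content_type": "image", "focus": "edits"},
                   {"content_type": "auto", "scan_phase": "input", "focus": "steg"}):
        print(sample, "->", check_settings(sample))
```

Treat any "error" entry as a reason not to send the request; "warn" entries are worth logging next to the request_id.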

When focus=ai Is Useful

Ask: "Is this visual evidence likely generated, AI-edited, reposted, or missing useful provenance?"

Use focus=ai when authenticity is the main question and you already know the material is image/PDF evidence.

curl -X POST https://gateway.trymighty.ai/v1/scan \
  -H "Authorization: Bearer $MIGHTY_API_KEY" \
  -F "file=@./receipt-photo.jpg" \
  -F "content_type=image" \
  -F "scan_phase=input" \
  -F "mode=secure" \
  -F "focus=ai" \
  -F "profile=strict"

This is review evidence, not proof of fraud. Use focus=all instead when the same image/PDF may also contain hidden instructions or unsafe text.

When focus=edits Is Useful

Ask: "What changed, and where does the submitted image look manipulated?"

The best path is to send a source image with reference_file.

curl -X POST https://gateway.trymighty.ai/v1/scan \
  -H "Authorization: Bearer $MIGHTY_API_KEY" \
  -F "file=@./submitted-damage-photo.jpg" \
  -F "reference_file=@./original-damage-photo.jpg" \
  -F "content_type=image" \
  -F "scan_phase=input" \
  -F "mode=secure" \
  -F "focus=edits" \
  -F "profile=strict"

Without a reference image, Mighty can only return conservative hints. Use focus=all when you also need hidden-content or AI-authenticity review.

Mode, Profile, And Data Sensitivity

These settings are separate from focus.

| Setting | Plain question | Default | Change it when |
|---|---|---|---|
| mode | How deep should Mighty look? | secure | Use fast for low-risk low-latency text. Use comprehensive for high-value image/PDF review and async scans. |
| profile | How strict is this workflow? | balanced | Use strict for regulated, financial, legal, insurance, healthcare, or high-value workflows. Use ai_safety for public AI output. |
| data_sensitivity | Should normal PII be expected? | standard | Use tolerant for claims, invoices, healthcare, identity, or support workflows. Use strict for public output, secrets, and credentials. |

Mode is not tolerance. mode changes how deep the inspection goes. profile, data_sensitivity, and your routing policy decide how strict the product is after Mighty returns a result. See Modes And Tolerance.

Content Types

content_type answers: what kind of thing is this?

| Value | Use when |
|---|---|
| auto | Your server does not know the type yet, or the upload route accepts mixed files. |
| text | Chat text, form fields, OCR text, extracted fields, model output, tool output, notes, or transcripts. |
| image | Damage photos, ID images, receipt photos, screenshots, marketplace images, or visual evidence. |
| pdf | PDF claim packets, invoices, estimates, forms, statements, or evidence packets. |
| document | Office or structured documents such as DOCX, XLSX, PPTX, CSV, Markdown, JSON, XML, HTML, RTF, and similar business files. |

If a PDF contains images, still send it as pdf. If an OCR system extracted text from a PDF, scan that extracted text as content_type=text and reuse the same scan_group_id.

IDs And Review

Store these fields so your reviewers and logs can explain what happened:

| Field | Use it for |
|---|---|
| request_id | One unique request. Use it for retries and logs. |
| scan_id | The exact Mighty result. Use it for audit and async polling. |
| scan_group_id | Connect original input, OCR text, model output, image evidence, and review for one item. |
| session_id | Connect the wider chat, claim, case, batch, or agent run. |

Route results in product language:

| Action | Product route |
|---|---|
| ALLOW | Continue. Store IDs. |
| WARN | Review, add friction, constrain the model/tool path, or request more evidence. |
| BLOCK | Stop the workflow, or show redacted_output when Mighty returns it and your policy allows it. |
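One way to apply the routing table in server code, as an added example that is not Mighty's own code. It assumes the scan result is a JSON object whose action is carried in a field named "action"; that field name, the route function, and the route labels are hypothetical. Stopping on a missing or unrecognised action is a design choice made here so that a malformed result never counts as ALLOW.

```python
# Added example: fail-closed routing of a scan result. Not Mighty's own code.
ID_FIELDS = ("request_id", "scan_id", "scan_group_id", "session_id")  # from this page


def route(result, allow_redacted=False):
    """Return (route, text_to_show, audit_record) for one scan result."""
    audit = {field: result.get(field) for field in ID_FIELDS}
    audit["missing_ids"] = [f for f in ID_FIELDS if not result.get(f)]
    # ASSUMPTION: the result carries its action in a field named "action".
    action = str(result.get("action") or "").upper()
    audit["action"] = action or "MISSING"

    if action == "ALLOW":
        return "continue", None, audit
    if action == "WARN":
        return "review", None, audit
    if action == "BLOCK" and allow_redacted and result.get("redacted_output"):
        # Only when Mighty returned redacted_output and local policy allows it.
        return "show_redacted", result["redacted_output"], audit
    # BLOCK without a usable redaction, or a missing/unknown action: stop.
    return "stop", None, audit


if __name__ == "__main__":
    # Constructed sample results; all values are placeholders.
    samples = [
        {"action": "ALLOW", "request_id": "req-1", "scan_id": "scan-1",
         "scan_group_id": "grp-1", "session_id": "sess-1"},
        {"action": "BLOCK", "scan_id": "scan-2", "redacted_output": "[redacted]"},
        {"scan_id": "scan-3"},
    ]
    for sample in samples:
        print(route(sample, allow_redacted=True))
```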

Common Wrong Choices

  • Using focus=all for normal text, OCR text, or model output. Use focus=steg.
  • Using focus=ai as a fraud verdict. Mighty flags review evidence; your business process decides fraud.
  • Using focus=edits without explaining reference vs no-reference review. Use reference_file when you have the source image.
  • Using focus=ai, focus=edits, or focus=all on content_type=document. Structured documents support focus=steg only.
  • Using mode=fast because a workflow should be tolerant. Use data_sensitivity=tolerant for expected PII.
  • Scanning only OCR text when the original file is available. Scan the file first, then scan extracted text with the same scan_group_id.

Next step

Ready to scan real traffic?

Create an API key, keep it on your server, then wire Mighty into the workflow that handles untrusted material.
