diff --git a/.copywrite.hcl b/.copywrite.hcl
index daa4a34..5efa9b8 100644
--- a/.copywrite.hcl
+++ b/.copywrite.hcl
@@ -14,5 +14,6 @@ project {
 "**/*.pb.go",
 "**/*_string.go",
 "**/*pkrtpl.hcl",
+ "**/.web-docs/**",
 ]
 }
\ No newline at end of file
diff --git a/.web-docs/components/provisioner/cnspec/README.md b/.web-docs/components/provisioner/cnspec/README.md
index 05243cf..f138b65 100644
--- a/.web-docs/components/provisioner/cnspec/README.md
+++ b/.web-docs/components/provisioner/cnspec/README.md
@@ -54,34 +54,39 @@ Optional Parameters: If `score_threshold` is set to a value, and `on_failure = "continue"` builds will continue regardless of what score is returned. -- `labels` (map[string]string) - Configure an optional map of labels for the asset data. +- `labels` (map[string]string) - Configure an optional map of `key/val` labels for the asset in + Mondoo Platform. -- `annotations` (map[string]string) - Configure an optional map of `key/val` annotations for the asset data in +- `annotations` (map[string]string) - Configure an optional map of `key/val` annotations for the asset in Mondoo Platform. -- `incognito` (bool) - Configures incognito mode. Defaults to `true`. When set to false, scan results - will not be sent to Mondoo Platform. +- `incognito` (bool) - Configures incognito mode. By default it detects if a Mondoo service account + is available. When set to false, scan results will not be sent to + Mondoo Platform. -- `policies` ([]string) - A list of policies to be executed (requires incognito mode). +- `policies` ([]string) - A list of policies to be executed (will automatically activate incognito mode). - `policybundle` (string) - A path to local policy bundle file. -- `sudo` (\*SudoConfig) - Run mondoo scan with `--sudo`. Defaults to none. +- `sudo` (\*SudoConfig) - Runs scan with `--sudo`. Defaults to none. - `winrm_user` (string) - Configure WinRM user. Defaults to `user` set by the packer communicator. -- `winrm_password` (string) - Configure WinRM user password. Defaults to `password` set by the packer communicator. +- `winrm_password` (string) - Configure WinRM user password. Defaults to `password` set by the packer + communicator. -- `use_proxy` (bool) - Use proxy to connect to host to scan. This configuration will fall-back to packer proxy - for cases where the provisioner cannot access the target directly - NOTE: we have seen cases with the vsphere builder +- `use_proxy` (bool) - Use proxy to connect to host to scan. 
This configuration will fall-back to + packer proxy for cases where the provisioner cannot access the target directly -- `output` (string) - Set output format: summary, full, yaml, json, csv, compact, report, junit (default "compact") +- `output` (string) - Set output format: summary, full, yaml, json, csv, compact, report, junit + (default "compact") -- `score_threshold` (int) - An integer value to set the `score_threshold` of mondoo scans. Defaults to `0` which results in - a passing score regardless of what scan results are returned. +- `score_threshold` (int) - An integer value to set the `score_threshold` of mondoo scans. Defaults to + `0` which results in a passing score regardless of what scan results are + returned. -- `mondoo_config_path` (string) - The path to the mondoo client config. Defaults to `$HOME/.config/mondoo/mondoo.yml` +- `mondoo_config_path` (string) - The path to the Mondoo's service account. Defaults to + `$HOME/.config/mondoo/mondoo.yml` diff --git a/.web-docs/components/provisioner/mondoo/README.md b/.web-docs/components/provisioner/mondoo/README.md index f2164bd..26db037 100644 --- a/.web-docs/components/provisioner/mondoo/README.md +++ b/.web-docs/components/provisioner/mondoo/README.md 
@@ -68,34 +68,39 @@ Optional Parameters: If `score_threshold` is set to a value, and `on_failure = "continue"` builds will continue regardless of what score is returned. -- `labels` (map[string]string) - Configure an optional map of labels for the asset data. +- `labels` (map[string]string) - Configure an optional map of `key/val` labels for the asset in + Mondoo Platform. -- `annotations` (map[string]string) - Configure an optional map of `key/val` annotations for the asset data in +- `annotations` (map[string]string) - Configure an optional map of `key/val` annotations for the asset in Mondoo Platform. -- `incognito` (bool) - Configures incognito mode. Defaults to `true`. When set to false, scan results - will not be sent to Mondoo Platform. +- `incognito` (bool) - Configures incognito mode. By default it detects if a Mondoo service account + is available. When set to false, scan results will not be sent to + Mondoo Platform. -- `policies` ([]string) - A list of policies to be executed (requires incognito mode). +- `policies` ([]string) - A list of policies to be executed (will automatically activate incognito mode). - `policybundle` (string) - A path to local policy bundle file. -- `sudo` (\*SudoConfig) - Run mondoo scan with `--sudo`. Defaults to none. +- `sudo` (\*SudoConfig) - Runs scan with `--sudo`. Defaults to none. - `winrm_user` (string) - Configure WinRM user. Defaults to `user` set by the packer communicator. -- `winrm_password` (string) - Configure WinRM user password. Defaults to `password` set by the packer communicator. +- `winrm_password` (string) - Configure WinRM user password. Defaults to `password` set by the packer + communicator. -- `use_proxy` (bool) - Use proxy to connect to host to scan. This configuration will fall-back to packer proxy - for cases where the provisioner cannot access the target directly - NOTE: we have seen cases with the vsphere builder +- `use_proxy` (bool) - Use proxy to connect to host to scan. 
This configuration will fall-back to + packer proxy for cases where the provisioner cannot access the target directly -- `output` (string) - Set output format: summary, full, yaml, json, csv, compact, report, junit (default "compact") +- `output` (string) - Set output format: summary, full, yaml, json, csv, compact, report, junit + (default "compact") -- `score_threshold` (int) - An integer value to set the `score_threshold` of mondoo scans. Defaults to `0` which results in - a passing score regardless of what scan results are returned. +- `score_threshold` (int) - An integer value to set the `score_threshold` of mondoo scans. Defaults to + `0` which results in a passing score regardless of what scan results are + returned. -- `mondoo_config_path` (string) - The path to the mondoo client config. Defaults to `$HOME/.config/mondoo/mondoo.yml` +- `mondoo_config_path` (string) - The path to the Mondoo's service account. Defaults to + `$HOME/.config/mondoo/mondoo.yml` diff --git a/docs-partials/provisioner/Config-not-required.mdx b/docs-partials/provisioner/Config-not-required.mdx index 5cdfd97..65efb30 100644 --- a/docs-partials/provisioner/Config-not-required.mdx +++ b/docs-partials/provisioner/Config-not-required.mdx 
@@ -36,33 +36,38 @@ If `score_threshold` is set to a value, and `on_failure = "continue"` builds will continue regardless of what score is returned. -- `labels` (map[string]string) - Configure an optional map of labels for the asset data. +- `labels` (map[string]string) - Configure an optional map of `key/val` labels for the asset in + Mondoo Platform. -- `annotations` (map[string]string) - Configure an optional map of `key/val` annotations for the asset data in +- `annotations` (map[string]string) - Configure an optional map of `key/val` annotations for the asset in Mondoo Platform. -- `incognito` (bool) - Configures incognito mode. Defaults to `true`. When set to false, scan results - will not be sent to Mondoo Platform. +- `incognito` (bool) - Configures incognito mode. By default it detects if a Mondoo service account + is available. When set to false, scan results will not be sent to + Mondoo Platform. -- `policies` ([]string) - A list of policies to be executed (requires incognito mode). +- `policies` ([]string) - A list of policies to be executed (will automatically activate incognito mode). - `policybundle` (string) - A path to local policy bundle file. -- `sudo` (\*SudoConfig) - Run mondoo scan with `--sudo`. Defaults to none. +- `sudo` (\*SudoConfig) - Runs scan with `--sudo`. Defaults to none. - `winrm_user` (string) - Configure WinRM user. Defaults to `user` set by the packer communicator. -- `winrm_password` (string) - Configure WinRM user password. Defaults to `password` set by the packer communicator. +- `winrm_password` (string) - Configure WinRM user password. Defaults to `password` set by the packer + communicator. -- `use_proxy` (bool) - Use proxy to connect to host to scan. This configuration will fall-back to packer proxy - for cases where the provisioner cannot access the target directly - NOTE: we have seen cases with the vsphere builder +- `use_proxy` (bool) - Use proxy to connect to host to scan. 
This configuration will fall-back to
+ packer proxy for cases where the provisioner cannot access the target directly
-- `output` (string) - Set output format: summary, full, yaml, json, csv, compact, report, junit (default "compact")
+- `output` (string) - Set output format: summary, full, yaml, json, csv, compact, report, junit
+ (default "compact")
-- `score_threshold` (int) - An integer value to set the `score_threshold` of mondoo scans. Defaults to `0` which results in
- a passing score regardless of what scan results are returned.
+- `score_threshold` (int) - An integer value to set the `score_threshold` of mondoo scans. Defaults to
+ `0` which results in a passing score regardless of what scan results are
+ returned.
-- `mondoo_config_path` (string) - The path to the mondoo client config. Defaults to `$HOME/.config/mondoo/mondoo.yml`
+- `mondoo_config_path` (string) - The path to the Mondoo's service account. Defaults to
+ `$HOME/.config/mondoo/mondoo.yml`
diff --git a/provisioner/provisioner.go b/provisioner/provisioner.go
index 86c00ba..1361efc 100644
--- a/provisioner/provisioner.go
+++ b/provisioner/provisioner.go
@@ -44,8 +44,6 @@ import (
 type Config struct {
 common.PackerConfig `mapstructure:",squash"`
 ctx interpolate.Context
- // The command to invoke mondoo. Defaults to `mondoo scan`.
- Command string
 // The alias by which the host should be known.
 // Defaults to `default`.
 HostAlias string `mapstructure:"host_alias"`
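Review bot: Removing the `Command` field drops a user-settable option without any migration note: the provisioner.hcl2spec.go hunks show it was exposed as the `command` attribute (`cty:"command" hcl:"command"`), so templates that still set `command` will most likely be rejected as an unknown key, and nothing in the description or the docs hunks records the removal. Add a changelog/upgrade line naming the removed `command` attribute, or keep the field for one release marked `// Deprecated: no longer used.` so existing templates keep parsing. The same removal recurs in the Prepare hunk (`p.config.Command` default) and in both hcl2spec hunks; the Config struct continues past this hunk.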
@@ -82,34 +80,39 @@ type Config struct {
 // If `score_threshold` is set to a value, and `on_failure = "continue"`
 // builds will continue regardless of what score is returned.
 OnFailure string `mapstructure:"on_failure"`
- // Configure an optional map of labels for the asset data.
+ // Configure an optional map of `key/val` labels for the asset in
+ // Mondoo Platform.
 Labels map[string]string `mapstructure:"labels"`
- // Configure an optional map of `key/val` annotations for the asset data in
+ // Configure an optional map of `key/val` annotations for the asset in
 // Mondoo Platform.
 Annotations map[string]string `mapstructure:"annotations"`
- // Configures incognito mode. Defaults to `true`. When set to false, scan results
- // will not be sent to Mondoo Platform.
+ // Configures incognito mode. By default it detects if a Mondoo service account
+ // is available. When set to false, scan results will not be sent to
+ // Mondoo Platform.
 Incognito bool `mapstructure:"incognito"`
- // A list of policies to be executed (requires incognito mode).
+ // A list of policies to be executed (will automatically activate incognito mode).
 Policies []string `mapstructure:"policies"`
 // A path to local policy bundle file.
 PolicyBundle string `mapstructure:"policybundle"`
- // Run mondoo scan with `--sudo`. Defaults to none.
+ // Runs scan with `--sudo`. Defaults to none.
 Sudo *SudoConfig `mapstructure:"sudo"`
 // Configure WinRM user. Defaults to `user` set by the packer communicator.
 WinRMUser string `mapstructure:"winrm_user"`
- // Configure WinRM user password. Defaults to `password` set by the packer communicator.
+ // Configure WinRM user password. Defaults to `password` set by the packer
+ // communicator.
 WinRMPassword string `mapstructure:"winrm_password"`
- // Use proxy to connect to host to scan. 
This configuration will fall-back to packer proxy
- // for cases where the provisioner cannot access the target directly
- // NOTE: we have seen cases with the vsphere builder
+ // Use proxy to connect to host to scan. This configuration will fall-back to
+ // packer proxy for cases where the provisioner cannot access the target directly
 UseProxy bool `mapstructure:"use_proxy"`
- // Set output format: summary, full, yaml, json, csv, compact, report, junit (default "compact")
+ // Set output format: summary, full, yaml, json, csv, compact, report, junit
+ // (default "compact")
 Output string `mapstructure:"output"`
- // An integer value to set the `score_threshold` of mondoo scans. Defaults to `0` which results in
- // a passing score regardless of what scan results are returned.
+ // An integer value to set the `score_threshold` of mondoo scans. Defaults to
+ // `0` which results in a passing score regardless of what scan results are
+ // returned.
 ScoreThreshold int `mapstructure:"score_threshold"`
- // The path to the mondoo client config. Defaults to `$HOME/.config/mondoo/mondoo.yml`
+ // The path to the Mondoo's service account. Defaults to
+ // `$HOME/.config/mondoo/mondoo.yml`
 MondooConfigPath string `mapstructure:"mondoo_config_path"`
 }
@@ -154,10 +157,6 @@ func (p *Provisioner) Prepare(raws ...interface{}) error {
 return err
 }
- if p.config.Command == "" {
- p.config.Command = "mondoo"
- }
-
 var errs *packer.MultiError
 if len(p.config.SSHAuthorizedKeyFile) > 0 {
 err = validateFileConfig(p.config.SSHAuthorizedKeyFile, "ssh_authorized_key_file", true)
diff --git a/provisioner/provisioner.hcl2spec.go b/provisioner/provisioner.hcl2spec.go
index 2892d85..dff9ce9 100644
--- a/provisioner/provisioner.hcl2spec.go
+++ b/provisioner/provisioner.hcl2spec.go
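Review bot: The rewritten `Incognito` comment keeps `When set to false, scan results will not be sent to Mondoo Platform`, which reads as the inverse of what incognito mode normally means (incognito = do not report); if `true` is the value that suppresses upload, the line should be `// is available. When set to true, scan results are not sent to Mondoo Platform.` — confirm against the scan invocation, which is outside this hunk. The same comment says the default "detects if a Mondoo service account is available", but a plain `bool` field cannot express that default, so the comment should state where an unset value is resolved. The new `MondooConfigPath` comment `The path to the Mondoo's service account` is ungrammatical and, since the file it names is a credential, should say so: `// Path to the Mondoo service account credentials file. Defaults to`. The Prepare hunk that follows drops the `Command` default; its enclosing function starts and ends outside the hunk.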
@@ -18,7 +18,6 @@ type FlatConfig struct { PackerOnError *string `mapstructure:"packer_on_error" cty:"packer_on_error" hcl:"packer_on_error"` PackerUserVars map[string]string `mapstructure:"packer_user_variables" cty:"packer_user_variables" hcl:"packer_user_variables"` PackerSensitiveVars []string `mapstructure:"packer_sensitive_variables" cty:"packer_sensitive_variables" hcl:"packer_sensitive_variables"` - Command *string `cty:"command" hcl:"command"` HostAlias *string `mapstructure:"host_alias" cty:"host_alias" hcl:"host_alias"` User *string `mapstructure:"user" cty:"user" hcl:"user"` LocalPort *uint `mapstructure:"local_port" cty:"local_port" hcl:"local_port"` @@ -62,7 +61,6 @@ func (*FlatConfig) HCL2Spec() map[string]hcldec.Spec { "packer_on_error": &hcldec.AttrSpec{Name: "packer_on_error", Type: cty.String, Required: false}, "packer_user_variables": &hcldec.AttrSpec{Name: "packer_user_variables", Type: cty.Map(cty.String), Required: false}, "packer_sensitive_variables": &hcldec.AttrSpec{Name: "packer_sensitive_variables", Type: cty.List(cty.String), Required: false}, - "command": &hcldec.AttrSpec{Name: "command", Type: cty.String, Required: false}, "host_alias": &hcldec.AttrSpec{Name: "host_alias", Type: cty.String, Required: false}, "user": &hcldec.AttrSpec{Name: "user", Type: cty.String, Required: false}, "local_port": &hcldec.AttrSpec{Name: "local_port", Type: cty.Number, Required: false},