Start IAST Session

Install the IAST Agent on your application server, and configure the scan.

Before you begin

If you use more than one server for a single IAST monitoring session, you can either copy the agent from one server to the other, or download separate agents. Both methods are supported.
Note: The IAST monitoring session technically "starts" as soon as this process is complete, but no issues can actually be discovered until the agent is deployed on the application server.


  1. If you have not yet done so: Create an application for your scans.
  2. In the Application, click Create Scan to open the wizard, then select Interactive (IAST).
  3. Click Download Agent - and then select .NET, Java or Node.js - to save the relevant agent file to your computer. The process of creating the file for download may take a few moments, but then the download starts automatically.
    Note: The downloaded agent includes a key that is valid on multiple servers for the same session, so you can copy the agent to several servers. If you download another agent for the same session, the new agent will have a new key, but the new and old keys will both be valid for the session.
  4. Deploy the IAST Agent on your application server.
    The IAST agent is now monitoring traffic to the server. You can see this confirmed in the Scan entry in the application tab. When you run system tests or a DAST scan, issues will be identified and added to the scan entry.
    Important: An IAST Scan does not send its own requests. It can discover issues only if requests are sent to the tested application by a third party, such as system tests, a manual explore, or a DAST Scan.
    Note: An IAST scan does not stop automatically unless it is configured to stop if the agent gets disconnected and this happens. Otherwise it continues indefinitely until stopped by the user.


Once the scan is created, the Actions dropdown offers the following options (as relevant):
  • Generate new key: In case the downloaded key was lost. Note that if you generate a new key, the previous key becomes invalid.
  • Stop: Stops a running scan without deleting it. You can start it again later. If you want a report on the current scan results, go to to the All Issues tab.
  • Start: Starts a stopped scan (license permitting). The Issue counter for the scan starts from zero.
  • Cancel: Deletes the scan.