Create a new scan (full configuration)

Provide the Starting URL and user credentials for the scan, select the type of site, and (if not previously done) verify your permission to scan the site.

Before you begin


  1. On the specific Application page, click Create scan, then select Dynamic (DAST) to open the wizard.
    You must enter the starting URL for the scan in the next step. Other settings (steps 2 to 5 below) can be changed or left with their default values. When finished, click Review and scan (step 6 below).
  2. URL and domains




    URL field
    Enter the URL where the scan should start. For web APIs, there is no "starting" URL, so simply enter any valid URL in the domain of the service you want to scan.
    Scan the demo site
    Click this link to fill in the URL of the AppScan demo site. This lets you run a scan without needing to verify a domain. In the Login tab, enter Username JSmith and Password Demo1234
    Note: Running a scan of the demo site will not be counted towards your license limit as long as you use the full URL provided. If you remove the ?mode=demo switch, the scan will be counted towards your limit.
    Include sub domains and parallel domains
    Select this check box to include any sub-domains and parallel domains that may be discovered as links when scanning, However, do this only if the scan will include sub-domains other than that of the Starting URL, and you are able to verify all the sub-domains (or they are already verified).
    Example 1:
    • Starting URL:
    • Site has links to and you want those links included in the scan.
    • Select the check box.
    Example 2:
    • Starting URL:
    • Site has links to or to and you want those links included in the scan.
    • Select the check box.


    Select your environment, this will affect how ASoC explores the site:
    Staging or testing environment (default)
    During the scan ASoC will fill out forms automatically to try and discover as much content as possible. This is a much more comprehensive scan, but also more likely to affect the structure and stability of the site.
    Live production site
    During the scan ASoC will not automatically fill out forms. The scan is less likely to affect the site or the structure of the scan but might take longer.
    Important: In February 2023 the default was changed from Production to Staging. If you are scanning a live production environment it is important that you change this setting.
    For more information, see FAQ.
  3. Login




    Select the relevant option:
    Login not required (default)
    Leave this selected if:
    • No login/authorization is required, or
    • (Web API) Authorization uses a fixed or long-term value, such as an API key or a fixed bearer token
    Login required: Username and Password
    Select if ASoC will be able to log in as needed using credentials but with no special procedure. You can also optionally enter a third credential, for example: PIN# = 1234, however, the use of a third credential will require intervention by our Support team, and may cause the scan to take longer than usual.
    Note: CAPTCHA is not supported.
    Tip: It is recommended to use test credentials rather than the credentials of an actual user.
    This option is not relevant for web APIs.
    Login Required: Recorded login
    If a special login procedure is needed, select this option to upload a recording of the procedure that ASoC will use whenever it needs to log in to the app during the scan. You can record using the AppScan Activity Recorder (saved as a CONFIG file) or AppScan Standard (exported as a LOGIN file).
    Important: The recorded login sequence must contain the following requests:
    • Login/Authorization request
    • An additional logged-in/authorized request. This "extra" request helps AppScan identify a successful authorization and maintain session when testiing the application.

    For details about recording a CONFIG or LOGIN file see Recording traffic and Recording the login using AppScan Standard.

    HTTP authentication

    In addition to the Login information, you can also indicate if the application requires HTTP authentication (Negotiate, NTLM, Kerberos, ADFS, Basic, or Digest). Enter the Username, Password and optionally the Domain, for ASoC to use during the scan.

  4. One-time password



    Use TOTP

    If your site requires a time-based one time password for users to log in (MFA), select this check box and complete the first four fields in the dialog, so AppScan will be able to log in.
    • Secret key
    • OTP length (number of digits)
    • Hash algorithm used (select from drop-down)
    • Time step (in seconds)
    Note: TOTP is the only OTP supported in this wizard. For more OTP options you can configure a scan in AppScan Standard and upload to ASoC. When configuring a scan in AppScan Standard with OTP, you must use action-based login, not request-based login, see the AppScan Standard documentation for details.
    OTP HTTP parameters (optional)

    If you used "Login required: Recorded login" in the previous step, this last field is not usually required, as AppScan usually identifies the OTP headers itself, when validating the recorded login procedure at the start of the scan.

    If you used the "Login required: Username and password" option, you must add the parameter here. If there is more than one, separate them with commas.

    Example of a possible OTP header: OTPvalue

    How do I identify the OTP HTTP-parameter?

  5. Explore




    Select the relevant option:
    Explore automatically
    Select for AppScan to crawl the web application automatically, from the starting URL, to discover the pages it will test. This option is not relevant for web APIs, use the next option.
    Explore with guidance
    Select to upload your own recorded Explore stage for AppScan to test. You can use this on its own or in addition to an automatic Explore stage.
    For details about the two Explore types, see Understanding Dynamic (DAST) Scanning

    Explore with guidance

    This section is active only if you selected Explore with guidance.

    Upload recording

    Upload one or more DAST.CONFIG traffic files. For details of how to record these, see the options described in Recording traffic. For web APIs the best option is usually the AppScan Traffic Recorder.

    File settings

    If the requests in your traffic file must be sent in the specific order you recorded them, activate Multistep. This method will significantly increase the duration of the scan, so use only if needed. To understand the difference between Multistep and regular Explore with guidance, refer to Explore with guidance.

    To activate Multi-step:
    • For each uploaded recording, click on the filename and toggle the Activate Multi-step option to On.
    How to use the recording
    Select one of the options:
    Use the recorded Explore in addition to a full automatic Explore stage, and test it all
    ASoC will run its own automatic Explore stage to discover the application, and test it based on both these results and the traffic file you uploaded. This option is not relevant for web APIs, use the next option.
    Analyze and test the recorded Explore only
    ASoC will treat the uploaded file as the Explore stage for the scan. It will analyze and create tests for the recorded traffic only, and then test it. There will be no automatic Explore stage.
  6. Network




    Select the relevant option:
    Public (default)
    Select if your site is available on the internet.
    Select only if your site is not available on the internet, and then select your presence from the list of connected presences.
    Note: If you have not yet created an an AppScan Presence you can do so now by clicking the AppScan Presences page link, and referring to Creating the AppScan Presence.



    Adjust automatically during the scan
    Select this check box to allow ASoC to decide how long to wait for any particular response before timing out. This can significantly reeduce scan time.
    Use the slider to set the maximum time ASoC will wait for a response before timing out. Increase this setting if your site's responses are slow and ASoC is missing responses due to the short timeout.

    Number of threads

    Set the maximum number of requests that ASoC can sent to the site simultaneously. Reduce this number if your site does not allow this many.

    This setting, and the one below, are available only for sites whose environment has been defined as "Staging or testing". For live production sites, the number of simultaneous threads sent, and the rate limit, are adjusted automatically based on various factors, and cannot be changed by the user.

    Request rate limit

    By default, ASoC sends its requests to the site as fast as possible. If this limit will overload your network or server, select this check box and reduce it.

  7. Test options



    Test policy

    ASoC applies the AppScan Standard Default Test Policy to scans and this cannot be changed using the wizard.

    You can apply a different Test Policy by configuring the scan in AppScan Standard, or through the API.
    Tip: Test policy is different to application policy.

    Test optimization

    Select the level of tradeoff between scan speed and issue coverage for your needs. The slider offers four levels, and the "Fast" level is selected by default. For details, see Test Optimization.

  8. Schedule



    Scan now

    Your scan will run as soon as set up and review are complete.

    Save for later

    Your configuration will be saved when completed, so you can run the scan later.

    Your configuration will be saved, and one or more scans run as configured.
    1. Select a date and time. Enter these according to the time zone configured on your machine, but note that times will be converted to UTC when displayed in the UI.
    2. To run the scan more than once, select the Repeat check box, and then choose:
      • Daily, and select a daily interval (1-30 days)
      • Weekly, and select which day, or
      • Monthly, select a monthly interval, and then select which numerical day of the month, or which weekday of the month (first, second, third, fourth, last).
      Note: If the maximum number of concurrent scans are running when the scheduled time arrives, the scan will start as soon as allowed by your subscription.
    3. Set the End date (the last date a scan will run), or click Remove end date to have the schedule run indefinitely.
  9. Click Review and scan or Review and save.


    In the Preferences section on the right, you can:
    • Edit the default name that was given to the scan.
    • Elect to run the scan as a Personal scan.
    • Elect to receive an email when the scan is complete.
    • Scan enablement: By default, the Allow intervention check box is selected. This means that if ASoC detects that the scan may produce poor results with the current settings, it will alert the Scan Enablement Team to review them. The scan status will then change to "Under Review" and resume when this is complete (see Scan status).
      • If you do not want the team to try to solve such issues, clear the check box.
      • If intervention is allowed: Optionally include a message to the team, if you think they might need specific information to resolve an issue.
  10. Click Scan.


The new scan is added to the Scans view with its starting time, and a progress bar indicates that the scan is running. When the scan is complete the progress bar closes, the results are summarized in a graph, and (if selected) you receive an email notification. See Results.
Note: Free Plan scans are limited to four hours in length, so large or complex sites may not be completely covered by these.