How Internal Scanning Works
Internal Scanning uses the same DAST engine as Detectify’s external scanning products, deployed as an agent inside your infrastructure. The agent communicates outbound to the Detectify cloud platform — no inbound firewall rules required.
Architecture Overview
The Internal Scanning Agent is a self-contained scanning engine, not a thin proxy. It runs the full DAST engine locally in your environment, including the same Crowdsource modules used by Application Scanning and API Scanning.
The agent sits in your private network, scans your internal applications locally, and sends only vulnerability findings outbound to the Detectify platform over HTTPS (port 443).
Step-by-Step Flow
- Agent deployment — Install the agent via Docker, standalone binary, or Terraform module. Pre-configured Terraform modules are available for AWS, Azure, and Google Cloud
- Outbound connection — The agent establishes an outbound-only HTTPS connection to Detectify’s cloud platform. No inbound firewall rules needed
- Scan orchestration — Scan scheduling and orchestration happens in the cloud, with instructions sent to the agent through the outbound connection
- Local scanning — The agent uses local compute to run parallel payload-based tests against your internal applications using the full scanning engine
- Results normalization — Findings are assigned standard ScanIDs (the same format used by external scans) and sent to Detectify
- Unified reporting — Results appear in the same dashboard, API, and integrations as your Surface Monitoring, Application Scanning, and API Scanning findings
What Data Leaves Your Network
Only scan metadata and vulnerability findings are transmitted to Detectify:
| Sent to Detectify | Never leaves your network |
|---|---|
| Vulnerability type and severity | Application source code |
| Affected URL path | Full HTTP request/response bodies |
| CVE/CWE identifiers | Authentication tokens and cookies |
| Remediation guidance | Database query results |
| Scan progress status | Environment variables and secrets |
Module Coverage
The Internal Scanning Agent currently supports approximately 80% of external scanning modules. The scanning engine is identical to what powers Application Scanning and API Scanning externally — modules from Detectify’s internal research team and ~400 Crowdsource ethical hackers.
Vulnerability types covered include:
- SQL injection and NoSQL injection
- Cross-Site Scripting (XSS)
- Server-Side Request Forgery (SSRF)
- Remote Code Execution (RCE)
- SSL/TLS misconfigurations
- Command injection
- Path traversal
- And many more — extending beyond the OWASP Top 10
Agent Update Model
The agent is updated through the Docker registry. When Detectify releases new modules or engine updates, they are delivered through container image updates managed via your existing deployment tooling (Terraform, Helm).
Deployment Options
| Method | Best for | Guide |
|---|---|---|
| Terraform module (AWS, Azure, GCP) | New deployments on supported cloud providers | Deploy |
| Helm chart | Existing Kubernetes clusters, on-premises | Self-Managed Kubernetes |
| Docker | Standalone deployments | Contact Detectify |
Next Steps
- Security & Privacy — Data handling, encryption, and compliance details
- Requirements — Infrastructure prerequisites
- Deploy — Choose your deployment method