Overview

Detectify’s Internal Scanning Agent enables you to scan web applications that are not exposed to the public internet. Deploy the scanner within your private network to identify vulnerabilities in internal applications with the same DAST capabilities as external scanning.

How It Works

Internal Scanning uses an agent-based architecture deployed in your cloud environment:


┌─────────────────────────────────────────────────────────────┐
│                     Your Environment                        │
│  ┌─────────────────────────────────────────────────────┐    │
│  │                  Private Network                    │    │
│  │                                                     │    │
│  │   ┌──────────────┐      ┌──────────────────────┐    │    │
│  │   │   Internal   │      │   Internal Scanner   │    │    │
│  │   │ Applications │◄────►│                      │    │    │
│  │   └──────────────┘      └──────────┬───────────┘    │    │
│  │                                    │                │    │
│  └────────────────────────────────────┼────────────────┘    │
│                                       │                     │
└───────────────────────────────────────┼─────────────────────┘
                                        │ Outbound only (443)
                                        ▼
                              ┌──────────────────┐
                              │    Detectify     │
                              │    Platform      │
                              └──────────────────┘

Deploy - Run the scanner in your cloud environment using our Terraform module
Configure - Point the scanner at your internal applications
Scan - The scanner performs DAST scans from within your network
Report - Results are sent securely to the Detectify platform

Key Benefits

Scan What You Couldn’t Before

Access internal APIs, staging environments, and applications behind firewalls that external scanners cannot reach.

Same Powerful Engine

Uses the same DAST scanning engine as Detectify’s external scanning, including:

Crowdsource vulnerability research
Continuously updated security tests
Low false-positive rate

Your Data Stays Private

The scanner runs entirely in your infrastructure. Only scan metadata and results are sent to Detectify—your application data never leaves your network.

Secure by Design

All communication is outbound-only over TLS 1.3
No inbound firewall rules required
Deploy in private subnets with no public IP

Architecture Components

Component	Description
Scan Scheduler	Scheduler service for managing scans and receiving jobs (port 3000)
Scan Manager	Executes security tests against your applications (port 8080)
Chrome Controller	Browser automation for JavaScript-heavy applications (port 8080)
Redis	Job queue and state management (port 6379)
Pushgateway	Metrics aggregation for Prometheus (port 9091, optional)

Deployment Options

The scanner is deployed as a containerized application on Kubernetes. We provide Terraform modules for major cloud providers:

Cloud Provider	Status	Guide
AWS	Available	Terraform
Azure	Coming Soon	Terraform
Google Cloud	Coming Soon	Terraform

Documentation

Getting Started

Requirements - Infrastructure and network requirements
Configuration - Set up scan targets and integrate with Detectify

Deployment Guides

Deployment Options - Overview of all deployment methods
AWS with Terraform - EKS deployment
Azure with Terraform - AKS (coming soon)
GCP with Terraform - GKE (coming soon)

Operations

Scaling - Capacity planning and scaling configuration
Troubleshooting - Monitoring, maintenance, and common issues