Requirements
Everything you need to deploy the Internal Scanning Agent.
Quick Checklist
Already familiar with the requirements? Use this checklist to verify you’re ready:
┌────────────────────────────────────────────────────────────────────────────────┐
│                         DEPLOYMENT READINESS CHECKLIST                         │
├────────────────────────────────────────────────────────────────────────────────┤
│                                                                                │
│  INFRASTRUCTURE                            NETWORK                             │
│  ──────────────                            ───────                             │
│  [ ] Kubernetes >= 1.28                    [ ] Outbound HTTPS (443) allowed    │
│  [ ] 2+ vCPU available                     [ ] Can reach *.detectify.com       │
│  [ ] 8 Gi memory available                 [ ] Scanner can reach target apps   │
│  [ ] 8 Gi persistent storage                                                   │
│  [ ] Internal load balancer support                                            │
│                                                                                │
│  CREDENTIALS (from Detectify UI)           TOOLS                               │
│  ───────────────────────────────           ─────                               │
│  [ ] License Key                           [ ] Terraform >= 1.5.0              │
│  [ ] Connector API Key                     [ ] kubectl >= 1.28                 │
│  [ ] Registry username                     [ ] AWS CLI >= 2.0 (for AWS)        │
│  [ ] Registry password                     [ ] Helm >= 3.0                     │
│                                                                                │
│  AWS-SPECIFIC                              SECRETS                             │
│  ────────────                              ───────                             │
│  [ ] VPC with DNS support + hostnames      [ ] KMS key for encrypting          │
│  [ ] 2+ private subnets (different AZs)        Detectify credentials           │
│  [ ] Subnets tagged:                                                           │
│      kubernetes.io/role/internal-elb=1                                         │
│  [ ] NAT Gateway for outbound access                                           │
│                                                                                │
└────────────────────────────────────────────────────────────────────────────────┘
Ready? Jump to AWS Deployment.
Detailed Requirements
Infrastructure
Kubernetes Cluster
The Internal Scanner runs on Kubernetes. Your cluster needs:
| Requirement | Minimum | Recommended |
|---|---|---|
| Kubernetes Version | 1.28+ | Latest stable |
| Nodes | 1 | 2+ (for HA) |
| Node Autoscaling | Optional | Recommended |
| Persistent Storage | 8 Gi | 16 Gi |
| Load Balancer | Internal | Internal |
Compute Resources
For a minimal deployment supporting 5 concurrent scans:
| Resource | Minimum | What It’s For |
|---|---|---|
| CPU | 2 vCPU | Scan Manager, Chrome Controller |
| Memory | 8 Gi | Browser rendering, scan processing |
| Storage | 8 Gi | Redis job queue |
For larger deployments, see Scaling & Capacity Planning.
Cloud Provider Support
| Provider | Service | Status |
|---|---|---|
| AWS | EKS with Auto Mode | Available |
| Azure | AKS | Coming Soon |
| Google Cloud | GKE | Coming Soon |
Network
Outbound Access (Required)
The scanner needs outbound HTTPS access to:
| Destination | Port | Purpose |
|---|---|---|
| *.detectify.com | 443 | API, job polling, results, container images |
Inbound Access (Not Required)
No inbound internet access is needed. The scanner:
- Uses an internal load balancer (no public IP)
- Initiates all external communication (outbound only)
- Requires no firewall holes or public endpoints
Internal Access
The scanner must be able to reach your internal applications:
┌────────────────────────────────────────────────────────────────────────────────┐
│                              NETWORK REQUIREMENTS                              │
├────────────────────────────────────────────────────────────────────────────────┤
│                                                                                │
│   PRIVATE NETWORK                                                              │
│   ┌────────────────────────────────────────────────────────────────────────┐   │
│   │                                                                        │   │
│   │  Scanner ─────────────────────────────────────────► Your Applications  │   │
│   │  (private subnet)          Ports 80, 443,           (private subnet)   │   │
│   │                              or custom                                 │   │
│   │                                                                        │   │
│   └────────────────────────────────────────────────────────────────────────┘   │
│                                       │                                        │
│                                       │ Outbound only (443)                    │
│                                       ▼                                        │
│                              ┌─────────────────┐                               │
│                              │ NAT/Internet GW │                               │
│                              └────────┬────────┘                               │
│                                       │                                        │
│                                       ▼                                        │
│                              ┌─────────────────┐                               │
│                              │    Detectify    │                               │
│                              │    Platform     │                               │
│                              └─────────────────┘                               │
│                                                                                │
└────────────────────────────────────────────────────────────────────────────────┘
Configure security groups or network policies to allow:
- Scanner → Your apps (ports your apps use)
- Scanner → Internet (443 outbound via NAT)
Detectify Credentials
You need credentials from the Detectify platform. Find them at Internal Scanning Agents in the Detectify UI:
| Credential | Description | Used For |
|---|---|---|
| License Key | Unique identifier for your scanner instance | Scanner activation |
| Connector API Key | Authentication token for Detectify API | Job polling, results upload |
| Registry Username | Docker registry username | Pulling container images |
| Registry Password | Docker registry password | Pulling container images |
Don’t have credentials? Contact your Detectify account team or reach out to us to enable Internal Scanning.
Software Tools
Install these tools on your workstation:
| Tool | Version | Installation | Purpose |
|---|---|---|---|
| Terraform | >= 1.5.0 | terraform.io | Infrastructure provisioning |
| kubectl | >= 1.28 | kubernetes.io | Cluster management |
| Helm | >= 3.0 | helm.sh | App deployment (via Terraform) |
AWS-specific
| Tool | Version | Installation |
|---|---|---|
| AWS CLI | >= 2.0 | aws.amazon.com/cli |
Verify your tools:
# Check versions
terraform version          # Should show >= 1.5.0
kubectl version --client   # Should show >= 1.28 (client only; no cluster connection needed yet)
helm version               # Should show >= 3.0
aws --version              # Should show >= 2.0 (AWS only)
AWS-Specific Requirements
If deploying on AWS, you also need:
VPC
| Requirement | Details |
|---|---|
| VPC | Existing VPC with DNS support and DNS hostnames enabled |
| Private Subnets | 2+ subnets in different availability zones |
| Subnet Tags | Private subnets tagged with kubernetes.io/role/internal-elb = 1 |
| Outbound Internet | NAT Gateway or Internet Gateway for outbound access |
| DNS | VPC DNS resolution and DNS hostnames enabled |
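The subnet rows of this table can be checked before running Terraform. The following is an added example, not part of Detectify's documentation or tooling: the function name `check_scanner_subnets`, the sample subnet IDs, and the use of `MapPublicIpOnLaunch` as a heuristic for "private" are assumptions made here.

```shell
#!/bin/sh
# Added example, not Detectify tooling. check_scanner_subnets is a hypothetical name.
# Reads one subnet per line, tab-separated:
#   SubnetId  AvailabilityZone  MapPublicIpOnLaunch  internal-elb tag value
# which is the shape produced by:
#   aws ec2 describe-subnets --subnet-ids <ids> --output text --query \
#     'Subnets[].[SubnetId,AvailabilityZone,MapPublicIpOnLaunch,Tags[?Key==`kubernetes.io/role/internal-elb`]|[0].Value]'
check_scanner_subnets() {
  awk -F'\t' '
    NF == 0 { next }
    { n++; usable = 1 }
    # A missing tag is printed as "None" by --output text.
    $4 != "1" {
      printf "FAIL %s: kubernetes.io/role/internal-elb is \"%s\", expected \"1\"\n", $1, $4
      usable = 0
    }
    # Heuristic (assumption): a subnet that auto-assigns public IPs is not private.
    $3 == "True" {
      printf "FAIL %s: MapPublicIpOnLaunch is enabled\n", $1
      usable = 0
    }
    usable  { az[$2] = 1 }
    !usable { bad = 1 }
    END {
      for (z in az) zones++
      if (zones < 2) {
        printf "FAIL: usable subnets cover %d availability zone(s), need 2+\n", zones
        bad = 1
      }
      if (!bad) printf "OK: %d subnets across %d AZs\n", n, zones
      exit bad + 0
    }'
}

# Constructed sample rows (not real subnet IDs): the third subnet lacks the tag.
SAMPLE=$(printf '%s\t%s\t%s\t%s\n' \
  subnet-0aaa eu-west-1a False 1 \
  subnet-0bbb eu-west-1b False 1 \
  subnet-0ccc eu-west-1b False None)
printf '%s\n' "$SAMPLE" | check_scanner_subnets || echo "subnet preflight failed"
```

A definitive private-subnet check would also inspect each subnet's route table for a default route through the NAT Gateway, which this example does not do.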
IAM Permissions
The IAM user/role running Terraform needs permissions to create:
- EKS clusters and node groups
- IAM roles and policies
- Application Load Balancers
- Security groups
- KMS keys (for Kubernetes secrets encryption at rest)
- Route53 records (optional)
- ACM certificates
Additionally, you need a KMS key for encrypting your Detectify credentials (license key, API key, registry password). This can be an existing key or a new one — see the deployment guide for instructions.
Route53 (Optional)
For automatic DNS configuration:
- Private hosted zone — For scanner endpoint (internal DNS)
- Public hosted zone — For ACM certificate validation (ACM requires public DNS even if the scanner endpoint is private)
Important: ACM certificate DNS validation always requires a public hosted zone, even if you use a private zone for the scanner endpoint itself.
Next Steps
Choose your deployment path:
Or learn more:
- Security & Privacy - Data handling and compliance
- Scaling - Capacity planning for larger deployments