Scan Profiles

Scan profiles are reusable configurations that define how Application Scanning tests your web application. Each profile specifies the target scope, authentication method, schedule, and behavioral settings.

Creating a Scan Profile

  1. Navigate to Application Scanning and select your target domain
  2. Select Create scan profile
  3. Configure the settings described in the sections below
  4. Save the profile

You can create multiple scan profiles for the same domain to test different areas or configurations. For example, you might have separate profiles for the public site, the authenticated application, and the admin panel.

Scope Configuration

The scope defines which parts of your application the scanner will test.

Start URL

The URL where the crawler begins. By default, this is the root of your domain. Set a specific start URL to focus the scan on a particular section of your application (e.g., https://app.example.com/dashboard).

Path Inclusion and Exclusion

  • Include paths: Restrict scanning to specific URL path prefixes. Only pages matching these paths will be crawled and tested.
  • Exclude paths: Prevent the scanner from visiting specific paths. Use this for logout endpoints, account deletion pages, or areas that should not be tested.

Common exclusions:

  • /logout or /signout — Prevents the scanner from ending its authenticated session
  • /delete or /remove — Prevents destructive actions during scanning
  • /admin/dangerous-action — Protects sensitive administrative operations

Subdomains

By default, the scanner stays within the target domain. If your application spans multiple subdomains (e.g., api.example.com and app.example.com), you can configure the scope to include additional subdomains.
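As an added example (not Detectify's own code), the following Python models the scope rules described above so that a profile's start URL, include paths, exclude paths and extra subdomains can be dry-run against sample URLs before the profile is saved. The hostnames and paths are constructed, and the assumption that the product matches paths by plain string prefix with exclusions taking precedence is mine, not stated on this page.

```python
# Added example (not Detectify's code): a model of a scan profile's scope rules
# as this page describes them, used to dry-run URLs before saving a profile.
from dataclasses import dataclass, field
from urllib.parse import urlsplit


@dataclass
class ScopeConfig:
    start_url: str                                        # where the crawler begins
    include_paths: list = field(default_factory=list)     # only these prefixes are crawled (empty = all)
    exclude_paths: list = field(default_factory=list)     # never visited, e.g. /logout
    extra_subdomains: list = field(default_factory=list)  # hosts allowed beyond the start URL's own


def in_scope(cfg: ScopeConfig, url: str) -> bool:
    """Return True if the scanner would crawl and test this URL.

    Assumed model (the page does not spell out the product's exact matching
    rules): the host must be the start URL's host or a listed subdomain,
    exclusions win over inclusions, and path matching is plain string prefix.
    """
    start_host = (urlsplit(cfg.start_url).hostname or "").lower()
    host = (urlsplit(url).hostname or "").lower()
    allowed_hosts = {start_host} | {h.lower() for h in cfg.extra_subdomains}
    if host not in allowed_hosts:
        return False
    path = urlsplit(url).path or "/"  # the query string plays no part in scope
    if any(path.startswith(p) for p in cfg.exclude_paths):
        return False
    if cfg.include_paths and not any(path.startswith(p) for p in cfg.include_paths):
        return False
    return True


def still_reachable(cfg: ScopeConfig, must_exclude: list) -> list:
    """Pre-save check: which URLs that must never be hit are still in scope?"""
    return [u for u in must_exclude if in_scope(cfg, u)]


if __name__ == "__main__":
    # Constructed sample profile for the authenticated app (hostnames are placeholders)
    profile = ScopeConfig(
        start_url="https://app.example.com/dashboard",
        include_paths=["/dashboard", "/api/"],
        exclude_paths=["/logout", "/dashboard/account/delete"],
        extra_subdomains=["api.example.com"],
    )
    print(in_scope(profile, "https://app.example.com/dashboard/reports?id=7"))  # True
    print(in_scope(profile, "https://admin.example.com/dashboard"))             # False
    # An empty list means every must-exclude URL is out of scope; anything listed
    # here is a gap in the exclude list (the API host has no /remove exclusion).
    print(still_reachable(profile, [
        "https://app.example.com/logout",
        "https://api.example.com/api/v1/users/remove",
    ]))  # ['https://api.example.com/api/v1/users/remove']
```

Run the check with the same must-exclude list each time the profile's include or subdomain settings change, since widening either can silently bring a session-ending or destructive endpoint back into scope.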

Authentication

Scan profiles support multiple authentication methods for testing areas behind login. See Authentication for detailed configuration guides.

Available methods:

  • Basic Access Authentication — HTTP Basic Auth with username and password
  • Recorded Login — Replays a recorded login sequence for custom login forms
  • Recorded Crawling — Guides the scanner through specific authenticated workflows

Scheduling

Scan profiles support three scheduling modes:

Manual

Scans run only when manually triggered from the dashboard. Use this for ad-hoc testing or initial setup.

Weekly

Scans run automatically on a specified day and time each week. Weekly scanning is recommended for most production applications to maintain continuous coverage.

API-Triggered

Scans are started via the Detectify API. This is ideal for CI/CD integration where you want to trigger a scan after each deployment to staging.

Custom Schedules

For organizations that need non-weekly schedules, the API can be used to trigger scans on any cadence using your own scheduling infrastructure (cron jobs, CI/CD pipelines, or orchestration tools).

Scan Behavior Settings

Request Throttling

Control the rate at which the scanner sends requests to your application. Throttling is configurable in requests per second (RPS).

  • Default: Balanced between scan speed and application load
  • Lower RPS: Use for applications sensitive to load or with strict rate limiting
  • Higher RPS: Use for high-capacity applications where faster scan completion is desired

Adjust throttling if you observe performance degradation on your application during scans.

Port Scanning

Port scanning checks for open ports on the target. As of May 2023, port scanning is off by default for new scan profiles. You can enable it in the profile settings if needed.

Scan Data Retention

Scan results are retained for 365 days by default. After this period, detailed scan data is removed, though summary findings and their statuses are preserved.

Managing Scan Profiles

Editing

Edit a scan profile at any time by selecting it and modifying its settings. Changes take effect on the next scan run.

Duplicating

Duplicate an existing profile to create a new one with similar settings. This is useful when setting up profiles for different environments (staging vs. production) that share most configuration.

Deleting

Deleting a scan profile removes its configuration and scheduled runs. Historical scan results from the profile are retained.

Next Steps

  • Authentication — Detailed guides for each authentication method
  • Settings — Advanced scanner settings
  • Results — Understanding scan findings