Scanning Internal Web Applications

When scanning internal web applications that are not publicly accessible, there are three main approaches you can use:


1. Whitelist Scanning IPs

If your internal network allows external traffic from specific IP addresses, you can whitelist our scanning IPs. This enables us to scan your internal app remotely without requiring additional infrastructure.


2. Using a Reverse Proxy

If exposing the internal app directly is not possible, you can route traffic through a reverse proxy or expose a test instance of the application. This allows the scanner to access the internal app indirectly.

Steps:
1. Set up a reverse proxy pointing to your internal app.
2. Configure the proxy to allow access from the scanner.
3. Follow the web scan creation steps through the proxy.

Optionally configure advanced scan settings
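
A possible shape for steps 1 and 2, shown as an nginx server block. This is an added example, not configuration from the platform's documentation; the hostname, certificate paths, upstream address and the scanner IP `203.0.113.10` are placeholders to replace with your own values and the scanning IPs you were given.

```nginx
# Added example: every name, address and path below is a placeholder.
# Place inside the http { } context of nginx.conf.

# Internal application the proxy fronts (assumed address and port).
upstream internal_app {
    server 10.0.0.15:8080;
}

server {
    listen 443 ssl;
    server_name scan-proxy.example.com;                  # placeholder hostname

    ssl_certificate     /etc/nginx/tls/scan-proxy.crt;   # placeholder paths
    ssl_certificate_key /etc/nginx/tls/scan-proxy.key;
    ssl_protocols       TLSv1.2 TLSv1.3;

    # Step 2: only the scanner may connect. Without these two lines the
    # proxy publishes the internal app to every source address.
    allow 203.0.113.10;    # placeholder for the scanning IPs
    deny  all;

    # Dedicated log so scan traffic can be reviewed and any
    # unexpected source address stands out.
    access_log /var/log/nginx/scan-proxy.access.log;

    location / {
        # Step 1: forward requests to the internal app.
        proxy_pass http://internal_app;

        # The app sees the proxy's hostname; change this if the app
        # only answers to its internal name.
        proxy_set_header Host              $host;
        proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
    }
}
```

Run `nginx -t` to validate the file before reloading, and use the proxy's hostname as the scan target in step 3.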


3. On-Prem Scanner / Agent

For highly isolated environments where the internal app cannot be exposed externally, you can deploy an on-prem scanner or agent directly inside your network.

  • The on-prem scanner executes scans locally and securely reports the results to the platform.
  • This method is preferred for isolated or air-gapped environments.
  • Installation and configuration guide: On-Prem Scanner Documentation


By using one of these approaches, you can effectively scan internal applications while respecting network security constraints.