How can I speed up web app scans?
In many scanning scenarios, performance and speed are critical, especially when customers demand quick results or need frequent scans. However, while optimizations can make scans run faster, they may also reduce coverage and accuracy. It is important for customers to understand these tradeoffs.
1. Using Only GET Requests
Restricts the scanner to use only HTTP GET requests, skipping POST, PUT, and other methods. This reduces the overall number of requests and speeds up the scan.
Impact
- Faster scans: Fewer requests mean less data transfer and quicker results.
- Reduced coverage: Many modern web applications rely heavily on other HTTP methods (like POST) for functionality such as logins, form submissions, or API interactions. By excluding these, the scanner might miss vulnerabilities in those areas.
When explaining scan duration improvements, remind customers that this is a speed vs. depth tradeoff. If full coverage is a priority, they should keep all request methods enabled.
2. Excluding Specific HIDs
Certain HIDs represent complex or time-consuming checks. Excluding them can significantly shorten scan times.
Impact
- Improved performance: The scan completes faster, ideal for recurring or time-sensitive assessments.
- Reduced detection: Some excluded HIDs might correspond to critical vulnerabilities. Excluding them means those vulnerabilities won’t be tested or reported.
Position this as a customizable optimization. It’s useful when customers want to focus on a subset of issues (e.g., OWASP Top 10), but they should be made aware that exclusions equal reduced visibility into some risk areas.
3. Blacklisting Paths
Prevents the scanner from testing specific directories or URLs (e.g., /admin, /api, /uploads).
Impact
- Faster scanning: Large or dynamic sections of a website can slow down scans; skipping them helps performance.
- Untested areas: Any path on the blacklist will remain completely unscanned, which could hide critical vulnerabilities.
This option is great for customers who already know certain paths are out of scope or contain heavy, irrelevant content. However, emphasize that blacklisting paths should be used with caution — “if you skip it, it’s untested.”
TLDR
When discussing optimization options with customers, always frame them around performance versus coverage. Faster scans are valuable, but speed should never come at the cost of missing high-risk vulnerabilities.
- Use optimizations strategically — for large-scale or routine scans.
- Keep full scans in their regular cycle to ensure full coverage.
- Understand exactly what’s excluded when optimizations are applied.
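To make "what's excluded" concrete before enabling the GET-only and path blacklist options, the following added example (not part of the original article or of the scanner itself) lists which known endpoints would go untested. The endpoint inventory is constructed sample data, the function names are hypothetical, and the blacklist is assumed to match on whole path segments; HID exclusions are not modelled.

```python
from urllib.parse import urlsplit

# Constructed sample inventory of (method, URL), e.g. exported from a crawl or API spec.
ENDPOINTS = [
    ("GET", "https://shop.example/"),
    ("GET", "https://shop.example/products?id=7"),
    ("POST", "https://shop.example/login"),
    ("POST", "https://shop.example/cart/add"),
    ("GET", "https://shop.example/admin/users"),
    ("PUT", "https://shop.example/api/v1/profile"),
    ("GET", "https://shop.example/api/v1/orders"),
    ("GET", "https://shop.example/administrator-guide"),
]


def is_blacklisted(path, blacklist):
    """Assumed semantics: an entry matches itself and everything below it,
    on whole path segments, so /admin does not match /administrator-guide."""
    path = path.rstrip("/")
    for entry in blacklist:
        prefix = entry.rstrip("/")
        if path == prefix or path.startswith(prefix + "/"):
            return True
    return False


def coverage_gap(endpoints, get_only=False, blacklist=()):
    """Return (tested, skipped); skipped maps each untested endpoint to the reason."""
    tested, skipped = [], {}
    for method, url in endpoints:
        path = urlsplit(url).path
        key = (method.upper(), path)  # query strings are ignored for grouping
        if is_blacklisted(path, blacklist):
            skipped[key] = "blacklisted path"
        elif get_only and method.upper() != "GET":
            skipped[key] = "non-GET method"
        else:
            tested.append(key)
    return tested, skipped


if __name__ == "__main__":
    tested, skipped = coverage_gap(ENDPOINTS, get_only=True, blacklist=["/admin", "/api"])
    print(f"tested {len(tested)} of {len(ENDPOINTS)} endpoints")
    for (method, path), reason in sorted(skipped.items()):
        print(f"UNTESTED {method:4} {path}  ({reason})")
```

With both optimizations applied to this sample, the login and cart forms and the whole admin and API areas drop out of the scan, which is the list to review with the customer before the settings are saved.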