
How do I optimize a web assessment reaching the 24-hour limit?

Web assessments that exceed the 24-hour execution limit are stopped automatically. You still receive all results obtained up to the moment the assessment was stopped.

In most cases, an assessment that reaches the 24-hour limit will already have covered the large majority of the vulnerabilities in your web application; the adjustments below are about finishing within the limit, not about recovering coverage.

Several factors can cause an assessment to reach this threshold. The guide below presents best practices and configuration adjustments that reduce assessment duration and make better use of scanner resources.

Follow these steps to shorten the assessment:

Break down target URLs into separate entities

Split the targeted URL if it contains numerous sections, such as products, articles, or user pages.

URL structure

  • /login: a single login endpoint
  • /products: contains thousands of product entries
  • /users: includes hundreds of user profiles
  • /en: the English version of the site

Recommendation

Create a distinct target for each section, with the Crawl scope set to "Limit to content located at or below URL subdirectory". Each assessment then crawls only its own subdirectory, which removes the overhead of re-crawling the rest of the site in every run.

Discovery assessment

Running a discovery assessment before your full security assessment can help identify how to divide a large web application into smaller, more manageable parts.

Limit the total number of URLs crawled

If you scan a directory containing numerous entries with a similar structure, testing a representative subset is typically sufficient, because every entry is served by the same handler with the same body format and parameters. This holds only when the entries really are generated by the same server-side code; a section whose individual entries expose their own forms or parameters should be scoped as a separate target instead.

Examples

  • /products/1
  • /products/2

Recommendation

  • Use the Crawl scope: "Limit to content located at or below URL subdirectory".
  • Configure the profile to limit the "Maximum crawl requests".

Suggested setting

Maximum Crawl Requests = 250

Restrict assessments by HTTP method

If the web application contains many forms submitted with different HTTP methods (GET and POST), run two assessments instead of one:

  • Assessment 1: Target only GET methods
  • Assessment 2: Target only POST methods

During the audit phase (when the HIDs run), POST requests often carry several parameters and therefore take longer to process than GET requests. Separating the two lets the GET assessment finish independently of the slower POST one.

Disable JavaScript scanning when restricting by HTTP method

The HTTP method restriction (GET/POST) only applies when JavaScript scanning is disabled, so disable JavaScript scanning in the profile before relying on it.

Exclude static content and non-vulnerable endpoints

If your web application contains static resources (images, PDFs, CSS, JS) and endpoints that accept no user input (no forms or parameters), configure URL exclusion patterns so these resources are not tested. This significantly reduces assessment time without reducing security coverage.

Excluding these patterns focuses assessment resources on the endpoints that process user input and are susceptible to common web application vulnerabilities. Keep the patterns as narrow as the application allows: a broad pattern such as /docs/* also skips any dynamic endpoint that happens to live under that path.

Example exclusions

  • /static/*
  • /assets/*
  • /fonts/*
  • /docs/*
  • /images/*
  • /dist/*
  • /cdn/*
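Before committing an exclusion list, it is worth checking it against the URL list from a discovery assessment to see what would actually be dropped. The script below is an added example for this article, not the scanner's own tooling; it assumes the patterns are shell-style globs matched against the URL path (the scanner's real matching rules may differ), and the crawled URLs and the host shop.example are constructed for the demonstration. It applies the example exclusions above and flags excluded URLs that carry a query string or have no static file extension, since those are the ones most likely to process input.

```python
"""Sanity-check URL exclusion patterns against a crawled URL list.

Added example for this article; it is not part of the scanner or its
documentation. It assumes the exclusion patterns are shell-style globs
matched against the URL path (the scanner's own matching rules may
differ), and the crawled URLs below are constructed for the demo.
"""
from fnmatch import fnmatchcase
from urllib.parse import urlsplit

# Extensions we treat as static content; anything else under an excluded
# prefix is worth a second look before it is dropped from the audit.
STATIC_EXTENSIONS = (".css", ".js", ".map", ".png", ".jpg", ".gif", ".svg",
                     ".ico", ".woff", ".woff2", ".ttf", ".pdf")

# Constructed sample, shaped like a discovery assessment's URL list.
CRAWLED_URLS = [
    "https://shop.example/static/app.css",
    "https://shop.example/static/bundle.js",
    "https://shop.example/images/logo.png",
    "https://shop.example/docs/manual.pdf",
    "https://shop.example/docs/search?q=reset",    # dynamic endpoint under /docs/
    "https://shop.example/assets/upload?name=x",   # request handler under /assets/
    "https://shop.example/login",
    "https://shop.example/products?category=shoes",
    "https://shop.example/products/42",
]

# The exclusion list from the article, as glob patterns on the path.
EXCLUSIONS = ["/static/*", "/assets/*", "/fonts/*", "/docs/*",
              "/images/*", "/dist/*", "/cdn/*"]


def is_excluded(url, patterns):
    """True if the URL path matches any exclusion pattern (case-sensitive glob)."""
    path = urlsplit(url).path
    return any(fnmatchcase(path, pattern) for pattern in patterns)


def looks_dynamic(url):
    """Heuristic: a query string, or a path without a static file extension,
    suggests the endpoint processes input and should not be excluded."""
    parts = urlsplit(url)
    if parts.query:
        return True
    return not parts.path.lower().endswith(STATIC_EXTENSIONS)


def review_exclusions(urls, patterns):
    """Split URLs into (excluded, kept) and flag excluded URLs that look dynamic."""
    excluded, kept, suspicious = [], [], []
    for url in urls:
        if is_excluded(url, patterns):
            excluded.append(url)
            if looks_dynamic(url):
                suspicious.append(url)
        else:
            kept.append(url)
    return excluded, kept, suspicious


if __name__ == "__main__":
    excluded, kept, suspicious = review_exclusions(CRAWLED_URLS, EXCLUSIONS)
    print(f"{len(excluded)} excluded, {len(kept)} kept for audit")
    for url in suspicious:
        print("check before excluding:", url)
```

On the sample list, the two flagged URLs are /docs/search?q=reset and /assets/upload?name=x: both sit under an excluded prefix yet take parameters, so the /docs/* and /assets/* patterns would need narrowing (for example to /docs/*.pdf) before the real scan.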

Avoid redundant query parameters

Two URLs that differ only in a query value do not always represent different content. In some targets the query value is essential for proper crawling, because each value leads to a different page:

  • /redirect?to=home
  • /redirect?to=login

In other cases the value changes nothing about the request being tested, and treating every value as a separate URL only multiplies the audit work:

  • /log?errorid=2334234234
  • /log?errorid=3432352355

URLs of this kind are treated as distinct only if HID-3-1-10263 is included in the profile. The standard profile does not include HID-3-1-10263 by default, so query vulnerabilities are reported once rather than for every URL.

If you want query vulnerabilities reported for each URL rather than once, add HID-3-1-10263 to the profile manually; otherwise leave it out to keep the crawl small.
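The two earlier steps (splitting a site into separate targets after a discovery assessment, and sampling a directory of similar entries) and the query-parameter point above all come down to the same question: how many distinct handlers does the crawl actually contain? The script below is an added example for this article, not the scanner's own code. It reads a constructed list of crawled URLs on the made-up host shop.example, counts URLs per top-level section to suggest which sections deserve their own target, and reduces each URL to a template in which numeric path segments become {id} and query values become {value}. Collapsing query values is our approximation of a profile without HID-3-1-10263, not a statement of the scanner's exact behaviour; parameters whose value steers the crawl, such as the "to" of /redirect?to=..., are passed in keep_values so they stay distinct.

```python
"""Plan targets and estimate audit size from a discovery crawl.

Added example for this article; it is not part of the scanner or its
documentation. It reads a list of crawled URLs (constructed below) and:
  1. counts URLs per top-level section, to decide which sections get
     their own target with the crawl scope limited to that subdirectory;
  2. reduces each URL to a template, replacing numeric path segments with
     {id} and query values with {value}, so URLs that differ only by an
     identifier or a query value count once. The template count is a
     rough estimate (our assumption, not the scanner's exact behaviour)
     of how many distinct handlers a representative sample must cover.
Query parameters whose value changes the page reached, such as the
"to" of /redirect?to=..., are passed in keep_values so they stay distinct.
"""
from collections import Counter
from urllib.parse import parse_qsl, urlsplit

# Constructed sample of what a discovery assessment might report.
CRAWLED_URLS = [
    "https://shop.example/login",
    "https://shop.example/en/",
    "https://shop.example/en/about",
    "https://shop.example/products/1",
    "https://shop.example/products/2",
    "https://shop.example/products/3?ref=mail",
    "https://shop.example/products/3?ref=ad",
    "https://shop.example/users/17",
    "https://shop.example/users/18",
    "https://shop.example/redirect?to=home",
    "https://shop.example/redirect?to=login",
    "https://shop.example/log?errorid=2334234234",
    "https://shop.example/log?errorid=3432352355",
]


def top_level_section(url):
    """First path segment, e.g. '/products' for /products/42."""
    segments = [s for s in urlsplit(url).path.split("/") if s]
    return "/" + segments[0] if segments else "/"


def url_template(url, keep_values=frozenset()):
    """Collapse numeric path segments and query values into placeholders."""
    parts = urlsplit(url)
    segments = ["{id}" if s.isdigit() else s for s in parts.path.split("/") if s]
    template = "/" + "/".join(segments)
    params = parse_qsl(parts.query, keep_blank_values=True)
    if params:
        rendered = [f"{k}={v}" if k in keep_values else f"{k}={{value}}"
                    for k, v in sorted(params)]
        template += "?" + "&".join(rendered)
    return template


def plan_targets(urls, keep_values=frozenset()):
    """Return (URLs per section, URLs per template) as Counters."""
    sections = Counter(top_level_section(u) for u in urls)
    templates = Counter(url_template(u, keep_values) for u in urls)
    return sections, templates


def split_candidates(sections, min_urls):
    """Sections large enough to deserve their own target, largest first."""
    return [s for s, n in sections.most_common() if n >= min_urls]


if __name__ == "__main__":
    sections, templates = plan_targets(CRAWLED_URLS, keep_values={"to"})
    print("URLs per section:", dict(sections))
    print("separate targets:", split_candidates(sections, 3))
    print(f"{len(CRAWLED_URLS)} URLs collapse to {len(templates)} templates:")
    for template, n in templates.most_common():
        print(f"  {n:3d}  {template}")
```

On the sample, 13 crawled URLs collapse to 9 templates: the two /log?errorid=... URLs and the /users/<n> pages each count once, while /redirect?to=home and /redirect?to=login stay separate because "to" is in keep_values. On a real export the min_urls threshold would be set far higher than 3; the point is that the per-section counts tell you where to split targets, and the template count tells you how small a "Maximum crawl requests" value can be before the crawl stops reaching distinct handlers.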

Using optimised profiles

For large-scale web applications, consider the optimised profiles, which are designed to improve efficiency and reduce assessment time. Two are available:

Web scan - Optimised Profile - Fast

Runs the assessment without the tests that are least efficient in terms of speed and vulnerability detection. This profile is expected to find 96% of the vulnerabilities in about 80% of the default assessment runtime.

Web scan - Optimised Profile - Essentials

Runs only the tests that are most efficient in terms of speed and vulnerability detection. This profile is expected to find 60% of the vulnerabilities in about 5% of the default assessment runtime.

Note:

These profiles require an import from the profile library available in your Security Center.

Using a Scanner Appliance

Web assessments started from a Scanner Appliance are not subject to the 24-hour limit; for them the maximum assessment duration is 5 days instead. This allows long assessments of complex or large-scale targets to complete without interruption.

Limitation:

This feature is available only on the latest generation of Scanner Appliances (Revision 3.19.2).

Note:

Longer assessments may increase resource usage, so monitor disk and memory consumption on your Scanner Appliance accordingly.