Scans that exceed the 24-hour execution limit are stopped automatically, but you still receive all results obtained up to the moment of termination.
In most cases, a scan that reaches the 24-hour limit has already covered the overwhelming majority of the vulnerabilities present on your website.
Several factors can contribute to a scan reaching the time limit. The following guide presents best practices and configuration adjustments that help reduce scan duration and optimize resource usage.
Follow the steps below to improve scanning time:
1. Break Down Target URLs into Separate Entities
Split the target URL if the site contains numerous sections, such as products, articles, or user pages.
URL Structure (example):
- /login: single login endpoint
- /products: contains thousands of product entries
- /users: includes hundreds of user profiles
- /en: English version of the site
Recommendation
Create a distinct target for each section, with the Crawl scope set to "Limit to content located at or below URL subdirectory." Each target then scans only its own subdirectory, reducing unnecessary overhead. Because links that lead outside the subdirectory are not followed, check that the set of targets together still covers every section you care about, including small ones such as /login.
Running a discovery scan before your full security scan can help identify how to divide a large website into smaller, more manageable parts.
2. Limit the Total Number of URLs Crawled
If you are scanning a directory containing numerous entries that share the same structure, testing a representative subset is typically sufficient, because all entries share the same page template and parameters.
Examples:
- /products/1 (Product 1)
- /products/2 (Product 2)
Recommendation
- Use the Crawl scope: Limit to content located at or below URL subdirectory
- Configure the scan profile to limit the maximum number of crawl requests.
Suggested Setting: Maximum Crawl Requests = 250
3. Restrict Scans by HTTP Method
If the application contains multiple forms that use different HTTP methods (e.g., GET and POST), we recommend running two scans:
- Scan 1: target only GET methods
- Scan 2: target only POST methods
During the Audit phase (running HIDs), POST requests usually carry one or more parameters, so they take longer to process than GET requests.
Disable JavaScript scanning for sensitive forms
The HTTP method restriction (GET/POST) applies only when JavaScript scanning is disabled.
4. Exclude Static Content and Non-Vulnerable Endpoints
If your website serves static resources (images, PDFs, CSS, JS) or endpoints that process no user input (pages without forms or parameters), configure URL exclusion patterns to skip them. This significantly reduces scan time without reducing coverage of the endpoints that matter.
Excluding these patterns focuses scanning resources on endpoints that process user input and are therefore susceptible to common web vulnerabilities. Before applying a pattern, confirm that nothing under the excluded path accepts parameters: a path-based exclusion also hides any dynamic endpoint whose path happens to match it.
Example Exclusions:
- *.jpg, *.jpeg, *.png, *.gif, *.svg, *.css, *.js
- /static/*
- /assets/*
- /fonts/*
- /docs/*.pdf
- /images/*
- /dist/*
- /cdn/*
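The exclusion patterns above are plain path globs, so it is worth running them against a crawl export before committing them to the scan profile. The script below is an added example, not part of this guide or of the scanner; it applies the list to a constructed set of URLs for a fictional host (shop.example) and flags any excluded URL that carries a query string, since that is the usual sign of a dynamic endpoint hiding behind a static-looking path. Pattern matching uses Python's fnmatch, which is an assumption about how the scanner evaluates globs.

```python
from fnmatch import fnmatchcase
from urllib.parse import urlsplit

# The exclusion list from this section, as path globs. A pattern such as
# "*.jpg" matches any path ending in .jpg (fnmatch's * also crosses "/").
# Assumption: the scanner evaluates its patterns the same way.
EXCLUDE_PATTERNS = [
    "*.jpg", "*.jpeg", "*.png", "*.gif", "*.svg", "*.css", "*.js",
    "/static/*", "/assets/*", "/fonts/*", "/docs/*.pdf",
    "/images/*", "/dist/*", "/cdn/*",
]


def is_excluded(url, patterns=EXCLUDE_PATTERNS):
    """True if the URL's path matches any exclusion glob.

    Only the path is matched, never the query string. That mirrors a path-based
    exclusion rule: a URL that takes parameters is still skipped if its path
    looks static, which is exactly what review_exclusions() surfaces.
    """
    path = urlsplit(url).path
    return any(fnmatchcase(path, pattern) for pattern in patterns)


def review_exclusions(urls, patterns=EXCLUDE_PATTERNS):
    """Partition crawled URLs into (kept, skipped, suspicious).

    'suspicious' holds skipped URLs that carry a query string: a hint that the
    'static' resource is really a dynamic endpoint and the pattern is too broad.
    """
    kept, skipped, suspicious = [], [], []
    for url in urls:
        if is_excluded(url, patterns):
            skipped.append(url)
            if urlsplit(url).query:
                suspicious.append(url)
        else:
            kept.append(url)
    return kept, skipped, suspicious


# Constructed crawl output for a fictional host; not real scan data.
SAMPLE_URLS = [
    "https://shop.example/login",
    "https://shop.example/products/1",
    "https://shop.example/api/users.json",
    "https://shop.example/static/app.js",
    "https://shop.example/images/logo.png",
    "https://shop.example/docs/manual.pdf",
    "https://shop.example/docs/export.pdf?report=42",
    "https://shop.example/cdn/vendor.min.css",
]

if __name__ == "__main__":
    kept, skipped, suspicious = review_exclusions(SAMPLE_URLS)
    print(f"kept {len(kept)}, skipped {len(skipped)}, need review {len(suspicious)}")
    for url in suspicious:
        print("  review:", url)
```

Note that /api/users.json is kept even though it ends in "json": the "*.js" glob only matches paths that end in ".js", so there is no accidental overlap. The PDF generated from a query parameter is the case to look at before accepting the exclusion list.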
5. Avoid Redundant Query Parameters
In some targets, query values are essential for proper crawling, because each value leads to different content:
- /redirect?to=home
- /redirect?to=login
These are treated as distinct URLs if HID-3-1-10263 is included in the scan profile.
In other cases the value carries no information relevant to the crawl:
- /log?errorid=2334234234
- /log?errorid=3432352355
Here, treating them as distinct URLs is redundant, so we have changed how query vulnerabilities are reported to prevent unnecessary duplication in scans.
The standard scan profile does not include HID-3-1-10263 by default.
If you want query vulnerabilities reported on each URL instead of once, include HID-3-1-10263 manually in the scan profile.
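Sections 1, 2 and 5 all come down to the same question: which crawled URLs are structurally the same, and which differ in a way the scanner should care about? The script below is an added example, not part of this guide or of the scanner. It reduces each URL to a "shape" (numeric path segments become {id}, query values are dropped unless the parameter name is declared essential, as "to" is for the /redirect case), groups the result by top-level directory so you can see which sections deserve their own target, and picks a representative subset per shape. The host (shop.example), the URL list and the idea of an essential-parameter allowlist are constructed for the example; the scanner's own de-duplication rules are not claimed to match it.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit, parse_qsl

NUMERIC_SEGMENT = re.compile(r"^\d+$")


def url_shape(url, essential_params=frozenset()):
    """Reduce a URL to its structural shape.

    Numeric path segments are replaced by {id}, so /products/1 and /products/2
    share one shape. Query values are dropped (only parameter names survive)
    unless the name is in essential_params; then the value is kept because it
    changes what the crawler reaches (the /redirect?to=... case above).
    """
    parts = urlsplit(url)
    segments = ["{id}" if NUMERIC_SEGMENT.match(s) else s for s in parts.path.split("/")]
    path = "/".join(segments) or "/"
    query = sorted(
        f"{name}={value}" if name in essential_params else f"{name}=*"
        for name, value in parse_qsl(parts.query, keep_blank_values=True)
    )
    return path + ("?" + "&".join(query) if query else "")


def inventory(urls, essential_params=frozenset()):
    """Group URLs by top-level directory, then by shape: {dir: {shape: [urls]}}."""
    groups = defaultdict(lambda: defaultdict(list))
    for url in urls:
        top = "/" + urlsplit(url).path.lstrip("/").split("/")[0]
        groups[top][url_shape(url, essential_params)].append(url)
    return {top: dict(shapes) for top, shapes in groups.items()}


def representative_subset(urls, essential_params=frozenset(), per_shape=2):
    """Keep at most per_shape raw URLs for every distinct shape.

    Thousands of /products/{id} pages collapse to a couple of samples, while
    URLs whose shape differs (another path, another parameter name, or a
    different value of an essential parameter) are all kept.
    """
    chosen = []
    for shapes in inventory(urls, essential_params).values():
        for members in shapes.values():
            chosen.extend(members[:per_shape])
    return chosen


# Constructed crawl output for a fictional host; not real scan data.
SAMPLE_URLS = [
    "https://shop.example/login",
    "https://shop.example/products/1",
    "https://shop.example/products/2",
    "https://shop.example/products/3",
    "https://shop.example/users/10",
    "https://shop.example/users/11",
    "https://shop.example/redirect?to=home",
    "https://shop.example/redirect?to=login",
    "https://shop.example/log?errorid=2334234234",
    "https://shop.example/log?errorid=3432352355",
    "https://shop.example/en/",
]

if __name__ == "__main__":
    report = inventory(SAMPLE_URLS, essential_params={"to"})
    for top, shapes in sorted(report.items()):
        total = sum(len(members) for members in shapes.values())
        print(f"{top}: {total} URLs, {len(shapes)} shape(s)")
        for shape, members in shapes.items():
            print(f"    {shape}  x{len(members)}")
    print("\nRepresentative subset:")
    for url in representative_subset(SAMPLE_URLS, {"to"}):
        print("   ", url)
```

Run against a discovery-scan export, the per-directory report tells you which sections are large enough to become their own target, and the shape count within a section tells you whether a low Maximum Crawl Requests value will still reach every distinct page type. The two /log URLs collapse into one shape, while the two /redirect URLs stay separate only because "to" is listed as essential; leave the set empty and they collapse as well.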