Scan profiles

What does the scan profile settings mean?

This article explains the basics of the settings in a scan profile for a web application scanning.

General Information

  • Name
    The name for the scan profile.
  • Owner 
    The owner of the policy.
  • Details
    Description field that can be utilized to explain the profile's purpose.

Crawl settings

  • Form method
    This refers to the various methods used by the scan engine to evaluate the functionality and security of forms on a web application.
  • User agent
    The user agent will be used while the scan is running.
  • Maximum crawl requests
    The maximum number of crawl requests the scan will perform during the test. The total amount of requests that the system will allow is 8,000. 
  • Scan intensity
    Four different types of settings determine the number of requests per minute.
    • Low: 10 requests per second
    • Medium: 30 requests per second
    • High: 50 requests per second
    • Custom: a custom value
  • Requests per second 
    Total requests per second. The recommended number is 30 per second.


Vulnerability selection

This feature lets you choose which vulnerabilities to include or exclude in your web application scan. 

  • Default Vulnerability Categories
    These categories include most of the tests needed to identify vulnerabilities in a web application.
  • Enable advanced path traversal XSS
    Include path traversal testing; read more about path traversal XSS here:
  • Include
    To scan for specific vulnerabilities, you can search and choose the category name, vulnerability name, or HID you are interested in. This allows you to customize your web application scan and focus on specific areas of concern.
  • Exclude
    To exclude specific vulnerabilities in your scan, add them to the exclusion form. You can exclude single HIDs or full categories.


Some tests are skipped by default to increase the stability and performance of the scanned web applications.

  • Skip Password brute forcing
    Disables attempts to brute force authentication forms.

Sensitive content

Sensitive content contains tests that search for information such as credit card numbers and social security or personal identification numbers. 

Custom content allows you to type specific search criteria the scanner will try to detect. If this setting is turned off, no personal data will be processed.