Web applications are usually made up of multiple parts, some of which can be hosted on different domains. Hence, to cover all parts of the application in Application Scanning, might go beyond the Scan Profile endpoint when crawling and include subdomains in the security testing.
Discovery and assessment of subdomains of the Scan Profile endpoint when you enable “Should we crawl subdomains?” in the Application Scanning settings. This includes subdomains discovered during the scan (by, for example, a link on the website leading to it). In addition to following links towards these subdomains. For more information, see how to include or avoid URLs and paths in Application Scanning.
In case you would like to exclude one or more subdomains from being scanned, you can add them under “Which subdomains must we avoid?” in the Application Scanning settings. The scan will automatically block any HTTP request towards these subdomains, (and also all subdomains of these) during discovery and assessment. Ex. when avoiding blog.example.com, if you have a subdomain tech.blog.example.com, it will also be avoided.