How to set up Application Scanning

We know it can sometimes be cumbersome to work with security software, which is why we've made the setup of Application Scanning as simple as possible.

To start your first scan, navigate to the Application Scanning tab to create a Scan Profile. Click on the "Create Scan Profile" button.

Think of a Scan Profile as a collection of settings dictating where and how a scan should be executed. 

When deciding on locations for scanning, consider the following three tips: 

1. Prioritize scanning custom-built web applications. 

2. Ensure thorough scanning of login forms, as they often contain personally identifiable information, such as usernames and passwords. 

3. Pay special attention to areas where tracking or A/B testing is conducted, as these are key to understanding user behavior and often contain valuable data that needs protection. 

To set up a profile, select the desired domain or IP address from the dropdown menu, name the profile, and then create it. You can change the name of the Scan Profile later in the settings.

That’s it, you are ready to run your first scan with the default settings, or you can choose to customize your Scan Profile by editing the settings.

Detectify API setup

This feature is only accessible for customers with Enterprise plan, please contact your customer support representative or for more information.

In order to set up Application Scanning in the API, you need to create an API key, then add and verify an asset on which  you host your web application.

You can create a Scan Profile by sending a POST request to with the following request body:


"asset_token": "string",

"endpoint": "string",

"name": "string"


Here, “domain token” refers to the asset token on which the Scan Profile should be created, while “endpoint” contains the complete Scan Profile endpoint, which may either be the asset, or a subdomain of the asset. Optionally, you can specify a “name” for the profile. For more information, please refer to the API documentation.


Q: I added an asset, but I don’t see it in the dropdown list?

A: Only verified assets are listed in the dialog. Please check whether your asset is verified.

Q: I wanted to add a subdomain, but forgot, can I change it later?

A: Scan Profiles are tied to a specific asset, and therefore it is not possible to change the asset afterwards. Please create a new Scan Profile for the subdomain.