How to set up Application Scanning

We know that working with security software can sometimes be cumbersome, so we made setting up Application Scanning as simple as possible so that you can start your first scan quickly. Our onboarding guide helps you along the way, and you can also set up additional scans by following this guide. Besides the Detectify tool, you can also do this through the Detectify API.

Setup in the Detectify tool

In order to set up Application Scanning via the UI, you first need to register an account with Detectify, then add the asset on which you host your web application.

Once you have your asset verified, go to the Application Scanning page, where you have access to all information on your Application Scanning setup.

Select Add Application Scan Profile to create a new Scan Profile. In the dialog, use the dropdown for “Domain or IP to scan” to select which asset you want to have scanned. When you select a domain, you can choose to create the Scan Profile for a subdomain of the selected asset. This is recommended if you host a separate web application on a subdomain. If you don’t have a subdomain, you can leave the field blank.

Name your Scan Profile so you can easily find it if you create several Scan Profiles later. If you leave the name blank, we will give the Scan Profile the same name as the asset (including the subdomain, if one is specified). You can also change the name of the Scan Profile later in the settings.

That’s it, you are ready to run your first scan with the default settings, or you can choose to customize your Scan Profile by editing settings.

Setup in the Detectify API

This feature is only accessible to customers on the Enterprise plan. Please contact your customer support representative or for more information.

In order to set up Application Scanning in the API, you need to create an API key, then add and verify an asset on which you host your web application.

You can create a Scan Profile by sending a POST request to with the following request body:


{
  "asset_token": "string",
  "endpoint": "string",
  "name": "string"
}


Here “asset_token” is the token of the asset on which the Scan Profile should be created, while “endpoint” contains the complete Scan Profile endpoint, which may be either the asset itself or a subdomain of the asset. Optionally, you can specify a “name” for the profile. For more information, please refer to the API documentation.
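The following added example (not Detectify's own code) builds the request body described above and rejects an endpoint that is neither the asset nor a subdomain of it before anything is sent. The function names and sample values are assumptions made for illustration; the request URL and the API key header come from the API documentation and are not shown here.

```python
import ipaddress
import json


def _normalize(host):
    # Hostnames are case-insensitive and may carry a trailing root dot.
    return host.strip().rstrip(".").lower()


def endpoint_belongs_to_asset(endpoint, asset):
    """Return True if endpoint is the asset itself or a subdomain of it."""
    e, a = _normalize(endpoint), _normalize(asset)
    if not e or not a:
        return False
    try:
        ipaddress.ip_address(a)
        return e == a  # an IP asset has no subdomains: exact match only
    except ValueError:
        pass
    # Match on a label boundary so "notexample.com" is not accepted
    # as a subdomain of "example.com".
    return e == a or e.endswith("." + a)


def build_scan_profile_body(asset_token, asset, endpoint, name=None):
    """Build the JSON body for the Scan Profile POST request."""
    if not asset_token:
        raise ValueError("asset_token is required")
    if not endpoint_belongs_to_asset(endpoint, asset):
        raise ValueError(
            "endpoint %r is not %r or a subdomain of it" % (endpoint, asset)
        )
    body = {"asset_token": asset_token, "endpoint": _normalize(endpoint)}
    if name:  # "name" is optional; omit it when blank
        body["name"] = name
    return json.dumps(body)


if __name__ == "__main__":
    # Constructed sample values, not real tokens or assets.
    print(build_scan_profile_body(
        "PLACEHOLDER_ASSET_TOKEN", "example.com", "app.example.com", "Web shop"
    ))
```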


Q: I added an asset, but I don’t see it in the dropdown list?

A: Only verified assets are listed in the dialog. Please check whether your asset is verified.

Q: I wanted to add a subdomain, but forgot, can I change it later?

A: Scan Profiles are tied to a specific asset, and therefore it is not possible to change the asset afterwards. Please create a new Scan Profile for the subdomain.