Package: Invicti AppSec Core (on-demand)
Configure target DAST settings
Set up a target so every DAST scan runs against the right application, at the right time, with the right context - and so the findings land in the right buckets afterward. This document walks through the decisions you make on the target's DAST settings tab: how to label the target, which hours to keep scan-free, how to make sure the scanner can actually reach the app, and how to use the scan cache to speed up subsequent scans.
To open the page: select Inventory > Targets from the left-side menu, click the target name, then select the DAST Settings tab. Changes only apply after you click Save target configuration at the bottom of the page; Discard changes next to it reverts unsaved edits.
Why this matters
The DAST settings are the contract between Invicti AppSec and the target it scans. If the environment label is wrong, dashboards lump production findings in with staging noise. If excluded hours aren't set, scans hit the application during peak traffic. If the wrong agent is selected, an internal target can't be reached at all. Getting these settings right up front saves the cleanup work later - retagged findings, rescheduled scans, and reopened tickets.
Label the target so findings end up where they belong
The decisions you make in the Target settings section shape how every future finding for this target is filtered, prioritized, and routed. Work through them in this order:
- Name (required) - pick a name that's recognizable everywhere Invicti AppSec lists this target. This is what your team scans for when triaging.
- Target URL - the application's root URL. Set when the target is created and read-only here. If the application has actually moved to a new URL, recreate the target rather than trying to edit this value.
- Environment (optional) - pick Development, Staging, or Production so dashboards, reports, and team filters can separate this target's findings from the rest. Skipping this means production noise mingles with experimental noise.
- Description (optional) - capture anything a teammate would need to know that the name doesn't already convey - owning team, business purpose, regulatory scope.
- Business impact - set Critical, High, Medium, or Low to drive how aggressively this target's findings rank against others on the same dashboard. Hover the (?) icon for in-product guidance.
- Tags - add comma- or Enter-separated labels that group this target with others sharing a context no built-in field captures (for example, pci-scope, a release train, or a docs-validation tag).
- Allowed hosts (optional) - if the scanner needs to follow links into additional hostnames to fully cover the application (for example, an API subdomain), add those hosts here. Pick from hosts already registered in your account.
Anything you add to Allowed hosts becomes in-scope for this target's scans. Only add hosts you own and intend to scan.
Keep scans out of peak traffic
Pick an excluded hours profile to tell Invicti AppSec when not to scan this target - so traffic spikes and planned maintenance don't collide with a scan.
In the Hours profiles dropdown, choose the profile that matches when you can't afford a scan:
- Use default excluded hours profile - if the account-wide default already covers your needs.
- Allows scans from 9am to 5pm [GMT +0] - if your application is only safe to scan during business hours (for example, low-traffic internal tools).
- No weekends [GMT +0] - if weekend traffic patterns or on-call coverage gaps make weekend scans risky.
- Except working hours [GMT +0] - if this is a production app where business hours are off-limits and scans should run overnight.
Built-in profiles are anchored to GMT +0. If your team operates in a different time zone, account for the offset when choosing a profile - or create a custom profile that matches your local working hours.
Make sure the scanner can reach the target
The Default agent decision determines whether the scanner can connect to the target at all - especially for anything that isn't publicly accessible.
In the Default agent dropdown:
- Pick Cloud Agent for public-facing applications. Cloud agents are managed by Invicti and can reach any site on the public internet. This is the default for new targets and the right choice unless the target is private.
- Pick a self-hosted agent for targets the public internet can't reach - internal staging, VPN-only environments, on-premises applications. Self-hosted agents only appear in the dropdown after they're installed, registered to your account, and currently connected. To add one, go to Scans > DAST agents and click Add new agent, then come back to this page.
Speed up future scans with the scan cache
A target's scan cache stores discovered paths, vulnerabilities, and other context from previous scans so the next scan starts informed instead of from zero. Use the two controls in the Scan Cache section to decide when to keep the cache and when to throw it away.
Reuse prior scan context
Under Use scan cache in future scans, choose:
- Yes - if the application is stable and you want future scans to build on what the scanner already learned. Recommended for most targets.
- No - if you want each scan to start fresh, ignoring prior context.
Start clean after a major app change
If the application has been rewritten or restructured and the cached paths no longer reflect reality, click Delete cache to clear what's stored. The cache rebuilds itself during the next scan.
The first scan after a cache delete has to rediscover everything from scratch, so it'll likely take longer than usual. Once it completes, the cache rebuilds and subsequent scans return to normal speed.
Troubleshooting
I can't change the Target URL
The Target URL is set when the target is created and is read-only on the DAST Settings tab. If the target's root URL has actually changed (for example, the application moved to a new domain), create a new target with the correct URL and archive or delete the old one. Migrating findings between targets is a separate flow.
A self-hosted agent isn't showing up in the Default agent dropdown
The dropdown only lists agents that are installed, registered to your account, and currently connected. Go to Scans > DAST agents and confirm the agent shows as online. A disconnected or expired agent silently disappears from this dropdown. Once it's reconnected, refresh the DAST Settings tab.
Scans aren't honoring the excluded hours profile I selected
The built-in profiles are anchored to GMT +0. If a scan looks like it's running "during" your excluded hours, convert the profile's GMT +0 window to your local time and check again. If the offset isn't the issue, confirm the profile is still selected on this target (a re-save can drop the value if there were validation errors elsewhere on the page).
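The GMT +0 conversion described here and in the excluded hours section, as an added example (not Invicti code): it turns a built-in profile into the local-time windows in which scans may run, including windows that cross midnight or shift the weekend boundary. The profile keys, the Saturday/Sunday definition of a weekend, and the fixed UTC offsets (no daylight saving) are assumptions.

```python
from datetime import datetime, time, timedelta, timezone

GMT = timezone.utc                # built-in profiles are anchored to GMT +0
STEP = timedelta(minutes=15)      # fine enough for :30 and :45 UTC offsets
DAYS = ["Mon", "Tue", "Wed", "Thu", "Fri", "Sat", "Sun"]

def scan_allowed(profile, when):
    """True if a scan may run at tz-aware `when` under a built-in profile.
    Profile keys are hypothetical labels for this example."""
    g = when.astimezone(GMT)
    if profile == "9am-5pm":      # "Allows scans from 9am to 5pm [GMT +0]"
        return time(9) <= g.time() < time(17)
    if profile == "no-weekends":  # "No weekends [GMT +0]"; Sat+Sun assumed
        return g.weekday() < 5
    raise ValueError(f"unknown profile: {profile}")

def local_windows(profile, tz, monday):
    """Merged (start, end) windows, in local time, in which scans are
    allowed during the local week that begins on the date `monday`."""
    t = datetime.combine(monday, time(0), tzinfo=tz)
    end = t + timedelta(days=7)
    windows, start = [], None
    while t < end:
        ok = scan_allowed(profile, t)
        if ok and start is None:
            start = t                      # an allowed window opens
        elif not ok and start is not None:
            windows.append((start, t))     # the window closes at t
            start = None
        t += STEP
    if start is not None:                  # window still open at week end
        windows.append((start, end))
    return windows

def fmt(windows):
    """Render windows as 'Mon 01:00-Mon 09:00' strings in the local zone."""
    return [f"{DAYS[s.weekday()]} {s:%H:%M}-{DAYS[e.weekday()]} {e:%H:%M}"
            for s, e in windows]

if __name__ == "__main__":
    local = timezone(timedelta(hours=-8))  # constructed sample: UTC-8 team
    week = datetime(2024, 1, 1).date()     # constructed sample: a Monday
    for name in ("9am-5pm", "no-weekends"):
        print(name, fmt(local_windows(name, local, week)))
```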
An allowed host isn't in the Allowed hosts dropdown
The dropdown only lists hosts already known to your account. If the host you want to allow isn't there, add it first as a separate target (or under the appropriate inventory entry), then come back to this page and refresh - the host should now appear in the list.
I deleted the scan cache and now scans take much longer
That's expected for the first scan after a cache delete - the scanner is rediscovering paths from scratch. Subsequent scans use the rebuilt cache and run at normal speed. If the slowdown persists across multiple scans, the cause is something other than the cache - check agent connectivity, target responsiveness, and any recent scan configuration changes.