availability

Package: Invicti AppSec Core (on-demand), Invicti AppSec Enterprise (on-premise, on-demand)

Invicti Platform DAST/API Integration

Invicti Platform is an enterprise-grade dynamic application security testing (DAST) solution. This integration allows Invicti AppSec to trigger scans, retrieve results, and track vulnerabilities directly from the Invicti Platform scanner.

Prerequisites

Field	Description
Invicti Platform URL	The base URL of your Invicti Platform instance (e.g., `https://your-org.invicti.com`)
API Token	A personal API token generated from your Invicti Platform account

Get an API Token (on Invicti Platform Side)

Log in to your Invicti Platform instance.
Click your profile icon in the upper right corner.
Select API Settings or My Account.
Navigate to the API Token section.
Click Generate Token.
Copy the token immediately — it is shown only once.

Step 1: Navigate to Integrations

From the left sidebar menu, click on Integrations.

Step 2: Select the DAST/API Tab

On the Integrations > Scanners page, click on the DAST/API tab.

Step 3: Find and Activate Invicti Platform

Scroll through the list of DAST/API scanners to find Invicti Platform.

If Invicti Platform is not activated, you will see an "Activate" button. Click it to enable the integration.

note

The scan method badge on the Invicti Platform card shows KDT, which means scans are triggered through the Kondukto CLI tool (KDT).

Step 4: Configure Connection Settings

Click on the gear icon on the Invicti Platform card to open the configuration panel. Fill in the required fields:

Token: Paste the API token generated from your Invicti Platform account.
URL: Enter your Invicti Platform base URL (default: https://platform.invicti.com).
Insecure: Enable this checkbox only if your Invicti Platform instance uses a self-signed SSL certificate.

Step 5: Test the Connection

Click Test Connection. A green Connection successful message confirms that Invicti AppSec can communicate with your Invicti Platform instance.

Summary

Step	Action
1	Navigate to Integrations from the sidebar
2	Select the DAST/API tab
3	Activate the Invicti Platform scanner
4	Enter URL and API Token
5	Test the connection

Create a Scan

Navigate to Project Scanners

Open a project in Invicti AppSec.
Go to Settings > Scanners.
Click Add Scanner.

Add Invicti Platform Scanner

Select DAST/API as the scanner type.
Choose Invicti Platform from the scanner list.
Click Add to open the scan configuration drawer.

Scan Configuration Fields

Field	Description	Required
Environment	Select the environment for the scan	No
Bind To	Invicti Platform project to bind to	Yes
Profiles	Scan profile to use	No
Start Scan	Toggle to trigger the scan immediately	No
Branch	Source code branch associated with this scan	No
Meta Data	Additional metadata for the scan	No
Scan Tag	Tag to identify the scan	No

Scheduler

Enable the Scheduler toggle to run this scan on a recurring schedule. Configure the frequency (daily, weekly) and time.

Webhook (Optional)

Add a webhook URL to receive scan status notifications when the scan completes or fails.

KDT Command

To trigger scans from a CI/CD pipeline using the KDT CLI:

kdt scan -p <project_name> -t invicti -b <branch_name>

Troubleshooting

Connection Fails

Issue	Resolution
Invalid API token	Regenerate the token from Invicti Platform and update the settings
Wrong URL	Ensure the URL includes the protocol (`https://`) and no trailing slash
SSL certificate error	Verify the Invicti Platform instance uses a valid SSL certificate
Network/firewall	Ensure Invicti AppSec can reach the Invicti Platform host on port 443

Scan Issues

Issue	Resolution
No scan profiles available	Verify the API token has sufficient permissions to list scan profiles
Scan not starting	Check that the target URL is reachable from the Invicti Platform agent
Empty results	Confirm the scan completed successfully in the Invicti Platform dashboard
Permission denied	Ensure the service account has the required role in Invicti Platform

Best Practices

Use a dedicated service account API token rather than a personal user token.
Rotate the API token every 90 days.
Always use HTTPS for the Invicti Platform URL.
Assign the minimum required permissions to the service account.
Use scan profiles optimized for your application type (web app vs. API).

Limitations

The integration requires Invicti Platform API access; firewall rules must allow outbound connections from Invicti AppSec.
Scan profile availability depends on your Invicti Platform subscription tier.
Rate limits imposed by Invicti Platform's API may affect scan triggering frequency in high-volume environments.
Only scan results from completed scans are imported; in-progress scan data is not retrieved until the scan finishes.

Need help?

Invicti Support team is ready to provide you with technical help. Go to Help Center

Was this page useful?

Prerequisites​

Get an API Token (on Invicti Platform Side)​

Step 1: Navigate to Integrations​

Step 2: Select the DAST/API Tab​

Step 3: Find and Activate Invicti Platform​

Step 4: Configure Connection Settings​

Step 5: Test the Connection​

Summary​

Create a Scan​

Navigate to Project Scanners​

Add Invicti Platform Scanner​

Scan Configuration Fields​

Scheduler​

Webhook (Optional)​

KDT Command​

Troubleshooting​

Connection Fails​

Scan Issues​

Best Practices​

Limitations​

Need help?​