Deployment: Invicti Platform on-premises
Prerequisites
Invicti Platform on-premises edition runs on a Kubernetes cluster with enough resources to support all components. Proper resource allocation helps handle peak scan workloads, maintain performance, and scale effectively in production environments.
System requirements
Worker nodes
Worker nodes run the application workloads in your Kubernetes cluster. The Invicti Platform on-premises edition deploys multiple services and DAST scanner pods across these nodes.
Recommended minimum hardware for each worker node:
- CPU: 6 cores
- Memory: 12 GB RAM
- Storage: 50 GB available disk space
These specifications represent the baseline for running the platform's core services along with a few concurrent scans. In production environments, allocate additional resources based on your expected workload and scan volume.
Worker nodes handle:
- Core platform services (API, web interface, background workers)
- DAST scanner pods that execute security scans
- Supporting infrastructure (databases, message queues, cache)
- Persistent storage for scan data and logs
The platform distributes workloads across available worker nodes automatically. More worker nodes allow for better resource distribution and higher concurrent scan capacity.
Start with up to five concurrent scans and increase the number gradually while monitoring performance. If scans begin to fail due to insufficient resources, expand cluster capacity accordingly.
Because some scans require more resources than others, the optimal number of concurrent scans can vary between environments.
The DAST scanner architecture supports node autoscaling, so the cluster can expand and shrink according to scan demand. Each DAST scanner pod needs about 2 CPU cores and 4 GB RAM for a single scan.
During a scan, the system writes logs, cache, and state information to node storage. It removes these temporary files after the scan finishes, but disk usage can still reach several gigabytes during scanning.
The database layer also uses persistent storage. The S3-compatible seaweedfs stores historical scan data, imported artifacts, and scan logs. By default, it uses one volume with a maximum capacity of 250 GB, which you can adjust in the values.yaml file. Other persistent services, such as jetstream and valkey, store smaller amounts of data.
Node requirements
For testing or small-scale deployments, you can use a single high-performance node. For high availability setups, especially when running microk8s, use at least three nodes. If your nodes are smaller or less powerful, plan for four or more nodes to maintain stability and performance.
Required tools for installation
Install the following tools and add them to your system’s PATH:
- helm (v3.8+) - Installation guide
- kubectl (v1.23+) - Installation guide (optional for verification and troubleshooting).
Verify installations:
kubectl version --client
helm version
Set up your Kubernetes cluster so that both helm and kubectl commands function correctly.
Kubernetes cluster requirements
- Kubernetes version: 1.23 or higher
- Cluster access: Administrator privileges for namespace creation and RBAC configuration
- LoadBalancer support: Required for external access
- Storage class: Default storage class with dynamic provisioning capability
- Namespace: Dedicated namespace required (e.g.,
invicti)
Network requirements
- Internet access: Required to pull container images from
platform-registry.invicti.com - Ports: The Ingress service must expose ports 443 through a LoadBalancer
Credentials required
- Invicti username: Your registered email address
- Invicti license key: Provided by Invicti
- SMTP server (optional): Used for sending email notifications
- SSL certificates (optional): Valid TLS certificate and private key for HTTPS access
Customizing for your scale
The provided Helm chart supports both low- and high-scale scanning scenarios. By default, it assumes that the cluster doesn't include a node autoscaler. In this configuration, DAST scanner pods run without resource requests or limits and use available node resources. The cluster balances pods across nodes automatically.
If your cluster uses a node autoscaler, define resource requests and limits for the DAST scanner pods. These limits help the autoscaler adjust node capacity based on scan workloads. Modify these settings in the values.yaml file before installation. Refer to the Values documentation for more information.
You can also change scaling options after installation by upgrading the Helm release with updated values.
After reviewing the prerequisites, continue with the Kubernetes requirements to verify your cluster meets the supported standards.
Need help?
Invicti Support team is ready to provide you with technical help. Go to Help Center