Trustlist requirements for US region
To ensure the proper functioning of cloud agents and integrations, configure inbound and outbound traffic rules to allow access to the URLs in this document. Correctly configuring network access is a prerequisite for successful and accurate scans of your targets.
These are the trustlist configuration steps to consider:
-
Inbound connections
- Your target accepting inbound connections
- Your integration server accepting inbound connections
-
Outbound connections
- Your browser outbound connections
- Invicti Platform internal scanning agent outbound connections
- Target Application outbound connections
Inbound connections
Your target accepting inbound connections
Ensure your target's network infrastructure allows incoming scanning requests from:
| Scope | Source |
|---|---|
| Incoming scanning requests (from the cloud scanners) | scanners-platform.invicti.com (3.228.162.54) |
| Incoming scanning requests (from the internal scanners) | IP Address of your Internal Scanning Agents |
| Predictive Risk Scoring | 52.0.216.190 |
| PCI ASV scans | 38.123.140.0/24 |
Your integration server accepting inbound connections
Ensure your integration server's network infrastructure allows incoming connections for integration API calls.
| Scope | Source |
|---|---|
| Integration API calls | 54.85.4.50 54.242.66.255 |
If you have a dedicated environment, ensure access to the environment accordingly.
Outbound connections
Your browser outbound connections
Your browser might be behind an outbound firewall or web proxy, especially when connected to a corporate LAN or VPN. Ensure that your firewall, proxy, or VPN allows outbound connections to the Invicti Platform URL for your location.
| Scope | Destination |
|---|---|
| Browser access to Invicti Platform | https://platform.invicti.com |
Invicti Platform internal scanning agent outbound connections
If you have deployed an internal scanning agent, ensure your network infrastructure permits it to establish outbound connections to the following destinations:
| Scope | Destination |
|---|---|
| API calls to Invicti Platform | https://platform.invicti.com |
| API calls to the Invicti OOB service for out-of-band vulnerability checking | https://bxss.me |
| API calls to the safe browsing service | https://sb.bxss.me |
| API calls to the software composition analysis service | https://sca.invicti.com |
| Invicti OOB S3 bucket for out-of-band vulnerability checking | https://bxss.s3.dualstack.us-west-2.amazonaws.com |
| Downloading of update packages for the internal scanning agent & used by cloud and internal agents to send scan data into private S3 buckets | https://*.amazonaws.com |
| API calls to the Invicti IAST Bridge | https://iast.invicti.com/ |
| Scanning requests to your target | IP Address/URL for your target, including destination port |
Target application outbound connections
If you have deployed an Invicti IAST agent in your target web application, ensure your network infrastructure permits it to establish outbound connections for API calls to the Invicti IAST Bridge URL for your location.
| Scope | Destination |
|---|---|
| Injected payload calls to the Invicti OOB service to provide evidence of out-of-band vulnerability detection. | https://bxss.me |
| *API Calls to the Invicti IAST Bridge | https://iast.invicti.com/ |
Need help?
Invicti Support team is ready to provide you with technical help. Go to Help Center.