Trustlist requirements for US region
Invicti Platform makes network connections that may require updates to your firewall settings. Configure inbound and outbound traffic rules to allow access to the URLs in this document. Correctly configuring network access is a prerequisite for successful and accurate scans of your targets. For more information about what happens when trustlisting isn't configured, see Consequences of scanning without trustlisting.
These are the trustlist configuration steps to consider:
-
Inbound connections
- Your target accepting inbound connections
- Your integration server accepting inbound connections
-
Outbound connections
- Your browser outbound connections
- Invicti Platform internal scanning agent outbound connections
- NTA Reconstructor outbound connections
- Target Application outbound connections
Inbound connections
Your target accepting inbound connections
Ensure your target's network infrastructure allows incoming scanning requests from:
| Scope | Source | Address and Port |
|---|---|---|
| Incoming scanning requests (from the cloud scanners) | scanners-platform.invicti.com (3.228.162.54) | Your target's address and port |
| Incoming scanning requests (from the internal scanners) | IP Address of your Internal Scanning Agents | Your target's address and port |
| Predictive Risk Scoring | 52.0.216.190 | Your target's address and port |
| PCI ASV scans | 38.123.140.0/24 | Your target's address and port |
Your integration server accepting inbound connections
Ensure your integration server's network infrastructure allows incoming connections for integration API calls.
| Scope | Source | Port |
|---|---|---|
| Integration API calls | 54.85.4.50 54.242.66.255 | 443 |
If you have a dedicated environment, ensure access to the environment accordingly.
Outbound connections
Your browser outbound connections
Your browser might be behind an outbound firewall or web proxy, especially when connected to a corporate LAN or VPN. Ensure that your firewall, proxy, or VPN allows outbound connections to the Invicti Platform URL for your location.
| Scope | Destination | Port |
|---|---|---|
| Browser access to Invicti Platform | https://platform.invicti.com | 443 |
Invicti Platform internal scanning agent outbound connections
If you have deployed an internal scanning agent, ensure your network infrastructure permits it to establish outbound connections to the following destinations:
| Scope | Destination | Port |
|---|---|---|
| Invicti Platform | https://platform.invicti.com | 443 |
| Invicti OOB service for out-of-band vulnerability checking | https://bxss.me | 443 |
| Safe browsing service | https://sb.bxss.me | 443 |
| Software composition analysis service | https://sca.invicti.com | 443 |
| Invicti OOB S3 bucket for out-of-band vulnerability checking | https://bxss.s3.dualstack.us-west-2.amazonaws.com | 443 |
| Downloading agent update packages | https://registry.invicti.com | 443 |
| Invicti IAST Bridge | https://iast.invicti.com/ | 443 |
| Scanning requests to your target | IP Address/URL for your target | Your target's port |
NTA Reconstructor outbound connections
If you have deployed the NTA Reconstructor, ensure your network infrastructure permits it to establish outbound connections to the Invicti APIHub Service URL:
| Scope | Destination | Port |
|---|---|---|
| APIHub Service URL: NTA Reconstructor communication with Invicti Platform | https://platform.invicti.com/api/apihub/v1/nad | 443 |
Target application outbound connections
If you have deployed an Invicti IAST agent in your target web application, ensure your network infrastructure permits it to establish outbound connections for API calls to the Invicti IAST Bridge URL for your location.
| Scope | Destination | Port |
|---|---|---|
| Injected payload calls to the Invicti OOB service to provide evidence of out-of-band vulnerability detection. | https://bxss.me | 443 |
| *API Calls to the Invicti IAST Bridge | https://iast.invicti.com/ | 443 |
API rate limits
If you are using the Invicti Platform API, note that rate limits apply per client IP address and per tenant. See Handle responses: Rate limits for the full thresholds and guidance on handling 429 responses.
Need help?
Invicti Support team is ready to provide you with technical help. Go to Help Center.