Welcome
Dynamic analysis
HCL AppScan 360° performs security scans for web-applications for production, staging and development environments.
HCL AppScan Traffic Recorder
The HCL AppScan Traffic Recorder (DAST proxy) enables you to record traffic to use as Explore data. Traffic Recorder instances can be created on demand to record traffic that will later be used for a DAST scan.

Getting started
Welcome to the documentation for HCL AppScan 360°, where you can find information about how to install, maintain, and use this service.
Installation
Learn about AppScan 360° architecture and how to install the product.
Navigation
This section describes the items on the main AppScan 360° menu bar, with links to more detailed information.
Administration
Define users, applications, policies, and configure DevOps integrations.
Dynamic analysis
HCL AppScan 360° performs security scans for web-applications for production, staging and development environments.
- About dynamic analysis (DAST)
  An AppScan 360° dynamic (DAST) scan consists of two stages: Explore and Test. Even though most of the scan process is seamless to the user, and no input is required until the scan is complete, understanding how dynamic scanning works can help you to better understand the role of scanning in your development process.
- Dynamic scanning (DAST)
  AppScan 360° can perform dynamic analysis of an application that runs in a browser or a web API. Use the configuration options available for a web application or web API in AppScan 360°, or upload an AppScan Standard configuration (template file) or a full scan file.
- Recording traffic
  You can record traffic as Recorded explore data for DAST scans using the AppScan Activity Recorder browser extension (for Chrome or Edge), the HCL AppScan Traffic Recorder proxy server, or AppScan Standard.
- HCL AppScan Traffic Recorder
  The HCL AppScan Traffic Recorder (DAST proxy) enables you to record traffic to use as Explore data. Traffic Recorder instances can be created on demand to record traffic that will later be used for a DAST scan.
  - System requirements
  - Installing the HCL AppScan Traffic Recorder
  - Configuring the Traffic Recorder
    Changes you can make in the configuration file Settings.json for use with HCL AppScan Traffic Recorder
  - Starting and stopping the Traffic Recorder
    You can either start the traffic recorder, or run it as a service. You cannot do both in parallel.
  - Using the HCL AppScan Traffic Recorder
    Once the HCL AppScan Traffic Recorder has started, you can start new instances to record your application's traffic.
  - API commands
- IAST Total
  IAST Total (Interactive Application Security Testing), harnesses IAST capabilities to enhance Dynamic Analysis (DAST) scans, improving scan and remediation times while uncovering a broader spectrum of vulnerabilities.
- AppScan Standard
- Troubleshooting Dynamic Analysis
Interactive monitoring
Using an agent installed on your application, AppScan 360° identifies security vulnerabilities in your application during runtime by monitoring all interactions, both legitimate and malicious. The process is "passive," in the sense that IAST does not send its own tests, and can therefore run indefinitely.
Software Composition Analysis
Use Software Composition Analysis (SCA) to scan for security vulnerabilities in open source and third-party packages used by your code. SCA includes Intelligent Finding Analytics (IFA) and Intelligent Code Analytics (ICA).
Static analysis
Use static analysis (SAST) to scan for security vulnerabilities in web and desktop applications. Static analysis includes Intelligent Finding Analytics (IFA) and Intelligent Code Analytics (ICA).
Results
The Scans and Sessions page lists the scans under the categories DAST, SAST, SCA, and IAST, where you can view your scan results, including scan statistics. To view, rescan, or download reports, select a scan.The Scans and Sessions page lists scans under the categories where you can view your scan results, including scan statistics. To view, rescan, or download reports, select a scan.
Reference
Some frequently asked questions, and information about integrating AppScan 360° into the product lifecycle (SDLC).

HCL AppScan Traffic Recorder

The HCL AppScan Traffic Recorder (DAST proxy) enables you to record traffic to use as Explore data. Traffic Recorder instances can be created on demand to record traffic that will later be used for a DAST scan.

In the world of DevOps it's increasingly important to be able to incorporate security scans in your CI/CD processes. If you use an automation framework (such as Selenium), you can take advantage of the scripts that are already written to create tailor-made scans.

Using the HCL AppScan Traffic Recorder, you can automatically start a traffic recorder instance. The requests from the automation framework to the web application are recorded as they are sent through the recorder. The traffic is saved in HAR format in a file with the DAST.CONFIG suffix, that you can later upload to be used by AppScan as Explore data for a scan.
You can record traffic manually, through the traffic recorder, to create a DAST.CONFIG file.
To upload your own HAR file to AppScan 360° without using the traffic recorder, first compress it into a ZIP file, and then change the filename extension to dast.config.

Note: US Federal AppScan 360° customers: The HCL AppScan Traffic Recorder link redirects to AppScan on Cloud, where the download begins automatically. Downloading Traffic Recorder using this method is not CFIUS compliant. Contact HCL Federal Support (+1-855-855-5016) for additional information.