Welcome
Dynamic analysis
HCL AppScan 360° performs security scans for web-applications for production, staging and development environments.
Private site scanning with AppScan Presence
An AppScan Presence on your isolated network segment enables you to scan sites not directly accessible by the AppScan 360° due to internal firewalls, VLAN isolation, or restrictive organizational network policies., and to incorporate scanning as part of your internal functional testing workflows.

Getting started
Welcome to the documentation for HCL AppScan 360°, where you can find information about how to install, maintain, and use this service.
Installation
Learn about AppScan 360° architecture and how to install the product.
Navigation
This section describes the items on the main AppScan 360° menu bar, with links to more detailed information.
Administration
Define users, applications, policies, and configure DevOps integrations.
Dynamic analysis
HCL AppScan 360° performs security scans for web-applications for production, staging and development environments.
- About dynamic analysis (DAST)
  An AppScan 360° dynamic (DAST) scan consists of two stages: Explore and Test. Even though most of the scan process is seamless to the user, and no input is required until the scan is complete, understanding how dynamic scanning works can help you to better understand the role of scanning in your development process.
- Dynamic scanning (DAST)
  AppScan 360° can perform dynamic analysis of an application that runs in a browser or a web API. Use the configuration options available for a web application or web API in AppScan 360°, or upload an AppScan Standard configuration (template file) or a full scan file.
- Private site scanning with AppScan Presence
  An AppScan Presence on your isolated network segment enables you to scan sites not directly accessible by the AppScan 360° due to internal firewalls, VLAN isolation, or restrictive organizational network policies., and to incorporate scanning as part of your internal functional testing workflows.
  - System requirements
  - Configure AppScan 360° to support Presence for DAST Scanning
    This document provides a step-by-step guide for users on how to set up AppScan 360° to support DAST scanning of Web Applications deployed on isolated networks.
  - Creating the Presence
    For private web applications, or for including a scan as part of your functional testing procedure, you must create an AppScan Presence, with access to the web application or back-end server, and to the AppScan 360° environment. Proxy connections are supported.
  - Starting the Presence
  - Configuring Private Site Server proxy
    If your private network requires the Private Site Server to use a proxy to connect with the web application or back-end server (internal proxy), or with the AppScan 360° server (outgoing proxy), configure it as follows.
  - Configuring a PAC file
    If a proxy auto-config (PAC) file is required in order to reach the various domains in your site, configure the AppScan Presence as follows.
  - Renewing the Presence key
    When you originally download the Presence, it includes a key to activate it. When that key expires, you must replace it with a valid key.
  - Log files
  - AppScan Presence troubleshooting
    Troubleshooting tasks for errors found when working with the AppScan Presence in an AppScan 360° environment..
- Recording traffic
  You can record traffic as Recorded explore data for DAST scans using the AppScan Activity Recorder browser extension (for Chrome or Edge), the HCL AppScan Traffic Recorder proxy server, or AppScan Standard.
- HCL AppScan Traffic Recorder
  The HCL AppScan Traffic Recorder (DAST proxy) enables you to record traffic to use as Explore data. Traffic Recorder instances can be created on demand to record traffic that will later be used for a DAST scan.
- IAST Total
  IAST Total (Interactive Application Security Testing), harnesses IAST capabilities to enhance Dynamic Analysis (DAST) scans, improving scan and remediation times while uncovering a broader spectrum of vulnerabilities.
- AppScan Standard
- Private sites
  An AppScan Presence on your isolated network segment enables you to scan sites not accessible from the AppScan 360° server.
- Troubleshooting Dynamic Analysis
Interactive monitoring
Using an agent installed on your application, AppScan 360° identifies security vulnerabilities in your application during runtime by monitoring all interactions, both legitimate and malicious. The process is "passive," in the sense that IAST does not send its own tests, and can therefore run indefinitely.
Software Composition Analysis
Use Software Composition Analysis (SCA) to scan for security vulnerabilities in open source and third-party packages used by your code. SCA includes Intelligent Finding Analytics (IFA) and Intelligent Code Analytics (ICA).
Static analysis
Use static analysis (SAST) to scan for security vulnerabilities in web and desktop applications. Static analysis includes Intelligent Finding Analytics (IFA) and Intelligent Code Analytics (ICA).
Results
The Scans and Sessions page lists the scans under the categories DAST, SAST, SCA, and IAST, where you can view your scan results, including scan statistics. To view, rescan, or download reports, select a scan.The Scans and Sessions page lists scans under the categories where you can view your scan results, including scan statistics. To view, rescan, or download reports, select a scan.
AppScan Model Context Protocol (MCP) server
The AppScan MCP server integrates HCL AppScan 360° directly with AI-powered development environments and agents. By implementing the Model Context Protocol (MCP), this server allows LLMs (such as Claude or models running in VS Code) to securely access your security data—including SAST, DAST, SCA, and IAST results—to help you triage issues, analyze findings, and automate workflows using natural language.
Reference
Some frequently asked questions, and information about integrating AppScan 360° into the product lifecycle (SDLC).

Private site scanning with AppScan Presence

An AppScan Presence on your isolated network segment enables you to scan sites not directly accessible by the AppScan 360° due to internal firewalls, VLAN isolation, or restrictive organizational network policies., and to incorporate scanning as part of your internal functional testing workflows.

For web applications that are restricted by internal network security, you must create an AppScan Presence on a machine that has line-of-sight to both the target web application (or back-end server) and the AppScan 360° console. Once the Presence is established, follow the standard instructions for dynamic scanning within the AppScan 360°interface. Proxy connections are supported for both internal and outbound traffic.