Welcome
Interactive monitoring
Using an agent installed on your application, ASoC identifies security vulnerabilities in your application during runtime by monitoring all interactions, both legitimate and malicious. The process is "passive," in the sense that IAST does not send its own tests, and can therefore run indefinitely.
Deploying IAST
Deploy the IAST agent on the application server so it can monitor communication with the application and report to ASoC.
Deploy using the Key only option
Use this option to create an IAST session without downloading an agent. When selected, only a token is generated. This is useful when working with the IAST .NET Core Site Extension for Azure App Services, or when creating an IAST session for an already downloaded agent. This option applies to all IAST agents, across languages.

Getting started
Welcome to the documentation for HCL AppScan on Cloud, where you can find information about how to install, maintain, and use this service.
Navigation
This section describes the items on the main AppScan on Cloud menu bar, with links to more detailed information.
Administration
Define users, applications, policies, and configure DevOps integrations.
Dynamic analysis
AppScan on Cloud performs security scans for web-applications for production, staging and development environments. For development environments it is aided by Private Site Scanning technology to scan applications not accessible to the open Internet.
Interactive monitoring
Using an agent installed on your application, ASoC identifies security vulnerabilities in your application during runtime by monitoring all interactions, both legitimate and malicious. The process is "passive," in the sense that IAST does not send its own tests, and can therefore run indefinitely.
- About interactive monitoring (IAST)
  ASoC can monitor normal application runtime behavior to detect vulnerabilities.
- Starting an IAST session
  Install the IAST agent on your application server, and configure the scan.
- Deploying IAST
  Deploy the IAST agent on the application server so it can monitor communication with the application and report to ASoC.
  - Deploying a Java IAST agent
    You can deploy an IAST agent on the application server that supports Java, .NET, Node.js or PHP based applications. This section explains how to create a Java agent type on your web server.
  - Deploying a .NET IAST agent
    You can deploy an IAST agent on the application server that supports Java, .NET, Node.js or PHP based applications. This section explains how to create a .NET agent type on your web server.
  - Deploying a Node.js IAST agent
    You can deploy an IAST agent on the application server that supports Java, .NET, Node.js or PHP based applications. This section explains how to create a Node.js agent on your web server.
  - Deploying a PHP IAST agent
    You can deploy an IAST agent on the application server that supports Java, .NET, Node.js or PHP based applications. This section explains how to create a PHP agent type on your web server.
  - Deploy on Kubernetes
    AppScan supports automatic installation of the IAST agent on a Kubernetes cluster. Using a MutatingAdmissionWebhook, the IAST agent is automatically installed in any starting pod. You can install or remove the agent using Helm or Webhook scripts.
  - Deploy on Azure App Service
    Use the IAST agent to monitor applications that run on Azure App Service.
  - Deploy using the Key only option
    Use this option to create an IAST session without downloading an agent. When selected, only a token is generated. This is useful when working with the IAST .NET Core Site Extension for Azure App Services, or when creating an IAST session for an already downloaded agent. This option applies to all IAST agents, across languages.
- OWASP Benchmark with IAST agent
- IAST using the REST API
  Configure and start an IAST scan, including agent deployment, through the REST API.
- IAST configuration file
  Configure a JSON file to override the default IAST settings, and report only the vulnerabilities you want to know about.
- User settings
  Some low-level IAST behavior can be controlled with user parameters.
- IAST scan results
  An interactive (IAST) scan entry shows results since the last time the scan was started.
- IAST troubleshooting
Software Composition Analysis
Use Software Composition Analysis (SCA) to scan for security vulnerabilities in open source and third-party packages used by your code. SCA includes Intelligent Finding Analytics (IFA) and Intelligent Code Analytics (ICA).
Static analysis
Use static analysis (SAST) to scan for security vulnerabilities in web and desktop applications. Static analysis includes Intelligent Finding Analytics (IFA) and Intelligent Code Analytics (ICA).
Results
The Scans and Sessions page lists the scans under the categories DAST, SAST, SCA, and IAST, where you can view your scan results, including scan statistics. To view, rescan, or download reports, select a scan.The Scans and Sessions page lists scans under the categories where you can view your scan results, including scan statistics. To view, rescan, or download reports, select a scan.
AppScan Model Context Protocol (MCP) server
The AppScan MCP server integrates HCL AppScan on Cloud directly with AI-powered development environments and agents. By implementing the Model Context Protocol (MCP), this server allows LLMs (such as Claude or models running in VS Code) to securely access your security data—including SAST, DAST, SCA, and IAST results—to help you triage issues, analyze findings, and automate workflows using natural language.
Troubleshooting
If you experience problems with this service, you can perform these troubleshooting tasks to determine the corrective action to take.
FAQ & Reference
Frequently asked questions, information about integrating ASoC into the product lifecycle (SDLC), and ASoC API documentation.

Deploy using the Key only option

Use this option to create an IAST session without downloading an agent. When selected, only a token is generated. This is useful when working with the IAST .NET Core Site Extension for Azure App Services, or when creating an IAST session for an already downloaded agent. This option applies to all IAST agents, across languages.

Procedure

If you have not yet done so, create an application for your scans.
In the Application view, click Create scan to open the wizard, then select Interactive (IAST).
Select Key only from the drop-down menu.
Click Generate key. This generates a unique key that connects your application with the IAST session in ASoC. Save this key for later.
To collect IAST findings, set the following environment variables on the web server where IAST runs:
```
IAST_ACCESS_TOKEN: [key]
IAST_HOST: as shown in the instructions (e.g. https://cloud.appscan.com/IAST)
```
Note: Setting these environment variables overrides any key and host information embedded in the agent. This allows the "Key only" session to be used with any agent you have already downloaded.