Welcome
Dynamic analysis
AppScan on Cloud performs security scans for web-applications for production, staging and development environments. For development environments it is aided by Private Site Scanning technology to scan applications not accessible to the open Internet.
Dynamic scanning (DAST)
ASoC can perform dynamic analysis of an application that runs in a browser or a web API. Use the configuration options available for a web application or web API in ASoC, or upload an AppScan Standard configuration (template file) or a full scan file.
Intelligent Finding Analytics (IFA)
Intelligent Finding Analytics (IFA) uses artificial intelligence (AI) and machine learning (ML) to analyze data, discover patterns, and make predictions, ultimately transforming data into actionable insights. IFA goes beyond regular data analysis by using advanced methods to find deeper meanings and make smart decisions.
AI error page detection and LLM validation
Intelligent Finding Analytics (IFA) in Dynamic Application Security Testing (DAST) augments error page detection by reducing false positives and enhancing test results. HCL AppScan DAST uses heuristic and comprehensive methods to identify error pages, with Gen AI now selectively employed to confirm errors and handle edge cases, thus increasing accuracy and minimizing scan times. Configuring Azure OpenAI is also required to validate LLM testing.

Getting started
Welcome to the documentation for HCL AppScan on Cloud, where you can find information about how to install, maintain, and use this service.
Navigation
This section describes navigating AppScan on Cloud, including items on the side main menu and top navigation bars, with links to more detailed information.
Management
Define users, roles, groups, applications, policies, and configure DevOps integrations.
Dynamic analysis
AppScan on Cloud performs security scans for web-applications for production, staging and development environments. For development environments it is aided by Private Site Scanning technology to scan applications not accessible to the open Internet.
- About dynamic analysis (DAST)
  An ASoC dynamic (DAST) scan consists of two stages: Explore and Test. Even though most of the scan process is seamless to the user, and no input is required until the scan is complete, understanding how dynamic scanning works can help you to better understand the role of scanning in your development process.
- Dynamic scanning (DAST)
  ASoC can perform dynamic analysis of an application that runs in a browser or a web API. Use the configuration options available for a web application or web API in ASoC, or upload an AppScan Standard configuration (template file) or a full scan file.
  - Creating a web application scan
    Provide the starting URL and user credentials for the scan, select the type of site, and (if not previously done) verify your permission to scan the site.
  - Creating an LLM scan
    Configure provider access, capture a representative LLM sequence, enable required capabilities, and run a scan in a controlled test environment.
  - Creating an API scan
    ASoC supports different workflows for scanning a web API. If you have a Postman collection, OpenAPI specification file or recorded traffic of your web API, you can import it and use it as the basis for a scan by using the API scan configuration. Alternatively, you can use the Postman collection files or the OpenAPI specification files with the REST API.
  - Creating scan from template
    You can upload your own AppScan Standard template (SCANT) file or use a saved template associated with your application to run an ASoC scan.
  - Creating scan from scan file
    You can upload your own AppScan Standard scan (SCAN) file to run an ASoC scan.
  - Creating an Incremental scan
  - Resuming a scan
    If a scan fails or only partially completes due to external issues not directly related to the scan itself, you can resume the scan after resolving the external problem, such as a server down failure during the scan.
  - Test automation
    Incorporate dynamic scanning in your functional testing.
  - Client certificates
  - Intelligent Finding Analytics (IFA)
    Intelligent Finding Analytics (IFA) uses artificial intelligence (AI) and machine learning (ML) to analyze data, discover patterns, and make predictions, ultimately transforming data into actionable insights. IFA goes beyond regular data analysis by using advanced methods to find deeper meanings and make smart decisions.
    - AppScan DAST for LLM-augmented applications
      Dynamically test large language model (LLM) features within your applications for sensitive information disclosure, prompt injection, data exfiltration, tool abuse, content policy violations, and more before attackers exploit them. Configure AppScan to target chat endpoints, retrieval-augmented generation (RAG) pipelines, and other LLM components, and then review reproducible findings with full transcripts and remediation guidance.
    - AI error page detection and LLM validation
      Intelligent Finding Analytics (IFA) in Dynamic Application Security Testing (DAST) augments error page detection by reducing false positives and enhancing test results. HCL AppScan DAST uses heuristic and comprehensive methods to identify error pages, with Gen AI now selectively employed to confirm errors and handle edge cases, thus increasing accuracy and minimizing scan times. Configuring Azure OpenAI is also required to validate LLM testing.
    - Test optimization
      Test optimization uses intelligent finding analytics (IFA) to achieve faster scans with minimal loss of issue coverage. When speed is a consideration, choose between four optimization levels.
- AppScan Presence
  An AppScan Presence on your server enables you to scan sites not accessible from the Internet, and to incorporate scanning as part of your functional testing.
- Recording traffic
  You can record traffic as Recorded explore data for DAST scans using the AppScan Activity Recorder browser extension (for Chrome or Edge), the HCL AppScan Traffic Recorder proxy server, or AppScan Standard.
- HCL AppScan Traffic Recorder
  The HCL AppScan Traffic Recorder (DAST proxy) enables you to record traffic to use as Explore data. Traffic Recorder instances can be created on demand to record traffic that will later be used for a DAST scan.
- IAST Total
  IAST Total (Interactive Application Security Testing), harnesses IAST capabilities to enhance Dynamic Analysis (DAST) scans, improving scan and remediation times while uncovering a broader spectrum of vulnerabilities.
- AppScan Standard
- Private sites
  An AppScan Presence on your server enables you to scan sites not accessible from the Internet .
Interactive monitoring
Using an agent installed on your application, ASoC identifies security vulnerabilities in your application during runtime by monitoring all interactions, both legitimate and malicious. The process is "passive," in the sense that IAST does not send its own tests, and can therefore run indefinitely.
Software Composition Analysis
Use Software Composition Analysis (SCA) to scan for security vulnerabilities in open source and third-party packages used by your code. SCA includes Intelligent Finding Analytics (IFA) and Intelligent Code Analytics (ICA).
Static analysis
Use static analysis (SAST) to scan for security vulnerabilities in web and desktop applications. Static analysis includes Intelligent Finding Analytics (IFA) and Intelligent Code Analytics (ICA).
Results
The Scans and Sessions page lists the scans under the categories DAST, SAST, SCA, and IAST, where you can view your scan results, including scan statistics. To view, rescan, or download reports, select a scan.The Scans and Sessions page lists scans under the categories where you can view your scan results, including scan statistics. To view, rescan, or download reports, select a scan.
AppScan on Cloud AI assistant
The AI assistant is an integrated intelligence layer that works within the AppScan on Cloud environment. It provides security insights, automates issue triage, and offers remediation guidance.
AppScan Model Context Protocol (MCP) server
The AppScan MCP server integrates HCL AppScan on Cloud directly with AI-powered development environments and agents. By implementing the Model Context Protocol (MCP), this server allows LLMs (such as Claude or models running in VS Code) to securely access your security data—including SAST, DAST, SCA, and IAST results—to help you triage issues, analyze findings, and automate workflows using natural language.
Troubleshooting
If you experience problems with this service, you can perform these troubleshooting tasks to determine the corrective action to take.
FAQ & Reference
Frequently asked questions, information about integrating ASoC into the product lifecycle (SDLC), and ASoC API documentation.

AI for smarter error page detection and LLM testing validation

Intelligent Finding Analytics (IFA) in Dynamic Application Security Testing (DAST) augments error page detection by reducing false positives and enhancing test results. HCL AppScan DAST uses heuristic and comprehensive methods to identify error pages, with Gen AI now selectively employed to confirm errors and handle edge cases, thus increasing accuracy and minimizing scan times. Configuring Azure OpenAI is also required to validate LLM testing.

About this task

Set up Azure OpenAI to detect error pages and validate LLM tests.

Procedure

Navigate to Administration > Settings > AI powered features.
Under the Scanning features section, click Bring your own LLM to enable Azure OpenAI configuration.
Note:
- AppScan supports deployments that support Chat Completions API. The GPT 5 mini model was used for testing.
- Azure OpenAI services incur costs based on token usage (input and output). Follow best practices and regularly monitor usage to ensure cost efficiency.

Enter the Endpoint in the following format: https://{azure_openai_endpoint}

Table 1. Endpoint elements
Element	Description	Example
`{azure_openai_endpoint}`	Replace with the value from the Endpoint field under the Keys & Endpoint section from the Azure portal.	`https://aoairesource.openai.azure.com` where `aoairesource` is specific to your Azure OpenAI resource.

Enter the API Key. This value can be found in the Keys & Endpoint section when examining your resource from the Azure portal. You can use either KEY1 or KEY2.
Enter the Deployment ID. This is the custom name you assigned to the model deployment when you created it. You can find this value in Azure OpenAI Studio in the Azure portal.
Click Save to apply the configuration for your organization.
The Azure OpenAI endpoint, API key and deployment ID have been configured.

If the Azure OpenAI endpoint, API key, or Deployment ID is not configured correctly, the scan fails. Verify that these values are correct, update them if needed, and then run the scan again.

What to do next

Start your scan in AppScan on Cloud as usual.