Welcome
Results
The Scans and Sessions page lists the scans under the categories DAST, SAST, SCA, and IAST, where you can view your scan results, including scan statistics. To view, rescan, or download reports, select a scan.The Scans and Sessions page lists scans under the categories where you can view your scan results, including scan statistics. To view, rescan, or download reports, select a scan.
Rescanning
After you fix identified vulnerabilities, you can rescan the same application multiple times to verify your fixes and overwrite previous results. For DAST scans, you can choose from three scan modes: Full scan for complete coverage, Retest only to confirm fixes, or Incremental scan for changed areas only. For SAST and SCA scans, you can upload an updated archive file.
DAST retest only scan
A DAST retest-only scan checks only the areas where vulnerabilities were previously detected. Use this mode to quickly confirm that your fixes resolved the identified issues.

Getting started
Welcome to the documentation for HCL AppScan on Cloud, where you can find information about how to install, maintain, and use this service.
Navigation
This section describes navigating AppScan on Cloud, including items on the side main menu and top navigation bars, with links to more detailed information.
Management
Define users, roles, groups, applications, policies, and configure DevOps integrations.
Dynamic analysis
AppScan on Cloud performs security scans for web-applications for production, staging and development environments. For development environments it is aided by Private Site Scanning technology to scan applications not accessible to the open Internet.
Interactive monitoring
Using an agent installed on your application, ASoC identifies security vulnerabilities in your application during runtime by monitoring all interactions, both legitimate and malicious. The process is "passive," in the sense that IAST does not send its own tests, and can therefore run indefinitely.
Software Composition Analysis
Use Software Composition Analysis (SCA) to scan for security vulnerabilities in open source and third-party packages used by your code. SCA includes Intelligent Finding Analytics (IFA) and Intelligent Code Analytics (ICA).
Static analysis
Use static analysis (SAST) to scan for security vulnerabilities in web and desktop applications. Static analysis includes Intelligent Finding Analytics (IFA) and Intelligent Code Analytics (ICA).
Results
The Scans and Sessions page lists the scans under the categories DAST, SAST, SCA, and IAST, where you can view your scan results, including scan statistics. To view, rescan, or download reports, select a scan.The Scans and Sessions page lists scans under the categories where you can view your scan results, including scan statistics. To view, rescan, or download reports, select a scan.
- Sample Security Reports
- Application reports
- Scan data
- Issues
  The Issues page for an application, by default displays non-compliant issues only. You can apply a variety of filters to see the issues you need, and click on any issue to open the detailed issue information pane.
- Correlation
  AppScan analyzes issues found by IAST, DAST and SAST to identify common weak links in the code (correlations) where multiple vulnerabilities can be resolved with a single or consolidated remediation effort.
- Fix groups
  Fix groups currently apply only to issues found in static analysis scans.
- Reports
  Generate reports for issues discovered in an application. Send reports to send to developers, internal auditors, penetration testers, managers, and the CISO. Security information might be extensive, and can be filtered depending on your requirements.
- Remediation
  After risks are determined and vulnerabilities are prioritized, your security team can start the remediation process.
- HCL AppScan RapidFix integration
  HCL AppScan RapidFix is an AI-driven solution that automates the triage and remediation process for application security vulnerabilities. HCL AppScan RapidFix applies to SAST results.
- Rescanning
  After you fix identified vulnerabilities, you can rescan the same application multiple times to verify your fixes and overwrite previous results. For DAST scans, you can choose from three scan modes: Full scan for complete coverage, Retest only to confirm fixes, or Incremental scan for changed areas only. For SAST and SCA scans, you can upload an updated archive file.
  - DAST retest only scan
    A DAST retest-only scan checks only the areas where vulnerabilities were previously detected. Use this mode to quickly confirm that your fixes resolved the identified issues.
  - DAST Edit configuration
    You can fix issues and rescan an application, overwriting previous results. Before rescanning, you can edit the scan configuration.
- IAST scan results
  An interactive (IAST) scan entry shows results since the last time the scan was started.
AppScan on Cloud AI assistant
The AI assistant is an integrated intelligence layer that works within the AppScan on Cloud environment. It provides security insights, automates issue triage, and offers remediation guidance.
AppScan Model Context Protocol (MCP) server
The AppScan MCP server integrates HCL AppScan on Cloud directly with AI-powered development environments and agents. By implementing the Model Context Protocol (MCP), this server allows LLMs (such as Claude or models running in VS Code) to securely access your security data—including SAST, DAST, SCA, and IAST results—to help you triage issues, analyze findings, and automate workflows using natural language.
Troubleshooting
If you experience problems with this service, you can perform these troubleshooting tasks to determine the corrective action to take.
FAQ & Reference
Frequently asked questions, information about integrating ASoC into the product lifecycle (SDLC), and ASoC API documentation.

DAST retest only scan

A DAST retest-only scan checks only the areas where vulnerabilities were previously detected. Use this mode to quickly confirm that your fixes resolved the identified issues.

About this task

Note:

The following restrictions apply:

Only scans that ran within the last 60 days are available for selection. The scan can be paused, failed, completed, or partially completed, and but the testing stage must have been initiated.
You cannot run a retest only scan if there are issues such as incorrect login credentials, or if the scan configuration has changed.

Procedure

You can run a retest only scan for a DAST scan using any of the following methods:
1. Scans and sessions > DAST Scans. From the vertical three-dot menu for a scan, click Rescan, select Retest only, and then click Rescan.
2. Applications > Application name > Scans and sessions > DAST Scans. From the vertical three-dot menu for a scan, click Rescan, select Retest only, and then click Rescan.
3. In the single scan view, from the Manage scan drop-down, click Rescan, select Retest only, and then click Rescan.
The scan runs only the testing stage.

What to do next

You can view the scan status on the Scans and sessions page.