System requirements and version support

Explore the detailed system requirements and supported operating systems and languages for the AppScan on Cloud analyzers. Additionally, discover the compatible browsers and minimum screen resolution necessary for optimal service performance.

ASoC service host requirement

All ASoC customers with a subscription for any technology (DAST, SAST, IAST, and/or SCA) need access to the domain:
  • cloud.appscan.com

ASoC DAST technology requirements

ACTION REQUIRED: Before March 1, 2026.
  • Change: HCL AppScan on Cloud (ASoC) is consolidating Dynamic Analysis Security Testing (DAST) scanner IPs so that both Public Site Scanning and Private Site Scanning (PSS) use a single IP set per data center region.
  • Action required: Update your firewall allowlist to the new IPs before March 1, 2026 to avoid scan interruptions.
    • New IP addresses (use for both Public and PSS):
      • North America data center (US): 172.175.168.216
      • Western Europe data center (EU): 131.189.248.122

  • Impact: Replaces the previous multiple/region-specific IPs; ensures continued DAST connectivity and scalability.

For DAST scanning, ASoC uses specific IP ranges. To ensure uninterrupted scans, adhere to these guidelines:

  • For DAST public site scanning (sites accessible via the internet), allow incoming connections on these IPs:
    • North America data center (US): 4.152.146.92, 4.152.146.110, 20.57.85.61, 48.214.37.157
    • Western Europe data center (EU): 4.182.90.213
      Attention: Effective March 1, 2026, these IP addresses will be deprecated and no longer available.

      For more information about data centers, see Data center selection.

  • For private site scanning (sites not publicly accessible), make sure you accept outgoing connections (connections use TLS with certificate pinning):
    • Port: 443
      • US: 4.152.146.92
      • EU: 4.182.90.213
      Attention: Effective March 1, 2026, these IP addresses will be deprecated and no longer available.
    • Tunnel connections are secured using TLS with certificate pinning. This ensures the client only accepts a specific certificate, and any attempt to inspect or intercept traffic (such as through an organizational proxy performing a man-in-the-middle (MITM) inspection) will result in connection failure.
    • Ensure your network allows direct TLS connections without interception. For more information on private site scanning, refer to Private sites
  • The ASoC blob storage host relevant to the ASoC region must be allowed:
    • North America data center (US): asoceapusstorage.blob.core.windows.net
    • Western Europe data center (EU): asoceapdestorage.blob.core.windows.net

      This storage is used to display the live DAST scan log during a DAST scan execution.

  • Azure manages the IP addresses for these domains and might change them over time. Therefore, you must add the domains themselves to your allowlist. If direct domain addition is not possible, you can manually add the IP addresses. To do this, download the file from Azure IP Ranges and Service Tags – Public Cloud and include only the IP ranges listed under the AzureFrontDoor.Frontend section.
  • For DAST Command Execution and Remote File Inclusion testing, allow the host:
    • securityip.appsechcl.com

    This host is used to perform ADNS testing by sending DNS lookup queries to find security issues such as Log4j.

ASoC analyzers

Requirements and limitations:

Supported Browsers

ASoC is compatible with the latest versions of the following browsers:
  • Chrome
  • Edge
  • Firefox
  • Safari (Mac only)

Screen resolution

The recommended screen resolution for ASoC is 1920 x 1080.

Request rate limit

You can make up to 500 requests per minute (sliding window). The limit is counted separately per authenticated user and per unique IP address for unauthenticated requests. If you exceed this limit, AppScan will return a 429 status code with the response message "Too many requests."

Login requirements

  • If login to your site or app requires credentials beyond a username and password, you can provide these when setting up the scan. However, note that intervention by our Support team will be necessary to run the scan, which may increase scan time.
  • CAPTCHA is not supported. You must disable any CAPTCHA mechanism to enable scanning.

AppScan Presence