Welcome
Dynamic analysis
AppScan on Cloud performs security scans for web-applications for production, staging and development environments. For development environments it is aided by Private Site Scanning technology to scan applications not accessible to the open Internet.
Dynamic scanning (DAST)
ASoC can perform dynamic analysis of an application that runs in a browser or a web API. Use the configuration options available for a web application or web API in ASoC, or upload an AppScan Standard configuration (template file) or a full scan file.
Creating an LLM scan
Configure provider access, capture a representative large language model (LLM) interaction sequence, enable required capabilities, and run an AppScan LLM security scan in a controlled test environment.

Getting started
Welcome to the documentation for HCL AppScan on Cloud, where you can find information about how to install, maintain, and use this service.
Navigation
This section describes navigating AppScan on Cloud, including items on the side main menu and top navigation bars, with links to more detailed information.
Management
Define users, roles, groups, applications, policies, and configure DevOps integrations.
Dynamic analysis
AppScan on Cloud performs security scans for web-applications for production, staging and development environments. For development environments it is aided by Private Site Scanning technology to scan applications not accessible to the open Internet.
- About dynamic analysis (DAST)
  An ASoC dynamic (DAST) scan consists of two stages: Explore and Test. Even though most of the scan process is seamless to the user, and no input is required until the scan is complete, understanding how dynamic scanning works can help you to better understand the role of scanning in your development process.
- Dynamic scanning (DAST)
  ASoC can perform dynamic analysis of an application that runs in a browser or a web API. Use the configuration options available for a web application or web API in ASoC, or upload an AppScan Standard configuration (template file) or a full scan file.
  - Creating a web application scan
    Provide the starting URL and user credentials for the scan, select the type of site, and (if not previously done) verify your permission to scan the site.
  - Creating an LLM scan
    Configure provider access, capture a representative large language model (LLM) interaction sequence, enable required capabilities, and run an AppScan LLM security scan in a controlled test environment.
  - Creating an API scan
    ASoC supports different workflows for scanning a web API. If you have a Postman collection, OpenAPI specification file or recorded traffic of your web API, you can import it and use it as the basis for a scan by using the API scan configuration. Alternatively, you can use the Postman collection files or the OpenAPI specification files with the REST API.
  - Creating scan from template
    You can upload your own AppScan Standard template (SCANT) file or use a saved template associated with your application to run an ASoC scan.
  - Creating scan from scan file
    You can upload your own AppScan Standard scan (SCAN) file to run an ASoC scan.
  - Creating an Incremental scan
  - Resuming a scan
    If a scan fails or only partially completes due to external issues not directly related to the scan itself, you can resume the scan after resolving the external problem, such as a server down failure during the scan.
  - Test automation
    Incorporate dynamic scanning in your functional testing.
  - Client certificates
  - Intelligent Finding Analytics (IFA)
    Intelligent Finding Analytics (IFA) uses artificial intelligence (AI) and machine learning (ML) to analyze data, discover patterns, and make predictions, ultimately transforming data into actionable insights. IFA goes beyond regular data analysis by using advanced methods to find deeper meanings and make smart decisions.
- AppScan Presence
  An AppScan Presence on your server enables you to scan sites not accessible from the Internet, and to incorporate scanning as part of your functional testing.
- Recording traffic
  You can record traffic as Recorded explore data for DAST scans using the AppScan Activity Recorder browser extension (for Chrome or Edge), the HCL AppScan Traffic Recorder proxy server, or AppScan Standard.
- HCL AppScan Traffic Recorder
  The HCL AppScan Traffic Recorder (DAST proxy) enables you to record traffic to use as Explore data. Traffic Recorder instances can be created on demand to record traffic that will later be used for a DAST scan.
- IAST Total
  IAST Total (Interactive Application Security Testing), harnesses IAST capabilities to enhance Dynamic Analysis (DAST) scans, improving scan and remediation times while uncovering a broader spectrum of vulnerabilities.
- AppScan Standard
- Private sites
  An AppScan Presence on your server enables you to scan sites not accessible from the Internet .
Interactive monitoring
Using an agent installed on your application, ASoC identifies security vulnerabilities in your application during runtime by monitoring all interactions, both legitimate and malicious. The process is "passive," in the sense that IAST does not send its own tests, and can therefore run indefinitely.
Software Composition Analysis
Use Software Composition Analysis (SCA) to scan for security vulnerabilities in open source and third-party packages used by your code. SCA includes Intelligent Finding Analytics (IFA) and Intelligent Code Analytics (ICA).
Static analysis
Use static analysis (SAST) to scan for security vulnerabilities in web and desktop applications. Static analysis includes Intelligent Finding Analytics (IFA) and Intelligent Code Analytics (ICA).
Results
The Scans and Sessions page lists the scans under the categories DAST, SAST, SCA, and IAST, where you can view your scan results, including scan statistics. To view, rescan, or download reports, select a scan.The Scans and Sessions page lists scans under the categories where you can view your scan results, including scan statistics. To view, rescan, or download reports, select a scan.
AppScan on Cloud AI assistant
The AI assistant is an integrated intelligence layer that works within the AppScan on Cloud environment. It provides security insights, automates issue triage, and offers remediation guidance.
AppScan Model Context Protocol (MCP) server
The AppScan MCP server integrates HCL AppScan on Cloud directly with AI-powered development environments and agents. By implementing the Model Context Protocol (MCP), this server allows LLMs (such as Claude or models running in VS Code) to securely access your security data—including SAST, DAST, SCA, and IAST results—to help you triage issues, analyze findings, and automate workflows using natural language.
Troubleshooting
If you experience problems with this service, you can perform these troubleshooting tasks to determine the corrective action to take.
FAQ & Reference
Frequently asked questions, information about integrating ASoC into the product lifecycle (SDLC), and ASoC API documentation.

Configure and run an AppScan LLM security scan

Configure provider access, capture a representative large language model (LLM) interaction sequence, enable required capabilities, and run an AppScan LLM security scan in a controlled test environment.

Before you begin

Ensure that you have an Azure OpenAI account.
For LLM testing, ensure that the deployment is configured with a content filter that does not block jailbreak attempts.

Procedure

Set up provider access and keys. See Configure provider access.
Create a DAST web application scan: On the specific Application page, click Create scan, then click Create scan under DAST Dynamic Analysis, and then click Scan a web application.
Enter the Starting URL and domains, and other scan configurations as required.
Under Targets > LLM:
1. Use the Activity Recorder extension (for Chrome and Edge) to locate the LLM service within the application.
2. Start the recording and navigate to the LLM service.
3. Enter and submit the prompt: AppScan
4. Stop the recording and upload the recording file.
5. Select the Use the login settings to access LLM checkbox if you require ASoC to use the login management settings to access LLM.
6. LLM database connectivity (optional): Select the LLM is connected to a database checkbox and provide the table name connected to the database to fully map and test the LLM service’s database attack surface. AppScan uses this information to simulate injection attacks and identify vulnerabilities that could allow unauthorized data access.
If the LLM domain differs from the Starting URL, add it to the "Domains to test" list.
Click Scan to run the AppScan LLM scan. You can view the scan status on the Scans and sessions page.

Results

The AppScan LLM security scan identifies vulnerabilities and provides evidence and remediation guidance. AppScan presents findings with evidence to streamline triage in the Issue details pane.

Issue information page showing identified LLM security vulnerabilities in AppScan

LLM test interaction displays the conversation that led AppScan to raise a vulnerability. For other issues, this is the Test Requests and Responses section.
To filter LLM vulnerabilities, type the prefix “llm” in the search issues bar.

What to do next

Generate the OWASP Top 10 for LLM Applications 2025 report.