Welcome
Intelligent Finding Analytics (IFA)
Intelligent Finding Analytics (IFA) uses artificial intelligence (AI) and machine learning (ML) to analyze data, discover patterns, and make predictions, ultimately transforming data into actionable insights. IFA goes beyond regular data analysis by using advanced methods to find deeper meanings and make smart decisions.
DAST for LLM-augmented applications
Dynamically test large language model (LLM) features in your application for sensitive information disclosure, prompt injection, data exfiltration, tool abuse, content policy violations, and more before attackers exploit them. Configure AppScan to target chat endpoints, retrieval-augmented generation (RAG) pipelines, and other LLM components, and then review reproducible findings with full transcripts and remediation guidance.
Configure and run an LLM scan
Configure provider access, capture a representative LLM sequence, enable required capabilities, and run a scan in a controlled test environment.

Welcome
Welcome to the documentation for HCL AppScan Standard version 10.10.0
Getting started
This section provides a short tour of basic product features and procedures, including using the wizard to set up a scan.
Configuration
You configure a scan by choosing settings that best describe your application, and the kind of testing you want.
Intelligent Finding Analytics (IFA)
Intelligent Finding Analytics (IFA) uses artificial intelligence (AI) and machine learning (ML) to analyze data, discover patterns, and make predictions, ultimately transforming data into actionable insights. IFA goes beyond regular data analysis by using advanced methods to find deeper meanings and make smart decisions.
- DAST for LLM-augmented applications
  Dynamically test large language model (LLM) features in your application for sensitive information disclosure, prompt injection, data exfiltration, tool abuse, content policy violations, and more before attackers exploit them. Configure AppScan to target chat endpoints, retrieval-augmented generation (RAG) pipelines, and other LLM components, and then review reproducible findings with full transcripts and remediation guidance.
  - Configure and run an LLM scan
    Configure provider access, capture a representative LLM sequence, enable required capabilities, and run a scan in a controlled test environment.
- AI for smarter error page detection
  Intelligent Finding Analytics (IFA) in Dynamic Application Security Testing (DAST) augments error page detection by reducing false positives and enhancing test results. HCL AppScan DAST uses heuristic and comprehensive methods to identify error pages, with Gen AI now selectively employed to confirm errors and handle edge cases, thus increasing accuracy and minimizing scan times.
Manual exploring
Manual exploring enables you to explore specific parts of your application, filling in fields and forms as you go. This can be a way of ensuring that particular areas of the site are covered, and that AppScan has the information needed to complete forms correctly.
Scanning
Learn how to start a scan, and what happens during the scan; how to manually manipulate the Explore stage, and how to export the results of a scan.
Data
Data view is populated with information about the structure of the site during the Explore stage of the scan.
Issues
Issues view provides access to the results of a scan. You can view results at a high level or select specific tests or objects and access more details. These details include how to fix, requests/responses, and differences between the test variants that resulted in issues. You can manipulate the severity of issues, resend tests (with or without modifications), and create reports based on Issues.
Reports
Tools
This section explains how to use additional tools provided with HCL AppScan Standard.
Integrations
This section describes integrations of other applications with AppScan Standard:
Best practices
This section contains some best practices and use cases for advanced users.
FAQ & Troubleshooting
CLI
This section describes the syntax and options available using the Command line interface.
References
Menus and toolbar summaries, and glossary

Configure and run an LLM scan

Configure provider access, capture a representative LLM sequence, enable required capabilities, and run a scan in a controlled test environment.

Before you begin

Ensure you have an Azure OpenAI account.

Procedure

Set up provider access and keys. See Configure provider access.
Enable LLM configuration and record a representative LLM sequence. See Configuring LLM to validate LLM tests.
If the LLM domain differs from the starting URL, add it to the "Domains to be tested" list.
Optional: If your workflow requires authentication, enable login before sequence playback.
Start the scan and monitor progress. Pause or stop if unexpected impacts occur in the test environment.
Review findings, evidence, and remediation guidance. Reproduce issues using captured transcripts and prompts.
Assess LLM risks and be compliance ready with out-of-the-box reports.

Results

The scan identifies vulnerabilities and provides evidence and guidance for remediation. AppScan presents findings with evidence to streamline triage under Issue details pane. Issue details page showing the Issue information of an LLM vulnerability

Issue details page showing the Issue information of an LLM vulnerability

Issue information:
- Risk classification and severity.
- LLM test interaction displays the conversation which led AppScan to raise vulnerability.
- Impacted LLM vulnerability identified by test name.
LLM interaction:
- History of all prompts and responses.
  Note: For other issues this is the Request\Response tab.
How to fix:
- Remediation guidance and references.
- Clear reproduction steps and example prompts.

To filter LLM vulnerabilties, type the prefix “llm” in the search issues bar.

LLM scan showing LLM issue in search result

What to do next

You can generate the OWASP Top 10 for LLM Applications 2025 report.