Skip to main content
How does our licensing work?

Understand what we offer, how to use them and when they're assigned

Updated over a month ago

Infrastructure license

This license allows users to conduct external scanning on IP addresses, Fully Qualified Domain Names (FQDNs) and subdomains; as well as internal scanning on devices supporting Windows, Linux or MacOS.

Application license

The Application license covers infrastructure scanning; enhanced web-app scanning of unauthenticated pages; authenticated web-app scanning (pages behind the login); as well as API scanning (where users have uploaded a schema file).


When are licenses assigned?

Infrastructure License

External Targets

Infrastructure licenses are assigned to external targets as soon as a scan (scheduled, on-demand, or ETS) is kicked off and a target is found to be active:

If a target is found to be active, but you don't have enough licenses, it will be marked with an orange dot and we'll send you a message to let you know what to do next.

Internal Targets

Unlike external targets, unresponsive internal will consume a license whether they're unresponsive or not.

Licenses are ‘tentatively assigned’ to internal targets as soon as you link the agent and see it pop up on your target list. Below, you'll see there's no mention of the license release date, because one hasn't been officially 'consumed' yet.

Once you've kicked off a scan, the license is officially assigned and when you hover over the license icon, you'll see the license release date:

The screenshot shows an unresponsive internal target, consuming a license:

Application License

Application licenses are assigned in two ways:

  1. You add the target as a web app via the add target modal and it's found to be active when added:



    2. Or, you added a target as an infrastructure target and then added authenication or an API schema. You would then need to have kicked off a scan and the target needs to have been found as active.




  1. For targets with authentication provided, it'll look like this:


  2. For targets that have authentication provided and an API schema uploaded, it'll look like this:


How long are licenses locked to a target?

Please note: deleting the target, cancelling the scan, removing/disabling the authentication or deleting the API schema will not release the license early.

Please note that Emerging Threat Scans will reset the consumption period for any target they run on. (As will any other vulnerability scan).

Infrastructure License

Licenses are deemed ‘in use’ for 30 days; re-scanning the target simply resets the consumption period. Once those 30 days have elapsed the license is released and available for use on another target.

Application License

Same as above: licenses are deemed ‘in use’ for 30 days; re-scanning the target simply resets the consumption period. Once those 30 days have elapsed – assuming you have deleted/disabled any authentication, removed any API schemas and no scans have run – the license is released and available for use on another target.

If you forget to remove the authentication or the API schema, once you have removed it – assuming the 30 days have elapsed – the license will be released within 24 hours.


How do I know when my licenses are due for release?

There are several places where you can find this information.

Targets > Licenses Tab

Target's Detail Page


How do I know when my targets were last scanned for vulnerabilities?

You can find this information by heading to Targets > Licenses > Last scan column:

Normally, you'll notice the date listed in the Last Scan column is 30 days before the Release date shown under the License type column.

The only time there might be more than 30 days between the two dates is if a licensed internal target is showing as unresponsive. In that case, the Last scan column will list the last date it was successfully scanned for vulnerabilities, whilst the License type column will list the last time the license consumption period was reset (which is every time a scan is kicked off on an internal target, regardless of whether the target is active or not).

(The greyed-out line item shows an internal device that has been deleted/agent unlinked but is still consuming a license. Since it's been deleted, the license will be released from this unresponsive machine on 20th July).


FAQs: Licensing

How do I know if I need more licenses?

You'll see a banner at the top of the screen (as shown above). To find the exact number of licenses you need, have a look for the 'Active' count under 'Unlicensed'.

How do I increase/decrease my license count?

We’ve written an article on exactly this – just click here.

Can I re-assign a license?

No, unfortunately not. Once a license has been assigned to a target, it will remain 'locked' to it for 30 days.

Can I transfer a license from the IP address to the domain?

No, unfortunately not. The portal has no way of knowing that the two are affiliated and so it treats them as independent targets, each requiring a license to scan them.

What license do I need to scan web apps?

What license do I need to scan APIs?


FAQs: Infrastructure Licenses

I need to add my web server as a target – what should I do?

We have just the article for this, head here.

What about scanning the same target internally and externally?

To scan the same target from both perspectives, you would need two licences. The reason for this is because each scanning perspective provides you with different insights: 

  • The external scan reveals what is directly accessible from the internet right now – this could be web-layer security problems; infrastructure weaknesses or security misconfigurations.

  • Whereas, the internal scan is useful for viewing the device from the perspective of an attacker who has bypassed perimeter defences (perhaps in the form of an email), and is able to exploit internal configuration weaknesses; missing patches and encryption weaknesses.


FAQs: Application Licenses

How do I add authentication to a target?

You can only add authentications to a target if you have an Application license available; instructions on how to add them can be found here.

Can I change from an Infrastructure license to an Application license?

If an Infrastructure license has been assigned to the target, but you want to run an authenticated scan, then you’ll need to make sure you have an Application license available. Once you have added the authentication and kicked off a scan, the Application license is assigned and the infrastructure license is released (so you can use it to scan other targets from an unauthenticated perspective).

What happens if I have purchased an Application license and run a scan before adding credentials?

The license will be assigned, but will only scan the infrastructure. As soon as you add the authentications, you can run another scan to cover the authenticated pages too.

What happens if I delete my authentication(s)?

👉 If you've scanned the target

The Application license will remain assigned to the target for 30 days and will reset with every subsequent scan, even if you have removed the credentials. Only once the 30-day consumption period has elapsed will the Application license be released and available for use on another target.

If an Application license is currently assigned to a target without credentials and you wish to continue with unauthenticated scanning only, please feel free to reach out via the chatbot and we can discuss options).

👉 If you haven't scanned the target

The Application license won't have been assigned so it's available for immediate use on another target.

What do the icons mean?

  • This target has an application license assigned, and one set of authentication provided:

  • This target has an application license assigned, and two sets of authentication provided:

  • This target has an application license assigned, one set of authentication provided and API schema upload:

  • This target has an application license assigned, but no authentication of API uploaded:

How many authentications can I add per Application License?

You license the target and not the authentications, so you can add as many sets of credentials as you like.

Did this answer your question?