Infrastructure license
This license enables external scanning of IP addresses, Fully Qualified Domain Names (FQDNs), and subdomains, as well as internal scanning on devices running Windows, Linux, or macOS.
Application license
The Application license covers infrastructure scanning, enhanced web-app scanning of unauthenticated pages, authenticated web-app scanning (pages behind the login), as well as API scanning (where users have uploaded a schema file).
When are licenses assigned?
Infrastructure License
External Targets
Infrastructure licenses are assigned to external targets as soon as a scan (scheduled, on-demand, or ETS) is kicked off, and a target is found to be active:
If a target is found to be active, but you don't have enough licenses, it will be marked with a red dot, and we'll send you a message to let you know what to do next:
Internal Targets
Unlike external targets, internal targets will consume a license whether they're responsive or not.
Licenses will be ‘tentatively assigned’ to internal targets as soon as you link the agent and see it pop up on your targets list. Below, you'll see there's no mention of the license release date, because one hasn't been officially 'consumed' yet.
Once you've kicked off a scan, the license is officially assigned, and when you hover over the license icon, you'll see the license release date:
The screenshot shows an unresponsive internal target, consuming a license:
Application License
Application licenses are assigned in two ways:
1. You add the target as a web app via the add target modal, and it's found to be active when added:
2. Or, you add an authentication/API schema to an existing target. You would then need to have kicked off a scan, and the target needs to have been found to be active.
For targets with authentication added, they will look like this:
For targets that have an authentication added, and an API schema uploaded, they will look like this:
How long are licenses locked to a target?
Please note: deleting the target, cancelling the scan, removing/disabling the authentication, or deleting the API schema will not release the license early. The 30-day release period will still apply.
Please note that Emerging Threat Scans will reset the consumption period for any target they run on (as will any other vulnerability scan).
Infrastructure Licenses
Licenses are deemed ‘in use’ for 30 days; re-scanning the target simply resets the consumption period. Only once 30 days have elapsed is the license released and available for use on another target.
Application Licenses
Same as above: licenses are deemed ‘in use’ for 30 days; re-scanning the target simply resets the consumption period. Once those 30 days have elapsed – assuming you have deleted/disabled any authentication, removed any API schemas, and no scans have run – the license is released and available for use on another target.
If you forget to remove the authentication or the API schema, once you have removed it – assuming the 30 days have elapsed – the license will be released within 24 hours.
How do I know when my licenses are due for release?
There are several places where you can find this information.
How do I know when my targets were last scanned for vulnerabilities?
You can find this information by heading to Targets > Licenses > 'License consumed by' column:
Normally, you'll notice the date listed in the 'License consumed by' column is 30 days before the release date shown under the 'License released on' column.
The only time there might be more than 30 days between the two dates is if a licensed internal target is unresponsive. In that case, the 'License consumed by' column will list the date that the target was last successfully scanned, whilst the 'License released on' column will list the last time the license consumption period was reset (which is every time a scan is kicked off for internal targets, regardless of status).
(The first line shows an unresponsive internal target that is still consuming a license. It was last successfully scanned on 12th May, but the license was re-consumed by the scheduled scan, which ran 30 days before the release date.)
FAQs: Licensing
How do I know if I need more licenses?
You'll see a banner at the top of the screen as shown here:
To find the exact number of licenses you need, have a look at the 'Active' count under 'Unlicensed'.
How do I increase/decrease my license count?
We’ve written an article on exactly this – just click here.
Can I re-assign a license?
Once a license has been assigned to a target, it will remain 'locked' to it for 30 days. After it has been released, the license will be free to use on a different target.
Can I transfer a license from the IP address to the domain?
No, unfortunately not. The portal has no way of knowing that the two are affiliated, and so it treats them as independent targets, each requiring a license to scan them.
What license do I need to scan web apps?
What license do I need to scan APIs?
FAQs: Infrastructure Licenses
I need to add my web server as a target – what should I do?
We have just the article for this, head here.
What about scanning the same target internally and externally?
To scan the same target from both perspectives, you would need two licenses. The reason for this is that each scanning perspective provides you with different insights:
The external scan reveals what is directly accessible from the internet right now – this could be web-layer security problems, infrastructure weaknesses, or security misconfigurations.
The internal scan, by contrast, is useful for viewing the device from the perspective of an attacker who has bypassed perimeter defences and is able to exploit internal configuration weaknesses, missing patches, and encryption weaknesses.
Why is my license locked for 30 days? That's too long.
Licenses are locked for 30 days from the last scan in order to ensure fair usage of the platform. One of our underlying scanning engines locks the licenses for a 90-day period, but we feel this is too restrictive, so we absorb the cost of 60 days to increase the value for our customers.
FAQs: Application Licenses
How do I add authentication to a target?
You can only add authentications to a target if you have an Application license available; instructions on how to add an authentication can be found here.
Can I change from an Infrastructure license to an Application license?
If an Infrastructure license has been assigned to the target, but you want to run an application scan, then you’ll need to make sure you have an Application license available. Once you have added the authentication and kicked off a scan, the Application license is assigned, and the infrastructure license is released (so you can use it to scan other targets from an unauthenticated perspective).
What happens if I have purchased an Application license and run a scan before adding credentials?
The license will be assigned, but it will only run an infrastructure scan. As soon as you add an authentication, you can run another scan to cover the authenticated pages too, which will, in turn, assign an application license as per the question above.
What happens if I delete my authentication(s)?
👉 If you've scanned the target
The Application license will remain assigned to the target for 30 days and will reset with every subsequent scan, even if you have removed the credentials. Only once the 30-day consumption period has elapsed will the Application license be released and available for use on another target.
If an Application license is currently assigned to a target without credentials and you wish to continue with unauthenticated scanning only, please feel free to reach out via the chatbot, and we can discuss options.
👉 If you haven't scanned the target
The Application license won't be assigned, so it's available for immediate use on another target.
What do the icons mean?
This target has an application license assigned, and one authentication method provided:
This target has an application license assigned, and two authentication methods provided:
This target has an application license assigned, one authentication method provided, and an API schema uploaded:
This target has an application license assigned, but no authentication or API uploaded:
How many authentications can I add per Application License?
You license the target and not the authentications, so you can add as many authentication methods as you like.