What types of licenses do we offer?
Currently, Intruder has two different license categories: Infrastructure licenses and Authentication licenses.
The Infrastructure license allows users to conduct external scanning on IP addresses, domains and subdomains, as well as internal scanning on devices running Windows, Linux or macOS.
(This license is changing! Read more to see how 👇)
The Authentication license can be used to conduct infrastructure scanning and authenticated web-app scanning (where authentication has been provided), allowing us to scan your perimeter and the pages behind the login. On March 28th, Intruder’s Authentication licenses will become Application licenses and gain expanded capabilities.
Improving our web app security and API scanning is a focus for 2023. To do that, we are simplifying licenses so that it’s easy to understand exactly what is protected.
The *new* Application license
The Application license can be used to scan authenticated or unauthenticated web applications and APIs on one target (an IP address or host name) allowing us to scan your perimeter, the underlying infrastructure and the pages behind a login.
The license supports many applications or APIs on one target, which is very helpful if you want to scan:
- An application with different user types
- An application with different permission levels
- An IP address or domain hosting multiple applications or APIs
Some customers use an Infrastructure license to scan unauthenticated web apps, which provides a good level of security for customers who want to scan commercial, off-the-shelf applications for known vulnerabilities. But this is not sufficient for our customers with more complex applications that require additional context to provide meaningful results.
The Application license extends the Infrastructure license. While still scanning the underlying infrastructure, the Application license uses the OWASP ZAP Dynamic Application Security Testing (DAST) scanner to run more comprehensive checks on your web apps, finding zero day or unknown vulnerabilities in custom applications.
So, if you build apps, have apps built for you, need more control over your apps, or generally want more comprehensive security, the Application license might be the right choice for you. The differences between the licenses are explained in more detail in the chart below.
Infrastructure license

What does it scan?
– Scans the underlying infrastructure of the app, including some basic DAST scanning

Difference in security
– Useful for finding vulnerabilities in commercial, off-the-shelf applications (stuff you haven’t built yourself)
– Finds known vulnerabilities
– Will find some common web app issues like cross-site scripting and SQL injection

Application license (OWASP ZAP + Tenable)

What does it scan?
– Scans the underlying infrastructure of the app or API
– Enhanced DAST approach attempts to identify vulnerabilities in the same way an attacker would by updating its approach dynamically whilst testing
– Scans behind login pages and authentication (if they exist)

Difference in security
– Finds zero days in customer applications (aka software you have built yourself)
– Finds unknown and known vulnerabilities
– Control the scope of the scan yourself: if you have multiple apps on a single target, you can specify which apps you want to scan
– Will also check website pages behind authentication that wouldn't be checked otherwise
When are licenses assigned?
Infrastructure licenses are assigned to external targets as soon as a scan (scheduled, or ETS) is kicked off and a target is found to be active. The Authentication license will be locked to the target as soon as an authentication or API is added. The new Application license will not function any differently from the existing Authentication license, but to add an API onto an Application license you need to upload the OpenAPI/Swagger schema. (If a target is found to be active but you don't have enough licenses, it will be marked with an orange dot and we'll send you a message to let you know what to do next.)
Licenses are ‘tentatively assigned’ to internal targets as soon as you link the agent and see it pop up on your target list. (For that reason, you can only add as many internal targets as you have licenses available). However, the license is formally assigned as soon as the scan is started, regardless of whether the target is active or not.
How long are licenses locked to a target?
All Intruder licenses are deemed ‘in use’ for 30 days; only once those 30 days have elapsed is the license released and available for use on another target.
For Infrastructure licenses, once a target has not been scanned for 30 days the license is released.
For Application licenses, the license will only be released once:
• An authentication is disabled or deleted, or
• The API is deleted.
Please note, deleting the target, cancelling the scan or removing the authentication does not release the license immediately. You can re-scan the same target(s) as many times as you like without using any additional licenses – it just resets the 30 days.
Can I re-assign a license?
No, unfortunately not. Once a license has been assigned to a target, it will remain 'locked' to it for 30 days.
Can I transfer a license from the IP address to the domain?
No, unfortunately not. The portal doesn't know that the two are affiliated and so it treats them as independent targets, each requiring a license to scan them.
How do I know if my target is consuming a license / has authentication provided?
The first icon indicates that authentication has been added. The second icon indicates that the target has an API.
How do I know when my licenses are due for release?
Head to the Targets page and click 'Licenses'. The ‘License release’ column is what you’re looking for.
How do I increase/decrease my license count?
We’ve written an article on exactly this – just click here.
Questions about Infrastructure licenses
I need to add my web server as a target – what should I do?
We have just the article for this, head here.
What about scanning the same target internally and externally?
To scan the same target from both perspectives, you would need two licenses. The reason is that each scanning perspective provides you with different insights:
• The external scan reveals what is directly accessible from the internet right now – this could be web-layer security problems, infrastructure weaknesses or security misconfigurations.
• The internal scan is useful for viewing the device from the perspective of an attacker who has bypassed perimeter defenses (perhaps via an email) and is able to exploit internal configuration weaknesses and missing patches.
Questions about Application licenses
How do I scan a web app?
Once you have an Application license assigned to a target, you can add an authentication (you do this for both authenticated and unauthenticated apps) or add an API by uploading a schema using the instructions below.
How do I add authentication to a target?
You can only add authentications to a target if you have an Application license available; instructions on how to add them can be found here.
Currently, to scan an unauthenticated web app, you need to add dummy credentials. Instructions on how to do that can be found here.
How do I add an API to a target?
You can only add an API to a target if you have an Application license. Instructions on how to add an API will be shared once the feature launches.
Can I change from an Infrastructure license to an Application license?
If an Infrastructure license has been assigned to the target, but you want to run a web app or API scan, then you’ll need to make sure you have an Application license available. Once you have added the authentication or API and kicked off a scan, the Application license is assigned and the Infrastructure license is released (so you can use it to scan other targets from an unauthenticated perspective).
What happens if I have purchased an Application license and run a scan before adding credentials?
The license will be assigned, but will only scan the infrastructure. As soon as you add the authentications to the target that was assigned the Application license, you can run another scan to cover the authenticated pages too.
What happens if I delete my authentication(s)?
👉 If you've scanned the target
The Application license will remain assigned to the target for 30 days and will reset with every subsequent scan, even if you have removed the credentials. Only once the 30-day consumption period has elapsed will the Application license be released and available for use on another target.
👉 If you haven't scanned the target
The Application license is locked to the target for 30 days from when the authentication or API is added.