Scan Creation Recommendations

New
  • Published on Jul 9, 2025
  • 2 minute(s) read
Prev Next

Creating efficient and targeted test scans is critical for maximizing coverage and minimizing runtime while testing your application ecosystem. This page highlights the recommended ways to structure your scans based on the following:

  • Attack type, plugin groupings, and execution schedules

  • Number of tests and assets

These recommendations are designed to help you optimize performance, focus scans on relevant assets and ensure continuous security improvement.

Attack Types

The following breakdown groups attacks into logical scans based on common categories and test volumes. Each scan recommendation also includes approximate test counts and suggested scan frequency. You can use the below Attack Selections while creating a policy, and then utilize the policy while creating a scan. While creating the scan, you can also use the recommended schedule. For information on how you can split scans based on the attack types and assets, see Number of Tests and Assets.

Scan Type

Attack Selections

Recommended Schedule

Approximate Tests

Remote Code Execution Scan

  • PHP-CGI Remote Code Execution (CVE-2024-4577)

  • Shell Shock Remote Code Execution (CVE-2014-6271)

  • Expression Language Injection

  • OS Command Injection

  • Buffer Overflow

  • Integer Overflow Error

  • Java Log4Shell (CVE-2021-44228)

Weekly

800,000

DB Attacks Scan

  • Error-Based SQL Injection

  • Blind NoSQL Injection

  • Blind SQL Injection

Weekly

800,000

XSS Attacks Scan

  • Reflected Cross-Site Scripting

Weekly

900,000

Design and Configuration Attacks Scan

  • XXE Remote File Inclusion

  • Directory Listing Leak

  • GraphQL Field Duplication Attack

  • GraphQL Alias-Based Attack

  • GraphQL Interface Protection

  • Bypass

  • Resource Intensive GraphQL Query

  • GraphQL Batch Query Attack

  • GraphQL Interface Exposure

  • GraphQL Field Suggestion

  • Graphql Introspection

  • HTTP Redirect

  • Server Version Disclosure

  • Cross-Domain Misconfiguration

  • XXE Local File Inclusion

Daily

235,000

Protocol Attacks Scan

  • TLS Certificate Transparency

  • BREACH

  • HEARTBLEED (CVE-2014-0160)

  • ROBOT (CVE-2017-13099)

  • TLS Certificate Wildcard

  • SSL/TLS Weak Ciphers

  • SSL/TLS Expired Certificate

  • TLS Not Implemented

  • Browser Exploit Against SSL/TLS (BEAST) (CVE-2011-3389)

  • Revoked Certificate

  • SWEET32 - Birthday attacks against TLS ciphers with 64bit block size (CVE-2016-2183)

  • Self Signed Certificate

  • Broken Certificate Chain

  • SSL/TLS Diffie-Hellman Attack (Logjam) (CVE-2015-4000)

  • Padding Oracle on Downgraded Legacy Encryption (POODLE) (CVE-2014-3566)

  • Certificate Common Name Mismatch

  • TLS/DTLS CBC Attack (Lucky13) (CVE-2013-0169)

  • Compression Ratio Info-leak Made Easy (CRIME) (CVE-2012-4929)

  • HTTPS Content Available via HTTP

  • HTTP Redirect

  • Insecure HTTP Method

  • GET for POST

Daily

200,000

Auth and Business Attacks Scan

  • Parameter Pollution

  • Weak Password

  • Mass Assignment

  • All JWT (JSON Web Token) Category

  • Parameter Tampering

  • Server-Side Request Forgery Blind

  • Unauthenticated Access

  • Multiple Versions of API

  • Broken Object Level Authorization

  • CRLF Injection

Daily

113,000

Number of Tests and Assets

Traceable recommends splitting a large scan into multiple smaller scans in scenarios where the number of attack types or assets (APIs) is significantly high. This helps:

  • Ensure that scans run efficiently without overutilizing resources

  • Prevent long-running scans that may result in a timeout or other connectivity issues

This section highlights the recommendations for splitting scans, enabling you to create scans efficiently based on the scale of your application testing.

You can break down scans in either of the following ways:

  • Split by Attack —  Divide the attack selections into multiple sets and create a separate policy for each set. You can then use each policy in its own scan.

    For example, in the above table, if the DB Attacks Scan contains ~800,000 tests across three attack selections, you can split it into three policies, each with a single attack selection. Further, you can assign them to three separate scans. This helps distribute the tests and allows for efficient testing.

  • Split by Assets — Divide the list of APIs across multiple scans while keeping the same attack policy.

    For example, if you are testing Cross-Site Scripting on 5,000 APIs using the XSS Attacks Scan (~900,000 tests) from the above table, you can create one policy with the Reflected Cross-Site Scripting attack selection. Further, you can assign this policy to two separate scans, each covering 2,500 APIs.

For information on the steps to create a scan, see Creating a Scan.