Scan intensity

During a WAS scan, HTTP requests are sent over the wire from the WAS scanning engine to the web application server. For the scanner to crawl and test the web application that you would like to scan, the scanner has to make various requests to collect the links and then test the links in order to check for various vulnerabilities. The requests the scanner makes to collect and test the links of the web application constitute the HTTP request.

Good to Know

We recommend you start with a lower intensity setting

WAS scanning happens very quickly - faster than a human would

WAS automatically slows down requests if average response time gets slower

The scan intensity setting impacts the number of HTTP requests generated


Pre-defined scan intensity settings

Maximum - Scan performance is configured to finish in the fastest time possible.

Important This setting is recommended for internal scans (web application inside your LAN) and high performance, public web sites. Scans may be faster to complete but may overload your network, web server or database. Scanning a web application with limited resources may result in an unresponsive host or web application. How many requests?

High - Scan performance is optimized for high bandwidth use. How many requests?

Medium - Scan performance is optimized for medium bandwidth use. How many requests?

Low - Scan performance is optimized for low bandwidth use. How many requests?

Lowest - Scan performance is optimized for the lowest possible bandwidth use. How many requests?








Number of HTTP threads used to scan each host (applies to vulnerability scan only)






Delay between requests






Loading a site's pages

The maximum number of requests that WAS can have live on the wire is 10 requests. This means that a single request can only spend 25 milliseconds between any network delay, target delays in processing the request and generating a response, as well as any processing of the response that occurs within WAS.

Using a tool like to measure the time it takes to load a page, you will find that even sites like, which are highly optimized, take over 700 milliseconds to fully load due to the different analytic packages that are also being loaded by this single page.