Generic security scanners don't understand OutSystems factories. AppScan Studio does — we catch what code review missed before your customers do. Pages reachable without login. Customers seeing each other's data. Junior staff seeing executive screens. Last release's fix quietly broken in this one. Built for the developers shipping the code and the PMs shipping the project.
No source code, no agents. AppScan works against the published app the way an attacker would see it.
Point AppScan at your published OutSystems app. We pull the public surface — every screen, every server action, every response header — exactly the way an attacker would see it.
Every screen, action, and endpoint is checked for known risk patterns: pages reachable without login, customers able to see each other's data, server actions named in ways that often hide privilege gaps. Ranked by severity, not by where they came from.
Mark findings as fixed, ignored, or false positive. Compare against the previous release to see what's new. Share scoped, expiring links with stakeholders.
For every anonymous endpoint AppScan discovers, we can actively fire typed payloads — SQL injection, command injection, path traversal, pagination bypass, length-boundary stress — and grade what comes back. Same scanner, two modes: read the surface, then probe it.
Each input gets variants matched to its declared OutSystems type — Integer, Date, Text, Boolean — plus boundary stress and the canonical SQLi / CMDi / path-traversal classics. Per-tenant ignore list silences known-clean endpoints.
Responses are graded High / Medium / Low / Info by signature, not raw HTTP status. Excessive data exposure on paginated endpoints, SQL error leakage, server-side request mirroring — each finding carries its CWE + OWASP reference and a reproduction curl command.
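How typed variants and signature-based grading fit together, as an added example written for this page rather than AppScan's own code. It plans one payload set per input from its declared OutSystems type, then grades a response by what the body reveals instead of by status code, so a 200 that echoes a SQL error outranks a bare 500. The signature table, the payload lists, the 32-bit Integer boundary and the pagination cap are assumptions for illustration, not the product's curated set.

```python
import re

# Constructed signature table, checked in priority order. Severity comes from what the
# body reveals, not from the HTTP status code: a 200 that echoes a SQL error is High,
# a bare 500 with a generic error page is only Low.
SIGNATURES = [
    ("High", re.compile(r"ORA-\d{5}|SQLSTATE\[|syntax error at or near|"
                        r"Unclosed quotation mark|You have an error in your SQL syntax|"
                        r"Incorrect syntax near", re.I)),
    ("High", re.compile(r"root:x:0:0:|^\[fonts\]|^\[extensions\]", re.I | re.M)),  # file read back
    ("Medium", re.compile(r"\.java:\d+\)|\.cs:line \d+|Stack Trace:|"
                          r"Traceback \(most recent call last\)", re.I)),
]

SQLI = ["'", "' OR '1'='1", "1 OR 1=1", "1;--"]
CMDI = ["; id", "| whoami", "$(sleep 0)"]
TRAVERSAL = ["../../../../etc/passwd", "..\\..\\..\\windows\\win.ini"]


def variants_for(declared_type: str) -> list[str]:
    """Payload variants for one input, keyed on its declared OutSystems type.
    Boundary values assume Integer is 32-bit signed and Text has no server-side
    length cap (assumptions for the example)."""
    t = declared_type.lower()
    if t == "integer":
        return ["0", "-1", "2147483647", "2147483648", "-2147483649", "1e9", *SQLI]
    if t == "date":
        return ["0001-01-01", "9999-12-31", "2024-02-30", "31/12/2024", "", *SQLI]
    if t == "boolean":
        return ["true", "false", "1", "0", "yes", "null", "TRUE OR 1=1"]
    # Text (and anything unknown): length stress plus the injection classics
    return ["", "A" * 4096, "%00", *SQLI, *CMDI, *TRAVERSAL]


def probe_plan(params: dict[str, str]) -> list[tuple[str, str]]:
    """Flatten {param: declared_type} into (param, payload) pairs, fired one at a time."""
    return [(name, payload) for name, typ in params.items() for payload in variants_for(typ)]


def grade_response(status: int, body: str) -> str:
    """First matching signature wins; with no signature, a 5xx is Low and anything else Info."""
    for severity, pattern in SIGNATURES:
        if pattern.search(body):
            return severity
    return "Low" if status >= 500 else "Info"


def grade_pagination(requested_page_size: int, rows_returned: int, expected_cap: int = 100) -> str:
    """Excessive data exposure: the endpoint honoured a page size well above the cap it
    should enforce, so a single request can dump the whole table."""
    if requested_page_size > expected_cap and rows_returned > expected_cap:
        return "High"
    return "Info"


if __name__ == "__main__":
    plan = probe_plan({"OrderId": "Integer", "Since": "Date", "Search": "Text"})
    print(f"{len(plan)} probes planned")
    print(grade_response(200, '{"error":"You have an error in your SQL syntax"}'))  # High
```

The order of the signature table matters: a stack trace that also contains a database error string should grade High, so the SQL patterns are checked first.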
One-click export as SARIF v2.1.0 (drops straight into GitHub Advanced Security or any IDE that speaks the standard) or as an Acunetix-style PDF: cover, executive summary with severity donut, per-finding detail blocks, glossary.
Every finding category maps to its PCI DSS 4.0 / ISO 27001 / SOC 2 control reference in the PDF report. Hand it to auditors without translating from CWE numbers yourself.
The dashboard view of every scan, every status, every release — designed to be skimmed in seconds before a deploy.
Every scan in one table — live status, findings, and what's new since the last release. Filter by URL, sort by danger or suspicion, drill into a report.
Want to see a finished report? Open the sample report
Sometimes. Until your factory grows past one reviewer's working memory, or the same legacy debug code surfaces in every release for the fifth quarter running.
A reviewer skims the same BackupOldOrders action on every PR for two years. AppScan triages it once and silences it on every future scan — only what's new gets your attention.
Code review tools show what changed. AppScan shows what's still risky — including code that didn't change but is exposed differently because something else around it did.
A reviewer sees the PR they're assigned. AppScan walks every screen, every server action, every module — including the modules nobody actively owns and the ones a junior dev shipped six months ago.
Alice catches role misuse. Bob misses it because he's tired. The next reviewer doesn't know what to look for. AppScan applies the same curated pattern set on every scan — no off days.
Different layer. AI Mentor reviews your source at design time — patterns and suggestions inside Service Studio. AppScan tests the deployed app from the outside — what's actually exposed once a release is published. Both are useful; they don't see the same things.
Source-time tools read what you wrote. AppScan reads what your customers get — the live URL, the published role, the response your app actually returns today. Same code can ship differently across environments; only the runtime sees that.
Static reviewers flag issues per file. AppScan diffs scan vs. scan — what's new since last release, what's still triaged from last quarter, what was silently fixed. Releases, not files.
A scan written outside your IDE is an independent check on the assumptions inside your IDE. If something says it's "Registered" but the deployed endpoint answers anonymously, AppScan catches the gap. Defense in depth is layered on purpose.
Designed around the way OutSystems teams actually work — release cycles, modules, and PMs who need a plain-English summary.
Flags screens left open to Anonymous or stuck on generic Registered — the access-control gaps that turn into data leaks.
Spots endpoints that take internal IDs without ownership checks — the pattern attackers use to enumerate other users' records.
Server-action names are scored against curated Dangerous and Suspicious pattern sets — code that always deserves a second pair of eyes.
CSP gaps, cookie-flag issues, missing security headers. Each finding links to a guide explaining the why and the fix.
Compare two scans. Get a dev-facing changelog and a PM-friendly summary — engineers and stakeholders read the same release notes.
Per-release diffing surfaces only what wasn't flagged last time and isn't already triaged. No alert fatigue.
Mark findings fixed, ignored, or false positive. Triage state is shared and silences resolved items on future scans.
Send a 7-day, scoped read-only link to one specific report. No login needed for the recipient.
Custom allow-list headers for WAFs (Akamai, Cloudflare) and proxy-country selection, for apps behind firewalls or geo-restricted.
Visual graph of which modules consume which — three layouts (radial, force, hierarchical), full-viewport canvas, exportable PNG. Spot the high-fan-in modules that quietly underpin half the factory.
One page per app showing dangerous-finding count over every scan, severity-ratio over time, scan cadence, and an Acunetix-style health verdict. Catches regressions release-over-release without re-reading every report.
The questions every procurement and security team asks before signing — answered in-product, not in a slide deck.
TOTP (Google Authenticator, Authy, 1Password) enforced for every user, with backup codes and remember-device. No password-only logins anywhere.
Every login, scan start, role change, API key use, and admin action lands in a tamper-resistant audit table. Account Admins see their tenant's slice; full history is exportable.
Programmatic access via Authorization: Bearer aps_…. Per-token read / write scopes, self-service issuance, soft-revoke. Drop into your CI/CD pipeline.
Standard SARIF output for runtime findings. Drops straight into GitHub Advanced Security, GitLab SAST integration, or any IDE / dashboard that consumes the format.
One-click async export of every record we hold for your tenant — reports, users, audit log, API keys metadata. ZIP delivered by email + page download, valid for 7 days.
Upload your own logo and we replace ours on the cover of every PDF report. Same scanner, your branding for executive readouts and customer-facing audits.
Reports, users, settings, and API keys are scoped to client_id at the SQL layer — not at the application layer. A leaked session cannot reach another tenant's data; the SQL itself refuses.
Infrastructure in the EU, processed by QUICKSYNC, UNIPESSOAL LDA (Portugal). Data residency answer comes pre-checked on the procurement form.
These rules don't prove a vulnerability — they spot server actions whose names land in territory that's worth a closer look. Same rules drive every count, pill, and diff in the app.
Names that consistently land in high-impact territory — the kind of code reviewers always want to look at twice before a release ships. The exact pattern set is curated and updated as we learn what teams actually miss.
Naming and shape patterns that point to code which probably shouldn't have shipped to production — context-dependent, but always worth confirming.
The ones we hear most often, answered before the call.
No. AppScan scans the deployed app over HTTP at the URL you give us. No agent, no install in your factory, no LifeTime access, no source export. If a screen, REST endpoint, or server action is reachable from the internet (or a network we can reach), AppScan can reason about it.
Hosted in the EU. We store the scan reports we generate (findings, response headers, role assignments, action names), per-tenant and isolated. We do not store full response bodies, customer PII, or anything that wasn't necessary to produce the report.
Triage state (fixed / ignored / false positive) and share-link metadata live alongside the reports. See the privacy policy for the data-flow detail and retention windows.
Yes. You give AppScan a custom HTTP request header, name and value of your choice, that we attach to every scan request. Your security team allow-lists that exact value at the WAF (Cloudflare, Akamai, or wherever it sits), so our traffic identifies itself cleanly and gets through while everything else stays behind your usual protections. Treat the value like a credential: anyone who learns it gets the same pass through your bot rules, so use a long random string and rotate it whenever you want. We simply send back whatever you configured.
Scans can also be routed through a configurable proxy region so the source IP is predictable for IP-based allow-lists. For aggressive bot-protection rules (rate limits, JS challenges), we coordinate the full allow-list with your security team before the first scan.
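A model of the WAF-side rule the two paragraphs above ask your security team to write, as an added example for this page (it is not AppScan's code or any vendor's rule syntax). It accepts a request only when the identification header matches an active value, compares in constant time, keeps the previous value alive for a short overlap after rotation so a scan in progress does not start failing halfway through, and optionally also requires the source IP to sit inside the scanner's proxy range. The header name, value lengths, overlap window and CIDR are assumptions for illustration.

```python
from __future__ import annotations

import hmac
import ipaddress
import secrets
import time


def new_allowlist_value() -> str:
    """A fresh header value: 32 random bytes, URL-safe. Treat it like a credential."""
    return secrets.token_urlsafe(32)


class ScannerAllowlist:
    """Constructed model of the WAF-side rule. A request skips bot protection only if its
    identification header matches an active value; the previous value stays valid for
    an overlap window after rotation so in-flight scans keep working. When source CIDRs
    are configured the remote IP must also fall inside them (hypothetical policy)."""

    def __init__(self, header_name: str, value: str, source_cidrs: list[str] | None = None):
        self.header_name = header_name.lower()  # HTTP header names are case-insensitive
        self.current = value
        self.previous: str | None = None
        self.previous_expires = 0.0
        self.source_nets = [ipaddress.ip_network(c) for c in (source_cidrs or [])]

    def rotate(self, new_value: str, overlap_seconds: int = 3600, now: float | None = None) -> None:
        now = time.time() if now is None else now
        self.previous, self.previous_expires = self.current, now + overlap_seconds
        self.current = new_value

    def _active_values(self, now: float) -> list[str]:
        values = [self.current]
        if self.previous is not None and now < self.previous_expires:
            values.append(self.previous)
        return values

    def should_bypass(self, headers: dict[str, str], remote_ip: str | None = None,
                      now: float | None = None) -> bool:
        now = time.time() if now is None else now
        presented = next((v for k, v in headers.items() if k.lower() == self.header_name), None)
        if presented is None:
            return False
        # Compare against every active value without short-circuiting, and in constant
        # time, so response timing does not reveal how much of a guess was right.
        matched = False
        for value in self._active_values(now):
            matched |= hmac.compare_digest(presented.encode(), value.encode())
        if not matched:
            return False
        if self.source_nets:  # IP allow-list is an extra gate only when configured
            if remote_ip is None:
                return False
            ip = ipaddress.ip_address(remote_ip)
            return any(ip in net for net in self.source_nets)
        return True


if __name__ == "__main__":
    wl = ScannerAllowlist("X-AppScan-Allow", new_allowlist_value(), ["203.0.113.0/24"])
    print(wl.should_bypass({"x-appscan-allow": wl.current}, remote_ip="203.0.113.7"))  # True
```

The overlap window is the practical detail most rules miss: if the WAF only knows the new value the moment you rotate, a scan that started under the old value fails its remaining requests and the report comes back full of false "unreachable" results.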
Most apps scan in 1–3 minutes. Big multi-module apps — think a full banking app with many screens, server actions, and roles — can run up to around 30 minutes. Scan time scales with how much there is to walk, not with whether the release is new or unchanged: re-scans take roughly the same time as the first scan. Your triage state (fixed / ignored / false positive) carries forward, so the report stays focused on what actually changed.
Accounts are admin-provisioned today; SSO (SAML / OIDC) is on the roadmap and we'll prioritize it for tenants that ask. Reports can be shared externally with scoped, expiring read-only links — no recipient login required.
AppScan only issues HTTP requests against your published apps and reads the responses. We never call write/mutating endpoints with destructive payloads, never authenticate as a real user against your environment, and never modify configuration in your factory. The full request log for any scan is available to you on request — every URL we hit, every method, every header.
For active runtime probing (the SQLi / CMDi / path-traversal sweep), payloads are fired only against endpoints declared anonymous in your OutSystems metadata, and only with the standard typed-payload set documented in the report. We never escalate to authenticated probes without an explicit, scoped credential you provision yourself.
Yes, and it's mandatory. Every user enrols TOTP (Google Authenticator, Authy, 1Password, hardware keys that emit TOTP) on first login. Backup codes are issued at enrolment for lost-device recovery. There is no password-only login path anywhere in the app, for any role.
SSO (SAML / OIDC) is on the roadmap — see the SSO question above. Until that lands, TOTP is the second factor for every account including Staff.
Yes. Every login (success and failure), scan start, role change, password reset, API-key issuance, API call, and admin action lands in a tamper-resistant audit_logs table. Account Admins see their tenant's slice via Settings → Audit log; AppScan staff have the cross-tenant view for support.
The data is also part of the GDPR export (next question) so you can ingest it into your own SIEM / observability stack on whatever cadence makes sense.
Yes. Settings → Data export (Account Admin only) generates a ZIP of every record AppScan holds for your tenant: tenant.json, users.json (no password hashes), api_keys.json (no secret hashes), audit_logs.jsonl, and one JSON file per scan report. The export runs asynchronously — you get an email with a 7-day download link, and the page table shows live status.
Hard-delete on contract end-of-term: we wipe the tenant row, every report payload, every audit entry, and every artifact within 30 days of termination. Available on request before then.
Yes — runtime findings export as SARIF v2.1.0 (the standard GitHub, GitLab, and most IDEs consume). One-click from the anon-probe report page. Each finding carries its rule id, CWE reference, severity, evidence excerpt, and the request that triggered it. PDF reports include the same data plus PCI / ISO / SOC 2 control mappings.
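The CI side of the SARIF export described here and in the export sections above, as an added example that is not AppScan's code: a gate that reads a SARIF v2.1.0 file, resolves each result's level the way the standard does (result.level, else the rule's defaultConfiguration.level, else "warning"), skips results carrying an accepted suppression, and fails the build on whatever levels you choose. The embedded SARIF document, its rule ids, endpoint and messages are constructed for the example; the real export's rule ids are whatever AppScan emits. Reproduction commands are rebuilt from the result's webRequest object, which is where the standard carries the triggering request.

```python
from __future__ import annotations

import json
import shlex

# Constructed SARIF v2.1.0 document shaped like the export described above. Rule ids,
# the endpoint and the messages are invented for the example.
SAMPLE_SARIF = json.loads("""
{
  "version": "2.1.0",
  "$schema": "https://json.schemastore.org/sarif-2.1.0.json",
  "runs": [{
    "tool": {"driver": {"name": "AppScan Studio", "rules": [
      {"id": "SQLI-ERROR-LEAK", "shortDescription": {"text": "SQL error leakage"},
       "defaultConfiguration": {"level": "error"}},
      {"id": "PAGINATION-EXPOSURE", "shortDescription": {"text": "Excessive data exposure"},
       "defaultConfiguration": {"level": "warning"}},
      {"id": "MISSING-CSP", "shortDescription": {"text": "No Content-Security-Policy"},
       "defaultConfiguration": {"level": "note"}}
    ]}},
    "results": [
      {"ruleId": "SQLI-ERROR-LEAK", "message": {"text": "MySQL error echoed in response body"},
       "webRequest": {"method": "GET",
                      "target": "https://app.example.invalid/rest/Orders/GetOrder?Id=1%20OR%201%3D1",
                      "headers": {"Accept": "application/json"}}},
      {"ruleId": "PAGINATION-EXPOSURE", "level": "error", "message": {"text": "PageSize=10000 honoured"},
       "suppressions": [{"kind": "external", "status": "accepted", "justification": "triaged: false positive"}]},
      {"ruleId": "MISSING-CSP", "message": {"text": "No CSP header on /Login"}},
      {"ruleId": "PAGINATION-EXPOSURE", "level": "warning", "message": {"text": "PageSize=500 honoured"},
       "suppressions": [{"kind": "external", "status": "rejected"}]}
    ]
  }]
}
""")


def rules_by_id(run: dict) -> dict[str, dict]:
    return {r["id"]: r for r in run.get("tool", {}).get("driver", {}).get("rules", [])}


def effective_level(result: dict, rules: dict[str, dict]) -> str:
    """SARIF: result.level wins; else the rule's defaultConfiguration.level; else 'warning'."""
    if "level" in result:
        return result["level"]
    rule = rules.get(result.get("ruleId", ""), {})
    return rule.get("defaultConfiguration", {}).get("level", "warning")


def is_suppressed(result: dict) -> bool:
    """Suppressed when at least one suppression is accepted; an absent status means accepted."""
    return any(s.get("status", "accepted") == "accepted" for s in result.get("suppressions", []))


def as_curl(result: dict) -> str | None:
    """Rebuild a reproduction command from the SARIF webRequest object, shell-quoted."""
    req = result.get("webRequest")
    if not req:
        return None
    parts = ["curl", "-X", req.get("method", "GET")]
    for name, value in req.get("headers", {}).items():
        parts += ["-H", shlex.quote(f"{name}: {value}")]
    parts.append(shlex.quote(req["target"]))
    return " ".join(parts)


def gate(sarif: dict, fail_on: tuple[str, ...] = ("error",)) -> dict:
    """Count active (unsuppressed) results per level and decide whether the build passes."""
    counts = {"error": 0, "warning": 0, "note": 0}
    active = []
    for run in sarif.get("runs", []):
        rules = rules_by_id(run)
        for result in run.get("results", []):
            if is_suppressed(result):
                continue  # triaged as fixed / ignored / false positive upstream
            level = effective_level(result, rules)
            counts[level] = counts.get(level, 0) + 1
            active.append({"ruleId": result.get("ruleId"), "level": level, "repro": as_curl(result)})
    blocking = [f for f in active if f["level"] in fail_on]
    return {"passed": not blocking, "counts": counts, "blocking": blocking, "active": active}


if __name__ == "__main__":
    import sys
    doc = json.load(open(sys.argv[1])) if len(sys.argv) > 1 else SAMPLE_SARIF
    verdict = gate(doc)
    for f in verdict["blocking"]:
        print(f"[{f['level']}] {f['ruleId']}: {f['repro']}")
    sys.exit(0 if verdict["passed"] else 1)
```

Run it as `python gate.py appscan.sarif` in the pipeline step after the export lands; honouring suppressions is what keeps the gate in step with the triage state, so a finding marked false positive in the product does not block a release in CI.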
Yes. Self-service token issuance at Settings → API keys with read / write scopes. Tokens are aps_<32hex> bearer tokens passed in the Authorization header. Endpoints today: GET /api/v1/reports/{code} (full report JSON), GET /api/v1/health (scan-status counts for your tenant). Scan-trigger and webhook-on-finish endpoints are on the roadmap and prioritised for tenants that ask.
Pricing scales with your factory size — tell us about it and we'll come back with a quote, access details, and answers.
Paste the URL of a non-production app you own. We'll confirm it's an OutSystems Reactive app before scanning.
If your app only accepts traffic from one country, we'll route the scan through a proxy in that country so we can reach it.
We'll email a link to your scan report. Your address is kept for 7 days, then automatically deleted unless you opt in to a follow-up in the next step.
We use your email to verify your identity and send the report. Stored 7 days; deleted automatically. See our privacy notice.
We'll email once to set up a short call about your report. No marketing list, no automated sequences — just a real conversation about what we found.
Your email is kept for 7 days unless you say yes.