Contact Support


Installing Internal Agents

In order to scan a website located on your internal network, and not accessible from the internet, you can install and configure a scan agent on your network. The agent will conduct the actual scan job and then report the results back to Netsparker Enterprise.

In addition to the scanning agent, you can add an authentication verifier agent that will verify the form authentication on your website. For further information, see Authentication Verifier for Internal Agents.

There are three stages to this process:

  1. Download and configure the Netsparker Enterprise agent
  2. Run the agent on your local network where it can reach the internal website you want to scan
  3. Define and scan your internal website
You can install internal agents in Linux and Docker, too. For further information about installing agents in Linux, see Installing a Scan Agent on Linux. For the docker, see Installing a Scan Agent via Dockerization.

Downloading and Configuring the Agent

First, you need to download the installation files of the agent and install them on a machine in your internal network.


Hardware Requirements

  • Windows Server 2016 or above (Windows Server 2019 recommended)
  • .NET Framework 4.7.2
  • 1.4 GHz Processor (2.0 GHz or faster recommended)
  • 2 GB RAM (4 GB or higher recommended)
  • 10 GB Free Disk space for each internal agent

Network Requirements

  • Agent should be configured so that it can reach your internal website through HTTP/HTTPS
  • Agent needs to be able to access the Netsparker Enterprise Application Server’s HTTP(S) (443) port

Required Access

  • User(s) must have administrator privileges to run the required commands and agent service.

How to Download and Configure the Scanning Agent

  1. Log in to Netsparker Enterprise.
  2. From the main menu, go to Agents Manage Agents > Configure New Agent
  3. From the Agent section, select Windows to download the Netsparker Enterprise Scanner Agent. Your Agent Token is also displayed
    • Extract the contents of the zip file to C:\NC_Agent. (You can use another location, but these instructions will use this path.)
    • Open the C:\NC_Agent\appsettings.json file with your preferred text editor.
    • You need to edit two attributes before running the agent, listed under AgentInfo:
        • AgentName: This can be anything you want. This text will be displayed when you are starting a new Scan. (If you are going to install more than one instance of the agent make sure you set a unique AgentName value for each instance, something you will remember later.)
        • ApiToken: In Netsparker, the Agent Token is displayed in the Configure New Agent window. Copy it into the ApiToken.

          Agent Token

            • Save and close the C:\NC_Agent\appsettings.json.

          Setting Agent as a Windows Service

          An internal agent should be configured as a Windows service, so that it can poll the Netsparker Enterprise servers regularly, and can take the scan initiation command from the server.

          How to Set the Agent as a Windows Service
          1. Open a command prompt in Administrator mode and navigate the agent's folder.
          2. Run the command below to install the Netsparker Enterprise Scanning Agent as a Windows Service:
          Netsparker.Cloud.Agent.exe -i
          1. Press Windows+R, type 'services.msc' and press Enter.
          2. Find 'Netsparker Enterprise Scanning Service - [YOUR_AGENT_NAME]'.
          3. Right-click on it, and select Properties.
          4. Make sure Startup type is set to Automatic, and select Start.
          Please note that although this service is set to start automatically, it will not restart until the PC is restarted too.
          1. Select Apply and OK, then exit the Properties window.

          The Netsparker Enterprise Agent is now running on your network, shortly it will be registered to Netsparker Enterprise.

          You can uninstall the Windows Service by specifying the -u argument instead of the -i argument used during the installation process.

          Any changes in the appsetting.json file, such as setting proxy and changing API Token, require restarting the service so that the changes can take effect.

          Managing Groups

          In the Manage Groups window, you can search for and view the names of the different agent groups. You can also edit or delete their details, and add a new agent group.

          How to Add a New Agent Group

          1. From the main menu, select Agents > Manage Groups.
          2. From the Agent Groups window, select New Agent Group.
          3. Complete the Name and Agents fields.
          4. Select Save.

          How to Edit Agent Groups

          1. From the main menu, select Agents > Manage Groups.
          2. From the Agent Groups window, click Edit on the field of the group you want to edit. 
          3. In the New Agent Group window, make your edits.
          4. Select Save.

          How to Delete Agent Groups

          1. From the main menu, click Agents Manage Groups
          2. From the Agent Groups window, select Delete
          3. Select Yes, Delete in the dialog.

          Auto-Update Support for Scanner Agents

          Netsparker Enterprise On-Demand users can install Netsparker Enterprise Scanning Agents on their own network, while Netsparker Enterprise On-Premises users can use their own Agents with Netsparker Enterprise in their own environments.

          • When a new Agent version has been published, users can update their Agents manually using installation files on the machines on which Agents are installed. Alternatively, users can update Agents manually by clicking Update Agent (visible only when the Enable Auto Update is not configured and the new version of the Agent is available).

          • While the update is in progress, the State field will display 'Updating'.

          • Alternatively, enabling Auto Update means that when the new version of the Netsparker Enterprise Scanning Agent is available, the target Agent will update itself as soon as possible when it’s idle.
          How to Enable Automatic Agent Updates
          1. From the main menu, select Agents Manage Agents.
          2. Next to the relevant Agent, select the Command drop-down, then Enable Auto Update.
          How to Disable Automatic Agent Updates
          1. From the main menu, select Agents Manage Agents.
          2. Next to the relevant Agent, select the Command drop-down, then Disable Auto Update.

          Setting Proxy in Scanner Agents

          You can set a proxy for the scanning agent in Netsparker Enterprise. You are required to enter proxy settings manually to the appsettings.json file with your preferred text editor. 

          Netsparker supports Basic Authentication but not Digest and NTLM.

            "ProxySettings": {
              "Enabled": false,
              "UseSystemDefault": false,
              "Username": "",
              "Password": "",
              "Domain": "",
              "Address": "",
              "Port": "8888",
              "ByPassOnLocal": false,
              "ByPassList": []

          This table lists and explains the fields in the Proxy settings.

          Field Description
          Enabled Enter true if you use a proxy
          Use System Default Enter true if you authenticate the agent via operating system credential
          Username Enter a username for authentication
          Password Enter a password for authentication
          Domain Enter a domain name
          Address Enter a proxy address
          Port Enter a port for the proxy
          Bypass on Local Enter a value that indicates whether to bypass the proxy server for local addresses.
          Bypass List Enter the address(es) that do not use the proxy server.

          Malware Analysis with ClamAV 

          If you want a Netsparker Enterprise scan agent to carry out malware analysis, you need to download and install ClamAV. For further information, see Malware Analysis with ClamAV in Netsparker Enterprise.

          Defining and Scanning an Internal Website in Netsparker Enterprise

          Now, you have installed a scanning agent into your infrastructure, you should configure Netsparker Enterprise to let it know which websites should be scanned with an internal agent rather than with the built-in agents.

          How to Define an Internal Website in Netsparker Enterprise
          1. Log in to Netsparker Enterprise.
          2. From the main menu, select Websites > New Website
          3. Enter your internal website details (see Adding a Website in Netsparker Enterprise).
          4. From the Agent mode field, select Internal.
          5. Select Save
          How to Scan an Internal Website with Agent
          1. Log in to Netsparker Enterprise.
          2. From the main menu, select Scans > New Scan.
          3. From the Target URL field, select your Internal Website (if the field is not already populated).
          4. The Preferred Agent field is already selected by default. Your newly installed scanning Agent is displayed as an option. If you installed more than one instance, select the one which can access your Internal Website. If any of them can access your Internal Website, select the default option Any of the available agents. By selecting this, one of the idle agents will scan your website.
          5. Select Launch. (For simplicity, optimization and other settings are ignored in this procedure.)

          Your scan has been started in the Queued state. Shortly, you will see that its status changes to Scanning. Once it is completed, you will be able to explore the vulnerabilities found on your website.


          Highly accurate, fast & easy-to-use Web Application Security Scanner

          Get a demo