Allowlist, Add, and Manage Targets

CRC Advanced Only

This functionality is only included in the CRC Advanced offering.

Targets are domains that you add to the allowlist so that you can include them in apps and scans. InsightAppSec targets the domain for the attacks in the scan configuration to test for vulnerabilities.

To add apps and configure and run scans, you must add targets to the allowlist. To keep the allowlist clean and the list of active targets up to date, manage existing targets.

Removing targets

To make it easier to find relevant targets, keep your allowlist clean by removing targets that you don't need anymore. You can archive and disable previously scanned (used) targets and delete and disable unused targets.

Check out our FAQ for more information on allowlists and targets.

Add a target to the allowlist

Allowlisting target domains is a critical step for creating a scan config. Only the domain is required for adding to the allowlist. Protocols and subdirectories will be removed during scanning.

  1. On the Targets page, click Add Targets.
  2. When the Add Targets page appears, input one or more target domains you want to allowlist.
    • Enter a domain in URL format: protocol://
    • To bulk add multiple target domains, enter each domain on a new line.
  3. Click Add Targets.

All newly allowlisted target domains are enabled by default, unless configured otherwise.

Manage existing targets

When you're not using a target domain anymore and want it excluded from scans, you can disable and enable or archive as needed. If you attempt to add a disabled or archived target domain, you will be prompted to allowlist it. If you have a target domain that hasn't been scanned, you can delete it.

View the allowlist

On the left navigation menu, click Targets. The page that displays is the allowlist.

In each target row, you can disable, enable, archive, and delete targets.

Disable or enable targets
  1. On the Targets page, select the target you want to edit.
  2. To disable the target, toggle the Enable button off.
  3. To enable the target, toggle the Enable button on.
Archive used targets
  1. On the Targets page, select the target you want to edit.
  2. To archive previously scanned targets, click the Archive icon in the Enabled column.
  3. In the confirmation window, click Archive Target.
Unarchive targets
  1. On the Settings page, in the Scan Options section, click Manage next to Archived Targets.
  2. Select the target you want to unarchive.
  3. In the Total Scans column, click the Unarchive icon.
Delete unused targets

You can only delete target domains that have not been scanned. Disable or archive scanned targets instead.

  1. On the Targets page, select the target you want to delete.
  2. In the selected target row, click Delete.

Check scan configs

If you are disabling or archiving a target domain, existing scan configs that use it may be affected. Check your scan configs to ensure that the target domains can be taken offline.

Frequently asked questions:

What's an allowlist?

An allowlist is the list of IP addresses that you allow InsightAppSec to interact with. You may have also heard this element called "whitelist," which is an outdated term.

Which IP addresses do I need to add to my allowlist?

Some firewalls may block attack traffic and prevent InsightAppSec from testing your application for vulnerabilities. In such cases, you must allowlist the IP addresses of the InsightAppSec cloud engines to scan your web applications. The following table provides the IP addresses of the InsightAppSec engines based on the region where your platform account is hosted. When you log in to InsightAppSec, the region is the first sub-domain in the URL. For example, if the url is then your region is US-East-2.

Is your Rapid7 product subscription provisioned for the United States? Check your region code first!

As of April 12th, 2021, all new customers subscribing to Rapid7 Insight products that elect to store their data in the United States will be provisioned for one of three data centers. Since these data centers have unique endpoints, any firewall rules you configure must correspond to the data center your organization is assigned to. Follow these steps to determine which United States data center your organization is part of:

  1. Go to and sign in with your Insight account email address and password.
  2. Navigate to the Platform Home page.
    • If you are not taken to this page by default, expand the product dropdown in the upper left and click My Account.
  3. Look for the Data Storage Region tag in the upper right corner of the page below your account name. Your United States region tag will show one of the following data centers:
    • United States - 1
    • United States - 2
    • United States - 3

Consult the following table to determine which IPs must be allowlisted according to your region.

RegionIPs to allowlist
How does InsightAppSec use the targets in the allowlist?

When you create an app, you select one or more targets. The targets in the selection are pulled from the allowlist.

How do I clean up my allowlist?

If you have a lot of targets in your allowlist, you can archive the ones you have scanned previously, but no longer need. Archiving removes used targets from the target selection list when creating an app or scan config, but allows you to unarchive the targets whenever necessary.

What do I do with targets that I don't need right now, but may need later?

You can clean up your allowlist so that when you select targets, only active targets appear. The easiest way to do this is to archive used targets and delete unused targets.

Can I delete targets that I've already scanned?

No, you cannot delete targets that have been included in a previous scan. Instead of deleting, you can disable or archive scanned targets.

You can only delete unused targets.