Scan intensity

Then you can increase the intensity if you determine that there is minimal impact. You can measure impact by reviewing the web access logs and comparing the volume of logged entries with the WAS scan at various intensity settings.

WAS scanning is highly automated and the interpretation of results is almost instantaneous. Even the Lowest scan intensity setting moves very quickly. If the web application has only two pages and two easy selections, then users may be able to move as fast as the scanner at Lowest intensity with a short pause between requests. If the application has 20 input fields per page on average, the scanner will probably work 5 to 15 times faster than a user because it can populate the fields instantly without pausing to think. At higher intensity settings the scan would be even faster.

WAS tracks average response time from the web application during scanning. When WAS detects at trend showing the average response time is becoming slower (response time is increasing), it will slow down the requests, regardless of the scan intensity setting.

For WAS scans it's not possible to limit the number of packets that are sent.

10 simultaneous HTTP requests with 0 artificial sleep time introduced between each request. So what this means is that a maximum of 10 requests can be on the wire at any given time. Now keep in mind that there is network delay in both the request and response, plus any delay induced by the scanner for processing the response.

7 simultaneous HTTP requests with 0 artificial sleep time introduced.

5 simultaneous HTTP requests with 0 artificial sleep time introduced.

2 simultaneous HTTP requests with 0 artificial sleep time introduced.

1 simultaneous HTTP request with 0 artificial sleep time introduced.