Scan Schedules
Predictable, operator-defined recurring scans with locked-template compliance windows, per-schedule preferences, and explicit enable/disable state.
WASViking® Scan Schedules is the operator-controlled recurring scan layer. The operator picks a target, a scan template (or inline configuration), a frequency, and the platform runs the scan on cadence with the chosen preferences. Each schedule is independent, individually enable/disable-able, and can be pinned to a specific template version for compliance windows.
This is the page at Scans → Scan Schedules in the portal.
When to use Scan Schedules
Schedules are the right tool when you want a predictable cadence:
- Compliance windows that require a scan every 30 days against a specific configuration.
- Weekly maintenance scans against staging.
- Monthly attestation runs against a documented baseline.
- One-time runs scheduled in advance for a known window (post-release, post-migration, after a change freeze).
For ad-hoc investigations, use a manual scan. For dynamic, AI-driven scan selection across a large portfolio, see AI Scan Planner.
The list view
| Column | Meaning |
|---|---|
| Domain Name | The target the schedule applies to. |
| Scan Type | Single Domain Scan or other type. |
| Execution Path | Direct (External) for cloud egress, or the name of a Sentinel agent for internal targets. |
| Status | A per-row toggle to enable or disable the schedule without deleting it. |
| Next Scheduled Run | When the schedule will fire next, or Start time not set for incomplete schedules. |
| Frequency | The cadence (One-Time, Daily, Weekly, Monthly, etc.). |
| Manage | Edit pencil. |
Status is the master switch. A disabled schedule preserves its configuration; toggle it back on to resume.
Frequency
Two top-level options:
| Frequency | Use for |
|---|---|
| One-Time Scan | A scan scheduled to run once at a specific future moment. After running, the schedule completes. |
| Recurring Scan | A scan that repeats. Configurable cadence (daily, weekly, monthly, custom) with start time. |
The frequency drives the next-run computation and is shown in the list.
Edit a schedule
Opening Edit Schedule shows two top-level sections, the Scan Template block and the Edit Scan Schedule block, followed by the Preferences sub-tabs and the Scan Profile card.
Scan Template
Pick which template the schedule uses:
| Field | Notes |
|---|---|
| Use a saved configuration | Dropdown of templates from Scan Templates. Default: Full Coverage (System) - Default. |
| Lock this schedule to the template's current version | Toggle. See lock behavior below. |
Lock behavior. When unlocked, this schedule follows the latest version of the template on every run. When locked, it pins to the version snapshotted at save time. Use lock when you need compliance windows that prove the scan ran against an exact, version-stamped configuration even if the template itself is edited later.
Edit Scan Schedule
| Field | Notes |
|---|---|
| Domain | Read-only. Set at schedule creation; not editable later. |
| Enable Schedule | Master toggle. Off = paused but preserved. |
| Frequency | One-Time Scan or Recurring Scan, with the relevant cadence options. |
Preferences (sub-tabs)
The Preferences block has four tabs that mirror the New Scan form. Any preference set here applies to every dispatch of this schedule, unless the schedule is locked to a template version (in which case the template's settings win and Preferences is read-only).
| Tab | What it controls |
|---|---|
| Scan Method | Execution Path: Direct (External) for cloud egress, or a specific Sentinel agent for internal targets. |
| AI & Compliance Settings | AI Recommendation on/off, primary compliance framework for the report. |
| Authentication | None, Form Login, Bearer, Cookie, Custom header. |
| Crawl | Custom User-Agent, excluded paths, depth controls. |
Scan Profile
Pick the depth of the scan (Full Coverage, Web Application, API and JWT, SOAP and WSDL, Network and TLS, Custom, PCI DSS, LGPD, GDPR). See Scan profiles and templates for the full profile catalog.
Compliance windows
The combination of Lock this schedule to the template's current version plus fixed frequency is the WASViking pattern for compliance windows:
- Create the template that satisfies the audit's scope.
- Create a schedule that uses that template at the required cadence (every 30 days for PCI DSS, for example).
- Lock the schedule to the template version.
- The schedule will continue to run that exact configuration even if the template is later edited. The audit binder can cite the pinned version.
Edits to the template propagate to other schedules and to manual scans, but the locked compliance schedule stays on the snapshotted version until the operator explicitly unlocks and updates it.
Execution Path
| Value | Notes |
|---|---|
| Direct (External) | Scans the target via the WASViking cloud egress. Default for public-facing targets. |
| Via Sentinel agent | Scans the target through a configured agent's mTLS tunnel. Required for internal targets and recommended when the agent is geographically closer to the target. See Sentinel internal scanning. |
The Execution Path is per-schedule. A single target can have one schedule running via the cloud and another running via an internal agent (rare, but supported).
How it fits with the other dispatch sources
WASViking has three independent dispatch sources:
| Source | Trigger | Best for |
|---|---|---|
| Manual scan | Operator clicks Scan. | Investigations, ad-hoc validation, demos. |
| Scan Schedules (this page) | Operator-defined cadence. | Predictable cadence, compliance windows, post-change validation. |
| AI Scan Planner | Daily priority review across the portfolio. | Continuous coverage of a large portfolio without manual triage. |
A target can be touched by all three in the same week. The platform applies a 24-hour cooldown between any two dispatches of the same target to avoid redundant work; the AI Scan Planner will not re-scan a target that a schedule already scanned within the cooldown window.
What it does NOT do
- Schedules do not auto-discover. A schedule runs against the target it was configured for. New subdomains discovered later do not automatically become new schedules. Auto-discovery scan is a separate behavior.
- Schedules do not adapt. The cadence is what you set, not what the platform thinks is optimal. For adaptive cadence, use AI Scan Planner.
- Schedules do not bypass quota. Each scan dispatched from a schedule consumes scan capacity per your plan. Over-quota schedules surface a warning at save time.
- Schedules do not retain custom credentials. Authentication credentials are encrypted at rest, scoped to the schedule, and not reusable outside it.
Audit and contestability
Every schedule lifecycle event is recorded in the customer-facing audit log:
- Schedule created, edited, paused, resumed, or deleted.
- Lock toggled on or off.
- Frequency changed.
- Each dispatched scan, with the source set to
scan_scheduleand the schedule identifier.
Filter the audit log by scan_schedule_* actions for a clean
operational history.
Where it lives in the portal
- Scans → Scan Schedules: list view and edit view.
- Scans → Scan Templates: the saved configurations a schedule picks from.
- Audit Log: filterable history of schedule changes and dispatches.
- Settings → Usage: scans-per-month metering across all dispatch sources.