IP Addresses for Domain Scanning

Aikido uses dedicated IP addresses to perform scanning of your domains (DAST). To prevent connectivity issues, rate limiting, or security blocks, add these IPs to your firewall’s allowlist or other security software. After this, rescan your domains to confirm connectivity.

To use 'Fetch OpenAPI by URL', you must also add the Code & Container scanning IP addresses.

EU-based IP addresses:

3.248.4.169
54.76.211.68
54.228.156.63
54.247.155.164
18.200.152.99
18.202.99.112
52.48.122.82
54.194.175.200

US-based IP addresses

98.85.190.95
52.204.144.1
44.209.56.130
18.210.114.117
35.168.38.209
35.173.56.162
54.227.161.94
44.209.154.183

Optional IP addresses (used for troubleshooting with support):

79.127.239.171

Request Headers

All requests from Aikido's scans include one of the following headers, which can also be used for allowlisting:

aikido-scan-agent/1.0

Third party provider instructions

For instructions on adding IP addresses to allowlists with third-party providers, refer to the following resources:

Cloudflare WAF
- Cloudflare Turnstile does not support allowlisting specific client IP addresses. If you need to bypass Turnstile for Aikido scanning traffic, you must do it in your application code. We recommend bypassing only when both conditions are true:
  1. The request originates from an Aikido IP range
  2. The request includes the aikido User Agent in headers as described above
Azure WAF
AWS WAF.
- For WAFs behind Application Load Balancers or CloudFront, your WAF should check the last IP address in the X-Forwarded-For header.
Vercel WAF
- Use the "bypass" action for trusted IPs

The IP address lists are also available as JSON arrays

Last updated 1 day ago

Was this helpful?