
Infrastructure
Use for IP addresses, servers, hosts, and network-level assets.
Best for:
- IPv4 addresses and IP ranges
- Mail servers, DNS servers, VPN endpoints
- Assets you know primarily by IP rather than URL
What Topscan checks:
- Open ports and exposed services
- Service versions and known vulnerabilities for those versions
- Network-level misconfigurations
Web Application
Use for websites, web apps, APIs, and domains.
Best for:
- Public-facing websites and SaaS products
- Domains and subdomains (e.g.
app.example.com) - REST APIs and CMS-based sites
What Topscan checks:
- Full port scan + version detection
- Deep vulnerability scanning
- SSL/TLS certificate issues and exposed services
- Web application security testing (OWASP-class checks)
Can the same host be both types?
Yes. If a domain is also a server you want to monitor at the network level, you can add it as both an Infrastructure target and a Web Application target. Each will consume a separate license and be scanned independently.