The reality of modern development is that the "attack surface" is moving faster than most security teams can track. Whether it's the sudden explosion of LLMs in production or the hidden risks buried in open-source dependencies, "good enough" security isn't sufficient anymore. Over the last six months, we’ve introduced a series of major updates to HCL AppScan on Cloud (ASoC) designed to remove the friction from DevSecOps and put actionable intelligence directly into your workflow.
Securing the AI Frontier: DAST for LLM-augmented Applications
The rapid integration of Large Language Models (LLMs) into web applications, such as chatbots or RAG (Retrieval-Augmented Generation), has opened the door to new threats, including Prompt Injection and model manipulation. These vulnerabilities often stay invisible to traditional scanners.
HCL ASoC has launched a powerful new Dynamic Application Security Testing (DAST) capability specifically for these AI-augmented environments to provide a holistic, full-stack defense.
Key Capabilities:
- LLM-specific testing: Configure tests for chat endpoints and other prompt-based interfaces to actively test your LLM components.
- Attack simulation: DAST acts as an attacker, automatically sending malicious prompts to manipulate the underlying model or exploit its external connections.
- Actionable reporting: You receive full transcripts of the simulated attacks, along with actionable remediation guidance so you can quickly secure the AI models and the applications that rely on them.
By combining DAST with specialized LLM testing, HCL AppScan ensures you can adopt AI technology while proactively managing the unique risks of this new frontier.
Hybrid Scanning: Redefining SAST Performance and Precision
Traditional Static Application Security Testing (SAST) engines often reach a limit because they attempt to process entire programs as one monolithic task. The new HCL AppScan Hybrid SAST Scanner addresses this issue through a horizontally scalable architecture. By breaking codebases into "chunks" and processing them across auto-scaling pods, HCL AppScan ensures even the largest applications are scanned at the speed of modern DevOps.
Beyond speed, the Hybrid SAST Scanner delivers superior accuracy:
- Intelligent noise reduction: It recognizes safe coding patterns, like math operations or secure regex, to automatically filter out false alarms that typically clutter scan results.
- Dynamic CVSS scoring: Instead of static "high/low" labels, it calculates severity based on how reachable a vulnerability is (e.g., via the network versus physical access), prioritizing the most dangerous risks first.
- Cross-language analysis: It tracks data flows even as they cross language barriers (such as Vue.js interacting with HTML), ensuring no "blind spots" are left between different parts of your code.
- Full data flow tracking: By analyzing the entire journey of data from source to sink, the Hybrid SAST Scanner provides high-fidelity results that focus on how data actually moves through your application.
ICA 2.0: AI-driven Precision for Modern Code
Static analysis often relies on rigid, "rule-based" definitions that can struggle with the complexity of modern frameworks, leading to high noise and alert fatigue. Intelligent Code Analytics (ICA) 2.0 solves this in two of the most common languages, Java and .NET, by using LLM and ML intelligence to understand the intent of your code. This accurately identifies "sources" (where untrusted data enters) and "sinks" (where that data can do damage) with human-like reasoning, providing a far more reliable foundation for security testing.
Key benefits include:
- Smarter detection and classification: LLM-driven intelligence categorizes vulnerabilities correctly, so you understand the true impact immediately without manual investigation.
- Massive noise reduction: By accurately distinguishing between benign methods and actual threats, ICA 2.0 eliminates the "alert fatigue" caused by low-value or incorrect findings.
- Enhanced taint propagation: Traces data flows through complex frameworks more reliably, catching critical vulnerabilities buried deep inside your code.
- Actionable DevSecOps workflows: With cleaner, more trustworthy results, security teams can stop triaging false alarms and focus entirely on accelerating fixes.
By combining massive scalability with deep, context-aware AI, these updates ensure your security testing is both faster and more meaningful than ever before.
Advanced SCA: EPSS Prioritization and Malware Protection
Effective vulnerability management requires focusing on the threats that matter most. We’ve integrated the Exploit Prediction Scoring System (EPSS) into our new version of the Software Composition Analysis (SCA) scanning engine to prioritize threats.
Focus on Exploitation Likelihood
Unlike the CVSS score, which measures potential impact, EPSS estimates the likelihood that a vulnerability will be actively exploited in the wild within the next 30 days.
This dynamic, data-driven score is available in the SCA Issue Details tab:
- EPSS score (0.0 to 1.0): A higher score means a higher probability of near-future exploitation, helping you quickly identify critical threats.
- EPSS percentile: Use this to rank the CVE against all others by likelihood, spotting high-priority outliers often missed by traditional scoring.
Leverage EPSS for:
- Refined prioritization: Focus on fixes where high likelihood of exploitation meets high business impact.
- Data-driven decisions: Combine EPSS with asset exposure and other signals for a comprehensive, risk-balanced view.
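The prioritization described above, combining the EPSS score and percentile with impact and asset exposure, as an added illustration that is not part of HCL AppScan or this post. The findings, CVE identifiers, weights and tier thresholds are all constructed for the example; AppScan's own scoring logic is not shown here.

```python
"""Rank SCA findings by exploitation likelihood (EPSS) weighted by impact and exposure."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    cve: str                 # placeholder identifier, constructed for this example
    component: str
    cvss: float              # 0.0 to 10.0: potential impact
    epss: float              # 0.0 to 1.0: probability of exploitation within 30 days
    epss_percentile: float   # 0.0 to 1.0: rank of this CVE against all scored CVEs
    internet_exposed: bool   # asset exposure signal from inventory (assumed available)


def priority_score(f: Finding) -> float:
    """Likelihood x impact x exposure. CVSS is normalised to 0..1 so the axes are comparable."""
    impact = f.cvss / 10.0
    exposure = 1.0 if f.internet_exposed else 0.5   # constructed weight for internal-only assets
    return f.epss * impact * exposure


def triage_tier(f: Finding) -> str:
    """Coarse buckets: high likelihood AND high impact first, then likely-or-outlier items."""
    if f.epss >= 0.5 and f.cvss >= 7.0:
        return "fix-now"
    if f.epss >= 0.1 or f.epss_percentile >= 0.9 or f.cvss >= 9.0:
        return "schedule"
    return "monitor"


def rank(findings: list[Finding]) -> list[Finding]:
    """Highest combined risk first."""
    return sorted(findings, key=priority_score, reverse=True)


# Constructed sample findings: note that the CVSS 9.8 item is NOT first once EPSS is applied.
SAMPLE = [
    Finding("CVE-0000-0001", "lib-a", cvss=9.8, epss=0.02, epss_percentile=0.88, internet_exposed=True),
    Finding("CVE-0000-0002", "lib-b", cvss=7.5, epss=0.85, epss_percentile=0.99, internet_exposed=True),
    Finding("CVE-0000-0003", "lib-c", cvss=6.5, epss=0.30, epss_percentile=0.96, internet_exposed=False),
    Finding("CVE-0000-0004", "lib-d", cvss=5.3, epss=0.004, epss_percentile=0.55, internet_exposed=False),
]

if __name__ == "__main__":
    for f in rank(SAMPLE):
        print(f"{f.cve} {f.component:6} tier={triage_tier(f):9} score={priority_score(f):.4f}")
```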
Protect Against Supply Chain Attacks
SCA Malware Detection: As dependency confusion and malicious code injection become increasingly common, our new SCA engine now includes dedicated Malware Detection. This layer of defense blocks malicious components, like those in the "Shai Hulud" campaign, before they can compromise your environment.
Enhanced IAST Support for Microservices
The latest updates to IAST significantly enhance support for Kubernetes Node.js environments. This feature streamlines security integration for microservices, providing a powerful, non-intrusive solution.
- Automatic agent deployment: IAST now provides a non-intrusive solution for automatically deploying the IAST agent directly within Kubernetes pods.
- Automated integration: HCL AppScan simplifies the process by automating the integration of agents using a provided deployment script.
- Simplified management: This new capability significantly streamlines the management of multiple containers.
- No app image changes required: Use your standard application images in both testing and production—no rebuilding, no special variants.
- Full visibility and early security: Users benefit from a full visibility graph view for their microservices, which helps in identifying context and addressing security issues as efficiently as possible.
Interactive analysis gets easier on Azure App Service: Install IAST as a .NET site extension
Getting runtime security insights shouldn’t require changing your code or rebuilding your pipeline. That’s why HCL AppScan IAST now supports deploying the agent to Azure App Service for .NET Core on Windows as an Azure site extension, a clean, Azure-native install path that removes the need for a NuGet-based agent installation in many cases.
With the HCL AppScan IAST .NET Core Site Extension, you can install the IAST agent directly from the Azure portal into your App Service. Once enabled, the agent monitors the application at runtime and reports detected vulnerabilities back to AppScan on Cloud (ASoC).
With the site extension approach, you get:
- A straightforward, Azure-integrated installation flow (no app rebuild just to add an agent)
- Fast enablement for teams already running .NET Core workloads on Azure App Service (Windows)
- Simple operations: Install, set a couple of environment variables, restart, and you’re connected
Streamlined DAST Configuration and Management
We’re giving DAST users more control to ensure scans are precisely targeted and efficient. These features remove the friction from configuring and managing your scans:
- Template management: Manage and organize your scan templates directly in HCL ASoC. By grouping templates by asset groups, you ensure the right security policies are applied to the right applications every time.
- Edit DAST configuration: You can now edit your DAST configuration before a rescan, which is perfect for updating credentials or tweaking settings on the fly.
New Plugins: Seamless Security Integration
We've strengthened the HCL AppScan ecosystem with three new plugins for ASoC and HCL AppScan 360° (AS360). These integrations stop security from being a "siloed" task and embed it directly into the tools your team uses every day:
- Cursor AI plugin: Enables developers to identify and remediate vulnerabilities during AI-assisted coding. Catch issues earlier and ensure AI-generated code is secure.
- Splunk integration: Get a unified view and analysis of your imported security issues. Use pre-configured dashboards to easily track security trends, generate reports, and see your entire security posture in one place.
- Slack plugin: Improve visibility, communication, and team member response times with real-time security alerts and scan notifications sent directly to designated Slack channels.
Availability: All three plugins are available via the Integrations page.
HCL AppScan on Cloud (ASoC) is trusted by enterprise-scale organizations worldwide for its consistent evolution to meet the evolving security needs of modern development. These latest updates aren't just a list of new features; they’re the direct result of an aggressive innovation roadmap fueled by your feedback and our clear vision for the future of application security testing. We’ve spent the last six months focused on one goal: ensuring that HCL ASoC evolves as fast as the threats you face.
Learn more about HCL AppScan on Cloud or try it out yourself with a 14-day free trial.