User Guides
Managing Scans

Seeds and IPs

6min

This section explains seeds and IPs and includes information on limits applied to them. The limits applied to domains/IPs for a scan type are covered in the Scan Limiting section.

What is a seed?

A seed, or multiple seeds, are used to provide the starting point for a scan. The example below shows the Add Seeds dialogue for an Own Monitoring scan.

Text guidance followed by an Add Seed box, after which the Start Scanning button can be used.
Scan Scope


Using the seeds defined in the scope, Hexiosec ASM uses various sources and methods to find related subdomains and IP addresses.

What can be used as a seed?

A seed can be specified as one or more of the following:

  • a domain (e.g. hexiosec.com)
  • an IP (e.g. 8.8.8.8)
  • an IP range (e.g. 1.0.0.0-1.0.0.255, 1.0.0.0/24).

When specifying a domain, the simplified form can be used, for example you can use redmaple.tech instead of https://www.hexiosec.com.

The option to use IP ranges is not included in all plans. If you would like to discuss the use of IP ranges, please contact us at [email protected].

Seed Limits

The limit on the number of seeds per scan will vary based on your license plan. These limits only apply to the seeds used to create the scan, they do not apply to the number of IPs or domains found when the scan is run.

The owner and admins of an organisation can check the scan limits for their license plan on the Usage page, this will show the seed limits for each type of scan.

Each scan is shown with the seed limit, in this example they are all at 20
Seed limits by scan type


When the seeds for a scan are defined or updated, a message under the Add Seeds box will show the seed allowance that has been used and how many are available - the information displayed will depend on the license plan.

Example seed is shown, with the Add Seed box underneath
Specifying scan seeds


If more seeds are needed, they will need to be manually split across two or more scans or please contact [email protected] to discuss upgrading your account.

Identifying additional seeds

An online asset will be defined as being in scope if it is connected back to one of the seeds via a valid path, this means that if issues are found then they are within the remit of the seed owner to fix rather than belonging to a third party such as Amazon or Google etc. Hexiosec ASM achieves good coverage from the starting seeds but after the scan results have been reviewed, you may identify additional seeds that should be included in the scan.

The Out of Scope page includes domains that Hexiosec ASM has found but excluded from the results (see what is out of scope?), this should be reviewed, as additional domains may be found that can be included in a scan.

If a subdomain has a minimal online presence or doesn't use a name that appears to be related to the seeds, it may not be found and may need to be manually added as a seed. Office and VPN IP addresses may also need to be manually added as seeds.

Seeds can be added to an existing scan at the bottom of the overview page.

Single or multiple seeds per scan?

Each licence plan has a domain/IP limit applied to each scan type. The limit is not just the seeds used as the starting point for the scan, it is based on all discovered domains and IPs during the scan discovery activity which includes both in and out of scope domains and IPs. If the scan shows as limited, the seeds will need to be manually split across two or more scans, or your account upgraded to ensure that all subdomains are scanned by Hexiosec ASM. The Domains page can be a good starting point for identifying how to split out the scan if the license plan limit has been reached.

Aside from scan limit considerations, it may be appropriate to split out seeds into separate scans if the resulting scan report needs to be shared with multiple stakeholders and confidentiality needs to be maintained on results for subdomains. It may also be appropriate to split seeds across multiple scans when the scanned infrastructure is managed by different teams.