Firewall Configuration¶
This document outlines the required Firewall configurations to ensure proper connectivity between your infrastructure and Escape's security testing platform.
Ingress Rules (Incoming Connections)¶
Identifying Escape Traffic (WAF / Bot Protection Allowlisting)¶
If your target is fronted by a WAF, bot protection service, or rate-limiter (Cloudflare, Akamai, AWS WAF, Imperva, DataDome, reCAPTCHA, etc.), you'll usually need to allowlist Escape's traffic so scans aren't blocked, throttled, or challenged. Escape offers two identification mechanisms available across scan types (REST DAST, GraphQL DAST, Frontend DAST, and ASM). By default, both are included on requests unless explicitly disabled in configuration:
- IP address — see the Public Locations table below. This is the only identifier that cannot be spoofed by a third party.
- The
Sec-Escape-Userheader — a single, Escape-specific HTTP header that identifies which scan and which simulated user sent each request.
Quick answer: is there a single header I can whitelist?
Yes — Sec-Escape-User. It is the same header across REST DAST, GraphQL DAST, Frontend DAST, and ASM. It is enabled by default on all scans, so no configuration is required on the customer side to make it appear. It is exposed in the scan YAML as network.sec_escape_user and is true by default — you'd only touch it if you explicitly wanted to turn it off.
Recommended WAF Allowlist Rule¶
HTTP headers can be trivially spoofed. Sec-Escape-User alone is fine for identification (e.g. to tag Escape traffic in logs), but for allowlisting — letting traffic bypass WAF rules — combine it with something that cannot be spoofed. Two equally good options:
Allow traffic when both conditions are true:
- Source IP is in the Public Locations table (or your Private Location egress IP), AND
- Request contains a
Sec-Escape-Userheader.
This is the right default for most customers: no extra configuration in Escape, and the IP match prevents spoofing.
If your network path makes IP allowlisting painful (shared egress, proxies, CDN-to-origin flows), configure a custom header containing a shared secret and allowlist on that secret instead. In your global or per-scan configuration:
Then in your WAF, allow any request that presents X-Escape-WAF-Bypass: <your-long-random-secret>. Rotate the secret the same way you would rotate any other credential.
Never allowlist on the header alone
An attacker who discovers that your WAF trusts Sec-Escape-User can simply send that header to bypass your WAF. Always pair the header with an IP allowlist (Option A) or a secret (Option B).
Where to Configure¶
sec_escape_user and custom_headers live under the top-level network: key in the scan configuration YAML, which is the same across every scan type. See each product's reference for the full schema:
- REST DAST —
networkconfig - GraphQL DAST —
networkconfig - Frontend DAST —
networkconfig - ASM —
networkconfig
You can set these values either in your organization-wide defaults or in the Expert Configuration of an individual scan — scan-level values override defaults.
Legacy x-escape-user header (Frontend DAST only)
Older Frontend DAST configurations exposed a setting named escape_user_header which added an x-escape-user header. This is deprecated because it can break CORS on some applications. Use sec_escape_user instead — it behaves identically from a WAF allowlisting perspective and is safe for Frontend scans.
Public Locations¶
By default, all security testing requests from Escape are routed through Public Locations in your organization. To allow incoming traffic from Escape's Public Locations, allowlist the following IP addresses in your Firewall configuration:
| IP Address | Region |
|---|---|
163.172.177.16 | Europe |
163.172.182.228 | Europe |
163.172.182.47 | Europe |
163.172.178.115 | Europe |
163.172.174.61 | Europe |
163.172.168.233 | Europe |
51.79.24.70 | Canada |
51.79.25.196 | Canada |
51.79.26.185 | Canada |
172.235.52.11 | United States |
172.235.52.232 | United States |
172.236.242.86 | United States |
23.22.140.167 | Connectivity Checks |
Private Locations
Alternatively, you can deploy Private Locations to route requests through your own network infrastructure. Private Locations enable secure detection, fingerprinting, and scanning of internal applications behind your organization's Firewall or VPN without exposing them to the public internet.
External exposure assessment¶
In order to assess whether your assets are exposed to the public Internet, we use the following IP addresses. Please DO NOT add them to the IP allowlist of your firewall, as they are precisely used to simulate access from the open internet, mirroring the behavior of real-world attackers or external users outside your infrastructure.
| IP Address | Region |
|---|---|
172.232.32.148 | Europe |
172.236.228.250 | United States |
Egress Rules (Outgoing Connections)¶
Required for Private Locations and Out-of-Band Testing¶
To enable Private Locations and Out-of-Band Testing capabilities (to detect vulnerabilities like SSRF), ensure that outgoing connections are allowed to the following endpoints:
| Purpose | Address/Domain | Protocol | Port(s) |
|---|---|---|---|
| Private Location Tunnel | 34.198.143.22 | SSH | 2222 |
| Private Location Tunnel | 52.6.14.96 | SSH | 2222 |
| Private Location Tunnel | private-location.escape.tech | TCP | 2222 |
| Escape Platform API | public.escape.tech | HTTPS | 443 |
| CLI Update Checks | api.github.com | HTTPS | 443 |
| Out-of-Band Testing | 51.159.205.221 | HTTP | 80 |
| Out-of-Band Testing | 51.159.205.221 | HTTPS | 443 |
| Out-of-Band Testing | ssrf.tools.escape.tech | HTTP | 80 |
| Out-of-Band Testing | ssrf.tools.escape.tech | HTTPS | 443 |
IP-Based Firewall Rules
If your Firewall requires specific IP addresses instead of domain names, use nslookup private-location.escape.tech to retrieve the current IP addresses.
Verifying Firewall Configuration¶
To verify that your Firewall is properly configured, run the following connectivity tests from your internal network:
Test Private Location Connection¶
Expected Result: The output should include debug1: OpenSSH_10.0p2, OpenSSL 3.4.1 11 Feb 2025 or similar version information, indicating successful SSH connectivity.
Test Out-of-Band Testing Endpoints¶
Expected Result: Both commands should return an HTTP response (any status code indicates successful connectivity). If either command times out or fails to connect, the corresponding protocol (HTTP or HTTPS) requires additional Firewall configuration.