
Repeater Agent

Enterprise Feature

This feature is only available to Enterprise Customers. Contact us via email or your Private Slack Support Channel for more information.


Escape's Repeater Agent allows you to scan internal apps behind your organization's firewall or VPN.

The repeater creates a private tunnel between Escape and one of your servers. All Escape requests will come from this server.

Here is a diagram of the infrastructure:

[Figure: Escape repeater]

First, the repeater client you have deployed locally connects to the Repeater manager (1). When you start a scan on Escape, Escape sends the requests to the Repeater manager instead of sending them directly to your server (2). Your client receives the requests and forwards them to your server (3 & 4). The results are sent back to Escape so that you can see the scan results.

Set up a repeater

Escape's Repeater Agent is available as a Docker image. You can deploy it on any server that can reach your internal applications. The agent's code can also be found on GitHub.

Because it is a Docker image, you can deploy it using the docker CLI, docker compose or any other container orchestration tool. This tutorial uses the docker CLI, but for a production setup we recommend a container orchestration tool like docker compose.

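You now need to run the repeater with the following environment variable:

  • ESCAPE_REPEATER_ID: Your repeater id.

In the commands below, <repeater-image> is a placeholder for the image name given in the deployment instructions on the Network page.

docker run -it --rm --name escape-repeater \
-e ESCAPE_REPEATER_ID=xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx \
<repeater-image>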

You can find more deployment examples in the example folder. Feel free to contribute and add your own.

If you need to add a custom CA certificate, you can mount it in the container:

docker run -it --rm --name escape-repeater \
-v /path/to/ca.crt:/usr/local/share/ca-certificates/ca.crt \
-e ESCAPE_REPEATER_ID=xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx \
<repeater-image>

If you want to allow insecure connections, you can set the ESCAPE_REPEATER_INSECURE environment variable to true:

docker run -it --rm --name escape-repeater \
-e ESCAPE_REPEATER_ID=xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx \
-e ESCAPE_REPEATER_INSECURE=true \
<repeater-image>
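
For the production setup recommended above, the same deployment can be written as a docker compose file. This is an added example, not taken from the Escape documentation or repository: REPEATER_IMAGE is a placeholder variable for the image name shown on the Network page, and the restart policy and no-new-privileges option are assumptions to validate in your environment.

```yaml
# docker-compose.yml (added example, not Escape's own file)
# Provide both variables in the shell or in a .env file next to this file:
#   REPEATER_IMAGE      placeholder: image name from the Network page instructions
#   ESCAPE_REPEATER_ID  your repeater id
services:
  escape-repeater:
    # ":?" makes compose stop with an error instead of starting with an empty value
    image: ${REPEATER_IMAGE:?set REPEATER_IMAGE to the image name from the Network page}
    container_name: escape-repeater
    restart: unless-stopped            # assumption: reconnect after a crash or reboot
    environment:
      ESCAPE_REPEATER_ID: ${ESCAPE_REPEATER_ID:?set ESCAPE_REPEATER_ID to your repeater id}
      # ESCAPE_REPEATER_INSECURE is left unset on purpose. For internal
      # applications signed by a private CA, mount the CA certificate
      # (see volumes) rather than allowing insecure connections.
      # ESCAPE_REPEATER_INSECURE: "true"
    volumes:
      # Custom CA certificate, same container path as in the docker run example;
      # mounted read-only so the container cannot modify the host file.
      - /path/to/ca.crt:/usr/local/share/ca-certificates/ca.crt:ro
    security_opt:
      - no-new-privileges:true         # assumption: the agent needs no privilege escalation
    # No "ports:" section: the repeater client connects out to the Repeater
    # manager, so nothing has to be published on the host.
```

Remove the volumes entry if your internal applications use certificates from a public CA.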

Configure your firewall

Make sure the following outgoing connections are allowed by your network configuration:


Connect a repeater

  1. Go to the Network Configuration page.
  2. Create a Repeater or use an existing one.
  3. Follow the deployment instructions directly in the Network page. The Repeater is available via a Docker image accessible on DockerHub.
  4. The connection status is refreshed every minute in the Last seen column.

Use a repeater on a new application

While adding a new app to Escape, the Repeater list will be offered when Escape tries to reach your API. Select the Repeater you want to use.

Use a repeater on an existing application

Go to the Advanced Settings of the applications and add the following configuration:

"client": {
  "proxy": {
    "type": "repeater",
    "target": "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx" // Put your repeater id here
  }
  // ...
}

Configure a custom certificate

See the instructions in the Repeater GitHub documentation.

For more information about how to whitelist Escape scans, read the Scan Internal APIs page.