Rate limiting

Request rate limit

The Intruder API is rate limited on a per user / access_token basis.

The default rate limit for authenticated requests is set to 5000 requests per hour.

Unauthenticated requests are limited to 60 requests per hour.

If you exceed the rate limit, our API will start rejecting your requests and you'll receive an error response with the code HTTP 429 "Too Many Requests".

Active scan limit

The Intruder API limits the number of active scans to 500.

If you attempt to start a new scan that exceeds the limit, our API will start rejecting your requests and you'll receive an error response with the code HTTP 422 "Unprocessable Entity".

How to avoid being rate limited

If you're reaching the rate limit, please get in touch. The most obvious fix is normally to improve performance by restructuring the architecture of your integration, but we're happy to help where we can.
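
One way for an integration to stay inside the limits described above is to pace its own requests and to treat HTTP 429 and HTTP 422 differently. This is an added example, not Intruder's code. HourlyBudget, call_with_limits, ActiveScanLimitError and the send callable (standing in for your own HTTP call, returning the status code) are hypothetical names, the backoff delays are constructed values, and every 422 from a scan start is assumed to mean the active scan limit.

```python
import time
from collections import deque

AUTH_LIMIT = 5000   # authenticated requests per hour (from the page)
WINDOW = 3600.0     # one hour, in seconds

class ActiveScanLimitError(Exception):
    """HTTP 422 on a scan start: active scan limit hit, so backoff will not help."""

class HourlyBudget:
    """Sliding-window limiter: at most `limit` requests in any one-hour span."""
    def __init__(self, limit=AUTH_LIMIT, clock=time.monotonic, sleep=time.sleep):
        self.limit, self.clock, self.sleep = limit, clock, sleep
        self.sent = deque()  # timestamps of requests inside the window

    def wait_time(self):
        now = self.clock()
        while self.sent and now - self.sent[0] >= WINDOW:
            self.sent.popleft()  # forget requests older than an hour
        if len(self.sent) < self.limit:
            return 0.0
        return WINDOW - (now - self.sent[0])  # until the oldest one expires

    def acquire(self):
        delay = self.wait_time()
        if delay > 0:
            self.sleep(delay)
            self.wait_time()  # prune again after sleeping
        self.sent.append(self.clock())

def call_with_limits(send, budget, max_retries=4, base_delay=2.0):
    """`send` is a hypothetical zero-argument callable returning the HTTP status."""
    for attempt in range(max_retries + 1):
        budget.acquire()  # assumption: rejected requests count against the limit
        status = send()
        if status == 422:
            raise ActiveScanLimitError("wait for running scans to finish")
        if status != 429:
            return status
        if attempt < max_retries:
            budget.sleep(base_delay * 2 ** attempt)  # exponential backoff
    raise RuntimeError("still rate limited after retries")
```

For unauthenticated calls, construct the budget with limit=60.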