How to Disable Brute-Force Rules in Vulnerability Scanning

Last updated: June 8, 2026

Introduction

Astra's automated scanner includes brute-force testing rules that simulate real-world credential-guessing and enumeration attacks. If your environment cannot tolerate this type of testing, for example because account lockout thresholds or rate limiting would be triggered and disrupt your application, you can disable these specific rules. This guide explains which rules are involved and how to turn them off.

Prerequisites

  • Access to the Astra dashboard

  • An active verified target

  • Workspace Full Member role or higher

Brute-Force Rules Available for Disabling

The following scanner rules relate to brute-force and enumeration testing:

  • Email Enumeration in Login Page

  • Bruteforceable Login Page

  • Missing Rate Limit on Forgot Password

  • Possible Name Enumeration

Disabling these rules affects only the credential and enumeration-related checks. All other vulnerability categories, including XSS, SQLi, and misconfigurations, continue to be tested normally.

How to Disable a Brute-Force Rule

Option 1: Mark as False Positive From a Scan Result

Use this method if the rule has already triggered a finding in a completed scan.

  1. Log in to your Astra dashboard

  2. Navigate to Vulnerabilities in the left sidebar

  3. Locate the brute-force related vulnerability you want to disable

  4. Click on the vulnerability to open the details sheet

  5. Scroll down and click Mark False Positive

  6. Enter a note explaining why the rule is being excluded

  7. Check the box Exclude scanning of this vulnerability in all future scans

  8. Click Add note and Mark as False Positive

The rule will be added to your excluded scan rules list and will not trigger in future scans on this target.

Option 2: Manage Excluded Rules Directly

Use this method to review or manage all currently excluded rules in one place.

  1. Log in to your Astra dashboard

  2. Navigate to Settings

  3. Click Manage Excluded Scan Rules

  4. Review the list of currently excluded rules

  5. Add or remove rules as needed

Option 3: Contact Support

If you need help identifying which rules to disable or want our team to configure it on your behalf:

  1. Raise a support ticket from your Astra dashboard

  2. Specify which brute-force rules you want disabled

  3. Include your target name or ID

  4. Our team will apply the configuration promptly

Expected Outcome

After disabling the relevant rules, future scans on the affected target will skip brute-force and enumeration checks. The excluded rules will appear under Target Settings → Excluded Scan Rules for reference.

Troubleshooting

Cannot find the brute-force vulnerability in the Vulnerabilities list

  • The rule can only be excluded via the false positive method if it has already appeared as a finding in a completed scan

  • If the rule has not triggered yet but you want to pre-emptively disable it, use Option 3 and contact support directly

Excluded rule is still triggering in new scans

  • Confirm the exclusion was saved by checking Target Settings → Excluded Scan Rules

  • Verify the exclusion was applied to the correct target. Excluded rules are per-target and are not applied across all targets automatically

  • Clear your application cache and check again. Press Ctrl+Shift+K on Windows or Cmd+K on Mac, search for "Clear Cache", and retry the scan

Want to re-enable a previously disabled rule

  • Navigate to Target Settings → Excluded Scan Rules

  • Locate the rule you want to re-enable

  • Remove it from the exclusion list

  • The rule will be active again from the next scan onward

Unsure whether disabling these rules will impact compliance requirements

  • Some compliance frameworks such as PCI-DSS specifically require testing for brute-force vulnerabilities

  • Review your compliance requirements before disabling these rules or consult your account manager for guidance