adding more information

claudiacodacy · claudiacodacy · commit 04f11612f9cb · 2025-07-01T10:11:17.000+01:00
diff --git a/docs/codacy-api/examples/triggering-dast-scans.md b/docs/codacy-api/examples/triggering-dast-scans.md
@@ -19,7 +19,7 @@ Before the automation process itself, you need to create a target. Targets are i
 Targets only need to be created once. Note that **targets are immutable** — if you need to change the URL, definition, or authentication, you'll need to delete the target and create a new one.
 
 !!! important
-    **Do not run API scans on production enviroments** as our API scanners may cause potential downtime.
+    **Do not run API scans on production enviroments** as our API scanners may cause potential downtime. [Learn more](../../organizations/managing-security-and-risk.md#avoid-running-api-scans-on-production-environments)
 
 To create a target, use the following API request:
 
diff --git a/docs/organizations/managing-security-and-risk.md b/docs/organizations/managing-security-and-risk.md
@@ -590,7 +590,7 @@ Codacy supports two types of scanning:
 ### Creating an App Scanning target
 
 !!! important
-    **Do not run API scans on production enviroments** as our API scanners may cause potential downtime.
+    **Do not run API scans on production enviroments** as our API scanners may cause potential downtime. [Learn more](#avoid-running-api-scans-on-production-environments)
 
 When creating a scan target, you'll be able to choose between a Web App or an API. Configuring a Web App will only require a target URL, while APIs will have other requirements:
 
@@ -602,6 +602,17 @@ API targets optionally support **header-based authentication**. As you create a
 !!! important
     If exposing your API specification isn't feasible for your team, let us know via support or your account representative.
 
+#### Avoid running API scans on Production environments
+
+Our DAST API scanner performs active security testing by sending a large number of requests to your application. When using authenticated API scanning, this activity can be even more intensive, as ZAP explores and probes more of your API surface.
+
+Depending on how your target environment is configured, this may:
+- Trigger rate limiting or throttling
+- Appear as a high volume of traffic, similar to a load test
+- Lead to incomplete scan results if key endpoints are blocked or limited
+
+We recommend running scans in a **test or staging environment**, or coordinating with your infrastructure team to ensure that your environment can safely handle the load.
+
 
 ### How to scan a target
 
