Hello. If the customer wants to scan his web application for the first time, he needs to know the WAS scan process in brief, and what primary details we need to ask him for to perform the WAS scan.
A list would be helpful.
Not sure I completely understand your question, but the scan will come from the Qualys SOC range or your private scanner(s).
The first thing, and I am sure dferguson will correct me, is that WAS and other scanners will "spider" the site and check authentication. If you selected full vulnerability vs. discovery, then Qualys will proceed with a vulnerability scan.
The WAS Getting Started Guide walks you through your first scan, and this gives you an idea of some expectations you may want to set within your organization.
In general I would start with what Robert is suggesting, in addition to a letter that outlines the scope of the engagement. For instance, if you are to scan www.abc.org and that site has a link to another site www.zxy.org, then you probably don't want to crawl the second site.
You want to make sure your targets are listed, along with the time and date to start and when you must be done. You don't want to be scanning a site that might be promoting something big for the company.
The customer should be aware of possible issues resulting from the scan, and proper precautions should be taken into account, such as backups of the system and content.
More or less you need a letter stating it is ok to do what you plan to do and you will not go outside of that scope. If they are a "client" then you have all the general permission but scanning applications can be tricky; be sure they have a good backup and restore process; if not that is a vulnerability in their systems.
Let me know if you still have questions and I will try to help.
You might also see if you have legal counsel to draft up something that is general enough to be applied to most clients.