Documentation
Pentestas is an AI-driven penetration testing platform: it scans your web apps, APIs, networks, and cloud estate; synthesises multi-step attack chains with Claude; and ships verified, exploit-grounded findings instead of generic scanner noise. These docs cover every layer — from your first scan to running agents inside a corporate LAN.
- Quick start — Sign up, verify your first domain, and kick off a scan in under five minutes.
- Running scans — Web apps, APIs, networks, S3 / Azure / GCS buckets, Google Workspace, subdomain enumeration.
- Agents — Scan on-prem services, intranet apps, and browser sessions from a tenant-scoped local agent.
- Findings — Severity, validation, attack chains, and Exploit-DB matches — understand what you're looking at.
- AI features — Claude-powered analysis, auto-generated attack chains, false-positive filtering.
- API reference — Programmatic access: JWT, API keys, scans, findings, webhooks.
Popular topics
- Your first scan — pick a target, choose scan types, start scanning.
- Scan profiles (roles) — pick what you're testing and Pentestas applies the right modules.
- Engagements — multi-scan grouping with shared scope, rules of engagement, and stealth posture.
- Understanding severity — what CRITICAL means, how it differs from HIGH, and how CVSS fits in.
- Attack chains — scored compromise paths plus the MITRE ATT&CK ribbon.
- SOC detection rules — Sigma + KQL + Splunk rules generated for every finding.
- Methodology Library — how Pentestas tests for every vuln class.
- Leaked secrets — 106 detector classes with 30+ live verifiers.
- DNS Surface Audit — six DNS posture checks per domain.
- DNS Infrastructure Scanner — sweep a CIDR for live DNS servers.
- OPSEC stealth mode — drop loud detectors when scanning production.
- Hard-refusal policy — five categorical refusals enforced at platform tier.
- 403 / 401 bypass — defeating inconsistent path normalisation between a gate and its backend.
- Manual testing tools — Forge / Volley / OAST and the hands-on tabs on every scan.
- Authentication — JWT, API keys, OAuth, and agent keys explained.
New here?
Start with Quick start. If you've never run a vulnerability scanner before, skim the glossary first — Pentestas assumes working familiarity with OWASP, CVSS, and the difference between a CVE and a CWE.
Need to talk to a human?
- Product questions → hello@pentestas.com
- Security issues → security@pentestas.com
- Documentation errors or requests → docs@pentestas.com