Agents overview
A Pentestas agent runs inside your environment (a workstation, a container in your VPC, a Windows laptop) and connects outbound to the platform. Scan traffic originates from the agent, so it can reach:
- Corporate intranet apps on 10.x.x.x / 192.168.x.x
- On-prem GitLab / Jira / Jenkins / admin panels
- Staging environments behind VPN
- Windows AD / Samba / RDP services
- Any target that is firewalled off from the public internet
Agents are tenant-scoped: each agent belongs to exactly one tenant, authenticates with a pa_... key, and is further locked to a pre-declared IP allowlist.
The variants
| Variant | Platform | Docs |
|---|---|---|
| Linux agent (Python) | Debian/Ubuntu/RHEL/Fedora | Linux agent |
| Windows agent (Python) | Any Windows with Python 3.10+ | Windows Python agent |
| Windows agent (.NET) | Windows 10 1809+ / Windows 11 | Windows .NET agent |
The .NET variant is the flagship. It embeds a browser (WebView2) inside the app for scan-as-you-browse: it captures everything the user loads and streams it to the platform for active testing. No proxy, no CA cert dance.
The Python variants are headless and meant to run as managed background services on servers (systemd on Linux, NSSM or Task Scheduler on Windows). They support the full DirectScanEngine locally (as a Docker image) and network scanning.
Capability matrix
| Capability | Linux Python | Windows Python | Windows .NET |
|---|---|---|---|
| Server/network scan | β | β | β |
| Web app scan (full engine) | β (Docker) | β (with full install) | β |
| Browser capture | β (Firefox/Chrome) | β | β (WebView2) |
| Runs as service | systemd | NSSM / Task Scheduler | User UI (no service) |
| Single binary install | No | No | Yes (.exe) |
| Needs Python on host | Yes | Yes | No |
Install
Each agent has a distinct install flow; pick the right page above. All start with an agent key minted in Settings → Agents → New.
Security model
- Tenant scope: the agent key belongs to exactly one tenant. A stolen key gets you nothing in other tenants.
- IP allowlist: the WebSocket connection is only accepted from pre-declared IPs. Admins can edit the allowlist in the UI without rotating keys.
- Disable / delete: an admin can immediately disconnect a running agent. The backend drops the live socket and blacklists the key, so the agent cannot reconnect with it.
- At-rest protection: agent keys are stored DPAPI-encrypted on Windows; on Linux they live in a chmod 0600 env file, so the protection there is file permissions rather than encryption.
- Outbound-only traffic: the agent only opens outbound connections (wss://app.pentestas.com:443). No inbound ports to manage.
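The three server-side checks above (tenant scope, IP allowlist, immediate revocation) compose into one admission decision at the WebSocket handshake. The block below is an added illustration of that policy, not the Pentestas platform's own code: the registry layout, the `admit` function, the key length and the reason strings are assumptions, and only the `pa_` prefix comes from the page.

```python
"""Illustrative admission check for an agent WebSocket connection.

Added example, not Pentestas code. It models the properties the security
model lists: a key is bound to one tenant, the connection must come from a
pre-declared IP, the allowlist can change without rotating the key, and a
disabled key is blacklisted so a reconnect fails. Everything except the
`pa_` prefix is an assumption made for the example.
"""
import ipaddress
import secrets
from dataclasses import dataclass, field

KEY_PREFIX = "pa_"  # from the page; the random suffix length below is assumed


@dataclass
class AgentRecord:
    tenant_id: str
    allowlist: list          # CIDRs or single IPs, pre-declared by an admin
    revoked: bool = False    # set by disable(); never cleared


@dataclass
class AgentRegistry:
    """Hypothetical server-side store, keyed by the agent key string."""
    agents: dict = field(default_factory=dict)

    def mint(self, tenant_id, allowlist):
        # Settings > Agents > New: a fresh key bound to exactly one tenant.
        key = KEY_PREFIX + secrets.token_urlsafe(24)
        self.agents[key] = AgentRecord(tenant_id, list(allowlist))
        return key

    def update_allowlist(self, key, allowlist):
        # Admins edit the allowlist in place; the key itself is unchanged.
        self.agents[key].allowlist = list(allowlist)

    def disable(self, key):
        # Disable / delete: blacklist the key. A real backend would also
        # drop the live socket; this model only covers new handshakes.
        self.agents[key].revoked = True


def admit(registry, key, tenant_id, peer_ip):
    """Decide whether a handshake is accepted.

    `tenant_id` is the tenant the connection is being routed to; a key
    minted for another tenant is rejected even if it is otherwise valid.
    Returns (accepted, reason).
    """
    if not key.startswith(KEY_PREFIX):
        return False, "malformed key"
    rec = registry.agents.get(key)
    if rec is None:
        return False, "unknown key"
    if rec.revoked:
        return False, "key revoked"
    if rec.tenant_id != tenant_id:
        # Tenant scope: a stolen key gets you nothing in other tenants.
        return False, "tenant mismatch"
    try:
        ip = ipaddress.ip_address(peer_ip)
    except ValueError:
        return False, "bad peer address"
    # strict=False lets an admin declare "10.1.2.3/24" without normalising it.
    if not any(ip in ipaddress.ip_network(n, strict=False) for n in rec.allowlist):
        return False, "ip not in allowlist"
    return True, "ok"


if __name__ == "__main__":
    # Constructed walk-through with documentation-range addresses.
    reg = AgentRegistry()
    key = reg.mint("acme", ["203.0.113.0/24"])
    print(admit(reg, key, "acme", "203.0.113.7"))     # accepted
    print(admit(reg, key, "acme", "198.51.100.7"))    # ip not in allowlist
    print(admit(reg, key, "other", "203.0.113.7"))    # tenant mismatch
    reg.update_allowlist(key, ["198.51.100.0/24"])    # no key rotation needed
    print(admit(reg, key, "acme", "198.51.100.7"))    # accepted
    reg.disable(key)
    print(admit(reg, key, "acme", "198.51.100.7"))    # key revoked
```

The order of the checks matters: the tenant and revocation checks run before the allowlist check, so an attacker who has a key but sits outside the allowlist learns nothing about which tenant the key belongs to, and a revoked key stays dead regardless of where the reconnect comes from.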
What the agent does not do
- Store scan data locally: findings are streamed to the platform and persisted there. The agent keeps no long-term state beyond its config file.
- Accept commands from anyone but the platform: the WebSocket is one-to-one with app.pentestas.com. There is no local socket, RPC or shell access.
- Run as root unless explicitly configured: the Linux systemd unit defaults to a dedicated pentestas user with ProtectSystem=strict.
See also
- Linux agent: install + systemd
- Windows .NET agent: flagship browser-capture experience
- Browser capture: deep-dive on capture-as-you-browse
- Network scanning from agents: scan 10.x.x.x subnets from inside the LAN