Windows agent (.NET)

A native Windows desktop app that combines an embedded browser (WebView2) with a capture engine (Chrome DevTools Protocol) and a live findings sidebar. The user types a URL, clicks Go, and starts browsing; every request is streamed to the platform, active tests run server-side, and findings appear in real time in the sidebar.

No proxy. No certificate trust dance. No external browser launch.

When to use

Pentesters on Windows running exploratory manual testing against their customer's app.
Internal security teams doing a guided audit of a corporate app.
Bug bounty hunters who want the platform to re-run its full test suite against every page they load.

For headless / service deployments, use the Python agent instead.

Prerequisites

Windows 10 1809+ or Windows 11 (x64 or ARM64).
Microsoft Edge WebView2 Evergreen runtime — ships with Windows 11 by default. On older Windows 10 boxes, install from Microsoft's download page.

No Python, no .NET runtime installed separately — the agent is a single self-contained .exe.

Install

Two options.

Quick: download the prebuilt .exe

(Enterprise customers only — contact your success manager for a signed build.)

Drop PentestasAgent.exe anywhere on disk.
Double-click.
Enter your agent key (the pa_... value shown under Settings → Agents) in the first-run dialog.
Start browsing.

Build from source

Source is in /var/assets/pentestas-agent-dotnet/ (Pentestas internal) or on your clone of the repository. Prerequisites on the build box: .NET 8 SDK.

powershell

cd PentestasAgent-dotnet
.\build.ps1                       # x64, Release
# output at publish\win-x64\PentestasAgent.exe

build.ps1 supports -Rid win-arm64 and -Sign -Pfx cert.pfx for Authenticode signing.

UI tour

Address bar — URL input + Back / Forward / Refresh / Go / Settings.
WebView2 pane — the embedded browser; loads the URL you type.
Findings sidebar — live feed of findings returned by the platform for the current capture session. Colour-coded by severity.
Status bar — connection state, capture count, scope label.
Settings dialog — rotate the agent key or change the platform URL.

How capture works

The app subscribes to the WebView2 CDP Network domain (requestWillBeSent, responseReceived, loadingFinished).
On navigation to a new site, the registrable domain becomes the session's scope.
Every in-scope request is packed into a browser_request frame and streamed to the platform over WebSocket.
The platform runs active probes against the captured endpoints.
Findings are pushed back via finding_notify frames; the sidebar renders them as they arrive.

See Browser capture for more detail on the architecture.

Storage + credentials

Agent key — DPAPI-encrypted at CurrentUser scope, stored at %LocalAppData%\Pentestas\config.json. Only the Windows user that installed it can decrypt.
WebView2 profile — lives at %LocalAppData%\Pentestas\WebView2, completely separated from the user's normal Edge profile.
Logs — %LocalAppData%\Pentestas\agent.log (fatal traces only; inline status for normal ops).

Scope filtering

Only requests whose host matches the currently-navigated registrable domain are streamed to the platform. Third-party analytics, CDN subresources on unrelated domains, and stray requests from browser background tasks are dropped client-side. You'll see a running dropped count in the status bar.

If you want to capture a specific subdomain set across several domains, override scope in the settings dialog (comma-separated list).

Disconnect / exit

Closing the window stops capture and ends the session.
Deleting config.json forgets the agent key; the next launch re-prompts.
In the platform UI, you can disable or delete the agent row; the .NET app will see the disconnect within a few seconds and show an error.

Troubleshooting

WebView2 Evergreen missing — the app will show an error on launch. Install the runtime from Microsoft's download page.
Agent shows offline in platform — check the allowlist includes your public IP (check curl https://ifconfig.me). The WebSocket only connects from allowed IPs.
Requests not reaching the platform — corporate firewall blocking outbound WSS. Agent key is correct but the TLS handshake to wss://app.pentestas.com:443 times out. Whitelist the domain.
Findings don't appear — active test pipeline is enabled from Pro plans up. Free-tier agents capture but don't run server-side active probes.