Creating an account
Accounts in Pentestas belong to a tenant — a private workspace that holds your scans, findings, team members, agents, and API keys. Every user is a member of exactly one tenant.
Sign-up options
Email + password
- Password requirements: minimum 12 characters, at least one number, not a known-breached password.
- You must solve a Cloudflare Turnstile CAPTCHA before the account is created. This keeps abusive sign-ups out.
- Email verification is sent immediately. You can browse the dashboard before verifying, but scans are blocked until the mailbox round-trip completes.
Google OAuth
Click Continue with Google. If the Google account's email domain already has a tenant, you'll be invited to it (subject to the tenant admin's approval flow); otherwise a new tenant is created and you become its admin.
Microsoft 365 OAuth
Identical flow to Google. Microsoft tenant federation is supported — your organisation's admin can pre-approve Pentestas in Azure AD so users sign in without per-person consent.
Tenant assignment rules
| Sign-up email | Existing tenant? | What happens |
|---|---|---|
| alex@acme.com | No | New tenant acme.com created; alex is admin. |
| sam@acme.com | Yes, acme.com exists with admin | Invitation sent to admin for approval. |
| demo@gmail.com | No (consumer provider) | Personal tenant created; single-user workspace. |
Why domain-based grouping? It matches how companies buy software. The first person from a company to sign up becomes the owner; subsequent sign-ups land in the same workspace (after admin approval). Nobody accidentally creates fifteen "Acme Corp" tenants.
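The three rows of the table above, implemented as one assignment function. This is an added illustration, not Pentestas code: the consumer-provider list and the `personal:` tenant key format are assumptions (the page names only gmail.com).

```python
from dataclasses import dataclass, field

# Assumed list of consumer providers; the page itself names only gmail.com.
CONSUMER_PROVIDERS = {"gmail.com", "outlook.com", "hotmail.com", "yahoo.com"}


@dataclass
class Tenant:
    key: str                    # domain for company tenants, "personal:<email>" for personal ones
    admins: list[str] = field(default_factory=list)
    members: list[str] = field(default_factory=list)
    pending_invites: list[str] = field(default_factory=list)   # awaiting admin approval


def email_domain(email: str) -> str:
    """Lower-cased domain part, so Alex@ACME.com lands in tenant acme.com."""
    local, sep, domain = email.strip().rpartition("@")
    if not sep or not local or not domain:
        raise ValueError(f"not an e-mail address: {email!r}")
    return domain.lower()


def assign_tenant(email: str, tenants: dict[str, Tenant]) -> tuple[str, Tenant]:
    """Apply the tenant assignment rules to a sign-up.

    Returns (outcome, tenant) where outcome is 'created-admin', 'invited' or 'personal'.
    tenants is the registry of existing tenants keyed by Tenant.key and is updated in place.
    """
    user = email.strip().lower()
    domain = email_domain(user)
    if domain in CONSUMER_PROVIDERS:
        # Consumer mailbox: strangers sharing gmail.com must never be grouped together,
        # so every such user gets a single-member tenant they administer themselves.
        tenant = Tenant(key=f"personal:{user}", admins=[user], members=[user])
        tenants[tenant.key] = tenant
        return "personal", tenant
    existing = tenants.get(domain)
    if existing is None:
        # First sign-up from this company domain owns the workspace.
        tenant = Tenant(key=domain, admins=[user], members=[user])
        tenants[domain] = tenant
        return "created-admin", tenant
    # Domain tenant already exists: the user is NOT a member until an admin approves.
    existing.pending_invites.append(user)
    return "invited", existing
```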
Plans
New accounts start on the Free plan:
- 1 concurrent scan
- 10 scans per month
- 1 verified domain
- No AI analysis
- No persistent agents
Upgrade to Pro for higher limits + AI analysis, or Enterprise for SSO, custom scan quotas, unlimited agents, and contractual SLAs. See Plans and limits.
Security
- Passwords are hashed with bcrypt (cost factor 12).
- JWTs use HS256 with a randomly generated 32-byte secret that is rotated on each major release.
- API keys are prefixed (aa_...) and shown only once — losing one means generating a new one, not recovering it.
- Session cookies are HttpOnly, Secure, SameSite=Lax.
- OAuth tokens are never stored server-side beyond the sign-in transaction.
Deleting your account
Settings → Account → Delete account. You are asked to confirm your password. Deletion is immediate and irreversible: all scans, findings, reports, agent keys, API keys, and team memberships are purged. If you're the last admin in a tenant, the entire tenant is deleted (cascade delete enforced at the database level).
To keep your data but leave the tenant, ask an admin to remove you. Your account survives (rejoinable at a later date), but you lose access to that workspace.