
Glossary

Terms that appear throughout the product + docs.

Accuracy Gate

The pipeline Pentestas uses to filter false positives before persisting a finding — junk filter, orthogonal verifier, then (on Pro+) AI false-positive filter. See Validation.

Agent

A process deployed inside your environment (workstation, container, VM) that connects outbound to Pentestas and executes work — scans, browser captures, network probes — on behalf of the platform. Tenant-scoped via an agent_key. See Agents overview.

Attack chain

An ordered sequence of findings that combine into a single compromise path. Chain severity is usually higher than the max individual finding — the value is in the combinatorial risk. See Attack chains.

BFLA

Broken Function-Level Authorization. Occurs when an endpoint authorises a user but doesn't authorise the operation (e.g. a user can call DELETE /api/users/42 even though only admins should). OWASP API Top 10.

BYOK

Bring Your Own Key. Enterprise customers can provide their own KMS (AWS / Azure / GCP) to hold the tenant encryption key root. Revoking the KMS grant immediately denies Pentestas access to the tenant's encrypted data.

CDP

Chrome DevTools Protocol. The JSON/WebSocket protocol that Chrome exposes for debugging + automation. Pentestas uses CDP to capture browser traffic in the .NET Windows agent — see Browser capture.

CVE

Common Vulnerabilities and Exposures. A public registry of software vulnerabilities, each with a globally unique ID (CVE-2024-NNNNN). Pentestas matches detected software versions against the NVD database.

CVSS

Common Vulnerability Scoring System, version 3.1. A 0.0–10.0 severity score plus a vector string encoding the dimensions (attack vector, complexity, privilege required, user interaction, scope, CIA impact). See Severity scale.

CWE

Common Weakness Enumeration. Taxonomy of vulnerability classes, distinct from CVEs (which are specific instances). Examples: CWE-89 (SQLi), CWE-79 (XSS), CWE-22 (Path Traversal). Every Pentestas finding carries a CWE ID.

Exploit-DB

A curated repository of public exploits (exploit-db.com). Pentestas mirrors it nightly and matches findings to ranked Exploit-DB candidates. See Exploit-DB matches.

Finding

A single identified vulnerability in a scan result. Carries endpoint, severity, evidence, validation steps, CVSS, CWE, remediation.

IDOR

Insecure Direct Object Reference. A user can access another user's data by changing an identifier in the URL or request (e.g. /api/users/42 → /api/users/43). OWASP A01:2021.

OWASP

Open Web Application Security Project. Maintains standards like the OWASP Top 10 (web) and the OWASP API Security Top 10. Every Pentestas finding is categorised into an OWASP bucket.

Payload encoder

A module in the scanner that transforms payloads (URL-encode, base64, Unicode, case-flip) to slip past WAF filters. A WAF that blocks ' alone won't block %27 or %EF%BC%87 — we try them all.

RCE

Remote Code Execution. The worst outcome in most attack chains — the attacker runs arbitrary code on the server. CRITICAL.

SARIF

Static Analysis Results Interchange Format. A JSON schema for vulnerability results, notably used by GitHub's code-scanning UI. Pentestas exports findings in SARIF so they light up in your repo's Security tab.

Scope

The set of hosts / URLs a scan is allowed to test. Pentestas enforces scope at two layers: tenant-level (verified domains) and scan-level (explicit scope list within a verified domain).

SSRF

Server-Side Request Forgery. The attacker induces the target server to make HTTP requests on the attacker's behalf. Often a path to cloud metadata endpoints, internal services, or firewalled resources.

SSTI

Server-Side Template Injection. A template engine evaluates user-supplied input, leading to remote code execution. Common in apps using Jinja, Twig, Handlebars with insecure defaults.

Tenant

A Pentestas workspace. Every user belongs to exactly one tenant; scans, findings, agents, API keys are scoped to their tenant. Cross-tenant data access is impossible by design — enforced at the DB level via Row-Level Security policies.

Validation (of a finding)

The process of re-running a finding through independent verifiers (different payload, time-based check, headless browser, OOB callback) to confirm it's real before persisting.

Verifier

A function, per vulnerability class, that tries to confirm a raw detection using orthogonal signals. A SQLi detector sees a SQL error → the SQLi verifier fires a time-based blind payload and measures delay.

Verified domain

A domain you've proven you control, usually via DNS TXT. Required before Pentestas will scan it. See Verify a domain.

WAF

Web Application Firewall. Cloudflare, Akamai, AWS WAF, Imperva, F5, Sucuri. Pentestas fingerprints the WAF and adapts payloads to reduce false blocks.

WebView2

Microsoft's embeddable Chromium runtime for Windows apps. The Pentestas .NET agent uses WebView2 to provide an in-app browser with CDP hooks.