Scan profiles (roles)
The New-Scan page leads with a "What are you testing?" grid of role cards. Pick a role and Pentestas applies the right module subset, attack strength, and rule thresholds — no checkbox-grid configuration required. The 8 built-in roles cover the testing shapes our customers actually run.
Built-in roles
| Role | Tier | Strength | Use when |
|---|---|---|---|
| Web App Pentest | Starter | Medium | Typical "test our web app" engagement. 21 modules covering injection, auth, access control, business logic, file upload, deps. |
| Quick Recon | Free | Low | Surface-and-fingerprint pass — what's out there before deciding what to scan in depth. |
| API Pentest | Starter | High | REST + GraphQL APIs. Spec ingestion, BOLA / BFLA, mass-assignment, JWT depth, race conditions, hidden parameters. |
| GraphQL Deep Dive | Pro | High | Targeted GraphQL audit. Introspection abuse, query-depth DoS, batched-query abuse, field-level auth gaps. |
| Cloud Asset Discovery | Pro | Medium | External cloud footprint. S3 / Azure blob / GCS buckets, admin panels, metadata SSRF endpoints, subdomain takeover. |
| Dependency & CVE Audit | Starter | Low | Software composition only — no application-level attack. Fast, low-noise, ideal for monthly compliance gates. |
| Secrets Hunt | Pro | Low | Focused leaked-credential hunt. 106 detector classes; with AI-assist, live-verifies the secret against the issuer. |
| Comprehensive | Pro | High | Every detector at high strength. Longest scan, max coverage. Use for engagement-grade reports. |
How the role applies
When you pick a role, two things happen instantly on the form:
- The role's scan types are selected as the module set. Open Advanced configuration to see the exact list.
- The role's attack strength is applied to the strength segmented control.
The launch payload carries `profile: <role-id>` through to the worker. The worker's `scan_profiles.merge_into()` re-applies the role's YAML on the backend, so the same role is enforced even if the request bypassed the SPA. Operator-supplied overrides (individual checkboxes, manual strength override) still win over the role's defaults — the role is the floor, not the ceiling.
Advanced configuration
Below the role grid is an Advanced configuration collapsible section. Open it to:
- Apply the four legacy module-bundle shortcuts (Quick / Full / API Focused / OWASP Top 10).
- Toggle individual modules outside the role's defaults.
- Switch the engine from "Internal Engine" to "+ AI assist" mode.
- Override attack strength.
Clicking any legacy preset clears the role selection — the launch payload won't carry a `profile` field, because you're now configuring by hand.
Custom profiles (enterprise)
Enterprise tenants can author tenant-specific scan profiles. Drop `scan_profiles/<name>.yaml` in your tenant's config directory (see your tenant config); the API surfaces them in the role grid alongside the built-ins, scoped to your tenant.
Launching with a role from the API
```http
POST /api/scans
Authorization: Bearer <your-api-key>
Content-Type: application/json

{
  "target_url": "https://example.com",
  "profile": "api-pentest"
}
```
The role's module set, strength, and thresholds are applied server-side. Pass any additional keys in the body to override the role's defaults.
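The server-side merge described under "How the role applies" and exercised by the API launch above, as an added illustration (this is not Pentestas code, and the real `scan_profiles.merge_into()` may differ). The profile contents, the `scan_types`/`strength`/`thresholds` keys, the union rule for modules and the rejection of unknown profile ids are assumptions made for the example:

```python
from copy import deepcopy

# Constructed stand-in for the parsed scan_profiles/<name>.yaml files.
# Module names and thresholds are made up for the example, not the real roles.
PROFILES = {
    "api-pentest": {
        "scan_types": ["bola", "bfla", "mass_assignment", "jwt", "race"],
        "strength": "high",
        "thresholds": {"max_requests": 5000},
    },
    "quick-recon": {
        "scan_types": ["fingerprint", "surface"],
        "strength": "low",
        "thresholds": {"max_requests": 500},
    },
}


class UnknownProfile(ValueError):
    """Raised when a launch payload names a profile that is not on disk."""


def merge_into(request: dict, profiles: dict = PROFILES) -> dict:
    """Return the effective scan config for a launch payload.

    - The role is resolved server-side from the YAML, never from what the
      client claims the role contains, so a request that bypassed the SPA
      still gets the role enforced.
    - An unknown profile id is rejected instead of silently ignored.
    - Explicit operator keys override the role's defaults. For scan_types
      the role's modules are the floor, so operator modules are unioned in
      (assumed reading of "floor, not ceiling").
    - No `profile` key means hand configuration: the request is used as-is.
    """
    cfg = deepcopy(request)
    profile_id = cfg.get("profile")
    if profile_id is None:
        return cfg
    if profile_id not in profiles:
        raise UnknownProfile(profile_id)
    role = profiles[profile_id]
    cfg["scan_types"] = sorted(set(role["scan_types"]) | set(cfg.get("scan_types", [])))
    cfg["strength"] = cfg.get("strength", role["strength"])
    thresholds = dict(role["thresholds"])
    thresholds.update(cfg.get("thresholds", {}))  # operator thresholds win
    cfg["thresholds"] = thresholds
    return cfg
```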