Security
Pentestas is a security product, and the meta-product is our own security posture. This page summarises the model.
Tenant isolation
- DB-level – every tenant-scoped table has tenant_id as a non-null foreign key. Row-Level Security policies in Postgres (enabled + FORCED) require every query to set app.current_tenant; queries that forget it see zero rows, not all rows.
- App-level – every authenticated request sets the tenant context from the JWT / API key. There's no admin override for cross-tenant queries other than explicit superadmin actions, which are logged.
- Backup-level – backups are per-tenant encrypted with the tenant's Fernet key. Restoring a tenant's backup in a different Pentestas instance requires its key material to decrypt.
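The DB-level rule above, as an added worked example (not Pentestas' own schema): a tenant-scoped table under forced RLS whose policy keys on app.current_tenant. The tenants/findings tables, the app_user role and the sample rows are constructed for illustration; only tenant_id and app.current_tenant come from the page.

```sql
-- Constructed example schema; run as a superuser for the setup part.
CREATE TABLE tenants (id uuid PRIMARY KEY);

CREATE TABLE findings (
    id        uuid PRIMARY KEY,
    tenant_id uuid NOT NULL REFERENCES tenants(id),   -- non-null FK to the tenant
    title     text NOT NULL
);

-- ENABLE turns RLS on; FORCE applies it to the table owner too, so an app role
-- that owns the schema cannot silently bypass it. Superusers and roles with
-- BYPASSRLS still bypass it, which is why the app connects as an ordinary role.
ALTER TABLE findings ENABLE ROW LEVEL SECURITY;
ALTER TABLE findings FORCE ROW LEVEL SECURITY;

-- current_setting(name, true) returns NULL when app.current_tenant was never set
-- (NULLIF also covers the empty string left behind by RESET). A comparison with
-- NULL is never true, so a request that forgot the tenant context matches zero
-- rows on read and cannot write any row either (WITH CHECK fails the same way).
CREATE POLICY tenant_isolation ON findings
    USING      (tenant_id = NULLIF(current_setting('app.current_tenant', true), '')::uuid)
    WITH CHECK (tenant_id = NULLIF(current_setting('app.current_tenant', true), '')::uuid);

-- Hypothetical application role: no ownership, no BYPASSRLS, plain DML grants.
CREATE ROLE app_user LOGIN;
GRANT SELECT, INSERT, UPDATE, DELETE ON tenants, findings TO app_user;

-- Constructed sample data for two tenants.
INSERT INTO tenants VALUES ('11111111-1111-1111-1111-111111111111'),
                           ('22222222-2222-2222-2222-222222222222');
INSERT INTO findings VALUES
    (gen_random_uuid(), '11111111-1111-1111-1111-111111111111', 'Open S3 bucket'),
    (gen_random_uuid(), '22222222-2222-2222-2222-222222222222', 'Weak TLS config');

-- From here on, behave like the application.
SET ROLE app_user;

-- What every authenticated request does: SET LOCAL scopes the tenant to the
-- transaction, so a pooled connection never carries it into the next request.
BEGIN;
SET LOCAL app.current_tenant = '11111111-1111-1111-1111-111111111111';
SELECT title FROM findings;          -- only tenant 1's findings are visible
COMMIT;

-- Forgotten tenant context: the policy evaluates to NULL, nothing is returned.
SELECT count(*) FROM findings;       -- zero rows, not both tenants' rows

-- Cross-tenant write while scoped to tenant 1 is rejected by the WITH CHECK clause.
BEGIN;
SET LOCAL app.current_tenant = '11111111-1111-1111-1111-111111111111';
INSERT INTO findings VALUES (gen_random_uuid(), '22222222-2222-2222-2222-222222222222', 'x');
ROLLBACK;
```

A useful regression check is a test that runs a representative query as app_user with no app.current_tenant set and asserts an empty result; that catches a policy accidentally dropped by a migration.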
Encryption
See Encryption for field-level specifics.
- At rest – TDE via the storage provider + Fernet field encryption for sensitive columns.
- In transit – TLS 1.3 on all public endpoints; internal Docker network between backend services; agent connections use TLS 1.2+ with strict cert pinning to *.pentestas.com.
- At the agent – credentials DPAPI-encrypted (Windows) or chmod-0600 (Linux); never logged.
Authentication
- Passwords – bcrypt (cost 12), known-breached-password check via the k-anonymity Pwned Passwords API.
- MFA / 2FA – TOTP supported, FIDO2 roadmap (Enterprise).
- SSO – SAML 2.0 + OIDC on Enterprise.
- Session tokens – JWT signed with a 32-byte HS256 secret rotated annually; HttpOnly Secure SameSite=Lax cookies.
Audit logging
Every security-relevant action is logged:
- Login / failed login (with IP + UA).
- Role change / invitation / removal.
- API key create / revoke.
- Scan create / cancel / delete.
- Agent create / disable / delete.
- Setting changes.
Audit log retention: 365 days on Pro, unlimited on Enterprise. Exportable via API or CSV.
Network posture
The Pentestas backend runs behind nginx with a strict CSP, HSTS, frame-ancestors=none, and a permissions-policy locking down camera / mic / geolocation. WebSocket endpoints require Origin checks. Per-IP rate limits apply on every public route.
No inbound ports exposed on customer-deployed agents.
Vulnerability management
- Dependency scanning – weekly audit via Pentestas' own dependency scanner (meta, yes).
- Third-party pentest – annual, report summary available under NDA to Enterprise prospects.
- Responsible disclosure – Please email security@pentestas.com. We respond within 24h, maintain a 90-day disclosure window, and publish accepted reports in our security hall of fame.
Compliance
- SOC 2 Type II (Pro+) – report available under NDA.
- GDPR – we act as data processor on your behalf; DPA available.
- CCPA – likewise.
- HIPAA / FedRAMP – Enterprise only, custom agreement.
Incident response
If we suspect a breach affecting a tenant:
- We triage within 1 hour of detection.
- Notification to tenant admin within 4 hours if confirmed.
- Public disclosure within 7 days (with remediation status) unless law enforcement requests delay.
- Full post-mortem published within 30 days.
Reporting a concern
- Product security issue – security@pentestas.com, PGP key at https://pentestas.com/.well-known/pgp-key.txt.
- Abuse of the platform – abuse@pentestas.com.
- Legal / privacy – privacy@pentestas.com.
See also
- Encryption
- Authentication
- Plans and limits – compliance + SLA tiers