Security

Pentestas is a security product, and the meta-product is our own security posture. This page summarises the model.

Tenant isolation

DB-level — every tenant-scoped table has tenant_id as a non-null foreign key. Row-Level Security policies in Postgres (enabled + FORCED) require every query to set app.current_tenant; queries that forget it see zero rows, not all rows.
App-level — every authenticated request sets the tenant context from the JWT / API key. There's no admin override for cross-tenant queries other than explicit superadmin actions, which are logged.
Backup-level — backups are per-tenant encrypted with the tenant's Fernet key. Restoring a tenant's backup in a different Pentestas instance requires its key material to decrypt.

Encryption

See Encryption for field-level specifics.

At rest — TDE via the storage provider + Fernet field encryption for sensitive columns.
In transit — TLS 1.3 on all public endpoints; internal Docker network between backend services; agent connections use TLS 1.2+ with strict cert pinning to *.pentestas.com.
At the agent — credentials DPAPI-encrypted (Windows) or chmod-0600 (Linux); never logged.

Authentication

Passwords — bcrypt (cost 12, called directly — no third-party password library).
MFA / 2FA — TOTP supported, FIDO2 roadmap (Enterprise).
SSO — SAML 2.0 + OIDC on Enterprise.
Session tokens — JWT signed with a 32-byte HS256 secret rotated annually; delivered as HttpOnly Secure SameSite=Lax cookies (pt). The legacy fallback that accepted tokens missing aud/iss claims has been removed; every accepted JWT must have the full claim set.
Logout = revocation — logging out (or admin-revoking a session) writes the token's JTI to a Redis blocklist; subsequent requests with that token are rejected with 401, so a stolen token cannot be reused after logout.
OAuth onboarding — when a user signs in with Google or Microsoft on a domain that already maps to a tenant, they are auto-joined to that tenant rather than dropped onto the plan-selection page. Domain ownership is verified through the tenant's existing allowed-domains list.

Audit logging

Every security-relevant action is logged:

Login / failed login (with IP + UA).
Role change / invitation / removal.
API key create / revoke.
Scan create / cancel / delete.
Agent create / disable / delete.
Setting changes.

Audit logs retention: 365 days Pro, unlimited Enterprise. Exportable via API or CSV.

Network posture

Pentestas backend runs behind nginx with strict CSP, HSTS, frame-ancestors=none, permissions-policy locking down camera / mic / geolocation. WebSocket endpoints require Origin checks. Rate limits per-IP are enforced at two layers:

Nginx — per-IP request rate (e.g. login = 5/min, API = 30/s).
Redis-backed application limiter — Redis INCR + EXPIRE against ratelimit:<route>:<ip> keys, replacing in-memory dicts so limits survive worker restarts and are shared across web replicas.

Public scan endpoints (/api/public/*) additionally validate IPs to reject loopback, link-local, and RFC1918 ranges before they reach the scanner.

No inbound ports exposed on customer-deployed agents.

Log hygiene

Live-feed log lines visible to users have third-party tool names redacted (payload-tester instead of sqlmap, binary-analyzer instead of mobsf, etc.). The redaction is content-aware — error messages from those tools also have their identifying strings stripped before reaching the UI. Internal server logs retain the original tool names for engineering use.

Vulnerability management

Dependency scanning — weekly audit via Pentestas' own dependency scanner (meta, yes).
Third-party pentest — annual, report summary available under NDA to Enterprise prospects.
Responsible disclosure — Please email security@pentestas.com. We respond within 24h, maintain a 90-day disclosure window, and publish accepted reports in our security hall of fame.

Compliance

SOC 2 Type II (Pro+) — report available under NDA.
GDPR — data-processor on your behalf; DPA available.
CCPA — likewise.
HIPAA / FedRAMP — Enterprise only, custom agreement.

Incident response

If we suspect a breach affecting a tenant:

We triage within 1 hour of detection.
Notification to tenant admin within 4 hours if confirmed.
Public disclosure within 7 days (with remediation status) unless law enforcement requests delay.
Full post-mortem published within 30 days.

Reporting a concern

Product security issue — security@pentestas.com, PGP key at https://pentestas.com/.well-known/pgp-key.txt.
Abuse of the platform — abuse@pentestas.com.
Legal / privacy — privacy@pentestas.com.