
Verified domains

Pentestas only scans targets you've proven you own. This page manages the list.

Add a domain

See Verify a domain for the full flow. Quick version:

Settings → Domains → Add domain → enter bare domain → follow DNS TXT / file / meta-tag instructions → click Verify.

What verification covers

A verified domain unlocks:

  • The domain itself + all subdomains under it (api., staging., etc.).
  • Matching IP addresses (only when the domain's DNS resolves to the IP at scan time — no standalone IP scanning unless you set up IP allowlisting).
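The coverage rule above, written as a pre-scan scope check. This is an added example, not Pentestas's own code: the function names, the injectable `resolve` callable and the sample addresses are assumptions made for illustration.

```python
import ipaddress
import socket


def _normalize(name):
    """Lower-case a hostname and drop the trailing root dot."""
    return name.strip().rstrip(".").lower()


def covered_by(host, verified_domains):
    """Return the verified domain covering host, or None.

    Matching is on whole DNS labels: 'notexample.com' is not a subdomain
    of 'example.com' even though the strings share a suffix.
    """
    host = _normalize(host)
    for domain in verified_domains:
        d = _normalize(domain)
        if host == d or host.endswith("." + d):
            return d
    return None


def system_resolver(name):
    """Resolve name to its current addresses (needs network access)."""
    try:
        infos = socket.getaddrinfo(name, None)
    except socket.gaierror:
        return set()
    # Drop any IPv6 zone suffix such as '%eth0' before comparison.
    return {info[4][0].split("%")[0] for info in infos}


def in_scope(target, verified_domains, resolve=system_resolver):
    """Decide whether target (hostname or IP literal) may be scanned."""
    try:
        ip = ipaddress.ip_address(target)
    except ValueError:
        # Hostname: in scope if it is a verified domain or a subdomain of one.
        return covered_by(target, verified_domains) is not None
    # IP literal: in scope only while a verified domain resolves to it,
    # so the lookup is done at check time and never cached.
    for domain in verified_domains:
        for addr in resolve(_normalize(domain)):
            if ipaddress.ip_address(addr) == ip:
                return True
    return False
```

Passing `resolve` as a parameter lets the check be unit-tested offline and makes the "at scan time" lookup explicit.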

Bulk verify

Enterprise plans can pre-authorise many domains via:

  • CSV upload with domain,method columns.
  • Parent domain inheritance — verifying example.com automatically covers any sub.example.com you add later without re-challenge, as long as you keep the parent's TXT record live.
  • Proof of ownership by IP range — BGP-announced prefix match.

Remove a domain

Settings → Domains → pick domain → Remove. Immediate. Any scheduled scans against that domain will fail on their next run until re-verification.

Removal does not delete existing scan history — past scans remain readable; only new scans are blocked.

Re-verification

Pentestas periodically re-checks (every 30 days). If the TXT record / well-known file / meta tag has vanished, the domain drops to Pending re-verification. Scans against it pause until you re-publish the token.

Private / internal domains

For .corp.local, .internal, and similar non-public zones that can't have a public TXT record:

  • Agent-based verification — deploy an agent in the network; the agent verifies a file on an internal host via DNS+HTTP probe from inside.
  • API-based manual approval — Enterprise customers can whitelist domains that an Enterprise admin approves via written attestation.

Talk to us if you need this — it's a manual workflow, not self-serve.
