Troubleshooting
Scans
"Scan stuck in pending"
The Celery worker pool is fully occupied or the queue has backed up.
- Check Dashboard for other running scans — concurrent-scan caps may be the reason. Cancel one or wait.
- If no running scans, the Pentestas platform may be throttled. Hit the status page: https://status.pentestas.com.
- Still stuck after 10 min: open a support ticket.
"Scan running but no progress for an hour"
Pentestas auto-detects this. A background watchdog runs every 5 minutes and flags scans that haven't logged progress for ≥1 hour as stuck. When that happens:
- The scan list shows a Fix Stuck button on the row.
- Clicking it calls POST /api/scans/{id}/unstick, which clears the stale phase, requeues the scan from its last checkpoint (see below), and resumes.
- If the watchdog hasn't yet flipped the row but you're sure it's hung, the same button is available on the scan detail page.
"Worker restarted mid-scan — did I lose progress?"
No. Each scan writes a checkpoint to the scans.checkpoint JSONB column at every phase boundary (recon, crawl, parameter discovery, payload testing, exploitation, AI analysis). On worker startup, in-flight scans are re-queued automatically and the engine skips phases already in the completed set. You'll see a [RESUME] Skipping completed phase: <name> line in the live feed.
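The watchdog, unstick, and checkpoint-resume behaviour described in the two entries above can be modelled in a few lines. This is an added illustration, not Pentestas code: the row shape, the function names, and the checkpoint layout ({"completed": [...]}) are assumptions; only the phase names, the 1-hour threshold, and the [RESUME] log line come from this page.

```python
# Phase order as listed on this page; everything else here is an assumption.
PHASES = ["recon", "crawl", "parameter discovery", "payload testing",
          "exploitation", "AI analysis"]
STUCK_AFTER = 3600  # watchdog threshold from the page: no progress for >= 1 hour


def new_scan(now):
    # Hypothetical row: 'checkpoint' stands in for the scans.checkpoint JSONB column.
    return {"status": "running", "phase": None, "last_progress": now,
            "checkpoint": {"completed": []}}


def run_scan(scan, feed, now, crash_in=None):
    """Run phases in order, skipping any already recorded in the checkpoint."""
    scan["status"] = "running"
    for name in PHASES:
        if name in scan["checkpoint"]["completed"]:
            feed.append(f"[RESUME] Skipping completed phase: {name}")
            continue
        scan["phase"] = name
        if name == crash_in:
            return scan  # simulated worker death: phase started, never checkpointed
        # ... real phase work would happen here ...
        scan["checkpoint"]["completed"].append(name)  # written at the phase boundary
        scan["last_progress"] = now
    scan["status"], scan["phase"] = "completed", None
    return scan


def watchdog(scans, now):
    """Return ids of running scans with no progress for >= STUCK_AFTER seconds."""
    return [sid for sid, s in scans.items()
            if s["status"] == "running" and now - s["last_progress"] >= STUCK_AFTER]


def unstick(scan, feed, now):
    """Clear the stale phase, then resume from the last checkpoint."""
    scan["phase"] = None
    return run_scan(scan, feed, now)


def demo():
    t0 = 1_700_000_000  # constructed timestamp
    scans, feed = {"scan-1": new_scan(t0)}, []
    run_scan(scans["scan-1"], feed, t0, crash_in="parameter discovery")
    early = watchdog(scans, t0 + 1800)   # 30 minutes idle: not flagged
    late = watchdog(scans, t0 + 3600)    # 1 hour idle: flagged as stuck
    unstick(scans["scan-1"], feed, t0 + 3600)
    return early, late, scans["scan-1"], feed
```

Because the checkpoint is only written at a phase boundary, the phase that was in flight when the worker died is re-run in full on resume, while earlier phases are skipped.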
"Live feed went blank when I navigated away"
The live feed is buffered server-side in Redis (scan:log:{id}, last 2,000 lines, 2-hour TTL) and replayed when you reopen the scan detail page. If the feed shows nothing on reload:
- The scan finished more than 2 hours ago — logs aged out. The persisted findings are still on the page.
- The browser tab is on a stale build — hard reload (Ctrl/Cmd+Shift+R).
"Scan failed — target not reachable"
Pentestas tried to reach the target and got ICMP unreachable / TCP reset / DNS NXDOMAIN.
- Double-check the target URL (scheme, host spelling, port).
- If it's an internal target, you need an agent — cloud-side Pentestas can't reach private subnets.
- If it's behind a WAF / Cloudflare, ask support@pentestas.com for the current scanner IP range and add it to your allowlist. For internal-only targets, run from an agent instead.
"Scan hung at PAYLOAD_TESTING"
Rare; usually caused by an upstream network timeout to the target. The scan will fail after ~30 minutes of no progress. You can cancel early.
If it happens on every scan of the same target, the target is likely rate-limiting our IPs. Either allowlist us or run from an agent.
"Findings look wrong"
- Open a specific finding → does the evidence match? (Request + response should demonstrate the issue concretely.)
- If the evidence looks thin, the finding may be junk that escaped the Accuracy Gate. Click Report false positive — our eng team reviews these weekly.
- For SQLi, the evidence must include actual database content (table names, version strings, row data). For default-credentials findings, the proof must include a new session cookie issued by the target. If it doesn't, file a bug via Settings → Feedback.
"Report a bug or request a feature"
Settings → Feedback / Bug report — single text box, history of past submissions visible to your tenant admin and to Pentestas staff. Faster than email for product feedback; replies come back in the same panel.
Agents
"Agent shows offline in the UI"
- Check the allowlist includes the agent's public IP. Run curl -s ifconfig.me on the agent host.
- On Linux: journalctl -u pentestas-agent -n 50 shows the last few connect attempts.
- On Windows: open the Pentestas Agent app — the status bar at the bottom of the window shows the last connect attempt and any error. Detailed logs live under %LocalAppData%\Pentestas\logs\agent.log.
- Verify the WebSocket is reachable: curl -I https://app.pentestas.com should return 200.
"Agent key was rejected"
Agent keys don't expire, but can be revoked (admin deleted it) or disabled. Check Settings → Agents → pick the agent — if the row is missing or disabled, that's the cause.
Generate a new key if the old one's been leaked.
"Scan dispatched from an agent stays pending"
The dispatcher sent the job but the agent hasn't acknowledged it. This usually means the agent just disconnected. Wait for it to reconnect (30–60s) and the job will be picked up automatically.
Reports
"PDF generation failed"
The report renderer can be starved of resources under heavy load. Retry after a minute. If it keeps failing:
- Check the scan has completed (not in running state). Reports are generated from completed scans only.
- Very large scans (10,000+ findings) may exceed the PDF renderer's row budget. Export JSON instead, or narrow the scope.
"Branding not applied"
Branding is applied to new reports, not historical ones. Regenerate the report (Export report → PDF on the scan detail page) to get branding refreshed.
Auth
"API key returns 401"
- Key may be revoked — check Settings → API keys and look for the key's name in the list.
- Wrong header format — must be Authorization: Bearer aa_... or X-API-Key: aa_....
- Server clock skew — rare, but can invalidate some requests if your CI system has a wildly-wrong time.
"Forgot password"
Login page → Forgot password → email. The reset link expires in 30 minutes.
"Locked out of tenant"
If every admin in your tenant has left the company and their accounts are gone, contact support@pentestas.com from a verified domain email. We'll re-establish admin access after checking DNS / corporate ownership.
Billing
"Plan not updating after upgrade"
Changes apply at the start of the next billing cycle. If you need an upgrade to take effect immediately, contact support@pentestas.com.
"Quota exceeded unexpectedly"
Check Settings → Usage → Scan quota. Charts show scans / month and where the budget went.
Enterprise plans include overage allowance; Pro plans hard-cap at plan limits.
See also
- Plans and limits — what caps are enforced
- Security — how we handle tenant isolation + incidents
- Status page: https://status.pentestas.com
- Support: support@pentestas.com