Troubleshooting

Scans

"Scan stuck in `pending`"

The Celery worker pool is fully occupied or the queue has backed up.

Check Dashboard for other running scans — concurrent-scan caps may be the reason. Cancel one or wait.
If no running scans, the Pentestas platform may be throttled. Hit the status page: https://status.pentestas.com.
Still stuck after 10 min: open a support ticket.

"Scan failed — target not reachable"

Pentestas tried to reach the target and got ICMP unreachable / TCP reset / DNS NXDOMAIN.

Double-check the target URL (scheme, host spelling, port).
If it's an internal target, you need an agent — cloud-side Pentestas can't reach private subnets.
If it's behind a WAF / Cloudflare, add the Pentestas scanner IPs to your allowlist: dig TXT scan-ips.pentestas.com.

"Scan hung at `PAYLOAD_TESTING`"

Rare; usually an upstream network timeout to the target. Scan will fail after ~30 minutes of no progress. You can cancel early.

If it happens on every scan of the same target, the target is likely rate-limiting our IPs. Either whitelist us or run from an agent.

"Findings look wrong"

Open a specific finding → does the evidence match? (Request + response should demonstrate the issue concretely.)
If the evidence looks thin, the finding may be junk that escaped the Accuracy Gate. Click Report false positive — our eng team reviews these weekly.

Agents

"Agent shows offline in the UI"

Check the allowlist includes the agent's public IP. Run curl -s ifconfig.me on the agent host.
On Linux: journalctl -u pentestas-agent -n 50 shows the last few connect attempts.
On Windows: Get-Content "C:\Program Files\Pentestas\Agent\state\agent.log" -Tail 50 for the Python agent, or the .NET agent's status bar.
Verify the WebSocket is reachable: curl -I https://app.pentestas.com should return 200.

"Agent key was rejected"

Agent keys don't expire, but can be revoked (admin deleted it) or disabled. Check Settings → Agents → pick the agent — if the row is missing or disabled, that's the cause.

Generate a new key if the old one's been leaked.

"Scan dispatched from an agent stays `pending`"

The dispatcher sent the job but the agent hasn't acked. Usually means the agent just disconnected. Wait for it to reconnect (30–60s) and the job will pick up automatically.

Reports

"PDF generation failed"

Report renderer can get starved under heavy load. Retry after a minute. If it keeps failing:

Check the scan has completed (not in running state). Reports generate off of completed scans only.
Very large scans (10,000+ findings) may exceed the PDF renderer's row budget. Export JSON instead, or narrow the scope.

"Branding not applied"

Branding is applied to new reports, not historical ones. Regenerate the report (Export report → PDF on the scan detail page) to get branding refreshed.

Auth

"API key returns 401"

Key may be revoked — check Settings → API keys and look for the key's name in the list.
Wrong header format — must be Authorization: Bearer aa_... or X-API-Key: aa_....
Server clock skew — rare, but can invalidate some requests if your CI system has a wildly-wrong time.

"Forgot password"

Login page → Forgot password → email. The reset link expires in 30 minutes.

"Locked out of tenant"

If every admin in your tenant has left the company and their accounts are gone, contact support@pentestas.com from a verified domain email. We'll re-establish admin access after checking DNS / corporate ownership.

Billing

"Plan not updating after upgrade"

Changes apply at the start of the next billing cycle for pro-rata upgrades. For immediate effect: Settings → Billing → Apply plan now (charges prorated).

"Quota exceeded unexpectedly"

Check Settings → Usage → Scan quota. Charts show scans / month and where the budget went.

Enterprise plans include overage allowance; Pro plans hard-cap at plan limits.