# Pentest Overview

| Section | What you will find | Target |
|---|---|---|
| **Prepare a Pentest** | Projects, environment prep, and allowlisting. | [prepare-a-pentest](prepare-a-pentest) |
| **Configure a Pentest** | Access, setup, scope, code context, safety, and retesting. | [configure-a-pentest](configure-a-pentest) |
| **Coverage and Findings** | What Aikido tests and how to read key finding types. | [coverage-and-findings](coverage-and-findings) |
| **Continuous Pentesting** | How to automatically test changes to your application. | |

## What is Aikido Pentest

Aikido Pentest is an agentic, AI-powered penetration testing platform that performs deep, realistic security assessments in a fraction of the time of a traditional pentest.

It uses hundreds of autonomous agents that behave like top-tier red teamers: discovering, exploiting, and validating vulnerabilities across your applications, APIs, and infrastructure.

Instead of waiting weeks for manual reports, you get actionable results within hours, complete with validated findings, proof-of-concepts, and remediation guidance.

### Core principles

* **Built by world-class hackers:** designed to think and act like them, but safe and repeatable.
* **Scalable & continuous:** run tests on demand, or continuously with each release.
* **Full visibility:** every request, exploit, and finding can be observed live.
* **Actionable output:** results are validated and prioritized, ready for developers to fix.

## How it works

Aikido Pentest performs a full penetration testing workflow using intelligent agent coordination.

### 1. Discovery

The system maps all features, endpoints, and APIs of your application, either by scanning (black-box) or analyzing your code and OpenAPI specs (white-box).

Examples include endpoints like password reset, account deletion, or file uploads.

### 2. Exploitation

Hundreds of agents are dispatched to focus on specific areas, simulating a wide range of real-world attack techniques. To view the comprehensive list of vulnerabilities and attack vectors covered during this phase, please refer to [What Issues Can Aikido Pentest Find?](https://help.aikido.dev/pentests/coverage-and-findings/what-issues-can-aikido-pentest-find).

### 3. Validation

Each finding is validated using additional agents to eliminate false positives and confirm exploitability.

You get verified vulnerabilities, each with:

* Attack type and severity level
* CVE or CWE references (if applicable)
* Example request/response data
* Developer-ready remediation steps

### 4. Report

When Aikido Pentest finishes validation, it produces a single, detailed report that combines an executive overview with developer-first, actionable findings. The report is designed so security, engineering and compliance teams can all act on it immediately.

## Pricing and credits

Aikido Pentest is paid with **Aikido credits**.

* Manage credits and payments in [Wallet & Credits](https://help.aikido.dev/miscellaneous-info/wallet-and-credits).
* For **Rightsized** assessments, Aikido shows a **recommended credit amount** based on the repositories you linked.

### Skip Payment

Start your pentest now and pay with credits later.

#### How it works

* **Start instantly:** We create "pending credits" to cover your initial run.
* **Limited results:** Critical and High-risk issues will stay blurred until you pay the pending credits.
* **One at a time:** You must pay your balance before using Skip Payment again.

#### Requirements

You can use Skip Payment if you:

* Have no outstanding unpaid credits.
* Are running a pentest that costs 8,000 credits or less (most apps fall within this range).
* Have linked at least one active repository (not a demo).
* Have provided at least two valid test user accounts.

## What it’s not

Aikido Pentest complements, but doesn’t replace, all forms of security testing.

It is not:

* A social engineering or physical security assessment.
* A guarantee that *all* vulnerabilities are found.
