How to set up a Pentest

Setting up a pentest shouldn't involve weeks of emailing or complex scoping documents. Aikido streamlines the process so you can get your assessment running immediately, whether you're prepping for an audit or just hardening your security posture.

You can watch the 3-minute walkthrough below, or follow the step-by-step guide further down.


Step-by-step Guide

Prerequisites

Before starting, ensure you have:

  • Manage Pentests permission in Aikido

  • Sufficient credits in your wallet.

  • Authorization to scan the target domains.

To launch the wizard, navigate to Pentests in Aikido, open your Project and click Create Assessment.

1. Scope

We recommend focusing on a single application per assessment to keep the report actionable.

  1. Enter Domain: Input your application's URL.

  2. Scope: Choose to test the entire application, or give specific instructions on where the test should focus.

2. Review Discovered Domains

The system will detect dependencies of the application (e.g., authentication services, API gateways, and so on).

  • Add and mark domains as In scope to be included in the pentest.

  • Add and mark domains as Allowed to reach so the agents may use them (for example, a login provider), but they are excluded from pentesting.

  • Blocked: Anything that is not defined will be blocked by default for safety.

3. Authentication

Aikido uses AI agents to navigate complex login flows. You don't need complex scripts; just tell us how to log in.

  • Define Roles: Create credential sets for different user types (e.g., Admin, Tenant A User, Read-Only User). This ensures we test authorization logic, not just authentication.

  • Write Instructions: Use plain English.

    Example: "Navigate to /admin. Login with user 'admin' and password '1234'. If a 2FA prompt appears, use the provided OTP secret."

  • Self-Registration: If your app allows public sign-ups, the agent can create its own account.

4. Code and Documentation

White Box testing significantly increases the ability to analyse deep logic and lowers the risk of missing critical issues. More detailed information here.

  • Link Repositories: Connect your code repo. We index the codebase to identify logic flaws that aren't visible from the outside.

  • Upload Specs: Attach OpenAPI/Swagger specs or previous pentest reports to guide the scanner toward known sensitive areas.

  • Additional Context: Provide any additional context that helps us understand the behaviour of the application.

5. Safety

Pentests can be intense. Configure these settings to prevent service degradation.

  • Maximum Requests Per Second:

    • High: Faster completion, higher server load.

    • Low: Slower, more gentle load on your system.

  • Allowed Scanning Time: Restrict pentesting to specific hours to avoid impacting other work.
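To make the scope rules from step 2 and the safety limits from step 5 concrete, here is an added example (not Aikido's own code) that models them as a small policy object: declared domains are either in scope or only allowed to reach, everything else is blocked by default, and active testing is additionally gated on the allowed scanning window. The subdomain-matching rule and the overnight window are assumptions for illustration, not documented Aikido behaviour.

```python
from __future__ import annotations
from dataclasses import dataclass, field
from datetime import time
from enum import Enum


class Verdict(Enum):
    IN_SCOPE = "in scope"          # may be actively pentested
    ALLOWED_TO_REACH = "allowed"   # may be used (e.g. SSO), never attacked
    BLOCKED = "blocked"            # default for anything undeclared


@dataclass
class ScopePolicy:
    """Hypothetical model of the wizard's scope and safety settings."""
    in_scope: set[str]
    allowed_to_reach: set[str] = field(default_factory=set)
    max_rps: int = 5                   # "Maximum Requests Per Second"
    window_start: time = time(0, 0)    # "Allowed Scanning Time" start
    window_end: time = time(23, 59)    # "Allowed Scanning Time" end

    def __post_init__(self) -> None:
        self.in_scope = {d.lower() for d in self.in_scope}
        self.allowed_to_reach = {d.lower() for d in self.allowed_to_reach}

    def classify(self, host: str) -> Verdict:
        host = host.lower().rstrip(".")
        # Assumption: a declared domain also covers its subdomains.
        def matches(domains: set[str]) -> bool:
            return any(host == d or host.endswith("." + d) for d in domains)
        if matches(self.in_scope):
            return Verdict.IN_SCOPE
        if matches(self.allowed_to_reach):
            return Verdict.ALLOWED_TO_REACH
        return Verdict.BLOCKED  # undeclared hosts are blocked by default

    def in_window(self, now: time) -> bool:
        # Supports windows that wrap past midnight, e.g. 22:00 to 04:00.
        if self.window_start <= self.window_end:
            return self.window_start <= now <= self.window_end
        return now >= self.window_start or now <= self.window_end

    def may_attack(self, host: str, now: time) -> bool:
        return self.classify(host) is Verdict.IN_SCOPE and self.in_window(now)


# Constructed sample configuration: one app in scope, its login provider
# reachable but not attacked, low request rate, overnight scanning window.
POLICY = ScopePolicy(in_scope={"app.example.com"}, allowed_to_reach={"auth.example.com"},
                     max_rps=5, window_start=time(22, 0), window_end=time(4, 0))
```

Note that a lookalike such as `app.example.com.attacker.net` does not match and stays blocked, which is the point of the default-deny rule.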

6. Select Assessment Type

Choose the assessment profile that matches your goal.

  • Regular Scan
    • Best for: Comprehensive audit
    • Output: Full PDF report usable for SOC 2 and ISO 27001 compliance.

  • Release Scan
    • Best for: CI/CD & deployments
    • Output: Quick check for low-hanging fruit.

  • Right-Sized
    • Best for: Large/complex applications
    • Output: Custom coverage & agent count.

7. Summary & Launch

Review your configuration and click Run Assessment to start the scan.

  • Cancellation Policy: If you realize you made a mistake or something went wrong in the run, you can cancel immediately after launch.

    • Note: If cancelled early, your credits will be automatically refunded.

Need help?

If the scanner is failing to authenticate or you're unsure about scoping, open the Intercom chat in the bottom right corner. Our team is here to help!
