Preparing for a Pentest

Before starting a pentest, you need to prepare your environment. These one-time steps ensure Aikido’s agents can safely access your app and perform a meaningful assessment without getting blocked.

Follow this checklist to get set up quickly.

1. Prepare a Test Environment

Run the pentest in a non-production environment (e.g. Staging) to avoid impacting live users.

  • Mirror Production: Ensure the setup matches your live architecture.

  • Safe Data: Use dummy data only. No real customer PII.

  • Fully Functional: Enable all features and integrations.

2. Allowlist Aikido IPs

Your security tools will likely block our testing agents. To prevent this, allowlist the Aikido IPs in:

  • Network Firewall: Allow inbound traffic.

  • WAF: Disable blocking and rate-limiting rules.

  • Bot Defense: Disable behavioral blocking and rate limits.

3. Prepare Test Accounts

Create dedicated test users in your staging environment so our agents can test authenticated paths.

  • Roles: Create at least one Admin and one Standard User to test for privilege escalation.

  • Multi-Tenancy: If applicable, create users in different tenants (e.g., Tenant A vs. Tenant B) to check for data leakage.

See guide: Setting Up Test Users

4. Connect Your Code

White box testing uncovers significantly deeper vulnerabilities. By connecting your source code repositories to Aikido, our agents gain full visibility into your application logic, enabling more accurate and impactful findings.

Recommended: Connect all repositories related to the application to Aikido.

See guide: Connect Your Repositories

Can’t connect your repositories? If direct repository access isn’t possible, you can still improve coverage by providing supporting materials such as API specifications or other internal documentation.

See guide: Leveraging Code and Documentation

5. Verify Ownership

To prevent abuse, we strictly require proof of ownership before launching attacks.

  • How to verify: Currently, this step is integrated into the pentest wizard. Start a new pentest and click through to the final step to find the DNS or File verification options.

Not sure? If you have complex auth flows or architectural constraints, hit the Intercom chat in the bottom right. We can help you prepare in real time.
