Preparing for a Pentest

Before starting a pentest, you need to prepare your environment. These one-time steps ensure Aikido’s agents can safely access your app and perform a meaningful assessment without getting blocked.

Follow this checklist to get set up quickly.

1. Prepare a Test Environment

Run the pentest in a non-production environment (e.g. Staging) to avoid impacting live users.

  • Mirror Production: Ensure the setup matches your live architecture.

  • Safe Data: Use dummy data only. No real customer PII.

  • Fully Functional: Enable all features and integrations.

2. Whitelist Aikido IPs

Your security tools will likely block our testing agents. To prevent this, whitelist the Aikido IPs in:

  • Network Firewall: Allow inbound traffic.

  • WAF: Disable blocking and rate-limiting rules.

  • Bot Defense: Disable behavioral blocking and rate limits.
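A pre-flight check for this step, added here as an example and not part of Aikido's own tooling: it confirms that every testing-agent IP is covered by at least one entry in the allowlist you pushed to your firewall, WAF and bot-defense tools, and flags entries that are wider than the agents need (an over-broad WAF or rate-limit exemption lets far more than the pentest through). The agent IPs, allowlist entries and prefix-width thresholds below are constructed placeholders; substitute the IP list Aikido publishes and the entries actually present in your configuration.

```python
import ipaddress

# Constructed placeholders (documentation ranges), not Aikido's real agent IPs.
AGENT_IPS = ["198.51.100.10", "198.51.100.11", "2001:db8:10::5"]
# Constructed placeholder allowlist, standing in for your firewall/WAF/bot-defense entries.
ALLOWLIST = ["198.51.100.0/28", "203.0.113.0/24", "2001:db8:10::/64"]

# Assumed local policy: anything wider than these prefixes is treated as
# over-broad for a pentest exemption and reported so it can be tightened.
MAX_WIDTH_V4 = 24
MAX_WIDTH_V6 = 64


def check_allowlist(agent_ips, allowlist):
    """Return which agent IPs are not covered and which entries are over-broad."""
    networks = [ipaddress.ip_network(entry, strict=False) for entry in allowlist]

    # An agent is covered when at least one network of the same IP version contains it.
    missing = [
        raw for raw in agent_ips
        if not any(ipaddress.ip_address(raw) in net for net in networks)
    ]

    # Entries with a shorter prefix than the policy allows exempt too much traffic.
    over_broad = [
        str(net) for net in networks
        if net.prefixlen < (MAX_WIDTH_V4 if net.version == 4 else MAX_WIDTH_V6)
    ]
    return {"missing": missing, "over_broad": over_broad}


def ready_to_start(agent_ips, allowlist):
    """True only when every agent is allowlisted and no entry is over-broad."""
    result = check_allowlist(agent_ips, allowlist)
    return not result["missing"] and not result["over_broad"]


if __name__ == "__main__":
    report = check_allowlist(AGENT_IPS, ALLOWLIST)
    for ip in report["missing"]:
        print(f"NOT allowlisted: {ip}")
    for net in report["over_broad"]:
        print(f"over-broad entry, tighten before testing: {net}")
    print("ready" if ready_to_start(AGENT_IPS, ALLOWLIST) else "fix allowlist first")
```

Run it against each tool's exported allowlist separately, since a gap in the bot-defense exemption will block the agents even when the network firewall is correct.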

3. Prepare Test Accounts

Create dedicated test users in your staging environment so our agents can test authenticated paths.

  • Roles: Create at least one Admin and one Standard User to test for privilege escalation.

  • Multi-Tenancy: If applicable, create users in different tenants (e.g., Tenant A vs. Tenant B) to check for data leakage.

See guide: Setting Up Authenticated Testing

4. Gather Context & Code

White-box testing finds deeper bugs than blind scanning. Gather these assets to give our agents full visibility:

  • Repositories: Ensure the repositories for the tested applications are connected to Aikido.

  • API Definitions: Have your OpenAPI/Swagger specs (JSON/YAML) or Postman collections ready.

  • Documentation: Prepare any architectural docs, user role definitions, or descriptions of complex business logic.

  • History: If you have PDF reports from previous pentests, we can use them to test for regressions.

See guide: Leveraging Code and Documentation

5. Verify Ownership

To prevent abuse, we strictly require proof of ownership before launching attacks.

  • How to verify: Currently, this step is integrated into the pentest wizard. Start a new pentest and click through to the final step to find the DNS or File verification options.

    Note: We are adding a dedicated page for this soon.

Not sure? If you have complex auth flows or architectural constraints, hit the Intercom chat in the bottom right. We can help you prepare in real time.
