Preparing Your Application for an AI Pentest

Before starting an AI Pentest, you need to prepare your environment. These one-time steps ensure Aikido’s agents can safely access your app and perform a meaningful assessment without getting blocked.

Follow this checklist to get set up quickly.

1. Prepare a Test Environment

Run the pentest in a non-production environment (e.g. Staging) to avoid impacting live users.

  • Mirror Production: Ensure the setup matches your live architecture.

  • Safe Data: Use dummy data only. No real customer PII.

  • Fully Functional: Enable all features and integrations.

2. Verify Ownership

To prevent abuse, we strictly require proof of ownership before launching attacks.

  • How to verify: Currently, this step is integrated into the pentest wizard. Start a new pentest and click through to the final step to find the DNS or File verification options.

    Note: We are adding a dedicated page for this soon.

3. Whitelist Aikido IPs

Your security tools will likely block our testing agents. To prevent this, whitelist the Aikido IPs in:

  • Network Firewall: Allow inbound traffic.

  • WAF: Disable blocking and rate-limiting rules.

  • Bot Defense: Disable behavioral blocking and rate limits.
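
One way to check the step 3 exceptions before the test starts, as an added example (not Aikido's code): it audits an exported list of allowlist rules and reports layers where an agent IP is still missing, rules that admit more than the agent IPs, and rules applied outside staging. The IPs are constructed placeholders from documentation ranges, and the rule format (`layer`, `cidr`, `environment`) is a hypothetical export, not a real product schema.

```python
import ipaddress

# Constructed placeholders (RFC 5737 documentation ranges). The real agent
# addresses are not listed on this page and must be taken from Aikido.
VENDOR_IPS = ["203.0.113.10", "203.0.113.11", "198.51.100.7"]
LAYERS = ("firewall", "waf", "bot_defense")  # the three places named in step 3

# Constructed sample export; the field names are an assumption for this example.
SAMPLE_RULES = [
    {"layer": "firewall", "cidr": "203.0.113.10/32", "environment": "staging"},
    {"layer": "firewall", "cidr": "203.0.113.11/32", "environment": "staging"},
    {"layer": "firewall", "cidr": "198.51.100.7/32", "environment": "staging"},
    {"layer": "waf", "cidr": "203.0.113.0/24", "environment": "staging"},
    {"layer": "waf", "cidr": "198.51.100.7/32", "environment": "production"},
    {"layer": "bot_defense", "cidr": "203.0.113.10/31", "environment": "staging"},
]

def audit_allowlist(rules, vendor_ips=VENDOR_IPS, layers=LAYERS):
    """Return sorted (kind, layer, detail) findings; an empty list means every
    layer admits every agent IP, nothing else, and only in staging."""
    vendor = [ipaddress.ip_address(ip) for ip in vendor_ips]
    covered = {layer: set() for layer in layers}
    findings = []
    for rule in rules:
        layer, cidr = rule["layer"], rule["cidr"]
        if rule["environment"] != "staging":
            # Exceptions for the test must never be applied to production.
            findings.append(("wrong-environment", layer, cidr))
            continue
        net = ipaddress.ip_network(cidr, strict=False)
        inside = {ip for ip in vendor if ip in net}
        # The rule admits addresses that are not agent IPs.
        if net.num_addresses > len(inside):
            findings.append(("over-broad", layer, cidr))
        if layer in covered:
            covered[layer] |= inside
    for layer in layers:
        for ip in vendor:
            if ip not in covered[layer]:
                # The agent would still be blocked at this layer.
                findings.append(("missing", layer, str(ip)))
    return sorted(findings)

if __name__ == "__main__":
    for finding in audit_allowlist(SAMPLE_RULES):
        print(*finding)
```
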

4. Prepare Test Accounts

Create dedicated test users in your staging environment so our agents can test authenticated paths.

  • Roles: Create at least one Admin and one Standard User to test for privilege escalation.

  • Multi-Tenancy: If applicable, create users in different tenants (e.g., Tenant A vs. Tenant B) to check for data leakage.

See guide: Setting Up Authenticated Testing

5. Gather Context & Code

White-box testing finds deeper bugs than blind scanning. Gather these assets to give our agents full visibility:

  • Repositories: Ensure the repositories for the tested applications are connected to Aikido.

  • API Definitions: Have your OpenAPI/Swagger specs (JSON/YAML) or Postman collections ready.

  • Documentation: Prepare any architectural docs, user role definitions, or descriptions of complex business logic.

  • History: If you have PDF reports from previous pentests, we can use them to test for regressions.

See guide: Leveraging Code and Documentation

Not sure? If you have complex auth flows or architectural constraints, hit the Intercom chat in the bottom right. We can help you prepare in real time.
