Safety measures
To minimise the impact the pentest can have on your environment, the following safety mechanisms are in place.
We strongly recommend launching the pentest in a staging, test or otherwise isolated environment.
Preventing pentests outside of intended scope
By design, the pentesting agents cannot reach domains that have not been explicitly approved during the setup of the pentest. Two security boundaries are in place:
Attackable domains: Domains that can be actively attacked during the pentest.
Reachable domains: Domains that must not be actively attacked but that the agents are allowed to reach.
In the example configuration below, the pentesting agents can reach "portal.attack-me.com", "api.attack-me.com" and "login.attack-me.com" but will not attack "login.attack-me.com". All other domains are blocked.
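The following is an added example of how such a two-tier scope boundary can be enforced in code. It is not the vendor's own implementation or configuration format: it reuses the three hostnames from the example above, assumes exact hostname matching (no wildcard or apex matching) and denies everything that is not on one of the two lists.

```python
"""Scope enforcement for a pentest run: attackable vs. reachable vs. blocked.

Added illustration, not the vendor's own code. The hostnames are the ones from
the page's example; the policy model (exact-match allowlists, deny by default)
is an assumption about how such a boundary could be enforced.
"""
from dataclasses import dataclass
from enum import Enum
from urllib.parse import urlsplit


class Verdict(Enum):
    ATTACK = "attack"    # active testing allowed
    REACH = "reach"      # plain requests allowed, no active attacks
    BLOCKED = "blocked"  # outside scope: no traffic at all


@dataclass(frozen=True)
class ScopePolicy:
    attackable: frozenset
    reachable: frozenset

    @staticmethod
    def _host(target: str) -> str:
        # Accept either a full URL or a bare host[:port]; normalise case and a trailing dot.
        if "://" in target:
            host = urlsplit(target).hostname or ""
        else:
            host = target.split("/", 1)[0].split(":", 1)[0]
        return host.rstrip(".").lower()

    def classify(self, target: str) -> Verdict:
        host = self._host(target)
        if host in self.attackable:
            return Verdict.ATTACK
        if host in self.reachable:
            return Verdict.REACH
        return Verdict.BLOCKED  # deny by default: unlisted hosts get no traffic

    def permits(self, target: str, *, active: bool) -> bool:
        """True if a request to `target` may be sent; `active` marks an attack payload."""
        verdict = self.classify(target)
        if verdict is Verdict.BLOCKED:
            return False
        if active and verdict is not Verdict.ATTACK:
            return False  # reachable-only hosts accept ordinary requests, never attacks
        return True


# Sample policy built from the hostnames in the page's example.
EXAMPLE_POLICY = ScopePolicy(
    attackable=frozenset({"portal.attack-me.com", "api.attack-me.com"}),
    reachable=frozenset({"login.attack-me.com"}),
)


def filter_requests(policy: ScopePolicy, planned):
    """Split planned (url, is_attack) pairs into those the policy allows and those it drops."""
    allowed, dropped = [], []
    for url, is_attack in planned:
        bucket = allowed if policy.permits(url, active=is_attack) else dropped
        bucket.append((url, is_attack))
    return allowed, dropped


if __name__ == "__main__":
    # Constructed sample of planned requests, including one out-of-scope host.
    planned = [
        ("https://api.attack-me.com/v1", True),
        ("https://login.attack-me.com/", True),
        ("https://login.attack-me.com/", False),
        ("https://cdn.example.net/asset.js", False),
    ]
    ok, no = filter_requests(EXAMPLE_POLICY, planned)
    print("allowed:", ok)
    print("dropped:", no)
```

The check is deliberately applied per request rather than once per target list, so that a redirect or a link discovered during the run to a host outside the approved lists is dropped at the moment it would be followed, which is where scope creep actually happens.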

Cancel pentest any time
In case anything goes wrong during the pentest, it can be cancelled at any time. Cancelling terminates all ongoing actions and stops the pentest completely.
Mitigating high server load
To minimize potential impact due to server load, the setup lets you configure the maximum number of requests per second the pentest generates and choose whether it runs inside or outside of business hours.
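As an added example of how these two load controls fit together (not the vendor's implementation), the block below combines a token-bucket limiter capped at a configured requests-per-second value with a business-hours window that the run can be told to avoid. The rate, burst size, 09:00-17:00 weekday window and the fixed UTC+1 offset are constructed sample values.

```python
"""Load control for a scheduled pentest: a requests-per-second ceiling plus a
business-hours window the run must honour.

Added illustration, not the vendor's own code. Time is integer milliseconds and
the bucket holds milli-tokens, so the arithmetic is exact and the limit cannot
drift through floating-point rounding.
"""
from datetime import datetime, time, timezone, tzinfo


class TokenBucket:
    """Admits on average at most `rate` requests per second, with bursts up to `burst`."""

    def __init__(self, rate: int, burst: int, now_ms: int):
        self.rate = rate                 # requests per second == milli-tokens per millisecond
        self.capacity = burst * 1000     # milli-tokens
        self.tokens = self.capacity      # start full so the first burst is allowed
        self.last_ms = now_ms

    def try_acquire(self, now_ms: int) -> bool:
        """Consume one request's worth of tokens if available; never blocks."""
        elapsed = max(0, now_ms - self.last_ms)
        self.last_ms = now_ms
        self.tokens = min(self.capacity, self.tokens + elapsed * self.rate)
        if self.tokens >= 1000:
            self.tokens -= 1000
            return True
        return False


def in_business_hours(ts: datetime, *, start: time = time(9, 0), end: time = time(17, 0),
                      tz: tzinfo = timezone.utc, workdays=range(0, 5)) -> bool:
    """True if `ts` falls on a workday between `start` and `end` in the target's local zone."""
    local = ts.astimezone(tz)
    return local.weekday() in workdays and start <= local.time() < end


def may_send(bucket: TokenBucket, wall: datetime, now_ms: int, *,
             allow_business_hours: bool, tz: tzinfo = timezone.utc) -> bool:
    """Gate a single request: schedule window first (no token spent), then the rate limit."""
    if not allow_business_hours and in_business_hours(wall, tz=tz):
        return False
    return bucket.try_acquire(now_ms)


def simulate(rate: int, burst: int, duration_ms: int, interval_ms: int) -> int:
    """Drive a bucket with a fake clock, one attempt every `interval_ms`; return how many were admitted."""
    bucket = TokenBucket(rate, burst, now_ms=0)
    return sum(1 for t in range(0, duration_ms, interval_ms) if bucket.try_acquire(t))


if __name__ == "__main__":
    # A scanner firing 100 attempts/s against a 5 rps, burst-5 limit for 2 s
    # gets the burst plus roughly 5 per elapsed second.
    print("admitted in 2 s:", simulate(rate=5, burst=5, duration_ms=2000, interval_ms=10))
    wed_10 = datetime(2024, 3, 13, 10, 0, tzinfo=timezone.utc)  # constructed Wednesday timestamp
    print("Wednesday 10:00 UTC is business hours:", in_business_hours(wed_10))
```

Checking the schedule window before touching the bucket matters: a request refused for being inside business hours should not consume a token, otherwise the limiter would be starved by attempts that were never going to be sent.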