Setting Up Authenticated Testing

Most critical vulnerabilities—IDORs, privilege escalations, logic bugs—live behind your login screen. To find them, Aikido’s AI Pentest agent needs access.

Unlike legacy tools that require complex Selenium scripts or proxy recordings, Aikido uses an LLM-driven approach. You simply tell the agent how to log in using natural language, just like you would explain it to a human QA tester.

Here is how to configure your authentication sets.

1. Create an Authentication Set

  1. Click Add Authentication Set.

  2. Name: Give this set a descriptive name (e.g., Admin Credentials, Read-Only User, Tenant A - Manager).

We recommend setting up multiple personas to test for Broken Access Control (BAC) between different privilege levels.

2. Provide Login Instructions

This is the most important step. In the Authentication instructions field, provide a step-by-step text description of your login flow.

The AI agent parses this to navigate your specific UI quirks. Be explicit.

Example format:

Navigate to staging.app.com/login

Click on "Log in with Username"

Enter username: pentest_admin

Enter password: super_secure_password_123

Click the "Sign In" button

The AI agent is equipped to solve standard Captchas automatically. You do not need to disable these for the scan or provide specific instructions for them.

3. Test the Configuration

Finally, verify that the agent can interpret your instructions:

  1. Click Save & Test.

  2. The agent will launch a browser session and attempt to log in using the credentials and the login and inbox instructions you provided.

  3. If successful, you will see a confirmation that the agent authenticated and reached the post-login state.

Advanced Login Flows

If your application requires more than a simple username and password, use our specialized tools:

Best Practices

  • Don’t use Production Credentials: Always run pentests on a Staging or QA environment. The scanner performs intrusive tests that can corrupt data.

  • Create Dedicated Test Accounts: Do not use personal developer accounts. Create specific accounts for the scanner, for example a dedicated mailbox used only by the pentest agent, so that lockouts, password resets and audit-log noise never touch a real user.

  • Cover All Tenants: If your app is multi-tenant, add credentials for users in different tenants (e.g., User - Tenant A, User - Tenant B). This allows the AI to test for cross-tenant data leakage.
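The value of configuring several authentication sets (different privilege levels, different tenants) is that the same resource can be replayed under every persona and any response the authorization policy forbids becomes a finding. The script below is an added example, not Aikido's code and not how its agent works internally: it stands in a small in-memory application (invoices scoped to tenants A and B, an admin-only export endpoint) for the real target, one variant with an IDOR and one with the tenant check enforced, and runs the differential check across the three personas you would configure above. All names, paths and data in it are constructed for illustration.

```python
"""Differential access check across personas (added example, not Aikido's code).

A fake in-memory app stands in for the target; `differential_check` replays
every resource under every persona and reports 2xx responses that the
intended authorization policy does not allow.
"""
from dataclasses import dataclass
from typing import Callable, Dict, List, Tuple


@dataclass(frozen=True)
class Persona:
    name: str
    tenant: str
    role: str  # "admin" or "user"


# Constructed sample data standing in for the target's database.
INVOICES: Dict[int, Dict[str, object]] = {
    101: {"tenant": "A", "amount": 1200},
    102: {"tenant": "A", "amount": 340},
    201: {"tenant": "B", "amount": 999},
}

# The personas you would configure as separate authentication sets (hypothetical names).
PERSONAS: List[Persona] = [
    Persona("Admin - Tenant A", "A", "admin"),
    Persona("User - Tenant A", "A", "user"),
    Persona("User - Tenant B", "B", "user"),
]

# Resources discovered while crawling as any one persona (constructed).
RESOURCES: List[str] = [f"/invoices/{i}" for i in sorted(INVOICES)] + ["/admin/export"]


def _invoice_id(path: str) -> int:
    return int(path.rsplit("/", 1)[1])


def policy_allows(persona: Persona, path: str) -> bool:
    """Intended authorization: invoices are tenant-scoped, export is admin-only."""
    if path == "/admin/export":
        return persona.role == "admin"
    return INVOICES[_invoice_id(path)]["tenant"] == persona.tenant


def vulnerable_app(persona: Persona, path: str) -> int:
    """Simulated target with an IDOR: invoices check authentication only, never the tenant."""
    if path == "/admin/export":
        return 200 if persona.role == "admin" else 403
    return 200 if _invoice_id(path) in INVOICES else 404


def fixed_app(persona: Persona, path: str) -> int:
    """Same target with the tenant check enforced on every invoice read."""
    if path == "/admin/export":
        return 200 if persona.role == "admin" else 403
    invoice = INVOICES.get(_invoice_id(path))
    if invoice is None:
        return 404
    return 200 if invoice["tenant"] == persona.tenant else 403


def differential_check(
    app: Callable[[Persona, str], int],
    personas: List[Persona],
    resources: List[str],
) -> List[Tuple[str, str, int]]:
    """Replay each resource under each persona; return (persona, path, status)
    for every successful response the policy says should have been denied."""
    findings: List[Tuple[str, str, int]] = []
    for persona in personas:
        for path in resources:
            status = app(persona, path)
            if 200 <= status < 300 and not policy_allows(persona, path):
                findings.append((persona.name, path, status))
    return findings


if __name__ == "__main__":
    for label, app in (("vulnerable", vulnerable_app), ("fixed", fixed_app)):
        print(f"{label}:")
        for name, path, status in differential_check(app, PERSONAS, RESOURCES):
            print(f"  {name} reached {path} (HTTP {status}) but policy forbids it")
```

With a single persona none of these findings are reachable: a lone Tenant A user can read every invoice that belongs to Tenant A and nothing looks wrong. Only when Tenant B's user (or the lower-privileged role) replays the same URLs does the missing tenant check show up, which is why the recommendation is to add one authentication set per privilege level and per tenant.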

Troubleshooting

Authentication is verified during the preflight check immediately after launch. You can watch the agent's screen in real-time to see if it succeeds.

If the agent fails to log in:

  • Inspect the failure: Check the agent's screenshots in the error log to see exactly where it got stuck.

  • Sanity check steps: Walk through your provided instructions manually in an incognito window. If you skipped a step or a button is unclear, the agent might struggle.

  • Check accessibility: Is the URL reachable from the public internet? (Check your IP whitelisting).

  • Account status: Ensure the test user hasn't been locked out.
