# Preparing for a Pentest

Before starting a pentest, you need to prepare your environment. These one-time steps ensure Aikido’s agents can safely access your app and perform a meaningful assessment without getting blocked.

Follow this checklist to get set up quickly.

{% stepper %}
{% step %}

### Prepare a Test Environment

Run the pentest in a non-production environment (e.g. Staging) to avoid impacting live users.

* **Mirror Production:** Ensure the setup matches your live architecture.
* **Safe Data:** Use synthetic or anonymised data only. Never load a copy of the production database containing real customer PII: the test deliberately exercises data-extraction paths.
* **Fully Functional:** Enable all features and integrations. Point third-party integrations (payments, email, SMS) at their sandbox endpoints so the test cannot trigger real transactions or messages.
{% endstep %}

{% step %}

### Whitelist Aikido IPs

Your security tools will likely block our testing agents. To prevent this, whitelist the [Aikido IPs](https://help.aikido.dev/~/revisions/SGhJfnCIOpxRjx1gC1k5/pentests/ip-addresses-for-pentest) in:

* **Network Firewall:** Allow inbound traffic from the Aikido IPs to the hosts and ports of the application under test.
* **WAF:** Exempt the Aikido IPs from blocking and rate-limiting rules. Scope the exemption to those source IPs rather than disabling the WAF for the whole environment.
* **Bot Defense:** Exempt the Aikido IPs from behavioral blocking, challenges and rate limits, again scoped to those source IPs only.
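A quick way to confirm the exemptions actually took effect is to look in your access logs for requests from the scanner ranges that were answered with 403 or 429, the usual signatures of a firewall, WAF or rate limiter getting in the way. The script below is an added example, not part of this page or of Aikido's tooling: the CIDRs are RFC 5737 documentation ranges standing in for the published Aikido IP list (replace them with the real list), the log format is assumed to be nginx "combined", and the log lines are constructed.

```python
"""Find requests from the pentest agents' IPs that were blocked.

Added example, not Aikido's own tooling. SCANNER_RANGES uses RFC 5737
documentation prefixes as stand-ins for the published Aikido IP list;
replace them with the real list. The log format assumed is nginx
"combined"; the sample lines are constructed.
"""
import ipaddress
import re
from collections import Counter

# Assumption: placeholders for the Aikido IP list (RFC 5737 ranges).
SCANNER_RANGES = [ipaddress.ip_network(c) for c in ("192.0.2.0/24", "198.51.100.0/24")]

# Status codes that usually mean a firewall, WAF or rate limiter intervened.
BLOCK_STATUSES = {403, 429}

# nginx "combined" format: ip ident user [time] "method path proto" status size ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)

# Constructed sample: two scanner requests blocked, one scanner request served,
# one unrelated client blocked (must not be reported).
SAMPLE_LOG = """\
192.0.2.10 - - [01/Jan/2025:10:00:01 +0000] "GET /api/users HTTP/1.1" 403 153 "-" "AikidoScanner/1.0"
192.0.2.10 - - [01/Jan/2025:10:00:02 +0000] "GET /api/users?id=2 HTTP/1.1" 200 512 "-" "AikidoScanner/1.0"
198.51.100.7 - - [01/Jan/2025:10:00:03 +0000] "POST /login HTTP/1.1" 429 0 "-" "AikidoScanner/1.0"
203.0.113.5 - - [01/Jan/2025:10:00:04 +0000] "GET /admin HTTP/1.1" 403 153 "-" "curl/8.0"
"""


def is_scanner_ip(ip: str) -> bool:
    """True if the address falls inside one of the allow-listed scanner ranges."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in SCANNER_RANGES)


def find_blocked(log_text: str) -> list:
    """Return entries where a scanner IP received a blocking status code."""
    blocked = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines in another format instead of aborting the run
        status = int(m["status"])
        if status in BLOCK_STATUSES and is_scanner_ip(m["ip"]):
            blocked.append({"ip": m["ip"], "path": m["path"], "status": status})
    return blocked


def summarize(blocked: list) -> Counter:
    """Count blocks per (ip, status) so the responsible control is easier to spot."""
    return Counter((b["ip"], b["status"]) for b in blocked)


if __name__ == "__main__":
    hits = find_blocked(SAMPLE_LOG)
    if not hits:
        print("No blocked scanner requests found in the log")
    for (ip, status), n in summarize(hits).items():
        print(f"{ip} got HTTP {status} {n} time(s): check firewall/WAF/bot rules for that range")
```

Run it against a real log with `find_blocked(open("access.log").read())`. A 403 from the scanner is only a problem when it comes from a security control rather than the application's own authorisation checks, so cross-check hits against your WAF or bot-defense event log before loosening anything further; a clean result from the edge layer is also no guarantee that the bot-defense product in front of it is not serving challenges, which is why the exemption needs to be set in every layer the page lists.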
{% endstep %}

{% step %}

### Prepare Test Accounts

Create dedicated test users in your staging environment so our agents can test authenticated paths.

* **Roles:** Create at least one **Admin** and one **Standard User** to test for vertical privilege escalation, and ideally two Standard Users so access to another user's data (horizontal escalation) can be tested as well.
* **Multi-Tenancy:** If applicable, create users in different tenants (e.g., Tenant A vs. Tenant B) to check for data leakage.

**See guide:** [setting-up-authenticated-testing](https://help.aikido.dev/~/revisions/SGhJfnCIOpxRjx1gC1k5/pentests/setting-up-authenticated-testing "mention")
{% endstep %}

{% step %}

### Gather Context & Code

White-box testing finds deeper bugs than black-box scanning because the agents can see the code and logic behind each endpoint. Gather these assets to give them full visibility:

* **Repositories:** Ensure the repositories for the tested applications are connected to Aikido.
* **API Definitions:** Have your OpenAPI/Swagger specs (JSON/YAML) or Postman collections ready.
* **Documentation:** Prepare any architectural docs, user role definitions, or descriptions of complex business logic.
* **History:** If you have PDF reports from previous pentests, we can use them to test for regressions.

**See guide:** [leveraging-code-and-documentation](https://help.aikido.dev/~/revisions/SGhJfnCIOpxRjx1gC1k5/pentests/leveraging-code-and-documentation "mention")
{% endstep %}

{% step %}

### Verify Ownership

To prevent abuse, we strictly require proof that you own or are authorised to test the target before any attacks are launched against it.

* **How to verify:** Currently, this step is integrated into the pentest wizard. Start a new pentest and click through to the final step to find the DNS or File verification options.

*Note: We are adding a dedicated page for this soon.*
{% endstep %}
{% endstepper %}

**Not sure?** If you have complex auth flows or architectural constraints, hit the Intercom chat in the bottom right. We can help you prepare in real time.
