Set Execution Options
Configure pentest mode, scheduling, stop conditions, compliance, and AI guidance.
When creating a pentest (Step 4: Settings), you can fine-tune how the test runs.
Pentest mode
| Mode | Behaviour |
|---|---|
| Safe | Read-only reconnaissance and analysis — no active exploitation |
| Full | All techniques including active exploit validation with proof-of-concept |
Use Safe mode for initial assessments or sensitive production environments. Use Full for thorough testing.
Scheduling
| Type | Behaviour |
|---|---|
| One-time | Runs once immediately |
| Recurring | Repeats on a schedule: hourly, daily, weekly, monthly, or custom |
Recurring tests automatically launch at the configured interval, keeping your security posture continuously assessed.
Stop conditions
Control when the test should stop:
| Condition | Behaviour |
|---|---|
| On verified critical | Stop as soon as a critical finding is confirmed |
| On verified high or critical | Stop on any high or critical finding |
| On report only | Never stop early — run all phases to completion |
Budget caps
Set limits on test resource usage:
- Never stop — no budget cap
- On verified critical — cap spend after critical finding
- On verified high or critical — cap spend after high+ finding
Compliance frameworks
Optionally select compliance frameworks to guide the test:
- OWASP Top 10 (2021)
- PCI DSS v4.0
- SOC 2 Type II
- NIST CSF
- ISO 27001
The agent factors these into its approach, and findings are mapped to the relevant controls.
Test objective
Set a high-level objective to steer the agent toward a specific goal. The objective is injected into every phase prompt, shaping how the agent approaches reconnaissance, analysis, and exploitation.
Examples:
- "Find and extract the flag hidden in the application"
- "Focus on authentication and authorization vulnerabilities"
- "Prioritise testing the payment processing workflow"
The objective field supports up to 2,000 characters.
AI reasoning instructions
Provide custom instructions to guide the AI agent's behaviour. For example:
- "Focus on authentication and authorization testing"
- "Pay extra attention to the /api/v2 endpoints"
- "The application uses a custom token format in the X-Session header"
Notifications (Step 5)
Configure how you're notified of results:
| Channel | Description |
|---|---|
| Email | Notification sent to specified email addresses |
| Webhook | HTTP POST to your endpoint |
| Slack | Message to a Slack channel via webhook URL |
For each channel, set a severity threshold: critical only, high+, or all findings.

