
Creating a Test

Step-by-step guide to configuring and launching a penetration test.

Creating a new pentest

  1. Navigate to Pentests in the dashboard sidebar
  2. Click New Pentest
  3. Fill in the test configuration

Test configuration

Target

Enter the primary URL, IP address, or hostname of the system you want to test. You can provide up to 10 seed targets — CodeWall will use all of them as starting points for reconnaissance. For a single application, one target is usually sufficient. Use multiple seeds when you have several related domains or subdomains to cover.

Test type

Select the type of test you want to run:

  • Surface Discovery — maps your external attack surface from a domain or company name
  • Full Blackbox — tests a target with no prior knowledge, simulating an external attacker
  • Scoped Blackbox — tests multiple specific targets (domains, URLs, IPs, endpoints)
  • Authenticated (Gray Box) — tests with provided credentials to access authenticated areas
  • MCP Server Security — tests MCP servers for injection and access control vulnerabilities
  • LLM App / Chatbot — tests LLM-powered apps for prompt injection and guardrail bypasses

Scope

Define the boundaries of the test:

  • Included hosts — domains and subdomains the agent is allowed to interact with
  • Excluded paths — specific URLs or patterns to avoid
  • Excluded methods — HTTP methods to restrict (e.g., block DELETE requests)

See Safety & Guardrails for more on scope configuration.
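
A local pre-flight check for a draft scope, as an added example that is not CodeWall code or its API. The dictionary keys, glob-style path patterns, and subdomain matching are assumptions made here to show how the three scope rules combine and to catch a seed target that falls outside the included hosts.

```python
from fnmatch import fnmatchcase
from urllib.parse import urlsplit

MAX_SEEDS = 10  # seed-target limit stated in the Target section

# Constructed sample scope; key names are hypothetical, not CodeWall's.
SCOPE = {
    "included_hosts": ["app.example.com", "api.example.com"],
    "excluded_paths": ["/admin/*", "/billing/cancel"],
    "excluded_methods": ["DELETE"],
}

def host_in_scope(host, included_hosts):
    """Exact match or subdomain of an included host (assumed semantics)."""
    host = host.lower().rstrip(".")
    included = [h.lower() for h in included_hosts]
    # Compare on a label boundary so "notapp.example.com" does not match.
    return any(host == h or host.endswith("." + h) for h in included)

def allowed(method, url, scope):
    """Return (ok, reason) for one request checked against the draft scope."""
    parts = urlsplit(url)
    if not host_in_scope(parts.hostname or "", scope["included_hosts"]):
        return False, "host not included"
    if method.upper() in {m.upper() for m in scope["excluded_methods"]}:
        return False, "method excluded"
    path = parts.path or "/"
    if any(fnmatchcase(path, pat) for pat in scope["excluded_paths"]):
        return False, "path excluded"
    return True, "in scope"

def preflight(seeds, scope):
    """List problems in a draft configuration before entering it."""
    problems = []
    if not 1 <= len(seeds) <= MAX_SEEDS:
        problems.append(f"{len(seeds)} seed targets; expected 1 to {MAX_SEEDS}")
    for seed in seeds:
        url = seed if "://" in seed else "https://" + seed
        ok, reason = allowed("GET", url, scope)
        if not ok:
            problems.append(f"seed {seed}: {reason}")
    return problems

if __name__ == "__main__":
    print(allowed("DELETE", "https://api.example.com/v1/users/7", SCOPE))
    print(preflight(["app.example.com", "staging.example.com"], SCOPE))
```

Running a list of known-sensitive URLs through `allowed` before launch shows which scope rule, if any, would keep each one out of the test.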

Depth

Control how aggressively the agent tests:

  • Standard — balanced approach suitable for most environments
  • Thorough — deeper testing with more complex exploit chains
  • Light — quick surface-level assessment

Launching the test

Once configured, click Start Pentest. The test will appear in your pentests list with a status indicator showing the current phase (Recon, Analysis, Exploit, or Report).

If your target uses a WAF, firewall, or IP allowlist, ensure CodeWall's IPs are allowlisted before launching. See Configure Server Access.

Monitoring progress

Click on an active test to see real-time progress:

  • Live agent activity log
  • Discovered assets and endpoints
  • Findings as they are identified
  • Current phase and estimated completion