> For the complete documentation index, see [llms.txt](https://copilot-docs.bugbase.ai/llms.txt). Markdown versions of documentation pages are available by appending `.md` to page URLs; this page is available as [Markdown](https://copilot-docs.bugbase.ai/enterprise/readme.md).

# Overview

Pentest Copilot Enterprise helps security teams run repeatable external and internal security assessments from one control plane. The platform combines target scoping, agent-based execution, browser automation, exploit-graph analysis, validated findings, retesting, scheduling, reporting, and API/MCP automation.

<figure><img src="/files/aBhxDiWdefswIZWal0bF" alt=""><figcaption></figcaption></figure>

## What Pentest Copilot Runs

| Assessment type           | What it covers                                                                                                                                | Typical operator input                                                                                                              |
| ------------------------- | --------------------------------------------------------------------------------------------------------------------------------------------- | ----------------------------------------------------------------------------------------------------------------------------------- |
| **External Discovery**    | Domains, subdomains, web pages, APIs, services, exposed cloud objects, and other internet-facing assets.                                      | Root domain, optional discovery depth, optional authenticated browser sessions.                                                     |
| **External Assessment**   | Contextual web and API vulnerability testing, authenticated and unauthenticated user flows, attack-path construction, and finding validation. | Target domains, authentication mode, browser sessions, attack vectors, rate limits, trajectory scope, and browser controls.         |
| **Code Assessment**       | Source-code vulnerability review, open-source dependency risk, leaked secrets, business logic and authorization review, SBOM, and AI-BOM.     | GitHub App connection, repository selection, branch or commit, scan checks, automation triggers, branch filters, and auto-fix mode. |
| **Internal Discovery**    | Internal hosts and services reachable from a deployed agent.                                                                                  | Connected local agent and authorized subnet/CIDR scope.                                                                             |
| **Internal Assessment**   | Active Directory, host, credential, delegation, ADCS, lateral movement, and selected exploit validation paths.                                | Subnets, agent assignment, allowed exploit families, exclusions, PCE Intercept/Inveigh settings, and RCE safety controls.           |
| **Credential Compromise** | Credential collection and attack-path workflows for tenants with the credential-compromise module enabled.                                    | Module-specific inputs and approved scope.                                                                                          |

## Product Layout

The left sidebar is the main navigation. Enterprise onboarding uses these areas:

| Section       | Purpose                                                                                                                                                                             |
| ------------- | ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
| **Dashboard** | Guided six-phase launch path, mission status, exploit graph, target entities, agents, and MITRE ATT\&CK mapping.                                                                    |
| **Modules**   | Configure and run discovery, assessment, code assessment, credential-compromise, custom, and retest workflows.                                                                      |
| **Activity**  | Track running and historical modules, submodules, logs, and schedules.                                                                                                              |
| **Reports**   | Generate executive and comprehensive PDF reports.                                                                                                                                   |
| **Settings**  | Configure usage, account/team, domains, domain verification, external assessment defaults, agents, API keys and MCP, integrations, email identities, debug tools, and trajectories. |

## Recommended First Enterprise Run

1. Sign in to the deployment and confirm your user role has access to scans, reports, settings, and API keys as needed.
2. Open **Settings -> Domains** and add the approved root domains.
3. Verify domain ownership from **Settings -> Domain Verification** when required.
4. Confirm at least one execution worker is available:
   * external scans need a SANDBOX runner, either managed for your deployment or attached to your environment;
   * internal scans need a local AGENT that can route to the target subnet.
5. Record browser sessions for each important authenticated role.
6. Run **External Discovery Phase** before an external attack phase unless the target surface is already mapped.
7. Review discovery output, then run **External Attack Phase** with the needed authentication modes, attack vectors, rate limits, and trajectory scope.
8. For source-code review, connect the GitHub App, select repositories from **Modules -> Code Assessment**, and run the default branch or a specific branch/commit.
9. For internal testing, run internal discovery first, then use the internal attack phase page to select subnets, agents, allowed exploits, and exclusions.
10. Monitor **Activity**, triage **Attack Paths**, review SBOM/AI-BOM exports where applicable, and generate a report from **Reports**.

{% hint style="warning" %}
Pentest Copilot enforces scan launch policy. API keys, MCP clients, and UI actions cannot bypass permissions, feature access, usage/credit state, scope controls, or agent availability.
{% endhint %}

## Important Safety Concepts

* **Whitelist and blacklist rules** keep external testing inside approved domain and trajectory scope.
* **Rate limits** and auto-calibration help avoid overwhelming fragile targets or triggering rate limits.
* **Browser-session readiness** prevents authenticated scans from starting with expired or incomplete login state.
* **Code Assessment branch selection** makes clear whether the run uses the default branch, a selected branch/commit, a pull request head branch, or a push branch filter.
* **SBOM and AI-BOM exports** help teams review software dependencies and AI/LLM usage in source repositories.
* **Internal exploit selection** is explicit per subnet. Some categories can change AD, ADCS, host, credential, or ticket state.
* **PCE Intercept/Inveigh** is opt-in per subnet and binds only to selected agent interfaces.
* **Max module runtime** can cancel remaining submodules when a configured runtime limit is reached.

{% content-ref url="/pages/m0MFk64j3GzxywJZ70vv" %}
[Scan Noise and Safety](/enterprise/scan-noise-and-safety.md)
{% endcontent-ref %}

Please contact <queries@bugbase.ai> for onboarding, deployment, or engagement-specific questions.
