Settings

The Settings section of Pentest Copilot Enterprise provides several options to configure scans, usage details, integrations, and overall app configuration.

Usage

Credits

Credits represent the total number of scan runtime hours available to your account. These credits determine how long you can operate and execute scans.

Key Features:

  • View your total available credits

  • Monitor runtime hours you have consumed

  • Track remaining scan time

  • Credits are consumed based on actual scan execution time

Example: If you have 100 credits, this equals 100 hours of total scan runtime across all your assessments.

Usage Timeline

The Usage Timeline feature provides visibility into your historical scan activity and credit consumption patterns.

Key Features:

  • Filter scan runtime by custom date ranges

  • View detailed breakdown of past scan activity

  • Track credit consumption over time

  • Analyze usage patterns to optimize scan scheduling

Use the date range selector to view specific periods and understand how your credits have been utilized.


External Assessment Settings

Rate Limit

The Rate Limit setting controls the maximum number of HTTP requests per second that the scanner will send to the target application during an assessment.

Purpose:

  • Prevent overwhelming target systems

  • Avoid triggering rate-based security defenses (WAF, IPS)

  • Ensure stable and controlled testing

  • Comply with target system capacity constraints

Example: Setting a rate limit of 15 requests/second ensures the scanner sends no more than 15 HTTP requests per second to the target application; requests that would exceed the limit are delayed, not dropped.
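To make the effect of this setting concrete, the following added example (not Pentest Copilot's own code) implements a sliding-window limiter of the kind a scanner would place in front of its HTTP client. It assumes a hypothetical `RateLimiter` class whose `acquire()` is called once before every request, and it drives the limiter with a fake clock so the behaviour can be checked offline: with `max_per_second=15` and 40 queued requests, the first 15 leave in second 0, the next 15 in second 1, and the remaining 10 in second 2.

```python
import time
from collections import deque


class RateLimiter:
    """Allow at most `max_per_second` requests in any rolling 1-second window.

    Hypothetical helper for illustration. `clock` and `sleeper` are injectable so
    the limiter can be tested without real waiting.
    """

    def __init__(self, max_per_second, clock=time.monotonic, sleeper=time.sleep):
        if max_per_second < 1:
            raise ValueError("rate limit must be at least 1 request/second")
        self.max_per_second = max_per_second
        self.clock = clock
        self.sleeper = sleeper
        self.sent = deque()  # timestamps of requests sent in the last second

    def acquire(self):
        """Block until one more request may be sent; return the send timestamp."""
        while True:
            now = self.clock()
            # Drop timestamps that have fallen out of the 1-second window.
            while self.sent and now - self.sent[0] >= 1.0:
                self.sent.popleft()
            if len(self.sent) < self.max_per_second:
                self.sent.append(now)
                return now
            # Window is full: sleep until the oldest request expires from it.
            self.sleeper(self.sent[0] + 1.0 - now)


class FakeClock:
    """Constructed clock for offline demonstration: sleeping advances time."""

    def __init__(self):
        self.t = 0.0

    def now(self):
        return self.t

    def sleep(self, seconds):
        self.t += seconds


def simulate(max_per_second, n_requests):
    """Send `n_requests` through the limiter on a fake clock.

    Returns a dict mapping each simulated second to the number of requests
    that were released during it.
    """
    clock = FakeClock()
    limiter = RateLimiter(max_per_second, clock=clock.now, sleeper=clock.sleep)
    per_second = {}
    for _ in range(n_requests):
        sent_at = limiter.acquire()  # in a real scanner: acquire(), then issue the HTTP request
        bucket = int(sent_at)
        per_second[bucket] = per_second.get(bucket, 0) + 1
    return per_second


if __name__ == "__main__":
    # Expected: {0: 15, 1: 15, 2: 10}
    print(simulate(15, 40))
```

In a real scanner the same `acquire()` call would precede each HTTP request with the default `time.monotonic`/`time.sleep`, so the request rate never exceeds the configured limit regardless of how many requests are queued.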

Attack Vectors

Attack Vectors define the security vulnerability categories that will be tested during your scan. Select specific vulnerability types to prioritise during assessments.

Common Attack Vector Categories:

  • Authentication - Tests for authentication bypass, weak credentials, and session management issues

  • CSRF (Cross-Site Request Forgery) - Validates anti-CSRF token implementation

  • SQL Injection - Detects database injection vulnerabilities

  • XSS (Cross-Site Scripting) - Identifies reflected, stored, and DOM-based XSS

  • Command Injection - Tests for OS command injection flaws

  • Path Traversal - Checks for directory traversal vulnerabilities

  • XXE (XML External Entity) - Tests for XML injection attacks

  • SSRF (Server-Side Request Forgery) - Identifies SSRF vulnerabilities

Usage:

  • Enable all vectors for a thorough security assessment. Selecting None will also test all vectors.

  • Select specific vectors to focus on particular vulnerability classes

  • Disable certain vectors if they're not relevant to your application

Custom Headers

Custom Headers allow you to specify additional HTTP headers (key-value pairs) that will be included with every request made to the target application during scanning.


Domains

Domain Whitelist

The Domain Whitelist feature allows you to explicitly specify which domains (including subdomains) are allowed for scanning. Only whitelisted domains will be included in vulnerability tests, even if additional domains are discovered during crawling.

Key Features:

  • Add specific domains to allow scanning

  • Support for wildcard patterns

  • Ensures scans stay within the authorised scope

  • Discovered domains outside the whitelist are automatically excluded

Wildcard Pattern Examples:

example.com - Matches exactly example.com
*.example.com - Matches all subdomains (api.example.com, app.example.com, etc.)
*.dev.example.com - Matches all sub-subdomains under dev (test.dev.example.com, staging.dev.example.com)

Domain Blacklist

The Domain Blacklist allows you to explicitly exclude specific domains from scanning. Any domains added to the blacklist will be completely ignored during assessments.

Key Features:

  • Explicitly exclude domains from scanning

  • Support for wildcard patterns

  • Overrides whitelist settings

  • Useful for excluding third-party services or sensitive areas

Wildcard Pattern Examples:

analytics.example.com - Blocks only analytics.example.com
*.analytics.example.com - Blocks all subdomains under analytics
*.third-party.com - Blocks all subdomains of third-party services

Important Notes:

  • Blacklist takes precedence over whitelist

  • Wildcards apply to all matching subdomains

  • Use carefully to avoid excluding critical test targets

  • Both whitelist and blacklist support complex wildcard patterns for flexible scope control
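The scope rules above (exact match, leading-wildcard subdomain match, blacklist overriding whitelist) can be expressed in a few lines. The following added example is not Pentest Copilot's own code; it implements the documented semantics in a hypothetical `scope_decision()` function and applies it to a constructed list of crawled URLs. Two points are assumptions rather than documented behaviour: only a leading `*.` wildcard is supported (the page mentions "complex wildcard patterns" without defining them), and an empty whitelist allows nothing.

```python
from urllib.parse import urlsplit


def _normalise(name):
    """Lower-case and strip a trailing dot so matching is case-insensitive."""
    return name.strip().lower().rstrip(".")


def matches(pattern, host):
    """Return True if `host` matches one whitelist/blacklist pattern.

    `example.com`    matches exactly example.com
    `*.example.com`  matches any subdomain at any depth, but not example.com itself
    Assumption: only a leading `*.` wildcard is recognised.
    """
    pattern, host = _normalise(pattern), _normalise(host)
    if pattern.startswith("*."):
        suffix = pattern[1:]  # ".example.com"
        return host.endswith(suffix) and len(host) > len(suffix)
    return host == pattern


def scope_decision(host, whitelist, blacklist):
    """Decide whether `host` may be scanned; return (allowed, reason).

    Blacklist takes precedence over whitelist, as documented. Assumption: an
    empty whitelist allows nothing.
    """
    for pattern in blacklist:
        if matches(pattern, host):
            return False, f"blacklisted by {pattern}"
    for pattern in whitelist:
        if matches(pattern, host):
            return True, f"whitelisted by {pattern}"
    return False, "not in whitelist"


def host_of(url):
    """Extract the host name from a crawled URL (port and credentials dropped)."""
    return urlsplit(url).hostname or ""


def filter_crawled(urls, whitelist, blacklist):
    """Return the sorted set of hosts from `urls` that are in scope."""
    allowed = set()
    for url in urls:
        host = host_of(url)
        if host and scope_decision(host, whitelist, blacklist)[0]:
            allowed.add(host)
    return sorted(allowed)


# Constructed sample configuration and crawl output for demonstration.
WHITELIST = ["example.com", "*.example.com"]
BLACKLIST = ["analytics.example.com", "*.analytics.example.com"]
CRAWLED = [
    "https://example.com/login",
    "https://API.Example.COM:8443/v1/users",
    "https://analytics.example.com/collect",
    "https://beacon.analytics.example.com/px.gif",
    "https://evilexample.com/",           # suffix looks similar but is not a subdomain
    "https://cdn.third-party.com/lib.js",
]

if __name__ == "__main__":
    for url in CRAWLED:
        print(f"{host_of(url):40} {scope_decision(host_of(url), WHITELIST, BLACKLIST)}")
    # Expected in-scope hosts: ['api.example.com', 'example.com']
    print(filter_crawled(CRAWLED, WHITELIST, BLACKLIST))
```

Keeping the decision in one function that returns a reason string makes it easy to log why each discovered host was included or excluded, which is the evidence you want when confirming a scan stayed within its authorised scope.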
