Scan and Pentest Overview: Downtime and Application Impact
Last updated: June 8, 2026
Summary
Astra's vulnerability scanner and pentest service are designed to assess your application without disrupting it. Scans send controlled, measured requests that simulate realistic behavior — not load testing or DDoS simulation. In practice, Astra's assessments have not caused downtime for customers.
Who Should Read This
Engineering leads and DevOps teams who need to evaluate the operational risk of running a scan or pentest on a production environment.
Product managers who want to understand the user impact before scheduling an assessment.
Infrastructure teams who will be monitoring traffic during an active scan or pentest.
Key Functions
Automated Vulnerability Scanner: Crawls your application using a real browser to discover pages, forms, and API endpoints, then sends sequential and concurrent test requests. The scan speed is configurable from your Target Settings, allowing you to reduce request frequency if your infrastructure is resource-constrained.
Manual Pentest: Conducted by Astra's security engineers in a thorough but measured manner. Engineers investigate your application for vulnerabilities — they are not attempting to take it offline. If anything during the assessment poses a risk of disruption, they will communicate with you before proceeding. Timing can also be coordinated to align with low-traffic windows.
DDoS Testing: Not included in Astra's standard vulnerability scans or pentests. DDoS testing is a separate, specialized engagement. Astra's assessments are fundamentally different from load testing or stress testing.
Available Actions
Adjust scan speed — Go to Target Settings to reduce the number of concurrent requests if you are concerned about performance impact. See [How to change the scan speed?] for step-by-step instructions.
Whitelist Astra's IP ranges — Add Astra's scanner IPs to your WAF, firewall, or monitoring platform to prevent scan traffic from being flagged as an attack. See [Astra IP Ranges] for the full list.
Raise a support ticket — If you are concerned about the scan interacting with a paid third-party integration or API, contact Astra's team before the scan begins to adjust scope or approach.
Best Practices
Set an appropriate scan speed in Target Settings if your application is running on limited server resources.
Schedule scans during off-peak hours to minimize any performance impact on active users.
Notify your infrastructure team before a scan begins so they are not alarmed by unusual traffic patterns in logs or monitoring dashboards.
Disable transactional email notifications for test accounts used during the scan, or run the assessment on a staging environment to avoid triggering emails or in-app alerts.
Use a staging environment that mirrors production as closely as possible for the most accurate results with zero user impact.
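For infrastructure teams watching traffic during a scan, the following added example (not Astra's code) separates requests from allowlisted scanner ranges from all other traffic in an access log and reports the scanner's peak requests per second and 5xx count, which helps decide whether to lower the scan speed. The CIDR ranges are placeholders from the RFC 5737 documentation blocks, not Astra's published ranges, and the log lines are constructed samples in common log format.

```python
import ipaddress
import re
from collections import Counter

# Placeholder CIDRs (RFC 5737 documentation ranges), NOT Astra's real ranges.
# Replace with the ranges from the vendor's published IP list.
SCANNER_RANGES = [ipaddress.ip_network(c) for c in ("192.0.2.0/28", "198.51.100.16/29")]

# Constructed sample lines in common log format.
SAMPLE_LOG = """\
192.0.2.5 - - [08/Jun/2026:02:00:01 +0000] "GET /login HTTP/1.1" 200 512
192.0.2.5 - - [08/Jun/2026:02:00:01 +0000] "POST /login HTTP/1.1" 302 0
192.0.2.9 - - [08/Jun/2026:02:00:01 +0000] "GET /api/items?id=1 HTTP/1.1" 500 87
203.0.113.40 - - [08/Jun/2026:02:00:01 +0000] "GET / HTTP/1.1" 200 2048
198.51.100.18 - - [08/Jun/2026:02:00:02 +0000] "GET /search?q=a HTTP/1.1" 200 900
192.0.2.200 - - [08/Jun/2026:02:00:02 +0000] "GET /admin HTTP/1.1" 403 12
not a log line
"""

LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "[^"]*" (\d{3}) ')

def is_scanner(ip_text):
    """True only if the address parses and falls inside an allowlisted range."""
    try:
        ip = ipaddress.ip_address(ip_text)
    except ValueError:
        return False
    return any(ip in net for net in SCANNER_RANGES)

def summarize(log_text):
    """Count scanner vs. other requests, scanner 5xx responses, and peak scanner RPS."""
    per_second = Counter()  # scanner requests keyed by one-second timestamp
    stats = {"scanner": 0, "other": 0, "scanner_5xx": 0, "unparsed": 0}
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            stats["unparsed"] += 1
            continue
        ip, ts, status = m.groups()
        if is_scanner(ip):
            stats["scanner"] += 1
            per_second[ts] += 1
            if status.startswith("5"):
                stats["scanner_5xx"] += 1
        else:
            # Traffic outside the allowlist is never excused as scan traffic.
            stats["other"] += 1
    stats["scanner_peak_rps"] = max(per_second.values(), default=0)
    return stats

if __name__ == "__main__":
    print(summarize(SAMPLE_LOG))
```

Matching on the exact published ranges, rather than on a user agent or a time window, keeps unrelated traffic that arrives during the scan visible to normal alerting.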