Validity of Vulnerability Assessment Report, Vetted Report & Pentest Report

Last updated: June 8, 2026

Introduction

Every security report generated by Astra comes with a defined validity period. Understanding how long your reports remain valid — and what can invalidate them early — helps you maintain a continuous and accurate security posture. This guide covers validity periods for all three report types and the key factors that affect them.

Report Validity Periods

| Report Type | Validity Period | Reviewed by Security Engineers |
|---|---|---|
| Vulnerability Assessment Report | 14 days | No — automated scanner only |
| Vetted Report | 90 days | Yes — false positives removed |
| Pentest Report | 180 days | Yes — full manual audit |

What Each Report Covers

Vulnerability Assessment Report

Generated directly from Astra's automated scanner. Contains findings from automated tools only. May include false positives. Valid for 14 days.

Vetted Report

A Vulnerability Assessment Report that has been manually reviewed by Astra's security engineers to remove false positives. Provides an actionable, high-confidence report for teams without dedicated security staff. Valid for 90 days.

Pentest Report

The most comprehensive report type. Combines automated scanning with a full manual audit by Astra's security engineers. Includes re-scan verification after fixes are applied and comes with a publicly verifiable Pentest Certificate. Valid for 180 days.

What Can Invalidate a Report Early

Regardless of the validity period, the following changes can compromise the accuracy and relevance of any report:

  • Code changes — New code introduces potential new vulnerabilities not covered by the existing report

  • New vulnerabilities discovered globally — Thousands of new CVEs are published monthly, meaning your application may become vulnerable to threats that did not exist at the time of the scan

  • Infrastructure or server changes — Modifications to hosting environments, configurations, or third-party integrations can introduce new attack surfaces

When any of the above occur, running a new scan or pentest is strongly recommended even if the current report is still within its validity period.

Extending Report Validity

The Pentest Certificate (included with a Pentest Report) can be extended beyond its initial 180-day validity in two ways:

  • Request a Vetted Scan — Available if your certificate is no more than 180 days old. Extends validity by an additional 180 days after Astra's engineers review the results.

  • Undergo a new Pentest — Required if your certificate is more than 180 days old or if major new features have been released since the last assessment.

Troubleshooting

Report expired sooner than expected

  • Check whether significant code changes, infrastructure updates, or new feature releases occurred since the report was generated. Any of these can reduce the practical validity of a report even if the formal period has not elapsed.

Unsure which report type you have

  • Navigate to Reports in your Astra dashboard. Each report is labeled by type — Vulnerability Assessment, Vetted, or Pentest Report.

Need a report valid for longer than 14 or 90 days

  • Consider upgrading to a Vetted Scan or full Pentest. Contact your account manager or reach out at help@getastra.com to discuss plan options.

Pentest Certificate expired before extension was requested

  • A 20-day grace period applies beyond the initial 180 days. If you are within this grace period, you can still request a Vetted Scan to extend validity. Beyond the grace period, a new Pentest is required.