• How do you define a target for the vulnerability scanner?

  What is a Target in the Vulnerability Scanner? A target refers to the domain or URL that will be scanned for vulnerabilities by the scanner. This could be a web application, a website, or an API endpoint. Examples of Unique Targets: https://app.example.com https://example.com/portal https://www.example.com Understanding the Scope of the Vulnerability Scan Target URL WPopular

• How Astra calculates the Risk Rating & Security Grade

  Astra's OrbitX Pentest Platform (PTaaS) solution provides a comprehensive approach for assessing and mitigating security vulnerabilities in your infrastructure. As a part of this process we assign a risk score to each reported vulnerability which helps prioritize remediation efforts, and also a security grade (A through F) to indicate the security level of your target. In this help article, we will explain the methodology behind our risk scoring and security grading system, highlighting the keyPopular

• What are false positives & how to work with them?

  Vulnerability scanners are built to report every possible vulnerability or potential vulnerability in the application. If certain conditions within the application or server match a known vulnerability, the scanner reports the vulnerability within the dashboard along the description, request, response & steps to fix the vulnerability.Some readers

• Astra IP Ranges

  You might find it handy to know about Astra's IPs. This page is intended to be the definitive source of Astra's current IP ranges. You can add these IPs to the allow-list in your application firewall, login system, captcha, MFA etc. 34.69.226.239 35.193.102.27 12.202.180.108 34.136.217.65 35.222.104.14 104.154.201.208 34.27.197.32 34.135.0.247 172.103.34.69 34.70.219.138 104.154.186.213 34.69.130.106 34.135.25.35 34.66.6.242 34.41.10.119Some readers

• How much time does a Pentest (VAPT) take?

  The time required to complete a Vulnerability Assessment and Penetration Testing (VAPT) typically ranges from 10 to 15 working days after our security engineers receive all necessary information from you. Several factors influence this timeline: Timeliness of Information: The speed at which our security engineers receive the required information for the pentest is crucial. This information varies depending on the type of asset (e.g., web app, mobile app, network devices, APIs). DurinSome readers

• Validity of Vulnerability Assessment Report, Vetted Report & Pentest Report

  Validity of Pentest Report, Vulnerability Scan Report & Vetted Report by Astra Pentest.Few readers

• How to request a rescan & reaudit after fixing the found vulnerabilities?

  Once you've fixed the found vulnerabilities during a Pentest, you can request a re-scan. During the rescan Astra's security engineers verify the fixes your engineers have put in place. A couple of things to ensure before requesting a rescan At least 50% of the vulnerabilities are fixed: This ensures that you make the most of the number of rescans available to you & security engineers are able to re-check maximum vulnerabilities in one go Vulnerabilities are marked as fixed: UFew readers

• What are the various support levels within Pentest Platform pricing?

  The Scanner, Expert and Pentest plans come with different levels of support to help you ensure your applications are proactively secure. We've tried to make Astra's Pentest Platform massively self served, and are happy to help whenever you need us. Here's how the support coverage look like for each of the plans:Few readers

• Is there any downtime when a vulnerability scan or a Pentest is happening?

  We've not had a situation where Astra's vulnerability scanner or Pentest has caused any downtime. This is because: Our vulnerability scanner sends requests in a controlled manner to your application The intent of a Pentest is not to stress test the application but to uncover vulnerabilities in the application A Pentest or a Vulnerability Scan is different from DDoS testing. We do not perform any DDoS testing which often leads to you having a downtimeFew readers

• Understanding publicly verifiable pentest certificate by Astra and how to verify them?

  How to Enable Publicly Verifiable Certificates from the Dashboard? Log into your dashboard. Navigate to the Scan Page of the target for which you want a certificate. Click on the button. You will see an option to toggle on (https://storage.crisp.chat/users/helpdeFew readers

• Does the Astra Vulnerability Scanner support GraphQL APIs?

  GraphQL serves as a flexible and efficient alternative to traditional REST APIs, empowering developers to optimize data fetching and reduce over-fetching or under-fetching issues. Can Astra's vulnerability scanner effectively detect and exploit vulnerabilities in GraphQL APIs?Few readers

• How Astra’s Pentest platform helps with SOC2 & ISO27001 compliances?

  Here are some of the ways in which Astra’s Pentest platform can help your organization: While Astra doesn’t help with end to end SOC2 & ISO27001 compliance, but Astra does help with Pentest/VAPT and continuous vulnerability scanning which often is recommended within these compliances. The compliance is best done by organizations like Sprinto, Cyber Sierra, Secure Frame etc. If you would like an introduction to any of these providers via Astra, we’re happy to introduce you.Few readers

• We have one main domain and multiple sub-domains which have similar app running as main domain. How will the pricing work?

  Since we work with hundreds of SaaS businesses, we understand that there some SaaS businesses who have customer dashboards running on their sub-domains. If you application is structured like this: www.domain.com app.domain.com app1.domain.com app2.domain.com In the above case here's how we tend to structure the pricing IF app.domain.com, app1.domain.com & app2.domain.com all have above 90% similar code base: In case of Pentest Plan: In our assFew readers

• How to change the target URL?

  Can You Change the Target URL? In certain cases, we can make a one-time exception to change the target URL, based on the situation. This exception typically applies when the target URL was added incorrectly or when there's a need to switch between staging and production URLs. If you find yourself in this situation, please contact our support team for assistance.Few readers

• What types of reports do we provide for each scan?

  Vulnerability Scan Reports OverviewFew readers

• How to find all the URL's that were scanned by the scanner?

  When scanning a website, Astra's Vulnerability Scanner will crawl only the target URL and follow any links it can find. Follow these steps to find all the URLs that were scanned by Astra's Vulnerability Scanner. Log in to Astra and click on View Scans from the correspondent target. Choose the Dashboard option from the completed scan withinFew readers

• How can I see vulnerability scan and Pentest history of all the scans that ran within Astra on a target?

  To access the scan and Pentest history of a Target scanned using Astra: Go to the Astra dashboard and select the “SCAN”section. Once you have arrived on your project dashboard, look for the “All Scan”icon located at the top right corner of the page and Click on it. A Scan history willFew readers

• How to change the target & business name?

  You can easily update the basic details of your target from Astra’s dashboard, including: Target Name Business Name Steps to Update Basic Information: Go to the Target Settings page. Scroll to the General Settings section. In the Basic Information section, click on the Business Name and Target Name fields to update them. After making yFew readers

• How to Download CSV Summary?

  Step 1: Login to Your Dashboard Begin by logging into your Astra dashboard using your credentials. Step 2: Access the Reports Section Once logged in, navigate to the Reports section within your dashboard. Step 3: Download the CSV Summary InsideFew readers

• What is the maximum time it may take for a scan to finish?

  Time Taken for Various Scan TypesFew readers

• Does Astra offer Red Teaming?

  Yes, Astra offers Red Teaming. DAST Scanner : We provide an industry-standard scanner that is continuously updated to detect the latest vulnerabilities, including both newly disclosed and traditional security weaknesses such as those outlined iFew readers

• How to run a Vulnerability scan or Pentest on a private staging environment that requires VPN access?

  Yes, with Astra, you can easily perform a Vulnerability scan or Pentest on a private staging environment that requires VPN access. If you are utilizing Astra's vulnerability scanner, youFew readers

• What access levels are necessary for conducting a web application Pentest?

  Prerequisites for Conducting a Web Application Penetration Test: Staging Environment: Please provide a staging environment for the penetration test. The staging environment should allow easy clearing of any test-generated data. If you are unable to provide a staging environment, we can work with your production environment, but we will need additional details about your web application. Production Environment: If you don't have a staging environment, you can provide yFew readers

• How much does it take for re-scan?

  A rescan or re audit generally takes half the initial scan time. It may take anywhere between 2 to 4 business days based on the scope of testing. You can request a re-scan anytime within 30 days of the initial manual scan completion.Few readers

• Does Astra provide ASVS and MASVS auditing?

  Yes, At Astra we do offer ASVS (Application Security Verification Standard) and MASVS (Mobile Application Security Verification Standard) both security audits.Few readers

• What approach do you take when testing emerging technologies or cloud environments?

  In testing emerging technologies or cloud environments, Astra Security takes a comprehensive approach, combining automated and manual testing techniques. Our focus extends beyond automated tools to include business logic testing, ensuring thorough coverage. We provide an intuitive vulnerability management dashboard for accessing timely results and offer collaboration feFew readers

• Starting a Scan

  Starting or bulk starting a scan in Astra is a straightforward process that can be done directly from the dashboard. Below is a step-by-step guide on how to perform this task: Start a Scan Locate the "Start a Scan" Button The Start a Scan button is prominently located on the dashboard. Astra has strategically placed this button across the dashboard, allowing you to start a scan from any part ofFew readers

• What are the various support levels within Pentest Platform pricing? (Updated)

  The Scanner, Expert and Pentest plans come with different levels of support to help you ensure your applications are proactively secure. We've tried to make Astra's Pentest Platform massively self served, and are happy to help whenever you need us. Here's how the support coverage look like for each of the plans:Few readers

• Markdown Article

  What all markdown syntax is supported in the editor?Few readers

• How to schedule vulnerability scans

  Scheduling Vulnerability Scans & Pentest with Astra From the Getting Started page, click on Automations in the navigation bar on the left side to schedule your scans in advance and continuously test your targets Now, click on the Create Scan Schedule button, and you will get a window to select the target you want to schedule scans for and click on continue at the bottom. (https://storaFew readers

• How to manage your profile information?

  To change your profile name in the Astra dashboard, follow these steps: 1. Log in to the Astra Dashboard: Access the Astra dashboard using your login credentials. 2. Go to the "Settings" Section: On the left-side navigation bar, click the Settings icon 3. Access the "Profile" Settings: Under My Account, click on Profile (https://storage.crisp.chat/users/helpdesk/website/Few readers

• I’m seeing traffic fuzzing our infrastructure. How can I verify if requests coming to the target web app, APIs or server are from Astra?

  If you’re seeing traffic on your server or unexpected requests coming to your website, infra or SaaS application and suspect that it might be from a Pentest or a DAST scanner, Astra provides an easy way to verify this. Follow these steps to determine if the traffic is coming from Astra's scanner. Steps to Verify Astra Traffic Log in to your Astra platform using your credentials. Once you’re in the dashboard, proceed with the steps below: 1. Check fFew readers