• How do you define a target for the vulnerability scanner?

  A target is a domain or URL that will be tested by our vulnerability scanner. It can be the URL of a web application, website, API etc. Examples of some unique targets: https://app.example.com https://example.com/portal https://www.example.com What is the scope of the vulnerability scan? Target URL Let us say you set https://app.example.com/admin as the target URL. The scanner willSome readers

• What are the different vulnerability scan types?

  Different Scan Modes When you click on 'Start a Scan' button on Scan page, you'll be given a choice to run three modes of scans. We've described below what each of these types of scans mean: Automated Scan: Our ever evolving vulnerability scanner scans your application for vulnerabilities in this scan. You can choose to configure it to scan behind login too. Any possiblFew readers

• What are false positives & how to work with them?

  Vulnerability scanners are built to report every possible vulnerability or potential vulnerability in the application. If certain conditions within the application or server match a known vulnerability, the scanner reports the vulnerability within the dashboard along the description, request, response & steps to fix the vulnerability.Few readers

• What are the various support levels within Pentest Platform pricing?

  The Scanner, Expert and Pentest plans come with different levels of support to help you ensure your applications are proactively secure. We've tried to make Astra's Pentest Platform massively self served, and are happy to help whenever you need us. Here's how the support coverage look like for each of the plans:Few readers

• Validity of Vulnerability Assessment Report, Vetted Report & Pentest Report

  Validity of Pentest Report, Vulnerability Scan Report & Vetted Report by Astra Pentest.Few readers

• How Astra calculates the Risk Rating & Security Grade

  Astra's vulnerability management solution provides a comprehensive approach to assessing and mitigating security vulnerabilities in your applications. As part of this process we assign a risk score to each reported vulnerability which helps prioritize remediation efforts, and also a security grade (A through F) to indicate the security level of your target. In this help article, we will explain the methodology behind our risk scoring and security grading system, highlighting the key factors weFew readers

• How to extend the validity of Astra's Pentest Certificate?

  After a successful Pentest, a publicly verifiable Pentest certificate is issued which looks like this. The validity of the certificate is 180 days. There are two ways validity of the certificate can be extended for another 180 days: Getting a Vetted scan: If you have been issued a Pentest certificate by Astra in the last 180 days, then you can request a vetted scan (https://help.getastra.com/en/artiFew readers

• Is there any downtime when a vulnerability scan or a Pentest is happening?

  We've not had a situation where Astra's vulnerability scanner or Pentest has caused any downtime. This is because: Our vulnerability scanner sends requests in a controlled manner to your application The intent of a Pentest is not to stress test the application but to uncover vulnerabilities in the application A Pentest or a Vulnerability Scan is different from DDoS testing. We do not perform any DDoS testing which often leads to you having a downtimeFew readers

• How much time does a Pentest (VAPT) take?

  A Pentest can take anywhere between a minimum of 8-15 working days after our engineers have all the required information from you. Here are a few factors that determine the timelines: How quickly our security engineer are provided with the required information for the Pentest. The required information can differ depending on the type of asset (web app, mobile app, network devices, APIs etc.). As soon as you sign-up, in the Getting Started flow you are asked this information. Our customer succFew readers

• We have one main domain and multiple sub-domains which have similar app running as main domain. How will the pricing work?

  Since we work with hundreds of SaaS businesses, we understand that there some SaaS businesses who have customer dashboards running on their sub-domains. If you application is structured like this: www.domain.com app.domain.com app1.domain.com app2.domain.com In the above case here's how we tend to structure the pricing IF app.domain.com, app1.domain.com & app2.domain.com all have above 90% similar code base: In case of Pentest Plan: In our assFew readers

• How to request a rescan & reaudit after fixing the found vulnerabilities?

  Once you've fixed the found vulnerabilities during a Pentest, you can request a re-scan. During the rescan Astra's security engineers verify the fixes your engineers have put in place. A couple of things to ensure before requesting a rescan At least 50% of the vulnerabilities are fixed: This ensures that you make the most of the number of rescans available to you & security engineers are able to re-check maximum vulnerabilities in one go Vulnerabilities are marked as fixed: UnFew readers

• Understanding publicly verifiable pentest certificate by Astra and how to verify them?

  How to Enable Publicly Verifiable Certificates from the Dashboard? Log into your dashboard. Navigate to the Scan Page of the target for which you want a certificate. Click on the button. You will see an option to toggle on (https://storage.crisp.chat/users/helpdeFew readers

• How Astra’s Pentest platform helps with SOC2 & ISO27001 compliances?

  Here are some of the ways in which Astra’s Pentest platform can help your organization: While Astra doesn’t help with end to end SOC2 & ISO27001 compliance, but Astra does help with Pentest/VAPT and continuous vulnerability scanning which often is recommended within these compliances. The compliance is best done by organizations like Sprinto, Cyber Sierra, Secure Frame etc. If you would like an introduction to any of these providers via Astra, we’re happy to introduce you.Few readers

• How can I see vulnerability scan and Pentest history of all the scans that ran within Astra on a target?

  To access the scan and Pentest history of a Target scanned using Astra: Go to the Astra dashboard and select the “SCAN”section. Once you have arrived on your project dashboard, look for the “All Scan”icon located at the top right corner of the page and Click on it. A Scan history willFew readers

• Does the Astra Vulnerability Scanner support GraphQL APIs?

  GraphQL serves as a flexible and efficient alternative to traditional REST APIs, empowering developers to optimize data fetching and reduce over-fetching or under-fetching issues. Can Astra's vulnerability scanner effectively detect and exploit vulnerabilities in GraphQL APIs?Few readers

• How to change the target & business name?

  You can update your target's basic information from Astra's dashboard. You can update: Target Name Business Name How to update Basic Information of a target Click on the target dashboard and slide to the Settings page Scroll down and find General Settings section. Click on Update Information from the Basic Information section. (https://storage.crisp.chat/users/Few readers

• How to find all the URL's that were scanned by the scanner?

  When scanning a website, Astra's Vulnerability Scanner will crawl only the target URL and follow any links it can find. Follow these steps to find all the URLs that were scanned by Astra's Vulnerability Scanner. Log in to Astra and click on View Scans from the correspondent target. Choose the Dashboard option from the completed scan withinFew readers

• What is the maximum time it may take for a scan to finish?

  Time Taken for Various Scan TypesFew readers

• How to change the target URL?

  Can you change the target URL? In certain situations, we have the flexibility to make a one-time exception on a case-by-case basis. This exception applies when there has been an error in adding the target or when there is a need to update staging or production URLs. Please reach out to our support team for the same.Few readers

• How much does it take for re-scan?

  A rescan or re audit generally takes half the initial scan time. It may take anywhere between 2 to 4 business days based on the scope of testing. You can request a re-scan anytime within 30 days of the initial manual scan completion.Few readers

• What access levels are necessary for conducting a web application Pentest?

  Prerequisites for Conducting a Web Application Penetration Test: Staging Environment: Please provide a staging environment for the penetration test. The staging environment should allow easy clearing of any test-generated data. If you are unable to provide a staging environment, we can work with your production environment, but we will need additional details about your web application. Production Environment: If you don't have a staging environment, you can provide yFew readers

• How to run a Vulnerability scan or Pentest on a private staging environment that requires VPN access?

  Yes, with Astra, you can easily perform a Vulnerability scan or Pentest on a private staging environment that requires VPN access. If you are utilizing Astra's vulnerability scanner, youFew readers

• Does Astra offer Red Teaming?

  Yes, Astra offers Red Teaming. DAST Scanner : We provide an industry-standard scanner that is continuously updated to detect the latest vulnerabilities, including both newly disclosed and traditional security weaknesses such as those outlined iFew readers

• What approach do you take when testing emerging technologies or cloud environments?

  In testing emerging technologies or cloud environments, Astra Security takes a comprehensive approach, combining automated and manual testing techniques. Our focus extends beyond automated tools to include business logic testing, ensuring thorough coverage. We provide an intuitive vulnerability management dashboard for accessing timely results and offer collaboration feFew readers

• Does Astra provide ASVS and MASVS auditing?

  Yes, At Astra we do offer ASVS (Application Security Verification Standard) and MASVS (Mobile Application Security Verification Standard) both security audits.Few readers

• How to Download CSV Summary?

  Step 1: Login to Your Dashboard Begin by logging into your Astra dashboard using your credentials. Step 2: Access the Reports Section Once logged in, navigate to the Reports section within your dashboard. Step 3: Download the CSV Summary InsideFew readers