Testing

Safe by design

Pentu tests your live application, so it's built to be careful. It exercises the app fully — but it will never do the genuinely dangerous things a careless tester might.

Strictly in scope

Every request is confined to your own domain and the backend hosts your app actually talks to. Pentu never touches third-party trackers, CDNs, or unrelated hosts it happens to see, and it won't port-scan a CDN's shared edge IPs — that tells you nothing about your server and violates the provider's rules.

Non-destructive

Pentu uses your app the way a real user would — creating projects, budgets, API keys, and invites, editing them, and deleting the ones it made — because exercising those flows is how it finds bugs. But it draws a hard line at anything genuinely critical or irreversible:

  • No real payments or charges.
  • No bulk or mass deletion.
  • It never deletes or modifies data it didn't create, or that existed before the test began.
  • No real emails, messages, or spam to third parties.
  • SQL-injection testing is time-based only — it measures response delay and never dumps or changes data.

Disposable test accounts — with a cleanup guide

To test the authenticated app, Pentu signs up disposable test accounts on a controlled mailbox. Every report includes a "Test data created" section that lists exactly which accounts it created, so you can remove them (and anything they created) in one step. Nothing is left behind quietly.
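The two guardrails above (requests confined to the target domain and its declared backends, and a ledger of created test data so cleanup touches only what the run made) can be expressed as a small check. This is an added illustration, not Pentu's own code; `in_scope`, `TestDataLedger` and the sample hosts are assumptions.

```python
from __future__ import annotations
from dataclasses import dataclass, field
from urllib.parse import urlsplit

# Constructed illustration of the scope and cleanup rules described on this page.
# Function and class names are assumptions, not Pentu's implementation.

def in_scope(url: str, target_domain: str, backend_hosts: set[str]) -> bool:
    """True only for the target's own domain (or a subdomain of it) or a backend
    host the owner explicitly declared. Third-party trackers, CDNs and bare IPs
    seen in responses are out of scope unless listed as backends."""
    host = (urlsplit(url).hostname or "").lower()
    if not host:
        return False
    target = target_domain.lower()
    if host == target or host.endswith("." + target):
        return True
    return host in {h.lower() for h in backend_hosts}

@dataclass
class TestDataLedger:
    """Records every object the tester created so the report can list them and
    so deletion is only ever authorized for objects this run made."""
    created: dict[str, set[str]] = field(default_factory=dict)

    def record(self, kind: str, ident: str) -> None:
        self.created.setdefault(kind, set()).add(ident)

    def may_delete(self, kind: str, ident: str) -> bool:
        # Pre-existing data is never in the ledger, so it can never be deleted.
        return ident in self.created.get(kind, set())

    def report(self) -> list[str]:
        # Stable, human-readable "Test data created" listing for the report.
        return [f"{kind}: {ident}" for kind in sorted(self.created)
                for ident in sorted(self.created[kind])]
```

The suffix check uses a leading dot so that a look-alike domain such as `notexample.com` is not mistaken for a subdomain of `example.com`.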

Human-paced

Requests are rate-limited to look like ordinary user traffic rather than a hammering scanner — gentler on your systems, and more representative of a real attacker.

Authorized testing only

Pentu is for testing applications you own or are explicitly authorized to test. Scans are consent-based, scoped to your verified targets, and everything the tester did is recorded in the report's transcript, so there's a full, honest account of the engagement.