Platform Updates & Releases

Stay updated with the latest Pentesterra platform developments, new features, and improvements in automated penetration testing and attack surface management.

Pentesterra Changelog

2025-11-06 · Expanded Web Discovery Toolkit · minor

Highlights

  • Dynamic discovery modules now plug into the web-app pentest to complement existing SPA/API/DNS endpoint mapping.
  • Context brute-forcing and base-path detection uncover deeper application roots.
  • Redirect and link analysis highlights hidden surfaces for follow-up testing.
  • 404 response parsing extracts <a>, <script>, fetch(), and similar clues to enrich context automatically.
  • Lightweight SPA-focused wordlists and heuristics tailored to modern front-ends.
  • Weighted enumeration of common paths such as /app, /static, and /assets based on detected technologies.
  • Enhanced Playwright phases rerun SPA analysis on newly discovered contexts to surface fetch calls, REST endpoints, and routes ahead of authentication.

Improvements

  • Provides earlier insight into attack paths by mirroring reconnaissance depth from network pentests in the web workflow.

2025-11-05 · Web Pentest Artifact Reuse Pipeline · minor

Highlights

  • Harvested artifacts like Set-Cookie/Authorization headers, Playwright tokens, and other session materials are automatically extracted and stored in context.
  • Collected artifacts are reused across subsequent requests inside the web pentest module, mirroring how Pentesterra network engagements reuse discovered accounts and tokens.
  • New pipeline is in active development, passing tests, and slated for release soon.

Improvements

  • Brings lateral movement and credential reuse logic from network pentests into the web testing workflow.

Notes

  • Early access build focuses on reliability; wider rollout planned after final validation.

2025-10-16 · New Web Application Modules in Development and Testing · major

Highlights

  • LFI/Path Traversal detection with nuclei payloads.
  • XSS - Reflected/DOM Cross-Site Scripting detection + nuclei.
  • SQL Injection - Error/Boolean/Time-based SQLi detection + nuclei.
  • SSTI - Server-Side Template Injection detection + nuclei.
  • Deserialization vulnerabilities detection.
  • JWT Vulnerabilities - JSON Web Token security analysis.
  • Security Headers analysis for missing headers.
  • TLS/SSL Analysis - Certificate and cipher suite checks.
  • Cloud Metadata exposure (AWS/GCP/Azure).
  • HTTP Smuggling - Request smuggling and cache poisoning.
  • IDOR Detection - Insecure Direct Object References.
  • Open Redirect - URL redirection to external domains + nuclei.
  • Technology Stack - Framework and version detection.
  • WAF/CDN Detection - Protection system identification.
  • CVE Detection - Known vulnerability patterns + nuclei.
  • Cookie Security - Secure cookie configuration.
  • CSP Analysis - Content Security Policy validation.
  • Clickjacking - X-Frame-Options validation.
  • Command Injection - OS command injection and RCE detection + nuclei.
  • File Upload - Unrestricted file upload vulnerabilities + nuclei.
  • XXE (XML External Entity) injection + nuclei.
  • SSRF/RFI - Server-side request forgery and RFI + nuclei.
  • GraphQL Injection - GraphQL query injection and introspection.
  • Zip Traversal - Zip archive path traversal.
  • Nuclei CVE Scanner - Additional CVE detection layer.

Improvements

  • Enhanced detection depth and improved validation logic.
  • New categories of web-based security testing.
  • Verification of detected vulnerabilities for reliable results.

2025-08-08 · Extended WAF Detection · minor

Highlights

  • Extended WAF detection capabilities.
  • Passive and active WAF detection methods.

2025-08-07 · New Detection & Evasion Capabilities · major

Highlights

  • DoS Protection Detection and Bypass.
  • CDN Detection and Origin Discovery.
  • LoadBalancerDetector - F5, NGINX, AWS ALB, HAProxy detection.
  • ProxyDetector - Reverse proxies, Squid, Apache mod_proxy detection.
  • DockerDetector - Docker containers and Swarm detection.
  • K8sDetector - Kubernetes clusters and services detection.
  • VMwareDetector - vSphere and ESXi environments detection.
  • CloudDetector - AWS, Azure, GCP detection.
  • GeoBlockingDetector - geographic access restrictions.
  • AntiAutomationDetector - anti-bot and automation defenses.
  • IPSDetector - behavioral intrusion prevention systems.

Improvements

  • All modules integrated into adaptive scanning workflow.
  • Caching, smart prioritization, and real-time feedback.

2025-08-07 · Scanner Performance Update · minor

Highlights

  • Adaptive Scan Parameters - automatic adjustment based on network type.
  • Smart Port Selection - prioritized -> extended -> full sets.
  • Parallel Scanning - up to 3-4 simultaneous CIDR blocks.
  • Intelligent Grouping - similar networks scanned together.
  • Caching System - avoids redundant protection checks.
  • Adaptive Scheduling - smaller networks scanned first.

Improvements

  • Scanning 4 CIDR blocks: improved from 5.6s -> 2.8s.
  • Smart grouping: +20-30% efficiency.
  • Protection caching: reduced load on protected systems.
  • Prioritization: faster feedback for small networks.

2025-08-05 · Navigator and Monitoring Updates · minor

Highlights

  • Added upcoming events to the digest.
  • Events searchable via Navigator.
  • Navigator includes more sources: exploits, PoCs, vulnerabilities, and news.
  • Social media trend tracker for monitoring posts and discussions.
  • Darknet monitoring for Gov version.
  • Host protection detection before starting analysis.
  • Protection bypass methods based on detected defense mechanisms.

Improvements

  • Scan parameters adjust automatically if protection is detected.
  • Updated and improved QuickInfo section.

2025-07-15 · QuickInfo Page Update · minor

Highlights

  • Persistent State - scan results stay visible when switching pages.
  • FindSubDomain Upgrade - DNS record fetching and live status indicators.
  • Revamped UI for FindSubDomain.
  • One-click JSON Copy for any module.
  • Dark Theme Overhaul matching modern standards.

Improvements

  • Improved API Communication Protocol.
  • More efficient data handling.
  • Blue theme coming soon as alternative.

Fixes

  • Patched several minor protocol vulnerabilities.

2025-03-16 · Active Directory Security Analysis Framework Update · major

Highlights

  • Domain Controller discovery (Unauthenticated).
  • User, group, and share enumeration (Standard User).
  • GPO analysis (Standard User).
  • AS-REP Roasting, Kerberoasting (Standard User).
  • Password spraying, NTLM relay (Standard User and Unauthenticated).
  • Pass-the-Hash, Pass-the-Ticket, Silver Ticket (Standard User).
  • Null session vulnerabilities.
  • Delegation attacks.
  • Token impersonation.
  • SID history injection.
  • RID hijacking.
  • DCSync rights.
  • SMB signing checks (Unauthenticated).
  • LDAP signing verification (Unauthenticated).
  • Null session testing (Unauthenticated).
  • GPP password exposure (Standard User).
  • LAPS configuration checks (Standard User).
  • DS replication rights (Standard User).
  • Zerologon (Unauthenticated).
  • PetitPotam (Unauthenticated).
  • PrintNightmare (Standard User).
  • NoPac (Standard User).
  • SAM dump attempts (Standard User).

2025-02-28 · DoS Detection with 9 Methods · minor

Highlights

  • SYN Flood detection.
  • UDP Flood detection.
  • ICMP Flood detection.
  • Slowloris detection.
  • HTTP Flood detection.
  • NTP Amplification detection.
  • LAND Attack detection.
  • DNS Amplification detection.
  • Individual services (TCP ports) DoS detection.

Improvements

  • Advanced detection system for GOV organizations in ANPTT module.
  • Demonstration of potential attack vectors including DoS exploits.
  • Testing resilience against distributed DDoS attacks from multiple sources.

2025-02-26 · Advanced WAF & DDoS Protection Detection · major

Highlights

  • Cloudflare, Akamai, Imperva detection - TTL and ASN-based.
  • Firewalls detection (AWS Shield, Fortinet, etc.) - TCP RST connection resets.
  • WAFs detection (Cloudflare, ModSecurity, Imperva, etc.) - HTTP method filtering and header analysis.
  • DDoS Rate-Limiting - identifying artificial response delays.
  • CAPTCHA Protection - detecting reCAPTCHA challenges and JS verifications.
  • User-Agent Filtering - bot blocking and fingerprinting defenses.

Improvements

  • Intelligent network tests analyzing response times, headers, TTL.
  • Connection resets and behavioral patterns analysis.
  • Exact protection identification beyond 403 errors.

2025-02-21 · DRSE Rules Enhancement · major

Highlights

  • Variable Support in Actions - dynamic rule variables.
  • Real-Time Toast Notifications via SSE with MQ buffering.
  • Live Alerts via Actions - toast messages in real time.
  • Trigger Multiple Actions in a Rule.

Improvements

  • Status updates tracking for ongoing operations.
  • Do Not Disturb mode for notifications.
  • Start scan/pentest on detected host/port.
  • Execute script or custom logic.
  • Refine data immediately without waiting for full processing.

2025-02-17 · WAF Detection in OnlineTools · minor

Highlights

  • WAF Detection support in OnlineTools version 3.0.267.

Improvements

  • Future releases will include automatic scanning parameter adjustments when WAF is detected.

2025-02-14 · Pentesterra Platform Launch · major

Highlights

  • Agentless SaaS/PaaS solution.
  • Attack Surface Management (ASM).
  • Breach Attack Simulation (BAS).
  • Automated Network Penetration Testing (ANPTT).
  • Vulnerability Management (VM).
  • Automated and scalable deployment with thousands of scanner nodes.
  • AI-powered testing with real penetration testing tasks.
  • DRSE (Dynamic Rule Set Engine) for automation management.
  • Passive and active scanning (mDNS/ARP/Shodan/etc.).
  • API integrations with existing VM/ASM/BAS solutions.

Improvements

  • Cost-effective solution without expensive security experts.
  • Automated vulnerability detection and attack path mapping.
  • Real-time security insights.
  • Seamless workflow automation.

2024-11-22 · v3.1.70 · Enhanced Scheduled Scan Management · major

Highlights

  • System templates now available.
  • Copy system templates into custom templates for organization.
  • Custom templates secure and accessible only to authorized users.
  • Flexible Scheduling Options - single scan profile for multiple schedules.
  • Run Now - start immediately.
  • Run Once - schedule a one-time scan.
  • Daily - run at fixed time every day.
  • Weekly - schedule weekly scans.
  • Monthly - plan monthly scans effortlessly.
  • Node Selection for Scans - specify which node executes scan.
  • Use any available scanner option when the specified node is unavailable.

Improvements

  • Simplified onboarding process.
  • Efficient reuse of scanning profiles.
  • Secure access to scan results for authorized users only.
