Test Credentials
Save and reuse credentials (username+password, API Key, OAuth, SSH) across tests.
If your company runs multiple pentests, typing the same credentials every time in the wizard is repetitive. HAS lets you save credentials once and reuse them in future tests with a single click.
Where to manage
Go to Company settings › "Test Credentials" tab. The tab is visible only to master users.
There you see the list of saved credentials (name, type, role, target URL/host, last use) and can add new ones or edit/delete existing ones.
Supported credential types
Four types covering the most common pentest scenarios:
- Username + Password — classic login for web apps, admin panels, legacy systems. Supports optional MFA (TOTP seed, for example).
- API Key — REST APIs authenticated via header (Authorization: Bearer, X-API-Key, etc.). Stores endpoint + key + header.
- OAuth / Client Credentials — machine-to-machine authentication using Client ID + Client Secret + Token URL.
- SSH Key — SSH/SFTP access to servers, bastions, Kubernetes. Stores host + port + user + private key + optional passphrase.
Common fields across all types
- Name — free-form label to identify the credential in the list (e.g. "Admin Staging", "API Prod v2").
- Role — the user level this credential represents (Admin, Standard, Viewer, Operator, Custom). Helps the pentester understand the test context.
- Notes — extra context (e.g. "MFA via app", "Business hours only", "Don't lock out after 3 attempts").
Reusing credentials in a test
When creating a new pentest via the wizard (see Requesting a pentest), the credentials step shows a "Load saved credential" button (visible only to master users).
- Click Load saved credential.
- A list of previously saved credentials appears (auto-filtered by the asset URL when possible).
- Pick the credential you want.
- The "add credential" modal opens automatically with all fields pre-filled. You can confirm or adjust before adding to the test.
Audit
Each credential keeps a history:
- Created by — email of the user who registered it.
- Creation date.
- Last use — when it was last loaded into a test.
- View / edit / delete events are stored in the company's action log.
Best practices
- Name credentials descriptively (e.g. "Admin Production" rather than "Admin 1").
- If the client rotates a credential, edit the existing record instead of creating a new one.
- When a credential is disabled on the client side, delete the record in HAS — it reduces visual clutter and avoids mistakes in new tests.
- For API Keys and OAuth, consider creating pentest-dedicated credentials (with reduced scope) and removing them after completion.