Requesting a pentest

Step-by-step of the test creation wizard.

A pentest in HAS is requested through a 4-step wizard inside your company. This guide covers what you fill in at each step, how pricing works and the expected turnaround.

To start, go to Company overview → New test or use the "New test" option in the platform menu.

Step 1 — Scope

In the first step you define what will be tested and when:

Categories: Application (web, API, mobile), Infrastructure (servers, cloud, internal network) or Specialized (AI/LLM, IoT). You can combine multiple.
Assets: URLs, IPs or specific domains to test. See Filling assets for accepted formats.
Start date: when our pentesters should begin. We schedule up to 3 months ahead.

Step 2 — Authentication

Here you decide whether to provide any access:

No credentials: 100% Black Box test. Our pentesters simulate an external attacker with no prior access.
Provide credentials: Gray Box test. In this case, we ask whether the asset is internet-accessible or on a private network.

Asset on a private network

If the asset isn't on the internet, you need to grant access to our IPs. HAS shows 4 ways (load balancer/CDN, firewall allowlist, bastion host, or Cloudflare Tunnel). See Granting access for internal networks for details.

Step 3 — Details

Fill in:

Test name: a short identifier to locate the test later.
Goal and instructions: describe what should be validated, relevant context and limitations. Minimum 40 characters.
Attachments (optional): up to 4 files of 200 MB each. Accepts VPN configs (.ovpn), technical docs (.pdf, .docx), mobile APKs/IPAs, certificates, etc.

Heads up: the Goal field is for describing the test, not for listing assets. Put assets in step 1. If URLs/IPs are detected in the Goal, submission will be blocked.

Step 4 — Confirmation

Final review with a summary of what was entered. Here you choose the test level:

Level	Scope	Typical turnaround
AI-Native	Targeted assessment of the most relevant vulnerabilities	2 to 4 business days
AI-First	In-depth coverage with thorough analysis of the full scope	1 to 2 weeks

How it's billed

Depends on your company's plan:

Pay-per-test: one-time payment per test via card, PIX or boleto. Price based on assets and chosen level.
Monthly or Annual (allocation): the test consumes assets from your monthly quota. If you exceed it, you can buy an additional Pay-per-test.

After submitting

Once confirmed, the test shows up under Tests with status Requested. Our team validates within 48h and starts on the scheduled date. You follow everything in real time.