
This guide walks a new team from account creation to reading your first evidence bundle. Expect about thirty minutes end to end if your target already has a staging environment Pentrova can reach.

1. Create your account

Sign in at app.pentrova.ai with a work email. The first user in a workspace becomes the Owner and can invite teammates, create targets, and configure auth modes. The default roles are Owner, Admin, Member, and Viewer — day-to-day pentesting belongs to the Member role so owner credentials stay reserved for administration.

2. Configure your first target

A target is a single logical application. Create one from the Targets tab and supply:

target:
  name: "staging-api"
  base_url: "https://staging.api.example.com"
  environment: "staging"
  scope:
    include:
      - "/v1/**"
    exclude:
      - "/v1/admin/danger/**"

Pentrova only pentests paths you explicitly include. The exclude list is honoured absolutely — excluded paths are never touched, even if testing would otherwise reach them.
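
A pre-flight check for the scope rules above, written as an added example and not Pentrova's own code. It assumes a trailing `/**` covers the prefix and everything under it and that `*` stays inside one path segment (this page does not document the matcher); the function names are hypothetical and the sample paths are constructed.

```python
import posixpath
import re
from urllib.parse import unquote

# Scope lists copied from the target config above.
INCLUDE = ["/v1/**"]
EXCLUDE = ["/v1/admin/danger/**"]

def glob_to_regex(pattern):
    """Assumed glob semantics: a trailing '/**' covers the prefix and everything
    under it, '**' elsewhere spans segments, '*' stays inside one segment."""
    parts, i = [], 0
    while i < len(pattern):
        if pattern.startswith("/**", i) and i + 3 == len(pattern):
            parts.append("(?:/.*)?")
            i += 3
        elif pattern.startswith("**", i):
            parts.append(".*")
            i += 2
        elif pattern[i] == "*":
            parts.append("[^/]*")
            i += 1
        else:
            parts.append(re.escape(pattern[i]))
            i += 1
    return re.compile("".join(parts))

def normalize(path):
    """Drop the query string, decode percent-escapes, and collapse '.', '..'
    and '//' so equivalent spellings of a path are judged identically."""
    decoded = unquote(path.split("?", 1)[0])
    return "/" + posixpath.normpath("/" + decoded).lstrip("/")

def in_scope(path, include=INCLUDE, exclude=EXCLUDE):
    """Exclude wins: a path is in scope only if it matches an include
    pattern and no exclude pattern."""
    p = normalize(path)
    if any(glob_to_regex(g).fullmatch(p) for g in exclude):
        return False
    return any(glob_to_regex(g).fullmatch(p) for g in include)

if __name__ == "__main__":
    # Constructed sample paths, not taken from a real crawl inventory.
    for sample in ["/v1/users/42", "/v1/admin/danger/reset",
                   "/v1/public/../admin/danger/reset",
                   "/v1/admin/%64anger/reset", "/v1/admin/dangerous", "/v2/users"]:
        print(f"{sample:40} {'IN' if in_scope(sample) else 'OUT'}")
```

Running the same check over your own route list before launching shows which endpoints fall outside the include list and which sit next to an excluded prefix without being covered by it, such as `/v1/admin/dangerous` here.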

3. Set an authentication mode

Pentrova supports bearer, apikey, basic, oauth2, custom, and mtls. The full configuration surface is documented in the Configuring authentication guide, but for a first pentest a bearer token against a test account is usually enough to exercise realistic coverage.

4. Launch your first pentest

From the target overview, click Run pentest. The engagement produces three things in order: a crawl inventory, an activity log, and a chain report. Chains are the output you care about — each chain is a fully replayable evidence bundle stored in your workspace, with a reproducible command and a response hash you can re-check.

5. Read the evidence bundle

Open any confirmed chain to see the bundle. The Interpreting PoC artifacts guide walks through every section, but the short version: command output, screenshots, and captured request/response exchanges are all attached. The bundle URL on every webhook event lets you fetch the same evidence from a CI step or a downstream automation.

Next steps

Configure additional auth modes, wire Pentrova into your CI, or explore the Authorization Matrix for multi-role replay. Each of those has a dedicated guide in the sidebar.

Last updated: May 31, 2026
