<aside>
🎯
Goal: Provide evidence that an independent, qualified party tested your application for vulnerabilities.
</aside>
What the auditor wants
- Proof that a qualified, independent third party attempted to find and exploit vulnerabilities in your application.
- A penetration test report showing findings and remediation progress.
How to clear this task
<aside>
🛡️
Option A: Run your pentest in the Security tab
- Go to Security → Penetration Tests and click + New Scan.
- Enter your target URL (and optionally a code repository), choose a scan depth (Quick, Standard, or Deep), and start the scan.
- Your first penetration test is free. Findings stream in live as the scan runs.
- When it finishes, download the Markdown or PDF report and upload it as your evidence.
- Remediate any High or Critical findings, then re-run the scan to produce a clean report showing they no longer reproduce.
</aside>
<aside>
📎
Option B: Bring your own report
- If you have a recent pentest from a third-party security vendor, click Upload Evidence.
- Upload the final PDF report.
- Make sure the report shows that any High or Critical findings were remediated and retested.
</aside>
<aside>
💡
The remediation rule: auditors typically expect remediation of High and Critical findings. Low and Medium findings can be tracked in your backlog.
</aside>