Enji
Start free demo

Authorized Testing

Questions or emergency contact: [email protected].

What This Covers

Some Enji Guard features send active requests to a website, API, or web resource. Auto-pentest is the primary example.

These checks are different from passive repository audits. They interact with the target system and may trigger logs, alerts, WAF rules, security monitoring, or temporary errors.

Authorization Requirement

You may run active checks only against systems that you own or have written permission to test.

By enabling Auto-pentest or a similar active check, you confirm that:

  • you own the target or have written authorization from the owner;
  • your organization permits the test;
  • the hosting provider or infrastructure provider permits the test;
  • the target is in scope for the selected check;
  • you understand that active checks may affect the target.

Do not use Enji Guard to test third-party systems without authorization.

Auto-pentest consent applies only to the specific project, website/domain, and selected active-check scope that the user confirmed.

Enji Guard should require renewed confirmation when:

  • the website, domain, or target scope changes;
  • the project is transferred to another owner or organization;
  • ownership or authorization for the target may have changed;
  • Enji Guard adds materially more aggressive active-test types to the selected scope;
  • the repository, website, or project is disconnected and connected again;
  • 12 months have passed since the previous confirmation.

What Enji Guard May Do During Auto-Pentest

Depending on the selected check, the Enji Fleet agents orchestrator may:

  • discover endpoints, forms, parameters, and headers;
  • send common vulnerability payloads;
  • test for common classes such as SQL injection, XSS, SSRF, IDOR/BOLA, broken access control, auth bypass, and sensitive data exposure;
  • use light load to validate behavior;
  • record reproduction steps and remediation suggestions;
  • generate a report with sensitive vulnerability details.

Possible Impact

Active checks may cause:

  • temporary errors or slowdown;
  • higher request volume than normal browsing;
  • security alerts, WAF events, logs, or monitoring noise;
  • temporary account lockouts if the target handles test traffic poorly;
  • exposure of bugs that need urgent remediation.

You are responsible for coordinating with relevant teams before running active checks.

Prohibited Testing

Do not use Enji Guard for:

  • denial-of-service or load testing;
  • credential stuffing, password spraying, or brute force attacks;
  • malware, persistence, lateral movement, or destructive payloads;
  • data exfiltration;
  • privilege escalation outside the agreed target scope;
  • scanning unrelated domains, IP ranges, tenants, customers, or shared infrastructure;
  • testing targets prohibited by your hosting provider, cloud provider, or customer contract.

Handling Reports

Auto-pentest reports may contain sensitive vulnerability details. Treat them as confidential.

Do not publish or share a report unless you have authority to disclose the target, findings, reproduction steps, and remediation information.

Stopping A Test

To stop future active checks, disable the Auto-pentest job or schedule in Enji Guard.

If you need help or believe an active check is causing harm, contact [email protected].

Enji Guard may store consent records showing that a user confirmed the active testing conditions for a target. Consent records may survive disabling and re-enabling a job so the product can show prior acknowledgement.

Stored consent records may be retained for auditability even after a consent is no longer valid for future active checks.