Scheduling a pentest

You can request a penetration test directly from the Oneleet dashboard. After you submit the request, your Pentesting Coordinator follows up to confirm timing and any open questions.

  1. Go to Penetration tests in the sidebar.
  2. Click Request a pentest in the top right. The button is available to tenant admins. If you don’t see it, ask an admin on your team to submit the request.
  3. Fill out the request form (see What the form asks for) and click Submit request.

Only one open request is allowed per tenant at a time. If a request is already in flight, the button is disabled and a tooltip tells you to wait for the coordinator to follow up.

What the form asks for

The form is split into a required section and an optional section. Answer as much as you can in the optional section to save time on the scoping call.

  • Scheduling availability — a Calendly link or list of days/times that work for the scoping call. We need this before we can confirm a day and time with the pentester.
  • Desired start date for the pentest — the earliest date you’d like testing to begin. Testing typically starts 1–2 business days after the scoping call.
  • Your website — the production URL of the application in scope.
  • Scope summary — a brief description of what should be tested: applications, environments, and anything notable.
  • Primary technical contact — the person the pentester should reach with technical questions. Pick a tenant member or enter a custom contact in Name <email> format.
  • Compliance frameworks — the frameworks that motivate this pentest (e.g. SOC 2, ISO 27001, PCI DSS, HIPAA). Optional, but helpful for scoping.
  • Notes — anything else we should know.

The questions in the optional section speed up the scoping call. You can also wait and answer them live.

  • Whether this is your tenant’s first pentest. If not, whether the previous report can be shared with the testers, plus any context about that engagement.
  • Number of user roles in the application (e.g. Super Admin, Admin, Member).
  • Whether the application is multi-tenant. Multi-tenant means more than one organization uses the same instance; for multi-tenant apps we typically test with two tenants and one user per role per tenant.
  • Tech stack (e.g. Go + React + Postgres on AWS).
  • Endpoint description or API definition — a Postman collection, OpenAPI URL, or list of endpoints.
  • Whether you have a staging environment, whether it’s representative of production, and any notes about it (URL, parity caveats).

After you submit the request:

  1. Your Pentesting Coordinator receives the request and reaches out to confirm scheduling.
  2. The scoping call is booked using the availability you provided.
  3. The engagement proceeds through the standard process.