WAF & Rate Limiting

Overview

Web Application Firewalls (WAF) and rate limiting protect your application from malicious traffic. However, these protections can prevent Pensar from comprehensively testing your application for real vulnerabilities.

For Best Results: Allowlist Pensar’s testing infrastructure or temporarily disable WAF and rate limiting during penetration tests.

Why This Matters

Pensar’s automated security testing triggers defensive mechanisms, preventing accurate vulnerability assessment:

Complete Coverage

WAFs block legitimate security test payloads (SQL injection, XSS, path traversal) before they reach your application, hiding real vulnerabilities.

Prevent False Negatives

Rate limits stop testing mid-scan, causing incomplete coverage and missed vulnerabilities in untested endpoints.

Test Your Code

Testing your actual application code reveals real vulnerabilities in your business logic, not just WAF effectiveness.

True Security Posture

Understand your application’s native security without relying solely on external protections.

What Gets Blocked

Without proper configuration, you may experience:

  • Blocked Test Payloads: SQL injection, XSS, and command injection tests blocked by WAF rules
  • Incomplete Scans: Rate limiting stops endpoint discovery and fuzzing before completion
  • Bot Detection: CAPTCHA challenges and JavaScript validation block automated testing
  • Throttled Requests: Authentication testing and concurrent requests trigger rate limits
  • Missed Vulnerabilities: Protections prevent Pensar from fully testing your attack surface

Pensar Production IP Addresses

All Pensar penetration testing traffic originates from our AWS infrastructure with static IPs. Allowlist these IPs in your WAF and rate limiting configuration:

Production IPs to Allowlist:

3.225.121.161
44.219.4.250

Add both IPs to your WAF allowlist and rate limiter exceptions.

1. Allowlist Pensar IPs

Add Pensar’s production IPs to your WAF and rate limiter allowlist. This maintains protection against actual threats while allowing comprehensive testing.

2. Test Staging First

Run initial tests against staging/development environments where protections can be safely disabled.

3. Verify Configuration

Run a test scan and monitor your WAF logs to confirm Pensar traffic is allowed through without blocking or rate limiting.

4. Schedule Production Testing

For production, schedule pentests during low-traffic periods if you need to temporarily disable protections.

Common WAF Providers

Refer to your WAF provider’s documentation for allowlisting IPs:

  • Cloudflare: Create firewall rule to skip WAF for Pensar IPs
  • AWS WAF: Create IP set with Pensar IPs and add allow rule with priority 0
  • Google Cloud Armor: Add allow rule for Pensar IPs with highest priority
  • Azure Front Door: Add custom rule to allow Pensar IPs
  • Other Providers: Add Pensar IPs to allowlist/whitelist with highest priority

Most providers support IP allowlisting that bypasses all WAF rules and rate limits for specified IPs.

After Configuration

Once configured, you should see:

  • ✅ Pensar traffic allowed through WAF without blocking
  • ✅ No rate limiting on Pensar requests
  • ✅ Complete test coverage of all endpoints
  • ✅ Accurate vulnerability findings
  • ✅ Comprehensive security assessment

If tests are still being blocked, check your WAF logs and verify the allowlist rule has highest priority.
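One way to do that log check, as an added example rather than Pensar's own tooling: a Python script that reads AWS WAF JSON log records, keeps only requests from the two Pensar IPs above, and reports any that were not allowed together with the rule that stopped them. Field names follow the AWS WAF logging format; the sample records and the rule names inside them are constructed assumptions.

```python
import json
from collections import Counter

# Pensar production IPs from this page
PENSAR_IPS = {"3.225.121.161", "44.219.4.250"}
# Constructed AWS WAF log records (one JSON object per line). Rule names are
# assumptions: two Pensar requests pass via the allowlist rule, one is blocked by
# a managed SQLi rule, one is throttled by a rate-based rule; the last is another client.
SAMPLE_LOG = """\
{"timestamp":1700000000000,"action":"ALLOW","terminatingRuleId":"allow-pensar","terminatingRuleType":"REGULAR","httpRequest":{"clientIp":"3.225.121.161","uri":"/login"}}
{"timestamp":1700000001000,"action":"ALLOW","terminatingRuleId":"allow-pensar","terminatingRuleType":"REGULAR","httpRequest":{"clientIp":"44.219.4.250","uri":"/api/users"}}
{"timestamp":1700000002000,"action":"BLOCK","terminatingRuleId":"AWS-AWSManagedRulesSQLiRuleSet","terminatingRuleType":"MANAGED_RULE_GROUP","httpRequest":{"clientIp":"44.219.4.250","uri":"/search"}}
{"timestamp":1700000003000,"action":"BLOCK","terminatingRuleId":"rate-limit-per-ip","terminatingRuleType":"RATE_BASED","httpRequest":{"clientIp":"44.219.4.250","uri":"/api/users"}}
{"timestamp":1700000004000,"action":"BLOCK","terminatingRuleId":"AWS-AWSManagedRulesSQLiRuleSet","terminatingRuleType":"MANAGED_RULE_GROUP","httpRequest":{"clientIp":"198.51.100.7","uri":"/search"}}
"""


def audit_pensar_traffic(log_text, pensar_ips=PENSAR_IPS):
    """Return (not_allowed, counts) for requests from the Pensar IPs only.

    not_allowed holds each record that was not ALLOWed with the rule that stopped
    it; counts tallies (action, terminatingRuleId) pairs. Other clients are ignored.
    """
    not_allowed = []
    counts = Counter()
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = json.loads(line)
        req = rec.get("httpRequest", {})
        if req.get("clientIp") not in pensar_ips:
            continue
        action = rec.get("action")
        rule = rec.get("terminatingRuleId", "Default_Action")
        counts[(action, rule)] += 1
        if action != "ALLOW":
            not_allowed.append({
                "ip": req.get("clientIp"), "uri": req.get("uri"),
                "action": action, "rule": rule,
                # AWS WAF tags decisions made by a rate-based rule with this type
                "rate_limited": rec.get("terminatingRuleType") == "RATE_BASED",
            })
    return not_allowed, counts


if __name__ == "__main__":
    problems, counts = audit_pensar_traffic(SAMPLE_LOG)
    for p in problems:
        print(f"{p['ip']} {'rate limited' if p['rate_limited'] else 'blocked'} on {p['uri']} by {p['rule']}")
    print("OK" if not problems else "FIX: move the allowlist rule ahead of the rules above")
```

Any record listed names a rule that is evaluated before the allowlist rule; on real logs, replace SAMPLE_LOG with the contents of your exported WAF log file.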

Need Help? Contact team@pensarai.com for assistance with WAF configuration or if you need updated IP addresses.

Next Steps