Features

Sandbox Testing

Overview

Sandbox testing allows Pensar to spin up your entire application in an isolated, ephemeral environment for security testing. By providing a Docker Compose file or letting Pensar automatically configure your development environment, you can test your application safely without impacting production systems.

Sandbox testing is the optimal approach for applications where the development environment can be easily containerized and started programmatically.

How Sandbox Testing Works

Pensar creates isolated environments on-demand for each pentest:

1

Environment Preparation

Pensar clones your repository into an isolated sandbox environment with full network isolation and resource constraints.

2

Service Discovery & Startup

The AI agent identifies your application’s service requirements: - Looks for docker-compose.yml or docker-compose.yaml in your repository - If found, uses your existing configuration - If not found, analyzes your codebase to detect required services (databases, caches, message queues) - Automatically generates a Docker Compose configuration if needed - Starts all services and waits for health checks to pass

3

Security Testing

Once the environment is healthy, whitebox testing is performed against the sandbox with full source code context and dynamic analysis.

4

Environment Cleanup

After testing completes, the entire sandbox environment is destroyed, ensuring no data persistence or resource leakage.

Key Benefits

Sandbox testing provides unique advantages for security testing:

Isolated Preview Environments

Spin up isolated environments in real-time for each scan without affecting production or staging systems. Test destructive exploits safely.

Real-Time POC Replay

During auto-remediation, replay exploit proof-of-concepts in real-time to confirm vulnerabilities are fixed. This verification loop ensures patches work before creating pull requests.

No Production Risk

Test aggressively without worrying about data corruption, service disruption, or production incidents. All testing is fully isolated.

Consistent Environments

Every scan runs in a fresh, identical environment. Eliminates environmental differences that can cause false positives or missed vulnerabilities.

Complex Attack Testing

Safely test destructive exploits like SQL injection, file uploads, command injection, and other attacks that modify system state.

Automated Setup

The AI agent automatically handles environment configuration, dependency installation, database migrations, and service startup.

Docker Compose Configuration

Using Your Existing Configuration

If your repository contains a docker-compose.yml or docker-compose.yaml file, Pensar will use it automatically:

1# docker-compose.yml
2version: '3.8'
3services:
4  app:
5    build: .
6    ports:
7      - '3000:3000'
8    environment:
9      DATABASE_URL: postgres://user:pass@db:5432/myapp
10      REDIS_URL: redis://redis:6379
11    depends_on:
12      db:
13        condition: service_healthy
14      redis:
15        condition: service_started
16
17  db:
18    image: postgres:15
19    environment:
20      POSTGRES_USER: user
21      POSTGRES_PASSWORD: pass
22      POSTGRES_DB: myapp
23    healthcheck:
24      test: ['CMD-SHELL', 'pg_isready -U user']
25      interval: 5s
26      timeout: 5s
27      retries: 5
28
29  redis:
30    image: redis:7-alpine
31    command: redis-server --appendonly yes

Ensure your Docker Compose file includes health checks for all critical services. This allows Pensar to wait for services to be fully ready before starting security tests.

Automatic Configuration Generation

If no Docker Compose file is found, Pensar analyzes your codebase to automatically generate one:

1

Dependency Detection

The AI agent scans your code for: - Database connections (PostgreSQL, MySQL, MongoDB, etc.) - Cache services (Redis, Memcached) - Message queues (RabbitMQ, Kafka) - Search engines (Elasticsearch, OpenSearch) - Other infrastructure dependencies

2

Configuration Generation

Based on detected dependencies, Pensar generates an appropriate docker-compose.yml with: - Correct service images and versions - Proper networking configuration - Health checks for all services - Environment variables extracted from your code

3

Iterative Troubleshooting

If the environment fails to start: - The AI agent reviews error logs - Adjusts configuration automatically - Retries with improved settings - Repeats until the environment is healthy

Best Practices for Docker Compose

Define health checks for all services to ensure they’re fully ready:

1healthcheck:
2  test: ["CMD", "curl", "-f", "http://localhost:8080/health"]
3  interval: 10s
4  timeout: 5s
5  retries: 5
6  start_period: 30s

Health checks prevent Pensar from starting tests before services are ready.

Specify service dependencies with conditions:

1depends_on:
2  db:
3    condition: service_healthy
4  cache:
5    condition: service_started

This ensures proper startup order and prevents race conditions.

Include database seeding in your setup:

1db:
2  image: postgres:15
3  volumes:
4    - ./seed-data.sql:/docker-entrypoint-initdb.d/seed-data.sql

Test data helps the AI agent understand your data model and test more effectively.

Expose all ports that Pensar needs to test:

1ports:
2  - "3000:3000"  # Main application
3  - "8080:8080"  # Admin panel
4  - "4000:4000"  # GraphQL endpoint

This ensures all endpoints are accessible for testing.

Sandbox Testing vs. Live Environment Testing

Understanding when to use each approach:

AspectSandbox TestingLive Environment Testing
Setup ComplexitySimple dev environmentsComplex production-like setups
Best ForApps with Docker ComposeApps with complex infrastructure
SafetyFully isolated, no production riskRequires careful rate limiting
POC ReplayReal-time verification during fixesCannot safely replay exploits
Environment ConsistencyIdentical for every scanMay drift over time
Resource RequirementsModerate - spins up containersMinimal - tests existing environment
Testing SpeedSlower - environment startup timeFaster - no environment setup
Data PersistenceEphemeral, cleaned up after scanProduction/staging data

When to Use Sandbox Testing

Sandbox testing is ideal when:

Your application can be started with:

  • A Docker Compose file
  • A simple shell script
  • Standard development commands (npm start, rails server, etc.)

If your entire dev environment can run locally with minimal configuration, sandbox testing is perfect.

You want to safely test exploits that:

  • Modify or delete data
  • Upload malicious files
  • Execute system commands
  • Cause service disruptions

Sandboxes allow aggressive testing without production risk.

You’re using auto-remediation and want to:

  • Replay POCs to verify fixes work
  • Iterate on patches until confirmed resolved
  • Have high confidence in automated fixes

Sandbox environments enable real-time verification loops.

You need:

  • Identical environments for every scan
  • No environmental drift
  • Reproducible results
  • Fresh state for each test run

When to Use Live Environment Testing

For organizations with more complex applications where the dev environment can’t simply be spun up with a Docker Compose file or similar simple approach, we recommend pentesting against live domains instead using the whitebox testinglive environment testing approach.

Live environment testing is better when: - Your application requires complex infrastructure (Kubernetes clusters, cloud services) - Third-party integrations can’t be easily mocked - Database migrations or data setup is complex - Microservices architecture with many dependencies - Enterprise systems with specialized hardware/software

With live environment testing:

  • Provide your staging or production domain URLs
  • Verify domain ownership via DNS TXT records
  • Configure authentication credentials if needed
  • Pensar tests against the live environment with source code insights

Learn more about live environment testing in the whitebox testing guide.

Sandbox Security & Isolation

Pensar sandboxes are designed with multiple layers of security:

Network Isolation

Sandboxes run in isolated networks with no access to internal infrastructure or other customer environments.

Resource Limits

CPU, memory, and disk limits prevent resource exhaustion and ensure fair resource allocation.

Ephemeral Storage

All data is destroyed when the sandbox terminates. No persistence between scans.

Time Limits

Sandboxes automatically terminate after a maximum time to prevent runaway processes.

Configuration Options

Configure sandbox behavior in your project settings:

Sandbox Settings

  • Enable/Disable Sandboxes: Turn sandbox testing on or off per project
  • Startup Timeout: Maximum time to wait for environment to become healthy (default: 10 minutes)
  • Resource Limits: CPU and memory allocation for the sandbox
  • Port Mapping: Additional ports to expose beyond those in Docker Compose

Environment Variables

Provide environment variables needed for your application:

  • Secrets: API keys, database credentials, third-party tokens
  • Configuration: Feature flags, environment settings
  • Testing Overrides: Disable external services, use test mode

Secrets provided for sandbox testing are encrypted at rest and in transit, and are destroyed when the sandbox terminates.

Troubleshooting

If your sandbox environment fails to start:

  1. Check the sandbox logs in the Pensar Console scan details
  2. Verify your Docker Compose file works locally
  3. Ensure health checks are properly configured
  4. Check for missing environment variables
  5. Review build logs for dependency installation errors

The AI agent automatically attempts to fix configuration issues, but complex problems may require manual intervention.

If services fail health checks:

  • Increase the start_period in health check configuration
  • Verify health check commands are correct
  • Check service logs for startup errors
  • Ensure dependencies are available (network, volumes)

If tests fail to reach your application:

  • Verify ports are correctly exposed in Docker Compose
  • Check that the application is listening on 0.0.0.0, not localhost
  • Review application logs for startup errors
  • Ensure the application waits for dependencies before starting

If sandboxes take too long to start:

  • Optimize Docker image sizes
  • Use build caching effectively
  • Pre-build images and push to a registry
  • Reduce the number of dependencies
  • Consider switching to live environment testing for very complex setups

Best Practices

Minimize sandbox startup time:

  • Use lightweight base images
  • Leverage Docker layer caching
  • Pre-install dependencies in container images
  • Use multi-stage builds
  • Avoid unnecessary services in dev environment

Ensure all services have proper health checks: - Database connections are ready - Application server is accepting requests - Migrations have completed - External dependencies are available

Provide test data that represents your production data: - User accounts with different roles - Sample products, orders, content - Edge cases and boundary conditions - Data that exercises your business logic

Track sandbox metrics over time:

  • Average startup time
  • Success/failure rates
  • Resource utilization
  • Testing duration

Use this data to optimize your configuration.

Next Steps

Whitebox Testing

Learn about whitebox testing approaches including sandbox and live environment testing.

Auto-Remediation

Discover how sandbox environments enable real-time verification of security fixes.

Adding Domains

Configure live domains for testing when sandboxes aren’t suitable.

Authentication

Set up authentication credentials for testing protected application areas.