Workspace Objectives

Overview

Every Pensar pentest automatically covers the OWASP Top 10 and OWASP API Top 10 security risks — no configuration required. Workspace objectives let you extend testing with additional, targeted goals specific to your application, compliance requirements, or known risk areas.

OWASP Top 10 and OWASP API Top 10 coverage is always included by default. Workspace objectives are additive — they don’t replace the standard coverage, they extend it.

What Are Workspace Objectives?

Workspace objectives are custom penetration testing instructions that you define at the workspace level. They tell the AI agent to test for specific concerns beyond the standard vulnerability categories.

For example:

  • “Test for IDOR vulnerabilities in all tenant-scoped API endpoints”
  • “Verify that PHI data is never exposed in API responses or logs (HIPAA compliance)”
  • “Test payment processing flows for price manipulation and race conditions”
  • “Verify multi-tenant data isolation — no user should be able to access another tenant’s resources”

When the agent generates pentest objectives for each endpoint, your workspace objectives are included alongside the standard OWASP-derived objectives, ensuring every endpoint is tested against your custom criteria.

When to Use Workspace Objectives

Compliance Requirements

Add objectives for specific regulatory standards (PCI-DSS, HIPAA, SOC 2) that require testing beyond OWASP coverage.

Business Logic Testing

Define objectives around your application’s unique workflows — payment processing, multi-tenant isolation, privilege escalation paths.

Known Risk Areas

Focus additional testing on areas where past incidents or threat modeling have identified elevated risk.

Custom Integrations

Test security of third-party integrations, webhooks, or inter-service communication specific to your architecture.

Managing Objectives

Navigate to Workspace Settings > Objectives to manage your workspace objectives.

Workspace objectives require an admin or owner role. Users with the member role cannot view or modify objectives.

Adding Objectives

2. Write Your Objective

Enter a clear, specific pentesting objective in the text area. Be as descriptive as possible — the AI agent uses this text to understand what to test for.

3. Add the Objective

Click Add Objective (or press Enter). The objective is saved immediately and will be included in future attack surface generation for all projects in the workspace.

Removing Objectives

Click the trash icon next to any objective to remove it. Removing an objective from the workspace does not retroactively remove it from endpoints that already have it — it only affects future attack surface generation.

Writing Effective Objectives

Good objectives are specific, actionable, and describe a concrete security concern:

  • Verify that all API endpoints returning user data implement field-level encryption for PII fields (SSN, date of birth, financial account numbers) per PCI-DSS Requirement 3.4.
  • Test that session tokens are invalidated server-side on logout and after 15 minutes of inactivity per SOC 2 CC6.1 requirements.
  • Verify that audit logs capture all access to PHI data including the authenticated user, timestamp, and accessed resource per HIPAA §164.312(b).
  • Test the checkout flow for price manipulation — verify that product prices are validated server-side and cannot be modified via request tampering between cart and payment.
  • Test multi-tenant data isolation: authenticate as User A and attempt to access resources belonging to Tenant B through direct object references, API parameter manipulation, and query injection.
  • Verify that the referral/promo code system cannot be exploited through race conditions to apply multiple discounts or generate unlimited credits.
  • Test webhook endpoints for SSRF — verify that user-controlled callback URLs cannot be used to access internal services or cloud metadata endpoints (169.254.169.254).
  • Test the file upload pipeline for path traversal and unrestricted file type upload. Verify that uploaded files cannot be executed server-side.
  • Test GraphQL endpoints for introspection disclosure, query depth attacks, and batching abuse. Verify query complexity limits are enforced.

Propagating Objectives to Existing Endpoints

When you add workspace objectives, they are automatically included when generating attack surfaces for new endpoints. However, endpoints that were created before the objectives were defined won’t have them yet.

Use the Propagate action to push workspace objectives to all existing endpoints:

1. Define Your Objectives

Add all desired workspace objectives in Settings > Objectives.

2. Click Propagate

Click the Propagate Objectives to All Endpoints button that appears below your objectives list.

3. Review Results

Pensar traverses all projects, applications, and endpoints in your workspace, adding any missing objectives. You’ll see a count of how many endpoints were updated.

Propagation is a merge operation — it only adds objectives that an endpoint doesn’t already have. It never removes or overrides existing per-endpoint objectives.
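The rules described on this page (default coverage plus workspace objectives for new endpoints, merge-only propagation with an updated-endpoint count, and removal that does not reach endpoints already holding the objective) can be modelled to make the edge cases explicit. The following is an added illustration, not Pensar's own code: the `Workspace`, `Endpoint`, `generate_endpoint`, `propagate`, and `run_scenario` names are hypothetical, and the default-coverage labels are constructed placeholders standing in for the real OWASP-derived objectives.

```python
from dataclasses import dataclass, field

# Constructed placeholders for the always-on default coverage. The real
# product derives these from the OWASP Top 10 / API Top 10; the labels
# here are illustrative only.
DEFAULT_OBJECTIVES = [
    "Test for broken access control (OWASP A01)",
    "Test for broken object level authorization (OWASP API1)",
]


@dataclass
class Endpoint:
    path: str
    objectives: list[str] = field(default_factory=list)


@dataclass
class Workspace:
    """Hypothetical model of workspace-level objectives and their flow to endpoints."""
    objectives: list[str] = field(default_factory=list)
    endpoints: list[Endpoint] = field(default_factory=list)

    def add_objective(self, text: str) -> None:
        # Saved immediately; duplicates and blank entries are ignored.
        text = text.strip()
        if text and text not in self.objectives:
            self.objectives.append(text)

    def remove_objective(self, text: str) -> None:
        # Only future generation is affected; endpoints that already
        # carry the objective keep it.
        self.objectives = [o for o in self.objectives if o != text]

    def generate_endpoint(self, path: str) -> Endpoint:
        # New attack surface: default coverage plus the workspace objectives
        # that exist at generation time (workspace objectives are additive).
        ep = Endpoint(path, list(DEFAULT_OBJECTIVES) + list(self.objectives))
        self.endpoints.append(ep)
        return ep

    def propagate(self) -> int:
        # Merge operation: add only what each endpoint is missing, never
        # remove or override per-endpoint objectives. Returns the number of
        # endpoints that actually changed.
        updated = 0
        for ep in self.endpoints:
            missing = [o for o in self.objectives if o not in ep.objectives]
            if missing:
                ep.objectives.extend(missing)
                updated += 1
        return updated


def run_scenario() -> dict:
    """Walk through the documented lifecycle and return the observable results."""
    iso = "Test multi-tenant data isolation across all API endpoints"
    custom = "Verify CSV export cannot be used for formula injection"

    ws = Workspace()
    # Endpoint created before any workspace objective exists; it also gets a
    # per-endpoint objective edited in the attack surface view.
    old = ws.generate_endpoint("/api/v1/users")
    old.objectives.append(custom)

    ws.add_objective(iso)
    new = ws.generate_endpoint("/api/v1/orders")  # created after; gets it automatically

    first_pass = ws.propagate()    # only the older endpoint is missing it -> 1
    second_pass = ws.propagate()   # nothing left to merge -> 0

    ws.remove_objective(iso)       # removal is not retroactive
    return {
        "new_has_objective": iso in new.objectives,
        "old_before_propagate_had_it": False,  # it was generated before add_objective
        "first_pass_updated": first_pass,
        "second_pass_updated": second_pass,
        "custom_preserved": custom in old.objectives,
        "old_keeps_after_removal": iso in old.objectives,
        "workspace_after_removal": list(ws.objectives),
    }


if __name__ == "__main__":
    for key, value in run_scenario().items():
        print(f"{key}: {value}")
```

The second `propagate()` call returning 0 is the property worth checking in any automation around this feature: propagation is idempotent, so re-running it after adding a single new objective only touches endpoints that lack that objective.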

Per-Endpoint Objectives

In addition to workspace-level objectives, you can customize objectives on individual endpoints in the attack surface view. This is useful when a specific endpoint has unique security concerns that don’t apply workspace-wide.

Per-endpoint objectives are edited in the endpoint detail form within the attack surface editor. You can add or remove objectives for any individual endpoint without affecting other endpoints or the workspace objectives.

How Objectives Flow

Workspace Objectives (Settings > Objectives)
↓ automatically included in new attack surfaces
↓ manually propagated to existing endpoints
Endpoint Objectives (per-endpoint, editable in attack surface view)
↓ included in scan execution
Scan Results & Pentest Reports

During a scan, the agent sees each endpoint’s full objectives list and uses them to guide testing. Objectives also appear in pentest reports as part of the endpoint summary.

Example Objective Sets

Here are complete objective sets for common application types:

  • Test multi-tenant data isolation across all API endpoints
  • Verify role-based access control (RBAC) enforcement — regular users should not access admin endpoints
  • Test the subscription/billing flow for plan upgrade bypass and price manipulation
  • Verify API rate limiting is enforced per-tenant and cannot be circumvented
  • Test OAuth/SSO integration for token leakage and session fixation
  • Verify that webhook delivery cannot be replayed or forged

Next Steps