White-box Pentests are deep, scoped assessments that go beyond day-to-day pull request review. They use repository context, target URLs, and access instructions to assess a defined application or codebase. They run on a slower cadence than continuous Code Review: some teams run one during initial rollout, while others run them monthly, quarterly, or ahead of compliance audits.

When to use it

White-box Pentest is a good fit when you need:
  • A deep, scoped assessment of a service or application
  • Coverage that includes both source code context and live target URLs
  • Assessments for SOC 2, ISO 27001, vendor security reviews, or internal release gates
  • A broader review than continuous PR or MR comments

Start here

Quickstart

Prepare scope, create the scan, estimate credits, and start from the dashboard.

Credits and billing

Understand credit estimates, shared organization balances, top-ups, checkout, and insufficient-credit handling.

Run status

| Status | Meaning |
| --- | --- |
| Draft | Scope is being prepared and has not been estimated or started yet. |
| Estimating | Hacktron is calculating the credit estimate. |
| Ready to Start | The estimate is complete and the scan is waiting for checkout/start. |
| Running | Hacktron is assessing the selected repository and targets. |
| Completed | The scan finished and findings are available. |
| Failed | The scan could not complete. Review the run details or contact support. |
| Cancelled | The scan was stopped before completion. |

Relationship to Code Review

Use Code Review when you want ongoing pull request coverage on connected repositories. Use White-box Pentest when you want a broader assessment with shared credits and explicit scope review before the run starts.

Connect repositories

Give Hacktron source access through GitHub, GitHub Enterprise Server, or GitLab.

Code Review

Set up ongoing pull request review coverage.