As of December 31st, 2023 ThreadFix 2.X has reached End of Life and is no longer supported. For any further information please contact the Success and Implementation team.

Pen Test

You will learn

How to add manual vulnerabilities to your applications for tracking through the Pen Test feature.


Audience: IT Professional and/or End User
Difficulty: Intermediate
Time needed: Approximately 30 minutes
Tools required: ThreadFix

Importing vulnerabilities from scanner files is quick and convenient, but ThreadFix also allows you to easily add manual vulnerabilities to your applications for tracking through the Pen Test feature. The Pen Test feature allows users with the necessary permissions to build a list of manual findings over time and submit them as an assessment once the test is complete. This guide details the process for creating static, dynamic, and dependency findings with a Pen Test and interacting with these vulnerabilities afterward.

For information on how to create and manage your Pen Test Teams, see our documentation here. Permissions are required for creating, editing and deleting Pen Test Teams and findings. For Information on permissions please see the documentation on Manage Roles.

Performing a Pen Test

From your Team page open the application details page for the application you wish to perform a Pen Test in. Then click the Action button, and select ‘Perform Pen Test’.

Pen Test Teams are comprised of users that have been placed on that team. More info on managing Pen Test team here.

Only users on a Pen Test Team can access the Pen Test page. Users will only have the option to select Pen Test Teams that they are members of. If a Pen Test Team has an active test, all users who access that Pen Test Team page will be brought to that active Pen Test. Members of the same Pen Test Team will all be able to add findings to the same Pen Test to be submitted as vulnerabilities from one Pen Test assessment. 

When you select ‘Start Pen Test,’ all users with the appropriate permissions will be able to add findings to this Pen Test. This test will remain active until the test is submitted, at which point the findings are added to the applications vulnerabilities and editing of findings is limited. 

Depending on your permissions, you now have the option to add finding, submit your Pen Test, and delete your Pen Test.

Add Findings

When ‘Add Finding’ is selected, you are taken to the Add Finding page.

Here you are given the option to create a static, dynamic, or dependency finding within the appropriate tabs. Severity, Parameter, and a CWE or Summary are required for Static and Dynamic findings. Severity and CWE or Summary are required for Dependency findings. These fields are important because this is how ThreadFix merges findings. Dependency findings can merge without a matching CWE. For static and dynamic findings the CWE and parameter have to match in order for the findings to merge. For more information on finding merge requirements please see the examples of these findings below.  

Files can be added to findings as evidence (Note: files are saved as-is and not used as scans). Files can only be deleted before a Pen Test is submitted; afterward, the files are permanently attached to the finding.


Dynamic Finding

Required Fields
  • Severity

  • Parameter

  • CWE or Summary

  • URL (Note: Do not include any parameter(s) in the URL; this string belongs in the Parameter field.)

Dynamic findings will only merge with other findings who's parameter, CWE and URL match. Note that a dynamic finding can have both static and dynamic information. 

Static Finding

Required Fields
  • Severity

  • Parameter

  • CWE or Summary

  • Source and Sink information

Static findings will only merge with other findings whose parameter, CWE, and source and sink information (file path and line number) match. Note that a static finding can have both static and dynamic information.

Dependency Finding

Required Fields
  • Severity

  • CWE or Summary (though summary is more common for dependency findings)

  • Library

  • Issue type

  • Reference

Dependency findings will only merge with other findings who's library, version number, and reference match (for dependency findings the CWE/summary and parameter are not required to match to merge with another finding).

Active Pen Test

After a finding is submitted to the Pen Test Team, it is listed under ‘New Pen Test Findings’ where members of the team can edit and delete the finding.

Deleting an Assessment After Creating a Pen Test

Once a Pen Test has been started and is active, you cannot delete assessments from that Pen Test scanner type or upload a ThreadFix file for that scanner type in that application until the active Pen Test has been submitted or deleted.

Once the Pen Test has been submitted you are given the option to delete assessments from the Assessments tab.

Submitting a Pen Test

After clicking Submit Pen Test, you will be provided with a modal to set the date and time of the assessment.

Introduced in 2.8.3, when submitting a Pen Test, a time zone drop down will allow users to set a desired time zone region. When viewing a Pen Test result, the time zone on the display will be based on the user’s browser’s local time.

Note: Once a Pen Test is submitted, it can no longer be edited or deleted from the Pen Test Findings page, they will be treated as scan findings.

After Pen Test Submission

After the Pen Test is submitted you will see the vulnerabilities with the rest of your applications vulnerabilities. If another Pen Test is created from the same Pen Test Team, you will be prompted to review open Pen Tests created by that team. 

Not Remediated

If ‘Not Remediated’ is selected, the finding is moved to the Not Remediated Pen Findings section.


If ‘Remediated’ is selected, you can change it to Not Remediated or revert. Again if revert is selected the finding is sent back to its original state of needing review.

Note: Remediating the findings will remove the vulnerabilities that Pen Test added from the application.

Copyright © 2024 Coalfire. All rights reserved.

This Information Security Policy is CoalFire - Public: Distribution of this material is not limited.