# CreatePentest
<a name="API_CreatePentest"></a>

Creates a new pentest configuration in an agent space. A pentest defines the security test parameters, including target assets, risk type exclusions, and logging configuration.

## Request Syntax
<a name="API_CreatePentest_RequestSyntax"></a>

```
POST /CreatePentest HTTP/1.1
Content-type: application/json

{
   "agentSpaceId": "string",
   "assets": { 
      "actors": [ 
         { 
            "authentication": { 
               "providerType": "string",
               "value": "string"
            },
            "description": "string",
            "identifier": "string",
            "uris": [ "string" ]
         }
      ],
      "documents": [ 
         { 
            "artifactId": "string",
            "s3Location": "string"
         }
      ],
      "endpoints": [ 
         { 
            "uri": "string"
         }
      ],
      "integratedRepositories": [ 
         { 
            "integrationId": "string",
            "providerResourceId": "string"
         }
      ],
      "sourceCode": [ 
         { 
            "s3Location": "string"
         }
      ]
   },
   "codeRemediationStrategy": "string",
   "excludeRiskTypes": [ "string" ],
   "logConfig": { 
      "logGroup": "string",
      "logStream": "string"
   },
   "networkTrafficConfig": { 
      "customHeaders": [ 
         { 
            "name": "string",
            "value": "string"
         }
      ],
      "rules": [ 
         { 
            "effect": "string",
            "networkTrafficRuleType": "string",
            "pattern": "string"
         }
      ]
   },
   "serviceRole": "string",
   "title": "string",
   "vpcConfig": { 
      "securityGroupArns": [ "string" ],
      "subnetArns": [ "string" ],
      "vpcArn": "string"
   }
}
```

## URI Request Parameters
<a name="API_CreatePentest_RequestParameters"></a>

The request does not use any URI parameters.

## Request Body
<a name="API_CreatePentest_RequestBody"></a>

The request accepts the following data in JSON format.

 ** [agentSpaceId](#API_CreatePentest_RequestSyntax) **   <a name="securityagent-CreatePentest-request-agentSpaceId"></a>
The unique identifier of the agent space to create the pentest in.  
Type: String  
Required: Yes

 ** [assets](#API_CreatePentest_RequestSyntax) **   <a name="securityagent-CreatePentest-request-assets"></a>
The assets to include in the pentest, such as endpoints, actors, documents, and source code.  
Type: [Assets](API_Assets.md) object  
Required: No

 ** [codeRemediationStrategy](#API_CreatePentest_RequestSyntax) **   <a name="securityagent-CreatePentest-request-codeRemediationStrategy"></a>
The code remediation strategy for the pentest. Valid values are AUTOMATIC and DISABLED.  
Type: String  
Valid Values: `AUTOMATIC | DISABLED`   
Required: No

 ** [excludeRiskTypes](#API_CreatePentest_RequestSyntax) **   <a name="securityagent-CreatePentest-request-excludeRiskTypes"></a>
The list of risk types to exclude from the pentest.  
Type: Array of strings  
Valid Values: `CROSS_SITE_SCRIPTING | DEFAULT_CREDENTIALS | INSECURE_DIRECT_OBJECT_REFERENCE | PRIVILEGE_ESCALATION | SERVER_SIDE_TEMPLATE_INJECTION | COMMAND_INJECTION | CODE_INJECTION | SQL_INJECTION | ARBITRARY_FILE_UPLOAD | INSECURE_DESERIALIZATION | LOCAL_FILE_INCLUSION | INFORMATION_DISCLOSURE | PATH_TRAVERSAL | SERVER_SIDE_REQUEST_FORGERY | JSON_WEB_TOKEN_VULNERABILITIES | XML_EXTERNAL_ENTITY | FILE_DELETION | OTHER | GRAPHQL_VULNERABILITIES | BUSINESS_LOGIC_VULNERABILITIES | CRYPTOGRAPHIC_VULNERABILITIES | DENIAL_OF_SERVICE | FILE_ACCESS | FILE_CREATION | DATABASE_MODIFICATION | DATABASE_ACCESS | OUTBOUND_SERVICE_REQUEST | UNKNOWN`   
Required: No

 ** [logConfig](#API_CreatePentest_RequestSyntax) **   <a name="securityagent-CreatePentest-request-logConfig"></a>
The CloudWatch Logs configuration for the pentest.  
Type: [CloudWatchLog](API_CloudWatchLog.md) object  
Required: No

 ** [networkTrafficConfig](#API_CreatePentest_RequestSyntax) **   <a name="securityagent-CreatePentest-request-networkTrafficConfig"></a>
The network traffic configuration for the pentest, including custom headers and traffic rules.  
Type: [NetworkTrafficConfig](API_NetworkTrafficConfig.md) object  
Required: No

 ** [serviceRole](#API_CreatePentest_RequestSyntax) **   <a name="securityagent-CreatePentest-request-serviceRole"></a>
The IAM service role to use for the pentest.  
Type: String  
Required: No

 ** [title](#API_CreatePentest_RequestSyntax) **   <a name="securityagent-CreatePentest-request-title"></a>
The title of the pentest.  
Type: String  
Required: Yes

 ** [vpcConfig](#API_CreatePentest_RequestSyntax) **   <a name="securityagent-CreatePentest-request-vpcConfig"></a>
The VPC configuration for the pentest.  
Type: [VpcConfig](API_VpcConfig.md) object  
Required: No

## Response Syntax
<a name="API_CreatePentest_ResponseSyntax"></a>

```
HTTP/1.1 200
Content-type: application/json

{
   "agentSpaceId": "string",
   "assets": { 
      "actors": [ 
         { 
            "authentication": { 
               "providerType": "string",
               "value": "string"
            },
            "description": "string",
            "identifier": "string",
            "uris": [ "string" ]
         }
      ],
      "documents": [ 
         { 
            "artifactId": "string",
            "s3Location": "string"
         }
      ],
      "endpoints": [ 
         { 
            "uri": "string"
         }
      ],
      "integratedRepositories": [ 
         { 
            "integrationId": "string",
            "providerResourceId": "string"
         }
      ],
      "sourceCode": [ 
         { 
            "s3Location": "string"
         }
      ]
   },
   "createdAt": "string",
   "excludeRiskTypes": [ "string" ],
   "logConfig": { 
      "logGroup": "string",
      "logStream": "string"
   },
   "pentestId": "string",
   "serviceRole": "string",
   "title": "string",
   "updatedAt": "string"
}
```

## Response Elements
<a name="API_CreatePentest_ResponseElements"></a>

If the action is successful, the service sends back an HTTP 200 response.

The following data is returned in JSON format by the service.

 ** [agentSpaceId](#API_CreatePentest_ResponseSyntax) **   <a name="securityagent-CreatePentest-response-agentSpaceId"></a>
The unique identifier of the agent space that contains the pentest.  
Type: String

 ** [assets](#API_CreatePentest_ResponseSyntax) **   <a name="securityagent-CreatePentest-response-assets"></a>
The assets included in the pentest.  
Type: [Assets](API_Assets.md) object

 ** [createdAt](#API_CreatePentest_ResponseSyntax) **   <a name="securityagent-CreatePentest-response-createdAt"></a>
The date and time the pentest was created, in UTC format.  
Type: Timestamp

 ** [excludeRiskTypes](#API_CreatePentest_ResponseSyntax) **   <a name="securityagent-CreatePentest-response-excludeRiskTypes"></a>
The list of risk types excluded from the pentest.  
Type: Array of strings  
Valid Values: `CROSS_SITE_SCRIPTING | DEFAULT_CREDENTIALS | INSECURE_DIRECT_OBJECT_REFERENCE | PRIVILEGE_ESCALATION | SERVER_SIDE_TEMPLATE_INJECTION | COMMAND_INJECTION | CODE_INJECTION | SQL_INJECTION | ARBITRARY_FILE_UPLOAD | INSECURE_DESERIALIZATION | LOCAL_FILE_INCLUSION | INFORMATION_DISCLOSURE | PATH_TRAVERSAL | SERVER_SIDE_REQUEST_FORGERY | JSON_WEB_TOKEN_VULNERABILITIES | XML_EXTERNAL_ENTITY | FILE_DELETION | OTHER | GRAPHQL_VULNERABILITIES | BUSINESS_LOGIC_VULNERABILITIES | CRYPTOGRAPHIC_VULNERABILITIES | DENIAL_OF_SERVICE | FILE_ACCESS | FILE_CREATION | DATABASE_MODIFICATION | DATABASE_ACCESS | OUTBOUND_SERVICE_REQUEST | UNKNOWN` 

 ** [logConfig](#API_CreatePentest_ResponseSyntax) **   <a name="securityagent-CreatePentest-response-logConfig"></a>
The CloudWatch Logs configuration for the pentest.  
Type: [CloudWatchLog](API_CloudWatchLog.md) object

 ** [pentestId](#API_CreatePentest_ResponseSyntax) **   <a name="securityagent-CreatePentest-response-pentestId"></a>
The unique identifier of the created pentest.  
Type: String

 ** [serviceRole](#API_CreatePentest_ResponseSyntax) **   <a name="securityagent-CreatePentest-response-serviceRole"></a>
The IAM service role used for the pentest.  
Type: String

 ** [title](#API_CreatePentest_ResponseSyntax) **   <a name="securityagent-CreatePentest-response-title"></a>
The title of the pentest.  
Type: String

 ** [updatedAt](#API_CreatePentest_ResponseSyntax) **   <a name="securityagent-CreatePentest-response-updatedAt"></a>
The date and time the pentest was last updated, in UTC format.  
Type: Timestamp

## Errors
<a name="API_CreatePentest_Errors"></a>

For information about the errors that are common to all actions, see [Common Error Types](CommonErrors.md).

## See Also
<a name="API_CreatePentest_SeeAlso"></a>

For more information about using this API in one of the language-specific AWS SDKs, see the following:
+  [AWS Command Line Interface V2](https://docs.aws.amazon.com/goto/cli2/securityagent-2025-09-06/CreatePentest) 
+  [AWS SDK for .NET V4](https://docs.aws.amazon.com/goto/DotNetSDKV4/securityagent-2025-09-06/CreatePentest) 
+  [AWS SDK for C\$1\$1](https://docs.aws.amazon.com/goto/SdkForCpp/securityagent-2025-09-06/CreatePentest) 
+  [AWS SDK for Go v2](https://docs.aws.amazon.com/goto/SdkForGoV2/securityagent-2025-09-06/CreatePentest) 
+  [AWS SDK for Java V2](https://docs.aws.amazon.com/goto/SdkForJavaV2/securityagent-2025-09-06/CreatePentest) 
+  [AWS SDK for JavaScript V3](https://docs.aws.amazon.com/goto/SdkForJavaScriptV3/securityagent-2025-09-06/CreatePentest) 
+  [AWS SDK for Kotlin](https://docs.aws.amazon.com/goto/SdkForKotlin/securityagent-2025-09-06/CreatePentest) 
+  [AWS SDK for PHP V3](https://docs.aws.amazon.com/goto/SdkForPHPV3/securityagent-2025-09-06/CreatePentest) 
+  [AWS SDK for Python](https://docs.aws.amazon.com/goto/boto3/securityagent-2025-09-06/CreatePentest) 
+  [AWS SDK for Ruby V3](https://docs.aws.amazon.com/goto/SdkForRubyV3/securityagent-2025-09-06/CreatePentest)