FortiPenTest, Fortinet pentest-as-a-service cloud-based service has been recently updated to version 20.4.

This new version brings improvements to all parts of the portal and also new features, that we will be highlighting below.

 If you are already accustomed to FortiPenTest web user interface, you will be able to notice new changes here and there.

 The easiest one to spot, will be the threat level score, which is a numeric value ranging from 0 to 10. It is computed from the CVSS scores of each OWASP Top 10 categories.

Figure 1: Top right, threat score is displayed, 5.8/10 in the example

The threat score is also listed in the inventory asset page. It can give operators a quick glance to prioritize and choose an asset for vulnerability remediation. 

With our new big feature – schedule and recurring scans, there is no need for you to be in front of the interface to run a scan. You can plan your scan strategy way ahead of time. Schedule it for daily, weekly, monthly or for only during week-ends. It’s your choice!

Figure 2: Schedule/recurring scan configuration popup

What would be an automated schedule scan without being able to send an alert automatically?

Now, with the new email notification system, you can get notifications about the asset statuses straight to your mailbox. For example, when a scan is completed or a new high vulnerability is found on your asset, you will be notified.

Figure 3: Email notification configuration

The reports generated are now providing more content, especially sharing details regarding the scan processes. It includes stats on how long the scan lasted, the total number of requests that were made and the average server response time.

Please watch the short video showcasing the main new UI features, down below.

Under the hood, the components have also been beefed up.


Full scan mode was already using real browser automation to mimic user actions.

But now, simulated browsing has been greatly improved to provide much better performance.

Read here: faster and deeper scans.


Detection coverage is no exception; new OWASP Top 10 categories have also been added.

To mention a few:

  • new A1 injection attack technics for SQL, NoSQL, LDAP and XPATH
  • new A3 TLS/SSL weak ciphers usage
  • new A4-2010 insecure file upload supporting WebDAV
  • new A5 forced browsing, allowing custom wordlist for premium users

Furthermore, security modules can also now take full advantage of the new third-party command and control (C&C) server, allowing them to carry blind attacks.

Please log on to  to check out these exciting new features and much more (see the complete release note).

You can contact your Fortinet sales representative to get a free evaluation license.