Troubleshooting assessments

  • Public preview

If your assessment has paused, you need to fix the reported problem before you resume the assessment. If you resume without fixing the problem, the assessment is likely to pause again for the same problem and you may waste attack credits.

Note: Any assessment left in the “Paused” state for a week is automatically cancelled.

For more information, see Monitor assessment.

Expected pauses

Approved hours

No action required — resumes automatically

  • Pause reason: Your approved testing window is closed.
  • Resume: When the next approved testing window opens, the assessment automatically resumes.

Authentication problems

When XBOW cannot authenticate with the application, the assessment is blocked until you fix the authentication problems.

Account locked

Action required

  • Pause reason: Test account was locked on your server after repeated failed login attempts by XBOW.
  • Fix: Unlock the test account.
  • Optional prevention:
    • Implement lockout exemption for assessment service IP addresses or test accounts.
    • Increase lockout thresholds for assessment periods.
  • Resume: Confirm that you can log in to the account and resume the assessment.

For future tests, create and use a dedicated test account with lockout immunity.

Authentication error

Action required

  • Pause reason: An unexpected error occurred while XBOW was authenticating to your application.
  • Debug suggestions: Review your application logs for the error and check for recent changes to your authentication system.
  • Fix: Ensure that the authentication service is operational.
  • Resume: Confirm that you can log in to the account and resume the assessment.

Authentication network error

Action required

  • Pause reason: Network issues interrupted XBOW’s authentication to your application.
  • Debug suggestions:
    • Check connectivity.
    • Check DNS resolution.
    • Check that firewall rules for your authentication services allow XBOW requests.
  • Fix: Ensure that authentication endpoints are reachable.
  • Resume: Confirm that you can log in to the account and resume the assessment.

Authentication retry limit reached

Action required

  • Pause reason: XBOW reached the authentication retry limit while logging in to your application.
  • Debug suggestions: Check for dynamic tokens or session requirements.
  • Fix: Verify your authentication workflow and endpoints.
  • Optional prevention:
    • Simplify the login flow if it is overly complex.
    • Increase the authentication retry limit.
  • Resume: Confirm that you can log in to the account and resume the assessment.

Authentication status unknown

Action required

  • Pause reason: XBOW could not determine whether authentication to your application succeeded.
  • Fix: You may need to make changes to your authentication process before the assessment can continue. For example:
    • Configure explicit login success indicators.
    • Define markers for logged-in and logged-out pages.
    • Verify that session tokens are set correctly.
    • Check whether authentication uses any non-standard patterns.
  • Resume: Resume the assessment once the authentication state can be confirmed.
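One way to check, before you resume, that a post-login response carries unambiguous state markers and a correctly set session cookie. This is an added example, not XBOW's code or detection logic; the marker strings, the `sessionid` cookie name and the sample responses are constructed assumptions for a hypothetical application.

```python
from http.cookies import SimpleCookie

# Assumed markers and cookie name for a hypothetical app; replace with your own.
LOGGED_IN_MARKERS = ('id="logout-link"', "data-user-id=")
LOGGED_OUT_MARKERS = ('id="login-form"', "Invalid username or password")
SESSION_COOKIE = "sessionid"


def session_cookie_issues(set_cookie_headers):
    """List problems with the session cookie found in Set-Cookie header values."""
    for header in set_cookie_headers:
        jar = SimpleCookie()
        jar.load(header)
        if SESSION_COOKIE not in jar:
            continue
        morsel = jar[SESSION_COOKIE]
        issues = []
        if not morsel.value:
            issues.append("empty value")
        if not morsel["httponly"]:
            issues.append("missing HttpOnly")
        if not morsel["secure"]:
            issues.append("missing Secure")
        return issues
    return ["session cookie not set"]


def classify_login(status, set_cookie_headers, body):
    """Return 'logged_in', 'logged_out' or 'unknown' for a post-login response."""
    saw_in = any(marker in body for marker in LOGGED_IN_MARKERS)
    saw_out = any(marker in body for marker in LOGGED_OUT_MARKERS)
    issues = session_cookie_issues(set_cookie_headers)
    has_session = not ({"session cookie not set", "empty value"} & set(issues))
    if status >= 500 or saw_in == saw_out:
        return "unknown"  # server error, no marker at all, or conflicting markers
    if saw_in:
        return "logged_in" if has_session else "unknown"
    return "logged_out"


# Constructed sample responses: (status, Set-Cookie values, body).
SAMPLES = {
    "success": (200, ["sessionid=abc123; HttpOnly; Secure; Path=/"],
                '<a id="logout-link" href="/logout">Sign out</a>'),
    "failure": (200, [], '<form id="login-form">Invalid username or password</form>'),
    "spa_shell": (200, ["sessionid=abc123; Path=/"], '<div id="app"></div>'),
    "conflict": (200, ["sessionid=abc123; HttpOnly; Secure"],
                 '<form id="login-form"></form><a id="logout-link"></a>'),
}
```

The `spa_shell` and `conflict` samples are the cases to look for in your own application: a response with no marker at all, or with both kinds at once, cannot be classified.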

Bad signing credentials

Action required

  • Pause reason: Your request signing credentials appear to be invalid.
  • Fix: Verify your request signing configuration.
  • Resume: When the signing credentials are valid, resume the assessment.

CAPTCHA blocked

Action required

  • Pause reason: A CAPTCHA challenge on your application blocked XBOW.
  • Fix: Temporarily disable CAPTCHA for the assessment service IP addresses, or exempt authenticated test accounts from CAPTCHA.
  • Optional prevention:
    • Configure CAPTCHA bypass tokens or testing keys for the assessment window.
    • Use reCAPTCHA testing keys during assessment periods.
  • Resume: When CAPTCHA is no longer required for the test account, resume the assessment.

When the assessment is completed, re-enable CAPTCHA.

Invalid credentials

Action required

  • Pause reason: The test account credentials you provided appear to be invalid.
  • Debug suggestions:
    • Verify that the credentials you supplied are correct and active.
    • Confirm the test account has not expired or been disabled.
    • Check whether the password was recently changed.
    • Verify that the test account has access to the site you are testing.
  • Fix: If the configured credentials are wrong, you will need to cancel the assessment and define the correct credentials.
  • Resume: Confirm that you can log in to the account and resume the assessment.

Missing MFA factor

Action required

  • Pause reason: Your application requires a multi-factor authentication (MFA) factor that XBOW does not have.
  • Fix: Temporarily disable MFA for the test account, or disable MFA entirely during the assessment window.
  • Resume: When the test account can authenticate with MFA, resume the assessment.

If you choose to disable MFA entirely during the assessment window, ensure that you turn it back on again.

No authentication method found

Action required

  • Pause reason: XBOW was unable to authenticate with your application.
  • Fix: Cancel the current assessment. Create a new assessment and provide more explicit information on how to authenticate.
  • Optional prevention:
    • Describe the explicit login endpoints and parameters required.
    • Check whether authentication requires additional headers or tokens. If so, define these.
  • Resume: When you are confident that you have configured all the authentication details, start a new assessment.

WAF blocked

Action required

  • Pause reason: A Web Application Firewall (WAF) on your application is blocking XBOW’s traffic.
  • Fix: Allowlist assessment traffic with a time-bound exception for the assessment service IP addresses or test account.
  • Optional prevention:
    • Scope WAF rules away from the auth endpoints the assessment uses (login and token).
    • Tune or disable bot and rate-limit rules that match assessment traffic during the run.
  • Resume: When the WAF no longer blocks assessment traffic, resume the assessment.

Re-enable WAF controls after the assessment.
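The time-bound exception above and the lockout, CAPTCHA and MFA exemptions earlier on this page share one shape: scoped to a source range or test account, and expiring on their own. The following is an added example of that check, not part of XBOW or of any WAF product; the control names, the 203.0.113.0/24 range, the account name and the window are placeholders.

```python
from dataclasses import dataclass
from datetime import datetime, timezone
from ipaddress import ip_address, ip_network
from typing import Optional


@dataclass(frozen=True)
class Exemption:
    control: str             # e.g. "waf", "captcha", "lockout", "mfa"
    network: Optional[str]   # source range the exemption is limited to, if any
    account: Optional[str]   # test account the exemption is limited to, if any
    not_before: datetime
    not_after: datetime

    def active(self, now):
        return self.not_before <= now < self.not_after

    def matches(self, src_ip, account):
        ip_ok = self.network is None or ip_address(src_ip) in ip_network(self.network)
        acct_ok = self.account is None or account == self.account
        return ip_ok and acct_ok


def is_exempt(exemptions, control, src_ip, account, now):
    """True only while a matching exemption for this control is inside its window."""
    return any(e.control == control and e.active(now) and e.matches(src_ip, account)
               for e in exemptions)


def expired(exemptions, now):
    """Exemptions past their window: entries to remove so the control is fully on."""
    return [e for e in exemptions if now >= e.not_after]


# Constructed placeholder data: one assessment window, two scoped exemptions.
UTC = timezone.utc
WINDOW = (datetime(2025, 1, 6, 22, 0, tzinfo=UTC),
          datetime(2025, 1, 7, 4, 0, tzinfo=UTC))
EXEMPTIONS = [
    Exemption("waf", "203.0.113.0/24", None, *WINDOW),
    Exemption("captcha", None, "assessment-test-user", *WINDOW),
]
DURING = datetime(2025, 1, 6, 23, 0, tzinfo=UTC)
AFTER = datetime(2025, 1, 7, 4, 0, tzinfo=UTC)
```

Because the window is evaluated on every request, the exemption stops applying at `not_after` even if nobody removes the entry; `expired` lists what is left to clean up.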

Target health

During the assessment, XBOW monitors the health of your site for reachability, 5xx errors, and requests timing out. When it detects that your site is under load or struggling, it automatically reduces the attack rate.

If your site continues to show poor health, all attacks are stopped and only health checks are run.

  • Monitoring: If XBOW detects an improvement in site health, the assessment automatically resumes.
  • Paused: If your site continues to struggle, the assessment pauses with the status “Site unavailable”, and waits for you to respond.

HTTP errors

Action required

  • Pause reason: Your application returned repeated HTTP errors, exceeding the configured threshold.
  • Debug suggestions:
    • Check your application, gateway, and WAF logs for spikes in 4xx, 5xx, and timeout responses.
    • Verify any recent deployments or configuration changes that could affect error rates.
  • Fix: Reduce assessment concurrency or request rate if the application is under load.
  • Resume: When the application is healthy, resume the assessment.
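A way to find the spikes mentioned in the debug suggestions: bucket access-log responses per minute and flag minutes whose share of 4xx, 5xx and timeout responses exceeds a threshold. This is an added example, not XBOW tooling; the combined log format, the 20% threshold, counting 408 and 504 as timeouts, and the log lines themselves are constructed assumptions.

```python
import re
from collections import Counter, defaultdict

# Combined-log-format line: capture the timestamp down to the minute, and the status.
LINE_RE = re.compile(
    r'\[(?P<minute>[^\]]+?):\d{2} [+-]\d{4}\] "[^"]*" (?P<status>\d{3}) ')
TIMEOUT_CODES = {408, 504}  # assumption: statuses counted as timeouts


def bucket(status):
    if status in TIMEOUT_CODES:
        return "timeout"
    if status >= 500:
        return "5xx"
    if status >= 400:
        return "4xx"
    return "ok"


def error_spikes(lines, threshold=0.2, min_requests=5):
    """Return {minute: Counter} for minutes whose error share exceeds threshold."""
    per_minute = defaultdict(Counter)
    for line in lines:
        match = LINE_RE.search(line)
        if match:  # skip lines that are not in the expected format
            per_minute[match["minute"]][bucket(int(match["status"]))] += 1
    spikes = {}
    for minute, counts in per_minute.items():
        total = sum(counts.values())
        errors = total - counts["ok"]
        if total >= min_requests and errors / total > threshold:
            spikes[minute] = counts
    return spikes


def sample_lines():
    """Constructed log lines: one healthy minute, then one minute with a spike."""
    fmt = ('203.0.113.10 - - [10/Oct/2025:13:{m}:{s:02d} +0000] '
           '"GET /api/items HTTP/1.1" {st} 512 "-" "-"')
    healthy = [fmt.format(m="55", s=i, st=200) for i in range(9)]
    healthy.append(fmt.format(m="55", s=9, st=404))
    statuses = [200, 200, 502, 503, 504, 500, 200, 429]
    spike = [fmt.format(m="56", s=i, st=st) for i, st in enumerate(statuses)]
    return healthy + spike
```

Comparing the flagged minutes against deployment and configuration-change times covers the second debug suggestion.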

Site unavailable

Action required

  • Pause reason: Your site was unavailable for over 30 minutes.
  • Fix:
    • Restore target availability or unblock assessment traffic.
    • Verify the target URL is reachable.
    • Confirm DNS resolves to the expected host.
    • Ensure the assessment service IP addresses are not blocked by a firewall or WAF.
  • Resume: When the site responds well, resume the assessment.

Other causes

The following statuses are rare but you may sometimes see them.

Model provider unavailable

No action required

  • Pause reason: A model provider that XBOW uses is unavailable.
  • Resume: No action is required. XBOW monitors the provider and resumes or follows up when the service recovers.

Unknown

No action required

  • Pause reason: The assessment paused for an unclear reason, and XBOW on-call has been alerted.
  • Resume: No action is required until XBOW support confirms the next step.