Troubleshooting assessments
- Public preview
If your assessment has paused, you need to fix the reported problem before you resume the assessment. If you resume without fixing the problem, the assessment is likely to pause again for the same problem and you may waste attack credits.
Note: Any assessment left in the “Paused” state for a week is automatically cancelled.
For more information, see Monitor assessment.
Expected pauses
These pauses are expected and require no action — the assessment resumes automatically when the condition clears.
| Reason | Notes |
|---|---|
| Approved hours: Your approved testing window is closed. | When the next approved testing window opens, the assessment automatically resumes. |
Authentication problems
When XBOW cannot authenticate with the application, the assessment is blocked until you fix the authentication problems. Each of the following requires action before you can resume.
| Reason | Fix | Notes |
|---|---|---|
| Account locked: Test account was locked on your server after repeated failed login attempts by XBOW. | Unlock the test account. Confirm that you can log in to the account and resume the assessment. | Optional prevention: |
| Authentication error: An unexpected error occurred while XBOW was authenticating to your application. | Ensure that the authentication service is operational. Confirm that you can log in to the account and resume the assessment. | Debug: Review your application logs for the error and check for recent changes to your authentication system. |
| Authentication network error: Network issues interrupted XBOW’s authentication to your application. | Ensure that authentication endpoints are reachable. Confirm that you can log in to the account and resume the assessment. | Debug: |
| Authentication retry limit reached: XBOW reached the authentication retry limit while logging in to your application. | Verify your authentication workflow and endpoints. Confirm that you can log in to the account and resume the assessment. | Debug: Check for dynamic tokens or session requirements. Optional prevention: |
| Authentication status unknown: XBOW could not determine whether authentication to your application succeeded. | You may need to make changes to your authentication process before the assessment can continue. Resume the assessment once the authentication state can be confirmed. | Example changes: |
| Bad signing credentials: Your request signing credentials appear to be invalid. | Verify your request signing configuration. When the signing credentials are valid, resume the assessment. | — |
| CAPTCHA blocked: A CAPTCHA challenge on your application blocked XBOW. | Temporarily disable CAPTCHA for the assessment service IP addresses, or exempt authenticated test accounts from CAPTCHA. When CAPTCHA is no longer required for the test account, resume the assessment. | Optional prevention: |
| Invalid credentials: The test account credentials you provided appear to be invalid. | If the configured credentials are wrong, you will need to cancel the assessment and define the correct credentials. Confirm that you can log in to the account and start a new assessment. | Debug: |
| Missing MFA factor: Your application requires a multi-factor authentication (MFA) factor that XBOW does not have. | Temporarily disable MFA for the test account, or disable MFA entirely during the assessment window. When the test account can authenticate with MFA, resume the assessment. | If you choose to disable MFA entirely during the assessment window, ensure that you turn it back on again. |
| No authentication method found: XBOW was unable to authenticate with your application. | Cancel the current assessment. Create a new assessment and provide more explicit information on how to authenticate. When you are confident that you have configured all the authentication details, start a new assessment. | Optional prevention: |
| WAF blocked: A Web Application Firewall (WAF) on your application is blocking XBOW’s traffic. | Allowlist assessment traffic with a time-bound exception for the assessment service IP addresses or test account. When the WAF no longer blocks assessment traffic, resume the assessment. | Optional prevention: |
Target health
During the assessment, the health of your site is monitored for reachability, 5xx errors, and requests timing out. When XBOW detects that your site is under load or struggling, the attack rate is automatically reduced.
If your site continues to show poor health, all attacks are stopped and only health checks are run.
- Monitoring: If XBOW detects an improvement in site health, the assessment automatically resumes.
- Paused: If your site continues to struggle, the assessment pauses with the status “Site unavailable”, and waits for you to respond.
Each of the following requires action before you can resume.
| Reason | Fix | Notes |
|---|---|---|
| HTTP errors: Your application returned repeated HTTP errors, exceeding the configured threshold. | Reduce assessment concurrency or request rate if the application is under load. When the application is healthy, resume the assessment. | Debug: |
| Site unavailable: Your site was unavailable for over 30 minutes. | Restore target availability or unblock assessment traffic. When the site responds well, resume the assessment. | Debug: |
Other causes
These pauses are rare. In both cases the assessment is paused and shows a Reviewing status.
| Reason | Fix | Notes |
|---|---|---|
| Model provider unavailable: A model provider that XBOW uses is unavailable. | No action is required. XBOW monitors the provider and resumes or follows up when the service recovers. | — |
| Unknown: The assessment paused but the cause could not be determined. | Check target availability, authentication health, WAF or rate-limit rules, and recent deployments. Once your checks show that the site is healthy, resume the assessment when you are ready. | If the assessment pauses again for the same reason, contact XBOW support. |
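
The checks listed for the Unknown pause (availability, authentication health, WAF or rate-limit rules) can be run against your own access log before you resume. The following is an added example, not XBOW tooling: the IP address, login path, log format and thresholds are assumptions to replace with your own values.

```python
import re
from collections import Counter

# Constructed sample access log (combined-log style). 203.0.113.10 stands in for
# an assessment service IP address and /login for the login endpoint; both are
# placeholders, not values from the product.
SAMPLE_LOG = """\
203.0.113.10 - - [01/Jan/2025:10:00:01 +0000] "POST /login HTTP/1.1" 401 112
203.0.113.10 - - [01/Jan/2025:10:00:03 +0000] "POST /login HTTP/1.1" 401 112
203.0.113.10 - - [01/Jan/2025:10:00:05 +0000] "POST /login HTTP/1.1" 401 112
203.0.113.10 - - [01/Jan/2025:10:00:09 +0000] "GET /search?q=a HTTP/1.1" 403 0
203.0.113.10 - - [01/Jan/2025:10:00:10 +0000] "GET /search?q=b HTTP/1.1" 403 0
203.0.113.10 - - [01/Jan/2025:10:00:12 +0000] "GET /api/items HTTP/1.1" 200 940
203.0.113.10 - - [01/Jan/2025:10:00:13 +0000] "GET /api/items/1 HTTP/1.1" 502 0
203.0.113.10 - - [01/Jan/2025:10:00:14 +0000] "GET /api/items/2 HTTP/1.1" 200 311
198.51.100.7 - - [01/Jan/2025:10:00:14 +0000] "GET / HTTP/1.1" 500 0
203.0.113.10 - - [01/Jan/2025:10:00:15 +0000] "GET /api/items/3 HTTP/1.1" 429 0
"""

LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "\S+ (\S+) [^"]*" (\d{3}) ')

def triage(log_text, scanner_ip, login_path="/login", err_ratio=0.2, min_hits=3):
    """Map assessment traffic in an access log to the pause reasons to check first."""
    total, seen = 0, Counter()
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m or m.group(1) != scanner_ip:
            continue  # unparsable line or another client's request
        total += 1
        path, status = m.group(2).split("?", 1)[0], int(m.group(3))
        if status >= 500:
            seen["5xx"] += 1
        elif status in (403, 429):
            seen["blocked"] += 1
        elif status == 401 and path == login_path:
            seen["login_failed"] += 1
    if total == 0:
        return ["no assessment traffic logged: check reachability and upstream blocking"]
    findings = []
    if seen["5xx"] / total >= err_ratio:   # assumed threshold, not the product's
        findings.append("HTTP errors")
    if seen["blocked"] >= min_hits:        # 403/429 suggests WAF or rate limiting
        findings.append("WAF or rate-limit block")
    if seen["login_failed"] >= min_hits:   # repeated 401s on the login endpoint
        findings.append("authentication failure")
    return findings

if __name__ == "__main__":
    print(triage(SAMPLE_LOG, "203.0.113.10"))
```

An empty result means the log shows none of these conditions for the assessment traffic; it does not cover recent deployments, which still need a manual check.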