Troubleshooting assessments

  • Public preview

If your assessment has paused, you need to fix the reported problem before you resume the assessment. If you resume without fixing the problem, the assessment is likely to pause again for the same problem and you may waste attack credits.

Note: Any assessment left in the “Paused” state for a week is automatically cancelled.

For more information, see Monitor assessment.

Expected pauses

These pauses are expected and require no action — the assessment resumes automatically when the condition clears.

Reason | Notes
Approved hours

Your approved testing window is closed.
When the next approved testing window opens, the assessment automatically resumes.

Authentication problems

When XBOW cannot authenticate with the application, the assessment is blocked until you fix the authentication problems. Each of the following requires action before you can resume.

Reason | Fix | Notes
Account locked

Test account was locked on your server after repeated failed login attempts by XBOW.
Unlock the test account. Confirm that you can log in to the account and resume the assessment.
Optional prevention:
  • Implement lockout exemption for assessment service IP addresses or test accounts.
  • Increase lockout thresholds for assessment periods.
For future tests, create and use a dedicated test account with lockout immunity.
Authentication error

An unexpected error occurred while XBOW was authenticating to your application.
Ensure that the authentication service is operational. Confirm that you can log in to the account and resume the assessment.
Debug: Review your application logs for the error and check for recent changes to your authentication system.
Authentication network error

Network issues interrupted XBOW’s authentication to your application.
Ensure that authentication endpoints are reachable. Confirm that you can log in to the account and resume the assessment.
Debug:
  • Check connectivity.
  • Check DNS resolution.
  • Check that firewall rules for your authentication services allow XBOW requests.
Authentication retry limit reached

XBOW reached the authentication retry limit while logging in to your application.
Verify your authentication workflow and endpoints. Confirm that you can log in to the account and resume the assessment.
Debug: Check for dynamic tokens or session requirements.

Optional prevention:
  • Simplify the login flow if it is overly complex.
  • Increase the authentication retry limit.
Authentication status unknown

XBOW could not determine whether authentication to your application succeeded.
You may need to make changes to your authentication process before the assessment can continue. Resume the assessment once the authentication state can be confirmed.
Example changes:
  • Configure explicit login success indicators.
  • Define markers for logged-in and logged-out pages.
  • Verify that session tokens are set correctly.
  • Check whether authentication uses any non-standard patterns.
Bad signing credentials

Your request signing credentials appear to be invalid.
Verify your request signing configuration. When the signing credentials are valid, resume the assessment.
CAPTCHA blocked

A CAPTCHA challenge on your application blocked XBOW.
Temporarily disable CAPTCHA for the assessment service IP addresses, or exempt authenticated test accounts from CAPTCHA. When CAPTCHA is no longer required for the test account, resume the assessment.
Optional prevention:
  • Configure CAPTCHA bypass tokens or testing keys for the assessment window.
  • Use reCAPTCHA testing keys during assessment periods.
When the assessment is completed, re-enable CAPTCHA.
Invalid credentials

The test account credentials you provided appear to be invalid.
If the configured credentials are wrong, you will need to cancel the assessment and define the correct credentials. Confirm that you can log in to the account and start a new assessment.
Debug:
  • Verify that the credentials you supplied are correct and active.
  • Confirm the test account has not expired or been disabled.
  • Check whether the password was recently changed.
  • Verify that the test account has access to the site you are testing.
Missing MFA factor

Your application requires a multi-factor authentication (MFA) factor that XBOW does not have.
Temporarily disable MFA for the test account, or disable MFA entirely during the assessment window. When the test account can authenticate with MFA, resume the assessment.
If you choose to disable MFA entirely during the assessment window, ensure that you turn it back on again.
No authentication method found

XBOW was unable to authenticate with your application.
Cancel the current assessment. Create a new assessment and provide more explicit information on how to authenticate. When you are confident that you have configured all the authentication details, start a new assessment.
Optional prevention:
  • Describe the explicit login endpoints and parameters required.
  • Check whether authentication requires additional headers or tokens. If so, define these.
WAF blocked

A Web Application Firewall (WAF) on your application is blocking XBOW’s traffic.
Allowlist assessment traffic with a time-bound exception for the assessment service IP addresses or test account. When the WAF no longer blocks assessment traffic, resume the assessment.
Optional prevention:
  • Scope WAF rules away from the auth endpoints the assessment uses (login and token).
  • Tune or disable bot and rate-limit rules that match assessment traffic during the run.
Re-enable WAF controls after the assessment.

Target health

During the assessment, the health of your site is monitored for reachability, 5xx errors, and requests timing out. When XBOW detects that your site is under load or struggling, the attack rate is automatically reduced.

If your site continues to show poor health, all attacks are stopped and only health checks are run.

  • Monitoring: If XBOW detects an improvement in site health, the assessment automatically resumes.
  • Paused: If your site continues to struggle, the assessment pauses with the status “Site unavailable”, and waits for you to respond.

Each of the following requires action before you can resume.

Reason | Fix | Notes
HTTP errors

Your application returned repeated HTTP errors, exceeding the configured threshold.
Reduce assessment concurrency or request rate if the application is under load. When the application is healthy, resume the assessment.
Debug:
  • Check your application, gateway, and WAF logs for spikes in 4xx, 5xx, and timeout responses.
  • Verify any recent deployments or configuration changes that could affect error rates.
Site unavailable

Your site was unavailable for over 30 minutes.
Restore target availability or unblock assessment traffic. When the site responds well, resume the assessment.
Debug:
  • Verify the target URL is reachable.
  • Confirm DNS resolves to the expected host.
  • Ensure the assessment service IP addresses are not blocked by a firewall or WAF.
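
The log check suggested under "HTTP errors" can be scripted. The following is an added example, not part of the original page or of XBOW's tooling: it buckets access-log lines per minute and flags minutes where 4xx/5xx responses dominate, optionally only for traffic from one source IP. The log format (combined), the IP 203.0.113.10, the timeout status codes and the 0.5 ratio threshold are all assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample in combined log format. 203.0.113.10 is a placeholder
# for an assessment service IP address; 198.51.100.7 is unrelated traffic.
SAMPLE_LOG = """\
203.0.113.10 - - [12/Mar/2025:10:00:05 +0000] "POST /login HTTP/1.1" 302 0
203.0.113.10 - - [12/Mar/2025:10:00:20 +0000] "GET /account HTTP/1.1" 200 812
198.51.100.7 - - [12/Mar/2025:10:01:02 +0000] "GET / HTTP/1.1" 200 1024
203.0.113.10 - - [12/Mar/2025:10:01:10 +0000] "GET /orders?id=1 HTTP/1.1" 502 0
203.0.113.10 - - [12/Mar/2025:10:01:25 +0000] "GET /orders?id=2 HTTP/1.1" 503 0
203.0.113.10 - - [12/Mar/2025:10:01:40 +0000] "GET /orders?id=3 HTTP/1.1" 504 0
203.0.113.10 - - [12/Mar/2025:10:01:55 +0000] "GET /account HTTP/1.1" 200 812
203.0.113.10 - - [12/Mar/2025:10:02:05 +0000] "POST /login HTTP/1.1" 429 0
203.0.113.10 - - [12/Mar/2025:10:02:15 +0000] "POST /login HTTP/1.1" 429 0
203.0.113.10 - - [12/Mar/2025:10:02:45 +0000] "GET /account HTTP/1.1" 200 812
"""

LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "[^"]*" (\d{3}) ')
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"
TIMEOUTS = {408, 504}  # assumption: statuses that indicate timeouts in this stack

def bucket_by_minute(log_text, source_ip=None):
    """Count total/4xx/5xx/timeout responses per minute, optionally for one IP."""
    buckets = defaultdict(lambda: {"total": 0, "4xx": 0, "5xx": 0, "timeout": 0})
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m or (source_ip and m.group(1) != source_ip):
            continue  # unparseable line, or traffic from another source
        status = int(m.group(3))
        minute = datetime.strptime(m.group(2), TS_FMT).strftime("%Y-%m-%d %H:%M")
        b = buckets[minute]
        b["total"] += 1
        b["timeout"] += status in TIMEOUTS  # a bool adds as 0 or 1
        b["4xx"] += 400 <= status < 500
        b["5xx"] += 500 <= status < 600
    return dict(buckets)

def find_spikes(buckets, max_error_ratio=0.5, min_requests=3):
    """Return (minute, error_ratio) for minutes above the assumed threshold."""
    spikes = []
    for minute, b in sorted(buckets.items()):
        ratio = (b["4xx"] + b["5xx"]) / b["total"]
        if b["total"] >= min_requests and ratio > max_error_ratio:
            spikes.append((minute, round(ratio, 2)))
    return spikes

if __name__ == "__main__":
    print(find_spikes(bucket_by_minute(SAMPLE_LOG, source_ip="203.0.113.10")))
```

Comparing the flagged minutes against deployment times and WAF rule changes helps separate load-induced errors from blocking.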

Other causes

These pauses are rare, and both show a Reviewing status. The assessment is paused.

Reason | Fix | Notes
Model provider unavailable

A model provider that XBOW uses is unavailable.
No action is required. XBOW monitors the provider and resumes or follows up when the service recovers.
Unknown

The assessment paused but the cause could not be determined.
Check target availability, authentication health, WAF or rate-limit rules, and recent deployments. When your checks show that the site is healthy, resume the assessment when you are ready.
If the assessment pauses again for the same reason, contact XBOW support.