Skip to main content Skip to section navigation
U.S. flag

An official website of the United States government

Penetration and load test notification

If you, or a third party acting on your behalf, plan to perform a penetration test or significant load testing on your Platform applications, or Pages sites, please send the following information to support ahead of your planned test:

* Web applications or website under test: Examples would include: or or
* Testing organization and contact/liaison information:
* Source IPs or IP ranges (for testers and their tools):
* Expected start date, (or "starting immediately"):
* Expected end date:
* Acknowledgement that you are abiding by the terms at

This notification is only necessary for in-depth security testing or significant load-testing, which is a common step in agency ATO processes for customer systems and in the software development lifecycle. You don’t need an approval, and doesn’t provide approvals. Simply sending the notification is sufficient. You can always run routine automated vulnerability scans on your own applications without special notification.

When arranging a security assessment or penetration test, the system under test is one of:

  • Platform: your application at, or your external domain (e.g.
  • Pages: your website at your preview URL (at, or your external domain (e.g.

For Platform systems, you can also conduct testing of:

  • Your application instance via cf ssh
  • Your brokered services either directly or via cf ssh or ssh proxy.

You are not permitted to attempt any scanning or reconnaissance from your instances or brokered services.

You are not permitted to test the infrastructure, which comprises the following sites and web applications:

(If you have a legacy application in the subdomain, please contact support.)

Your assessment must not target other customers, nor perform or simulate denial of service attacks or otherwise violate the Amazon AWS testing policy.

If you suspect that you have uncovered a vulnerability in any of’s products, please reference our security.txt

All products are under regular testing by our team, and by third-party assessors, as part of our Continuous Monitoring plan. FedRAMP® makes the results available to authorized users.

An official website of the U.S. General Services Administration

Looking for U.S. government information and services?