Legacy: The Previous Agent System

Before Cascade, AI Pentesting shipped as a set of separate, single-purpose agents. Each vulnerability class had its own hardcoded agent with a fixed playbook, and each ran on a fixed slice of the application. This page keeps a short record of that model and maps each former agent to where its capability lives today.

You don't need to do anything to migrate. Cascade now runs all of these as dynamic capabilities, spawned on demand based on what a target exposes. There's no per-agent configuration to maintain.

How the Old Model Worked

A scan ran a fixed list of named agents, one per vulnerability class. Each agent:

  • Owned a single class of issue (cross-site scripting, SQL injection, and so on).
  • Followed a fixed playbook for that class.
  • Ran independently, with limited shared context between agents.

The limitation was rigidity: the agent list was fixed, the agents didn't pool what they learned, and coverage didn't adapt to the application in front of them. Cascade replaces this with one orchestrated swarm that spawns the specialists a target actually needs, shares context across them, and independently verifies every finding.

Former Agents and Where They Live Now

| Former agent | Vulnerability class | Today in Cascade |
|---|---|---|
| XSS Agent | Reflected, stored, and DOM-based cross-site scripting | Cross-site scripting capability |
| SQLi Agent | Error, union, blind, and time-based SQL injection | SQL injection capability |
| BOLA Agent | BOLA, IDOR, tenant isolation, and privilege escalation | Access control capability |
| Business Logic Agent | Workflow bypasses, replay, idempotency, and state manipulation | Business logic capability |

All four classes are covered by the same Cascade swarm. See How It Works for the full list of what Cascade tests for, and Cascade: Multi-Agent Pentest for the engine reference.

Steering Coverage Today

The old per-agent toggles are gone. You steer coverage through the AI Pentesting stepper instead:

  • Scope: add target and extra URLs, and restrict crawling or active testing where needed.
  • Authentication: add one or more users with natural-language sign-in instructions. Multiple users unlock access control testing across roles and tenants.
  • Fine-Tune (Optional) > Context: name high-value workflows, risky surfaces, vulnerability classes to focus on, and areas to avoid.

See the Quickstart for the full setup walkthrough.