
AI Pentesting Quickstart

How AI Pentesting Differs from DAST

AI Pentesting uses adaptive AI agents that reason about application behavior and adapt their testing strategies in real time. DAST uses rule-based systematic testing with predictable coverage patterns.

Use AI Pentesting when you need:

  • Deep, adaptive testing that reasons about application behavior
  • Complex vulnerability discovery requiring multi-step attacks
  • Authorization testing with context understanding
  • Business logic flaw detection

Use DAST when you need:

  • Systematic, repeatable rule-based testing
  • Fast CI/CD integration
  • Comprehensive coverage of known vulnerability patterns
  • Custom rule enforcement

AI Pentesting explores your application, reasons about context, and attempts multi-step attack scenarios such as authorization bypass and business logic abuse.

This guide walks you through prerequisites, your first scan, and how to interpret results.


Prerequisites

Before running your first AI Pentesting scan, ensure you have:

  • An Escape account: Sign up at app.escape.tech
  • Access to AI Pentesting enabled for your organization
  • A target application (API or WebApp)
  • Authentication credentials (if required)
  • Schema or endpoint URL (for APIs: OpenAPI, Swagger, GraphQL introspection, or Postman collection)

Safety & Production Usage

AI Pentesting is designed to run safely against production environments.

It:

  • Respects rate limits
  • Avoids destructive payloads
  • Does not perform destructive actions
  • Limits proof-of-concept impact to validation only

If testing in production:

  • Ensure you have proper authorization
  • Configure rate limits
  • Use test accounts when possible

First Run

Step 1: Create a Scan Profile

  1. Navigate to your applications list
  2. Click New Scan Profile
  3. Select your application type:
    • REST API
    • GraphQL API
    • WebApp

[Screenshot: New Scan Profile modal showing application type selection]


Step 2: Configure Your Target

For APIs

  • Provide your API schema (OpenAPI, Swagger, GraphQL introspection, or Postman collection)
  • Enter your base URL

For Web Applications

  • Enter your application URL
  • Define crawl scope if needed

[Screenshot: WebApp configuration screen with target URL]


Step 3: Configure Authentication (If Required)

  1. Navigate to Settings > Authentication
  2. Configure your authentication method. See: Authentication Configuration
  3. Test authentication to ensure it works correctly

Authentication is critical for discovering authorization and business logic vulnerabilities.

[Screenshot: Authentication configuration screen]


AI Agents

AI agents are enabled by default when running an AI Pentesting scan.

Depending on your application type, the system automatically activates relevant agents such as:

  • BOLA Agent – Authorization and access control testing
  • XSS Agent – Cross-Site Scripting testing
  • Additional agents depending on context and configuration

No manual activation is required.


Step 4: Start Your Scan

  1. Review your configuration
  2. Click Start Scan
  3. Monitor scan progress in real time
  4. Review agent logs and reasoning in the scan details

[Screenshot: Scan running view with progress indicator, agent logs panel, and current tested endpoint]


What Makes AI Pentesting Different?

Unlike traditional rule-based testing, AI Pentesting:

  • Adapts its strategy dynamically
  • Chains multiple requests to validate real impact
  • Tests authorization boundaries across multiple roles
  • Explores business logic instead of matching static patterns

This enables discovery of complex, multi-step vulnerabilities.


How to Read Results

AI Pentesting findings include:

  • Vulnerability type and severity
  • Concrete evidence (requests and responses)
  • Agent reasoning logs
  • Clear reproduction steps
  • Remediation guidance

Common First-Run Issues

No Findings

  • Review agent logs to confirm coverage
  • Verify authentication is correctly configured
  • Ensure your target scope is accessible

Authentication Failures

  • Confirm credentials are valid and not expired
  • Re-test authentication manually
  • Review authentication logs for errors
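
A pre-flight check for the "valid and not expired" item above, as an added example that is not part of the Escape documentation or product. It assumes the scan credential is a JWT bearer token (the page does not say which credential type is used) and reads the `exp` claim without verifying the signature; the function names, the one-hour threshold and the sample tokens are constructed for illustration.

```python
import base64
import json
import time


def jwt_expiry_status(token, now=None, min_remaining_s=3600):
    """Classify a JWT by its `exp` claim (signature is NOT verified).

    Returns (status, seconds_remaining); status is one of
    'malformed', 'no-exp', 'expired', 'expiring-soon', 'ok'.
    min_remaining_s is an assumed threshold: pick the expected scan duration.
    """
    now = time.time() if now is None else now
    parts = token.strip().split(".")
    if len(parts) != 3:
        return ("malformed", None)
    try:
        # JWT segments are base64url without padding; restore it first.
        padded = parts[1] + "=" * (-len(parts[1]) % 4)
        claims = json.loads(base64.urlsafe_b64decode(padded))
    except ValueError:  # covers bad base64, bad UTF-8 and bad JSON
        return ("malformed", None)
    if not isinstance(claims, dict):
        return ("malformed", None)
    exp = claims.get("exp")
    if isinstance(exp, bool) or not isinstance(exp, (int, float)):
        return ("no-exp", None)  # token never expires or uses another scheme
    remaining = int(exp - now)
    if remaining <= 0:
        return ("expired", remaining)
    if remaining < min_remaining_s:
        return ("expiring-soon", remaining)  # likely to expire mid-scan
    return ("ok", remaining)


def make_sample_token(claims):
    """Build a constructed, unsigned sample token for the demo below."""
    def enc(obj):
        raw = json.dumps(obj).encode()
        return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()
    return f"{enc({'alg': 'HS256', 'typ': 'JWT'})}.{enc(claims)}.placeholder-sig"


if __name__ == "__main__":
    t0 = time.time()
    for label, claims in [("fresh", {"sub": "scan-user", "exp": t0 + 7200}),
                          ("short-lived", {"sub": "scan-user", "exp": t0 + 600}),
                          ("stale", {"sub": "scan-user", "exp": t0 - 60})]:
        print(label, jwt_expiry_status(make_sample_token(claims), now=t0))
```

An `expiring-soon` result matters as much as `expired`: a token that is valid when authentication is tested can still lapse partway through a scan.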

Slow Scans

  • Review rate limits
  • Reduce scope if testing a large application
  • Adjust timeout settings if necessary

For advanced troubleshooting, see: How It Works

