Regression Testing Agent
Unitary regression testing is one of Cascade's capabilities. When you attach a previous pentest report, Cascade replays each previously reported vulnerability against the asset under assessment, one at a time, to verify whether it's still reproducible.
It's designed for retesting after a fix, before release, or during recurring security validation campaigns.
What It Does
- Consumes uploaded pentest reports: Uses uploaded report files as replay source material
- Builds executable replay plans: Extracts reproducible vulnerabilities and converts them into ordered action checklists
- Replays each plan item: Executes one vulnerability at a time on the current target asset
- Validates replay signals: Confirms findings with concrete evidence before reporting
- Publishes replay issues: Produces findings with report context and execution evidence
Supported Assets
- Frontend web applications (frontend)
- REST API services (api_service_rest)
- GraphQL API services (api_service_graphql)
The agent automatically switches to browser-driven replay for frontend assets and HTTP-driven replay for API assets.
How It Is Used
In the New Pentest form, open Fine-Tune (Optional), then Artifacts. Upload the PDF pentest reports you want the Regression Testing Agent to replay.
Uploaded artifacts are attached to the pentest profile and forwarded to the scanner as file IDs. The agent uses those files as source material for replay planning.
You cannot enable, disable, or tune the Regression Testing Agent directly from the agent page. It runs when uploaded artifacts provide replay material for the assessment.
Authentication and scope
Replay execution honors the standard authentication and scope configuration of the asset under assessment:
- Frontend replay uses frontend auth and frontend scope settings
- API replay uses REST/GraphQL scope settings and authenticated HTTP client execution
Current Constraints
- Only PDF replay source files are currently supported for plan extraction
- Replay quality depends on how actionable the original report reproduction steps are
- All actions stay within configured scope boundaries
- Replay execution remains bounded by assessment timeout and model budget limits
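The replay loop described under What It Does, bounded by the scope and budget limits listed above, as an added Python illustration that is not Cascade's own code: the plan-item shape, the transport, the hosts and the report IDs are all constructed for this example.

```python
from dataclasses import dataclass, field
from urllib.parse import urlparse
# Hypothetical plan-item shape, as a report-extraction step might produce it
# (constructed for this example; not Cascade's own data model).
@dataclass
class PlanItem:
    finding_id: str        # finding identifier from the original report
    method: str
    url: str
    expected_signal: str   # substring whose presence means the issue reproduced

@dataclass
class ReplayResult:
    finding_id: str
    reproduced: bool
    reason: str
    evidence: list = field(default_factory=list)  # request/response notes

def replay_plan(plan, transport, scope_hosts, max_requests):
    """Replay one item at a time; skip out-of-scope items; honour the request budget."""
    results, used = [], 0
    for item in plan:
        if urlparse(item.url).hostname not in scope_hosts:
            results.append(ReplayResult(item.finding_id, False, "out of scope, skipped"))
        elif used >= max_requests:
            results.append(ReplayResult(item.finding_id, False, "request budget exhausted"))
        else:
            status, body = transport(item.method, item.url)
            used += 1
            hit = item.expected_signal in body
            results.append(ReplayResult(
                item.finding_id, hit, "reproduced" if hit else "signal absent, likely remediated",
                [f"{item.method} {item.url} -> HTTP {status}",
                 f"signal {item.expected_signal!r} {'present' if hit else 'absent'}"]))
    return results

# Constructed stand-in for the target after a fix: the verbose error remains,
# the debug page has been removed. Hosts and paths are made up.
def fake_transport(method, url):
    path = urlparse(url).path
    if path == "/api/orders/abc":
        return 500, "Traceback (most recent call last): ValueError"
    return (404, "not found") if path == "/debug" else (200, "ok")

PLAN = [  # constructed items, as if extracted from a previous report
    PlanItem("RPT-7", "GET", "https://app.example.test/api/orders/abc", "Traceback"),
    PlanItem("RPT-9", "GET", "https://app.example.test/debug", "DEBUG = True"),
    PlanItem("RPT-12", "GET", "https://other.example.test/", "ok"),
]
```

Each result carries the original finding ID plus the request and signal evidence, which is what a closure report needs; an item with no matching signal is reported as not reproduced rather than silently dropped.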
Best Practices
- Upload pentest reports with clear, step-by-step reproduction instructions
- Include expected signals (error messages, DOM changes, outbound callbacks) in reports
- Run replay assessments after remediation to confirm closure
- Keep scope precise to reduce noisy or irrelevant replays