AI Pentesting Scope
Scope defines what Escape is allowed to explore and test during an AI Pentesting assessment, and what it must stay away from.
Scope is separate from context (the free-text field in Fine-Tune). Context steers focus ("prioritize checkout"). Scope is structural: target URLs, exploration mode, and hard exclusions.
Configure scope in the Scope section of the New Pentest form. It's the first step when you create or edit a profile.
Scope Modes
| Mode | When to use | Behavior |
|---|---|---|
| Standard (recommended) | Most engagements | Escape starts from your listed URLs and can include related assets in the same application footprint (for example APIs your frontend calls). |
| Strict | Regulated or contained environments | Escape tests only the URLs you list. Anything omitted stays out of scope. |
In Strict mode, list every layer you care about: frontend, API, admin, and any other host the assessment should touch. In Standard, listing the main web app is often enough; related APIs may be picked up automatically.
Scope Restrictions
Restrictions are an optional blocklist: paths or GraphQL operations that must never be reached. They apply in both Standard and Strict mode.
Add restrictions in the Scope restrictions section of the form.
| Type | What it blocks | Example |
|---|---|---|
| URL | HTTP traffic to a matching URL or path | https://*.example.com/admin/*, */internal/* |
| GraphQL | Any GraphQL request matching the GraphQL operation | mutation.deleteAccount, mutation.delete* |
URL restrictions
- Use wildcards: * matches any characters.
- Optionally limit to one HTTP method (GET, POST, PUT, DELETE, PATCH, OPTIONS, HEAD). Leave method as ANY to block all methods on that path.
Examples:
- https://example.com/admin/*
- POST on https://example.com/api/billing/charge
GraphQL restrictions
Target operations by canonical name: <type>.<field> (for example mutation.deleteAccount). Wildcards are supported (mutation.delete*).
How Restrictions Are Enforced
Escape enforces scope at multiple layers during an assessment:
- Network boundary: traffic from the assessment's browser and code-execution companions passes through a scope-aware proxy. Out-of-scope requests are blocked before they reach the target.
- In-process checks: agents and security checks consult the same scope rules when deciding where to navigate and what to attack.
- Agent prompts: scope is included in the authoritative context given to the AI Pentesting agents.
URL restrictions block matching endpoints. GraphQL restrictions parse request bodies to match operation names (for example query.users, mutation.deleteUser) and block matching operations.
Strict mode and static assets
In Strict mode, Escape also allows read-only loads (GET, OPTIONS, HEAD) from common CDNs and static file types so pages can still render. This is automatic; you don't configure it in the form.
CDN hostnames allowed (any URL whose host contains):
- gstatic.com
- cloudflare.com
- akamai.com
- maxcdn.com
- cdnjs.com
- ajax.googleapis.com
- cloudfront.net
File extensions allowed (URL path ends with):
.css, .js, .png, .jpg, .jpeg, .gif, .svg
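To reason about what a Strict-mode profile will and will not let through, the rules above can be modelled as a small decision function. This is an added example, not Escape's implementation. It assumes that restrictions are checked before anything else, that a listed URL covers its origin and every path below it, and that the static allowance means a read-only method combined with either a CDN host or a static extension. The `TARGETS` and `RESTRICTIONS` values are a constructed sample.

```python
import re
from urllib.parse import urlsplit

READ_ONLY = {"GET", "OPTIONS", "HEAD"}
CDN_HOSTS = ("gstatic.com", "cloudflare.com", "akamai.com", "maxcdn.com",
             "cdnjs.com", "ajax.googleapis.com", "cloudfront.net")
STATIC_EXT = (".css", ".js", ".png", ".jpg", ".jpeg", ".gif", ".svg")

def glob_match(pattern, value):
    """'*' matches any characters; every other character is literal."""
    regex = ".*".join(re.escape(part) for part in pattern.split("*"))
    return re.fullmatch(regex, value, re.DOTALL) is not None

def is_restricted(method, url, restrictions):
    """restrictions: (method or 'ANY', URL pattern) pairs from the blocklist."""
    return any(m in ("ANY", method.upper()) and glob_match(p, url)
               for m, p in restrictions)

def matches_target(url, target):
    # Assumption: a listed URL covers its own origin and every path below it.
    u, t = urlsplit(url), urlsplit(target)
    return (u.scheme, u.netloc) == (t.scheme, t.netloc) and u.path.startswith(t.path)

def is_static_load(method, url):
    """Strict-mode allowance: read-only method AND (CDN host OR static extension)."""
    if method.upper() not in READ_ONLY:
        return False
    parts = urlsplit(url)
    host = parts.hostname or ""
    return (any(cdn in host for cdn in CDN_HOSTS)
            or parts.path.lower().endswith(STATIC_EXT))

def strict_decision(method, url, targets, restrictions):
    # Assumption: the blocklist is checked first, so it also beats the static allowance.
    if is_restricted(method, url, restrictions):
        return "block:restriction"
    if any(matches_target(url, t) for t in targets):
        return "allow:target"
    if is_static_load(method, url):
        return "allow:static"
    return "block:out-of-scope"

# Constructed sample profile, reusing the page's example patterns.
TARGETS = ["https://example.com/", "https://app.example.com/"]
RESTRICTIONS = [("ANY", "https://example.com/admin/*"),
                ("POST", "https://example.com/api/billing/charge"),
                ("ANY", "*/internal/*")]
```

Under these rules a GET for a .svg or .js path on an unlisted host still returns allow:static, which is worth knowing when a contained environment must see no traffic outside the listed URLs.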
Scope vs Other Guardrails
Scope controls where testing happens. Other guardrails control how hard or how long an assessment runs:
Related Documentation
- Quickstart: Configure Scope
- Guardrails: Kill switch, rate limit, and max duration
- How It Works: Full assessment workflow