Graph Reasoning

Traditional DAST hits one endpoint at a time and checks for a canned list of bugs. AI Pentesting plays a different game: it builds a graph of your application, walks it, and reasons about what an attacker could chain together. Graph reasoning is what turns a pile of individual findings into a real attack path.

What the Graph Contains

The reasoning graph Escape builds for every scan is populated from:

  • Endpoints with their parameters, auth requirements, and observed response shapes.
  • Data: the shape and classification of every value the app produces and consumes.
  • Identity: the roles and permissions exercised by each authenticated run.
  • State transitions: how a call to one endpoint changes the responses of another.

Put together, that graph tells the agent what happens when it pulls a particular thread: which other endpoints become reachable, which fields become predictable, which authorization boundaries are now crossable.

Why It Matters

Business-logic bugs live in the edges between endpoints, not inside any one of them. BOLA isn't a property of a single request; it's a property of the identity graph. Mass assignment only matters when the field you smuggle in lets you cross a privilege boundary. Graph reasoning is the substrate that lets the AI Pentesting agent find those patterns at scan time instead of relying on handcrafted rules.
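To make the four graph components above and the "edges, not endpoints" point concrete, here is an added toy in Python. It is not Escape's implementation and is not taken from any real scan: the application graph, role names, endpoint paths and the `enforced_role` versus `data_role` distinction are all constructed for the example. It models endpoints (with the parameters they consume and the fields they produce), identity (the role the server checks on each call), and state transitions (state one call sets and another requires), then walks the graph for one identity and reports every reachable endpoint whose data is meant for a higher role than the identity holds, together with the chain of calls that got there.

```python
"""Toy reasoning graph: endpoints, data flow, identity and state edges,
walked to find chained paths that cross an authorization boundary.
Constructed example; not Escape's code and not a real application."""
from dataclasses import dataclass

# Roles ordered by privilege (constructed for this example).
ROLE_RANK = {"anonymous": 0, "user": 1, "admin": 2}


@dataclass(frozen=True)
class Endpoint:
    name: str
    consumes: frozenset        # parameters that must be learned before calling
    produces: frozenset        # fields observed in the response
    requires_state: frozenset  # app state that must hold (set by earlier calls)
    sets_state: frozenset      # app state this call transitions into
    data_role: str             # lowest role the produced data is meant for
    enforced_role: str         # role the server actually checks on this call


def ep(name, consumes=(), produces=(), requires_state=(), sets_state=(),
       data_role="user", enforced_role="user"):
    """Small constructor so the graph below stays readable."""
    return Endpoint(name, frozenset(consumes), frozenset(produces),
                    frozenset(requires_state), frozenset(sets_state),
                    data_role, enforced_role)


# Constructed application graph for a hypothetical SaaS app.
APP = [
    ep("GET /me", produces=["user_id", "org_id"]),
    ep("GET /orgs/{org_id}/members", consumes=["org_id"], produces=["member_id"]),
    # Data meant for admins, but the server only checks for a logged-in user:
    # the boundary crossing only exists because member_id can be learned first.
    ep("GET /members/{member_id}/billing", consumes=["member_id"],
       produces=["card_last4"], data_role="admin", enforced_role="user"),
    # State transition: the export must be requested before it can be downloaded.
    ep("POST /orgs/{org_id}/export", consumes=["org_id"], sets_state=["export_ready"]),
    ep("GET /orgs/{org_id}/export/download", consumes=["org_id"],
       requires_state=["export_ready"], produces=["member_emails"],
       data_role="admin", enforced_role="admin"),
    ep("GET /admin/audit", produces=["audit_log"], data_role="admin", enforced_role="admin"),
]


def walk(identity_role, endpoints):
    """Fixpoint walk of the graph for one identity. An endpoint becomes
    reachable once the enforced role is satisfied, every consumed parameter
    has been learned from an earlier response, and every required state has
    been set by an earlier call. Returns {endpoint_name: chain of calls}."""
    rank = ROLE_RANK[identity_role]
    learned = {}   # field name -> chain of calls that first produced it
    state = {}     # state name -> chain of calls that first set it
    paths = {}
    changed = True
    while changed:
        changed = False
        for e in endpoints:
            if e.name in paths or rank < ROLE_RANK[e.enforced_role]:
                continue
            if not e.consumes.issubset(learned) or not e.requires_state.issubset(state):
                continue
            # The chain is the union of the chains that supplied each dependency.
            chain = []
            for dep in sorted(e.consumes) + sorted(e.requires_state):
                for step in learned.get(dep, state.get(dep, [])):
                    if step not in chain:
                        chain.append(step)
            chain.append(e.name)
            paths[e.name] = chain
            for f in e.produces:
                learned.setdefault(f, chain)
            for s in e.sets_state:
                state.setdefault(s, chain)
            changed = True
    return paths


def boundary_crossings(identity_role, endpoints):
    """Reachable endpoints whose data is meant for a higher role than the
    identity holds: each is a chained finding carrying its attack path."""
    rank = ROLE_RANK[identity_role]
    by_name = {e.name: e for e in endpoints}
    return {name: chain for name, chain in walk(identity_role, endpoints).items()
            if ROLE_RANK[by_name[name].data_role] > rank}


if __name__ == "__main__":
    for role in ROLE_RANK:
        print(role, boundary_crossings(role, APP))
```

Run as a "user", the walk reports one crossing: `GET /members/{member_id}/billing`, reached via `GET /me` and `GET /orgs/{org_id}/members`. Neither of the first two calls is a finding on its own, and the billing endpoint would not be reachable without the `member_id` learned from them, which is the sense in which the bug lives in the edges. The export download, by contrast, is never reported for a "user" because the server actually enforces the admin role there, even though the state transition it depends on is reachable.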

What You See in the UI

Every finding from an AI Pentesting scan carries the chain of reasoning the agent followed: which endpoint it started from, which values it learned, what it tried next, and where the attack landed. That trace is what turns a claim into evidence. See Proof of Exploit for the evidence format and how to hand it to engineering.

See How It Works for the scan-time anatomy of AI Pentesting, and the individual agent pages under this section for the classes of attack each one runs.