How AI-Driven Penetration Testing Works (And What It Still Can't Do)

How It Works#

BreachVex is built on a multi-stage attack engine running inside a fresh, single-use isolated container with real, industry-standard offensive tooling. Each scan follows a fixed sequence of stages, each responsible for a distinct phase of the engagement:

1. Passive recon — DNS records, certificate transparency logs, public exposure data.
2. Probing — HTTP fingerprinting, technology stack detection, authentication type detection (form-based, JWT, OAuth2, API key).
3. Cartography — Endpoint discovery using JavaScript bundle analysis, Katana crawling, Gobuster path enumeration, and SPA route extraction.
4. Active recon — Deeper surface mapping including parameter discovery (Arjun), subdomain enumeration, open redirect detection.
5. Attack planning — The planning stage selects which vulnerability classes to test based on the discovered stack. A Next.js API route is tested differently than a Laravel monolith.
6. Squad execution — Nine specialist agent squads run, each covering a vulnerability category: XSS, SQL injection, SSRF, XXE, authentication/session, business logic, API security, misconfigurations, and advanced attacks.
7. Proof engine — Findings are only promoted to the report if the proof engine can verify exploitation. For XSS, this means executing the payload in a real Playwright browser. For IDOR, it means confirming cross-account data access with a response diff.
8. Reporting — PDF, JSON, and SARIF 2.1.0 outputs are generated with full reproduction steps.

The full pipeline typically completes in 40–60 minutes depending on target complexity and the number of endpoints discovered.

What It Covers#

BreachVex tests over 120 vulnerability classes across these categories:

• Injection: SQL, NoSQL, command, LDAP, SSTI, XPath
• XSS: Reflected, stored, DOM-based, blind XSS with out-of-band callback
• Broken Access Control: IDOR, BOLA, horizontal and vertical privilege escalation, JWT manipulation
• Authentication/Session: Weak credentials, session fixation, session hijacking, JWT algorithm confusion, account enumeration
• SSRF: Cloud metadata endpoint access (AWS IMDSv1/v2, GCP, Azure), internal service probing, OOB confirmation via DNS callback
• API Security: OWASP API Top 10, GraphQL introspection/batching, mass assignment, rate limit bypass
• Misconfiguration: Exposed debug endpoints, default credentials, verbose errors, open S3 references in source code, security header gaps
• Business Logic: Workflow circumvention, price manipulation, discount stacking, function use limit bypass

Limitations#

This section matters. An AI penetration tester is a tool with a defined scope, and overstating that scope does not help anyone.

What BreachVex does not do:

• Social engineering — Phishing, vishing, pretexting, and human-factor attacks require human judgment and interaction. This is not automatable in any meaningful way.
• Physical security — Badge cloning, physical intrusion, hardware attacks, and supply chain tampering require physical presence.
• Source code review — BreachVex operates as a blackbox tester. It does not have access to your source code and cannot perform SAST or code-level security review.
• Zero-day research — BreachVex exploits known vulnerability classes using proven techniques. It does not discover novel vulnerabilities in third-party software or operating systems.
• Internal network penetration — The pipeline runs from an external vantage point. Testing internal network segmentation, Active Directory, or on-premise infrastructure requires different tooling and network access.
• Compliance gap analysis — BreachVex produces security findings, not compliance mappings. It does not produce SOC 2 readiness reports, ISO 27001 gap analyses, or PCI-DSS compliance assessments.

When to Use It vs a Traditional Pentest#

The right tool depends on your situation:

Use BreachVex when:

• You want continuous coverage on every deploy, not a point-in-time engagement
• You need fast results for a new feature, integration, or API surface
• You want to validate that a manual pentest's findings have been remediated
• Your budget does not support quarterly manual engagements
• You want machine-readable output (SARIF) that integrates with your CI/CD pipeline

Use a traditional human pentest when:

• Compliance frameworks explicitly require it (PCI-DSS 11.4, SOC 2 Type II)
• Your threat model includes social engineering or insider threat vectors
• You need source code review as part of the engagement
• Your application involves complex business logic that requires sustained human reasoning to model
• You are testing internal infrastructure, VPN boundaries, or on-premise systems

The most effective security programs use both. Automated continuous coverage catches regressions and maintains a baseline. Human pentests go deeper on specific surfaces — typically once or twice per year — with the automated tool handling the intervals between.