Skip to content
BreachVex
product··5 min read

How AI-Driven Penetration Testing Works (And What It Still Can't Do)

BreachVex is a blackbox web application pentester. It runs a multi-stage attack engine against a target URL, covers OWASP Top 10 and API security vulnerability classes, delivers proof-of-exploit within 60 minutes, and exports SARIF/PDF/JSON reports. It does not do social engineering, physical testing, source code review, or zero-day research.

How It Works

BreachVex runs a multi-step attack engine inside a fresh, single-use isolated environment with real, industry-standard offensive tooling. It maps the attack surface, then probes it the way a human pentester would — adapting what it tests to what it finds, and only reporting what it can prove. In practice that means four things happen on every scan:

  • It learns the target. It builds a picture of the application from the outside — exposed surface, technology stack, authentication mechanism (form-based, JWT, OAuth2, API key), endpoints and parameters — using DNS and certificate data, fingerprinting, crawling, JavaScript analysis, and route extraction.
  • It tailors the attack. Testing adapts to the discovered stack. A Next.js API route is tested differently than a Laravel monolith, so effort goes where it is actually relevant.
  • It exploits broadly. It attempts real exploitation across a wide range of vulnerability classes (covered below), rather than matching signatures.
  • It proves every finding. A result is only promoted to the report if exploitation can be verified. For XSS, that means executing the payload in a real headless browser. For IDOR, it means confirming cross-account data access with a response diff. Then PDF, JSON, and SARIF 2.1.0 reports are generated with full reproduction steps.

A full scan typically completes in 40–60 minutes depending on target complexity and the number of endpoints discovered.

What It Covers

BreachVex tests a broad range of vulnerability classes across the OWASP Top 10 — for example:

  • Injection: SQL, NoSQL, command, LDAP, SSTI, XPath
  • XSS: Reflected, stored, DOM-based, blind XSS with out-of-band callback
  • Broken Access Control: IDOR, BOLA, horizontal and vertical privilege escalation, JWT manipulation
  • Authentication/Session: Weak credentials, session fixation, session hijacking, JWT algorithm confusion, account enumeration
  • SSRF: Cloud metadata endpoint access (AWS IMDSv1/v2, GCP, Azure), internal service probing, OOB confirmation via DNS callback
  • API Security: OWASP API Top 10, GraphQL introspection/batching, mass assignment, rate limit bypass
  • Misconfiguration: Exposed debug endpoints, default credentials, verbose errors, open S3 references in source code, security header gaps
  • Business Logic: Workflow circumvention, price manipulation, discount stacking, function use limit bypass

Every finding in the report is backed by a working proof-of-exploit: the exact HTTP request, the server's response, and evidence of impact. Theoretical or signature-based findings that cannot be verified through execution are discarded.

Limitations

This section matters. An AI penetration tester is a tool with a defined scope, and overstating that scope does not help anyone.

What BreachVex does not do:

  • Social engineering — Phishing, vishing, pretexting, and human-factor attacks require human judgment and interaction. This is not automatable in any meaningful way.
  • Physical security — Badge cloning, physical intrusion, hardware attacks, and supply chain tampering require physical presence.
  • Source code review — BreachVex operates as a blackbox tester. It does not have access to your source code and cannot perform SAST or code-level security review.
  • Zero-day research — BreachVex exploits known vulnerability classes using proven techniques. It does not discover novel vulnerabilities in third-party software or operating systems.
  • Internal network penetration — The pipeline runs from an external vantage point. Testing internal network segmentation, Active Directory, or on-premise infrastructure requires different tooling and network access.
  • Compliance gap analysis — BreachVex produces security findings, not compliance mappings. It does not produce SOC 2 readiness reports, ISO 27001 gap analyses, or PCI-DSS compliance assessments.

Do not use BreachVex as a substitute for a full-scope manual penetration test where compliance standards require one. OWASP ASVS Level 3, PCI-DSS requirement 11.4, and most compliance frameworks specify human-led testing for certain scopes.

When to Use It vs a Traditional Pentest

The right tool depends on your situation:

Use BreachVex when:

  • You want continuous coverage on every deploy, not a point-in-time engagement
  • You need fast results for a new feature, integration, or API surface
  • You want to validate that a manual pentest's findings have been remediated
  • Your budget does not support quarterly manual engagements
  • You want machine-readable output (SARIF) that integrates with your CI/CD pipeline

Use a traditional human pentest when:

  • Compliance frameworks explicitly require it (PCI-DSS 11.4, SOC 2 Type II)
  • Your threat model includes social engineering or insider threat vectors
  • You need source code review as part of the engagement
  • Your application involves complex business logic that requires sustained human reasoning to model
  • You are testing internal infrastructure, VPN boundaries, or on-premise systems

The most effective security programs use both. Automated continuous coverage catches regressions and maintains a baseline. Human pentests go deeper on specific surfaces — typically once or twice per year — with the automated tool handling the intervals between.