Wiki
The long-form knowledge base. Concepts, operating model, trust posture, and the buyer questions that matter. Updated continuously as the platform evolves — every section links into the live system.
AI penetration testing — the working definition
AI penetration testing means running sequenced reasoning loops against a defined target to discover real vulnerabilities, exploit them with proof, and report them with remediation. Three details earn the "penetration testing" label rather than just "automated scanning":
- The agent reasons about authorisation logic, not only payload shape.
- Each finding is gated by an exploitation attempt. If we cannot produce evidence, the finding is marked unconfirmed and downgraded, not published as a high-severity issue.
- Output is paired with reproduction instructions and remediation code in the target stack's language, not a static CVE reference.
This is the difference between a regex DAST scanner that reports "X-Frame-Options is missing" and an AI pentester that reports "the /status endpoint returns the full paid product to unauthenticated callers — here is the curl command and here is the four-line fix".
Scan engine families
AssurePort runs four engines today. Each is a sequenced pipeline of agents built around a specific attack surface.
| Engine | Surface | Methodology base |
|---|---|---|
| Web Pentest | HTTP(S) web applications | OWASP Top 10 + recon |
| API Pentest | REST and GraphQL APIs | OWASP API Security Top 10 (2023) |
| Mobile APK | Android apps | OWASP MASVS — static + dynamic |
| GitHub Repo SAST | Source repositories | secrets + dependency audit + IaC + auth review |
Network and Cloud Misconfig engines are on the roadmap and will be marked "Coming soon" on the pricing page until they ship.
Anatomy of a scan
- Dispatch. The console (or the API) creates a scan record. The platform verifies DCV is current, the RoE document is signed and within its test window, and the tenant has reservation budget for the engine.
- Recon. The first agent enumerates the surface — endpoints, hostnames, technology fingerprints, public artefacts.
- Analysis. Parallel agents each pursue one risk class — for the Web engine, that means injection, XSS, auth, authz, and SSRF analysts running concurrently.
- Exploitation. For each analyst-flagged candidate, an exploit agent attempts a real proof. Only confirmed exploitations make the High / Critical severity tier.
- Post-exploitation and reporting. A synthesis agent produces the human-readable report — markdown + branded PDF — with CVSS scores, OWASP mapping, reproduction commands, and remediation code.
The full scan completes in roughly 30–45 minutes for a Web target and 10–25 minutes for the smaller engines. Progress events stream to the console live, and the report is auto-emailed on completion.
Evidence and proof-of-concept
Every High and Critical finding ships with reproduction evidence — a curl command, a Burp-importable request, or a step-by-step recipe. Anything that cannot be reproduced is marked unconfirmed with a lower severity floor. This is the line we draw between pattern-matching scanning and pentest output.
Domain Control Verification (DCV)
Every scan target must pass DCV before a single packet is sent. Three methods are accepted:
- DNS TXT record at _assureport.<host>
- HTML meta tag <meta name="assureport-verification" content="…">
- HTTP file at /.well-known/assureport-challenge.txt
Tokens are unique per asset and per attempt. Tampered or expired verification rejects the dispatch with HTTP 412 Precondition Failed and an audit-log entry. DCV is the most important security boundary in the platform; we will not lift it for any tier or any account.
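The token check described above, written as an added example (not AssurePort's own code). The challenge and evidence dict shapes, the token value and the function names are assumptions; the evidence is passed in already fetched so the block runs offline.

```python
import hmac
import time
from html.parser import HTMLParser

META_NAME = "assureport-verification"  # meta tag name given on this page

class MetaFinder(HTMLParser):
    """Collect content= values of every <meta name="assureport-verification">."""
    def __init__(self):
        super().__init__()
        self.values = []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "meta" and (a.get("name") or "").lower() == META_NAME:
            self.values.append(a.get("content") or "")

def token_matches(candidate, token):
    # Constant-time compare so response timing does not leak token prefixes.
    return hmac.compare_digest(candidate.strip().encode(), token.encode())

def check_dcv(challenge, evidence, now=None):
    """Return (http_status, reason); 412 blocks the dispatch.

    challenge and evidence are hypothetical dict shapes for this example.
    """
    now = time.time() if now is None else now
    if now >= challenge["expires_at"]:
        return 412, "challenge expired"
    method = challenge["method"]
    if method == "dns":        # TXT values read from _assureport.<host>
        found = evidence.get("txt_records", [])
    elif method == "meta":     # HTML of the target's page
        finder = MetaFinder()
        finder.feed(evidence.get("html", ""))
        found = finder.values
    elif method == "file":     # body of /.well-known/assureport-challenge.txt
        found = [evidence.get("file_body", "")]
    else:
        return 412, "unknown method"
    if any(token_matches(v, challenge["token"]) for v in found):
        return 200, "verified"
    return 412, "token mismatch"

# Constructed sample data: one challenge per asset and per attempt.
CHALLENGE = {"token": "ap-dcv-constructed-7f3a", "method": "meta",
             "expires_at": 1_700_000_600}
GOOD_HTML = '<html><head><meta name="assureport-verification" content="ap-dcv-constructed-7f3a"></head></html>'
STALE_HTML = GOOD_HTML.replace("7f3a", "0000")  # token from an earlier attempt
```

A token left over from a previous attempt fails the same way as a tampered one, which is why per-attempt tokens matter: a stale meta tag or TXT record on an asset that has changed hands cannot re-authorise a scan.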
Rules of Engagement (RoE)
A signed Rules of Engagement document records the legal authorisation to test, the in-scope and out-of-scope assets, the test window, and the signing party. Without it, no scan dispatches. The document is reviewed by an AI validator that scores the document for the required elements; below the confidence threshold, you receive an email listing the gaps and the dispatch is blocked.
Multi-tenant by design
Every row of customer data carries a tenant identifier. Every authenticated route enforces it through the same authorisation layer — there is no admin path that bypasses the check. Cross-tenant access is verified through automated tests on every release and is part of our self-pentest scope.
Audit trail
The audit log is append-only. Every authentication event, scan dispatch, asset change, member invitation, billing transaction, and admin action is recorded with the actor, the tenant, the action, the resource, and a JSON payload. The Activity tab in the console surfaces it; the API exposes it for export.
Data residency
All customer-bound data — accounts, scan artefacts, report PDFs, billing transactions — lives in the European Union. Compute, storage, vector indexes, and AI inference all route through EU regions. There is no US data leg in the architecture and no cross-border transfer path for customer data. Public free-tools traffic is anonymised before logging.
GDPR posture
AssurePort acts as data processor for scan artefacts and as data controller for account-level data. We meet Article 32 technical and organisational measures: encryption in transit and at rest, named-account access, append-only audit logging, 2FA available to every account, an incident response plan with a 72-hour breach notification path, and documented staff training.
Our DPA is bilateral until a public template ships in v1.3. Email legal@assureport.com to receive the current draft for countersignature.
Shared responsibility
AssurePort operates the platform. You operate your business. Some duties stay with you:
- Keeping your account credentials and team membership accurate.
- Maintaining a valid signed Rules of Engagement for every scan target.
- Reviewing findings, prioritising remediation, and integrating the output with your issue tracker.
- Notifying us promptly if you suspect a security incident affecting your tenant.
Vulnerability disclosure
We follow RFC 9116. Coordinated disclosure goes to abuse@assureport.com or via /.well-known/security.txt. We triage within 24 hours, communicate remediation timelines back to the reporter, and publish accepted findings — including from our own self-pentest — in the public changelog.
OWASP coverage
The Web Pentest engine covers the OWASP Top 10 (2021): injection, broken authentication, sensitive data exposure, XML external entities, broken access control, security misconfiguration, cross-site scripting, insecure deserialisation, components with known vulnerabilities, insufficient logging and monitoring. The API engine covers the OWASP API Security Top 10 (2023): BOLA, broken authentication, broken object property level authorisation, unrestricted resource consumption, broken function level authorisation, unrestricted access to sensitive business flows, server-side request forgery, security misconfiguration, improper inventory management, unsafe consumption of APIs.
MSSP white-label
Managed security service providers and consultancies can run AssurePort as their delivery engine under their own brand. The Business tier ($799/month) unlocks white-label subdomains, branded PDF report templates, sub-tenant management for end-client accounts, an auditor read-only portal, and custom DPA / SLA terms.
AI vs human penetration testing
AI pentest is not a replacement for a senior human tester. Where humans dominate: chained exploits across deeply business-specific logic, novel attack chains, hardware or protocol research, and red-team engagements with social engineering. Where AI excels: weekly continuous coverage of automatable surface, finding logic bugs that pattern matchers miss, producing reproducible PoC evidence at a fraction of the cost.
The healthy stack in 2026 is AI pentest weekly, human pentest quarterly, bug bounty as the safety net. Each catches what the others miss.