DAST and AI Pentest
Plexicus offers two dynamic testing modes for web applications: DAST (dynamic application security testing) for automated vulnerability probing, and AI Pentest (Plexicus AI Pentest) for autonomous, AI-powered penetration testing that discovers complex business-logic flaws and attack chains.
Prerequisites
- Scale plan or above (DAST and AI Pentest are Scale+ features).
- A verified domain (both DAST and AI Pentest require domain verification; see Domain Verification).
- A running web application accessible at the verified domain.
DAST — Dynamic Application Security Testing
plexicus-dast probes a running application with network requests to discover HTTP misconfigurations, default credentials, and known, CVE-indexed vulnerabilities in the server software it identifies.
How DAST Works
- You point DAST at a target URL on a verified domain.
- Plexicus sends a series of probes (GET, POST, OPTIONS requests) to discover:
- Missing security headers (X-Frame-Options, Content-Security-Policy, etc.)
- Default credentials (admin/admin, etc.)
- Known CVEs in server technology (Apache, nginx, etc.)
- SSL/TLS misconfigurations
- Findings are returned immediately and appear in the dashboard.
DAST is fast (typically minutes) and has a low false-positive rate, but it does not test authentication-protected flows and does not find business-logic flaws.
Running a DAST Scan
- Verify at least one domain in Settings → Domain Verification.
- In Assets, create a new application or select an existing one.
- Enable plexicus-dast in the tool configuration.
- Click Scan Now or wait for the scheduled scan to run.
- When the scan completes, findings appear on the Findings page.
DAST Parameters
When you configure plexicus-dast, you can tune:
- severity — minimum severity to report (info, low, medium, high, critical)
- templates / tags — select which probe templates to run
- exclude_tags — exclude specific probe categories
- type — limit probes to a protocol type (dns, http, network, ssl)
- timeout, retries, max_redirects — network tuning
- passive — run only non-intrusive checks (no active payloads)
See Security Scanner Bundles for all parameters.
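The following is an added example, not Plexicus code, of the kind of passive check the probes in "How DAST Works" perform for missing security headers, and of how a minimum `severity` filter like the DAST parameter above trims what is reported. The check names, severities, and thresholds are assumptions made for illustration, and the two header sets are constructed rather than captured from a real host.

```python
"""
Passive security-header review over a single HTTP response's headers.
Added example, not Plexicus's implementation: check identifiers, severities
and thresholds are assumptions; the sample headers below are constructed.
"""
from dataclasses import dataclass

# Order used by the DAST severity parameter: report findings at or above a minimum.
SEVERITY_ORDER = ("info", "low", "medium", "high", "critical")
ONE_YEAR = 31_536_000  # seconds; commonly required HSTS max-age for preload lists


@dataclass(frozen=True)
class Finding:
    check: str      # assumed check identifier
    severity: str   # one of SEVERITY_ORDER
    detail: str


def _normalise(headers):
    """Lower-case header names and make every value a list (Set-Cookie can repeat)."""
    out = {}
    for name, value in headers.items():
        values = value if isinstance(value, list) else [value]
        out.setdefault(name.lower(), []).extend(values)
    return out


def _hsts_max_age(value):
    """Extract max-age from a Strict-Transport-Security value; 0 if absent or malformed."""
    for directive in value.split(";"):
        key, _, val = directive.strip().lower().partition("=")
        if key == "max-age" and val.isdigit():
            return int(val)
    return 0


def check_security_headers(headers):
    """Return a list of Finding objects for one response's headers."""
    h = _normalise(headers)
    findings = []

    hsts = h.get("strict-transport-security")
    if hsts is None:
        findings.append(Finding("hsts-missing", "medium", "no Strict-Transport-Security header"))
    elif _hsts_max_age(hsts[0]) < ONE_YEAR:
        findings.append(Finding("hsts-short-max-age", "low",
                                f"max-age={_hsts_max_age(hsts[0])} is below one year"))

    csp = h.get("content-security-policy", [""])[0].lower()
    if not csp:
        findings.append(Finding("csp-missing", "medium", "no Content-Security-Policy header"))
    elif "'unsafe-inline'" in csp:
        findings.append(Finding("csp-unsafe-inline", "low", "CSP allows 'unsafe-inline'"))

    # Either mechanism blocks framing; CSP frame-ancestors supersedes X-Frame-Options.
    if "x-frame-options" not in h and "frame-ancestors" not in csp:
        findings.append(Finding("clickjacking-unprotected", "medium",
                                "neither X-Frame-Options nor CSP frame-ancestors is set"))

    if h.get("x-content-type-options", [""])[0].lower() != "nosniff":
        findings.append(Finding("nosniff-missing", "low", "X-Content-Type-Options is not nosniff"))

    server = h.get("server", [""])[0]
    if any(ch.isdigit() for ch in server):
        findings.append(Finding("server-version-disclosure", "info", f"Server: {server}"))

    for cookie in h.get("set-cookie", []):
        name = cookie.split("=", 1)[0].strip()
        attrs = {a.strip().lower().split("=")[0] for a in cookie.split(";")[1:]}
        missing = [flag for flag in ("secure", "httponly") if flag not in attrs]
        if missing:
            findings.append(Finding("cookie-flags", "medium",
                                    f"cookie {name!r} lacks {', '.join(missing)}"))
    return findings


def filter_by_severity(findings, minimum="info"):
    """Keep findings at or above `minimum`, mirroring the DAST severity parameter."""
    floor = SEVERITY_ORDER.index(minimum)
    return [f for f in findings if SEVERITY_ORDER.index(f.severity) >= floor]


# Constructed sample responses (not captured from any real host).
WEAK_HEADERS = {
    "Server": "nginx/1.18.0",
    "Content-Type": "text/html",
    "Strict-Transport-Security": "max-age=300",
    "Set-Cookie": ["session=abc123; Path=/", "theme=dark; Path=/; Secure; HttpOnly"],
}
HARDENED_HEADERS = {
    "Server": "nginx",
    "Strict-Transport-Security": "max-age=63072000; includeSubDomains",
    "Content-Security-Policy": "default-src 'self'; frame-ancestors 'none'",
    "X-Content-Type-Options": "nosniff",
    "Set-Cookie": "session=abc123; Path=/; Secure; HttpOnly; SameSite=Lax",
}

if __name__ == "__main__":
    for f in filter_by_severity(check_security_headers(WEAK_HEADERS), "low"):
        print(f"[{f.severity}] {f.check}: {f.detail}")
```

Run against the weak header set, the script reports the short HSTS max-age, the missing CSP, the unprotected framing, the missing nosniff flag, and the session cookie without Secure/HttpOnly, while the version-disclosure finding is dropped by the `low` floor; the hardened set produces no findings. Checks like these are exactly the "non-intrusive" class that `passive` mode restricts a scan to, since they only inspect a response and send no payloads.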
AI Pentest — Autonomous Penetration Testing
Plexicus AI Pentest (branded as "AI Pentest" in the UI) deploys AI-powered agents to autonomously test your application. Unlike DAST, AI agents:
- Explore your application interactively (clicking buttons, filling forms).
- Test authenticated flows if you provide credentials.
- Discover complex attack chains and business-logic flaws.
- Generate a detailed markdown report with findings and reproduction steps.
AI Pentest runs longer than DAST (up to 2 hours) but finds vulnerabilities that DAST's fixed probes miss.
Prerequisites for AI Pentest
- Domain Verification — at least one verified domain (same as DAST).
- AI Pentest Connector — ensure the AI Pentest connector is enabled in Settings → Connectors.
- Quota — AI Pentest consumes a separate quota (e.g., Scale = 3 sessions/month). Check your plan entitlements.
Creating an AI Pentest Assessment
- In Assets, look for the "App" sub-label (the pentest section).
- Click New AI Pentest.
- A multi-step wizard opens:
Step 1: Define Your Target
- Assessment Name — a descriptive name (e.g., "Production API Q2 Pentest").
- Target URL — select from your verified domains. This is the main entry point the AI agents will test.
- If no domains are verified, you'll see a link to Domain Verification. Verify at least one domain first.
Step 2: Authentication (Optional)
Choose how AI agents will test authenticated areas:
- No Authentication — agents test only publicly accessible endpoints.
- Username / Password — provide login credentials (email, password). AI agents will log in and test authenticated flows.
- API Keys / Headers — provide API keys or custom request headers (e.g., Authorization: Bearer <token>). Click Add Key to add multiple headers.
Credentials are encrypted and never logged. Use a dedicated, low-privilege test account rather than a real user's credentials, and revoke or rotate any API key or token you supply once the assessment is finished.
Step 3: Review & Launch
- Additional Notes (optional) — paste previous pentest findings, architecture notes, or known vulnerabilities. For example: "Uses Node.js backend, PostgreSQL DB. Previous pentest found XSS in search bar." This helps AI agents focus their testing.
- Review your configuration summary.
- Check the safety warning: "Running a pentest may generate a high volume of requests. Ensure you are testing a non-production environment or have appropriate approvals."
- Click Launch AI Pentest.
Monitoring an AI Pentest
Once launched, an AI Pentest runs asynchronously. The detail page shows:
- Status — Draft, Pending, Running, Completed, Failed, or Cancelled.
- Elapsed time — how long the pentest has been running (up to 2 hours).
- Live Scan Logs — a stream of probe and test activities (auto-updating every few seconds).
- Live Browser View — a view of the browser agents are using (read-only; shows what AI agents see).
You can cancel a running pentest at any time by clicking Cancel Scan.
AI Pentest Findings & Report
When a pentest completes:
- Findings appear in a dedicated list showing vulnerability type, severity, and reproduction steps.
- Screenshots — images the agents captured of vulnerable flows (e.g., form injection, auth bypass).
- Attack Surface diagram — a visual map of the application's entry points discovered during testing.
- Pentest Report — a markdown document with an executive summary, detailed findings, and step-by-step reproduction instructions. Click Download Report to save it.
You can view findings directly in the pentest detail page or filter them in the main Findings dashboard (filter by pentest source).
AI Pentest Parameters
When you create an AI Pentest, you can customize:
- custom_prompt — up to 500 characters of custom instructions for the AI agents (e.g., "Focus on payment flow. Previous testing found race conditions in the checkout."). The prompt is sanitized before it reaches the agents to prevent prompt injection.
Safety & Legal
Both DAST and AI Pentest generate HTTP traffic to your application. Only run these tests against applications you own or have explicit, written permission to test. Unauthorized testing is a criminal offence in most jurisdictions (for example under the CFAA in the US).
- Use a staging or QA environment when possible, not production.
- If you must test production, notify your infrastructure team to expect high request volume, and tell whoever operates your WAF, rate limiting, and SOC alerting so the scan is neither blocked nor treated as an incident.
- Ensure your cloud provider's terms allow penetration testing.
Troubleshooting
AI Pentest Won't Start
Check:
- Domain verified? — verify at least one domain in Settings → Domain Verification.
- Connector enabled? — enable AI Pentest in Settings → Connectors.
- Quota available? — check Settings for your AI Pentest quota (e.g., "1 of 3 sessions used this month").
- Target accessible? — confirm the target URL responds to HTTP requests.
Scan Takes Longer Than Expected
AI Pentests can run up to 2 hours. If a scan seems stuck:
- Check Live Scan Logs for recent activity.
- Wait a bit longer (AI agents are thorough).
- If no activity for >30 minutes, cancel and retry.
No Findings Reported
- AI agents may simply not have found vulnerabilities. Treat this as a good sign, not as proof that the application is secure: an empty report only says nothing was found within this session's scope and time limit.
- Confirm in Live Scan Logs that agents were testing your target.
- Add authentication or custom notes to help agents explore deeper.
See Also
- Domain Verification — verify domains before running DAST/Pentest
- Finding Triage — manage pentest findings in the dashboard
- Security Scanner Bundles — reference for plexicus-dast parameters