Pentesting Skills

Skills provide context that shapes how the AI reasons about your target. They are organised into two tiers:

Tier              | Visible to users   | Loaded when
Platform skills   | No                 | Every session, automatically
Specialist skills | Yes (skill picker) | When selected at session creation

Platform skills are always prioritised — their guidance overrides all other instructions for the session. Specialist skills add domain-specific knowledge on top.


Choosing a Specialist Skill

When you click New Strategy Session, the platform displays the skill picker. Each skill card shows the skill name and a short description.

  • Select the skill that best matches your target type.
  • If you are unsure, click Skip (General) to use the broad General Web Application skill.

The current session's skill is shown in the session list below the message count.


Available Specialist Skills

General Web Application Pentest

Best for: Any web application where no specific technology or concern has been pre-identified.

The AI follows a "start wide, then narrow" approach:

  1. Reconnaissance and technology identification
  2. Surface mapping via the crawler
  3. Authentication and authorisation review
  4. Input validation testing (SQL injection, XSS, SSRF, deserialization)
  5. Security header and configuration review
  6. Business logic and race condition testing

Typical starting modules: crawler, headers, auth, sqli, xss, data


API Security Assessment

Best for: Targets that expose a REST, GraphQL, or gRPC API as the primary or significant attack surface.

The AI focuses on API-specific risks:

  • JWT algorithm confusion, alg:none, and weak secrets
  • Broken Object Level Authorisation (BOLA/IDOR) via ID swapping
  • Mass assignment and over-verbose data exposure
  • OAuth2/OIDC redirect URI bypass and token leakage
  • GraphQL introspection, alias abuse, and deep-query DoS
  • SSRF via webhook or URL parameters
  • Shadow APIs from versioning (/v1/, /v2/, /internal/)

Typical starting modules: crawler, jwt, auth, data, ssrf, oauth


SaaS Multi-Tenant Application

Best for: Software-as-a-Service platforms where multiple customer organisations share the same codebase and infrastructure.

The AI focuses on the defining risk of multi-tenant systems — tenant isolation failure:

  • Cross-tenant data access by swapping org_id / account_id values
  • Subscription and billing logic bypass (accessing premium features without paying)
  • SAML/OIDC mis-scoping across tenants
  • Shared Redis cache enumeration and poisoning
  • Background worker SSRF via user-supplied URLs
  • Support impersonation endpoint abuse

Typical starting modules: crawler, auth, data, oauth, business_logic, ssrf


Authentication & Identity Deep Dive

Best for: Assessments where the primary concern is the strength of the authentication system, or when prior testing has identified auth-related issues.

The AI conducts a thorough review of:

  • Weak password policies and account enumeration
  • Brute-force protection (lockout, rate-limiting, CAPTCHA)
  • Session token entropy, fixation, expiry, and cookie attributes
  • Password-reset token predictability and host header injection
  • MFA bypass, OTP reuse, and backup code weaknesses
  • OAuth2/OIDC state parameter, PKCE, and redirect URI validation
  • SAML XML signature wrapping and assertion replay
  • JWT alg:none, algorithm confusion, and weak secrets

Typical starting modules: auth, jwt, oauth, headers


Tips for Effective Skill Use

Combine with good context

Selecting the right skill is only half the equation. Give the AI detailed information about the target's stack, authentication model, and business flows. The more context you provide, the sharper the recommendation.

Skills are additive, not restrictive

A skill guides the AI's focus but does not prevent it from recommending modules outside its typical set if your answers reveal a relevant risk.