AI agents that systematically test your web applications against OWASP standards. Launch a full-scope assessment with a single click.
SCARAB is an autonomous penetration testing platform that uses AI agents to systematically assess the security of your web applications and APIs. Instead of point-and-click scanners that check for known signatures, SCARAB deploys a team of specialized agents — each an expert in a different domain of security testing — that reason, adapt, and collaborate like a human penetration testing team.
Every assessment is grounded in industry-standard methodology with comprehensive coverage across reconnaissance, authentication, injection, authorization, configuration, business logic, and client-side testing. Results stream to your dashboard in real time, complete with evidence and remediation guidance.
Add your target URL, configure scope boundaries, and provide any credentials needed for authenticated testing. SCARAB supports multi-role testing with separate user and admin accounts.
One click spins up an isolated container with the full testing toolkit. AI agents execute in sequence — recon, auth, config, injection, authorization, business logic — each building on prior findings.
Watch findings stream in live as agents work. Each finding includes severity, affected endpoints, full HTTP evidence, and remediation guidance. Export a self-contained HTML report when complete.
Six specialist agents coordinate through shared state. No fixed playbooks — agents reason about what to test and adapt to what they find, just like a human pentester would.
Server-sent events stream every finding, endpoint, and checklist update to your browser as it happens. Full visibility into what each agent is doing and why.
Tests mapped to established security methodologies including the OWASP Web Security Testing Guide. Systematic baseline coverage with the flexibility to go deeper where it matters.
Every finding includes the complete HTTP request and response that triggered it. No unproven findings: every reported vulnerability is demonstrated with reproducible evidence.
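The two features above (findings streamed to the browser as server-sent events, and every finding carrying the HTTP exchange that proves it) can be combined on the consuming side. The following is an added example, not SCARAB's own code: a small parser for the SSE wire format that reads a findings stream and accepts only findings whose evidence contains both a request and a response. The event names and the JSON shape of a finding are assumptions for illustration, not the platform's real schema; the sample stream is constructed.

```python
"""Parse an SSE stream of assessment findings and keep only those with
full HTTP evidence.

Added example; not SCARAB's own code. The "finding"/"checklist" event
names and the finding JSON shape (severity, endpoint, evidence.request,
evidence.response) are assumed for illustration.
"""
import json
from typing import Dict, Iterator, List, Tuple

# Constructed sample stream in the SSE wire format: "event:" and "data:"
# fields, events separated by a blank line, multi-line data joined with
# "\n", and lines starting with ":" treated as comments (keep-alives).
SAMPLE_STREAM = """\
: keep-alive
event: finding
data: {"id": "f-1", "severity": "high", "endpoint": "/api/users/42",
data:  "evidence": {"request": "GET /api/users/42 HTTP/1.1\\r\\nCookie: session=...",
data:  "response": "HTTP/1.1 200 OK\\r\\n\\r\\n{\\"email\\": \\"...\\"}"}}

event: finding
data: {"id": "f-2", "severity": "medium", "endpoint": "/login", "evidence": {}}

event: checklist
data: {"item": "WSTG-ATHZ-04", "status": "done"}

"""


def parse_sse(stream: str) -> Iterator[Dict[str, str]]:
    """Yield {"event": name, "data": payload} for each dispatched SSE event.

    Follows the spec's field handling: a single space after the colon is
    stripped, "data" lines accumulate and are joined with "\\n", the event
    name defaults to "message", and an event is dispatched on a blank line
    only if its data buffer is non-empty.
    """
    event_name = "message"
    data_lines: List[str] = []
    for raw in stream.splitlines():
        if raw == "":
            if data_lines:
                yield {"event": event_name, "data": "\n".join(data_lines)}
            event_name, data_lines = "message", []
            continue
        if raw.startswith(":"):  # comment line, e.g. a keep-alive
            continue
        field, _, value = raw.partition(":")
        if value.startswith(" "):
            value = value[1:]
        if field == "event":
            event_name = value
        elif field == "data":
            data_lines.append(value)
    if data_lines:  # stream ended without a trailing blank line
        yield {"event": event_name, "data": "\n".join(data_lines)}


def has_http_evidence(finding: dict) -> bool:
    """A finding counts as proven only with both a request and a response."""
    evidence = finding.get("evidence") or {}
    return bool(evidence.get("request")) and bool(evidence.get("response"))


def collect_findings(stream: str) -> Tuple[List[dict], List[dict]]:
    """Split streamed findings into (accepted, rejected) by evidence presence.

    Non-finding events (e.g. checklist updates) are ignored here.
    """
    accepted: List[dict] = []
    rejected: List[dict] = []
    for event in parse_sse(stream):
        if event["event"] != "finding":
            continue
        finding = json.loads(event["data"])
        (accepted if has_http_evidence(finding) else rejected).append(finding)
    return accepted, rejected


if __name__ == "__main__":
    ok, bad = collect_findings(SAMPLE_STREAM)
    for f in ok:
        print(f"ACCEPTED {f['id']} {f['severity']:>6} {f['endpoint']}")
    for f in bad:
        print(f"REJECTED {f['id']} (no HTTP evidence)")
```

Run it as a script to see one accepted and one rejected finding; in a real consumer the same checks would run over the response body of the dashboard's event-stream endpoint rather than over an embedded string.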
Run assessments with your choice of AI provider. Mix and match models per agent — use a powerful model for complex testing, a fast one for reconnaissance.
Each assessment runs in its own isolated container with a full security testing toolkit. Completely sandboxed, fully reproducible, zero infrastructure to manage.
Six specialist agents, each responsible for a different domain of security testing, running in the order given above (recon, auth, config, injection, authorization, business logic).
Reconnaissance agent: server fingerprinting, endpoint discovery, technology mapping, API documentation analysis, and application route extraction.
Authentication agent: credential testing, session management, MFA bypass, password reset flaws, cookie security, session fixation, and cross-site request forgery.
Configuration agent: platform configuration, HTTP methods, security headers, error handling, stack-trace leakage, TLS/SSL scanning, and encryption verification.
Injection agent: cross-site scripting, SQL injection, command injection, template injection, server-side request forgery, path traversal, and more.
Authorization agent: insecure direct object references, privilege escalation, authorization bypass, and cross-role comparison testing with multi-credential support.
Business logic agent: workflow bypass, race conditions, constraint violations, and application-specific logic flaws that traditional scanners miss entirely.