Skip to main content

AI Penetration Testing

Get an in-depth, AI-driven penetration test of a web app on demand — one that reads your code, tests the live app to prove what's exploitable, and hands you an audit-ready report.

Written by Joe Haigh

An AI Full Pentest is a deep, on-demand penetration test of a web application, run end-to-end by Intruder's autonomous AI pentesting agents. It gives you the depth of a manual pentest, on demand: time to exploit has gone from months to hours, and annual or quarterly pentests can't keep up, so you can test with every release. It covers your web apps specifically — not your whole external network — in a fraction of the time and cost of a manual engagement.

It's code-assisted: the agents read your source to see how the app is built and map your APIs from the code (no schema to upload), then actively test the live app — using the same methods as experienced pentesters — to discover new vulnerabilities, not just validate known ones. Every finding is proven exploitable, with live evidence and the exact source file and line where it originates.

That reach is the point: it regularly surfaces critical issues that scanners and human testers both miss — authentication and authorization bypasses, cross-tenant access to another customer's data, and business-logic flaws with direct financial impact. Scanners flag what they can detect but can't tell you what's a real risk in your environment; the agents confirm each finding against the live app, so you get fewer rabbit holes and faster remediation. When it's done, you get a detailed PDF report suitable for compliance evidence under SOC 2, ISO 27001, and PCI DSS.

An AI Full Pentest is separate from AI Issue Triage & Investigation, the credit-based feature that validates issues you've already detected; a Full Pentest tests a whole application from scratch and is a one-off purchase. You set one up in a short guided flow — scope, source code, optional credentials and context, then pay — and your progress saves as you go. For how it differs from scanning, see AI Pentest Features in Intruder: Overview.


🆕 Note: AI Full Pentest is a new capability, currently in early access and being rolled out to selected accounts. If you don't see it in your account yet, contact your account manager or support.


Setting up an AI Full Pentest

📌 Prerequisites

  • The Admin role in Intruder. Only admins can create, pay for, or cancel an AI Full Pentest.

  • A connectable GitHub or GitLab repository for the app you want to test.

  • A card saved on your account, or an invoice arrangement, for the one-off pentest fee.

To start, go to Pentests, begin a new pentest, and choose AI pentest. The setup opens with a progress bar and a tracker down the side so you can see what's left. Everything you enter saves automatically — close the tab and come back, and your setup is still there.

Two parts are required (Scope and Source), and two are optional (Accounts and Context).

Scope

Scope tells the AI agent what to test.

  • Environment

    Choose Development, Staging, or Production (not recommended).

⚠️ Important

We explicitly advise against running an AI Full Pentest in Production. The agent takes real, sometimes destructive actions and its behavior can't be fully predicted — a production test can disrupt your live service, your users, and third parties you rely on. Use a staging, test, or development environment wherever possible.

If you have no alternative, the AI Pentesting terms require that you've taken full backups or snapshots beforehand, can roll back any changes, and have accepted the risk of disruption. These are conditions of testing production, not an assurance that it's safe.

  • Entrypoint URL

    Select an existing target, or enter a custom URL for the agent to start testing from.

🛑 Critical

Never run an AI Full Pentest against safety-critical or physical systems — industrial control, OT or SCADA systems; medical or life-safety systems; vehicles, aircraft or marine systems — or against any system you don't own or aren't authorized to test.

These are prohibited targets under the AI Pentesting terms.

  • App name

    Name your application — this is how it appears in your report.

  • App overview (optional)

    Briefly describe what the app does and who uses it, for example: "B2B SaaS platform for managing invoices. Used by accountants and their clients." This gives the agent context before testing starts.

Test Accounts (optional)

Test accounts let the agent log in and test the authenticated parts of your app, which is usually where the interesting risk lives. If your app has any kind of login, adding credentials matters: without them, the agent can only test what's reachable when logged out, so most of the application goes untested. Only skip this step if the target is a fully public site with no authenticated area.

Add as many accounts as you can, covering every access level in your app — and, if it's multi-tenant, accounts belonging to different tenants or customers. This lets the agent test for privilege escalation and cross-tenant authorization failures, where a user reaches data or actions they shouldn't, which are among the most common critical issues it finds. As a rule of thumb, more is better — we test our own platform with roughly a dozen accounts covering every access level.

To add an account:

  1. Select Add account and choose either User account or API account

  2. For a User account, enter a username or email, a password, and a note under Account access describing what the account can reach, for example: "Admin with full access."

  3. For an API account, enter a name, the header or parameter that carries the key (e.g. X-API-Key), the API key value, and a note describing what the account can access.

  4. Repeat to add more. Each account card can be collapsed, expanded, or deleted.

💡 Tip

Provide accounts covering as many access levels as you can so the agent can reach more of your app. Because the agent may take destructive actions to confirm a weakness is real, the safeguard that matters is running against a non-production environment: if the test affects data there, it doesn't matter.

Source code

Source code is where you connect the repository that the agent reviews. This is a required part of an AI Full Pentest — the test is code-assisted, so the agent needs to read your code to pinpoint where issues originate.

  1. Select GitHub or GitLab. If the provider isn't connected yet, you'll be prompted to connect the integration first.

  2. Select a repository and a branch.

  3. Add notes to guide the agent, for example: "Monorepo — focus on /services/auth. Ignore generated code in /dist."

  4. Select Add repository to include more than one repo (these need to be from the same platform). You should connect as many repos as you need to cover the application.

Repositories are connected read-only, are not accessed by a person, and are deleted once the pentest completes.

⚠️ Important

Switching providers after adding repositories removes any repositories already added under the previous provider. The agent asks you to confirm ("Switch to GitLab? Your GitHub repositories will be removed") before it clears them. Add all repositories from one provider before switching.

Context (optional)

Context is where you point the agent at what matters. Every field is optional, but the more you give, the more targeted the results.

  • Tech stack

    • What the app is built on, for example: "Next.js frontend, Rails API, PostgreSQL, Redis". This field is more useful for external technical dependencies the agent can't infer — for example a third-party payment provider or API the app relies on.

  • Areas of concern

    • The best place to set scope expectations when you don't want the whole application tested. Say what to prioritize, and call out anything that should not be tested, for example: "Focus on the checkout and admin panel. Don't test the data-export endpoint."

  • Other

    • Anything else that helps. It's especially worth flagging intentional behavior that might otherwise be reported as a vulnerability — for example, a deliberately public endpoint, or a debug header that's expected in staging — so the agent doesn't raise it as a finding.

💡 Tip

Areas of concern is the highest-leverage field — it's where you both point the agent at what matters and mention anything that shouldn't be tested.

Checkout

Checkout shows a summary of your configuration to review, then handles payment.

  1. Check the summary matches what you intended. You can go back to any earlier section to make changes.

  2. Accept the terms and conditions.

  3. If you chose a Production environment, you'll also confirm you understand you've selected a production environment and accept that the test may affect your live systems.

  4. Complete payment. An AI Full Pentest is a one-off payment per pentest and is separate from your AI pentest credits (the monthly allowance used for AI Issue Validation, shown in the portal under Triage & investigation). Payment is handled by Stripe (card, Apple Pay, Google Pay, and more). Depending on your account, an invoice option may also be available.

  5. Once payment completes, the pentest starts.

Starting over

To discard your progress and start fresh, open the menu at the top of the setup and select Start again. This menu is available throughout setup. Starting again clears your saved draft completely — there's no undo.

⚠️ Important

Start again wipes the entire draft, including any credentials, repositories, and context notes you've added. If you only want to change one thing, go back to that specific section instead.


What happens after you submit

After you submit, you're taken to the pentest's status page, where the AI agent's progress is shown in real time — moving from Pending to Running to Completed. You can leave and return; the pentest keeps running regardless.

Before testing gets fully underway, Intruder runs preflight checks that confirm it can access your repository and log in with any credentials you supplied. If a check fails, you'll see a clear error — "Source code check failed" or "Accounts check failed" — with a Contact us button, so a misconfigured repo or credential doesn't quietly waste a test.

⚠️ Important

To prove what's exploitable, the agent takes real actions on your target — it may create, modify, or delete data, submit forms, upload files, or trigger notifications, workflows, and third-party integrations. This is by design and stays within the scope you authorize. It's why staging is the safe default, and why you should take a backup before testing production.

You can cancel at any point up until a report has been generated — while the pentest is still running, a Cancel pentest button is available on the status page. Canceling stops further testing, but can't undo actions the agent has already taken. It does not refund the test, and it won't produce a report for that engagement. If you want to resume a canceled pentest, contact us — but we can't guarantee it can be continued. Once the report exists, the pentest is complete and can't be canceled, but you can still leave feedback or raise questions with support.


Your report

The deliverable is a downloadable PDF report, accessed through a secure, time-limited link, and built to be handed to a third party. It follows a consistent structure:

  • Executive summary — a plain-language account of what was found and the business risk, with recommended remediation timelines.

  • Overview — the scope, the accounts used, what was out of scope, and the test's limitations.

  • Summary table — every finding ranked by risk, each with a reference (VULN-001, VULN-002, …).

  • Findings — for each issue: a risk rating, its impact and likelihood, a description, live evidence, technical detail, remediation advice, and the exact source file and line where it originates.

  • Appendices — the risk-rating methodology (risk is impact × likelihood, rated Info / Low / Medium / High / Critical), the testing methodology, and an About Intruder section covering accreditations and the team behind the agent.

Findings come with built-in recommended remediation SLAs — Critical within 24 hours, High within 7 days, Medium within 30 days, Low by the next release — so you have a timeline you can commit to internally or show an auditor.

ℹ️ Note

Intruder's reports are routinely used to satisfy compliance frameworks such as SOC 2, ISO 27001, PCI DSS, and Cyber Essentials, and have been accepted in B2B supplier security audits. An AI Full Pentest report is designed to stand in for — or supplement — a traditional manual pentest report for these purposes.

You can use the report internally and share it with your own customers, regulators, auditors, and professional advisors to demonstrate your security posture. You can't share it with other third parties — in particular, providers of competing security testing services — without Intruder's written consent.


FAQ

Do I have to connect source code?

Yes. An AI Full Pentest is code-assisted, so a connectable GitHub or GitLab repository is required — the agent reviews your source as part of the test. If you can't connect a repo, you can't run one yet.

Do I have to add test accounts?

Test accounts are optional in the wizard, but if any part of your app sits behind a login you should add them — without credentials the agent can't reach those areas, and most of the app goes untested. For a site with no authenticated area, you can skip this.

What does an AI Full Pentest cover?

It's a web application penetration test, run both unauthenticated and (if you supply credentials) authenticated. It covers the OWASP Top 10 and beyond — authentication and session handling, authorization, business logic, input validation and injection (XSS, SQL injection, command injection, and similar), file uploads, information leakage, and server configuration. Denial-of-service, social engineering, phishing, and physical security testing are out of scope.

How much does an AI Full Pentest cost?

Each AI Full Pentest is a one-off, per-engagement payment, separate from your AI pentest credits. The exact price is shown at checkout before you pay; it varies by currency and by whether you're on a paid plan, and existing paying customers and early adopters currently get a discount.

Do my AI pentest credits cover an AI Full Pentest?

No. AI pentest credits are the monthly allowance used for AI Issue Validation (shown in the portal under Triage & investigation). An AI Full Pentest is billed separately as a one-off payment per pentest.

How long does an AI Full Pentest take?

Most run in minutes to hours, depending on the size and complexity of your app and how much context you've given the agents. You don't need to wait around — progress shows on the status page in real time, and you can leave and come back while it runs.

Can I cancel an AI Full Pentest after starting?

You can, up until a report has been generated, using the Cancel pentest button on the status page. However, canceling stops the test, but it isn't refunded, and won't produce a report for that engagement. Resuming a canceled pentest isn't always possible, so contact us if you need to. Once the report exists, the pentest is complete.

What happens to the credentials and code I submit?

Credentials are encrypted at rest and never included in reports or logs. Source code and anything else you provide is processed only inside the engagement's isolated testing container, deleted after the engagement, and never accessed as a complete repository copy by Intruder staff. Your data is never used to train AI models.

For the exact retention periods, sub-processors, and data flows, see the AI Pentesting terms and our Intruder Trust Center - AI FAQs.

Who's behind the AI agent's methodology?

The methodology is distilled from Intruder's in-house security team, whose qualifications include CREST certifications and the Offensive Security Certified Professional (OSCP). Intruder is a CREST member company, is SOC 2 Type II compliant, holds Cyber Essentials, and was selected for the UK government's GCHQ Cyber Accelerator. The agent applies the same methods as a human tester — sending requests, analyzing responses, and validating findings against the live app. Full details are in the About Intruder appendix of every report.

Is my data used to train AI models?

No. Your data, including any source code, is never used to train or fine-tune any AI model, and each customer's data is kept isolated from every other customer's. The Intruder Trust Centre has the full breakdown of what's sent where.

Does an AI Full Pentest expire, and can I re-run it?

An AI Full Pentest is a one-off engagement that produces a single report. You can't re-run it, extend it, or change the target after it launches without buying another. A purchased pentest must be used within 12 months.


Troubleshooting

Setup won't let me leave the Scope section.

  • Cause: A required field is missing — Environment, Entrypoint URL, or App name.

    • Fix: Fill in all three before continuing. (These are the only fields Scope checks; App overview is optional.)

  • Cause: A pentest is already running on the target you selected.

    • Fix: Wait for it to complete, or choose a different entrypoint. You can't start a second pentest against a target that already has one in progress.

Setup won't let me leave the Source code section.

  • Cause: No repository is added, or a repository is missing its branch.

    • Fix: Add at least one repository and select a branch for it. Source code is required for an AI Full Pentest.

My pentest failed a preflight check.

  • Cause: "Source code check failed" — the scanner couldn't access your repository.

    • Fix: Check the integration is still connected and the repo and branch still exist, then use the Contact us button on the error and we'll help you resolve it.

  • Cause: "Accounts check failed" — the scanner couldn't log in with one of the accounts you supplied.

    • Fix: Confirm the username, password, or API key are correct and still active, then use Contact us for help.

I didn't type https:// — will my Entrypoint URL still work?

  • Cause: You entered a URL without a scheme.

    • Fix: This is fine. If you leave off the scheme, https:// is added automatically, and surrounding spaces are trimmed. There's no need to strip trailing slashes.

I selected GitHub, added a repo, then switched to GitLab — my repo is gone.

  • Cause: Switching providers removes any repositories added under the previous provider (you're warned first).

    • Fix: Pick one provider and add every repository before switching. If you need to change provider, expect to re-add everything.

The GitHub or GitLab integration won't connect.

  • Cause: You're connecting a self-hosted GitLab (or similar) instance that sits behind a firewall or WAF, or is only reachable over a VPN.

    • Fix: A self-hosted instance behind a WAF needs our scanner IP ranges allowlisted, and may also need an additional address to be allowlisted — contact support and we'll work through it with you, case by case.

    • Instances that are only reachable over a VPN can't be supported.

  • Cause: Your Intruder user can't authorize integrations.

    • Fix: Ask an admin to connect it, or have them grant you the permission.

  • Cause: The OAuth flow was blocked by your browser.

    • Fix: Allow pop-ups for intruder.io and retry.

Payment failed at checkout.

  • Cause: The card was declined.

    • Fix: Update the card on file in Account settings > Billing and try again.

  • Cause: Your account is set up for invoicing but the invoice option isn't showing.

    • Fix: Contact support — the invoicing arrangement on your account may need enabling.

I want to change a setting after starting the pentest.

  • Cause: Configuration is locked once the pentest is submitted.

    • Fix: Cancel the pentest (as long as no report has been generated), then start a new one with the corrected settings. Canceling doesn't refund the original, and a pentest that produced a report still counts as billable, so you'll pay again for the corrected run.

Glossary

  • AI Full Pentest — An in-depth, code-assisted penetration test of a web application, run by an AI agent and paid for as a one-off. Distinct from AI Issue Validation.

  • AI Issue Validation — The credit-based feature (shown in the portal under Triage & investigation) that uses your monthly AI pentest credits to confirm individual issues, rather than testing a whole application.

  • Code-assisted penetration test — A test that combines review of the application's source code with live testing of the running app, so each finding is backed by real evidence and mapped to the exact code responsible.

  • AI pentesting agents — The autonomous system that runs the pentest: a pipeline of specialized agents that interpret your scope, source code, credentials, and context, test the target, and produce a report.

  • Preflight check — An automated check run before testing proceeds, confirming the agent can access your repository and log in with any supplied credentials.

  • Entrypoint URL — The URL the AI agent uses as its starting point when testing the app.

Did this answer your question?