Concepts
Key terminology and concepts used throughout ModernPentest
How It Works
Every pentest is built on your asset map — a live graph of your application. AI agents build that graph, reason over it, and attack it:
Reconnaissance
The recon agent crawls your application and builds an asset map — every page, endpoint, service, and the relationships between them.
Auditing
The auditor reads the whole graph at once and decides what's worth attacking, emitting prioritized investigations.
Proving
A prover confirms or denies each investigation by actively exploiting it — capturing a reproducible proof of concept and chaining deeper from what it confirms.
Validation & Reporting
Findings are deduplicated, critiqued for false positives, prioritized by real risk, and compiled into a report with remediation guidance and SOC 2 mapping.
Application
An application represents a single product or service with a unified backend. In ModernPentest, you register one application per product—not separate entries for different interfaces or platforms.
Attack Surfaces
Applications expose functionality to users through attack surfaces. ModernPentest supports two surface types:
| Surface | Description | What We Test |
|---|---|---|
| Web | User-facing websites and web apps | OWASP Top 10, session management, authentication flows, client-side vulnerabilities |
| API | Programmatic REST/GraphQL endpoints | OWASP API Top 10, BOLA, injection, authorization bypass |
Most modern applications have both surfaces—a web dashboard and an API that share users, data, and business logic. Configure both to get complete coverage. You can also register web-only or API-only applications.
Examples
| Product Type | Surfaces | Configuration |
|---|---|---|
| SaaS with dashboard + public API | Web + API | Web URL + API URL with OpenAPI spec |
| Internal admin tool | Web only | Web URL with auth credentials |
| Developer platform (API-first) | API only | API URL with OpenAPI spec |
| Mobile app backend | API only | API URL (the mobile app hits this API) |
Automatic Platform Detection
You don't need to configure platform-specific settings. Our AI agents automatically detect technologies like:
- Supabase - RLS policies, storage buckets, edge functions
- Firebase - Firestore rules, RTDB permissions, storage rules
- Vercel/Next.js - Environment variables, API routes, middleware
- Convex - Database access, function permissions
If you add Supabase to your project next month, our agents will detect it and run platform-specific tests—no configuration changes needed.
See Adding Applications for setup details.
Application Settings
Each application has:
- Surfaces - Web and/or API configurations (editable anytime)
- Authentication - Test credentials for each surface
- Pentest configuration - Rate limits, exclusions, schedules
Vulnerability
A vulnerability is a security weakness that an attacker could exploit. We categorize vulnerabilities by severity and by type:
Severity Levels
| Level | Description | Example | Action |
|---|---|---|---|
| Critical | Immediate exploitation risk with severe impact | SQL injection in login form | Fix within hours |
| High | Serious security impact, readily exploitable | Stored XSS in user comments | Fix within 24-48 hours |
| Medium | Moderate risk, may require specific conditions | Missing rate limiting on API | Fix within 1-2 weeks |
| Low | Minor issues with limited impact | Verbose error messages | Fix when convenient |
| Info | Observations and recommendations | Missing security headers | Review and acknowledge |
Common Vulnerability Types
Injection Flaws
- SQL Injection - Malicious SQL queries
- Command Injection - OS command execution
- XSS - Cross-site scripting attacks
Access Control Issues
- IDOR - Accessing other users' data
- Privilege Escalation - Gaining unauthorized access levels
- Missing Authorization - Unprotected endpoints
Authentication Problems
- Weak Sessions - Predictable or insecure session tokens
- Credential Issues - Password policy weaknesses
- JWT Vulnerabilities - Token security problems
Vulnerability Status
Vulnerabilities move through these statuses as you address them:
| Status | Meaning |
|---|---|
| Open | New vulnerability, not yet addressed |
| In Remediation | Being worked on |
| Remediated | Fix has been applied, pending verification |
| Fixed | Fix confirmed via rescan |
| Risk Accepted | Risk acknowledged, won't fix |
| False Positive | Not a real vulnerability |
Pentest (Penetration Test)
A pentest is a security assessment where we actively test your application for vulnerabilities. Unlike passive security scans, pentests attempt to exploit weaknesses just like a real attacker would.
Our Approach
ModernPentest performs automated penetration testing using AI agents:
- Reconnaissance - Mapping your application into an asset graph
- Auditing - Reasoning over the graph to decide what to attack
- Proving - Confirming findings by actively exploiting them
- Reporting - Documenting validated results with remediation guidance
Finding
A finding is a single discovered vulnerability or security issue. Each finding includes:
- Title - Brief description (e.g., "SQL Injection in /api/users")
- Severity - Risk level (Critical, High, Medium, Low, Info)
- Location - Where it exists (URL, parameter, code location)
- Evidence - Proof the vulnerability exists
- Remediation - How to fix it
- References - CWE, OWASP, and external documentation
Report
A report is a document summarizing pentest results. ModernPentest generates several report types:
Pentest Report
Comprehensive technical report including:
- Executive summary
- All findings with details
- Remediation guidance
- Evidence and proof-of-concept
- Risk scoring
See Understanding Results for more details.
SOC 2 Report
Auditor-ready compliance documentation including:
- Testing methodology
- Trust Services Criteria mapping (CC4.1, CC7.1)
- Vulnerability findings
- Remediation status
- Testing timeline
See SOC 2 Reports for more details.
Agent
An agent is an AI-powered specialist that performs specific security tests. Rather than running generic scans, agents understand the context of your application and test intelligently.
Agent Types
| Agent | Role | What It Does |
|---|---|---|
| Reconnaissance | Discovery | Builds the asset map — pages, endpoints, services, technologies, auth flows |
| Auditor | Reasoning | Reads the whole graph and emits prioritized investigations |
| Prover | Exploitation | Confirms or denies each investigation by actively exploiting it |
| Validation | Critic | Filters false positives, finalizes severity, verifies remediation |
Platform-specific weaknesses (Supabase RLS, Firebase rules, and so on) aren't a separate agent — recon detects the platform and tags the asset, and the auditor targets it. Learn more in AI Agents.
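To make the recon, audit and platform-tagging steps concrete, here is a small Python sketch of the flow described under How It Works, Automatic Platform Detection and the Agent Types table above. It is an added example, not ModernPentest's implementation: the asset graph, the OpenAPI fragment, the `*.supabase.co` hostname heuristic, the `PUBLIC_PATHS` allow-list and the three auditor rules are all constructed for illustration. Recon turns an OpenAPI document into endpoint assets linked to the backend service and tags the service if it looks like a Supabase project; the auditor then reads the whole graph and emits prioritized investigations for a prover to confirm.

```python
"""Toy asset graph + auditor (hypothetical code, not ModernPentest's own)."""
from __future__ import annotations

from dataclasses import dataclass, field
from typing import Any


@dataclass
class Asset:
    kind: str                                   # "endpoint" or "service"
    name: str                                   # unique id, e.g. "GET /api/users/{id}"
    tags: set[str] = field(default_factory=set)
    attrs: dict[str, Any] = field(default_factory=dict)


@dataclass
class Investigation:
    asset: str
    hypothesis: str
    priority: int                               # 1 = attack first


class AssetGraph:
    """Nodes are assets; edges are (src, relation, dst) triples."""

    def __init__(self) -> None:
        self.assets: dict[str, Asset] = {}
        self.edges: list[tuple[str, str, str]] = []

    def add(self, asset: Asset) -> Asset:
        self.assets[asset.name] = asset
        return asset

    def link(self, src: str, relation: str, dst: str) -> None:
        self.edges.append((src, relation, dst))


# Constructed OpenAPI fragment: bearer auth required globally, two
# operations explicitly opt out with an empty security requirement.
SAMPLE_SPEC: dict[str, Any] = {
    "openapi": "3.0.0",
    "security": [{"bearerAuth": []}],
    "paths": {
        "/api/users/{id}": {"get": {"parameters": [{"name": "id", "in": "path", "required": True}]}},
        "/api/admin/export": {"get": {"security": []}},
        "/api/health": {"get": {"security": []}},
    },
}

# Constructed allow-list of paths that are legitimately unauthenticated.
PUBLIC_PATHS = {"/api/health"}


def recon_from_openapi(spec: dict[str, Any], backend_host: str) -> AssetGraph:
    """Recon: build endpoint assets from the spec and link them to the backend service."""
    graph = AssetGraph()
    service = graph.add(Asset("service", backend_host, attrs={"host": backend_host}))
    # Simplified platform detection (assumption): Supabase projects are hosted under *.supabase.co.
    if backend_host.endswith(".supabase.co"):
        service.tags.add("supabase")
    global_auth = bool(spec.get("security"))
    for path, ops in spec.get("paths", {}).items():
        for method, op in ops.items():
            # An operation-level "security" overrides the document default; [] means no auth.
            requires_auth = bool(op["security"]) if "security" in op else global_auth
            endpoint = graph.add(Asset("endpoint", f"{method.upper()} {path}", attrs={
                "path": path,
                "requires_auth": requires_auth,
                "path_params": [p["name"] for p in op.get("parameters", []) if p.get("in") == "path"],
            }))
            graph.link(endpoint.name, "served_by", service.name)
    return graph


def audit(graph: AssetGraph) -> list[Investigation]:
    """Auditor: read the whole graph and emit prioritized investigations (three toy rules)."""
    found: list[Investigation] = []
    for asset in graph.assets.values():
        if asset.kind == "endpoint":
            if asset.attrs["requires_auth"] and asset.attrs["path_params"]:
                found.append(Investigation(asset.name, "BOLA/IDOR: replace the path parameter with another user's id", 1))
            if not asset.attrs["requires_auth"] and asset.attrs["path"] not in PUBLIC_PATHS:
                found.append(Investigation(asset.name, "Missing authorization: operation declares no security requirement", 1))
        elif asset.kind == "service" and "supabase" in asset.tags:
            routed = sum(1 for _, rel, dst in graph.edges if rel == "served_by" and dst == asset.name)
            found.append(Investigation(asset.name, f"Supabase RLS: {routed} endpoints route here; query tables directly with the anon key", 2))
    return sorted(found, key=lambda inv: (inv.priority, inv.asset))


def run_demo() -> list[Investigation]:
    """Recon + audit over the constructed spec against a constructed Supabase-hosted backend."""
    return audit(recon_from_openapi(SAMPLE_SPEC, "xyzproject.supabase.co"))


if __name__ == "__main__":
    for inv in run_demo():
        print(f"P{inv.priority} {inv.asset}: {inv.hypothesis}")
```

The point of the graph is that the auditor never looks at one request in isolation: the Supabase tag lives on the service node, yet the rule that fires on it can count the endpoints routed to that service through the `served_by` edges, which is the kind of cross-asset reasoning a prover then chains from. In a real pipeline the platform tag would come from observed responses rather than a hostname suffix, and the prover, not the auditor, decides whether each hypothesis is true.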
Pentest Execution
A pentest is a single execution of the testing pipeline. When you click "Start Pentest", a pentest begins. Each pentest:
- Has a unique ID for tracking
- Records all agent activity
- Produces findings
- Can be stopped or rerun
Pentest States
| State | Description |
|---|---|
| Queued | Waiting to start |
| Running | Actively testing |
| Completed | Finished successfully |
| Failed | Encountered an error |
| Cancelled | Manually stopped |
Organization
An organization is your team workspace in ModernPentest. Organizations:
- Group related applications
- Share team members and permissions
- Have unified billing
- Provide organization-wide reporting
Team members can have different roles:
- Admin - Manage applications and team
- Member - Run pentests, view results
Let us know at support@modernpentest.com if you need more fine-grained roles in your organization.
Last updated: June 14, 2026