Concepts
Key terminology and concepts used throughout ModernPentest
Understanding the key terms and concepts used in ModernPentest will help you get the most out of the platform.
Related Topics
- Web Application Testing - How we test websites and web applications
- API Testing - How we test REST APIs using OpenAPI specifications
- Vulnerability Detection - How we find and validate security vulnerabilities
- AI Agents Overview - Learn about our specialized security testing agents
- Continuous Monitoring - 24/7 automated security monitoring
How It Works
ModernPentest uses AI-powered agents to perform comprehensive security testing:
Discovery Phase
- Map endpoints and routes
- Identify technologies
- Understand authentication flows
- Build a testing plan
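The discovery step above is easiest to see with a concrete input. The following is an added example, not ModernPentest's own code: it walks an OpenAPI 3 document (the API surface is registered with an OpenAPI spec), lists every operation, decides whether each one requires authentication using the spec's precedence rule (an operation-level `security` list overrides the document-level one, and an explicit empty list means the operation is public), and flags path parameters that look like object identifiers as BOLA/IDOR candidates for the access-control tests. `SAMPLE_SPEC`, the test names and the `ID_PARAM` heuristic are assumptions made for the example.

```python
"""Discovery-phase example: turn an OpenAPI 3 document into a test plan.

Added example, not ModernPentest's own code. SAMPLE_SPEC and the test labels
below are constructed for illustration.
"""
import re

HTTP_METHODS = {"get", "put", "post", "patch", "delete", "head", "options", "trace"}
WRITE_METHODS = {"put", "post", "patch", "delete"}
# Heuristic: parameter names that address one object (id, userId, invoice_id, uuid).
ID_PARAM = re.compile(r"^(id|ID|uuid|[A-Za-z]+(Id|ID|_id|Uuid|UUID|_uuid))$")

SAMPLE_SPEC = {  # constructed; bearer auth required unless an operation opts out
    "openapi": "3.0.3",
    "security": [{"bearerAuth": []}],
    "paths": {
        "/auth/login": {"post": {"operationId": "login", "security": []}},
        "/users/{userId}": {
            "parameters": [{"name": "userId", "in": "path", "required": True}],
            "get": {"operationId": "getUser"},
            "delete": {"operationId": "deleteUser"},
        },
        # Public PDF download keyed by invoice ID: the classic BOLA exposure.
        "/invoices/{invoiceId}/pdf": {
            "get": {
                "operationId": "invoicePdf",
                "security": [],
                "parameters": [{"name": "invoiceId", "in": "path", "required": True}],
            }
        },
        "/health": {"get": {"operationId": "health", "security": []}},
    },
}


def requires_auth(spec: dict, operation: dict) -> bool:
    """OpenAPI precedence: an operation-level `security` list beats the root one."""
    requirements = operation.get("security", spec.get("security", []))
    # `[]` is public; `[{}]` (optional auth) is treated as public too, which is what an attacker sees.
    return any(req for req in requirements)


def build_plan(spec: dict) -> list:
    """Return one plan entry per (method, path) with the tests it qualifies for."""
    plan = []
    for path, item in spec.get("paths", {}).items():
        shared_params = item.get("parameters", [])  # path-level parameters apply to every method
        for method, op in item.items():
            if method not in HTTP_METHODS:
                continue  # skip "parameters", "summary" and other non-operation keys
            params = shared_params + op.get("parameters", [])
            path_params = [p["name"] for p in params if p.get("in") == "path"]
            id_params = [p for p in path_params if ID_PARAM.match(p)]
            auth = requires_auth(spec, op)
            tests = []
            if id_params:
                tests.append("bola")  # replay with another tenant's object ID
            if id_params and not auth:
                tests.append("unauthenticated-object-access")
            if auth:
                tests.append("missing-token")  # must answer 401, never data
            if not auth and method in WRITE_METHODS:
                tests.append("public-write-review")  # confirm it is intentionally public
            plan.append({
                "method": method.upper(),
                "path": path,
                "operation": op.get("operationId", f"{method} {path}"),
                "requires_auth": auth,
                "id_params": id_params,
                "tests": tests,
            })
    return plan


if __name__ == "__main__":
    for entry in build_plan(SAMPLE_SPEC):
        print(f'{entry["method"]:6} {entry["path"]:28} auth={entry["requires_auth"]!s:5} tests={entry["tests"]}')
```

Running it against the constructed spec produces five plan entries. The two `/users/{userId}` operations get `bola` and `missing-token`, the public invoice PDF gets `bola` and `unauthenticated-object-access`, the login route is marked for a public-write review, and `/health` gets nothing. A real discovery phase would merge this with crawled routes and observed traffic; the precedence rule for `security` is the part people most often get wrong when reading a spec by hand.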
Parallel Testing Phase
Multiple specialized agents test your application simultaneously:
- Access Control Agent — Tests authorization and access bypass
- Injection Agent — Tests for SQL injection, XSS, and command injection
- Auth Agent — Tests authentication and session management
- And more specialized agents...
Consolidation Phase
- Deduplicate findings
- Validate exploitability
- Enrich with context
- Prioritize by risk
Report Generation
- Prioritized vulnerability list
- Remediation guidance
- SOC 2-ready compliance reports
Application
An application represents a single product or service with a unified backend. In ModernPentest, you register one application per product—not separate entries for different interfaces or platforms.
Attack Surfaces
Applications expose functionality to users through attack surfaces. ModernPentest supports two surface types:
| Surface | Description | What We Test |
|---|---|---|
| Web | User-facing websites and web apps | OWASP Top 10, session management, authentication flows, client-side vulnerabilities |
| API | Programmatic REST/GraphQL endpoints | OWASP API Top 10, BOLA, injection, authorization bypass |
Most modern applications have both surfaces—a web dashboard and an API that share users, data, and business logic. Configure both to get complete coverage. You can also register web-only or API-only applications.
Examples
| Product Type | Surfaces | Configuration |
|---|---|---|
| SaaS with dashboard + public API | Web + API | Web URL + API URL with OpenAPI spec |
| Internal admin tool | Web only | Web URL with auth credentials |
| Developer platform (API-first) | API only | API URL with OpenAPI spec |
| Mobile app backend | API only | API URL (the mobile app hits this API) |
Automatic Platform Detection
You don't need to configure platform-specific settings. Our AI agents automatically detect technologies like:
- Supabase - RLS policies, storage buckets, edge functions
- Firebase - Firestore rules, RTDB permissions, storage rules
- Vercel/Next.js - Environment variables, API routes, middleware
- Convex - Database access, function permissions
If you add Supabase to your project next month, our agents will detect it and run platform-specific tests—no configuration changes needed.
See Adding Applications for setup details.
Application Settings
Each application has:
- Surfaces - Web and/or API configurations (editable anytime)
- Authentication - Test credentials for each surface
- Pentest configuration - Rate limits, exclusions, schedules
Vulnerability
A vulnerability is a security weakness that could be exploited by an attacker. We categorize vulnerabilities by severity and by type:
Severity Levels
| Level | Description | Example | Action |
|---|---|---|---|
| Critical | Immediate exploitation risk with severe impact | SQL injection in login form | Fix within hours |
| High | Serious security impact, readily exploitable | Stored XSS in user comments | Fix within 24-48 hours |
| Medium | Moderate risk, may require specific conditions | Missing rate limiting on API | Fix within 1-2 weeks |
| Low | Minor issues with limited impact | Verbose error messages | Fix when convenient |
| Info | Observations and recommendations | Missing security headers | Review and acknowledge |
Common Vulnerability Types
Injection Flaws
- SQL Injection - Attacker-controlled input reaching a database query
- Command Injection - Input reaching an OS shell or process execution
- XSS - Attacker-supplied script executing in other users' browsers
Access Control Issues
- IDOR - Reading or modifying another user's objects by supplying their identifier
- Privilege Escalation - Obtaining roles or actions beyond those granted to the account
- Missing Authorization - Endpoints reachable without any permission check
Authentication Problems
- Weak Sessions - Predictable, long-lived, or insecurely transmitted session tokens
- Credential Issues - Weak password policy or unsafe credential handling
- JWT Vulnerabilities - Unverified signatures, accepted `alg: none`, or missing expiry checks
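The access-control category is the one most easily confirmed by hand. Below is an added example (not ModernPentest's code) of the differential test behind an IDOR finding: a tiny in-memory invoice service stands in for the target, `vulnerable_get_invoice` looks an object up by ID only, `hardened_get_invoice` also checks ownership, and `cross_tenant_probe` requests IDs observed as one user while acting as another. The endpoint path `/api/invoices/{id}`, the user names, the `INVOICES` data and the severity assigned in `finding_for` are all assumptions made for the example.

```python
"""Access-control example: differential IDOR/BOLA test against two handlers.

Added example, not ModernPentest's own code. INVOICES, the users and the
endpoint name are constructed for illustration.
"""
from dataclasses import dataclass
from typing import Callable, Optional


@dataclass(frozen=True)
class Response:
    status: int
    body: Optional[dict] = None


# Constructed tenant data: two users, two invoices each.
INVOICES = {
    101: {"owner": "alice", "total": 120.0},
    102: {"owner": "alice", "total": 80.0},
    201: {"owner": "bob", "total": 45.5},
    202: {"owner": "bob", "total": 9.99},
}


def vulnerable_get_invoice(session_user: Optional[str], invoice_id: int) -> Response:
    """Authenticated but never authorized: any valid ID is served to any user."""
    if session_user is None:
        return Response(401)
    invoice = INVOICES.get(invoice_id)
    if invoice is None:
        return Response(404)
    return Response(200, {"id": invoice_id, **invoice})


def hardened_get_invoice(session_user: Optional[str], invoice_id: int) -> Response:
    """Ownership is part of the lookup; a foreign ID gets the same 404 as a
    missing one so the endpoint does not confirm which IDs exist."""
    if session_user is None:
        return Response(401)
    invoice = INVOICES.get(invoice_id)
    if invoice is None or invoice["owner"] != session_user:
        return Response(404)
    return Response(200, {"id": invoice_id, **invoice})


Handler = Callable[[Optional[str], int], Response]


def cross_tenant_probe(handler: Handler, victim: str, attacker: str, victim_ids: list) -> list:
    """Return the victim's IDs that the attacker can read verbatim.

    Comparing the attacker's body with the victim's own response avoids
    counting endpoints that answer 200 with an empty or placeholder body.
    """
    leaked = []
    for object_id in victim_ids:
        baseline = handler(victim, object_id)
        probe = handler(attacker, object_id)
        if baseline.status == 200 and probe.status == 200 and probe.body == baseline.body:
            leaked.append(object_id)
    return leaked


def unauthenticated_probe(handler: Handler, object_ids: list) -> list:
    """Return IDs served with no session at all (a missing-authorization finding)."""
    return [oid for oid in object_ids if handler(None, oid).status == 200]


def finding_for(leaked: list, endpoint: str = "/api/invoices/{id}") -> Optional[dict]:
    """Shape a positive result the way a finding is recorded: title, severity,
    evidence and a reference. The severity here is an example choice."""
    if not leaked:
        return None
    return {
        "title": f"IDOR in {endpoint}",
        "severity": "High",
        "evidence": {"leaked_ids": leaked},
        "references": ["CWE-639"],
    }


if __name__ == "__main__":
    for name, handler in (("vulnerable", vulnerable_get_invoice), ("hardened", hardened_get_invoice)):
        leaked = cross_tenant_probe(handler, "alice", "bob", [101, 102])
        print(name, "leaked:", leaked, "finding:", finding_for(leaked))
```

Against the vulnerable handler the probe reports both of alice's invoices as readable by bob; against the hardened one it reports nothing, and bob sees a 404 rather than a 403 for alice's IDs. Note the baseline comparison: an endpoint that returns 200 with a generic body for unknown IDs would otherwise show up as a false positive.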
Vulnerability Status
Vulnerabilities move through these statuses as you address them:
| Status | Meaning |
|---|---|
| Open | New vulnerability, not yet addressed |
| In Remediation | Being worked on |
| Remediated | Fix has been applied, pending verification |
| Fixed | Fix confirmed via rescan |
| Risk Accepted | Risk acknowledged, won't fix |
| False Positive | Not a real vulnerability |
Pentest (Penetration Test)
A pentest is a security assessment where we actively test your application for vulnerabilities. Unlike a passive scan, which only reports suspected weaknesses, a pentest attempts to exploit them to confirm they are real, as an attacker would.
Our Approach
ModernPentest performs automated penetration testing using AI agents:
- Reconnaissance - Understanding your application
- Testing - Actively probing for vulnerabilities
- Validation - Confirming findings are real
- Reporting - Documenting results with remediation guidance
Finding
A finding is a single discovered vulnerability or security issue. Each finding includes:
- Title - Brief description (e.g., "SQL Injection in /api/users")
- Severity - Risk level (Critical, High, Medium, Low, Info)
- Location - Where it exists (URL, parameter, code location)
- Evidence - Proof the vulnerability exists
- Remediation - How to fix it
- References - CWE, OWASP, and external documentation
Report
A report is a document summarizing pentest results. ModernPentest generates several report types:
Pentest Report
Comprehensive technical report including:
- Executive summary
- All findings with details
- Remediation guidance
- Evidence and proof-of-concept
- Risk scoring
See Understanding Results for more details.
SOC 2 Report
Auditor-ready compliance documentation including:
- Testing methodology
- Trust Services Criteria mapping (CC4.1, CC7.1)
- Vulnerability findings
- Remediation status
- Testing timeline
See SOC 2 Reports for more details.
Agent
An agent is an AI-powered specialist that performs specific security tests. Rather than running generic scans, agents understand the context of your application and test intelligently.
Agent Types
| Agent | Focus Area | What It Tests |
|---|---|---|
| Recon Agent | Discovery | Endpoints, technologies, auth flows |
| Access Control Agent | Authorization | IDOR, privilege escalation, access bypass |
| Injection Agent | Input validation | SQL injection, XSS, command injection |
| Auth Agent | Authentication | JWT security, session management |
| Platform Agents | Auto-detected platforms | Supabase RLS, Firebase rules, Vercel configs, Convex permissions |
Learn more in AI Agents.
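As an added illustration of what the Auth Agent's JWT checks look for (this is example code, not ModernPentest's agent), the block below implements just enough HS256 to mint a token, forges an unsigned `alg: none` token carrying an elevated role, and contrasts a verifier that trusts the algorithm named in the token header with one that pins HS256, verifies before reading claims, and enforces `exp`. The key, the claims and the function names are assumptions made for the example.

```python
"""Authentication example: JWT `alg: none` acceptance and its fix.

Added example, not ModernPentest's own code. Keys and claims are constructed.
"""
import base64
import hashlib
import hmac
import json
import time
from typing import Optional


def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(segment: str) -> bytes:
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def _encode_json(obj: dict) -> str:
    return b64url_encode(json.dumps(obj, separators=(",", ":")).encode())


def sign_hs256(claims: dict, key: bytes) -> str:
    signing_input = _encode_json({"alg": "HS256", "typ": "JWT"}) + "." + _encode_json(claims)
    tag = hmac.new(key, signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + b64url_encode(tag)


def forge_alg_none(claims: dict) -> str:
    """What the test sends: header says `none`, payload is attacker-chosen, signature empty."""
    return _encode_json({"alg": "none", "typ": "JWT"}) + "." + _encode_json(claims) + "."


def vulnerable_verify(token: str, key: bytes) -> Optional[dict]:
    """Lets the token choose its own algorithm, so `none` skips the signature check."""
    header_b64, payload_b64, sig_b64 = token.split(".")
    header = json.loads(b64url_decode(header_b64))
    if header.get("alg") == "none":
        return json.loads(b64url_decode(payload_b64))
    if header.get("alg") == "HS256":
        expected = hmac.new(key, f"{header_b64}.{payload_b64}".encode("ascii"), hashlib.sha256).digest()
        if hmac.compare_digest(expected, b64url_decode(sig_b64)):
            return json.loads(b64url_decode(payload_b64))
    return None


def hardened_verify(token: str, key: bytes, now: Optional[float] = None) -> Optional[dict]:
    """Pin the algorithm server-side, verify first, then check expiry."""
    parts = token.split(".")
    if len(parts) != 3:
        return None
    header_b64, payload_b64, sig_b64 = parts
    try:
        header = json.loads(b64url_decode(header_b64))
        if not isinstance(header, dict) or header.get("alg") != "HS256":
            return None  # `none` or any unexpected algorithm is rejected before any other work
        expected = hmac.new(key, f"{header_b64}.{payload_b64}".encode("ascii"), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, b64url_decode(sig_b64)):
            return None
        claims = json.loads(b64url_decode(payload_b64))
    except ValueError:  # bad base64 or bad JSON
        return None
    if not isinstance(claims, dict):
        return None
    now = time.time() if now is None else now
    if not isinstance(claims.get("exp"), (int, float)) or claims["exp"] <= now:
        return None  # a token without `exp` is treated as invalid, not as eternal
    return claims


if __name__ == "__main__":
    key = b"constructed-test-key"
    forged = forge_alg_none({"sub": "alice", "role": "admin", "exp": 2000000000})
    print("vulnerable accepts forged token:", vulnerable_verify(forged, key))
    print("hardened accepts forged token:  ", hardened_verify(forged, key))
```

The forged token contains no signature, yet `vulnerable_verify` returns its `admin` claim because the header told it not to check one. `hardened_verify` refuses it, refuses a validly signed token once `exp` has passed, and refuses a token signed under a different key. The same shape of test (take a real token, rewrite the header or payload, resubmit) is how signature handling is exercised on a live target.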
Pentest Execution
In the platform, a pentest is also a single execution of the testing pipeline: when you click "Start Pentest", one pentest begins. Each pentest:
- Has a unique ID for tracking
- Records all agent activity
- Produces findings
- Can be stopped or rerun
Pentest States
| State | Description |
|---|---|
| Queued | Waiting to start |
| Running | Actively testing |
| Completed | Finished successfully |
| Failed | Encountered an error |
| Cancelled | Manually stopped |
Organization
An organization is your team workspace in ModernPentest. Organizations:
- Group related applications
- Share team members and permissions
- Have unified billing
- Provide organization-wide reporting
Team members can have different roles:
- Admin - Manage applications and team
- Member - Run pentests, view results
Let us know at support@modernpentest.com if you need more fine-grained roles in your organization.
Last updated: December 7, 2025