Auditor

The graph-wide reasoning agent that decides what to attack

Role

The auditor is the brain of the pentest. Once recon has built the asset map, the auditor reads the entire graph at once and decides what is worth attacking.

This is the key difference from a traditional scanner. A scanner runs the same rules against every endpoint in isolation. The auditor reasons about your application as a whole — how assets connect, where trust boundaries sit, which paths are high-value — and produces a focused, prioritized plan.

Investigations

The auditor's output is a set of investigations. Each investigation is a concrete hypothesis about a weakness, paired with:

  • A hypothesis — what might be wrong and why (e.g. "/api/applications/:id resolves records by id but the dashboard only ever loads your own org — likely missing an ownership check")
  • A capability profile — the kind of testing required to confirm it (access control, injection, authentication, business logic, and so on)
  • A scope — the specific assets on the map the investigation targets

Investigations are how the auditor turns whole-graph understanding into precise, testable work for the prover.

Reasoning over the whole graph

Because it sees everything at once, the auditor can spot issues that per-endpoint scanning misses:

  • Cross-asset inconsistencies — An endpoint that expects authentication, reachable from a page that doesn't
  • High-value targets — Admin APIs, billing flows, and anything touching multi-tenant data
  • Platform-specific exposure — Weaknesses implied by the platforms recon detected (Supabase RLS, Firebase rules, and the like)
  • Promising entry points for chains — Assets that, if compromised, unlock deeper parts of the graph

The round loop

The auditor and prover work in a bounded loop rather than a single pass:

Emit

The auditor reads the asset map and emits its first round of investigations.

Prove

A prover runs each investigation and reports back what it confirmed or ruled out.

Chain

The auditor reviews confirmed findings, promotes the strongest follow-up leads, and emits new investigations that chain from what's now known — turning a confirmed SSRF into a hunt for what it can reach next.

The loop repeats for a bounded number of rounds, then closes so results can be consolidated and validated. This is what lets ModernPentest pursue multi-step attacks instead of stopping at the first finding.
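The two mechanisms described above, whole-graph rules that emit investigations (cross-asset inconsistencies, high-value targets) and the bounded emit/prove/chain loop, in a runnable form. This is an added illustration, not ModernPentest's own code: the asset map, the `Asset`/`Investigation` shapes, the `reaches` field, the graph rules and the prover's verdicts are all constructed stand-ins so the loop runs offline; a real prover and auditor would be model calls.

```python
"""Simulated auditor/prover round loop over a small constructed asset map.

Added illustration, not ModernPentest's code: the asset map, the auditor's
graph rules and the prover's verdicts are stand-ins so it runs offline.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Asset:
    name: str
    kind: str             # "page" or "endpoint"
    requires_auth: bool   # what the client-side map suggests, not what is enforced
    reaches: tuple = ()   # assets this one links to or calls (assumed field)


@dataclass(frozen=True)
class Investigation:
    hypothesis: str
    capability: str       # capability profile, e.g. "access-control"
    scope: tuple          # asset names the investigation targets
    round_no: int


# Constructed stand-in for recon's asset map.
ASSET_MAP = {
    "/login": Asset("/login", "page", False, ("/api/applications/:id",)),
    "/dashboard": Asset("/dashboard", "page", True,
                        ("/api/applications/:id", "/api/export")),
    "/api/applications/:id": Asset("/api/applications/:id", "endpoint", True,
                                   ("/api/internal/metrics",)),
    "/api/export": Asset("/api/export", "endpoint", True),
    "/api/internal/metrics": Asset("/api/internal/metrics", "endpoint", True,
                                   ("/api/internal/config",)),
    "/api/internal/config": Asset("/api/internal/config", "endpoint", True),
    "/api/admin/users": Asset("/api/admin/users", "endpoint", True),
}


def emit_initial(asset_map):
    """Round 1: whole-graph rules that a per-endpoint scan cannot express."""
    out = []
    # Cross-asset inconsistency: an auth-requiring endpoint reachable from
    # a page that needs no auth at all.
    for page in asset_map.values():
        if page.kind != "page" or page.requires_auth:
            continue
        for target in page.reaches:
            if asset_map[target].requires_auth:
                out.append(Investigation(
                    f"{target} expects auth but is reachable from unauthenticated "
                    f"{page.name}; verify the server enforces ownership/auth",
                    "access-control", (target,), 1))
    # High-value targets: admin APIs and billing flows get a look regardless.
    for asset in asset_map.values():
        if any(tag in asset.name for tag in ("admin", "billing")):
            out.append(Investigation(
                f"{asset.name} is high-value; verify authorisation is enforced",
                "access-control", (asset.name,), 1))
    return out


def chain(confirmed, asset_map, seen, round_no):
    """Chain step: follow-ups scoped to what confirmed findings can now reach."""
    out, queued = [], set()
    for inv in confirmed:
        for name in inv.scope:
            for nxt in asset_map[name].reaches:
                if nxt in seen or nxt in queued:
                    continue
                queued.add(nxt)
                out.append(Investigation(
                    f"{name} confirmed weak; {nxt} is reachable from it and may "
                    f"now be exposed",
                    inv.capability, (nxt,), round_no))
    return out


def run_rounds(asset_map, prover, max_rounds=3):
    """Bounded emit -> prove -> chain loop. Returns (confirmed, all, rounds_used)."""
    seen, confirmed, all_invs = set(), [], []
    pending, rounds_used = emit_initial(asset_map), 0
    for round_no in range(1, max_rounds + 1):
        if not pending:
            break
        rounds_used = round_no
        round_confirmed = []
        for inv in pending:
            if any(name in seen for name in inv.scope):
                continue            # already investigated; skip duplicate
            seen.update(inv.scope)
            all_invs.append(inv)
            if prover(inv):
                round_confirmed.append(inv)
        confirmed.extend(round_confirmed)
        pending = chain(round_confirmed, asset_map, seen, round_no + 1)
    return confirmed, all_invs, rounds_used


# Constructed prover verdicts; in the real system each is a prover run.
WEAK = {"/api/applications/:id", "/api/internal/metrics"}


def fake_prover(inv):
    return inv.scope[0] in WEAK


if __name__ == "__main__":
    confirmed, all_invs, rounds = run_rounds(ASSET_MAP, fake_prover)
    for inv in all_invs:
        mark = "CONFIRMED" if inv in confirmed else "ruled out"
        print(f"round {inv.round_no} [{inv.capability}] {inv.scope[0]}: {mark}")
    print(f"{len(confirmed)} confirmed in {rounds} rounds")
```

With the constructed map, round 1 emits two investigations (the `/login` to `/api/applications/:id` inconsistency and the admin API), the confirmed one chains to `/api/internal/metrics` in round 2 and on to `/api/internal/config` in round 3, and the loop then stops because the round budget is spent. Lowering `max_rounds` to 1 leaves the chain unexplored, which is the trade-off the bound buys: predictable cost in exchange for depth.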

The auditor runs on a high-capability reasoning model because whole-graph judgment is where the leverage is. Provers run a leaner, faster model — there are many of them, and each has a narrow, well-scoped job.

Last updated: June 11, 2026