Asset Map
The asset graph every pentest is built on — how ModernPentest maps your application and reasons over it
What is the asset map?
The asset map is the foundation of every pentest. Before any testing happens, ModernPentest builds a live graph of your application — every page, API endpoint, backend service, auth provider, third-party integration, and data store it can reach, plus the relationships between them.
Everything that follows reasons over this graph. Instead of running a fixed checklist against one URL at a time, our AI auditor sees the whole map at once — how your sign-in flow connects to your dashboard, which API an authenticated page calls, where that API stores data — and decides what is actually worth attacking.
The full topology after recon — every asset and how it connects. Color shows test coverage and findings.
The map above is interactive sample data. Toggle between Surface, Live scan, and Attack path to see the three ways you'll view your own asset map. Scroll to zoom, drag to pan, and click a node for its details.
Why a graph?
Most real-world vulnerabilities live in the connections between components, not in any single request. A graph lets us:
- Reason with context — An endpoint that returns user data is only interesting once we know which page calls it, what authentication it expects, and which database it reads. The graph makes those relationships explicit.
- Chain findings — A confirmed SSRF on one node becomes the starting point for reaching an internal service two hops away. The map is what makes that pivot visible.
- Measure coverage honestly — Because every asset is a node, we can show exactly what was tested, what is in progress, and what we couldn't reach — instead of an opaque "scan complete."
- Track change over time — Re-running recon diffs the new graph against the old one, so you see what appeared, what went away, and what's newly exposed.
Nodes: your assets
Each node is a discovered asset. The layout reads left to right by discovery depth — the public internet on the left, flowing inward through pages and auth to APIs, backends, and data stores.
| Kind | What it represents |
|---|---|
| Domain | A registered domain or host |
| Page | An HTML page or route in your web app |
| API Endpoint | A REST/GraphQL endpoint, with its HTTP methods |
| Backend | An application server or serverless backend |
| Auth Provider | An identity provider (Clerk, Auth0, Cognito…) |
| Third-Party Service | A SaaS dependency (Stripe, SendGrid…) |
| Cloud Resource | A cloud resource (bucket, queue, runner…) |
| Database | A data store or table |
| Static Asset | A file server or well-known/static asset |
Every node also carries the signal the auditor needs: the authentication it expects (public, authenticated, admin, or signed), the technology recon fingerprinted, and a running vulnerability count by severity.
Edges: relationships
Edges are the traversals recon discovered between assets. The relationship type is what lets the auditor reason about data flow and trust boundaries.
| Relationship | Meaning |
|---|---|
| Links to | A page links or navigates to another page |
| Calls API | A page or service calls an API endpoint |
| Uses backend | An endpoint depends on a backend service |
| Authenticates via | A surface authenticates through a provider |
| Stores in / Reads from / Writes to | Data flow to and from a store |
| Depends on | A generic structural dependency |
| Redirects to / Embeds / Propagates state | Redirects, embedded content, session/cookie flow |
Test status & coverage
Every node shows where it stands in the current pentest:
| Status | Meaning |
|---|---|
| Untested | Discovered by recon, not yet probed |
| In progress | An agent is actively testing it now |
| Tested | Testing finished against this node |
Tested nodes also carry a coverage percentage — the share of in-scope probes that actually ran against that asset — so "tested" never hides a half-finished job.
Discovery blockers
Sometimes recon reaches a node but can't go further — a login wall, a CAPTCHA, a rate limit. Rather than silently dropping that branch, the map flags it with a discovery blocker so you know precisely where coverage stopped and why.
| Blocker | Typical cause |
|---|---|
| No credentials / Auth failed | Missing or rejected test credentials |
| MFA required | A second factor is gating the flow |
| CAPTCHA | A human-challenge wall |
| Rate limited | The target throttled the crawl (HTTP 429) |
| JS required | Content requires JavaScript that recon couldn't execute |
| Network error | DNS, TLS, or connectivity failure |
Each blocker is tagged with who can clear it. Most are actionable by you (supply credentials, allow-list our scanner, relax a challenge) and come with a resolution hint. A few are flagged as platform issues that our team is already alerted to. See WAF Bypass Configuration for the most common fix.
The live lens
While a pentest runs, switch the map to its live lens (the Live scan toggle in the demo above) to watch testing happen in real time:
- Agent avatars sit on the nodes each agent is working on. They show three states — scheduled (queued), testing (active, pulsing), and completed.
- Newly discovered assets flash as recon surfaces them, so the graph visibly grows.
- Findings pulse on their node the moment a prover confirms one, tinted by severity.
- An activity rail streams the distilled events — discoveries, findings, status changes — without drowning you in raw tool calls.
Attack paths
For each confirmed vulnerability, ModernPentest extracts an attack path — the chain through your asset map an attacker would walk, from entry point to impact, told as a story. A synthetic attacker node anchors the left side; each step is a real asset on your map, annotated with the technique used. It turns "BOLA on /api/applications" into a concrete narrative your team can follow and reproduce.
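The graph reasoning described in "Why a graph?", the node and edge tables, and the attack-path extraction above, as an added example that is not ModernPentest's own code. It builds a small constructed topology with the node kinds and relationship types from the tables, answers the "reason with context" question for one endpoint (who calls it, what auth it expects, which stores sit behind it), and extracts an attack path by walking from a synthetic attacker node, through every public Domain, to the asset where a finding was confirmed and onward to the impact asset. The asset names, the ranking of auth levels (treating "signed" as equivalent to "authenticated"), and the choice of breadth-first search for the chain are all assumptions; the "BOLA on /api/applications" finding is the page's own illustration.

```python
from collections import deque
from dataclasses import dataclass, field

# Assumed ranking of the auth levels a node can expect ("signed" ~ "authenticated").
AUTH_RANK = {"public": 0, "authenticated": 1, "signed": 1, "admin": 2}


@dataclass
class Asset:
    id: str
    kind: str             # Domain, Page, API Endpoint, Backend, Database, ...
    auth: str = "public"  # authentication the asset expects


@dataclass
class AssetGraph:
    nodes: dict = field(default_factory=dict)
    edges: list = field(default_factory=list)  # (source, relationship, target)

    def add(self, *assets):
        for asset in assets:
            self.nodes[asset.id] = asset
        return self

    def link(self, src, rel, dst):
        if src not in self.nodes or dst not in self.nodes:
            raise KeyError(f"edge references unknown asset: {src!r} -> {dst!r}")
        self.edges.append((src, rel, dst))
        return self

    def out(self, node_id):
        return [(rel, dst) for src, rel, dst in self.edges if src == node_id]

    def inbound(self, node_id):
        return [(src, rel) for src, rel, dst in self.edges if dst == node_id]


def endpoint_context(graph, endpoint_id):
    """Who calls the endpoint, what auth it expects, and which stores sit behind it."""
    callers = [src for src, rel in graph.inbound(endpoint_id) if rel == "Calls API"]
    backends = [dst for rel, dst in graph.out(endpoint_id) if rel == "Uses backend"]
    stores = []
    for backend in backends:
        for rel, dst in graph.out(backend):
            if rel in ("Reads from", "Writes to", "Stores in") and dst not in stores:
                stores.append(dst)
    return {"auth": graph.nodes[endpoint_id].auth, "called_by": callers,
            "backends": backends, "stores": stores}


def _shortest(graph, starts, goal):
    """BFS along edge direction; returns [(asset, relationship used to reach it)] or []."""
    prev = {s: None for s in starts}
    queue = deque(starts)
    while queue:
        cur = queue.popleft()
        if cur == goal:
            break
        for rel, nxt in graph.out(cur):
            if nxt not in prev:
                prev[nxt] = (cur, rel)
                queue.append(nxt)
    if goal not in prev:
        return []
    steps, cur = [], goal
    while prev[cur] is not None:
        src, rel = prev[cur]
        steps.append((cur, rel))
        cur = src
    steps.append((cur, "Entry point"))
    return list(reversed(steps))


def attack_path(graph, finding_asset, impact_asset, technique):
    """Synthetic attacker -> public Domains -> asset with the finding -> impact asset."""
    entries = [a.id for a in graph.nodes.values() if a.kind == "Domain" and a.auth == "public"]
    to_finding = _shortest(graph, entries, finding_asset)
    to_impact = _shortest(graph, [finding_asset], impact_asset)
    if not to_finding or not to_impact:
        return []  # the impact is not reachable from the finding (or the finding from outside)
    path = [{"asset": a, "via": rel, "technique": None} for a, rel in to_finding]
    path[-1]["technique"] = technique
    path += [{"asset": a, "via": rel, "technique": None} for a, rel in to_impact[1:]]
    return path


def trust_boundaries(graph, path):
    """Steps on the path where the required auth level rises above what came before."""
    crossings, level = [], "public"
    for step in path:
        need = graph.nodes[step["asset"]].auth
        if AUTH_RANK[need] > AUTH_RANK[level]:
            crossings.append((step["asset"], level, need))
            level = need
    return crossings


def sample_graph():
    """Constructed sample topology (not a real application)."""
    g = AssetGraph().add(
        Asset("app.example.test", "Domain"), Asset("/login", "Page"),
        Asset("/admin", "Page", "admin"), Asset("/dashboard", "Page", "authenticated"),
        Asset("/api/applications", "API Endpoint", "authenticated"),
        Asset("/api/admin/users", "API Endpoint", "admin"),
        Asset("api-server", "Backend", "signed"), Asset("applications-db", "Database", "signed"),
        Asset("uploads-bucket", "Cloud Resource", "signed"), Asset("idp", "Auth Provider"))
    g.link("app.example.test", "Links to", "/login").link("app.example.test", "Links to", "/admin")
    g.link("/login", "Authenticates via", "idp").link("/login", "Redirects to", "/dashboard")
    g.link("/dashboard", "Calls API", "/api/applications")
    g.link("/api/applications", "Uses backend", "api-server")
    g.link("/admin", "Calls API", "/api/admin/users").link("/api/admin/users", "Uses backend", "api-server")
    g.link("api-server", "Reads from", "applications-db").link("api-server", "Writes to", "applications-db")
    return g.link("api-server", "Stores in", "uploads-bucket")
```

Calling `attack_path(sample_graph(), "/api/applications", "applications-db", "BOLA")` yields the six-step chain Domain, `/login`, `/dashboard`, `/api/applications` (technique BOLA), `api-server`, `applications-db`, and `trust_boundaries` reports the single crossing at `/dashboard` where an attacker first needs authenticated credentials. The second BFS leg is what makes the path follow the finding rather than the globally shortest route: the admin branch reaches `api-server` in fewer hops, but the narrative must pass through the asset where the vulnerability was actually confirmed.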
Asset lifecycle
Because the map persists across scans, each node carries a lifecycle status:
| Status | Meaning |
|---|---|
| Active | Seen in the most recent recon |
| Stale | Missing from the latest scan (dimmed) |
| Retired | Absent across several scans (hidden by default) |
This is what powers change alerting — a new admin endpoint or a freshly exposed service stands out instead of getting lost in the noise.
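The lifecycle statuses and the change alerting they power, as an added example that is not ModernPentest's own code. Each recon run is modelled as a constructed mapping of asset id to the auth level recon observed; a history is a list of such runs, oldest first. `lifecycle` assigns Active, Stale or Retired to every asset ever seen, and `diff_scans` / `change_alerts` compute what appeared, what went away and what is newly exposed between two runs. The retirement threshold of three consecutive misses is an assumption (the page only says "several scans"), as is reading "newly exposed" as an asset whose required auth level dropped between runs.

```python
# Assumed ranking of auth levels, used to detect an asset whose auth got weaker.
AUTH_RANK = {"public": 0, "authenticated": 1, "signed": 1, "admin": 2}

# Assumption: "absent across several scans" is taken to mean three consecutive misses.
RETIRE_AFTER_MISSES = 3


def lifecycle(history, retire_after=RETIRE_AFTER_MISSES):
    """Map every asset ever seen to Active, Stale or Retired (history is oldest first)."""
    latest = history[-1]
    statuses = {}
    for asset in set().union(*history):
        if asset in latest:
            statuses[asset] = "Active"
            continue
        misses = 0  # count scans since the asset was last seen, newest first
        for scan in reversed(history):
            if asset in scan:
                break
            misses += 1
        statuses[asset] = "Retired" if misses >= retire_after else "Stale"
    return statuses


def diff_scans(previous, latest):
    """What appeared, what went away, and what is newly exposed (auth level lowered)."""
    both = set(previous) & set(latest)
    return {
        "appeared": sorted(set(latest) - set(previous)),
        "went_away": sorted(set(previous) - set(latest)),
        "newly_exposed": sorted(a for a in both
                                if AUTH_RANK[latest[a]] < AUTH_RANK[previous[a]]),
    }


def change_alerts(previous, latest):
    """Alerts ordered so new admin surface and relaxed auth come before routine churn."""
    delta = diff_scans(previous, latest)
    alerts = []
    for asset in delta["appeared"]:
        level = "high" if latest[asset] == "admin" else "info"
        alerts.append((level, f"new {latest[asset]} asset appeared: {asset}"))
    for asset in delta["newly_exposed"]:
        alerts.append(("high", f"auth relaxed on {asset}: {previous[asset]} -> {latest[asset]}"))
    for asset in delta["went_away"]:
        alerts.append(("info", f"asset no longer seen: {asset}"))
    return sorted(alerts, key=lambda a: 0 if a[0] == "high" else 1)  # stable sort


# Constructed history of four recon runs (not output from a real scan).
SAMPLE_HISTORY = [
    {"/login": "public", "/dashboard": "authenticated", "/api/applications": "authenticated",
     "/api/export": "authenticated", "/legacy": "public"},
    {"/login": "public", "/dashboard": "authenticated", "/api/applications": "authenticated",
     "/api/export": "authenticated"},
    {"/login": "public", "/dashboard": "authenticated", "/api/applications": "authenticated"},
    {"/login": "public", "/dashboard": "authenticated", "/api/applications": "public",
     "/api/admin/users": "admin"},
]
```

On the sample history `/legacy` has been missing for three runs and is Retired, `/api/export` has been missing for two and is only Stale, and the diff between the last two runs flags two high-priority changes: a new admin-only endpoint and `/api/applications` dropping from authenticated to public. Counting misses from the newest run backwards is what keeps an asset that reappears from being mistaken for a retired one.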
How the map is built
Three agent roles turn a URL into a fully tested asset map:
Reconnaissance
Crawls your application and builds the asset graph — nodes, edges, technologies, and blockers.
Auditor
Reasons over the whole graph and decides what to attack, emitting prioritized investigations.
Prover
Confirms or denies each investigation by actively exploiting it — and chains from what it confirms.
Next steps
- Meet the AI agents that build and attack the map
- Run your first pentest and watch the live lens
- Configure WAF bypass so recon can reach everything
Last updated: June 11, 2026