# Agentic Pentester

> **Notes:**
>
> * This capability is currently in Early Access (EA) and is not generally available. To request access, please contact OX technical support.
> * Currently, Agentic Pentest does not run scans automatically. Scans are triggered manually only, using the **Scan All Targets** option.

Agentic Pentest evaluates your web applications by simulating an autonomous penetration test. It discovers exposed targets, triggers DAST scans, and reports exploitable findings directly in OX.

<figure><img src="/files/zMUo8T0fJSY289kxo6Hc" alt="" width="563"><figcaption></figcaption></figure>

You can view Agentic Pentest issues on the Active Issues page, under Category > Dynamic App Security.

<figure><img src="/files/oIR1QBYcOrCEWfDk47bU" alt="" width="563"><figcaption></figcaption></figure>

## Adding a new target

Creating a target defines the application that Agentic Pentester scans. After adding a target, OX can authenticate to the application, run penetration tests, and report vulnerabilities.

When you open the Agentic Pentest page for the first time, the Targets list is empty. To start scanning, you need to add at least one target.

You can modify any configured target at any time. Updating the URL, authentication settings, custom headers, or exceptions does not delete scan history.

**To create a target:**

1. Go to the **Agentic Pentest** page and select **Add Target**.

<figure><img src="/files/EOFL6L5dece5B6EtjqpS" alt="" width="503"><figcaption></figcaption></figure>

| Field                      | Description                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                         |
| -------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
| **Target name**            | A descriptive name for the application you want to test.                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            |
| **URL**                    | The full URL to the application.                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    |
| **Target type**            | Currently only **Web app** scanning is supported.                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                   |
| **Authentication**         | The authentication method OX uses to log in to the target. Configure it here so that authenticated areas of the application are included in the scan; the Connectivity Check reports whether OX can authenticate with the settings provided. |
| **Custom Headers**         | <p>Optional.<br>Add one or more custom HTTP headers (name and value) that OX includes on every request sent to the target.</p><p>Use custom headers when the target requires request values that cannot be provided through the standard authentication settings, for example:</p><ul><li>Bypassing CAPTCHA or bot-protection challenges that accept a known header.</li><li>Passing a static API token, session token, or feature flag required by the application.</li></ul><p>Because the value is sent with every scan request, treat a bypass or API token configured here as a secret: scope it to the environment being tested and rotate it when the engagement ends.</p><p>You can add and remove headers at any time. Custom headers are optional and apply only to the target they are configured on.</p> |
| **Deployment Environment** | <p>Select the relevant deployment environment for the targeted web application, either from a pre-existing list or by adding environments relevant to your organization.</p><p>The following environments are available:<br>- Staging<br>- Production<br>- Deployment<br><strong>Note:</strong> Scanning web applications in Production is not recommended and may cause performance degradation or temporary instability to your services.</p>                                                                                                                                                                     |
| **URL Exclusions**         | If there are areas of the application that should not be scanned, add URL exclusion rules. Matching is by substring: any URL that contains the specified pattern is skipped during scans, so keep patterns specific (a pattern such as `/api` would exclude every URL containing that text). A common exclusion is the logout URL, so that the scanner does not end its own authenticated session. |

2. Select **Add Target**.
3. To ensure you own the target or are authorized to scan it, review the legal confirmation message and approve it. The target becomes active only after confirmation.

<figure><img src="/files/ORODLcMuVcGw3sthZ7xD" alt="" width="356"><figcaption></figcaption></figure>

After the target is created, it appears in the **Targets** list. The status shows **Not Scanned** until the first scan is triggered.

## Connectivity Check

When a new target is added, OX automatically runs a Connectivity Check in the background so you can immediately see whether the target is reachable and whether OX can authenticate to it. It surfaces configuration problems early, without waiting for a full scan to fail.

<figure><img src="/files/3YTxRuBGjGxp9o5xl5XR" alt="" width="563"><figcaption></figcaption></figure>

<table><thead><tr><th width="264.8333740234375">Outcome</th><th>Description</th></tr></thead><tbody><tr><td><strong>Connectivity verified</strong></td><td>Both Reachability and Authentication succeeded. The target is ready to be scanned.</td></tr><tr><td><strong>Connectivity issue detected</strong></td><td>One or both stages failed.<br>OX displays a clear explanation of what went wrong and a set of action items you can follow to fix it on your side, such as checking the target URL for typos, confirming the credentials provided to OX are correct, or reviewing custom headers configured for the target.<br>Selecting an action item opens the relevant configuration page so you can update the settings and re-verify in place.</td></tr></tbody></table>

The check runs in two stages:

1. **Reachability:** OX confirms that the target URL is reachable over the network.
2. **Authentication:** OX attempts to authenticate against the target using the configured authentication method and any custom headers.

When the check runs:

* **Automatically**, in the background, whenever a new target is added.
* **On demand**, whenever you select **Verify Connectivity**. Useful after you change configuration (credentials, URL, custom headers) and want to re-test immediately.

Where to view the result:

* On the Targets list, hover over the connectivity label next to a target to see the current status and the timestamp of the last check.
* Select a target to open its side panel, where the **Reachability** and **Authentication** steps are shown along with the time of the last check. The side panel also includes a **Verify Connectivity** button so you can re-run the check directly from there.

The timestamp is shown so you always know how recent the result is. Because configurations and network conditions change over time, OX recommends re-running the check rather than relying on results that are more than a few days old.
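The following script is an added example, not OX's implementation, of a local pre-check that mirrors the two stages described above: a reachability probe with only the custom headers, then an authenticated probe with the configured credentials, each failure mapped to the kind of action item the Connectivity Check surfaces. It assumes the target accepts header-based authentication (for example an `Authorization` header) and that a 401, 403 or 407 on the authenticated probe means authentication failed; `sample_send` is a constructed stand-in for the network so the demo runs offline, and the `send` parameter lets you swap in the real transport.

```python
"""Local pre-check mirroring the Connectivity Check stages: Reachability, then
Authentication. Added example, not OX code. Assumes header-based auth and that
401/403/407 on the authenticated probe means the credentials were rejected."""
import urllib.error
import urllib.request
from dataclasses import dataclass, field


@dataclass
class Stage:
    name: str
    ok: bool
    detail: str


@dataclass
class CheckResult:
    stages: list = field(default_factory=list)
    action_items: list = field(default_factory=list)

    @property
    def verified(self) -> bool:
        """Connectivity verified only when both stages ran and both succeeded."""
        return len(self.stages) == 2 and all(s.ok for s in self.stages)


def http_send(url, headers, timeout=10):
    """Default transport: GET the URL, return (status, reason). Network-level failure -> (None, error)."""
    req = urllib.request.Request(url, headers=headers, method="GET")
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.status, resp.reason
    except urllib.error.HTTPError as e:
        return e.code, e.reason          # an HTTP error response still proves the host is reachable
    except (urllib.error.URLError, OSError) as e:
        return None, str(e)


def connectivity_check(url, auth_headers, custom_headers=None, send=http_send):
    result = CheckResult()
    custom_headers = dict(custom_headers or {})

    # Stage 1, Reachability: custom headers only, no credentials. Any HTTP answer counts as reachable.
    status, detail = send(url, custom_headers)
    reachable = status is not None
    result.stages.append(Stage("Reachability", reachable, f"HTTP {status}" if reachable else detail))
    if not reachable:
        result.action_items.append(
            "Check the target URL for typos and confirm the host is reachable from the "
            "scanner's network (e.g. the allowlisted static IPs)."
        )
        return result

    # Stage 2, Authentication: the same request plus the configured credentials.
    status, detail = send(url, {**custom_headers, **auth_headers})
    authed = status is not None and status not in (401, 403, 407)
    result.stages.append(Stage("Authentication", authed, f"HTTP {status}" if status is not None else detail))
    if not authed:
        result.action_items.append("Confirm the credentials provided to OX are correct and have not expired.")
        if custom_headers:
            result.action_items.append("Review the custom headers configured for the target.")
    return result


def sample_send(url, headers, timeout=10):
    """Constructed stand-in for the network: models a host that requires a specific bearer token."""
    if "bad-host" in url:
        return None, "Name or service not known"
    if headers.get("Authorization") == "Bearer good-token":
        return 200, "OK"
    return 401, "Unauthorized"


if __name__ == "__main__":
    for auth in ({"Authorization": "Bearer good-token"}, {"Authorization": "Bearer expired"}):
        r = connectivity_check("https://staging.example.com/", auth, {"X-Scan-Bypass": "abc"}, send=sample_send)
        print("verified" if r.verified else "issue detected", [(s.name, s.ok) for s in r.stages], r.action_items)
```

Run it with the real transport by omitting `send=`; a 401 on the first probe is expected for a protected application and still counts as reachable, which is why the two stages are kept separate.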

## Running Agentic Pentester scans

Agentic Pentest scans run independently from the main OX scan.

Triggering **Scan All Targets** runs only the Agentic Pentest scan against the configured targets. It does not trigger or depend on the OX SAST scan, and the OX SAST scan does not trigger it. This separation lets you run pentest scans on their own schedule without waiting for, or impacting, the rest of the OX platform scan.

**To start a scan:**

* From the upper right corner, select **Scan All Targets**. A progress bar appears showing how many targets are being scanned.

<figure><img src="/files/oqo9tQQzwGJYG7lJfjp8" alt="" width="313"><figcaption></figcaption></figure>

## Reviewing an existing target

When you select an existing target, OX opens the target details view. This view provides a summary of the target configuration, scan status, and all URLs discovered during scanning.

<figure><img src="/files/MPDrf3LfScj4yiKih2pV" alt="" width="563"><figcaption></figcaption></figure>

<table><thead><tr><th width="256">Section</th><th>Description</th></tr></thead><tbody><tr><td><strong>Target Overview</strong></td><td>Displays the main details of the target, including the target name and URL, deployment environment, target type, overall accessibility status, total number of detected issues, and the last scan date and time.<br>This helps you quickly understand whether the target is reachable, when it was last scanned, and whether security issues were identified.</td></tr><tr><td><strong>Connectivity Status</strong></td><td>The side panel shows the result of the most recent Connectivity Check, including the Reachability and Authentication steps and the timestamp of the last check. Select <strong>Verify Connectivity</strong> to run the check again on demand.</td></tr><tr><td><strong>Sub Targets</strong></td><td><p>Lists all URLs discovered under the target during scanning.</p><p>Each entry represents:</p><ul><li>A specific URL accessed by Agentic Pentester</li><li>HTTP method used</li><li>URL status: Not Scanned (was not scanned by OX), Accessible (was scanned by OX), Blocked (OX could not scan the URL)</li><li>Last scan time</li><li>Detected issues grouped by severity</li></ul><p>The list is populated automatically after the first scan.</p></td></tr><tr><td><strong>Filtering Sub Targets</strong></td><td><p>Allows filtering the list of sub-targets to focus on relevant URLs.</p><ul><li><strong>With Issues:</strong> Shows only URLs with detected issues.</li><li><strong>All:</strong> Displays all discovered URLs. A search field can be used to locate specific URLs.</li></ul></td></tr><tr><td><strong>URL Status and Issues</strong></td><td>Shows whether each URL was accessible during scanning. 
When issues are detected, severity indicators appear in the Issues column.<br>Selecting a severity indicator opens the Issues page filtered by the selected target and URL.</td></tr><tr><td><strong>Configuration</strong></td><td><p>Allows updating the target configuration, including:</p><ul><li>Target Name</li><li>Authentication Method</li><li>Custom Headers</li><li>Deployment Environment</li><li>URL exclusion rules</li></ul><p>Configuration changes apply only to future scans and do not remove existing scan results.</p></td></tr></tbody></table>

## Exporting a Pen Test Report

Agentic Pentester can generate a Pen Test Report for any target. This report follows the structure commonly used in the penetration testing industry and is designed to be shared with internal stakeholders or external auditors — for example, as part of an annual compliance review.

**To generate a report:**

1. Open the target you want to report on.
2. Select **Export** in the top-right corner of the target view.
3. Choose **Pen Test Report**.

OX generates the report and makes it available for download.

The report includes the sections typically expected in a pen test deliverable:

* **Executive Summary:** A high-level overview of the assessment results, suitable for leadership and external auditors.
* **Confidentiality Statement:** Standard notice describing how the report should be handled and distributed.
* **Assessment Overview:** The scope of the assessment, including the targets covered and the timeframe of testing.
* **Testing Framework:** The methodology and standards followed during testing.
* **Severity Distribution:** A breakdown of findings by severity, providing a quick view of the overall risk posture.
* **Findings:** The detailed list of vulnerabilities identified during the assessment, including supporting context for each finding.

Use this report when you need to demonstrate the security posture of the assessed application to an external party, or to keep an auditable record of each round of testing.

## Scanning protected applications (whitelisting)

Some web applications are protected by security measures such as Web Application Firewalls (WAFs) or network firewalls that may block incoming scan traffic.

To ensure Agentic Pentester can access and assess these targets without interruption, scan traffic originates from a fixed set of static IP addresses that you can allowlist in your WAF or firewall: 18.202.47.201 and 63.33.147.64.

If your application is protected by a CAPTCHA, a token-based gate, or another mechanism that an IP allowlist alone cannot bypass, you can also provide a custom header (for example, a known bypass token) on the target so that OX requests are accepted by the application.
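The same two addresses are useful on the detection side: while a scan runs, your WAF and SIEM will see attack-shaped requests, and the published source IPs are how you separate the authorized test from anything else probing the same paths. The script below is an added example, not OX tooling, that parses web server access log lines in the common "combined" format, tags requests from the addresses listed on this page, and flags non-scanner clients that hit the same paths the scanner did with an error status. The log lines are constructed for the demo; update `OX_SCANNER_NETWORKS` if OX publishes new addresses, and note that behind a reverse proxy the logged client IP may be the proxy's rather than the scanner's.

```python
"""Tag Agentic Pentester traffic in access logs by the static source IPs
published on the documentation page. Added example, not OX tooling; sample
log lines are constructed."""
import ipaddress
import re

OX_SCANNER_NETWORKS = [
    ipaddress.ip_network("18.202.47.201/32"),
    ipaddress.ip_network("63.33.147.64/32"),
]

# nginx/Apache "combined" format: ip - user [time] "METHOD path proto" status bytes "referer" "user-agent"
_COMBINED = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
)


def is_scanner_ip(ip: str) -> bool:
    """True when the address falls inside one of the published scanner networks."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False
    return any(addr in net for net in OX_SCANNER_NETWORKS)


def parse_line(line: str):
    """Parse one combined-format line into a dict, or None if it does not match the format."""
    m = _COMBINED.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    rec["from_scanner"] = is_scanner_ip(rec["ip"])
    return rec


def triage(lines):
    """Split lines into (scanner_records, other_records, malformed_count)."""
    scanner, other, malformed = [], [], 0
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            malformed += 1
        elif rec["from_scanner"]:
            scanner.append(rec)
        else:
            other.append(rec)
    return scanner, other, malformed


def suspicious_non_scanner(other, scanner):
    """Non-scanner requests that hit a path the scanner also probed and got an error back.
    The authorized test explains the scanner's errors; these ones it does not."""
    probed = {r["path"].split("?", 1)[0] for r in scanner}
    return [r for r in other if r["path"].split("?", 1)[0] in probed and r["status"] >= 400]


# Constructed sample: two scanner addresses, a copycat from elsewhere, a normal user, and junk.
SAMPLE_LOG = [
    '18.202.47.201 - - [12/May/2025:10:01:02 +0000] "GET /login HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '18.202.47.201 - - [12/May/2025:10:01:03 +0000] "POST /login HTTP/1.1" 401 128 "-" "Mozilla/5.0"',
    '63.33.147.64 - - [12/May/2025:10:01:05 +0000] "GET /api/users/1%27%20OR%201=1 HTTP/1.1" 500 0 "-" "Mozilla/5.0"',
    '203.0.113.9 - - [12/May/2025:10:02:00 +0000] "GET /api/users/1%27%20OR%201=1 HTTP/1.1" 500 0 "-" "curl/8.0"',
    '198.51.100.7 - - [12/May/2025:10:02:30 +0000] "GET /dashboard HTTP/1.1" 200 2048 "-" "Mozilla/5.0"',
    "this line is not an access log entry",
]

if __name__ == "__main__":
    scanner, other, malformed = triage(SAMPLE_LOG)
    print(f"scanner requests: {len(scanner)}, other: {len(other)}, malformed: {malformed}")
    for rec in suspicious_non_scanner(other, scanner):
        print("investigate:", rec["ip"], rec["method"], rec["path"], rec["status"])
```

Feed it `sys.stdin` or a file instead of `SAMPLE_LOG` to run it over a real log; the scanner records are the ones to suppress or annotate in your alerting during the scan window, not to drop, since they also document what the test actually exercised.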

## Automatic matching with repositories

OX provides a unified view of your application by connecting the running target with the source code behind it. You can see which APIs are exposed, understand where they are implemented in the code, and identify gaps between the application and the codebase: endpoints that are reachable on the target but have no implementation in the connected repositories, and APIs declared in code that the scan never reached.

* **Dual discovery:** OX analyzes the application from two directions. It discovers exposed endpoints from the running application and builds an API bill of materials (API BOM) from connected repositories.
* **Matching and validation:** OX compares endpoints discovered on the application with APIs from the code, validates matches against the running target, and associates verified APIs with the target.
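To make the matching step concrete, the following is an added example, illustrating the idea rather than OX's own matching and validation logic, which is not published here. It takes endpoints observed on a running target (method and concrete path) and an API BOM of route templates extracted from code (`{param}` or `:param` placeholders, each with a source location), matches them so that static routes win over parameterised ones, and reports the gaps in both directions. The discovered endpoints and BOM entries are constructed.

```python
"""Match endpoints discovered on a running target against an API BOM from
source and report gaps in both directions. Added example; not OX's matcher.
Inputs below are constructed."""
import re

_PARAM = re.compile(r"\{[^/}]+\}|:[A-Za-z_][A-Za-z0-9_]*")


def template_to_regex(template: str) -> re.Pattern:
    """'/api/users/{id}' or '/api/users/:id' -> anchored regex; each placeholder matches one path segment."""
    parts, pos = [], 0
    for m in _PARAM.finditer(template):
        parts.append(re.escape(template[pos:m.start()]))
        parts.append(r"[^/]+")
        pos = m.end()
    parts.append(re.escape(template[pos:]))
    return re.compile("^" + "".join(parts) + "/?$")


def match_endpoints(discovered, api_bom):
    """discovered: [(METHOD, concrete_path)]; api_bom: [(METHOD, template, source_location)].
    Templates with fewer parameters are tried first so '/api/users/me' is not swallowed by '/api/users/{id}'."""
    compiled = sorted(
        ((m.upper(), tpl, src, template_to_regex(tpl)) for m, tpl, src in api_bom),
        key=lambda e: (len(_PARAM.findall(e[1])), -len(e[1])),
    )
    matched, only_in_app, hit = [], [], set()
    for method, path in discovered:
        path = path.split("?", 1)[0]        # the query string is not part of the route
        for i, (m, tpl, src, rx) in enumerate(compiled):
            if m == method.upper() and rx.match(path):
                matched.append({"method": m, "path": path, "template": tpl, "source": src})
                hit.add(i)
                break
        else:
            only_in_app.append((method.upper(), path))   # reachable, but no code behind it: shadow API
    only_in_code = [(m, tpl, src) for i, (m, tpl, src, _) in enumerate(compiled) if i not in hit]
    return {"matched": matched, "only_in_app": only_in_app, "only_in_code": only_in_code}


# Constructed inputs: what a crawl of the running app observed, and what the repository's routes declare.
DISCOVERED = [
    ("GET", "/api/users/42"),
    ("GET", "/api/users/me"),
    ("POST", "/api/login"),
    ("GET", "/api/internal/debug?verbose=1"),
]
API_BOM = [
    ("GET", "/api/users/{id}", "src/users.py:UserView.get"),
    ("GET", "/api/users/me", "src/users.py:current_user"),
    ("POST", "/api/login", "src/auth.py:login"),
    ("DELETE", "/api/users/:id", "src/users.py:UserView.delete"),
]

if __name__ == "__main__":
    report = match_endpoints(DISCOVERED, API_BOM)
    for row in report["matched"]:
        print(f"{row['method']} {row['path']:<24} -> {row['template']:<18} {row['source']}")
    print("only in app :", report["only_in_app"])   # candidates for an unknown or shadow API
    print("only in code:", report["only_in_code"])  # routes the scan never exercised
```

In this model the "only in app" list is the one to treat as a finding in its own right, since an endpoint with no implementation in the connected repositories is either served by code you are not scanning or is not yours; the "only in code" list tells you which routes the pentest did not exercise.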

