Agentic Pentester

Agentic Pentester continuously evaluates your web applications by simulating an autonomous penetration test. It discovers exposed targets, triggers DAST scans, and reports exploitable findings directly in OX.

Filtering targets

The Targets panel displays all configured targets. For each target, you see the environment name, last scanned time, scanning status, and available actions (edit, duplicate, delete).

You can filter the list as follows:

Filter: Description

Deployment Status: Shows targets by assigned environment.

Issues: Filters targets based on detected issues.

Severity: Filters by highest severity found on the target.

Target Status: Filters by scan state:

  • Not Scanned: The target has been created, but no scan has run yet.

  • Scanning: A scan is currently running.

  • Completed: The scan finished successfully.

  • Failed: The scan encountered an error.

Target Type: Filters by type of application scanned.

Adding a new target

Creating a target defines the application that Agentic Pentester scans. After adding a target, OX can authenticate to the application, run penetration tests, and report vulnerabilities.

When you open the Agentic Pentester page for the first time, the Targets list is empty. To start scanning, you need to add at least one target.

You can modify any configured target at any time. Updating the URL, authentication settings, or exceptions does not delete scan history.

To create a target:

  1. Go to the Agentic Pentester page and select Add Target.

Field: Description

Target name: A descriptive name for the application you want to test.

URL: The full URL to the application.

Target type: Currently only Web app scanning is supported (API scanning will be added later).

Authentication:

  • No authentication

  • Simple authentication: Enter the username and password that the Agentic Pentester will use to authenticate against the target.

Deployment Environment: Select an existing deployment environment or create a new one. The following environments are available:

  • Staging

  • Production

  • Deployment

URL Exclusions: If there are areas of the application that should not be scanned, add URL exclusion rules. Any URL containing the specified pattern will be ignored during scans.

  2. Select Add Target.

  3. To ensure you own the target or are authorized to scan it, review the legal confirmation message and approve it. The target becomes active only after confirmation.

After the target is created, it appears in the Targets list. The status shows Not Scanned until the first scan is triggered.
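
URL exclusion rules match any URL containing the pattern, so a short pattern can remove more from scan coverage than intended. The following Python sketch is an added example, not OX code: it previews which URLs a set of exclusion patterns would drop and marks matches that are probably unintended. It assumes plain case-sensitive substring matching against the full URL (the page only says "containing"); the function names, sample URLs and patterns are constructed for illustration.

```python
from urllib.parse import urlsplit

def excluded_by(url, patterns):
    """Patterns that would exclude this URL under substring matching (assumed)."""
    return [p for p in patterns if p in url]

def classify(url, pattern):
    """Where the pattern hit: 'path-segment', 'path-partial' or 'outside-path'."""
    path = urlsplit(url).path
    i = path.find(pattern)
    if i < 0:
        return "outside-path"      # matched only the host, query string or fragment
    end = i + len(pattern)
    if pattern.endswith("/") or end == len(path) or path[end] == "/":
        return "path-segment"      # match ends on a path segment boundary
    return "path-partial"          # e.g. "/admin" hitting "/administrators-handbook"

def coverage_report(urls, patterns):
    """Return (scanned, excluded); excluded maps url -> [(pattern, classification)]."""
    scanned, excluded = [], {}
    for url in urls:
        hits = excluded_by(url, patterns)
        if hits:
            excluded[url] = [(p, classify(url, p)) for p in hits]
        else:
            scanned.append(url)
    return scanned, excluded

# Constructed sample data: URLs as they might appear in a Sub Targets list.
SAMPLE_URLS = [
    "https://app.example.test/admin/users",
    "https://app.example.test/administrators-handbook",
    "https://app.example.test/search?next=/admin",
    "https://app.example.test/account/logout",
    "https://app.example.test/checkout",
]
SAMPLE_PATTERNS = ["/admin", "/logout"]

if __name__ == "__main__":
    scanned, excluded = coverage_report(SAMPLE_URLS, SAMPLE_PATTERNS)
    for url, hits in excluded.items():
        for pattern, kind in hits:
            note = "" if kind == "path-segment" else "  <-- review: probably unintended"
            print(f"EXCLUDED {url} by {pattern!r} ({kind}){note}")
    for url in scanned:
        print(f"SCANNED  {url}")
```

Every URL reported as path-partial or outside-path is application surface that the rule removes from testing without the rule's author necessarily intending it; lengthening the pattern (for example "/admin/") narrows the match.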

Reviewing an existing target

When you select an existing target, OX opens the target details view. This view provides a summary of the target configuration, scan status, and all URLs discovered during scanning.

Section: Description

Target Overview: Displays the main details of the target, including the target name and URL, deployment environment, target type, overall accessibility status, total number of detected issues, and the last scan date and time. This helps you quickly understand whether the target is reachable, when it was last scanned, and whether security issues were identified.

Sub Targets: Lists all URLs discovered under the target during scanning. Each entry represents:

  • A specific URL accessed by Agentic Pentester

  • HTTP method used

  • URL status: Not Scanned (was not scanned by OX), Accessible (was scanned by OX), Blocked (OX could not scan the URL)

  • Last scan time

  • Detected issues grouped by severity

The list is populated automatically after the first scan.

Filtering Sub Targets: Allows filtering the list of sub-targets to focus on relevant URLs.

  • With Issues: Shows only URLs with detected issues.

  • All: Displays all discovered URLs. A search field can be used to locate specific URLs.

URL Status and Issues: Shows whether each URL was accessible during scanning. When issues are detected, severity indicators appear in the Issues column. Selecting a severity indicator opens the Issues page filtered by the selected target and URL.

Configuration: Allows updating the target configuration, including authentication method, deployment environment, and URL exclusion rules. Configuration changes apply only to future scans and do not remove existing scan results.
