48+ Testing Engines

What we test and how we protect you

Agent Breach combines 48+ specialised testing engines to find the vulnerabilities that put your business at risk — automatically, continuously, and without false alarms.

Assessment Levels

Choose the right depth for your needs, or let Agent Breach recommend the best option for your application.

Quick Check

7 engines

A fast sweep of the most common risks. Perfect for CI/CD pipelines or quick sanity checks. Completes in minutes.

Comprehensive

17+ engines • Recommended

Our recommended assessment. Covers the risks that matter most, with balanced speed and depth.

Full Audit

48 engines

Maximum coverage for pre-release, compliance audits, or when you need complete confidence. May take over an hour.

Vulnerability Discovery

5 engines

Automatically crawl and test every page, endpoint, and form in your application for known weaknesses.

Template-based vulnerability scanning

Finds known CVEs, misconfigurations, and exposed panels across your entire application.

Fast, customisable scanner powered by thousands of community-maintained templates covering CVEs, misconfigurations, default credentials, and technology-specific weaknesses.

Powered by Nuclei

Web server vulnerability scanning

Detects dangerous files, outdated software, and server misconfigurations that attackers exploit.

Comprehensive server scanner that checks for dangerous files, outdated software versions, and over 6,700 potentially risky files and programs.

Powered by Nikto

WordPress vulnerability scanning

Identifies vulnerable plugins, themes, and core versions that could compromise your WordPress site.

Specialised scanner for WordPress sites. Detects vulnerable plugins, themes, and core versions, enumerates users, and checks for common misconfigurations.

Powered by WPScan

Technology fingerprinting

Maps your technology stack so the right tests are applied automatically.

Identifies CMS platforms, JavaScript frameworks, web servers, analytics tools, and more. Knowing your stack helps prioritise the most relevant security tests.

Powered by WhatWeb

Advanced module-based validation

Supports safe module checks and tightly controlled exploit validation for authorized environments.

Runs Metasploit modules in safe audit mode by default, with controlled exploit mode available only with explicit authorization and guardrails.

Powered by Metasploit

Data Theft Prevention

7 engines

Protect your databases and backend systems from the injection attacks that cause the majority of data breaches.

SQL injection detection

Finds SQL injection flaws that could let attackers steal or modify your database.

Automatically detects and validates SQL injection flaws across all major database engines with support for blind, error-based, UNION, and time-based techniques.

Powered by SQLMap

Cross-Site Scripting detection

Catches XSS flaws that could let attackers hijack user sessions or steal credentials.

Intelligent XSS scanner that analyses context, generates custom payloads, and tests for reflected, stored, and DOM-based cross-site scripting.

Powered by XSStrike

Server-Side Template Injection

Detects template injection that could give attackers full server access.

Tests for injection across popular engines (Jinja2, Twig, Freemarker, Velocity, etc.). SSTI can lead to remote code execution — one of the most critical web vulnerabilities.

LDAP injection testing

Prevents attackers from bypassing authentication or extracting directory information.

Probes login forms and search fields for LDAP injection vulnerabilities that could allow authentication bypass or directory information extraction.

API endpoint fuzzing

Uncovers crashes, data leaks, and logic flaws in your REST and GraphQL APIs.

Sends a wide variety of unexpected payloads to API endpoints — boundary values, special characters, oversized inputs, and injection strings. Complements schema-aware OpenAPI testing when no spec is published.

OpenAPI discovery & schema-aware fuzzing

Finds API flaws that generic fuzzers miss by importing your OpenAPI/Swagger spec.

Discovers OpenAPI and Swagger documents, imports each operation, and fuzzes parameters with schema-aware payloads. Runs an auth matrix comparing unauthenticated vs authenticated responses per endpoint.

Web application fuzzing

Tests every input point for unexpected behaviour that could lead to data exposure.

Flexible, modular fuzzer for brute-forcing parameters, headers, cookies, and form fields with custom wordlists and encoders.

Powered by Wfuzz

Access Security

8 engines

Ensure only the right people can access the right data — and that your login, session, and permission systems can't be bypassed.

JWT security testing

Prevents token-based authentication bypass that could expose all user accounts.

Tests for common JWT vulnerabilities: algorithm confusion, weak signing keys, missing expiration, token replay, and information disclosure in claims.

Role-based access testing

Verifies that users can only access what they should — no privilege escalation.

Tests whether low-privilege users can access admin endpoints, escalate privileges, or access other users' data through role boundary violations.

Object-level access testing

Catches flaws where users can access other users' data by manipulating IDs.

Tests whether users can access or modify resources belonging to other users by manipulating IDs in URLs, request bodies, or headers — one of the most common API security flaws.

Cross-profile authorization (BOLA)

Verifies that one authenticated role cannot access another user's objects.

Replays object-level requests across multiple auth profiles to catch broken object-level authorization — the same user ID accessed with different sessions should not leak data.

Login resistance testing

Ensures your login pages resist credential stuffing and brute-force attacks.

Simulates credential stuffing and brute-force attacks. Verifies account lockout policies, rate limiting, CAPTCHA enforcement, and response timing leaks.

Password policy validation

Confirms your password requirements meet industry standards.

Validates that your password policy enforces sufficient complexity, length, and character requirements. Tests for acceptance of common or breached passwords.

Credential attack simulation

Tests resistance against weak credentials for HTTP login flows and network services.

Runs controlled Hydra credential checks for web login forms and services such as SSH/FTP/SMTP to validate lockout, monitoring, and password hygiene.

Powered by Hydra

OAuth / OIDC security testing

Finds redirect_uri bypass, PKCE, and token-handling flaws in external identity flows.

Discovers OIDC discovery documents and authorization servers, then tests redirect URI validation, PKCE enforcement, and common OAuth misconfigurations on public login flows.

Infrastructure Hardening

7 engines

Verify your servers, certificates, and security headers follow industry best practices and don't leak information.

CORS configuration audit

Prevents cross-site data theft caused by misconfigured resource sharing.

Tests for dangerous CORS misconfigurations: wildcard origins, reflected origins, null origin acceptance, and credential exposure.

Security header analysis

Ensures your HTTP headers protect against clickjacking, XSS, and data sniffing.

Checks for the presence and correct configuration of critical headers: Content-Security-Policy, Strict-Transport-Security, X-Frame-Options, Permissions-Policy, and more.

SSL/TLS configuration testing

Identifies weak encryption that could let attackers intercept sensitive data.

Analyses your TLS configuration for weak ciphers, deprecated protocols, certificate issues, and HSTS misconfiguration.

Powered by SSLyze

Comprehensive TLS scanning

Deep analysis of your encryption setup against known vulnerabilities.

In-depth TLS analysis covering protocol support, cipher suites, key exchange, certificate chain validation, and known vulnerabilities (Heartbleed, POODLE, ROBOT).

Powered by TestSSL

DNS and email security

Prevents subdomain takeover and email spoofing attacks against your domain.

Tests for subdomain takeover risks, validates SPF/DKIM/DMARC email authentication records, checks for dangling CNAME entries, and identifies DNS zone transfer vulnerabilities.

Clickjacking protection testing

Verifies your pages can't be embedded in malicious iframes to trick users.

Tests X-Frame-Options headers and Content-Security-Policy frame-ancestors directives to prevent UI redress attacks.

WAF-aware scanning

Detects when a WAF blocks tests and adapts so real vulnerabilities aren't missed.

Identifies Cloudflare, AWS WAF, and other edge protections from block pages, then retries with adjusted payloads and surfaces WAF interference in scan telemetry.

Business Logic Protection

11 engines

Detect flaws in your application's workflows that let attackers bypass payments, escalate privileges, or abuse functionality.

Request forgery protection

Prevents attackers from tricking users into performing unwanted actions.

Verifies that state-changing requests require valid anti-CSRF tokens or use SameSite cookies. Tests for token bypass techniques and missing validation.

Server-side request forgery

Stops attackers from using your server to access internal systems and cloud metadata.

Tests whether your application can be tricked into making requests to internal services, cloud metadata endpoints, or arbitrary external servers.

SSRF internal pivot

Probes internal reach through a confirmed SSRF — zero-install, cloud-only.

After SSRF is confirmed, attempts controlled reach to internal hostnames, metadata endpoints, and common internal services to measure blast radius without an in-network agent.

File upload security

Prevents malicious file uploads that could compromise your server.

Attempts to upload dangerous file types (web shells, SVG with XSS, polyglot files) to test content-type validation, extension filtering, and server-side handling.

Deserialization testing

Finds insecure deserialization that could lead to remote code execution.

Tests for insecure deserialization in Java, PHP, Python, and .NET applications that could lead to remote code execution, denial of service, or privilege escalation.

WebSocket security

Protects real-time communication channels from hijacking and injection.

Tests WebSocket connections for missing authentication, cross-site hijacking, message injection, and lack of origin validation.

Rate limit testing

Ensures your API can't be overwhelmed or abused through excessive requests.

Verifies that your API and critical endpoints enforce rate limits. Tests for bypass techniques using different headers and concurrent request flooding.

Business logic testing

Catches workflow flaws like price manipulation, coupon abuse, and process bypass.

Tests for price manipulation, workflow bypass, negative quantity attacks, coupon abuse, and other application-specific logic vulnerabilities.

Stateful workflow testing

Finds multi-step bypasses in checkout, onboarding, and approval flows.

Replays recorded browser workflow macros and mutates stateful POST chains to skip steps, reorder transitions, or abuse multi-step business processes.

Second-order / stored validation

Confirms stored injection by polling secondary pages for planted canaries.

Plants unique canary markers during injection tests, then polls other pages and endpoints to confirm stored XSS, SQLi, or template injection that only appears after a delay.

Race condition testing

Detects concurrency bugs that could lead to double-spend or data corruption.

Sends concurrent requests to detect time-of-check-to-time-of-use bugs, double-spend vulnerabilities, and other race conditions.

Attack Surface Mapping

10 engines

Discover what's exposed to the internet — subdomains, open ports, hidden endpoints, and forgotten cloud resources.

Hidden path discovery

Finds admin panels, backup files, and config files that shouldn't be public.

Discovers hidden directories, backup files, admin panels, and configuration files by testing thousands of common paths.

Subdomain discovery

Reveals forgotten subdomains that could be entry points for attackers.

Discovers subdomains using passive sources — certificate transparency logs, DNS datasets, search engines, and web archives — without sending traffic to your infrastructure.

Powered by Subfinder

Comprehensive subdomain mapping

Provides the most thorough mapping of your domain's external footprint.

Combines DNS brute-forcing, web scraping, certificate analysis, and API integrations for comprehensive subdomain enumeration.

Powered by Amass (OWASP)

GraphQL endpoint discovery

Finds exposed GraphQL schemas that could leak your entire data model.

Discovers GraphQL endpoints, performs introspection queries to map the schema, and tests for batching attacks and information disclosure.

GraphQL depth & alias abuse

Tests query cost limits, alias flooding, and batching DoS against GraphQL APIs.

Probes alias nesting, batch query abuse, depth limits, and persisted-query handling to find denial-of-service and authorization bypass paths unique to GraphQL.

API version drift discovery

Finds deprecated or internal API versions still reachable from the internet.

Probes versioned API roots (/v1, /v2, /internal) and flags deprecated endpoints, auth mismatches, and shadow APIs that engineering forgot to retire.

Digital footprint analysis

Reveals what information about your organisation is publicly available to attackers.

Gathers emails, subdomains, hosts, and employee names from public sources like search engines, PGP key servers, and SHODAN.

Powered by theHarvester

Port and service scanning

Discovers open ports and running services that expand your attack surface.

Discovers open ports, identifies running services and their versions, detects operating systems, and maps firewall rules.

Powered by Nmap

Cloud exposure testing

Finds exposed storage buckets, open metadata endpoints, and cloud misconfigurations.

Tests for exposed S3 buckets, open cloud metadata endpoints, misconfigured storage containers, and other cloud-specific attack vectors across AWS, Azure, and GCP.

External attack surface (EASM)

Flags VPN, Citrix, RDP, and internal-looking hostnames exposed to the internet.

Classifies nmap banners and discovery output to highlight remote-access services and internal hostname patterns — external attack surface intelligence without an in-network scanner.

Start reducing risk today

Your first scan is free — see real results in minutes, not weeks.