AI pen testing for application-layer flaws

No, and the framing matters. A scoped engagement against your infra (network scanning, kernel and OS hardening, supply-chain auditing, social engineering) is a different exercise; an external firm is still the right answer for the once-a-year deep dive. What this approach replaces is the gap in between: the application-layer regressions that show up week to week as you ship features. OWASP A01 broken access control, A07 identification and authentication failures, and A04 insecure design issues like OTP rate limits and password reset replay are exactly what a per-build agent loop catches and a once-a-year engagement misses by months. Read the OWASP Top 10 2021 list and notice how many entries describe behaviour you can only verify by being a logged-in user inside the app; that is the slice this approach is for.

Traditional scanners excel at known-pattern fuzzing: SQL injection probes, well-known XSS payloads, header misconfiguration, deprecated TLS. They do not excel at intent-driven checks like "a user without project membership must NOT be able to GET /api/projects/{id}/runs". To answer that you need to log in as user A, navigate or call as user A, then log out and try again as user B, and assert the second response is 401 or 403. That logic is trivial to write as five English sentences and very hard to write as a payload set. The agent loop reads those English sentences, reads the live accessibility tree of your app, and drives the browser. Look at /Users/matthewdi/assrt-mcp/src/core/agent.ts at lines 16-196: every tool the agent can call is listed there, including http_request (line 172) for raw API probing and evaluate (line 106) for arbitrary in-page JavaScript.

Two scenarios in one plan, run sequentially in the same browser session. #Case 1 logs in as user A and creates a private resource, recording the URL and ID. #Case 2 logs out, logs in as user B, and tries to access user A's resource by URL and via http_request to the API. The trick is that browser state carries over between scenarios, which is documented as 'Scenario Continuity' in the system prompt at /Users/matthewdi/assrt-mcp/src/core/agent.ts lines 238-241. The plan files live at /tmp/assrt/scenario.md (see scenario-files.ts line 17), so they are easy to keep next to the rest of your repo.

Three layers of help, all built-in. For OTP and magic-link logins, create_temp_email at /Users/matthewdi/assrt-mcp/src/core/agent.ts line 115 spins up a disposable inbox and wait_for_verification_code at line 120 polls for the message; that is enough to test signup rate limits and code replay without owning email infrastructure. For passwords kept in your real browser, the --extension flag at /Users/matthewdi/assrt-mcp/src/core/browser.ts lines 299-306 attaches the agent to your already-running Chrome, so SSO, 2FA, and password manager autofill all work as the user already configured them. For the split-input OTP pattern (six single-digit fields), the system prompt at lines 233-236 hard-codes a clipboard-paste expression so the agent never has to type one digit per field and lose focus.

Both. The http_request tool at /Users/matthewdi/assrt-mcp/src/core/agent.ts line 172 takes url, method, headers, and body. After the agent has logged in via the UI, the auth cookie is in the Playwright-controlled browser, but evaluate (line 106) can read document.cookie or call fetch() from within the page. That gives you a real session-bound API call without exporting cookies to a separate tool. This is the pattern for verifying that closing a UI access path actually closes the corresponding API path: the front-end fix that hides the Delete button is meaningless if DELETE /api/projects/{id} still returns 200 for an unauthorised user.

One scenario that asks for a code, then asks again, then again, all within a few seconds. Each request goes through the live signup form so the rate limiter sees the same client fingerprint a real attacker would generate. assert lines (agent tool at line 132) record after each request whether the response was "code sent" or "too many requests". A pass is the second or third attempt being rate-limited. A fail is the tenth attempt still going through. The whole scenario is roughly fifteen lines of Markdown; the agent figures out the snapshot-act loop on its own. The same pattern catches password-reset enumeration when the response time differs between known and unknown email addresses.

Two JSON files written by writeResultsFile at /Users/matthewdi/assrt-mcp/src/core/scenario-files.ts lines 77-84: /tmp/assrt/results/latest.json (overwritten each run) and /tmp/assrt/results/<runId>.json (UUID-keyed historical). The shape is a TestReport (types.ts lines 28-35) wrapping a ScenarioResult[] (lines 19-26). Each scenario carries name, passed (boolean), assertions[], and steps[]. In CI, run assrt with --json and pipe into jq; if any .scenarios[].passed is false, exit non-zero. There is no proprietary report format, no cloud you have to sign into, and no rate limit on how often you can run.

Same answer as for any other functional check: it depends on what your scenarios do. The agent only does what the plan tells it to do. A scenario that creates and deletes a test project is fine in production with a dedicated test account. A scenario that fuzzes ten thousand login attempts is not, and the rate-limit scenario above is the better shape for that question anyway (you want the rate limiter to fire). For destructive checks (mass-delete authorisation, billing-edge cases, real-user data), point it at staging with a synthetic dataset. The point of writing these as plain-English #Case files is that the diff is human-readable and you can decide per-environment what runs.

Burp and ZAP both expect you to bring your own request templates and macros. Their authoring surface is HTTP requests, not English sentences. They are excellent at the pattern-fuzzing slice of pen testing and they remain the right tool for that. The agent-loop approach is for the slice that requires per-step reasoning: read the page, decide what 'create a new project' looks like in this UI today, do that, then verify a different user cannot see it. The artifact in your repo is also different: a Burp project file is binary; a #Case plan is Markdown you can review in a pull request. For most application-layer regressions, the second one is the artifact you want.

The default is Claude Haiku 4.5, pinned as claude-haiku-4-5-20251001 at /Users/matthewdi/assrt-mcp/src/core/agent.ts line 9. A typical security #Case is twenty to thirty steps (login as user A, do thing, log out, login as user B, try thing, assert), where each step is one snapshot plus one action plus one short reasoning turn. At Haiku April 2026 rates that lands on the order of a few cents per scenario; running ten such checks every CI build is well under a dollar per build. Provider is pluggable: the Gemini path lives at lines 342-367 with default gemini-3.1-pro-preview, so you can run the same scenarios on a different model if you want a second opinion.

That is a different topic and a real one, but it is not what this page is about. If your app embeds an LLM (chatbots, agentic features, retrieval-augmented generation), you also want a separate set of #Case files that send hostile inputs (system-prompt extraction, tool-call hijacking, output-poisoning) and verify the model refuses or the application sanitises. The agent loop here is just a runner; the scenario you write decides whether it is exercising an authorisation gate or a guardrail. Both are valid uses, both produce the same TestReport shape, both can fail a CI build the same way.

Yes. The MCP server lives at github.com/m13v/assrt-mcp under the MIT license. The Playwright MCP package it spawns (@playwright/mcp) is Microsoft's, also open source. There is an optional hosted runner at app.assrt.ai for sharing results in a browser, but the local CLI produces identical reports without it. There is no proprietary YAML, no closed-source rule engine, no monthly per-seat fee. The npm package's dependencies are listed in plain view: @anthropic-ai/sdk, @google/genai, @modelcontextprotocol/sdk, @playwright/mcp.