惯性聚合 高效追踪和阅读你感兴趣的博客、新闻、科技资讯
阅读原文 在惯性聚合中打开

推荐订阅源

酷 壳 – CoolShell
酷 壳 – CoolShell
GbyAI
GbyAI
SecWiki News
SecWiki News
Project Zero
Project Zero
C
Cisco Blogs
Simon Willison's Weblog
Simon Willison's Weblog
P
Privacy International News Feed
D
Darknet – Hacking Tools, Hacker News & Cyber Security
Scott Helme
Scott Helme
A
Arctic Wolf
Security Latest
Security Latest
Threat Intelligence Blog | Flashpoint
Threat Intelligence Blog | Flashpoint
P
Privacy & Cybersecurity Law Blog
Apple Machine Learning Research
Apple Machine Learning Research
T
Tailwind CSS Blog
The Hacker News
The Hacker News
T
Tenable Blog
雷峰网
雷峰网
有赞技术团队
有赞技术团队
V
V2EX
C
CXSECURITY Database RSS Feed - CXSecurity.com
T
Threat Research - Cisco Blogs
T
Threatpost
AWS News Blog
AWS News Blog
L
LINUX DO - 热门话题
Application and Cybersecurity Blog
Application and Cybersecurity Blog
K
KPMG report finds enterprise disconnect between AI and its ROI | CIO
S
SegmentFault 最新的问题
月光博客
月光博客
Spread Privacy
Spread Privacy
S
Secure Thoughts
宝玉的分享
宝玉的分享
博客园 - 三生石上(FineUI控件)
Forbes - Security
Forbes - Security
T
The Exploit Database - CXSecurity.com
G
GRAHAM CLULEY
The Last Watchdog
The Last Watchdog
Y
Y Combinator Blog
I
Intezer
博客园 - 【当耐特】
B
Blog RSS Feed
Attack and Defense Labs
Attack and Defense Labs
I
InfoQ
博客园 - 叶小钗
Cyberwarzone
Cyberwarzone
V2EX - 技术
V2EX - 技术
Cyber Security Advisories - MS-ISAC
Cyber Security Advisories - MS-ISAC
Hugging Face - Blog
Hugging Face - Blog
H
Help Net Security
C
CERT Recently Published Vulnerability Notes

Aikido Security's Blog

Axios CVE-2026-40175: a critical bug that’s… not exploitable GlassWorm goes native: New Zig dropper infects every IDE on your machine Aikido Attack finds multiple 0-days in Hoppscotch The cybersecurity doomerism around Mythos doesn't match what we see on the ground axios compromised on npm: maintainer account hijacked, RAT deployed Popular telnyx package compromised on PyPI by TeamPCP Aikido × Lovable: Vibe, Fix, Ship CanisterWorm Gets Teeth: TeamPCP's Kubernetes Wiper Targets Iran TeamPCP deploys CanisterWorm on NPM following Trivy compromise Security testing is validating software that no longer exists Aikido Recognized by Frost & Sullivan with the 2026 Customer Value Leadership Award in ASPM GlassWorm Hides a RAT Inside a Malicious Chrome Extension fast-draft Open VSX Extension Compromised by BlokTrooper Glassworm Strikes Popular React Native Phone Number Packages Glassworm Is Back: A New Wave of Invisible Unicode Attacks Hits Hundreds of Repositories How Security Teams Fight Back Against AI-Powered Hackers Introducing Betterleaks, an open source secrets scanner by the author of Gitleaks Trump’s 2026 cybersecurity strategy: From compliance to consequence How does AI pentesting work with compliance? What continuous pentesting actually requires Rare Not Random: Using Token Efficiency for Secrets Scanning Persistent XSS/RCE using WebSockets in Storybook’s dev server Why Determinism Is Still a Necessity in Security WAF vs. RASP vs. ADR Introducing Aikido Infinite: A new model of self-securing software How Aikido secures AI pentesting agents by design Astro Full-Read SSRF via Host Header Injection How to Get Your Board to Care About Security (Before a Breach Forces the Issue) What is Slopsquatting? The AI Package Hallucination Attack Already Happening SvelteSpill: A Cache Deception Bug in SvelteKit + Vercel Top 6 Wiz Code Alternatives Aikido recognized as Platform Leader in Latio Tech's 2026 Application Security Report From detection to prevention: How Zen stops IDOR vulnerabilities at runtime npm backdoor lets hackers hijack gambling outcomes Introducing Upgrade Impact Analysis: When breaking changes actually matter to your code Why Trying to Secure OpenClaw is Ridiculous Claude Opus 4.6 found 500 vulnerabilities. What does this change for software security? Introducing Aikido Expansion Packs: Safer defaults inside the IDE International AI Safety Report 2026: What It Means for Autonomous AI Systems Self-Securing Software: What It Is, Why It Matters, and How It Works npx Confusion: Packages That Forgot to Claim Their Own Name What Is Continuous Pentesting? Introducing Aikido Package Health: a Better Way to Trust Your Dependencies AI Pentesting: Minimum Safety Requirements for Security Testing Secure SDLC for Engineering Teams (+ Checklist) Fake Clawdbot VS Code Extension Installs ScreenConnect RAT G_Wagon: npm Package Deploys Python Stealer Targeting 100+ Crypto Wallets Gone Phishin': npm Packages Serving Custom Credential Harvesting Pages Malicious PyPI Packages spellcheckpy and spellcheckerpy Deliver Python RAT Top 10 AI Security Tools For 2026 Agent Skills Are Spreading Hallucinated npx Commands Understanding Open-Source License Risk in Modern Software The CISO Vibe Coding Checklist for Security Top 6 Graphite alternatives for AI code review in 2026 From “No Bullsh*t Security” to $1B: We Just Raised Our $60m Series B Critical n8n Vulnerability Allows Unauthenticated Remote Code Execution (CVE-2026-21858) Top 14 VS Code Extensions for 2026 AI-Driven Pentesting of Coolify: Seven CVEs Identified Top Continuous Pentesting Tools in 2026 SAST vs SCA: Securing the Code You Write and the Code You Depend On JavaScript, MSBuild, and the Blockchain: Anatomy of the NeoShadow npm Supply-Chain Attack How Engineering and Security Teams Can Meet DORA’s Technical Requirements IDOR Vulnerabilities Explained: Why They Persist in Modern Applications Shai Hulud strikes again - The golden path MongoBleed: MongoDB Zlib Vulnerability (CVE-2025-14847) and How to Fix It First Sophisticated Malware Discovered on Maven Central via Typosquatting Attack on Jackson The Fork Awakens: Why GitHub’s Invisible Networks Break Package Security Top 10 Cyber Security Tools For 2026 SAST in the IDE is now free: Moving SAST to where development actually happens The Top 7 Threat Intelligence Tools in 2026 React & Next.js DoS Vulnerability (CVE-2025-55184): What You Need to Fix After React2Shell OWASP Top 10 for Agentic Applications (2026): What Developers and Security Teams Need to Know DAST vs Pentesting v AI Pentesting: Why DAST Cannot Replace Modern Pentesting PromptPwnd: Prompt Injection Vulnerabilities in GitHub Actions Using AI Agents Top 7 Cloud Security Vulnerabilities Critical React & Next.js RCE Vulnerability (CVE-2025-55182): What You Need to Fix Now How to Comply With the UK Cybersecurity & Resilience Bill: A Practical Guide for Modern Engineering Teams Shai Hulud 2.0: What the Unknown Wonderer Tells Us About the Attackers’ Endgame SCA Everywhere: Scan and Fix Open-Source Dependencies in Your IDE Safe Chain now enforces a minimum package age before install Shai Hulud Attacks Persist Through GitHub Actions Vulnerabilities Shai Hulud Launches Second Supply-Chain Attack: Zapier, ENS, AsyncAPI, PostHog, Postman Compromised CORS Security: Beyond Basic Configuration Revolut Selects Aikido Security to Power Developer-First Software Security The Future of Pentesting Is Autonomous How Aikido and Deloitte are bringing developer-first security to enterprise Secrets Detection: A Practical Guide to Finding and Preventing Leaked Credentials Invisible Unicode Malware Strikes OpenVSX, Again AI as a Power Tool: How Windsurf and Devin Are Changing Secure Coding Building Fast, Staying Secure: Supabase’s Approach to Secure-by-Default Development OWASP Top 10 2025: Official List, Changes, and What Developers Need to Know Top 10 JavaScript Security Vulnerabilities in Modern Web Apps The Return of the Invisible Threat: Hidden PUA Unicode Hits GitHub repositorties Top 7 Black Duck Alternatives in 2026 What Is IaC Security Scanning? Terraform, Kubernetes & Cloud Misconfigurations Explained AutoTriage and the Swiss Cheese Model of Security Noise Reduction Top Software Supply Chain Security Vulnerabilities Explained The Top 7 Kubernetes Security Tools Top 10 Web Application Security Vulnerabilities Every Team Should Know What Is CSPM (and CNAPP)? Cloud Security Posture Management Explained
AI Pentesting in Action: A TL;DV Recap of Our Live Demo
Trusha Sharma · 2025-12-15 · via Aikido Security's Blog

If you missed the live walkthrough of Aikido AI Pentesting, here is the short version of what happened. We set up a real application, configured the assessment, and watched the agents test live flows, explore the app, and surface confirmed findings with full traces.

Pentesting is one of the slowest parts of modern security. Teams deploy every day, while offensive testing still happens once a year and arrives as a static PDF that is already outdated. The demo opened with this gap, then immediately moved into showing how Aikido Attack works inside the product.

Setting up a pentest in Aikido feels like briefing a red team. You define the scope in plain language, choose which domains agents may attack and which must remain reachable, and describe the authentication flow exactly as you would to a human tester. You can include MFA, SSO flows, redirects, or multi-step sequences. The agents follow it.

You can also connect repositories and upload context like API specs, earlier reports, and documentation. More context improves the assessment, which is consistent across both the demo and our documentation.

Once the run began, the dashboard populated with agent terminals and browser sessions. You could watch them explore routes, execute attack attempts, adapt when something succeeded, and validate findings directly in the live environment. Every action was visible, down to request logs and screenshots.

The findings page showed confirmed vulnerabilities with full traces and reproduction steps.

One example in the live session was an improper access control issue where private notes could be fetched through an API call.

Another was a command injection that AutoFix could repair automatically. With one click, the platform generated a pull request and allowed a retest to confirm the fix.

Aikido’s platform is the biggest advantage. Because the product already understands your repositories, your security context, and how your application behaves, the agents test with background knowledge that traditional approaches lack. That context improves the depth of the assessment and allows AutoFix to produce meaningful, targeted fixes.

The session ended with the audit-ready PDF report and a Q&A covering scope control, validation, business logic testing, and how continuous pentesting will fit into normal development workflows.

AI Pentesting FAQs

What is AI pentesting inside Aikido?

Aikido uses coordinated agents that explore the application, follow real user flows, test attack paths, and validate exploitability. They use a browser, a terminal environment, and an HTTP client. When you connect code and upload context, the agents reason through logic and intended behavior instead of relying on static payloads.

The result is a pentest that adapts, explores, and validates.

read more → https://help.aikido.dev/pentests/aikido-pentest

How is this different from traditional DAST tools?

DAST tools rely on fixed patterns. They struggle with authentication steps, roles, and multi-step workflows. They also tend to produce noise.

Aikido Attack behaves more like human offensive testing. Agents read context, plan actions, execute attacks, observe outcomes, and adjust. Every finding must be validated in the target environment before it appears in the report.

What kinds of issues can the agents find?

Everything expected from a penetration test:

  • SQL injection
  • Command injection / RCE
  • XSS
  • SSRF
  • Broken access control
  • IDOR / BOLA
  • Authentication flaws
  • Unsafe or sensitive API paths

And critically, business logic issues that depend on understanding how the application is supposed to behave.

In the demo, the agents identified a private data exposure through an API. In customer environments, they have found permission mismatches, workflow bypasses, and cross-tenant data access issues.

More details → https://help.aikido.dev/pentests/what-issues-can-aikido-pentest-find

Can it really detect IDOR and business logic flaws?

Yes. When the platform understands roles, data flows, and expected behavior, the agents can test whether users can access or modify resources they should not. In several comparisons with human penetration testers, the autonomous run surfaced more logic flaws.

More details → https://help.aikido.dev/pentests/understanding-and-detecting-idor-vulnerabilities

How do you prevent hallucinations or false positives?

The agents may generate hypotheses, but the platform does not trust them until they are validated.

For each proposed issue, Aikido runs a reproducibility test directly against the target.

Only validated findings appear in the report.

How do you keep the pentest safe and in scope?

You define:

  • Attackable domains
  • Reachable but non-attackable domains
  • Authentication instructions
  • Maximum number of agents
  • Allowed testing hours

All network traffic flows through a proxy that blocks anything outside scope.

Pre-flight checks confirm that authentication and connectivity work before the run begins.

If pre-flight fails, credits are refunded. A panic button stops the test within seconds.

more details on scope → https://help.aikido.dev/pentests/scope-of-assessment

Is the final report accepted for SOC 2 and ISO 27001?

Yes. The generated PDF includes methodology, scope, issue details, reproduction steps, and remediation guidance.

Customers already use these reports for SOC 2, ISO 27001, and vendor assessments.

You can also download a sample PDF report here: https://www.aikido.dev/attack/aipentest#report

How does AI pentesting compare to a human pentest?

This was covered in the demo. For web applications, the autonomous run delivers coverage comparable to a manual pentest, and in multiple cases it uncovered logic flaws the human team missed.

Our whitepaper findings match this: AI identified deep logic issues such as IDORs, authentication bypasses, and e-signature forgeries that humans overlooked, while humans tended to focus more on configuration and compliance.

AI finishes in hours instead of weeks.

Most teams use AI pentesting as the foundation and add human review when needed.

Do I need to give access to my code?

You don’t have to, but connecting repositories makes the assessment significantly stronger. With code access, the agents can understand logic paths, data rules, roles, and workflow assumptions. That context improves coverage and reduces guesswork.

Black-box mode still works, but it is naturally slower and less complete because the agents have to infer structure from the outside.

How does pricing work?

Three common entry points:

  • Feature Pentest: CI/CD and new feature deployments
  • Standard Pentest: Comprehensive audit
  • Advanced Pentest: Deeper analysis of mature applications
  • Enterprise (Custom Pricing): For organizations with advanced offensive testing needs

A more detailed breakdown is available here: https://www.aikido.dev/attack/aipentest

What role does AutoFix play?

AutoFix takes a confirmed vulnerability and turns it into a concrete code change. In the demo, a command-injection finding produced a pull request with the exact fix.

The value is the loop:

Attack finds → AutoFix proposes a PR → you merge → Attack retests the fix.

Because Aikido already understands your repositories and structure, the fixes are targeted and the verification is immediate.

How does retesting work?

You can retest any issue as many times as needed for three months after the assessment. Each retest launches new agents to attempt the exploit again and ensure the fix holds.

Where is this heading next?

Two directions discussed in the demo:

  • Smoother onboarding with improved pre-flight checks and automatic credit estimation.
  • Continuous pentesting. Running Attack on staging by default, triggering it on deployments or pull requests, and shifting from a yearly PDF to ongoing verification.

Pentesting becomes part of how you ship.

See it yourself