AI agents that systematically test your web applications against OWASP standards. Launch a full-scope assessment with a single click. Now in private beta.
SCARAB is an autonomous penetration testing platform that uses AI agents to systematically assess the security of your web applications and APIs. Instead of point-and-click scanners that check for known signatures, SCARAB deploys a team of specialized agents — each an expert in a different domain of security testing — that reason, adapt, and collaborate like a human penetration testing team.
Every assessment is grounded in industry-standard methodology with comprehensive coverage across reconnaissance, authentication, injection, authorization, configuration, business logic, and client-side testing. Results stream to your dashboard in real time, complete with evidence and remediation guidance. When testing is complete, generate formal PDF reports with AI-powered executive summaries, track finding remediation status, and get notified via Slack as vulnerabilities are discovered.
Add your target URL, configure scope rules, and provide credentials for authenticated testing. SCARAB validates connectivity and supports multi-role testing with separate user and admin accounts.
Choose a checklist preset — OWASP Top 10, API Top 10, or the full WSTG with 82 test cases. Pick your AI model, set agent iterations, and launch. Assessments run in isolated cloud containers or on your own infrastructure.
Watch findings stream in real time with full HTTP evidence. Get Slack notifications as vulnerabilities are discovered. When complete, generate a formal PDF penetration testing report with an AI-powered executive summary.
Six specialist agents coordinate through shared state. No fixed playbooks — agents reason about what to test and adapt to what they find, just like a human pentester would.
Server-sent events stream every finding, endpoint, and checklist update to your browser as it happens. Full visibility into what each agent is doing and why.
Choose from curated checklist presets — OWASP Top 10, API Top 10, or the full WSTG with 82 test cases. Track progress with per-item status and visual completion rings.
Every finding includes the complete HTTP request and response that triggered it. No finding is reported without proof: every vulnerability is demonstrated with reproducible evidence.
Generate formal penetration testing reports ready for stakeholders. Each report includes an AI-powered executive summary, detailed findings, severity breakdowns, and remediation guidance.
Connect your Slack workspace to receive real-time notifications as findings are discovered. Configure per-assessment channel overrides and get severity summaries delivered automatically.
Run assessments in SCARAB’s managed cloud infrastructure on AWS, or deploy on-premises runners in your own environment. Customer-managed runners poll for work and report results back securely.
Collaborate with role-based access control across multiple workspaces. Invite team members as owners, admins, or members. Share findings, assessments, and applications across your organization.
Bring your own Anthropic API key or use platform credits. Choose models per assessment, add a reviewer model for higher accuracy, and configure up to 400 agent iterations for deep testing.
Six specialist agents, each responsible for a different domain of security testing.
Server fingerprinting, endpoint discovery, technology mapping, API documentation analysis, and application route extraction.
Credential testing, session management, MFA bypass, password reset flaws, cookie security, session fixation, and cross-site request forgery.
Platform configuration, HTTP methods, security headers, error handling, stack trace leakage, TLS/SSL scanning, and encryption verification.
Cross-site scripting, SQL injection, command injection, template injection, server-side request forgery, path traversal, and more.
Insecure direct object references, privilege escalation, authorization bypass, and cross-role comparison testing with multi-credential support.
Workflow bypass, race conditions, constraint violations, and application-specific logic flaws that traditional scanners miss entirely.
SCARAB is currently in private beta. Pricing plans will be available at launch.
Pay only for the tokens you use
Tailored to your organization’s requirements
SCARAB is currently in private beta. Sign up below to get early access and be among the first to try autonomous penetration testing.