AI pen-test scans
An AI pen-test scan turns Vortex into an agentic, ML-driven pen-tester. Instead of running a fixed checklist, it reasons about your application the way a human attacker would: it explores, forms hypotheses, and attempts to exploit what it finds — working through distinct phases and narrating its reasoning as it goes.
The AI pen-tester is generally available on Growth and higher.
What it does
The AI pen-test works in four phases, shown as a timeline on the report. The phase indicator advances as the scan progresses, so you can watch it move from reconnaissance toward exploitation in real time.
| Phase | What happens |
|---|---|
| Reconnaissance | Maps the application, discovers surfaces, and gathers context |
| Vulnerability Scanning | Probes the discovered surfaces for weaknesses |
| Exploitation | Attempts to actively exploit promising findings to confirm impact |
| Reporting | Consolidates confirmed findings into the report |
The thought trail
Throughout the scan, the report shows a live thought trail — a running log of the AI’s reasoning. You can follow why it chose a particular surface, what it tried, and what it concluded. This makes the results auditable: you see not just what was found but how.
Run an AI pen-test
- Go to Vortex → Run scan.
- Choose your target site.
- Set the scan type to AI.
- Choose an intensity — higher intensities let the pen-tester go deeper.
- Optionally scope the test to specific routes. If you’ve configured routes for the site, you can point the pen-tester at the whole site or narrow it to particular routes.
- Optionally attach test users for authenticated testing (see below).
- Launch, then watch the phase timeline and thought trail on the report page.
Authenticated testing
To let the pen-tester reach surfaces behind a login, attach pre-configured test users when you launch. The AI signs in with those credentials and reasons about the authenticated parts of your application — often where the most serious issues live. Configure test users ahead of time so they’re ready to attach — see Authenticated scanning.
Plan and credit notes
- The AI pen-tester generally requires Growth or higher. If the AI scan type is unavailable, your plan may need an upgrade — check pricing in the app.
- Acting on a finding with Fix with AI consumes a remediation credit and requires a connected version-control integration — see AI remediation.
Next steps
- Reading a Vortex report — including the AI phase timeline.
- Findings & accepting risk
- AI remediation