Skip to main content
Phase 2 of Indie Security’s assessment leverages AI agents to identify, exploit, and validate vulnerabilities across your application surface discovered in Phase 1.

Overview

The Analysis Phase combines AI-driven testing with human analyst verification:

Analysis Modes

Best for: Continuous security monitoringThe AI agent autonomously:
  • Prioritizes high-risk endpoints
  • Chains vulnerabilities together
  • Adapts testing based on findings
  • Optimizes for coverage vs depth
Recommended for CI/CD integration and regular assessments.

Vulnerability Categories

  • SQL Injection: Error-based, blind, time-based, UNION-based
  • NoSQL Injection: MongoDB, Redis command injection
  • Command Injection: OS command execution
  • LDAP Injection: Directory traversal
  • XPath Injection: XML document exploitation
  • Reflected XSS: URL parameter reflection
  • Stored XSS: Persistent script injection
  • DOM-based XSS: Client-side JavaScript manipulation
  • Template Injection: Server-Side Template Injection (SSTI)
  • IDOR: Insecure Direct Object References
  • Privilege Escalation: Vertical/horizontal access bypass
  • Forced Browsing: Unauthorized resource access
  • Function-Level Access: Missing authorization checks
  • SSRF: Server-Side Request Forgery
  • XXE: XML External Entity injection
  • File Inclusion: LFI/RFI vulnerabilities
  • Path Traversal: Directory traversal attacks
  • Race Conditions: TOCTOU vulnerabilities
  • Workflow Bypass: State manipulation
  • Parameter Pollution: HTTP parameter injection
  • Mass Assignment: Object property manipulation
  • Session Management: Fixation, prediction, hijacking
  • Password Policies: Weak credentials
  • Multi-Factor Bypass: 2FA implementation flaws
  • JWT Attacks: Algorithm confusion, key leakage

Exploitation Evidence

Each validated finding includes comprehensive evidence:

Proof of Concept

Working exploit code that demonstrates the vulnerability.

Screenshots

Visual evidence of successful exploitation.

Request/Response

Full HTTP traffic showing the attack and response.

Impact Analysis

Business impact assessment and risk scoring.
{
  "id": "vuln_abc123",
  "type": "sql_injection",
  "severity": "critical",
  "endpoint": "POST /api/users/search",
  "parameter": "query",
  "payload": "' OR '1'='1",
  "evidence": {
    "request": "POST /api/users/search HTTP/1.1...",
    "response": "HTTP/1.1 200 OK...[500 user records]",
    "screenshot_url": "/evidence/vuln_abc123.png"
  },
  "business_impact": "Full database access - all user records exposed",
  "remediation": "Use parameterized queries..."
}

Human Analyst Verification

Critical findings receive human review:
1

AI Detection

AI agent identifies potential vulnerability and creates initial finding.
2

Automated Validation

Exploit is verified through successful execution.
3

Confidence Scoring

Finding receives confidence score (Low/Medium/High/Critical).
4

Human Review

Security analyst verifies high-impact findings and refines context.
5

Remediation Guidance

Detailed fix recommendations with code examples added.

Real-Time Monitoring

Track analysis progress from the dashboard:
  • Live vulnerability count
  • Coverage percentage
  • Endpoints tested vs remaining
  • Attack success rate
Enable notifications to receive alerts when critical vulnerabilities are discovered.

Next Steps

Managing Findings

Learn how to triage and remediate discovered vulnerabilities.

Generate Reports

Create stakeholder-ready PDF reports.