AWE: Adaptive Agents for Dynamic Web Penetration Testing
Akshat Singh Jaswal, Ashish Baghel

TL;DR
AWE is a multi-agent framework that uses structured analysis, memory, and lightweight LLMs to improve the accuracy, efficiency, and reproducibility of web penetration testing, especially for injection vulnerabilities.
Contribution
We introduce AWE, a novel adaptive multi-agent system integrating vulnerability-specific pipelines with LLMs for deterministic web security testing.
Findings
Achieves 87% XSS success rate, 66.7% blind SQL injection success.
Faster, cheaper, and more token-efficient than MAPTA.
Demonstrates architecture's importance alongside model reasoning capabilities.
Abstract
Modern web applications are increasingly produced through AI-assisted development and rapid no-code deployment pipelines, widening the gap between accelerating software velocity and the limited adaptability of existing security tooling. Pattern-driven scanners fail to reason about novel contexts, while emerging LLM-based penetration testers rely on unconstrained exploration, yielding high cost, unstable behavior, and poor reproducibility. We introduce AWE, a memory-augmented multi-agent framework for autonomous web penetration testing that embeds structured, vulnerability-specific analysis pipelines within a lightweight LLM orchestration layer. Unlike general-purpose agents, AWE couples context-aware payload mutations and generations with persistent memory and browser-backed verification to produce deterministic, exploitation-driven results. Evaluated on the 104-challenge XBOW…
Taxonomy
Topics: Web Application Security Vulnerabilities · Software Testing and Debugging Techniques · Security and Verification in Computing
