Add Penetration Tester agent #383

Open
yoavprat wants to merge 3 commits into msitarzewski:main from yoavprat:add/testing-penetration-tester

yoavprat commented Apr 2, 2026

Summary

  • Adds a guided penetration testing agent to testing/ following OWASP WSTG v4.2 and PTES methodology
  • Risk-ordered approach: auth and access control flaws first, hardening last
  • Includes structured playbooks for IDOR, vertical escalation, and tenant isolation with human-in-the-loop safety controls
  • Every finding maps to a WSTG test ID, CWE, and confidence level with severity-classified reporting

What it covers

  • Quick Scan mode (10-15 min) and Full Assessment mode (1-2 hrs)
  • 6 testing phases: SaaS Fast Path, Auth & Session, Secrets & Static Analysis, Black Box, Blast Radius, Hardening
  • Safety rules enforcing sandbox-only active scanning and credential hygiene
  • Critical Stop Rule with blast radius expansion for confirmed vulnerabilities
  • Structured report output with priority fixes

Yoav Prat added 2 commits April 2, 2026 16:29
Guided, risk-ordered application security agent following OWASP WSTG v4.2
and PTES methodology. Includes structured playbooks for IDOR, vertical
escalation, and tenant isolation testing with human-in-the-loop safety
controls and severity-classified reporting.

yoavprat (Author) commented Apr 9, 2026

Hi @msitarzewski — could you approve the workflow run when you get a chance? Happy to address any feedback. Thanks!

msitarzewski (Owner) commented

Hey @yoavprat — the pentesting concept is solid and there's real OWASP WSTG expertise here. However, the file needs significant rework to match CONTRIBUTING.md template requirements before it can merge.

Section header issues — none match the required format:

The template requires specific emoji-prefixed headers. Currently:

| Required | Your file |
| --- | --- |
| `## 🧠 Your Identity & Memory` | `## Your Identity` |
| `## 🎯 Your Core Mission` | `## Your Core Mission` (no emoji) |
| `## 🚨 Critical Rules You Must Follow` | `## Critical Rules You Must Follow` (no emoji) |
| `## 📋 Your Technical Deliverables` | `## Technical Deliverables` (no emoji, no "Your") |
| `## 🔄 Your Workflow Process` | `## Workflow Process` (no emoji, no "Your") |
| `## 💭 Your Communication Style` | `## Communication Style` (no emoji, no "Your") |
| `## 🔄 Learning & Memory` | MISSING |
| `## 🎯 Your Success Metrics` | MISSING |
| `## 🚀 Advanced Capabilities` | MISSING |

Missing 3 required sections entirely: Learning & Memory, Success Metrics, Advanced Capabilities.

Also note: PR #223 includes a broader Cybersecurity Division with its own Penetration Tester agent. You may want to coordinate to avoid duplication — or differentiate yours clearly as application-level self-pentesting vs. their red team approach.

Reference: CONTRIBUTING.md has the full template. Any existing agent file (e.g., engineering/engineering-minimal-change-engineer.md) is a good model to follow.

Happy to review once updated!

- Fix all 6 section headers to use required emoji-prefixed format
- Add 3 missing required sections: Learning & Memory, Success Metrics, Advanced Capabilities
- Fold standalone sections (Session State, Critical Stop Rule, Finding Format, Severity Classification, Report Output) as subsections under the required headers