AI Agents
Learn about the 8 specialized AI agents that power PreBreach scans, how they coordinate, and which security domains they cover.
PreBreach scans are powered by 8 specialized AI agents, each focused on a distinct security domain. Rather than running a single monolithic scanner, PreBreach decomposes the penetration testing workflow into targeted operations that mirror how a human red team divides responsibilities.
Architecture Overview
Every scan follows a three-phase architecture:
- Reconnaissance -- The Recon Analysis agent collects and structures information about the target domain, including DNS records, HTTP headers, technology fingerprints, exposed endpoints, and public-facing assets.
- Orchestration -- The orchestrator analyzes the recon data and determines which agents to deploy. If the target runs a JavaScript framework with an API layer, for example, the orchestrator activates the Client-Side, API Security, and Injection agents. If authentication endpoints are detected, the Authentication and Authorization agents are queued.
- Parallel Execution -- The selected agents run concurrently, each probing its designated attack surface. Findings from every agent are collected, deduplicated, and passed to the multi-model validation pipeline.
This architecture ensures that scan time scales efficiently. Agents that are not relevant to the target's technology stack are skipped entirely, reducing both execution time and noise.
Model and Cost Efficiency
All agents are powered by Claude Opus with prompt caching enabled. Prompt caching allows the model to reuse previously computed context across agent invocations within the same scan, significantly reducing token consumption and cost. The result is enterprise-grade analysis at a fraction of the cost of traditional penetration testing engagements.
The 8 Agents
1. Authentication Agent
OWASP Coverage: A07:2021 -- Identification and Authentication Failures
Tests for weaknesses in login flows, session management, credential handling, and multi-factor authentication. Checks include brute-force resistance, session fixation, token entropy, password policy enforcement, and account enumeration vectors.
2. Authorization Agent
OWASP Coverage: A01:2021 -- Broken Access Control
Probes for privilege escalation paths, insecure direct object references (IDOR), missing function-level access controls, and horizontal/vertical authorization bypasses. This agent maps user roles and tests whether lower-privileged users can access restricted resources.
3. Injection Agent
OWASP Coverage: A03:2021 -- Injection, A10:2021 -- Server-Side Request Forgery (SSRF)
Tests input handling across all detected entry points for SQL injection, NoSQL injection, command injection, LDAP injection, SSRF, and template injection. The agent crafts context-aware payloads based on the detected backend technology.
4. Infrastructure Agent
OWASP Coverage: A02:2021 -- Cryptographic Failures, A05:2021 -- Security Misconfiguration
Evaluates server configuration, TLS/SSL implementation, exposed administrative interfaces, default credentials, unnecessary open ports, and misconfigured cloud services. Also assesses cryptographic practices including certificate validity, cipher suite strength, and key management.
5. Business Logic Agent
OWASP Coverage: A04:2021 -- Insecure Design
Targets vulnerabilities that arise from flawed application logic rather than implementation bugs. Tests include price manipulation, workflow bypasses, rate limiting gaps, race conditions, and abuse of legitimate features for unintended outcomes. Business logic flaws are notoriously difficult to detect with traditional scanners, making AI-driven analysis especially valuable here.
6. Client-Side Agent
OWASP Coverage: A03:2021 -- Injection, A08:2021 -- Software and Data Integrity Failures
Focuses on browser-executed code including cross-site scripting (XSS), DOM manipulation, insecure client-side storage, postMessage vulnerabilities, and subresource integrity failures. The agent renders pages in a headless browser to detect runtime-only issues that static analysis misses.
7. API Security Agent
OWASP Coverage: A01:2021 -- Broken Access Control, A03:2021 -- Injection
Specifically targets API endpoints discovered during reconnaissance. Tests include mass assignment, excessive data exposure, broken object-level authorization, rate limiting, improper input validation on API parameters, and GraphQL-specific vulnerabilities when applicable.
8. Recon Analysis Agent
OWASP Coverage: A05:2021 -- Security Misconfiguration, A06:2021 -- Vulnerable and Outdated Components
The first agent to run on every scan. Performs passive and active reconnaissance to build a comprehensive target profile. Outputs include subdomain enumeration, technology stack detection, endpoint discovery, exposed files and directories, version fingerprinting, and identification of known vulnerable components.
The Recon Analysis agent's output feeds directly into the orchestrator, which uses it to determine the optimal combination of agents for the target.
Agent Coordination
Agents operate independently but share a common context layer. When one agent discovers an endpoint or parameter that is relevant to another agent's domain, that information is available for cross-referencing during validation. This coordination eliminates blind spots that occur when security tools operate in complete isolation.
After all agents complete their work, findings are deduplicated and sent to the multi-model validation pipeline for independent assessment before they appear in your report.
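The following sketch is an added example, not PreBreach's own code. It applies the two selection rules given under Orchestration, uses the OWASP coverage listed for each agent to report which Top 10 (2021) categories a given scan leaves untested, and merges duplicate findings from agents whose coverage overlaps. The profile keys, finding fields and deduplication key are assumptions.

```python
# Agent -> OWASP Top 10 (2021) categories, copied from the agent list on this page.
COVERAGE = {
    "Authentication": {"A07"},
    "Authorization": {"A01"},
    "Injection": {"A03", "A10"},
    "Infrastructure": {"A02", "A05"},
    "Business Logic": {"A04"},
    "Client-Side": {"A03", "A08"},
    "API Security": {"A01", "A03"},
    "Recon Analysis": {"A05", "A06"},
}
ALL_2021 = {f"A{n:02d}" for n in range(1, 11)}
KEY = ("category", "endpoint", "parameter")  # assumed identity of a finding

def select_agents(profile):
    """Apply the two selection rules the page states (profile keys are hypothetical)."""
    selected = ["Recon Analysis"]  # the first agent to run on every scan
    if profile.get("js_framework") and profile.get("api_layer"):
        selected += ["Client-Side", "API Security", "Injection"]
    if profile.get("auth_endpoints"):
        selected += ["Authentication", "Authorization"]
    return selected

def untested_categories(selected):
    """Categories no selected agent covers: what this scan's report is silent on."""
    covered = set().union(*(COVERAGE[a] for a in selected))
    return sorted(ALL_2021 - covered)

def dedupe(findings):
    """Merge the same issue reported by several agents, keeping who reported it."""
    merged = {}
    for f in findings:
        key = tuple(f[k] for k in KEY)
        entry = merged.setdefault(key, {**{k: f[k] for k in KEY}, "agents": []})
        if f["agent"] not in entry["agents"]:
            entry["agents"].append(f["agent"])
    return list(merged.values())

# Constructed sample findings; two agents that both cover A03 report the same issue.
SAMPLE_FINDINGS = [
    {"agent": "Injection", "category": "A03", "endpoint": "/api/search", "parameter": "q"},
    {"agent": "API Security", "category": "A03", "endpoint": "/api/search", "parameter": "q"},
    {"agent": "Client-Side", "category": "A08", "endpoint": "/checkout", "parameter": "script[src]"},
]

if __name__ == "__main__":
    chosen = select_agents({"js_framework": True, "api_layer": True})
    print(chosen, untested_categories(chosen))
    print(dedupe(SAMPLE_FINDINGS))
```

Reading a report alongside the untested list shows which categories were out of scope for that scan, as opposed to tested and clean.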
Next Steps
- Multi-Model Validation -- Learn how findings are validated by independent AI models to minimize false positives.
- Understanding Findings -- Explore the anatomy of a finding including severity, CVSS scores, and remediation guidance.