Hybrid Testing Methodology

Overview

Pensar uses a hybrid testing methodology that combines source code analysis with live exploitation against your running applications. Rather than choosing between blackbox or whitebox testing, Pensar’s AI agents leverage every available source of information — source code, live domains, authentication credentials, API schemas — to deliver the highest-precision pentest findings.

We strongly encourage providing both source code access and live domain credentials. The more context the agent has, the more thorough and accurate the results. With Pensar’s hybrid approach, this isn’t a matter of cost or time — the agent can use all these sources simultaneously for maximum coverage.

Why Hybrid Testing?

Traditional pentesting forces a choice: test from the outside (blackbox) or analyze the code (whitebox). Each approach alone has blind spots:

Code analysis alone finds potential vulnerabilities but can’t confirm exploitability against a live system
Live testing alone misses vulnerabilities hidden in code paths that are hard to discover externally

Pensar eliminates this tradeoff. The AI agent uses source code to understand your application’s internals, then validates findings against your live environment with real exploitation — producing confirmed, high-confidence results with full proof-of-concepts.

Source Code Analysis

Understand all routes, data flows, authentication logic, and business rules from your codebase.

Live Exploitation

Validate vulnerabilities against running applications with real proof-of-concept exploits.

Credential-Aware Testing

Test authenticated endpoints, authorization logic, and privilege boundaries using your provided credentials.

How It Works

Provide Your Sources

Connect your source code (via VCS integration or zip upload) and add the domains where your application is deployed. Provide authentication credentials for testing protected areas.

Source Code Analysis

AI agents analyze your codebase to understand:

Application architecture and data flows
All routes, endpoints, and entry points
Authentication and authorization logic
Database schemas and queries
Third-party dependencies and integrations

Attack Surface Generation

Using source code insights combined with live domain reconnaissance, Pensar generates a comprehensive attack surface map with detailed understanding of each endpoint’s internal behavior.

Hybrid Exploitation

The AI agent executes pentest objectives with full knowledge of the application internals, testing against your live environment — with and without authentication — for maximum precision.

Results & Reporting

Findings include precise code locations, proof-of-concept exploits validated against the live system, and actionable remediation guidance. Reports are generated automatically in compliance-ready formats.

What You Should Provide

The agent can work with whatever you give it, but providing all three sources unlocks the full power of hybrid testing:

Source Code (Strongly Recommended)

Live Domains (Strongly Recommended)

Authentication Credentials (Strongly Recommended)

Source code access enables the agent to understand your application from the inside out:

VCS Integration: Connect GitHub, GitLab, or Bitbucket for automatic repository analysis
Zip Upload: Upload source code directly for one-time assessments
Benefits: Complete code path coverage, precise vulnerability localization, auto-remediation with AI-generated patches

Source code access transforms the quality of findings. The agent maps every vulnerability to specific files, functions, and line numbers — and can generate verified fixes automatically.

Testing Approaches

Depending on your infrastructure, hybrid testing can execute against different environments:

Sandbox Testing

Live Environment Testing

If your application is configured for sandbox deployment, Pensar can:

Create an isolated sandbox environment using container technology
Clone your repository into the sandbox
Automatically detect and start your development environment
Execute comprehensive testing with full environment access
Tear down the environment when testing completes

Sandbox testing is ideal for applications with complex dependencies, providing safe, isolated testing with automatic environment setup. Learn more about sandbox configuration.

What the Agent Tests

Pensar’s hybrid methodology covers vulnerabilities from industry-standard frameworks, enhanced by source-code-aware precision:

OWASP Top 10

Complete coverage of the OWASP Top 10 web application security risks including:

Broken Access Control
Cryptographic Failures
Injection
Insecure Design
Security Misconfiguration
Vulnerable and Outdated Components
Identification and Authentication Failures
Software and Data Integrity Failures
Security Logging and Monitoring Failures
Server-Side Request Forgery (SSRF)

OWASP API Top 10

Specialized testing for API endpoints:

Broken Object Level Authorization (BOLA/IDOR)
Broken User Authentication
Excessive Data Exposure
Lack of Resources & Rate Limiting
Broken Function Level Authorization
Mass Assignment
Security Misconfiguration
Injection
Improper Assets Management
Insufficient Logging & Monitoring

Code-Level Vulnerabilities

With source code access, the agent detects vulnerabilities that require internal knowledge:

Hardcoded credentials and secrets
Insecure cryptographic implementations
Race conditions in concurrent code
Memory safety issues
Unsafe deserialization
Path traversal vulnerabilities in file operations

Business Logic Flaws

Source code understanding enables detection of complex business logic vulnerabilities:

Improper authorization checks
State management issues
Price manipulation vulnerabilities
Workflow bypass vulnerabilities
Time-of-check to time-of-use (TOCTOU) issues

Data Flow Vulnerabilities

Trace data flows through your application:

SQL injection across multiple layers
XSS vulnerabilities through template rendering
Command injection in system calls
Sensitive data exposure in logs
Insecure data storage

Dependency Vulnerabilities

Analyze third-party dependencies:

Known vulnerable package versions
Insecure dependency configurations
Supply chain security risks
Outdated framework versions

Additional Testing

Beyond standard frameworks, testing includes:

Business logic vulnerabilities
Race conditions
CSRF and clickjacking
Information disclosure
Session management flaws
CORS misconfigurations

Proof-of-Concept Generation

For every vulnerability discovered, Pensar automatically generates a proof-of-concept (POC) validated against your live environment:

Verify the vulnerability exists and is exploitable
Understand the attack methodology
Reproduce the issue in your own testing
Validate that fixes resolve the vulnerability

POCs are provided in multiple formats including curl commands, HTTP requests, and scripted exploits when applicable.

Example POC

For an SQL injection vulnerability, a POC might include:

$ curl -X POST https://example.com/api/login \
>   -H "Content-Type: application/json" \
>   -d '{
>     "username": "admin'\'' OR 1=1--",
>     "password": "anything"
>   }'
$ 
$ # Expected behavior: Authentication bypass due to SQL injection
$ # Affected code: src/auth/login.ts:45 (parameterized query missing)

Code-to-Vulnerability Mapping

With source code access, every vulnerability is mapped to precise locations in your codebase:

Affected Files: Exact file paths where the vulnerability exists
Line Numbers: Specific lines of code containing the vulnerability
Code Context: Surrounding code for understanding the issue
Data Flow: How user input reaches the vulnerable code
Proof-of-Concept: Working exploit validated against the live system
Fix Recommendation: Specific code changes to remediate the issue

This precise mapping is what enables auto-remediation — AI-generated patches verified against your codebase and live environment.

Penetration Test Reports

When testing completes, a comprehensive report is generated including:

Executive Summary

High-level overview of findings, risk assessment, and business impact for stakeholders.

Technical Details

In-depth vulnerability descriptions, affected endpoints, code locations, and technical analysis.

Proof-of-Concepts

Reproducible exploits validated against the live system for each finding.

Remediation Guidance

Specific recommendations and code examples for fixing each vulnerability.

Reports are available for download in multiple formats for compliance, audit, and documentation purposes. Learn more about pentest reports.

Continuous Testing

Integrate hybrid testing into your development workflow:

Pull Request Scanning

Automatically test changes in pull requests:

Tests run on every PR
Focus on changed files and affected code paths
Results posted as PR comments
Block merging if critical vulnerabilities are found

Commit-Based Scanning

Test on every commit to specific branches:

Continuous security validation
Rapid feedback on new code
Prevent vulnerabilities from reaching production

On-Demand & Scheduled

Run comprehensive tests whenever needed:

Launch tests manually at any time
Set up recurring tests (daily, weekly, monthly)
Monitor for new attack surfaces with automatic testing

Best Practices

Provide Everything You Can

The hybrid methodology shines when the agent has maximum context:

Connect your source code via VCS integration
Add and verify all relevant domains
Provide authentication credentials for every user role
Upload API schemas and sitemaps
Include context about your application’s purpose and architecture

More context means higher precision and fewer false positives.

Provide Multiple Credential Sets

Supply credentials for different user roles to test authorization boundaries:

Regular user account
Admin or power user account
API tokens with different permission levels

The agent tests with each credential set and also without credentials to find authentication bypass and privilege escalation vulnerabilities.

Start with Staging

Test staging environments before production:

Lower risk of service disruption
Safe environment for aggressive testing
Same codebase, safer environment
Validate findings before production tests

Enable Auto-Remediation

Take advantage of automatic fixes:

Configure PR creation for approved fixes
Set severity thresholds for auto-remediation
Review and merge fixes promptly

Monitor Testing Progress

Stay informed about testing activities:

Review real-time testing progress in the console
Address findings as they’re discovered
Track remediation progress

Next Steps

Getting Started

Set up your workspace, connect source code, and run your first hybrid pentest.

Adding Domains

Add and verify domains for live exploitation testing.

Authentication

Configure authentication credentials for comprehensive coverage.

Auto-Remediation

Automatically fix vulnerabilities with AI-generated patches.

Attack Surface Mapping

Understand how Pensar discovers and maps your attack surface.

Sandboxing

Run tests in isolated, ephemeral sandbox environments.