Security agents
Security testing.
Overview
Security agents probe authentication boundaries, authorization mismatches, injection surfaces, sensitive data exposure, and misconfigured headers. They support pre-production security regression without replacing dedicated penetration testing.
Enable agents per organization in Automation → AI Agents. Human review applies to generated output before release-critical use.
Who should read this
- QA engineers, SREs, platform teams, and developers operating Zof Console and APIs.
Prerequisites
- Organization administrator approval to enable the agent category
- Staging or approved test environment reachable from the execution plane
- Requirement linkage for audit-oriented teams (recommended)
When to use this workflow
- Weekly security regression on externally exposed apps
- Validation after auth provider migration
- Compliance prep before SOC audit sampling
Step-by-step procedure
1. Security review alignment
   - Confirm scope with the security team: staging-only, no production attack traffic.
   - Document allowed test accounts and IP allowlists.
2. Enable security agents
   - Automation → AI Agents → Security → Enable per application risk tier.
3. Triage findings
   - Quality → Test Health → cluster security failures by route.
   - Route critical findings to the security backlog with run artifact links.
Key concepts
- Security validation scope:
  - Check 1: Authentication bypass and privilege escalation paths
  - Check 2: Input validation on forms and API parameters
  - Check 3: Security headers and cookie flags on key routes
  - Sensitive field masking in logs and error responses
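The following is an added example, not Zof product code and not a description of how the agents work internally: a minimal version of the security-header and cookie-flag check, with findings clustered by route as in the triage step. The required-header baseline, the routes, and the sample responses are assumptions constructed for illustration.

```python
"""Audit security headers and cookie flags per route (added example)."""
from collections import defaultdict

# Assumed baseline; replace with your organization's policy.
REQUIRED_HEADERS = ("strict-transport-security", "content-security-policy",
                    "x-content-type-options")
REQUIRED_COOKIE_FLAGS = ("secure", "httponly", "samesite")


def audit_response(headers):
    """Return findings for one response given as (name, value) pairs."""
    findings = []
    present = {name.lower() for name, _ in headers}
    for required in REQUIRED_HEADERS:
        if required not in present:
            findings.append(f"missing header: {required}")
    for name, value in headers:
        if name.lower() != "set-cookie":
            continue
        parts = [p.strip() for p in value.split(";")]
        cookie_name = parts[0].split("=", 1)[0]
        # Attribute names are case-insensitive; values (e.g. SameSite=Lax) are dropped.
        attrs = {p.split("=", 1)[0].lower() for p in parts[1:] if p}
        for flag in REQUIRED_COOKIE_FLAGS:
            if flag not in attrs:
                findings.append(f"cookie {cookie_name}: missing {flag}")
    return findings


def cluster_by_route(responses):
    """Map route -> findings, keeping only routes with at least one finding."""
    clustered = defaultdict(list)
    for route, headers in responses:
        clustered[route].extend(audit_response(headers))
    return {route: found for route, found in clustered.items() if found}


# Constructed sample responses from a hypothetical staging application.
SAMPLE = [
    ("/login", [("Strict-Transport-Security", "max-age=31536000"),
                ("Content-Security-Policy", "default-src 'self'"),
                ("X-Content-Type-Options", "nosniff"),
                ("Set-Cookie", "sid=abc123; Path=/; Secure; HttpOnly; SameSite=Lax")]),
    ("/api/profile", [("Content-Security-Policy", "default-src 'self'"),
                      ("Set-Cookie", "prefs=dark; Path=/; Secure")]),
]

if __name__ == "__main__":
    for route, found in cluster_by_route(SAMPLE).items():
        print(route, found)
```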
Best practices
- Never aim aggressive security agents at production without explicit approval
- Rotate test credentials used by security suites quarterly
- Differentiate policy violations from exploitable findings in triage