Agent Catalog
Security agents
Security testing.
Overview
Security agents probe authentication boundaries, authorization mismatches, injection surfaces, sensitive data exposure, and misconfigured headers. They support pre-production security regression without replacing dedicated penetration testing.
Enable agents per organization in Automation → AI Agents. Human review applies to generated output before release-critical use.
Who should read this
- QA engineers, SREs, platform teams, and developers operating Zof Console and APIs.
Prerequisites
- Organization administrator approval to enable agent category
- Staging or approved test environment reachable from execution plane
- Requirement linkage for audit-oriented teams (recommended)
When to use this workflow
- Weekly security regression on externally exposed apps
- Validation after auth provider migration
- Compliance prep before SOC audit sampling
Step-by-step procedure
Security review alignment
Confirm scope with security team: staging-only, no production attack traffic.
Document allowed test accounts and IP allowlists.
Enable security agents
Automation → AI Agents → Security → Enable per application risk tier.
Triage findings
Quality → Test Health → cluster security failures by route.
Route critical findings to security backlog with run artifact links.
Key concepts
- security validation scope
- Authentication bypass and privilege escalation paths; Input validation on forms and API parameters; Security headers and cookie flags on key routes; Sensitive field masking in logs and error responses.
- Check 1
- Authentication bypass and privilege escalation paths
- Check 2
- Input validation on forms and API parameters
- Check 3
- Security headers and cookie flags on key routes
Best practices
- Never aim aggressive security agents at production without explicit approval
- Rotate test credentials used by security suites quarterly
- Differentiate policy violations from exploitable findings in triage
Was this page helpful?
