Testing methodology

A governed methodology for AI-assisted penetration testing

See how Revaizor structures authorization, scope, AI-assisted execution, finding validation, reporting, remediation, and engagement limits.

Govern before execution

The engagement starts with target ownership, written authorization, scope, permitted actions, contacts, and stop conditions.

Validate observations

Potential findings are reviewed for reproducibility and impact within the permissions and safety limits of the engagement.

Report boundaries

Deliverables state tested perspectives, assumptions, exclusions, constraints, and the difference between initial and retest results.

1. Authorization and objectives

The accountable target owner confirms written authorization and the intended security questions. The parties identify legal, regulatory, provider, and third-party constraints before active testing. An objective might assess an application release or a defined attack path; it is not an open-ended mandate.

2. Scope and rules of engagement

The scope names exact assets, environments, roles, test windows, permitted and prohibited techniques, data-handling expectations, escalation contacts, and stop conditions. Any scope change requires approval through the agreed process.

  • Targets are identified precisely enough to avoid adjacent or shared systems.
  • Availability-impacting, destructive, social-engineering, persistence, and third-party actions are excluded unless expressly authorized.
  • Credentials and test data are limited to the purpose and duration agreed for the engagement.

3. AI-assisted execution under constraints

Automation can help plan and sequence reconnaissance, hypothesis testing, and tool use. It remains bounded by the authorized scope and engagement rules. Human governance is still needed for target ownership, risk decisions, ambiguous conditions, escalation, and changes to permissions.

4. Validation and risk context

Candidate findings are checked for reproducibility, affected component, preconditions, observed result, and plausible impact. Validation stops when further action would exceed authorization or create disproportionate risk. Not every theoretical condition can or should be exploited.

5. Reporting and remediation

The report separates an executive view from technical evidence and records severity rationale, affected scope, reproduction guidance appropriate for authorized defenders, remediation direction, and limitations. Owners decide treatment, exceptions, and acceptance of residual risk.

6. Retest and closure

A retest examines the specific changed condition in an agreed scope. The result records whether the original behavior remains observable and any residual limits. Closure of one finding does not imply that unrelated systems or later changes are secure.

What the method cannot promise

No bounded assessment can guarantee discovery of every vulnerability, uninterrupted operation, future security, or compliance. Results reflect the accessible attack surface, permissions, techniques, environment, and time of testing.

Frequently asked questions

Does AI operate without engagement controls?

No. AI-assisted execution is bounded by the same authorization, scope, permitted techniques, operational safeguards, and escalation rules defined for the engagement.

Is every potential issue actively exploited?

No. Validation is proportional to authorization and risk. Testing stops before actions that are prohibited, unsafe, unnecessary, or outside scope, and the limitation is reported.

Does a clean result prove the target is secure?

No. It means no reportable finding was validated within the particular scope, access, techniques, constraints, and time. It is not proof that vulnerabilities do not exist.

Define your next security mission

Tell us the target type and desired outcome. Sensitive scope details are collected after qualification.

Request a scoped pentest