Ostorlab

Computer and Network Security

Middletown, Delaware 17,555 followers

Mobile Security Testing Automation Platform

About us

Ostorlab is a leading Security Testing Automation Platform, trusted by over 18,000 developers and security professionals in more than 80 countries. Our customers choose Ostorlab for its:

* Extensive vulnerability knowledge base, the largest on the market.
* Advanced detection system that learns from past vulnerabilities to predict and identify new ones.
* Easy setup, allowing you to start scanning in seconds and ensuring continuous assessment with every release and commit.
* Accurate results with zero false positives, thanks to our innovative automated representation of vulnerabilities.

Ostorlab is currently available for Mobile Applications on both Android and iOS, and supports scanning Web Applications, Web APIs, and discovering External Attack Surface.

Website
https://www.ostorlab.co
Industry
Computer and Network Security
Company size
11-50 employees
Headquarters
Middletown, Delaware
Type
Privately Held
Founded
2021
Specialties
Mobile Application Security Testing and Web Application Security Testing

Updates

  • We’ve published a new Ostorlab security article. As we approach the release of our mobile AI Pentest Engine, we’re sharing another example of a complex vulnerability it identified during benchmark testing. The article breaks down how our Pentest Engine found a JavaScript interface exposure in an Android WebView, where insecure deep link handling allowed unauthenticated access to native methods, confirming a realistic social engineering risk through native UI manipulation. Read the full article here: https://lnkd.in/dQZGXQZ3
  • We’ve just published a new Ostorlab article on mobile app security in 2026. As development cycles accelerate thanks to coding agents, attackers are able to leverage hack bots to automate vulnerability exploitation. Choosing the right security testing platform is no longer just a checklist; it’s about keeping up with how apps are built and deployed. The article explains how modern tools can help teams integrate security into CI/CD, reduce noise, and catch issues before they reach users. Read the full article here: https://lnkd.in/dccNVjZ5
  • Ostorlab’s AI Pentest Engine just caught a real GraphQL/WebSocket BFLA in the wild. It walked the full attacker path:

    • Unauthenticated WebSocket handshake accepted on the subscriptions endpoint
    • Unauthenticated GraphQL introspection over WebSocket, exposing multiple subscription operations
    • Unauthenticated translateContent subscription returning live translation data
    • Inconsistent controls on the same endpoint, with another subscription correctly rejecting unauthenticated access

    This article details the Engine’s methodology, from baseline handshake to schema enumeration, to per-operation authorization checks and data-level proof, as well as concrete remediation guidance for GraphQL subscriptions over WebSockets. Read the full article here 👉 https://lnkd.in/dTW3UexR
  • We’re happy to announce a new Ostorlab release. This update includes enhancements to AI Pentest, refining how scans explore applications and report issues, with the goal of improving depth, coverage, and overall signal quality. We’re also introducing a native ServiceNow integration, so you can send findings from Ostorlab directly into ServiceNow and keep everything within your existing workflows. In addition, we’ve rolled out Owner-Based Access Control (Owner-Based RBAC) to better align access with ownership and control who can view and manage specific assets and results. You can find all the details in the full December changelog here: https://lnkd.in/ejEtJ-S4
  • We’ve put together practical Mobile App Security Checklists for:

    - iOS
    - Android
    - Flutter

    They contain the best practices and what to verify before going live. The best part? They’re completely free and ungated: no forms, no emails, just a public link you can bookmark and share with your team. 👇 https://lnkd.in/esbvmQsn
  • Dropping the full AI pentest report from our banking app demo. No edits, no cherry‑picking. From a plain‑English prompt, the AI planned its own test, navigated real app flows, and ended up with a high‑impact, exploitable vuln that would be a serious finding in any security review. Every step is visible: reasoning, HTTP traces, replayable PoC, impact, and how to fix it. If you want to see what an autonomous AI pentest actually catches in a real app, this is the whole thing, end‑to‑end: 👉https://lnkd.in/epyAasAp
  • During a live demo of Ostorlab AI Pentest Engine, an experienced security professional threw one of those "but can it detect this?" challenges at us: an account takeover using API version downgrade. It is the kind of vulnerability that traditional vulnerability scanners have no chance of detecting, and that a human pentester would need a mix of extensive experience and patience to find. Throwing our Engine on it, we had no expectation that it would test it, let alone find it. In this article we share how the engine detected and reported the bug: https://lnkd.in/egVZQ_Bc #security #automation #ai #pentest
  • You know how web app testing is supposed to be thorough, methodical, and… painfully slow? This is the opposite of that. Ostorlab’s AI Engine takes the stuff we normally spend days poking at and compresses it into a workflow that’s basically: click, configure, confirm, done. In this demo you’ll see:

    · How to kick off a new web app scan with just a few inputs
    · How to tailor the AI prompts so it behaves like a real attacker, not a lab toy
    · How the results come back with proper evidence, clear impact, and are actually ready for an audit

    Instead of trawling through noisy findings or waiting on long test cycles, you get a prioritized list of real issues with the proof to back them up—and a clear path to fix them before someone less friendly finds them. If you’re trying to move your AppSec program from “we’ll get to it eventually” to “we can ship this safely, today”, this is worth your time. Watch the demo and see how to go from zero to meaningful, actionable findings in minutes instead of days.

  • The first reported AI‑orchestrated cyber‑espionage incident is here. Anthropic’s report shows AI executing 80–90% of the attack lifecycle, end to end, and at speed. The reality? If we're not using AI to defend, we're bringing a knife to a gunfight. Attackers iterate daily. Most testing doesn’t. It’s time to rethink our approach towards testing.  #AI #pentest #security #automation