[2603.00960] AWE: Adaptive Agents for Dynamic Web Penetration Testing
Computer Science > Cryptography and Security
arXiv:2603.00960 (cs)
[Submitted on 1 Mar 2026]

Authors: Akshat Singh Jaswal, Ashish Baghel

Abstract: Modern web applications are increasingly produced through AI-assisted development and rapid no-code deployment pipelines, widening the gap between accelerating software velocity and the limited adaptability of existing security tooling. Pattern-driven scanners fail to reason about novel contexts, while emerging LLM-based penetration testers rely on unconstrained exploration, yielding high cost, unstable behavior, and poor reproducibility. We introduce AWE, a memory-augmented multi-agent framework for autonomous web penetration testing that embeds structured, vulnerability-specific analysis pipelines within a lightweight LLM orchestration layer. Unlike general-purpose agents, AWE couples context-aware payload mutations and generations with persistent memory and browser-backed verification to produce deterministic, exploitation-driven results. Evaluated on the 104-challenge XBOW benchmark, AWE achieves substantial gains on injection-class vulnerabilities - 87% XSS success (+30.5% over MAPTA) and 66.7% blind SQL injection success (+33.3%) - while being much faster, cheaper, and more token-efficient than MAPTA, despi...