thesis project · c00290959 · final year 2026

RedTeam Agent
API Security Scanner

An AI-assisted, human-in-the-loop red-team agent for API security testing. Maps attack surfaces, fuzzes endpoints with curated payloads, evaluates responses, and generates OWASP-aligned reports through a role-based web UI.

$ ./agent scan --target http://api.target.local --profile aggressive
▶ Surface Mapper: 14 endpoints discovered via OpenAPI spec
▶ Payload Engine: 6 vuln modules · 240 payloads loaded
▶ Findings: SQLI[3] XSS[2] IDOR[1] SSRF[1] · Grade: D · Generating report...
Denys Dmytrenko
BSc Cybercrime and IT Security · South East Technological University · 2026
Project Overview
What is RedTeam Agent?

RedTeam Agent is a full-stack web application that automates the red-team phase of API security testing. It combines a Python/FastAPI scanning engine with a React role-based UI, enabling security teams to discover, triage, and verify vulnerabilities with structured human oversight.

The agent pipeline ingests an API target, auto-discovers endpoints through OpenAPI/Swagger parsing or heuristic probing, then fires curated vulnerability payloads across 6 vulnerability modules. Responses are evaluated by a detection engine and surfaced through a structured findings lifecycle workflow.

An AI layer powered by Groq Llama 3.3 70B generates multi-step chained attack sequences — synthesising contextual exploitation paths that go beyond individual endpoint scanning, giving analysts actionable POCs with per-step approval controls.

6 · Vulnerability Types Detected
3 · RBAC User Roles
AI · Groq Llama 3.3 70B Chains
PASS · Security Review Status
System Design
Pipeline Architecture
Surface Mapper: OpenAPI/Swagger + heuristic probing
──▶ Payload Engine: Curated payloads · basic & aggressive
──▶ SafeExecutor: Rate limiting · scope · TLS
──▶ Evaluator: Pattern-based response analysis
──▶ Findings DB: SQLite · dedupe · lifecycle
──▶ Report Builder: OWASP WSTG · CWE · PDF/JSON

Human-in-the-Loop UI: Approve · Deny · Retest · Triage · Assign
BACKEND: FastAPI + SQLite (WAL mode) · Async Python · httpx · Pydantic v2 · JWT Auth
FRONTEND: React 18 + Vite + TypeScript · Tailwind CSS · shadcn/ui · Radix UI
INFRA: nginx reverse proxy · Docker Compose · single-command deployment
Capabilities
Key Features
Auto-Discovery (Surface Mapper)

Parses OpenAPI/Swagger specs at 10+ common paths with heuristic fallback probing for undocumented or non-standard endpoints.
6 Vuln Modules (Payload Engine)

SQL Injection, XSS, IDOR, SSRF, Command Injection, and Path Traversal — each with curated payload sets, error-based, time-based, and behavioural detection.
AI Attack Chains (Groq AI)

Groq Llama 3.3 70B generates 3 chained attack sequences with step-by-step POCs, per-step human approval, and chain regeneration if results are unsatisfactory.
Human-in-the-Loop (Triage Workflow)

Full findings lifecycle: OPEN → IN_PROGRESS → FIXED_PENDING_VERIFICATION → VERIFIED_FIXED. RBAC-enforced status transitions across admin, analyst, and developer roles.
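The lifecycle above is a small state machine whose edges are gated by role. The following is an added example, not the project's own code: it uses the four states and three roles the page names, but the mapping of roles to transitions is an assumption (the page only says transitions are RBAC-enforced). The one design point it demonstrates is that a developer who marks a finding fixed cannot also verify it; verification is a separate step for an analyst or admin, and every transition is recorded as an audit trail.

```python
# Added example (not the project's code): a findings lifecycle state machine with
# role-gated transitions, using the four states and three roles the page names.
# Which role may perform which transition is an ASSUMED policy; the page only
# states that transitions are RBAC-enforced, not how the roles are mapped.
from dataclasses import dataclass, field

STATES = ("OPEN", "IN_PROGRESS", "FIXED_PENDING_VERIFICATION", "VERIFIED_FIXED")
ROLES = ("admin", "analyst", "developer")

# (from_state, to_state) -> roles allowed to perform it (assumed policy).
# Deliberately no direct OPEN -> VERIFIED_FIXED edge: a fix must always pass
# through a verification step performed by someone other than the developer.
TRANSITIONS = {
    ("OPEN", "IN_PROGRESS"): {"admin", "analyst", "developer"},
    ("IN_PROGRESS", "FIXED_PENDING_VERIFICATION"): {"admin", "developer"},
    ("FIXED_PENDING_VERIFICATION", "VERIFIED_FIXED"): {"admin", "analyst"},
    ("FIXED_PENDING_VERIFICATION", "OPEN"): {"admin", "analyst"},  # retest failed
}


class TransitionError(Exception):
    """Raised for an unknown state/role, an illegal edge, or an unauthorised role."""


@dataclass
class Finding:
    id: int
    status: str = "OPEN"
    # Audit trail of applied transitions: (from_state, to_state, actor, role)
    history: list = field(default_factory=list)


def can_transition(from_state: str, to_state: str, role: str) -> bool:
    """True if `role` is permitted to move a finding from `from_state` to `to_state`."""
    if role not in ROLES or to_state not in STATES:
        return False
    return role in TRANSITIONS.get((from_state, to_state), set())


def transition(finding: Finding, to_state: str, actor: str, role: str) -> str:
    """Apply a status change, enforcing both the legal edges and the role policy."""
    if role not in ROLES:
        raise TransitionError(f"unknown role {role!r}")
    if to_state not in STATES:
        raise TransitionError(f"unknown state {to_state!r}")
    allowed = TRANSITIONS.get((finding.status, to_state))
    if allowed is None:
        raise TransitionError(f"illegal transition {finding.status} -> {to_state}")
    if role not in allowed:
        raise TransitionError(f"role {role!r} may not perform {finding.status} -> {to_state}")
    finding.history.append((finding.status, to_state, actor, role))
    finding.status = to_state
    return finding.status


def run_demo() -> str:
    """Walk one finding through the full lifecycle with constructed actor names."""
    finding = Finding(id=42)
    transition(finding, "IN_PROGRESS", "dev-alice", "developer")
    transition(finding, "FIXED_PENDING_VERIFICATION", "dev-alice", "developer")
    # The developer who claims the fix cannot also verify it under this policy.
    assert not can_transition(finding.status, "VERIFIED_FIXED", "developer")
    transition(finding, "VERIFIED_FIXED", "analyst-bob", "analyst")
    return finding.status


if __name__ == "__main__":
    print(run_demo())
```

In a FastAPI backend the `role` argument would come from the verified JWT claims of the caller, never from the request body; the `history` list stands in for the audit table a real deployment would keep.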
Probe Panel (Manual Testing)

Burp Repeater-equivalent HTTP editor. Craft and send arbitrary requests with syntax highlighting, rate limiting, role gating, and full audit logging of every transaction.
OWASP Reporting (Compliance)

WSTG-aligned reports with CWE and OWASP API Top 10 mappings, executive summary, retest evidence, appendices, and export to JSON or PDF.
Security Toolkit (Toolkit)

Client-side JWT Inspector — decode header/payload, highlight expiry and algorithm. Encoder/Decoder for Base64, URL encoding, HTML entities, and hex. No data sent to server.
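A JWT inspector of the kind described above only needs to base64url-decode the first two segments; it never checks the signature, which is exactly why it must be treated as a viewer rather than a validator. Below is an added example, not the project's toolkit code (the project's inspector runs client-side in TypeScript; this Python version mirrors its behaviour). It decodes header and payload, reports the algorithm and expiry, and flags the values an analyst would want highlighted: `alg` of `none`, a missing `exp`, an expired token, and an empty signature segment. The sample token and the `make_unsigned_sample` helper are constructed here for illustration.

```python
# Added example (not the project's code): a decode-only JWT inspector in the
# spirit of the toolkit described above. It base64url-decodes the header and
# payload, reports the algorithm and expiry, and flags risky values. It never
# verifies the signature; a server must still do that before trusting any claim.
import base64
import json
import time
from typing import Optional


def _b64url_decode(segment: str) -> bytes:
    # JWT segments drop base64 padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def inspect_jwt(token: str, now: Optional[int] = None) -> dict:
    """Decode a JWT without verifying it and return header, payload and warnings."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("expected three dot-separated segments")
    header = json.loads(_b64url_decode(parts[0]))
    payload = json.loads(_b64url_decode(parts[1]))
    now = int(time.time()) if now is None else now

    warnings = []
    alg = header.get("alg")
    if alg is None or str(alg).lower() == "none":
        warnings.append("alg is 'none': token carries no usable signature")
    exp = payload.get("exp")
    expired = False
    if exp is None:
        warnings.append("no exp claim: token never expires")
    elif exp < now:
        expired = True
        warnings.append("exp is in the past: token has expired")
    if parts[2] == "":
        warnings.append("empty signature segment")

    return {
        "header": header,
        "payload": payload,
        "alg": alg,
        "exp": exp,
        "expired": expired,
        "warnings": warnings,
    }


def make_unsigned_sample(header: dict, payload: dict, signature: bytes = b"") -> str:
    """Build a constructed sample token for exercising the inspector (no real signing)."""
    return ".".join([
        _b64url_encode(json.dumps(header, separators=(",", ":")).encode()),
        _b64url_encode(json.dumps(payload, separators=(",", ":")).encode()),
        _b64url_encode(signature),
    ])


# Constructed sample: HS256 header, subject 1234, exp at a fixed epoch second.
# The signature bytes are a placeholder; the inspector does not check them.
SAMPLE_TOKEN = make_unsigned_sample(
    {"alg": "HS256", "typ": "JWT"},
    {"sub": "1234", "exp": 1700000000},
    b"placeholder-signature-bytes",
)

if __name__ == "__main__":
    print(json.dumps(inspect_jwt(SAMPLE_TOKEN, now=1700000001), indent=2))
```

Passing `now` explicitly keeps the expiry check deterministic; in the browser toolkit the equivalent is comparing `exp` against `Date.now() / 1000` at render time.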
Security Dashboard (Analytics)

Real-time grade card with risk breakdown across all findings, timeline chart of vulnerabilities discovered per scan run, and at-a-glance run statistics.
Vulnerable Sandbox (Sandbox Target)

Intentionally insecure FastAPI app with 11 vuln endpoints — SQLi, XSS, IDOR, SSRF, CMD, Path Traversal, BFLA, Mass Assignment, Open Redirect — for safe local testing.
Detection Results
Vulnerability Coverage
◈ detection_matrix.log

Vuln Type        Sandbox       Juice Shop
SQL Injection    ✓ DETECTED    ✓ DETECTED
XSS              ✓ DETECTED    ✓ DETECTED
IDOR             ✓ DETECTED    ✓ DETECTED
SSRF             ✓ DETECTED    — N/A
Path Traversal   ✓ DETECTED    — N/A
Cmd Injection    ✓ DETECTED    — N/A
SECURITY REVIEW: PASS

No actionable vulnerabilities identified in the scanner codebase itself. All 7 initial findings were determined to be intentional features, standard patterns, or covered by hard exclusion rules.

// Known Limitations
  • In-memory session singleton — one active scan run at a time; restart discards run state
  • Single-process concurrency — large scans may block background tasks
  • BFLA, Mass Assignment, Open Redirect detection not yet implemented
  • No OWASP ZAP baseline cross-validation (scope cut)
Technology
Tech Stack
Backend: Python 3.11+ · FastAPI · httpx / asyncio · Pydantic v2 · SQLite (WAL mode) · JWT Auth / RBAC
Frontend: React 18 · TypeScript · Vite · Tailwind CSS · shadcn/ui · Radix UI
AI & Standards: Groq API · Llama 3.3 70B · OpenAPI / Swagger · OWASP WSTG · OWASP API Top 10 · CWE Mappings
Infrastructure: Docker · Docker Compose · nginx · Reverse Proxy · OWASP Juice Shop · Vulnerable Sandbox
Research Materials
Project Documents
Source Code
GitHub Repository

DenysDmytrenko / RedTeam-Agent-API-Security

Full source code, Docker Compose setup, documentation, and intentionally vulnerable sandbox for local testing. Clone and run the entire stack with a single docker-compose up --build.

https://github.com/DenysDmytrenko