Case Study | Enterprise IT

Automated Penetration Test of an Enterprise ITSM Platform in 3.5 Hours

How Strobes AI completed a comprehensive penetration test of a complex enterprise ITSM platform in just 3.5 hours — uncovering critical vulnerabilities that traditional scanners would have missed entirely.

  • 3.5h: Total test duration
  • 97%: Time savings vs. manual
  • 0%: False positive rate
  • 30: Findings (10 critical/high)

The Challenge

Complex Architecture Beyond Traditional Scanner Capabilities

The platform featured a complex architecture that would require 2-3 senior pentesters working in parallel for 10-15 business days, with separate expertise in ASP.NET, Angular, REST API, and AI/ML security.

  • Application size fragmented across tools and services with partial support from existing scanners
  • Dual frontend architecture (Angular + WebForms) with separate API auth system and AI/ML integration
  • Two completely independent authentication systems (cookie-based + token-based) with no shared session state
  • 14 ITSM modules (Incident, Problem, Change, Knowledge, CMDB, SLA, Reports, Admin, etc.)
  • Multiple test roles required: end user, administrator, and unauthenticated access

What Strobes AI Delivered

5-Phase Automated Assessment in 3.5 Hours

Strobes AI Workspaces executed a complete penetration test autonomously, from target URL to full report, using 6 parallel testing agents.

Phase 1: Discover (~45 min)

Authenticated with multiple roles, crawled the application, analyzed JS bundles, and enumerated 89 URLs and 58+ API endpoints. Discovered 15 hidden server-side methods from JavaScript bundle analysis.

Phase 2: Plan (~20 min)

Grouped URLs into 6 functional categories and generated 34 test cases across all groups — covering auth, API, injection, access control, business logic, and configuration.

Phase 3: Test (~2 hours)

6 parallel agents executed tests simultaneously across all categories. Identified dual authentication architecture gaps, hidden high-risk server-side methods, and critical API vulnerabilities.

Phases 4-5: Consolidate & Report (~25 min)

Deduplicated findings, scored CVSS, verified confirmed issues, filtered false positives. Generated executive summary, 45+ page technical report, findings table, and per-vulnerability deep dives with PoC scripts.

Strobes AI compresses a multi-week penetration test into hours, delivering deep surface coverage, validated findings, and immediate remediation guidance without sacrificing technical depth.

Results & Customer Outcome

Following the automated assessment, the organization immediately patched the most critical findings and deployed fixes within 8 hours of test initiation.

30 Total Findings (10 Critical/High)

5 Critical, 5 High, 10 Medium, 5 Low, and 5 Informational findings — with 0% false positive rate on confirmed findings.

15 Hidden Methods Discovered

AI analyzed compiled JavaScript bundles to extract server-side method signatures that standard crawlers completely missed — including path traversal, cache poisoning, and data exfiltration risks.

Dual Auth Architecture Gaps

Identified that API tokens persist after web logout, cookie-based users can't access API endpoints (and vice versa), and inconsistent access controls between the two systems.

97% Time Savings vs. Manual

Complete pentest from URL to report in 3.5 hours vs. 10-15 business days with 2-3 senior testers. First critical fix deployed within 8 hours.
