← Blog
July 6, 20269 min readMethodologyAppSecAI

Detection is not proof: inside exploit-verified pentesting

Most scanners flood you with maybes. Xalgorix runs a 22-phase offensive methodology, exploits what it finds, and independently re-verifies every result — so a finding is evidence, not a guess.

By The Xalgorix Team

Every security team knows the ritual. You run a scanner, it returns three hundred “potential” issues, and someone spends the next week proving that two hundred and ninety of them aren't real. The tool did the easy part — pattern-matching a response — and handed you the expensive part: proof.

Xalgorix was built around the opposite contract. We don't just find vulnerabilities; we prove them with a working exploit, then independently re-test the exploit before it ever reaches your report. This post walks through how that actually works — the methodology, the verifier, and the guardrails that let it run against production.

The false-positive tax

A detection is a hypothesis: “this parameter might be injectable.” A proof is a fact: “this parameter is injectable, here is the data I extracted, and here is the exact request that did it.” The gap between those two sentences is where security teams lose their time. Triage, re-testing, back-and-forth with engineering, and the slow erosion of trust that happens the third time a “critical” turns out to be noise.

The industry has largely accepted this tax as the cost of automation. We didn't. The design goal for Xalgorix was blunt: if we can't demonstrate impact, we don't call it a vulnerability.

Detect → exploit → report

The engine runs as an autonomous agent that routes across frontier models, picking the best fit for each phase. But the model isn't the product — the discipline around it is. The core rule the agent operates under never changes:

Never report a vulnerability you haven't exploited. The reporting tool rejects any medium-or-higher finding that arrives without concrete exploitation proof — extracted data, a reflected payload, command output, a timing measurement, or an out-of-band callback.

In practice that means the agent has to do the thing. Not observe that a login form lacks a header, but bypass the auth. Not note that a query looks concatenated, but pull a row out of the database. When it reports, it pastes the actual output of the exploit into the finding. A report without that evidence doesn't get downgraded — it gets refused.

Detect
surface a candidate
Exploit
prove impact
Verify
independent re-test
Report
evidence + remediation
Every finding passes through exploitation and an independent re-test before it reaches your report.

The independent verifier

Here is the part that makes the difference. Before a finding is persisted, it's handed to a separate verifier that re-tests the vulnerability from scratch — a fresh attempt, not a re-read of the first agent's notes. The verdict is one of three:

  • Confirmed — the verifier independently reproduced the issue. The finding is stamped verified.
  • Inconclusive — the verifier couldn't reach a verdict (a transient error, a budget limit). The finding is kept, but explicitly flagged for manual review, never presented as validated.
  • Rejected — the verifier actively disproved it. The finding is dropped.
Candidate finding (agent-exploited)
Confirmed
Reproduced → stamped verified.
Inconclusive
Kept, flagged for manual review.
Rejected
Disproved → dropped.
A candidate finding is re-tested from scratch; the verdict decides whether it's shown as verified, flagged for review, or dropped.

That three-way outcome is deliberate. A finding is never silently discarded because a re-test was flaky, and it's never dressed up as confirmed when it isn't. Every result you see carries its confidence on its sleeve: independently verified, proven by the agent's own exploit, or awaiting a human. You always know which.

A 22-phase methodology, not a checkbox sweep

Real offensive work is sequential — recon feeds discovery, discovery feeds exploitation, exploitation feeds verification. Xalgorix encodes that as 22 phases the agent moves through, from reconnaissance and directory discovery, through injection, SSRF, IDOR/BOLA and broken access control, deserialization and RCE, up to exploit verification and a final branded report. You can scope a scan to specific phases when you only care about a slice of the surface.

The methodology is also where authenticated testing earns its keep. Hand the engine a session — or two, for horizontal access-control proofs — and it exercises post-login surface the way a real tester would: reaching account A's objects with account B's session to prove IDOR with concrete evidence rather than a hunch.

Recon
ReconnaissanceDirectory discoveryFingerprinting
Discovery
Auth & sessionAccess controlInjection surfaceSSRF / XXE
Exploitation
InjectionIDOR / BOLADeserialization / RCEFile upload
Verification
Exploit verification
Report
Branded report
Recon feeds discovery, discovery feeds exploitation, exploitation feeds verification — then the report. Scope a scan to any subset.

Whitebox: source makes the hard bugs findable

Black-box testing guesses at internals from the outside. When you connect a repository, Xalgorix clones it and exposes it to the agent through a fast source-search tool. The methodology shifts to source → sink → exploit:

  • Map the framework, routing, and where user input enters.
  • Hunt sinks — dangerous calls for RCE, command and SQL injection, deserialization, SSRF, hardcoded secrets — directly in the code.
  • Trace reachability from each sink back to a user-reachable route.
  • Exploit on the live target and prove impact.
Clone repo
server-side, token-safe
Map
routes & inputs
Hunt sinks
code_search
Trace reachability
sink → route
Exploit live
prove impact
Source proves the bug exists; the live proof-of-concept proves it's exploitable. Xalgorix requires both.

Source proves a bug exists; the live proof-of-concept proves it's exploitable. Xalgorix wants both. Your token never touches the scan record or the logs — it's used server-side, at dispatch, only to clone.

Safe to point at production

Autonomy without guardrails is how a security tool becomes an incident. Xalgorix ships with a scope guard that keeps the agent on the hosts you authorized and blocks it from reaching your own infrastructure or local network. Testing intensity is configurable — passive when you want read-only checks, active when you want exploitation — and the engine is designed to prove impact without destructive payloads. Authorised testing only, enforced in code.

A report you can hand to an auditor

Each finding lands with a severity mapped to a CVSS score and vector, a technical analysis, a reproducible proof-of-concept, a concrete remediation — ideally a minimal patch — and its verification status. It exports as a branded PDF, streams live over the API as findings are confirmed, and can be shared as a read-only link. Findings deduplicate across runs, so a re-scan shows you what changed, not the same list again.

Try it

There's no install and no LLM keys to manage — pick a target, choose a mode, and watch the phases run live. Scans start at a dollar, and everything the dashboard does is available over the REST API and a GitHub Action, so you can wire Xalgorix into CI and fail a build on exploit-verified findings.

curl -X POST https://www.xalgorix.com/api/public/v1/scans \
  -H "Authorization: Bearer $XALGORIX_API_KEY" \
  -H "Content-Type: application/json" \
  -d '{ "target": "https://staging.example.com", "mode": "single" }'

Detection is cheap and getting cheaper. Proof is the thing worth paying for — and the thing we built Xalgorix to deliver.

Ready to see it prove a bug?

Start a scan — from $1 →