Broken access control has topped the OWASP Top 10 for years, and for good reason — it's the class of vulnerability most likely to let an attacker read someone else's data, escalate to admin, or pivot across tenants. The problem is that testing it thoroughly is tedious. You need multiple accounts, multiple roles, and a systematic way to check every combination. Most teams test a handful of happy paths and hope for the best.
Today we're shipping Authorization Matrix Testing — a new dedicated test type that maps every user role against every resource and function in your app, then systematically verifies who can access what. RedVeil's AI agent does the cross-referencing so you don't have to.
The problem
Imagine an app with five roles — Admin, Manager, Editor, Viewer, and Billing — and dozens of API endpoints. Testing every combination manually means hundreds of individual checks. Now add tenant isolation, unauthenticated access, and edge cases like direct object references. The matrix explodes. Traditional pentests either skip most of it or charge a premium for the hours.
How it works
- Add your accounts. Define two or more user accounts with role labels and credentials. RedVeil supports HTML form login, HTTP Basic, Bearer tokens, custom headers, and session cookies — including optional time-based 2FA.
- Set expectations. Optionally add role guidance per account — plain-English descriptions like "Viewer should only have read access" or "Billing should not access user management." The agent uses these as ground truth when classifying results.
- Start the test. RedVeil's AI agent logs in as each account, discovers resources (with optional OpenAPI/Swagger import for full coverage), and systematically tests every actor-resource combination. It swaps sessions, replays requests cross-account, probes for IDOR with manipulated identifiers, and checks unauthenticated access if enabled.
- Watch results populate in real time. An authorization matrix is built during the test: actor, resource, expected outcome, observed outcome, and a clear classification — expected allow, expected deny, unexpected allow, or unexpected deny. Unexpected results are flagged immediately.
- Review findings with evidence. Every broken access control issue includes the acting account, the target resource, full request/response proof, business impact, and remediation guidance. Fix, then one-click retest.
What the agent tests
- Vertical privilege escalation: Can a Viewer hit Admin-only endpoints?
- Horizontal privilege escalation: Can User A access User B's data at the same role level?
- IDOR / BOLA: Can swapping object IDs in requests expose other users' resources?
- Function-level access control: Are sensitive operations (delete, export, config changes) properly gated?
- Unauthenticated access: Are authenticated endpoints actually enforced? Enable "Include unauthenticated testing" to add a no-auth actor to the matrix.
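As an added illustration of the matrix described in "How it works" and "What the agent tests" (example code, not RedVeil's own), here is a small Python harness that walks every actor-by-resource cell, compares the expected outcome with the observed one, and classifies each cell into the four buckets the post names. The role policy, the in-memory application (with a deliberately missing role check on one endpoint), and the unauthenticated actor are all constructed for the example.

```python
from itertools import product

# Constructed role guidance: the (method, path) pairs each role may call.
POLICY = {
    "Admin":   {("GET", "/users"), ("DELETE", "/users/2"), ("GET", "/invoices")},
    "Viewer":  {("GET", "/users")},
    "Billing": {("GET", "/invoices")},
}

def fake_app(actor, method, path):
    """Constructed stand-in for the app under test; returns an HTTP status.
    The DELETE handler forgets its role check, so any logged-in actor succeeds."""
    if actor is None:
        return 401                      # not logged in
    if (method, path) == ("DELETE", "/users/2"):
        return 204                      # missing role check: broken access control
    return 200 if (method, path) in POLICY.get(actor, set()) else 403

def classify(expected_allow, status):
    """Map expected vs observed into the four matrix classifications."""
    observed_allow = status < 400
    if expected_allow and observed_allow:
        return "expected allow"
    if not expected_allow and not observed_allow:
        return "expected deny"
    return "unexpected allow" if observed_allow else "unexpected deny"

def build_matrix(actors, resources, send, include_unauthenticated=True):
    """One row per (actor, resource); None models the no-auth actor."""
    all_actors = list(actors) + ([None] if include_unauthenticated else [])
    rows = []
    for actor, (method, path) in product(all_actors, resources):
        expected = actor is not None and (method, path) in POLICY.get(actor, set())
        status = send(actor, method, path)
        rows.append({"actor": actor or "unauthenticated",
                     "resource": f"{method} {path}",
                     "expected": "allow" if expected else "deny",
                     "observed": status,
                     "result": classify(expected, status)})
    return rows

def unexpected(rows):
    """The cells a reviewer would treat as findings."""
    return [r for r in rows if r["result"].startswith("unexpected")]

if __name__ == "__main__":
    resources = sorted({r for perms in POLICY.values() for r in perms})
    matrix = build_matrix(POLICY, resources, fake_app)
    for row in matrix:
        print(row)
    print("findings:", unexpected(matrix))
```

Running it flags Viewer and Billing as "unexpected allow" on DELETE /users/2 while every other cell matches its expectation, which is exactly the kind of cell the matrix view is meant to surface.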
CLI support
Prefer the command line? Create an auth matrix project with the CLI:
pentest-agent project create auth_matrix \
--target "https://app.example.com" \
--auth-type form \
--auth-matrix-accounts '[
{"label": "Admin", "username": "admin@co.com", "password": "..."},
{"label": "Viewer", "username": "viewer@co.com", "password": "..."}
]' \
--auth-matrix-test-unauthenticated
Pass --auth-matrix-open-api-docs with a URL or file path to feed the agent your API spec for deeper coverage.
Why this matters
Access control bugs are the #1 web application security risk because they're easy to introduce and hard to catch at scale. Auth matrix testing turns what used to be a manual, error-prone checklist into an automated, repeatable process — with a clear visual of exactly where your authorization model holds up and where it breaks.
Ready to map your access control? Create an auth matrix project and let RedVeil do the cross-referencing.