Authorization Matrix Testing
Systematic cross-account authorization testing for a single web application in RedVeil.
Authorization Matrix Testing is a project type in RedVeil that performs systematic cross-account authorization testing against a single web application. It validates that every role in your application can only access the resources it is supposed to, and flags cases where one role can reach another role's endpoints or data.
How it works
An auth matrix test takes a target URL and two or more user accounts with different privilege levels. RedVeil's AI agent then:
- Authenticates each account — logs in (or applies tokens/cookies) for every configured role and, optionally, an unauthenticated session.
- Discovers resources — crawls the application and, if provided, imports routes from an OpenAPI/Swagger spec.
- Builds the access matrix — rows are acting accounts (including unauthenticated if enabled), columns are resources or functions intended for each role.
- Tests every cell — for each account × resource combination the agent makes requests with that account's session and records whether access was allowed or denied.
- Classifies outcomes — each cell is classified as:

| Classification | Meaning |
|---|---|
| Expected allow | The account was permitted and should be. |
| Expected deny | The account was blocked and should be. |
| Unexpected allow | The account was permitted but should not be — potential vulnerability. |
| Unexpected deny | The account was blocked but should not be — potential logic/availability defect. |
| Blocked / error | The request errored or was blocked for an unexpected reason. |
| Skipped | The cell could not be tested in this run. |

- Reports findings — any unexpected-allow or other security-relevant outcome is filed as a finding with full evidence: acting account, target resource/role, request/response proof, and impact statement.
The matrix and findings are updated in real time as the agent works.
What it tests
- Vertical privilege escalation — lower-privilege roles attempting admin-only endpoints, role management, billing, sensitive exports.
- Horizontal privilege escalation — same-role account A accessing account B's data or actions.
- IDOR / BOLA — swapping object IDs, UUIDs, tenant identifiers, and path parameters across sessions.
- Function-level access control — non-admin sessions invoking create/update/delete/configuration endpoints.
- Unauthenticated access — (optional) verifying that protected endpoints reject requests with no credentials.
- OWASP-aligned web security — broken auth/session handling, CSRF gaps, sensitive data exposure, injection, XSS, and SSRF discovered during authorization flows.
Supported authentication types
| Auth type | What you provide per account |
|---|---|
| form | Username and password. RedVeil performs a browser-based login for each account and extracts session cookies automatically. Supports TOTP/MFA when a 2FA secret is provided. |
| basic | Username and password. Sent as HTTP Basic Auth on every request. |
| bearer | A bearer token. Sent as Authorization: Bearer <token>. |
| header | A custom header name and value (e.g. X-API-Key). |
| session | Pre-existing session cookies pasted directly. |
All accounts in a single project must use the same auth type.
Creating a project
Web UI
- Go to Projects → New Project.
- Select Auth Matrix as the project type.
- Enter the target URL — a single HTTP(S) URL for the application under test.
- Choose the authentication type.
- Add at least two accounts. Each account needs:
  - A unique role label (e.g. "Admin", "Viewer", "Editor").
  - The credentials matching the chosen auth type.
  - (Optional) Role guidance — a sentence describing what this role should be able to do. This helps the agent set accurate expected outcomes.
  - (Optional) 2FA secret — a TOTP secret if form login requires a one-time code.
- Toggle Test unauthenticated access on or off (default: on).
- (Optional) Paste or upload an OpenAPI/Swagger spec to expand endpoint coverage.
- Click Create project.
CLI
```bash
pentest-agent project create auth_matrix \
  --name "Acme Auth Matrix" \
  --target https://app.acme.com \
  --auth-type form \
  --auth-matrix-accounts @accounts.json
```

--auth-matrix-accounts accepts a JSON array inline or as a @file reference. Each entry must have a unique label and the credentials matching --auth-type.
Example accounts.json:

```json
[
  {
    "label": "Admin",
    "username": "admin@example.com",
    "password": "super-secret",
    "guidance": "Can manage users and billing"
  },
  {
    "label": "Viewer",
    "username": "viewer@example.com",
    "password": "viewer-secret",
    "guidance": "Read-only access only"
  }
]
```

CLI options
| Option | Required | Description |
|---|---|---|
| --name <value> | Yes | Project name. |
| --description <value> | No | Project description. |
| --target <value> | Yes | Single target URL for the application under test. |
| --auth-type <value> | No | Auth mode. One of: form, basic, bearer, header, session. Defaults to form. |
| --auth-matrix-accounts <jsonOrFile> | Yes | JSON array (or @file) with at least 2 accounts with unique labels. |
| --auth-matrix-test-unauthenticated <bool> | No | Include unauthenticated testing. Defaults to true. |
| --auth-matrix-open-api-docs <value> | No | OpenAPI/Swagger URL, inline JSON, or @file. |
For more CLI context, see Projects.
Running a scan
Start a scan the same way as any other project type:
```bash
pentest-agent scan start <projectId>
```

Or click Start Scan in the web dashboard.
The agent authenticates each account, builds sessions, and begins cross-role testing. Progress is visible in real time on the dashboard.
Reading results
Authorization matrix panel
The dashboard replaces the network topology diagram with a live Authorization Matrix panel. Each row shows:
| Column | Description |
|---|---|
| Actor | The account label performing the request. |
| Resource | The endpoint or function being tested. |
| Expected | Whether access should be allowed or denied for this actor. |
| Observed | Whether the request was actually allowed or denied. |
| Result | Classification badge — green for expected outcomes, amber for unexpected, red for errors. |
Rows are color-coded by classification:
- Green left border — expected allow or expected deny (working as intended).
- Amber left border — unexpected allow or unexpected deny (investigate).
- Red left border — blocked or errored.
The panel updates in real time as the agent tests each cell. You can expand it to full screen from the host detail view.
Findings
Findings from auth matrix tests follow the same format as all other RedVeil findings. Each includes:
- Acting account label and target role/resource.
- Request and response evidence.
- Impact statement explaining what cross-role action became possible.
- CVSS severity score.
Findings can be triaged (mark as false positive with a comment) and retested with one click, just like any other project type.
Reports
Auth matrix projects generate the same executive and standard reports available to other project types. The authorization matrix outcomes and cross-role findings are included in the report body.
Account field reference
Each account object in the accounts array supports these fields:
| Field | Auth types | Required | Description |
|---|---|---|---|
| label | All | Yes | Unique display name for the role (e.g. "Admin"). |
| username | form, basic | Yes | Login username or email. |
| password | form, basic | Yes | Login password. |
| bearerToken | bearer | Yes | OAuth/JWT bearer token. |
| headerName | header | Yes | Custom auth header name. |
| headerValue | header | Yes | Custom auth header value. |
| sessionCookies | session | Yes | Raw cookie string or JSON array of {name, value} pairs. |
| twoFactorSecret | form | No | TOTP secret for accounts that require MFA during login. |
| guidance | All | No | Description of what this role should be able to do. Improves expected-outcome accuracy. |
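Because the CLI rejects an accounts array that breaks the rules in the field reference above and in the supported-authentication-types table (unique labels, at least two accounts, one auth type per project, the right credential fields for that type), it is handy to lint accounts.json before submitting it. The following is an added example, not part of RedVeil: the required-field map is transcribed from the table above, the sample accounts are constructed, and the request_credentials helper shows, for each auth type, how the page says the credentials are sent (Basic header, Bearer header, custom header, or pasted cookies). The exact shape it returns is this example's own convention, not the tool's internal representation.

```python
"""Lint an auth-matrix accounts array and derive per-account request
credentials. Added example; sample accounts are constructed."""
import base64
import json

# Required credential fields per auth type, transcribed from the field reference.
REQUIRED_BY_AUTH_TYPE = {
    "form": ("username", "password"),
    "basic": ("username", "password"),
    "bearer": ("bearerToken",),
    "header": ("headerName", "headerValue"),
    "session": ("sessionCookies",),
}


def validate_accounts(accounts, auth_type):
    """Return a list of problems; an empty list means the array is acceptable."""
    problems = []
    if auth_type not in REQUIRED_BY_AUTH_TYPE:
        return [f"unknown auth type {auth_type!r}"]
    if len(accounts) < 2:
        problems.append("at least 2 accounts are required")
    seen = set()
    for i, acct in enumerate(accounts):
        label = acct.get("label")
        if not label:
            problems.append(f"account {i}: missing label")
        elif label in seen:
            problems.append(f"account {i}: duplicate label {label!r}")
        seen.add(label)
        for field in REQUIRED_BY_AUTH_TYPE[auth_type]:
            if not acct.get(field):
                problems.append(f"account {label or i}: missing {field!r} for auth type {auth_type!r}")
        if "twoFactorSecret" in acct and auth_type != "form":
            problems.append(f"account {label or i}: twoFactorSecret only applies to form login")
    return problems


def parse_cookies(raw):
    """Accept either a raw Cookie header string or a JSON array of {name, value}."""
    if isinstance(raw, str):
        return dict(part.strip().split("=", 1) for part in raw.split(";") if "=" in part)
    return {c["name"]: c["value"] for c in raw}


def request_credentials(acct, auth_type):
    """Headers/cookies an account's requests carry (assumed output shape)."""
    if auth_type == "basic":
        token = base64.b64encode(f"{acct['username']}:{acct['password']}".encode()).decode()
        return {"headers": {"Authorization": f"Basic {token}"}, "cookies": {}}
    if auth_type == "bearer":
        return {"headers": {"Authorization": f"Bearer {acct['bearerToken']}"}, "cookies": {}}
    if auth_type == "header":
        return {"headers": {acct["headerName"]: acct["headerValue"]}, "cookies": {}}
    if auth_type == "session":
        return {"headers": {}, "cookies": parse_cookies(acct["sessionCookies"])}
    # form: nothing is attached up front; the browser login yields the session cookies
    return {"headers": {}, "cookies": {},
            "login": {"username": acct["username"], "password": acct["password"]}}


# Constructed sample: a valid bearer-token project ...
SAMPLE_BEARER = [
    {"label": "Admin", "bearerToken": "ADMIN-TOKEN-PLACEHOLDER",
     "guidance": "Can manage users and billing"},
    {"label": "Viewer", "bearerToken": "VIEWER-TOKEN-PLACEHOLDER",
     "guidance": "Read-only access only"},
]
# ... and a broken one: duplicate label and a missing token.
SAMPLE_BROKEN = [
    {"label": "Admin", "bearerToken": "ADMIN-TOKEN-PLACEHOLDER"},
    {"label": "Admin"},
]


def lint_file(path, auth_type):
    """Load accounts.json from disk and return its problems."""
    with open(path, encoding="utf-8") as fh:
        return validate_accounts(json.load(fh), auth_type)


if __name__ == "__main__":
    print("valid sample:", validate_accounts(SAMPLE_BEARER, "bearer"))
    print("broken sample:", validate_accounts(SAMPLE_BROKEN, "bearer"))
    print(request_credentials(SAMPLE_BEARER[1], "bearer"))
```

Run validate_accounts over the array before calling pentest-agent project create; a non-empty list means the CLI will reject the project or, worse, that a role will be tested with the wrong credentials and every cell in its row will come back as an unexpected deny.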
Editing a project
Auth matrix project settings can be updated after creation from the project settings page or via pentest-agent project edit. You can change the target URL, auth type, accounts, unauthenticated testing toggle, and OpenAPI docs.
Availability
Auth matrix testing is available on Full Coverage and Enterprise plans. See your account's usage page for current plan details.