# AWE: Adaptive Agents for Dynamic Web Penetration Testing

Akshat Singh Jaswal · Ashish Baghel
Accepted at NDSS LAST-X 2026

## Abstract Modern web applications are increasingly produced through AI-assisted development and rapid no-code deployment pipelines, widening the gap between accelerating software velocity and the limited adaptability of existing security tooling. We introduce AWE, a memory-augmented multi-agent framework for autonomous web penetration testing that embeds structured, vulnerability-specific analysis pipelines within a lightweight LLM orchestration layer. Evaluated on the 104-challenge XBOW benchmark, AWE achieves 87% XSS success (+30.5% over MAPTA) and 66.7% blind SQLi success (+33.3%) while consuming 98% fewer tokens than prior work. ## Setup ```bash git clone https://github.com/stuxlabs/awe.git cd awe cp .env.example .env docker compose up --build ``` ## Usage ```bash ./run-docker.sh --auto # intelligent orchestration ./run-docker.sh --xss ./run-docker.sh --sqli ``` ## Structure ``` src/ ├── orchestrators/ # LLM-driven agent coordination ├── xss_agent/ # Context-aware XSS pipeline ├── sqli_agent/ # Database fingerprinting + injection ├── ssti_agent/ # Template engine detection ├── xxe_agent/ # XML external entity ├── command_injection_agent/ ├── lfi_agent/ ├── ssrf_agent/ ├── idor_agent/ └── utils/ # Memory system, browser verification ``` ## Citation ```bibtex @article{jaswal2026awe, title={AWE: Adaptive Agents for Dynamic Web Penetration Testing}, author={Jaswal, Akshat Singh and Baghel, Ashish}, journal={arXiv preprint arXiv:2603.00960}, year={2026} } ```