SOC Pro
US-130 · US-131 · US-132 · US-133 · US-134 · US-135 · US-136 · US-137 · US-138 · US-139 · US-140
L9 — AI Agent Security Scan
✦ Powered by Claude Security · SOC Pro & Enterprise Only
Autonomous AI-driven security assessment — Claude Security iteratively probes, reasons, and reports vulnerabilities across your application surface.
⚡ Wireframe state: scan completed. Agent ran 18 steps across 4 tool categories in 6m 43s. 9 findings generated.
🗓️
AI Agent Scan Rate Limit: 1 scan per 7 days. Industry standard for autonomous AI security assessments. Resets every Monday 00:00 UTC.
Used this week: 1 / 1 · Next available: Mon 23 Jun
📋
Platform Scan Limits (applies to all modules except L7 SOC/SIEM and L8 Malware): L1 Recon: 2/week · L2 Web AppSec: 1/15 days · L3 Mobile: 1/15 days · L4 API: 2/week · L5 Compliance: 1/30 days · L6 Cloud: 1/15 days · L9 AI Agent: 1/7 days
Findings: 9 (2 critical, 3 high)
Agent Steps: 18 (6m 43s total)
Tokens Used: 4,821 (~$0.14 cost)
Avg Confidence: 97%
Claude Security
🎯 Scan Configuration US-130, US-131
Must be within your registered domain (acmecorp.com). Subdomain scanning included.
Authentication · Authorisation · Input Validation · Session Management · Business Logic · File Upload · Payment Flows · Admin Panels · API Endpoints · CSRF
Rate limit: 1 scan / 7 days · Next reset: Mon 23 Jun 2026 00:00 UTC
✦ Agent Activity Log US-132, US-133 Completed — 6m 43s
00:00.0 THINK Analysing target acmecorp.com/app. I'll start by mapping the authentication surface before probing for vulnerabilities.
00:08.3 TOOL http_probe(url="https://app.acmecorp.com/login") → 200 OK, form detected, CSRF token present
00:15.1 THINK Login form found. Checking for rate limiting on failed attempts and username enumeration via response timing.
00:28.7 TOOL brute_probe(endpoint="/login", attempts=10, timing_analysis=true) → No lockout after 10 attempts, timing delta: 480ms (user exists) vs 12ms (user not found)
00:29.2 FIND CRITICAL: Username enumeration via timing — response time 40× slower for existing users. Attacker can enumerate all accounts. CVE pattern: OWASP A07:2021
00:44.0 THINK No account lockout after 10 attempts. Let me verify if there's rate limiting at the IP level before flagging a brute-force finding.
01:02.5 TOOL rate_limit_probe(endpoint="/login", requests=50, window="60s") → No rate limiting detected at IP or session level
01:03.1 FIND CRITICAL: No rate limiting on authentication endpoint. Brute-force attacks unrestricted. 50 requests in 60 seconds without block.
01:18.0 THINK Moving to session management. I'll check JWT handling, session fixation, and logout behaviour.
02:10.4 TOOL jwt_analyse(token="eyJhbG...") → alg: HS256, exp: +30d, no jti (no revocation possible)
02:11.0 FIND HIGH: JWT tokens non-revocable (no jti claim). Compromised tokens valid for 30 days with no server-side invalidation.
03:45.0 TOOL idor_probe(endpoints=["/api/user/{id}", "/api/orders/{id}"], method="sequential_id_test") → /api/orders/{id} returns other users' orders
03:45.8 FIND CRITICAL: IDOR on /api/orders/{id} — authenticated user can access any order by incrementing ID. Data exposure risk: order history, PII, payment last-4.
06:43.0 DONE Assessment complete. 18 steps executed. 9 findings generated (2 critical, 3 high, 3 medium, 1 low). Full report ready.
🔴 AI Agent Findings US-134, US-135
All (9) · Critical (2) · High (3) · Medium (3) · Low (1)
CRITICAL
99% conf
IDOR — Unauthorised Order Data Exposure
Endpoint /api/orders/{id} returns full order details for any ID without ownership check. Any authenticated user can access other users' orders, PII, and payment last-4 digits.
OWASP A01:2021 · CWE-639 · Detected at step 14 · Financial exposure: $180,000+ (GDPR breach fine estimate)
CRITICAL
98% conf
No Rate Limiting on Authentication
Login endpoint /api/auth/login accepts unlimited requests. No lockout, captcha, or IP throttle. Full credential brute-force possible.
OWASP A07:2021 · CWE-307 · Detected at step 6 · Financial exposure: $95,000
HIGH
96% conf
Username Enumeration via Timing Attack
Login response time differs by 40× for valid vs invalid usernames. Attackers can enumerate all registered accounts before brute-forcing.
OWASP A07:2021 · CWE-208 · Detected at step 4 · Financial exposure: $42,000
HIGH
94% conf
Non-Revocable JWT Tokens (30-day TTL)
JWTs lack jti claim and no server-side revocation store exists. Stolen tokens remain valid for 30 days. No logout invalidation possible.
OWASP A07:2021 · CWE-613 · Detected at step 10 · Financial exposure: $38,000
HIGH
91% conf
Missing Content-Security-Policy Header
No CSP header returned on any page. XSS payloads can load external scripts, exfiltrate session tokens, or redirect users to phishing pages.
OWASP A05:2021 · CWE-693 · Detected at step 3 · Financial exposure: $28,000
+ 4 more findings (3 medium, 1 low)
✦ AI-Generated Remediation — IDOR Finding US-136, US-137
Claude Security has generated a targeted remediation script for this finding. Test in staging before deploying.
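    # Fix: Add ownership check to order retrieval
    # File: app/api/routes/orders.py
    from fastapi import Depends, HTTPException
    from motor.motor_asyncio import AsyncIOMotorDatabase

    # router, User, get_current_user and get_db are the application's own
    # objects; their definitions are not shown on this page.

    @router.get("/orders/{order_id}")
    async def get_order(
        order_id: str,
        current_user: User = Depends(get_current_user),
        # get_db must yield the database handle (not the client),
        # otherwise db.orders is not a collection
        db: AsyncIOMotorDatabase = Depends(get_db),
    ):
        order = await db.orders.find_one({"_id": order_id})
        if not order:
            raise HTTPException(404, "Order not found")

        # ADD THIS: Enforce ownership
        # Note: a 403 here confirms to a non-owner that the order ID exists;
        # return the same 404 as above if that should stay hidden.
        if str(order["user_id"]) != str(current_user.id):
            raise HTTPException(403, "Access denied")

        return order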