
Assessment

An Assessment is one run of AISafe against one target: a codebase, a URL, or both. It is the central work unit of the platform. Findings, reports, artifacts, and triage all belong to one assessment. You create an assessment by clicking "Start assessment" in the dashboard or calling POST /api/v1/assessments via the API.

Identity

Each assessment carries a human-readable public ID of the form AIS-{ORG}-{CODE} (e.g. AIS-ACME-TLP). The code is unique within the owning organization. Drafts carry a -DRAFT suffix (e.g. AIS-ACME-TLP-DRAFT); AISafe strips this suffix when you finalize and start the assessment. These IDs are immutable, appear in URLs and reports, and form part of each downstream finding ID.
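A client that stores or compares assessment IDs needs to parse this format and to treat a draft ID and its finalized form as the same assessment. The following is an added example, not AISafe's own code; it assumes (the page only gives examples) that ORG and CODE are non-empty runs of uppercase letters and digits and that -DRAFT is the only suffix.

```python
import re
from dataclasses import dataclass

# Assumed grammar for AIS-{ORG}-{CODE}[-DRAFT]: ORG and CODE are uppercase
# alphanumerics; -DRAFT is the only suffix.  The pattern is anchored so that
# trailing junk or a doubled suffix ("...-DRAFT-DRAFT") is rejected.
_ID_RE = re.compile(r"^AIS-(?P<org>[A-Z0-9]+)-(?P<code>[A-Z0-9]+)(?P<draft>-DRAFT)?$")


@dataclass(frozen=True)
class AssessmentId:
    org: str
    code: str
    draft: bool

    @property
    def public_id(self) -> str:
        """Render back to the public ID form, with the suffix only for drafts."""
        base = f"AIS-{self.org}-{self.code}"
        return f"{base}-DRAFT" if self.draft else base


def parse_assessment_id(value: str) -> AssessmentId:
    """Parse a public ID; raises ValueError on anything outside the grammar."""
    m = _ID_RE.fullmatch(value)
    if m is None:
        raise ValueError(f"not an AISafe assessment ID: {value!r}")
    # Because the CODE group is matched greedily before the optional suffix,
    # "AIS-ACME-DRAFT" parses as code "DRAFT" with no draft flag, which is the
    # only consistent reading of a three-segment ID.
    return AssessmentId(m["org"], m["code"], m["draft"] is not None)


def finalize_id(value: str) -> str:
    """The ID the assessment carries once started: same org and code, no -DRAFT."""
    parsed = parse_assessment_id(value)
    return AssessmentId(parsed.org, parsed.code, draft=False).public_id


def same_assessment(a: str, b: str) -> bool:
    """True when two IDs name the same assessment regardless of draft state."""
    pa, pb = parse_assessment_id(a), parse_assessment_id(b)
    return (pa.org, pa.code) == (pb.org, pb.code)


if __name__ == "__main__":
    print(finalize_id("AIS-ACME-TLP-DRAFT"))  # AIS-ACME-TLP
```

Keying local records on the finalized form (org and code) rather than on the raw string avoids a duplicate entry when the draft you created is later reported under its stripped ID.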

Types

AISafe supports two primary assessment types:

Type | What it does | Source input
Code Audit | Whitebox static analysis. AI agents examine your source for vulnerabilities, taint flows, and misconfigurations. | GitHub/GitLab repo or uploaded archive
Pentest | Blackbox runtime testing. AI agents probe your live application over HTTP, modeling the attack surface and testing for exploitable vulnerabilities. | Target URLs + optional credentials

A hybrid whitebox mode combines the two: static analysis of the source plus agent probing of the live target. It therefore takes both a source and target URLs.

Lifecycle

An assessment moves through these stages:

  1. Draft. You configure the name, source/target, type, and optional instructions. Nothing has run yet.
  2. Validation. AISafe validates the source (clones the repo, resolves the ref, checks the archive) and confirms the target is reachable.
  3. Running. AI agents execute in isolated sandboxes. AISafe streams progress through stages (Understanding → Analysis → Audit → Triage → Report for code audits; Validation → Scoping → Modeling → Testing → Triage → Report for pentests).
  4. Completed. Findings are final, triage is complete, and a report is ready.
  5. Failed. The assessment encountered an unrecoverable error. AISafe refunds credits.

Steering

You can provide additional instructions: free-form text that tells the agents what to prioritize (e.g. "focus on medium-or-higher vulnerabilities that map to a CVE" or "this is a mature library, prioritize logic bugs over input validation"). Scope and safety rules take precedence over steering instructions.

Project membership

An assessment may belong to a Project. Project-bound assessments load context from the project's living knowledge base at start and contribute new knowledge back at completion, making them faster and more accurate than standalone runs. See Project for details.