Review our comprehensive test suite for web applications and APIs

Penetration Test Suite

Heyhack's proprietary scanning and testing engine automatically crawls your entire web application and API endpoints to test your assets comprehensively. Have a look at what our test suite includes on this page.

Find zero-day vulnerabilities and known security issues in one unified platform

Heyhack's proprietary pentest engine includes both tests for zero-day vulnerabilities and tests for known security issues (published in the Common Vulnerabilities and Exposures database). By combining active penetration testing with traditional vulnerability scanning, you'll get a complete overview of all potential security issues in your application with one single tool.
To find zero-day vulnerabilities, we've built our own AI-powered penetration test engine that actively and offensively attempts to find and exploit security issues in your application with the purpose of penetrating your infrastructure. Heyhack only flags an issue if the scanner has been able to successfully exploit the issue it found, which eliminates false positives and helps you gain a complete and transparent overview of all potential issues.
In addition, we rely on community efforts to find known vulnerabilities (i.e., security issues that have been assigned a CVE ID). Together with the zero-day issues found by our own proprietary engine, you'll get one unified presentation of the issues you need to address in your application.
Powered by Heyhack's AI

Heyhack's proprietary test engine

Unlike traditional vulnerability scanners, Heyhack's AI-powered test engine emulates the actions of skilled penetration testers, finding security issues by employing offensive attacks. Combined with our groundbreaking clicking and navigation module, Heyhack uncovers far more functionality (and ultimately more issues) than traditional scanners. Have a look at the types of attacks and vulnerabilities Heyhack's automated penetration test engine covers.
Broken Access Control
Broken Access Control-related issues are the #1 threat to modern web applications. Heyhack uses multiple users to run offensive tests related to the violation of the principle of least privilege, bypassing access control checks, accessing/editing other users' data, and more.
Business Logic Attacks
By leveraging multiple test users, Heyhack tests for issues related to the inherent business logic of the application. Using AI, Heyhack learns the functionality of the app and actively attempts to break it to find vulnerabilities associated with the logic and rules defined in the app.
SQL Injection (incl. Blind SQL Injection)
Intelligently testing for a wide variety of SQL injection-related issues.
Cross-Site Scripting (Stored, Reflected, and DOM-based)
Comprehensive tests for HTML rendering and execution of JavaScript.
Cross-Site Request Forgery
Refer to OWASP's information on cross-site request forgery.
Insecure Communications (incl. TLS-related issues)
Refer to OWASP's information on insecure transport issues.
Insecure HTTP Headers
Refer to OWASP's information on HTTP headers.
Missing HTTP Headers
Refer to OWASP's information on HTTP headers.
Information Leaks
Refer to OWASP's information on improper error handling.
Outdated and Vulnerable Dependencies
Refer to Category A06 in the OWASP Top 10.
Session Fixation
Refer to OWASP's information on session fixation.
Logging and Monitoring Issues
Refer to OWASP's information on logging and monitoring.
Missing Subresource Integrity
Refer to OWASP's Cheat Sheet Series on SRI.
XML External Entity (XXE) Processing
Refer to OWASP's information on XXE.
HttpOnly & SameSite Cookies
Refer to OWASP's articles on the HttpOnly and SameSite flags.
Secure Cookies
Refer to OWASP's information on issues related to secure cookies.
Server-Side Request Forgery
Refer to OWASP's information on issues related to SSRF.
Denial of Service
Refer to OWASP's information on denial of service attacks.
Unvalidated Redirects and Forwards
Refer to OWASP's Cheat Sheet Series on unvalidated redirects.
File Inclusion
Refer to OWASP's Web Security Testing Guide on file inclusion.
Powered by the AppSec Community

Testing for More than 2,000 CVEs

In addition to zero-day vulnerabilities, Heyhack looks for more than 2,000 known web-related vulnerabilities (with assigned CVE IDs). These include known issues in popular content management systems and web development frameworks. Check out the list of CVE-numbered issues covered by Heyhack here.

Minimize your attack surface

Book a meeting with one of our security experts and learn how Heyhack can help you secure your web applications and services across your domains.
Put penetration testing on autopilot and immediately reduce your AppSec risk.
“Heyhack helps us gain a complete overview of the security of our application and patch vulnerabilities early.”
Søren Viuff
CPO of Openli