The Security Test Agent in Qodex helps you proactively catch vulnerabilities like broken access control, token misuse, and OWASP Top 10 risks — without needing to write complex security tests manually.

It works alongside your functional testing to validate security rules across endpoints and environments.

What It Does

  • Scans your API flows for common security pitfalls
  • Auto-generates test scenarios based on OWASP Top 10
  • Injects edge-case payloads to simulate malicious behavior
  • Checks role-based access violations across endpoints
  • Surfaces real security gaps with detailed failure logs

Key Tests Included

  • Broken access control

    Attempts unauthorized access using standard and manipulated tokens

  • Token abuse checks

    Tests expired, missing, or malformed tokens

  • Rate limiting tests

    Simulates burst calls to check whether rate limits are actually enforced

  • Sensitive data exposure

    Looks for unsecured PII fields or unencrypted responses

  • Custom security rules

    Define your own assertions for roles, headers, or response structure
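The checks listed above can also be written as ordinary test code. The following is an added example, not Qodex's own code: it builds a constructed in-memory stand-in for an API under test (`FakeApi`, with a small per-token rate limit, an optional switch that disables role enforcement to show what a failing check looks like, and a `/users/1` endpoint that deliberately returns a PII field) and runs four checks matching the categories above. Each check returns a list of findings instead of raising, so one run reports every gap at once. The token table, paths, limit values and the PII field-name pattern are all assumptions made for the example.

```python
"""Added example: API security checks of the kinds listed above, run against a
constructed in-memory stand-in. Not Qodex's code; all values are assumptions."""
import re
import time
from dataclasses import dataclass, field

# Constructed token table: token -> (role, expiry as epoch seconds)
TOKENS = {
    "tok-admin": ("admin", time.time() + 3600),
    "tok-user": ("user", time.time() + 3600),
    "tok-expired": ("user", time.time() - 60),
}

# Field names that should never appear in plain API responses (assumed list)
PII_FIELDS = re.compile(r"(ssn|social_security|password|credit_card|card_number)", re.I)


@dataclass
class Response:
    status: int
    body: dict = field(default_factory=dict)


class FakeApi:
    """Minimal stand-in for the API under test. /users/1 intentionally leaks 'ssn'."""

    def __init__(self, rate_limit=5, enforce_roles=True):
        self.rate_limit = rate_limit          # max calls per token before 429
        self.enforce_roles = enforce_roles    # False models a broken access control
        self.calls = {}

    def request(self, path, token=None):
        if token is None:
            return Response(401)
        entry = TOKENS.get(token)
        if entry is None or entry[1] < time.time():   # malformed/unknown or expired
            return Response(401)
        role = entry[0]
        self.calls[token] = self.calls.get(token, 0) + 1
        if self.calls[token] > self.rate_limit:
            return Response(429)
        if path.startswith("/admin"):
            if role == "admin" or not self.enforce_roles:
                return Response(200, {"users": 3})
            return Response(403)
        if path == "/users/1":
            return Response(200, {"id": 1, "email": "a@example.test", "ssn": "123-45-6789"})
        return Response(404)


def check_access_control(api):
    """Broken access control: a non-admin token must get 403 on /admin paths."""
    r = api.request("/admin/users", token="tok-user")
    return [] if r.status == 403 else [f"/admin/users: user role got {r.status}, expected 403"]


def check_tokens(api):
    """Token abuse: missing, expired and malformed tokens must all be rejected with 401."""
    findings = []
    for label, token in (("missing", None), ("expired", "tok-expired"), ("malformed", "not-a-token")):
        r = api.request("/users/1", token=token)
        if r.status != 401:
            findings.append(f"{label} token got {r.status}, expected 401")
    return findings


def check_rate_limit(api, burst=20):
    """Rate limiting: a burst of calls with one token must eventually be throttled (429)."""
    statuses = [api.request("/users/1", token="tok-user").status for _ in range(burst)]
    return [] if 429 in statuses else [f"no 429 seen after {burst} burst calls"]


def check_sensitive_data(api):
    """Sensitive data exposure: flag response fields whose names look like PII."""
    r = api.request("/users/1", token="tok-admin")
    leaked = [k for k in r.body if PII_FIELDS.search(k)]
    return [f"/users/1 exposes PII field(s): {leaked}"] if leaked else []


def run_all(api=None):
    """Run every check against a fresh API instance and return findings per check."""
    api = api or FakeApi()
    return {c.__name__: c(api) for c in (check_access_control, check_tokens, check_rate_limit, check_sensitive_data)}


if __name__ == "__main__":
    for name, findings in run_all().items():
        print(name, "OK" if not findings else findings)
```

Against the default `FakeApi` only the sensitive-data check reports a finding (the deliberate `ssn` field); constructing `FakeApi(enforce_roles=False)` makes the access-control check fail as well, which is the kind of failure log the Build tab would surface. The same functions can be pointed at a real client by replacing `FakeApi.request` with an HTTP call that returns the same `Response` shape.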

How to Use It

  1. Create a test scenario using the AI Agent

    e.g., “Check if user without admin role can access /admin endpoints”

  2. Qodex suggests security-focused test rules

    Includes both status checks (403/401) and field-level validations

  3. Run the test

    Failures will show up in the Build tab with specific logs and auto-heal suggestions

  4. Monitor security posture

    Track failures, fix issues, and re-run updated tests