Attack Services

Replay, Mutation, and Attack Services

Payload mutation still exists, but in v4 the strongest proof usually comes from replay, AuthZ diffing, and race workflows.

Smart Payload Evolution still exists

The scanner can still mutate payloads and adapt based on target behavior. That remains useful for first-pass discovery, especially when responses hint at filtering or brittle parsing.

Replay is the stronger proof path

Once you capture a real action, the replay services can reproduce it with stored identity context instead of depending on a synthetic payload guess.

text
1POST /platform/projects/{project}/attacks/replay
2POST /platform/projects/{project}/attacks/http/replay
3POST /platform/projects/{project}/attacks/authz-diff
4POST /platform/projects/{project}/attacks/race

AuthZ diff and race workflows

AuthZ Diff

Compare the same action across identities to expose cross-role or cross-tenant behavior gaps.

Race Testing

Probe for duplicate execution, stale token reuse, and invalidation windows around state changes.

Use mutation where it helps

Mutation is still useful for fuzzing and scanner-led discovery. It is just not the center of the v4 platform anymore.