<!DOCTYPE article PUBLIC "-//NLM//DTD JATS (Z39.96) Journal Archiving and Interchange DTD v1.0 20120330//EN" "JATS-archivearticle1.dtd">
<article xmlns:xlink="http://www.w3.org/1999/xlink">
  <front>
    <journal-meta />
    <article-meta>
      <title-group>
        <article-title>Vulnerability Detection System for Protected Web Applications Using Agent Technologies</article-title>
      </title-group>
      <contrib-group>
        <contrib contrib-type="author">
          <string-name>Rostyslav L. Tkachuk</string-name>
          <xref ref-type="aff" rid="aff1">1</xref>
        </contrib>
        <contrib contrib-type="author">
          <string-name>Nataliya O. Maslova</string-name>
          <xref ref-type="aff" rid="aff0">0</xref>
          <xref ref-type="aff" rid="aff1">1</xref>
        </contrib>
        <contrib contrib-type="author">
          <string-name>Olena M. Liubymenko</string-name>
          <xref ref-type="aff" rid="aff0">0</xref>
        </contrib>
        <contrib contrib-type="author">
          <string-name>Andriy I. Ivanusa</string-name>
          <xref ref-type="aff" rid="aff1">1</xref>
        </contrib>
        <aff id="aff0">
          <label>0</label>
          <institution>Donetsk National Technical University</institution>
          ,
          <addr-line>str. Sambirska, 76, Drohobych, Lviv region, 82100</addr-line>
          ,
          <country country="UA">Ukraine</country>
        </aff>
        <aff id="aff1">
          <label>1</label>
          <institution>Lviv State University of Life Safety</institution>
          ,
          <addr-line>35, Kleparivska St., Lviv, 79007</addr-line>
          ,
          <country country="UA">Ukraine</country>
        </aff>
      </contrib-group>
      <pub-date>
        <year>2026</year>
      </pub-date>
      <abstract>
        <p>Automation of web application pentesting is a relevant direction in cybersecurity due to the increasing complexity of this process caused by modern protection mechanisms, such as WAF and IDS/IPS. This paper proposes a multi-agent system based on JADE that enables adaptive real-time testing with defense evasion. The system architecture is presented, the operation of agents is described, and experimental testing results are provided. The obtained results demonstrate the effectiveness of the multi-agent approach for automated vulnerability detection in protected web environments.</p>
      </abstract>
      <kwd-group>
        <kwd>System</kwd>
        <kwd>Protection</kwd>
        <kwd>Vulnerabilities</kwd>
        <kwd>Web Applications</kwd>
        <kwd>Agent Technologies</kwd>
        <kwd>multi-agent systems</kwd>
      </kwd-group>
    </article-meta>
  </front>
  <body>
    <sec id="sec-1">
      <title>1. Introduction</title>
      <p>The scientific novelty of the research lies in the development of a full-featured MAS system based
on JADE, supporting parallel agent interaction, dynamic generation of obfuscated payloads, and
adaptation of attack strategies based on the results of previous attempts. The solution implements
asynchronous interaction through FIPA-compliant protocols and can be deployed on physically or
geographically distributed nodes.</p>
      <p>The practical significance of the study is the possibility to apply the proposed multi-agent system
for automated and adaptive pentesting of protected web applications in real time, with the capability
to bypass WAFs and analyze defense system responses. Thanks to its modular architecture, support
for distributed deployment, and compatibility with containerization, the system is suitable for
integration into existing cybersecurity processes and can also be used as a training platform for
security professionals.</p>
      <sec id="sec-1-1">
        <title>2. Purpose and objectives of the study</title>
        <p>The aim of the study is to develop and experimentally evaluate the effectiveness of a distributed
multi-agent system capable of detecting web application vulnerabilities by bypassing active
protection mechanisms in real time.</p>
        <p>To achieve this goal, the following tasks were set:
• to present the architecture of the multi-agent system;
• to implement agents of various purposes based on JADE;
• to develop attack scenarios and payload mutation methods;
• to conduct experimental testing using XSS and SQLi attacks as examples.</p>
      </sec>
    </sec>
    <sec id="sec-2">
      <title>3. Literature Review</title>
      <p>
        The issue of web application security testing is actively explored in the context of both traditional
penetration testing approaches and modern automated solutions. According to [
        <xref ref-type="bibr" rid="ref1 ref2 ref3 ref4">1–4</xref>
        ], pentesting
remains a key tool for detecting vulnerabilities in web applications, particularly XSS, SQLi, and CSRF.
Prior to the adoption of multi-agent systems, the automation of pentesting was primarily based on
vulnerability scanners (Burp Suite [
        <xref ref-type="bibr" rid="ref5">5</xref>
        ], Nessus [
        <xref ref-type="bibr" rid="ref6">6</xref>
        ], OpenVAS [
        <xref ref-type="bibr" rid="ref7">7</xref>
        ]), semi-automated scripts, and
frameworks (Metasploit), which had limited adaptability and scalability. These tools required
significant human involvement, lacked real-time interaction, and did not learn from previous attacks.
Further studies demonstrated the effectiveness of distributed computing and agent-based
approaches.
      </p>
      <p>
        Significant attention has been devoted to automating pentesting through the use of multi-agent
systems (MAS). Studies [
        <xref ref-type="bibr" rid="ref10 ref11 ref8 ref9">8–11</xref>
        ] highlight the advantages of agent-oriented platforms, including
flexibility and adaptability. The MAS-ML 2.0 model [
        <xref ref-type="bibr" rid="ref12">12</xref>
        ] and Java-based agent platforms [
        <xref ref-type="bibr" rid="ref13">13</xref>
        ] have
proven effective under complex simulation conditions, including cyber-physical systems [
        <xref ref-type="bibr" rid="ref14">14</xref>
        ].
      </p>
      <p>
        In the context of MAS security [
        <xref ref-type="bibr" rid="ref15">15</xref>
        ], key attack vectors and the necessity of building resilient
interaction models between agents have been examined. Works [
        <xref ref-type="bibr" rid="ref16 ref17">16, 17</xref>
        ] focus on developing secure
agent interaction architectures, including countermeasures against DoS attacks and ensuring
consensus-based control in dynamic environments.
      </p>
      <p>
        Regarding the use of agent systems in cybersecurity, study [
        <xref ref-type="bibr" rid="ref18">18</xref>
        ] demonstrates a wide range of
MAS capabilities — from energy system monitoring to IoT threat analysis. Research [
        <xref ref-type="bibr" rid="ref19">19</xref>
        ] describes
the extension of existing web pentesting frameworks, while emphasizing the challenges of
integrating agent systems into scanning processes.
      </p>
      <p>In the domain of web application protection, multi-agent systems are applied to intrusion analysis
and the enhancement of IDS/IPS and WAF functionality.</p>
      <p>Modern protection tools such as WAFs and IDSs perform real-time traffic monitoring, attack
detection, and response to emerging threats.</p>
      <p>
        Their efficiency is improved through the use of machine learning methods [
        <xref ref-type="bibr" rid="ref20 ref21 ref22 ref23">20–23</xref>
        ]. For instance,
models such as Naïve Bayes, k-NN, SVM, and linear regression demonstrate a detection accuracy of
92–99% for malicious HTTP requests [
        <xref ref-type="bibr" rid="ref23">23</xref>
        ]. However, modern attacks can bypass these tools using
fuzzing, obfuscation techniques (Base64, URL encoding, polymorphism), and automated tools like
SQLMap [
        <xref ref-type="bibr" rid="ref24 ref25">24, 25</xref>
        ].
      </p>
      <p>
        Special attention should be paid to the comparative analysis of pentesting tools [
        <xref ref-type="bibr" rid="ref26 ref27 ref28">26–28</xref>
        ], such as
Burp Suite, which, although effective, are not always accessible due to licensing restrictions,
highlighting the relevance of developing free and adaptive solutions.
      </p>
      <p>The conducted analysis shows that multi-agent systems hold high potential in automating web
application security testing. They enable parallel task processing, real-time agent interaction, and
rapid adaptation to new types of attacks — which is critical in the face of increasing threat
complexity.</p>
      <p>
        In the authors' previous studies [
        <xref ref-type="bibr" rid="ref29">29</xref>
        ], the SPADE platform was used to develop XSS scanners based
on autonomous agents. Integrating MAS into pentesting requires addressing compatibility issues
with heterogeneous environments and supporting scalability. SPADE’s limitations in this context
motivate the search for new platforms for building extensible agent systems. The conducted review
confirms that multi-agent systems are a promising direction for automating web application security
testing. Their flexibility, adaptability, and self-organization capabilities make them effective in
detecting, analyzing, and preventing modern cyber threats.
      </p>
    </sec>
    <sec id="sec-3">
      <title>4. Problem Statement</title>
      <p>Web applications are key components of modern information systems widely used in business,
government administration, finance, and other critical sectors. At the same time, the openness of
their interfaces, complex user interaction logic, and rapid technological development make them
vulnerable to various attacks, among which XSS, SQL injection, and CSRF remain the most common.</p>
      <p>Traditional security testing methods, particularly manual penetration testing, are
resource-intensive, laborious, and poorly scalable. Given the growing number of web applications and their
dynamic changes, there is a need for automated solutions capable of quickly adapting to new types
of vulnerabilities and changes in protective mechanisms, including the operation of WAFs, IDS/IPS,
and others. Despite the availability of vulnerability scanning tools such as Burp Suite, their use is
often limited by licensing policies, the need for manual configuration, and lack of support for full
distributed request processing. This limits testing effectiveness in large-scale or distributed
environments.</p>
      <p>In this context, solutions that combine the following remain insufficiently researched and
practically unimplemented:
• distributed data processing;
• use of multi-agent technologies for automating penetration testing;
• adaptation to modern protection systems in real time.</p>
      <p>Thus, the current challenge is the development of a distributed multi-agent system capable of
autonomously and coherently detecting web application vulnerabilities under the constraints
imposed by modern protection mechanisms.</p>
    </sec>
    <sec id="sec-4">
      <title>5. Materials and Methods</title>
      <p>For the implementation of the experimental multi-agent system, the JADE platform (Java Agent
Development Framework) was used, which complies with the FIPA specification and supports
distributed interaction between agents. Within the scope of the study, the system is understood as
an implemented set of agents built according to an agreed architecture that constitutes the proposed
solution. The development environment included Java 11, Apache Maven for dependency
management, and NetBeans IDE for designing the agent architecture. To emulate a protected web
application targeted by the pentest, web applications deployed on an Apache server with the WAF
module ModSecurity enabled were used, allowing the simulation of a modern protection system with
signature-based analysis.</p>
      <sec id="sec-4-1">
        <title>5.1. System Architecture</title>
        <p>The system architecture involves the implementation of four agents with different purposes, which
interact via ACL messages typical for JADE.</p>
        <p>Recon-Agent performs initial analysis of the target web application, including examining HTTP
headers, the presence of client-side JavaScript, and server behavior. It also detects the presence of
request filtering and characterizes the WAF operation.</p>
        <p>Mutation-Agent is responsible for generating malicious payloads using obfuscation methods. The
study implements three mutation approaches: character encoding (Base64, URL encoding), syntactic
transformations (altering the structure of requests), and polymorphism (dynamic XSS/SQLi payloads
that evade signature detection).</p>
        <p>Attack-Agent sends requests to the target system and records responses, including HTTP status
codes (403, 406, 500) and processing times. It also detects changes in WAF behavior after each attack
series.</p>
        <p>Learning-Agent analyzes attack results, performs machine learning generalization of effective
patterns, and adapts mutation and retry strategies. Based on data received from the Attack-Agent, it
modifies payload mutation parameters and sends them back to the Mutation-Agent, thus forming a
closed learning loop.</p>
        <p>Each agent runs in a separate JADE container, which can be deployed locally or remotely on a
separate physical or virtual node in another network. This enabled the implementation of a
distributed architecture where agents coordinate yet remain autonomous, which is especially
important for bypassing geolocation or IP-based filters.</p>
        <p>Communication between agents is conducted via ACL messages, allowing asynchronous
interaction without centralized control (Figure 1).</p>
        <p>The diagram illustrates the sequential data exchange between agents of the multi-agent system
operating in automated pentesting mode.</p>
        <p>All agents in the figure are connected by directed arrows, reflecting the sequence and cycle of
processing. The process begins with the Recon-Agent, which interacts with the target web
application, collecting data on HTTP headers, client-side scripts, and server behavior:</p>
        <sec id="sec-4-1-1">
          <title>1. Input: Collects data from target.</title>
          <p>2. Process: Collects HTTP headers, JavaScript code and server responses.</p>
          <p>3. Output: Passes collected data to Mutation-Agent.</p>
          <p>The information is passed to the Mutation-Agent, which generates adaptive payloads based on it,
taking into account possible protection at the WAF level:</p>
        </sec>
        <sec id="sec-4-1-2">
          <title>1. Input: Receives input data from Recon-Agent. 2. Process: Generates mutated payloads; creates obfuscated or polymorphic payloads using encoding techniques (Base64, split-XSS, etc.).</title>
          <p>3. Output: Passes formed requests to Attack-Agent.</p>
          <p>The simulated requests are sent to the Attack-Agent, which performs the attacks and records the
target system’s response, including status codes and processing time:</p>
        </sec>
        <sec id="sec-4-1-3">
          <title>1. Input: Receives payloads from Mutation-Agent. 2. Process: Sends attack requests to target and logs responses; sends requests to web application, records response codes, response time.</title>
          <p>3. Output: Forwards collected responses to Learning-Agent.</p>
          <p>The results are analyzed by the Learning-Agent, which identifies effective evasion strategies and
adjusts the actions of the Mutation-Agent accordingly:</p>
        </sec>
        <sec id="sec-4-1-4">
          <title>1. Input: Receives data on attack results from Attack-Agent</title>
          <p>2. Process: Analyzes effectiveness and adjusts mutation strategy; Analyzes the success of
attacks, adapts mutations for subsequent cycles.</p>
        </sec>
        <sec id="sec-4-1-5">
          <title>3. Result: Passes recommendations back, closes the adaptation cycle.</title>
          <p>Thus, the system forms a closed processing loop where each agent operates autonomously yet in
coordination, ensuring adaptability, learning, and flexible response to defense reactions in real time.</p>
          <p>The agents were deployed on different physical or virtual machines, simulating real distributed
conditions and allowing the evaluation of WAF evasion effectiveness from various geographic zones.</p>
          <p>Heuristic and machine learning approaches were used to generate modified requests that are not
recognized by the WAF as malicious but are still capable of triggering harmful behavior in the web
application. For instance, replacing SQL operators with their encoded or alternative representations
allows bypassing static filtering rules.</p>
        </sec>
        <sec id="sec-4-1-6">
          <title>As part of the study, three types of attack scenarios were created:</title>
          <p>• XSS with character encoding (standard injected JavaScript with modified characters);
• Polymorphic SQL injection (using keyword and parameter substitution to avoid detection);
• Split XSS (split payload), where the malicious script is divided into several parts that execute
sequentially.</p>
          <p>The selection of these specific attack types (XSS, split-XSS, polymorphic SQLi) is justified by their
prevalence in modern web applications and their sensitivity to behavioral and signature-based WAF
mechanisms.</p>
          <p>In each test cycle, 100 requests were executed, and the results were recorded and classified based
on the success of WAF evasion.</p>
        </sec>
        <sec id="sec-4-1-7">
          <title>The evaluation methods included:</title>
          <p>• analysis of HTTP response codes (2xx, 4xx, 5xx),
• comparison of response times for modified requests,
• statistical aggregation of successful attacks,
• visualization of payload mutation effectiveness.</p>
          <p>The data is stored in log files, which allows the Learning-Agent to assess the effectiveness of each
mutation and adjust the strategy in subsequent stages.</p>
          <p>An example of a log file saved after a series of attacks and the use of the Learning-Agent to
evaluate mutation effectiveness and adapt strategies is shown in Figure 2.</p>
          <p>What the Learning-Agent analyzes:
• mutation_type — the type of mutation that was applied;
• was_blocked + http_status — the result of the request: successful or blocked;
• waf_signature_triggered — the specific signature that was triggered (if any);
• response_time_ms — an indirect indicator of additional request processing or filtering;
• payload — allows evaluation of which specific constructions are more “invisible” to the WAF.</p>
          <p>Based on these logs, the Learning-Agent compiles statistics on successful/unsuccessful mutations,
excludes ineffective patterns from future attacks, adjusts the behavior of the Mutation-Agent to
generate more obfuscated or altered requests, and can assign weights to each mutation type
depending on its effectiveness (as part of a heuristic or reinforcement learning strategy).</p>
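          <p>The same log fields can be read from the defender's side as a WAF rule-coverage report. The following is an added example, not the authors' code: it aggregates block rates per mutation type and lists the types the rule set under-blocks. The JSON-lines layout, the 403/406 block convention, the thresholds, and all signature names and payload values are assumptions constructed for illustration.</p>
          <preformat><![CDATA[
```python
import json
from collections import Counter, defaultdict
from statistics import median

REQUIRED = {"mutation_type", "was_blocked", "http_status",
            "waf_signature_triggered", "response_time_ms", "payload"}
BLOCK_STATUSES = {403, 406}  # assumption: these statuses mean the WAF refused the request


def _line(mutation, blocked, status, signature, ms):
    """Build one constructed log line; the payload is a placeholder, not real input."""
    return json.dumps({"mutation_type": mutation, "was_blocked": blocked,
                       "http_status": status, "waf_signature_triggered": signature,
                       "response_time_ms": ms, "payload": "placeholder"})


# Constructed sample log (not data from the paper).
SAMPLE_LOG = "\n".join([
    _line("url_encoding", True, 403, "SIG-A", 305),
    _line("url_encoding", True, 403, "SIG-A", 298),
    _line("url_encoding", True, 406, "SIG-B", 310),
    _line("url_encoding", False, 200, None, 232),
    _line("split_xss", False, 200, None, 230),
    _line("split_xss", False, 200, None, 241),
    _line("split_xss", True, 403, "SIG-A", 300),
    _line("polymorphic_sqli", True, 403, "SIG-C", 290),
    _line("polymorphic_sqli", True, 403, "SIG-C", 307),
    _line("polymorphic_sqli", True, 403, "SIG-C", 295),
    "truncated or corrupted line",                      # malformed: not JSON
    _line("polymorphic_sqli", False, 403, None, 288),   # contradictory outcome
])


def parse_log(text):
    """Return (records, rejected). Malformed or self-contradictory lines are rejected."""
    records, rejected = [], 0
    for line in text.splitlines():
        if not line.strip():
            continue
        try:
            rec = json.loads(line)
        except json.JSONDecodeError:
            rejected += 1
            continue
        if not isinstance(rec, dict) or not REQUIRED.issubset(rec):
            rejected += 1
            continue
        # was_blocked must agree with http_status; a mislabelled record would
        # silently skew the block rate, so it is dropped and counted instead.
        if bool(rec["was_blocked"]) != (rec["http_status"] in BLOCK_STATUSES):
            rejected += 1
            continue
        records.append(rec)
    return records, rejected


def summarise(records):
    """Per mutation_type: totals, block rate, signatures that fired, median timings."""
    acc = defaultdict(lambda: {"total": 0, "blocked": 0, "signatures": Counter(),
                               "blocked_ms": [], "passed_ms": []})
    for rec in records:
        s = acc[rec["mutation_type"]]
        s["total"] += 1
        if rec["was_blocked"]:
            s["blocked"] += 1
            s["blocked_ms"].append(rec["response_time_ms"])
            if rec["waf_signature_triggered"]:
                s["signatures"][rec["waf_signature_triggered"]] += 1
        else:
            s["passed_ms"].append(rec["response_time_ms"])
    return {
        name: {
            "total": s["total"],
            "blocked": s["blocked"],
            "block_rate": s["blocked"] / s["total"],
            "signatures": dict(s["signatures"]),
            "median_blocked_ms": median(s["blocked_ms"]) if s["blocked_ms"] else None,
            "median_passed_ms": median(s["passed_ms"]) if s["passed_ms"] else None,
        }
        for name, s in acc.items()
    }


def coverage_gaps(report, min_block_rate=0.9, min_samples=3):
    """Mutation types blocked less often than min_block_rate, worst first."""
    gaps = [(r["block_rate"], name) for name, r in report.items()
            if r["total"] >= min_samples and r["block_rate"] < min_block_rate]
    return [name for _, name in sorted(gaps)]


if __name__ == "__main__":
    recs, bad = parse_log(SAMPLE_LOG)
    rep = summarise(recs)
    print(f"{len(recs)} usable records, {bad} rejected")
    for name in coverage_gaps(rep):
        print(f"rule gap: {name} blocked {rep[name]['block_rate']:.0%}")
```
]]></preformat>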
          <p>The results were compared to expected blocking rates characteristic of typical signature-based
WAF configurations. The research was conducted in a controlled lab environment, allowing precise
tracking of the impact each mutation method had on bypassing the protection.</p>
        </sec>
      </sec>
      <sec id="sec-4-2">
        <title>5.2. Implementation of distribution</title>
        <p>The concept of distribution is implemented through the use of autonomous agents that perform their
functions independently while exchanging results and coordinating actions to achieve a common
goal. Agents can be deployed on different physical or virtual machines, as well as in containers, and,
if possible, across diverse geographical locations to reduce the risk of blocking based on IP addresses
or geographic restrictions.</p>
        <p>For example, a Recon-Agent may operate from multiple IP addresses to avoid detection of
requests as malicious originating from a single source. Similarly, Mutation-Agent and Attack-Agent
can run concurrently on separate nodes, enabling parallel testing of various attack vectors. This
distribution allows for multifunctional attacks from multiple sources, minimizing the likelihood of
the entire system being blocked.</p>
        <p>Several Recon-Agents can simultaneously collect information from different sections of one or
multiple websites, analyzing pages, metadata, HTTP headers, request parameters, and server
responses from various points. This approach provides a more comprehensive understanding of
WAF configurations. The collected data is centrally stored and utilized by other agents.</p>
        <p>A Mutation-Agent distributed across multiple nodes generates payload variants for different
WAF configurations in parallel. One agent may focus on bypassing one type of protection, while
another targets a different one. The generated payloads are then passed to Attack-Agents for
simultaneous testing.</p>
        <p>The distribution of Attack-Agents sending requests from different geographical locations
accelerates testing and increases the likelihood of successful attacks by circumventing diverse
blocking strategies. The Learning-Agent operates both centrally and in a distributed manner,
gathering data on attack effectiveness, analyzing patterns, and optimizing strategies to minimize
detection risk. Data from various locations are aggregated and used to enhance subsequent attacks.</p>
        <p>The implementation of distribution in the system is based on autonomous agents that perform
their functions independently but exchange results through secure communication channels using
TLS protocols to ensure data integrity and confidentiality. Each agent undergoes authentication via
JADE Security mechanisms, minimizing the risk of unauthorized access or message forgery.</p>
      </sec>
    </sec>
    <sec id="sec-5">
      <title>6. Results and Discussion</title>
      <p>In the test scenarios simulating XSS and SQLi attacks, the agents dynamically modified payloads,
analyzed server responses, and learned from the results. Examples of test requests for XSS or SQLi
scanning with WAF bypass are shown in Table 1.</p>
      <p>Each request had a different attack nature, objective, and The first request aimed to test for XSS
vulnerability by injecting a simple script &lt;script&gt;alert(1)&lt;/script&gt;. If successful, a JavaScript alert
was expected to trigger. The presence of the alert indicated the absence of server-side script filtering.</p>
      <p>The second request — an SQL injection with the payload id=1' OR '1'='1 — targeted bypassing the
SQL parameter filtering logic.</p>
      <p>The expected outcome was either incorrect data output or complete request rejection in case of
blocking. If the server returned results, this indicated the presence of the injection vulnerability.</p>
      <p>The third request used an XSS attack via an image tag: &lt;img src=x onerror=alert(123)&gt;.</p>
      <p>The goal was to check whether the script executes upon handling an error in the attribute. If the
browser ran the script, it meant protective mechanisms did not block such constructs.</p>
      <p>In the fourth test, an obfuscated XSS attack was employed in the form of a URL-encoded SVG tag
containing a script with alert(document.cookie). This request was intended to test the WAF’s ability
to recognize and decode URL-encoded inputs. Successful bypass indicated insufficient depth of the
filtering check.</p>
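      <p>The decoding-depth weakness described above, shown from the filtering side as an added example (not code from the paper or from ModSecurity): a filter that decodes once is compared with one that decodes to a fixed point before matching and treats layered encoding as a signal in itself. The signature patterns, function names and sample values are constructed for illustration; the sample reuses the alert(1) test string from the first request.</p>
      <preformat><![CDATA[
```python
import re
from urllib.parse import quote, unquote_plus

# Simplified stand-ins for WAF signatures (assumption; real rule sets are far larger).
SIGNATURES = {
    "script-tag": re.compile(r"<\s*script\b", re.I),
    "event-handler": re.compile(r"\bon(?:error|load)\s*=", re.I),
    "sqli-tautology": re.compile(r"'\s*or\s*'1'\s*=\s*'1", re.I),
}
MAX_LAYERS = 5  # bound the decode loop so crafted input cannot force unbounded work

# Constructed samples: the page's first test string, percent-encoded once and twice.
PLAIN = "<script>alert(1)</script>"
ONCE = quote(PLAIN, safe="")
TWICE = quote(ONCE, safe="")


def match_signatures(text):
    """Names of all signatures that match the given text, sorted."""
    return sorted(name for name, rx in SIGNATURES.items() if rx.search(text))


def inspect_single_pass(value):
    """Weak filter: decodes the parameter value exactly once, then matches."""
    return match_signatures(unquote_plus(value))


def canonicalise(value, max_layers=MAX_LAYERS):
    """Decode percent-encoding until nothing changes; return (text, layers_removed)."""
    current, layers = value, 0
    while layers < max_layers:
        decoded = unquote_plus(current)
        if decoded == current:
            break
        current, layers = decoded, layers + 1
    return current, layers


def inspect_deep(value):
    """Hardened filter: match on the canonical form and flag layered encoding."""
    canonical, layers = canonicalise(value)
    hits = match_signatures(canonical)
    if layers > 1:
        # Legitimate clients encode a value once; more layers is itself suspicious.
        hits.append("multi-layer-encoding")
    if unquote_plus(canonical) != canonical:
        # Still decodable after MAX_LAYERS: refuse rather than inspect a partial form.
        hits.append("encoding-depth-exceeded")
    return {"canonical": canonical, "layers": layers, "hits": hits}


if __name__ == "__main__":
    for label, value in (("once", ONCE), ("twice", TWICE), ("benign", "John+Smith")):
        print(label, inspect_single_pass(value), inspect_deep(value)["hits"])
```
]]></preformat>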
      <p>The fifth test checked for SQL injection through a JSON request. The "username" field contained
a payload capable of initiating the deletion of the users table: "admin'; DROP TABLE users; --".</p>
      <p>If the request executed without errors, this indicated a serious vulnerability in JSON parameter
processing.</p>
      <p>The sixth request involved an LFI attack, where the "file" parameter was used to display a system
file (/etc/passwd).</p>
      <p>If successful, the expected result was either the file content displayed or a specific access error. If
the file was output, the system had a critical local file inclusion vulnerability.</p>
      <p>The seventh request tested an XSS attack with data exfiltration, where JavaScript was supposed
to send the user's cookies to an external server.</p>
      <p>If the browser executed the script and triggered the external request, it meant the WAF did not
block connections to third-party addresses via XSS.</p>
      <p>Overall, these requests allowed evaluation of the agent system’s bypass techniques, testing of
defensive mechanisms’ responses, and drawing conclusions about existing vulnerabilities in the web
application.</p>
      <p>Within the set goal, the system was tested for its ability to bypass WAF using various payload
mutation techniques.</p>
      <p>Three types of attacks were tested: character-encoded XSS, polymorphic SQLi, and split-XSS. The
results are presented in the table below (Table 2).</p>
      <sec id="sec-5-1">
        <title>The type of protection most frequently bypassed</title>
      </sec>
      <sec id="sec-5-2">
        <title>System response to payload mutations</title>
      </sec>
      <sec id="sec-5-3">
        <title>Value</title>
        <p>100
 60
 60%</p>
        <p>Split XSS
Polymorphic</p>
        <p>SQLi
Signature-based WAF</p>
      </sec>
      <sec id="sec-5-4">
        <title>Reduction of</title>
        <p>blocks</p>
        <p>Specifically, split-bypass methods for XSS demonstrated high effectiveness in bypassing
behavioral filters, whereas SQL injections were often blocked by heuristic WAF algorithms,
indicating the need for deeper optimization.</p>
        <p>Analysis of agent performance showed that the Recon-Agent successfully identified the WAF
type in 87% of cases, providing relevant input data for subsequent attacks.</p>
        <p>The Mutation-Agent generated over 150 payload variants, among which split-XSS achieved the
highest success rate (up to 80%).</p>
        <p>The Attack-Agent recorded server response codes and request processing times, allowing
tracking of the system's reaction to each mutation; the average response time ranged between 230
and 310 ms.</p>
        <p>The Learning-Agent proved to be a key component of adaptation: after several attack cycles, it
improved the accuracy of selecting effective payloads from 55% to 71%, demonstrating the system’s
ability for self-learning and strategy optimization.</p>
      </sec>
      <sec id="sec-5-5">
        <title>The effectiveness of the agents is shown in Table 3. The results presented in Table 3 confirm the feasibility of distributing functions among agents, as well as the effectiveness of their interaction in implementing automated and adaptive penetration testing of protected web applications.</title>
        <p>Each agent plays a distinct role in the overall attack process — from information gathering to
payload generation, delivery, and analysis — enabling the system to maintain a full attack cycle with
feedback and learning elements.</p>
        <p>To further evaluate the performance of the system in a dynamic and scalable environment, an
additional experiment was conducted to assess how the number of agents affects the overall
effectiveness of WAF bypass attempts.</p>
        <p>The goal was to examine whether increasing the number of cooperating agents leads to a
measurable improvement in penetration testing outcomes.
The findings are visualized in the graph below and analyzed in detail (Figure 3).</p>
        <p>The scalability experiment of the multi-agent system demonstrated a clear positive correlation
between the number of active agents and the number of successful bypasses of protection
mechanisms, particularly the Web Application Firewall (WAF). The graph illustrates the results of
10 testing series, where the number of concurrently operating agents ranged from 1 to 10.</p>
        <p>The results indicate that increasing the number of agents improves the system’s capability to
discover alternative attack vectors. With a single agent, the number of successful bypasses was
minimal (4 cases). As new agents were added, the overall effectiveness steadily improved, reaching
up to 28 successful bypasses at the 10-agent level. This can be explained by the parallel operation of
agents, each performing a specialized role (e.g., reconnaissance, mutation, attack execution, and
response analysis), which allowed the system to react more quickly to WAF rejections or blocks.</p>
        <p>However, beginning at approximately 7–8 agents, a saturation effect becomes evident: the growth
rate of successful attacks slows down. This suggests that the current system configuration
approaches its upper efficiency limit. Such an effect may be caused by overlapping agent operations
or system-level constraints (e.g., server request handling capacity or WAF throughput limitations).</p>
        <p>Overall, the results confirm that scaling a multi-agent system increases its performance in
automated penetration testing tasks, especially in the early stages of agent count expansion. This
supports the feasibility of employing distributed MAS architectures in real-world cybersecurity
environments.</p>
        <p>The experimental data show that the system demonstrates stable performance in security testing
tasks: the average success rate of attacks is approximately 60%. The highest effectiveness was
observed for XSS attacks using split techniques, which proved successful in bypassing both
signature-based and behavior-based WAF filters. This indicates the agents' ability to adapt and apply
unconventional payload strategies. At the same time, polymorphic SQL injections were blocked more
frequently, highlighting the need for further optimization of mutation techniques, particularly
through the use of time-based or blind SQLi methods.</p>
        <p>The system architecture, implemented on the JADE platform, combines automated scanning,
adaptive payload generation, parallel agent interaction, and real-time learning. The four main types
of agents — Recon-Agent, Mutation-Agent, Attack-Agent, and Learning-Agent — operate
autonomously but remain coordinated within a shared strategy. This enables the system to adapt to
changes in the defensive environment, reducing the risk of detection and providing flexibility in
attack tactics.</p>
        <p>Deploying agents across distributed nodes, including geographically separated locations, allows
the system to simulate realistic attack scenarios and avoid blocking based on IP or geolocation filters.
Moreover, the presence of a feedback loop between agents (especially between Attack-Agent and
Learning-Agent) ensures the progressive refinement of attack strategies based on the outcomes of
previous iterations.</p>
        <p>Thus, the proposed approach demonstrates the advantages of dynamic payload mutation,
distributed architecture, and agent self-learning capabilities. Future research will focus on
integrating machine learning algorithms to predict WAF behavior and generate more sophisticated,
context-aware attacks, thereby significantly enhancing the system’s effectiveness in real-time
environments.</p>
      </sec>
    </sec>
    <sec id="sec-6">
      <title>7. Comparative analysis</title>
      <p>To justify the feasibility of the proposed multi-agent system, a comparative analysis was conducted
against existing automated pentesting tools, including Burp Suite, SQLMap, and approaches based
on the SPADE platform.</p>
      <p>Burp Suite is a widely used commercial framework for web application security analysis, enabling
manual and semi-automated testing, including request interception, modification, and resubmission.
However, it lacks full support for distributed execution and real-time adaptive behavior toward
security systems, and it requires significant user involvement. Furthermore, many of its advanced
features are only available in the paid version, limiting its scalability for broad deployment.</p>
      <p>SQLMap is a highly specialized tool designed to detect and exploit SQL injection vulnerabilities.
It supports a wide range of obfuscation methods, automatic injection parameter detection, and partial
WAF evasion through various techniques. Nevertheless, SQLMap is focused exclusively on a single
class of attacks (SQLi) and does not provide inter-module interaction or support for multi-strategy
behavior.</p>
      <p>SPADE (Smart Python Agent Development Environment) is a platform for developing agents in
Python that enables the creation of autonomous action scenarios. However, SPADE demonstrates
limited flexibility when scaled or deployed in heterogeneous environments, and it lacks full agent
mobility. Moreover, it does not offer comprehensive support for FIPA protocols, which complicates
the development of adaptive and dynamically interacting systems.</p>
      <p>The proposed system, based on JADE, stands out by combining several key functional advantages:
support for distributed interaction between agents, the ability to operate autonomously across
different nodes, adaptation to defense system responses, dynamic payload generation, and learning
from attack results. This makes the system not only a scanning tool but also an intelligent mechanism
for discovering evasion strategies in actively protected environments (WAF, IDS/IPS).</p>
      <p>Table 4 presents a summarized comparison of the functionality of the mentioned approaches.</p>
      <p>The comparison results indicate that the proposed JADE-based multi-agent system offers a
number of advantages that ensure its effectiveness as a tool for adaptive and scalable penetration
testing under modern cybersecurity challenges. Its distributed nature, learning capabilities, support
for multiple attack classes, and open architecture provide a solid foundation for further integration
of the system into real-world corporate environments.</p>
      <sec id="sec-6-1">
        <title>The key advantages of the system were found to be:</title>
        <p>• Parallel execution – agents operated independently, allowing simultaneous information
gathering, attack generation, and learning;</p>
        <p>• Adaptability – agents adjusted their strategies in response to WAF reactions, demonstrating
features of machine learning;</p>
        <p>• Distributed deployment – placing agents on different nodes helped reduce the risk of
IP-based blocking and increased the amount of collected data;</p>
        <p>• Coordinated interaction – the system's architecture ensured efficient data exchange between
agents with minimal latency, enabled by the use of FIPA-compliant protocols provided by
the JADE platform.</p>
      </sec>
    </sec>
    <sec id="sec-7">
      <title>8. Integration aspects and system development plans</title>
      <p>The proposed solution is based on a modular architecture that enables gradual scaling of the number
of agents, with the possibility of centralized monitoring of their status. Although JADE is built in
Java, the interaction interfaces between agents are implemented as REST endpoints and ACL
messages, which opens the possibility for integration with Python scripts or external pentesting tools
such as SQLMap, wfuzz, or ZAP.</p>
      <p>To facilitate the system’s deployment in practical security environments, a simplified launch
mode is provided through Docker containers with preconfigured JADE containers and configuration
profiles, minimizing user workload and reducing deployment time. Future plans include the
development of a web interface for managing agents and visualizing results.</p>
      <p>Regarding attack types, the system currently focuses on XSS and SQLi, as they are common and
representative vectors that are sensitive to filtering. However, the system’s architecture is designed
to support the extension of payload types. Future versions are planned to include support for SSRF
attacks and heuristic testing for business logic flaws. For this purpose, the Mutation-Agent will be
extended with templates for atypical requests, while the Learning-Agent will incorporate a response
classification subsystem based not only on HTTP status codes but also on content analysis.</p>
      <p>Another important aspect is that real-time adaptation to WAF rule changes indeed requires
computational resources. To reduce the number of false positives or negatives, a prioritization
mechanism has been implemented that ranks payloads based on their historical effectiveness.
Additionally, attack attempts are buffered and analyzed based on server response time, with noisy
or non-informative payloads filtered out. This helps reduce the frequency of low-value requests.</p>
      <p>As a promising direction, the use of incremental learning in the Learning-Agent is being
considered to dynamically refine effective patterns without requiring full model retraining.
Furthermore, integration with popular CI/CD or DevSecOps platforms will enable the automation of
pentesting as part of the continuous integration pipeline.</p>
    </sec>
    <sec id="sec-8">
      <title>9. Conclusions</title>
      <p>As a result of the conducted research, a distributed multi-agent system for automated web
application security testing was implemented. The proposed solution is based on the JADE platform
and integrates the functionality of several types of agents (Recon, Mutation, Attack, Learning), which
interact autonomously in real time. A closed learning loop between the agents was established,
where the effectiveness of attacks is used to dynamically update the payload mutation strategy,
enabling the system to adapt to the behavior of WAF/IDS in real time. This approach provides
parallel request processing, adaptation to protective mechanisms, and learning capability based on
obtained results.</p>
      <p>The system demonstrated stable performance in penetration testing tasks: the average attack
success rate was approximately 60%, with the best results achieved for split-XSS. Polymorphic SQL
injections proved less effective due to countermeasures from heuristic WAF filters. The distributed
operation of agents reduced the risk of IP blocking and increased the system’s overall resilience to
detection.</p>
      <p>Comparative analysis confirmed the advantages of the proposed system over traditional tools
(Burp Suite, SQLMap) and agent-based platforms built on SPADE. Key differentiators include
dynamic adaptation to defenses, distributed architecture, openness, and support for multiple attack
classes.</p>
      <p>Unlike previously described platforms, the proposed system demonstrates the ability to scale and
process requests in a distributed environment with support for various attack types, including XSS
(notably split-XSS) and polymorphic SQLi, with prospects for extension to SSRF and logic
vulnerabilities.</p>
      <p>Heuristic analysis and request obfuscation tools integrated into the system proved effective in
realistic tests—the average success rate of attacks reached 60%, and up to 80% for split-XSS.</p>
      <p>At the same time, results indicate the need for further improvement in supporting time-based
SQLi, blind-XSS, and optimizing performance when processing large volumes of requests. The
proposed system features a modular architecture and open interfaces, ensuring efficient integration
with diverse external tools and platforms. The use of REST endpoints and support for Docker
containerization simplify deployment and scaling in practical environments.</p>
      <p>Future work envisions integrating machine learning algorithms to predict WAF responses and
generate more complex payloads. The developed system can be utilized both for research purposes
and as a foundation for practical cybersecurity solutions.</p>
    </sec>
    <sec id="sec-9">
      <title>Acknowledgements</title>
      <p>We express our gratitude to all members of the group who diligently and persistently conducted this
research. Special thanks are extended to Professor Y. Dorogyy and PhD candidate V. Kravchuk for
their significant contributions to prior studies. We also convey our appreciation to the teams of the
Departments of Information Security Management and Applied Mathematics and Computer Science,
as well as to the postgraduate and master’s students whose ideas greatly contributed to the
modernization of the research and its integration into the educational process, and we hope the
research will be further developed in their future scientific work.</p>
    </sec>
    <sec id="sec-10">
      <title>Declaration on Generative AI</title>
      <p>During the preparation of this work, the authors used generative AI tools, following the activity
taxonomy in ceur-ws.org/genai-tax.html, to improve grammar and spelling and to enhance the visual
quality of Figure 1. After using these tools and services, the authors thoroughly reviewed and edited
all AI-assisted content, ensured its accuracy, and presented it in their own words. The authors are
fully responsible for the final content of the publication.</p>
    </sec>
  </body>
  <back>
    <ref-list>
      <ref id="ref1">
        <mixed-citation>
          [1]
          <string-name>
            <surname>Valentina</surname>
            ,
            <given-names>A.</given-names>
          </string-name>
          ,
          <string-name>
            <surname>Vishwashri</surname>
            ,
            <given-names>R.</given-names>
          </string-name>
          , and
          <string-name>
            <given-names>S.</given-names>
            <surname>Rajadurai</surname>
          </string-name>
          , “
          <article-title>Finding Vulnerability in Web Application by using Pentesting,”</article-title>
          <source>Int. J. Multidiscip. Res.</source>
          ,
          <year>2024</year>
          . doi: 10.36948/ijfmr.2024.v06i04.24517.
        </mixed-citation>
      </ref>
      <ref id="ref2">
        <mixed-citation>
          [2]
          <string-name>
            <given-names>M.</given-names>
            <surname>Olivares-Naya</surname>
          </string-name>
          , J. C. de Gracia, and A. Sánchez-Macián, “
          <article-title>Adding web pentesting functionality to PTHelper</article-title>
          ,” ArXiv
          , vol.
          <source>abs/2410.12422</source>
          ,
          <year>2024</year>
          . URL:https://api.semanticscholar.org/CorpusID:273375081
        </mixed-citation>
      </ref>
      <ref id="ref3">
        <mixed-citation>
          [3]
          <string-name>
            <given-names>L.</given-names>
            <surname>De Lima</surname>
          </string-name>
          ,
          <string-name>
            <given-names>M.</given-names>
            <surname>Horstmann</surname>
          </string-name>
          ,
          <string-name>
            <given-names>D.</given-names>
            <surname>Neto</surname>
          </string-name>
          ,
          <string-name>
            <given-names>A.</given-names>
            <surname>Grégio</surname>
          </string-name>
          ,
          <string-name>
            <given-names>F.</given-names>
            <surname>Silva</surname>
          </string-name>
          , and L. Peres, “
          <source>On the Challenges of Automated Testing of Web Vulnerabilities,” in 2020 IEEE 29th Int. Conf. Enabling Technol. Infrastruct. Collaborative Enterprises (WETICE)</source>
          ,
          <year>2020</year>
          , pp.
          <fpage>203</fpage>
          -
          <lpage>206</lpage>
          . doi: 10.1109/WETICE49692.2020.00047.
        </mixed-citation>
      </ref>
      <ref id="ref4">
        <mixed-citation>
          [4]
          <string-name>
            <given-names>Y.</given-names>
            <surname>Wijaya</surname>
          </string-name>
          , “
          <article-title>Web-Based Dashboard for Monitoring Penetration Testing Activities Based on OWASP Standards,”</article-title>
          <source>J. Ilm. Tek. Elektro Komput. Inform.</source>
          ,
          <year>2020</year>
          . doi: 10.26555/jiteki.v16i1.17019.
        </mixed-citation>
      </ref>
      <ref id="ref5">
        <mixed-citation>
          <article-title>[5] "Burp Suite," PortSwigger</article-title>
          , URL: https://surl.gd/kteluz.
        </mixed-citation>
      </ref>
      <ref id="ref6">
        <mixed-citation>
          [6]
          <string-name>
            <surname>B</surname>
            ,
            <given-names>S.</given-names>
          </string-name>
          , NRK,
          <string-name>
            <surname>S.</surname>
          </string-name>
          , J,
          <string-name>
            <surname>T.</surname>
          </string-name>
          , &amp; S,
          <string-name>
            <surname>S.</surname>
          </string-name>
          (
          <year>2024</year>
          ).
          <article-title>A Comparative Analysis of Vulnerability Management Tools: Evaluating Nessus, Acunetix, and Nikto for Risk Based Security Solutions</article-title>
          . arXiv. URL: https://doi.org/10.48550/arXiv.2411.19123
        </mixed-citation>
      </ref>
      <ref id="ref7">
        <mixed-citation>
          [7]
          <string-name>
            <given-names>K.</given-names>
            <surname>Vimala</surname>
          </string-name>
          and
          <string-name>
            <given-names>S.</given-names>
            <surname>Fugkeaw</surname>
          </string-name>
          , “
          <article-title>VAPE-BRIDGE: Bridging OpenVAS Results for Automating Metasploit Framework</article-title>
          ,” in
          <source>2022 14th Int. Conf. Knowl. Smart Technol</source>
          .
          <source>(KST)</source>
          ,
          <year>2022</year>
          , pp.
          <fpage>69</fpage>
          -
          <lpage>74</lpage>
          . doi: 10.1109/KST53302.2022.9729085.
        </mixed-citation>
      </ref>
      <ref id="ref8">
        <mixed-citation>
          [8]
          <string-name>
            <given-names>K.</given-names>
            <surname>Kravari</surname>
          </string-name>
          and
          <string-name>
            <given-names>N.</given-names>
            <surname>Bassiliades</surname>
          </string-name>
          ,
          <article-title>"A survey of agent platforms,"</article-title>
          <source>J. Artif. Soc. Soc. Simul.</source>
          , vol.
          <volume>18</volume>
          ,
          <year>2015</year>
          . doi: 10.18564/jasss.2661
        </mixed-citation>
      </ref>
      <ref id="ref9">
        <mixed-citation>
          [9]
          <string-name>
            <given-names>N.</given-names>
            <surname>Gilbert</surname>
          </string-name>
          and
          <string-name>
            <given-names>S.</given-names>
            <surname>Bankes</surname>
          </string-name>
          ,
          <article-title>"Platforms and methods for agent-based modeling,"</article-title>
          <source>Proc. Natl. Acad. Sci. U. S. A.</source>
          , vol.
          <volume>99</volume>
          , pp.
          <fpage>7197</fpage>
          -
          <lpage>7198</lpage>
          , May
          <year>2002</year>
          . doi: 10.1073/PNAS.072079499.
        </mixed-citation>
      </ref>
      <ref id="ref10">
        <mixed-citation>
          [10]
          <string-name>
            <given-names>S.</given-names>
            <surname>Railsback</surname>
          </string-name>
          ,
          <string-name>
            <given-names>S.</given-names>
            <surname>Lytinen</surname>
          </string-name>
          , and
          <string-name>
            <given-names>S.</given-names>
            <surname>Jackson</surname>
          </string-name>
          ,
          <article-title>"Agent-based simulation platforms: Review and development recommendations,"</article-title>
          <source>Simulation</source>
          , vol.
          <volume>82</volume>
          , pp.
          <fpage>609</fpage>
          -
          <lpage>623</lpage>
          , Sep.
          <year>2006</year>
          . doi: 10.1177/0037549706073695.
        </mixed-citation>
      </ref>
      <ref id="ref11">
        <mixed-citation>
          [11]
          <string-name>
            <given-names>C.-V.</given-names>
            <surname>Pal</surname>
          </string-name>
          ,
          <string-name>
            <given-names>F.</given-names>
            <surname>Leon</surname>
          </string-name>
          ,
          <string-name>
            <given-names>M.</given-names>
            <surname>Paprzycki</surname>
          </string-name>
          , and
          <string-name>
            <given-names>M.</given-names>
            <surname>Ganzha</surname>
          </string-name>
          ,
          <article-title>"A review of platforms for the development of agent systems,"</article-title>
          <source>Inf.</source>
          , vol.
          <volume>14</volume>
          , p.
          <fpage>348</fpage>
          ,
          Jul.
          <year>2020</year>
          . DOI: 10.3390/info14060348
        </mixed-citation>
      </ref>
      <ref id="ref12">
        <mixed-citation>
          [12]
          <string-name>
            <given-names>E.</given-names>
            <surname>Gonçalves</surname>
          </string-name>
          ,
          <string-name>
            <given-names>M.</given-names>
            <surname>Cortés</surname>
          </string-name>
          , G. Campos,
          <string-name>
            <given-names>Y. S.</given-names>
            <surname>Lopes</surname>
          </string-name>
          ,
          <string-name>
            <given-names>E.</given-names>
            <surname>Freire</surname>
          </string-name>
          ,
          <string-name>
            <given-names>V.</given-names>
            <surname>Silva</surname>
          </string-name>
          ,
          <string-name>
            <given-names>K.</given-names>
            <surname>Oliveira</surname>
          </string-name>
          , and
          <string-name>
            <surname>M. A. De Oliveira</surname>
          </string-name>
          ,
          <article-title>"MAS-ML 2.0: Supporting the modelling of multi-agent systems with different agent architectures,"</article-title>
          <source>Journal of Systems and Software</source>
          , vol.
          <volume>108</volume>
          , pp.
          <fpage>77</fpage>
          -
          <lpage>109</lpage>
          , Oct.
          <year>2015</year>
          . doi: 10.1016/j.jss.2015.06.008.
        </mixed-citation>
      </ref>
      <ref id="ref13">
        <mixed-citation>
          [13]
          <string-name>
            <given-names>P.</given-names>
            <surname>Vrba</surname>
          </string-name>
          ,
          <article-title>"JAVA-based agent platform evaluation,"</article-title>
          Sep.
          <year>2003</year>
          , pp.
          <fpage>47</fpage>
          -
          <lpage>58</lpage>
          . doi: 10.1007/978-3-540-45185-3_5.
        </mixed-citation>
      </ref>
      <ref id="ref14">
        <mixed-citation>
          [14]
          <string-name>
            <given-names>M.</given-names>
            <surname>Ahmed</surname>
          </string-name>
          ,
          <string-name>
            <given-names>O.</given-names>
            <surname>Kazar</surname>
          </string-name>
          , and
          <string-name>
            <given-names>S.</given-names>
            <surname>Harous</surname>
          </string-name>
          ,
          <article-title>"Cyber-physical system model based on multi-agent system,"</article-title>
          <source>IET Cyber-Physical Systems: Theory &amp; Applications</source>
          , Jun.
          <year>2024</year>
          . doi: 10.1049/cps2.12096.
        </mixed-citation>
      </ref>
      <ref id="ref15">
        <mixed-citation>
          [15]
          <string-name>
            <given-names>R.</given-names>
            <surname>Cavalcante</surname>
          </string-name>
          ,
          <string-name>
            <surname>I. Bittencourt</surname>
          </string-name>
          ,
          <string-name>
            <given-names>A.</given-names>
            <surname>Silva</surname>
          </string-name>
          ,
          <string-name>
            <given-names>M.</given-names>
            <surname>Silva</surname>
          </string-name>
          , E. Costa, and
          <string-name>
            <given-names>R.</given-names>
            <surname>Santos</surname>
          </string-name>
          ,
          <article-title>"A survey of security in multi-agent systems,"</article-title>
          <source>Expert Systems with Applications</source>
          , vol.
          <volume>39</volume>
          , p
        </mixed-citation>
      </ref>
      <ref id="ref16">
        <mixed-citation>
          [16]
          <string-name>
            <given-names>K.</given-names>
            <surname>Pan</surname>
          </string-name>
          ,
          <string-name>
            <given-names>Y.</given-names>
            <surname>Lyu</surname>
          </string-name>
          , and
          <string-name>
            <given-names>Q.</given-names>
            <surname>Pan</surname>
          </string-name>
          ,
          <article-title>"Adaptive formation for multiagent systems subject to denial-of-service attacks,"</article-title>
          <source>IEEE Transactions on Circuits and Systems I: Regular Papers</source>
          , vol.
          <volume>69</volume>
          , pp.
          <fpage>3391</fpage>
          -
          <lpage>3401</lpage>
          , Aug.
          <year>2022</year>
          . doi: 10.1109/TCSI.2022.3168163.
        </mixed-citation>
      </ref>
      <ref id="ref17">
        <mixed-citation>
          [17]
          <string-name>
            <given-names>X.</given-names>
            <surname>Yang</surname>
          </string-name>
          ,
          <string-name>
            <given-names>L.</given-names>
            <surname>Yang</surname>
          </string-name>
          ,
          <string-name>
            <given-names>L.</given-names>
            <surname>Dong</surname>
          </string-name>
          ,
          <string-name>
            <given-names>W.-H.</given-names>
            <surname>Jin</surname>
          </string-name>
          ,
          <string-name>
            <given-names>M.</given-names>
            <surname>Zhang</surname>
          </string-name>
          ,
          <string-name>
            <given-names>F.</given-names>
            <surname>Yang</surname>
          </string-name>
          , and
          <string-name>
            <given-names>Y.</given-names>
            <surname>Lin</surname>
          </string-name>
          ,
          <article-title>"Consensus tracking control for uncertain non-strict feedback multi-agent system under cyber-attack via resilient neuroadaptive approach,"</article-title>
          <source>International Journal of Robust and Nonlinear Control</source>
          , vol.
          <volume>32</volume>
          , pp.
          <fpage>4251</fpage>
          -
          <lpage>4280</lpage>
          , Feb.
          <year>2022</year>
          . doi: 10.1002/rnc.6035.
        </mixed-citation>
      </ref>
      <ref id="ref18">
        <mixed-citation>
          [18]
          <string-name>
            <given-names>A.</given-names>
            <surname>Dorri</surname>
          </string-name>
          ,
          <string-name>
            <given-names>S.</given-names>
            <surname>Kanhere</surname>
          </string-name>
          , and
          <string-name>
            <given-names>R.</given-names>
            <surname>Jurdak</surname>
          </string-name>
          ,
          <article-title>"Multi-agent systems: A survey,"</article-title>
          <source>IEEE Access</source>
          , vol.
          <volume>6</volume>
          , pp.
          <fpage>28573</fpage>
          -
          <lpage>28593</lpage>
          , Apr.
          <year>2018</year>
          . doi: 10.1109/ACCESS.2018.2831228
        </mixed-citation>
      </ref>
      <ref id="ref19">
        <mixed-citation>
          [19]
          <string-name>
            <given-names>L.</given-names>
            <surname>De Lima</surname>
          </string-name>
          ,
          <string-name>
            <given-names>M.</given-names>
            <surname>Horstmann</surname>
          </string-name>
          ,
          <string-name>
            <given-names>D.</given-names>
            <surname>Neto</surname>
          </string-name>
          ,
          <string-name>
            <given-names>A.</given-names>
            <surname>Grégio</surname>
          </string-name>
          ,
          <string-name>
            <given-names>F.</given-names>
            <surname>Silva</surname>
          </string-name>
          , and L. Peres, “
          <source>On the Challenges of Automated Testing of Web Vulnerabilities,” in 2020 IEEE 29th Int. Conf. Enabling Technol. Infrastruct. Collaborative Enterprises (WETICE),</source>
        </mixed-citation>
      </ref>
      <ref id="ref20">
        <mixed-citation>
          [20]
          <string-name>
            <given-names>B.</given-names>
            <surname>Isiker</surname>
          </string-name>
          and
          <string-name>
            <surname>I. Sogukpinar</surname>
          </string-name>
          , “
          <article-title>Machine learning based web application firewall,”</article-title>
          in
          <source>Proc. 2nd Int. Informatics and Software Eng. Conf. (IISEC)</source>
          ,
          <year>2021</year>
          . doi: 10.1109/IISEC54230.2021.9672335
        </mixed-citation>
      </ref>
      <ref id="ref21">
        <mixed-citation>
          [21]
          <string-name>
            <given-names>S.</given-names>
            <surname>Applebaum</surname>
          </string-name>
          ,
          <string-name>
            <given-names>T.</given-names>
            <surname>Gaber</surname>
          </string-name>
          , and A. AhmedAli, “
          <article-title>Signature-based and machine-learning-based web application firewalls: A short survey</article-title>
          ,”
          <source>Procedia Comput. Sci.</source>
          , vol.
          <volume>189</volume>
          , pp.
          <fpage>359</fpage>
          -
          <lpage>367</lpage>
          ,
          <year>2021</year>
          . doi: 10.1016/j.procs.2021.05.105
        </mixed-citation>
      </ref>
      <ref id="ref22">
        <mixed-citation>
          [22]
          <string-name>
            <given-names>P.</given-names>
            <surname>Shahrivar</surname>
          </string-name>
          , “
          <article-title>Detection of vulnerability scanning attacks using machine learning</article-title>
          ,” Master's thesis
          ,
          <source>KTH Royal Inst. of Technology</source>
          ,
          <year>2022</year>
          .
        </mixed-citation>
      </ref>
      <ref id="ref23">
        <mixed-citation>
          [23]
          <string-name>
            <given-names>J.-Á.</given-names>
            <surname>Román-Gallego</surname>
          </string-name>
          ,
          <string-name>
            <given-names>M.-L.</given-names>
            <surname>Pérez-Delgado</surname>
          </string-name>
          ,
          <string-name>
            <given-names>M.</given-names>
            <surname>Luengo Viñuela</surname>
          </string-name>
          , and
          <string-name>
            <given-names>M.-C.</given-names>
            <surname>Vega-Hernández</surname>
          </string-name>
          , “
          <article-title>Artificial Intelligence Web Application Firewall for advanced detection of web injection attacks</article-title>
          ,” Expert Syst., e13505,
          <year>2024</year>
          . doi: 10.1111/exsy.13505
        </mixed-citation>
      </ref>
      <ref id="ref24">
        <mixed-citation>
          [24]
          <string-name>
            <given-names>A.</given-names>
            <surname>Valenza</surname>
          </string-name>
          ,
          <string-name>
            <given-names>L.</given-names>
            <surname>Demetrio</surname>
          </string-name>
          , G. Costa, and G. Lagorio, “
          <article-title>WAF-A-MoLE: An adversarial tool for assessing ML-based WAFs</article-title>
          ,” SoftwareX, vol.
          <volume>11</volume>
          ,
          <year>2020</year>
          . doi: 10.1016/j.softx.2020.100367
        </mixed-citation>
      </ref>
      <ref id="ref25">
        <mixed-citation>
          [25] HackYourMom, “
          <article-title>Dangerous injections: Methods of bypassing protection using SQLMap,”</article-title>
          URL: https://hackyourmom.com/kibervijna/nebezpechni-inyekcziyi-metody-obhodu-zahystuza-dopomogoyu-sqlmap/
        </mixed-citation>
      </ref>
      <ref id="ref26">
        <mixed-citation>
          [26]
          <string-name>
            <given-names>A.</given-names>
            <surname>Doupé</surname>
          </string-name>
          ,
          <string-name>
            <given-names>M.</given-names>
            <surname>Cova</surname>
          </string-name>
          , and G. Vigna, “
          <article-title>Why Johnny Can't Pentest: An Analysis of Black-Box Web Vulnerability Scanners</article-title>
          ,”
          <year>2010</year>
          , pp.
          <fpage>111</fpage>
          -
          <lpage>131</lpage>
          . doi:
          <volume>10</volume>
          .1007/978-3-
          <fpage>642</fpage>
          -14215-
          <issue>4</issue>
          _
          <fpage>7</fpage>
          .
        </mixed-citation>
      </ref>
      <ref id="ref27">
        <mixed-citation>
          [27]
          <string-name>
            <given-names>K.</given-names>
            <surname>Vimala</surname>
          </string-name>
          and
          <string-name>
            <given-names>S.</given-names>
            <surname>Fugkeaw</surname>
          </string-name>
          , “
          <article-title>VAPE-BRIDGE: Bridging OpenVAS Results for Automating Metasploit Framework</article-title>
          ,” in
          <source>2022 14th Int. Conf. Knowl. Smart Technol. (KST)</source>
          ,
          <year>2022</year>
          , pp.
          <fpage>69</fpage>
          -
          <lpage>74</lpage>
          . doi: 10.1109/KST53302.2022.9729085.
        </mixed-citation>
      </ref>
      <ref id="ref28">
        <mixed-citation>
          [28]
          <string-name>
            <given-names>M.</given-names>
            <surname>Albahar</surname>
          </string-name>
          ,
          <string-name>
            <given-names>D.</given-names>
            <surname>Alansari</surname>
          </string-name>
          ,
          and
          <string-name>
            <given-names>A.</given-names>
            <surname>Jurcut</surname>
          </string-name>
          , “
          <article-title>An Empirical Comparison of Pen-Testing Tools for Detecting Web App Vulnerabilities</article-title>
          ,”
          <source>Electronics</source>
          ,
          <year>2022</year>
          . doi: 10.3390/electronics11192991.
        </mixed-citation>
      </ref>
      <ref id="ref29">
        <mixed-citation>
          [29]
          <string-name>
            <given-names>V.</given-names>
            <surname>Kravchuk</surname>
          </string-name>
          ,
          <string-name>
            <given-names>N.</given-names>
            <surname>Maslova</surname>
          </string-name>
          ,
          and
          <string-name>
            <given-names>I.</given-names>
            <surname>Dorohyi</surname>
          </string-name>
          , “
          <article-title>Automated XSS vulnerability detection in web applications based on a multi-agent approach</article-title>
          ,”
          <source>Scientific Papers of Donetsk National Technical University. Series: “Computer Engineering and Automation”</source>
          , vol.
          <volume>3</volume>
          , no.
          <issue>4(36)</issue>
          , pp.
          <fpage>19</fpage>
          -
          <lpage>30</lpage>
          ,
          <year>2025</year>
          . https://doi.org/10.31474/2786-9024/v3i4(36).324435.
        </mixed-citation>
      </ref>
    </ref-list>
  </back>
</article>