Traditional penetration testing has a coverage problem. A typical web application assessment covers somewhere between 20 and 40 per cent of an application's actual attack surface. Human testers make judgment calls about where to focus — and those calls are necessarily informed by time, scope, and prior experience. The endpoints and parameters that fall outside that window go untested.
That coverage gap is where Korrosiv.AI was built to operate.
Korrosiv.AI is SALTT Technologies' in-house AI-native penetration testing engine, purpose-built for web applications and APIs. It is not a scanner. It does not run predefined checklists against known CVEs. It operates the way a skilled adversary does — by observing application behaviour, forming hypotheses about the underlying logic, and adapting its approach based on what it finds.
Where a human tester samples a representative set of endpoints and parameters, Korrosiv.AI analyses every response across the full application surface. Where a traditional scanner fires static payloads and looks for known signatures, Korrosiv.AI generates context-aware payloads in real time and chains findings across the attack surface to understand how individual vulnerabilities interact.
Consider a mid-sized web application with 300 distinct endpoints, each accepting multiple parameters. A five-day engagement gives an experienced tester roughly 40 hours of active testing time. Even moving efficiently, meaningful manual coverage of 300 endpoints — including all parameter combinations, state variations, and multi-step workflows — is not achievable in that window.
The tester will cover the highest-risk areas well. But the business logic flaw sitting in a low-traffic administrative endpoint? The IDOR vulnerability in an API route that only becomes exploitable in a specific authenticated state? These are exactly the class of finding that falls outside the sampling window — and exactly the class of finding that attackers actively hunt for.
Korrosiv.AI does not replace the human tester's judgement on high-complexity, high-context findings. It eliminates the coverage gap that makes those findings possible to miss.
Korrosiv.AI operates as an integrated component of SALTT Technologies' penetration testing engagements, not as a standalone product. The workflow is straightforward:
For organisations procuring penetration testing services, the practical implication is higher confidence in coverage. A Korrosiv.AI-augmented engagement does not just tell you about the vulnerabilities found — it gives you higher assurance about the parts of the application where nothing was found, because the surface area examined is materially larger than a human-only assessment would cover.
For applications where compliance drives testing cadence — PCI DSS, ISO 27001, APRA CPS 234, SOC 2 — this matters. An annual pen test that covers 25 per cent of your application is not the same risk statement as one that covers 90 per cent. Korrosiv.AI changes that equation.
Korrosiv.AI's current capabilities are focused on web applications and APIs — the highest-density attack surfaces for most Australian organisations. Specific application types where the coverage benefit is most pronounced include:
SALTT Technologies' position on AI in security testing is deliberate: the technology augments practitioner capability, it does not replace it. Korrosiv.AI handles coverage breadth and pattern detection at machine speed. SALTT's consultants handle the contextual reasoning, business logic analysis, and adversarial creativity that machines cannot replicate.
The result is an engagement where human expertise is deployed on the highest-value problems, not spent on exhaustive manual enumeration of application surface area.
If you are planning a web application or API penetration test and want to understand what a Korrosiv.AI-augmented engagement looks like for your environment, speak to our technical testing team.