
www.rsisinternational.org
INTERNATIONAL JOURNAL OF LATEST TECHNOLOGY IN ENGINEERING,
MANAGEMENT & APPLIED SCIENCE (IJLTEMAS)
ISSN 2278-2540 | DOI: 10.51583/IJLTEMAS | Volume XV, Issue V, May 2026
Penetration Testing for Websites using LLM
Dr. Vilas S. Gaikwad
1
, Soham Deshmukh
4
, Mohanish Kulkarni
2
, Pallavi Akolkar
3
,
Jayam
Mehta
5
1
Dept. of Information Technology Trinity College of Engineering and Research
4
Dept. of Information Technology Trinity College of Engineering and Research
2
Dept. of Information Technology Trinity College of Engineering and Research
3,5
Dept. of Information Technology Trinity College of Engineering and Research
DOI:
https://doi.org/10.51583/IJLTEMAS.2026.150500244
Received: 27 May 2026; Accepted: 01 June 2026; Published: 22 June 2026
ABSTRACT
Despite growing interest in applying Large Lan-guage Models (LLMs) to security assessment, existing prototype
systems rarely provide controlled benchmarks, reproducible ar-tifacts, significance testing, or structured human
evaluation. We introduce a reproducible, safety-bounded LLM-augmented web assessment framework that
layers an LLM reasoning module atop conventional scanners to perform context-aware triage, con-strained
payload proposal, evidence-grounded response analysis, false-alarm suppression, and actionable fix guidance.
Empirical evaluation across WebGoat v2023.4, DVWA v1.9, bWAPP v2.2, and five authorized staging replicas
of disclosed targets — spanning 1,247 endpoints and 462 labeled ground-truth flaws shows that the proposed
approach raises micro-averaged F1 from 0.58 to 0.82 over scanner-only baselines, lowers the false-alarm rate
from 23.4% to 7.2% (McNemar p<0.001), and shortens analyst review time by 43%, from 47 to 27 minutes per
engagement (Wilcoxon p=0.008). Over 2,500 test executions, the safety layer blocked every destructive
candidate payload with zero unsafe executions. A structured 10-person evaluation with five security practitioners
and five application developers con-firmed statistically significant improvements in comprehension speed,
report clarity, and remediation actionability (p<0.01).
Index Terms: Large Language Models, web penetration test-ing, vulnerability assessment, OWASP, CWE,
reproducibility, statistical evaluation
INTRODUCTION
Web applications present a persistently wide attack surface, coupling server-side business logic with client-side
scripting, authentication subsystems, REST and GraphQL APIs, file-handling endpoints, database layers, and
third-party depen-dencies. Expert-led security assessments remain thorough but expensive and slow; automated
scanners extend coverage at speed yet generate findings that are context-free and often noisy. This work
investigates whether LLMs can serve as a practical reasoning intermediary — improving triage and reporting
without acting as an unconstrained autonomous agent.
The system described here positions deterministic scanning tools as evidence collectors and delegates five
bounded cog-nitive tasks to an LLM: prioritizing candidate findings by context, proposing constrained test
payloads, interpreting tool responses, suppressing false alarms, and generating structured fix guidance.
Evaluation proceeds against labeled ground truth with paired statistical comparison against both a scanner-only
baseline and PentestGPT.
Primary contributions include:
1)
A fully reproducible LLM-augmented web security assess-ment architecture featuring local model
inference, rule-based safety filters, and schema-validated JSON outputs.