Penetration Testing for Websites using LLM

Article Sidebar

Main Article Content

Dr. Vilas S. Gaikwad
Soham Deshmukh
Mohanish Kulkarni
Pallavi Akolkar
Jayam Mehta

Despite growing interest in applying Large Lan-guage Models (LLMs) to security assessment, existing prototype systems rarely provide controlled benchmarks, reproducible ar-tifacts, significance testing, or structured human evaluation. We introduce a reproducible, safety-bounded LLM-augmented web assessment framework that layers an LLM reasoning module atop conventional scanners to perform context-aware triage, con-strained payload proposal, evidence-grounded response analysis, false-alarm suppression, and actionable fix guidance. Empirical evaluation across WebGoat v2023.4, DVWA v1.9, bWAPP v2.2, and five authorized staging replicas of disclosed targets — spanning 1,247 endpoints and 462 labeled ground-truth flaws shows that the proposed approach raises micro-averaged F1 from 0.58 to 0.82 over scanner-only baselines, lowers the false-alarm rate from 23.4% to 7.2% (McNemar p<0.001), and shortens analyst review time by 43%, from 47 to 27 minutes per engagement (Wilcoxon p=0.008). Over 2,500 test executions, the safety layer blocked every destructive candidate payload with zero unsafe executions. A structured 10-person evaluation with five security practitioners and five application developers con-firmed statistically significant improvements in comprehension speed, report clarity, and remediation actionability (p<0.01).

Penetration Testing for Websites using LLM. (2026). International Journal of Latest Technology in Engineering Management & Applied Science, 15(5), 3014-3026. https://doi.org/10.51583/IJLTEMAS.2026.150500244

Downloads

References

G. Bacudio, X. Yuan, B. T. B. Chu, and M. Jones, “An overview of penetration testing,” Int. J. Netw. Secur. Its Appl., vol. 3, no. 6, pp. 19–38, 2011.

S. Chaudhary, A. O’Brien, and S. Xu, “Automated post-breach penetra-tion testing through reinforcement learning,” 2020.

D. N. Raikar and S. Joshi, “A comprehensive literature review of artificial intelligent practices in the field of penetration testing,” in Intelligent Systems and Applications. Springer, 2023, pp. 75–85.

Z. Zhang, H. Al Hamadi, E. Damiani, C. Y. Yeun, and F. Taher, “Explainable artificial intelligence applications in cyber security: State-of-the-art in research,” IEEE Access, vol. 10, pp. 94123–94159, 2022.

OWASP Foundation, “OWASP Top 10: The ten most critical web application security risks,” 2021.

MITRE, “Common Weakness Enumeration (CWE),” 2024.

sqlmap Development Team, “sqlmap: Automatic SQL injection and database takeover tool.”

N. Moustafa, B. Turnbull, and K. R. Choo, “Towards automation of vulnerability and exploitation identification in IIoT networks,” 2018.

F. Kamoun, F. Iqbal, M. A. Essgehir, and T. Baker, “AI and machine learning: A mixed blessing for cybersecurity,” 2020.

WebGoat, DVWA, and bWAPP project documentation.

G. Deng et al., “PentestGPT: Evaluating and harnessing large language models for automated penetration testing,” in Proc. 33rd USENIX Security Symp., pp. 847–864, 2024.

L. Gioacchini, M. Mellia, I. Drago, A. Delsanto, G. Siracusano, and R. Bifulco, “AutoPenBench: Benchmarking generative agents for penetra-tion testing,” arXiv:2410.03225, 2024.

Happe and J. Cito, “Getting pwn’d by AI: Penetration testing with large language models,” in Proc. ESEC/FSE 2023, pp. 2082–2086, 2023.

L. Derczynski, E. Galinkin, J. Martin, S. Majumdar, and N. Inie, “garak: A framework for security probing large language models,” 2024.

Article Details

How to Cite

Penetration Testing for Websites using LLM. (2026). International Journal of Latest Technology in Engineering Management & Applied Science, 15(5), 3014-3026. https://doi.org/10.51583/IJLTEMAS.2026.150500244