> For the complete documentation index, see [llms.txt](https://docs.akto.io/llms.txt). Markdown versions of documentation pages are available by appending `.md` to page URLs; this page is available as [Markdown](https://docs.akto.io/api-security-testing/concepts/smart-automated-testing.md).

# Smart Automated Testing

Smart Automated Testing is Akto's AI-powered testing mode where an intelligent agent takes over the execution of security tests. Rather than mechanically replaying pre-defined payloads, the agent reasons about each test, forms a plan, executes HTTP requests, observes the response, and refines its approach across multiple attempts — all to determine whether a vulnerability is real.

## How It Works

The agent follows a **Thinking → Plan → Action → Observation** loop (the same step names that appear in the execution trace), repeating until it either confirms a vulnerability or exhausts its attempts. Each iteration builds on what the previous one learned.

### Execution Loop

| Step                         | What Happens                                                                                                                                                                                                                                                     |
| ---------------------------- | ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
| **Thinking**                 | The agent reads the test scenario and baseline request, then reasons about what a successful exploit would look like — which parameters to change, what response signals matter (status code, body similarity, error messages).                                  |
| **Plan (Attempt N)**         | Before sending a request, the agent decides exactly what to change and why — e.g., swap the auth token with a different user's token, alter an object ID, or craft a malformed payload.                                                                          |
| **Action (Attempt N)**       | The agent sends the crafted HTTP request. The full request is logged: method, URL, headers, and body.                                                                                                                                                            |
| **Observation (Attempt N)**  | The agent reads the response — status code, body, headers — and judges whether it indicates a vulnerable or secure state. If the response is not conclusive, it adjusts and tries again.                                                                         |
| **Vulnerability Validation** | After all attempts, the agent checks the key indicators defined in the test scenario — e.g., HTTP response code is `2XX`, response body matches the baseline by more than 90%, no error message present. If criteria are met, the issue is flagged as confirmed. |
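The loop above, worked through for an object-level authorization test, as an added example that is not Akto's code: the target application, the bearer tokens, the scenario dictionary (a constructed stand-in for an Akto YAML test definition, not its real schema), and the fixed list of plans are all assumptions. Akto's agent derives its plans from an LLM at run time; the hypothetical agent below replays three plans in order so the trace, the similarity check and the validation step can be inspected offline.

```python
"""Simulated Thinking -> Plan -> Action -> Observation loop for a BOLA check.

Added example, not Akto's code. The app, tokens, orders, scenario and plans
are constructed stand-ins; only the loop shape and the validation indicators
(2XX status, body similarity above 90%, no error message) follow the page.
"""
import json
from difflib import SequenceMatcher

# --- Constructed target application (stand-in for the API under test) -------
TOKENS = {"tok-alice": "alice", "tok-bob": "bob"}   # hypothetical bearer tokens
ORDERS = {                                           # constructed data
    42: {"owner": "alice", "item": "laptop", "total": 1299},
    43: {"owner": "bob", "item": "phone", "total": 899},
}

def _caller(headers):
    token = headers.get("Authorization", "").removeprefix("Bearer ")
    return TOKENS.get(token)

def vulnerable_app(method, path, headers, body=None):
    """Authenticates the caller but never checks who owns the order (BOLA)."""
    if _caller(headers) is None:
        return 401, json.dumps({"error": "unauthorized"})
    order = ORDERS.get(int(path.rsplit("/", 1)[-1]))
    if order is None:
        return 404, json.dumps({"error": "not found"})
    return 200, json.dumps(order)

def secure_app(method, path, headers, body=None):
    """Same API with the missing ownership check added."""
    status, resp = vulnerable_app(method, path, headers, body)
    if status == 200 and json.loads(resp)["owner"] != _caller(headers):
        return 403, json.dumps({"error": "forbidden"})
    return status, resp

# --- Constructed scenario and baseline (not Akto's YAML schema) -------------
BASELINE = {"method": "GET", "path": "/api/orders/42",
            "headers": {"Authorization": "Bearer tok-alice"}}
SCENARIO = {
    "id": "REPLACE_AUTH_TOKEN",          # hypothetical test ID
    "goal": "read another user's object by swapping the auth token",
    "indicators": {"status": "2XX", "min_similarity": 0.90, "error_free": True},
}
# Plans a real agent would reason out; here fixed so the run is deterministic.
# Each mutation replaces the matching keys of the baseline request wholesale.
PLANS = [
    ("swap the auth token for another user's token",
     {"headers": {"Authorization": "Bearer tok-bob"}}),
    ("keep the other user's token and alter the object ID",
     {"headers": {"Authorization": "Bearer tok-bob"}, "path": "/api/orders/43"}),
    ("drop the auth header entirely", {"headers": {}}),
]

def observe(resp, baseline_body, indicators):
    """Judge one response against the scenario's key indicators."""
    status, body = resp
    sim = SequenceMatcher(None, baseline_body, body).ratio()
    has_error = "error" in body.lower()
    met = (str(status)[0] + "XX" == indicators["status"]
           and sim >= indicators["min_similarity"]
           and not (indicators["error_free"] and has_error))
    return {"status": status, "similarity": round(sim, 2),
            "error": has_error, "indicators_met": met}

def run_agent(app, baseline, scenario, plans=PLANS):
    """Run the loop, stopping at the first attempt that meets the indicators."""
    trace = []
    base_status, base_body = app(**baseline)
    trace.append(("Thinking", f"baseline returned {base_status}; goal: "
                              f"{scenario['goal']}; success looks like "
                              f"{scenario['indicators']}"))
    obs = {"indicators_met": False}
    n = 0
    for n, (why, mutation) in enumerate(plans, 1):
        request = {**baseline, **mutation}
        trace.append((f"Plan (Attempt {n})", why))
        trace.append((f"Action (Attempt {n})",
                      f"{request['method']} {request['path']} {request['headers']}"))
        obs = observe(app(**request), base_body, scenario["indicators"])
        trace.append((f"Observation (Attempt {n})", obs))
        if obs["indicators_met"]:
            break                      # conclusive: stop refining
    confirmed = obs["indicators_met"]
    trace.append(("Vulnerability Validation",
                  "confirmed" if confirmed else "not reproduced"))
    return {"test": scenario["id"], "confirmed": confirmed,
            "attempts": n, "trace": trace}

if __name__ == "__main__":
    for app in (vulnerable_app, secure_app):
        result = run_agent(app, BASELINE, SCENARIO)
        print(app.__name__, "confirmed" if result["confirmed"] else "clean")
        for step, detail in result["trace"]:
            print(f"  {step}: {detail}")
```

Against `vulnerable_app` the first attempt returns the baseline body verbatim for Bob's token (similarity 1.0, status 200, no error), so validation confirms on attempt 1. Against `secure_app` the token swap yields a 403 with an error message, altering the object ID to Bob's own order returns a 200 whose body is Bob's order rather than the baseline (similarity well under 0.9, so a legitimate read is not mistaken for a leak), and the unauthenticated attempt yields 401; all three plans are exhausted without meeting the indicators.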

## How to Run Smart Automated Tests

Smart Automated Testing runs the same way as standard tests — you select the tests you want to run, and the AI agent executes them.

{% stepper %}
{% step %}

### Open Testing

Go to **Testing** and open a collection or endpoint.
{% endstep %}

{% step %}

### Select Tests

Click **Run Test** and select the tests by name or category.
{% endstep %}

{% step %}

### Enable Smart Automated Testing

Check **Smart Automated Testing** in the test configuration panel.
{% endstep %}

{% step %}

### Run

The agent references the selected test definitions and begins the execution loop.
{% endstep %}
{% endstepper %}

The agent uses the test ID and its associated YAML definition to understand the scenario — what vulnerability to test for, what parameters to manipulate, and what response conditions confirm a finding.

## Viewing the AI Execution Trace

Each Smart Automated Testing run produces a detailed **AI Execution Trace** visible in the test result. See [AI Execution Trace in Test Results](/api-security-testing/concepts/test-result.md#ai-execution-trace) for details on reading the trace.

## Key Differences from Standard Testing

|              | Standard Testing        | Smart Automated Testing                                    |
| ------------ | ----------------------- | ---------------------------------------------------------- |
| Execution    | Fixed payload templates | AI-reasoned, adaptive requests                             |
| Attempts     | Single pass             | Multiple attempts, each improving on the last              |
| Transparency | Request/response logs   | Full reasoning trace (Thinking, Plan, Action, Observation) |
| Validation   | Rule-based matchers     | AI-driven judgment with evidence                           |
