Pentesting

Rorix runs Nuclei vulnerability scans and optional API fuzzing against web targets you control. Verify the domain once with DNS, then launch scans without agents or installations.

How It Works

  1. You verify the target domain with a DNS TXT challenge
  2. You provide a target URL and optionally an OpenAPI specUrl or inline spec
  3. Rorix queues a pentest job and runs the selected scanners against the target
  4. Results are returned as a structured report with executive summary, coverage, and findings

Standalone Pentests

Go to /dashboard/pentest, verify the domain you own, and run a one-off scan against that host or one of its subdomains. This is useful for staging environments, public APIs, and production surfaces you explicitly control.

Project-Scoped Pentests

When a project has a configured target URL, you can run pentests directly from the project view. Results are linked to the project for tracking over time.

Scanners

Nuclei

A template-based vulnerability scanner that checks for common web vulnerabilities including:

  • SQL injection (SQLi)
  • Cross-site scripting (XSS)
  • Cross-site request forgery (CSRF)
  • Server misconfigurations
  • Exposed sensitive files
  • Known CVEs in web technologies

Because Nuclei is template-driven, its coverage is bounded by the templates it runs: it is a fast, repeatable breadth check for known issues and misconfigurations, not a substitute for a manual pentest of application logic.

API Fuzz

Accepts either an OpenAPI/Swagger specification URL or an inline OpenAPI document. The fuzzer parses the spec and tests each endpoint with malformed and unexpected input to uncover security issues such as injection flaws, broken authentication, and improper error handling.

Results

Findings are grouped by severity: Critical, High, Medium, Low, and Info. Each report includes:

  • An executive summary with overall risk and totals by severity
  • Coverage details showing which engines ran and what completed
  • Findings with evidence, target path, and remediation guidance

Each finding includes:

  • Its severity
  • The target URL and matched path
  • A description of the vulnerability and the evidence that triggered it
  • Remediation advice

Export

Export your pentest results as CSV or JSON from the results page.

Limits

| Plan     | Pentests per Month   |
|----------|----------------------|
| Free     | 1 pentest credit     |
| Pro      | 5 pentest credits    |
| Business | 20 pentest credits   |

API Usage

Create a pentest job:

curl -X POST https://rorix.io/api/pentest \
  -H "Authorization: Bearer rxk_your_api_key" \
  -H "Content-Type: application/json" \
  -d '{
    "targetUrl": "https://example.com",
    "specUrl": "https://example.com/openapi.json",
    "projectId": "proj_abc123"
  }'

Poll the job status:

curl https://rorix.io/api/pentest/job_xyz789 \
  -H "Authorization: Bearer rxk_your_api_key"
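The two calls above wrapped in a small Python client, as an added example (it is not Rorix's own SDK or reference code). Only the two endpoints and the request fields shown on this page are taken from the docs; the response field names (`id`, `status`, `findings`, `severity`, `name`, `target`, `path`, `remediation`), the terminal status values, and the CSV columns are assumptions to check against the Pentest API reference. The client also refuses, before anything is sent, any target whose host is not the verified domain or one of its subdomains, and tallies findings by the five severities the Results section lists.

```python
"""Minimal Rorix pentest client: build a job, poll it, summarise the findings.

Added example, not Rorix code. Endpoints and request fields follow this page;
response field names, status values and CSV columns are ASSUMPTIONS.
"""
import csv
import io
import json
import os
import time
import urllib.parse
import urllib.request

BASE_URL = "https://rorix.io/api/pentest"
SEVERITIES = ("Critical", "High", "Medium", "Low", "Info")
TERMINAL_STATUSES = {"completed", "failed", "cancelled"}  # assumed values
CSV_FIELDS = ("severity", "name", "target", "path", "remediation")  # assumed


def build_job_request(target_url, verified_domain, spec_url=None, project_id=None):
    """Return the POST body for /api/pentest, or raise if the target is out of scope.

    Rorix only scans a DNS-verified domain or its subdomains; checking that
    here stops a typo from queuing (and spending a credit on) a foreign host.
    """
    host = urllib.parse.urlsplit(target_url).hostname
    if not host:
        raise ValueError("targetUrl has no host component")
    if host != verified_domain and not host.endswith("." + verified_domain):
        raise ValueError(f"{host} is not {verified_domain} or a subdomain of it")
    body = {"targetUrl": target_url}
    if spec_url:
        body["specUrl"] = spec_url      # enables API fuzzing
    if project_id:
        body["projectId"] = project_id  # links results to a project
    return body


def _request(method, url, api_key, body=None):
    data = json.dumps(body).encode() if body is not None else None
    req = urllib.request.Request(url, data=data, method=method, headers={
        "Authorization": f"Bearer {api_key}",
        "Content-Type": "application/json",
    })
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)


def create_job(api_key, body):
    return _request("POST", BASE_URL, api_key, body)


def is_terminal(status):
    """True once the job can no longer change (status values assumed)."""
    return (status or "").lower() in TERMINAL_STATUSES


def poll_job(api_key, job_id, interval=15, max_wait=3600):
    """GET the job until it reaches a terminal status or max_wait expires."""
    deadline = time.monotonic() + max_wait
    while True:
        job = _request("GET", f"{BASE_URL}/{job_id}", api_key)
        if is_terminal(job.get("status")):
            return job
        if time.monotonic() >= deadline:
            raise TimeoutError(f"job {job_id} still {job.get('status')!r}")
        time.sleep(interval)


def summarize(findings):
    """Count findings per severity, normalising case; unknown labels land in Info."""
    counts = {s: 0 for s in SEVERITIES}
    for finding in findings:
        sev = str(finding.get("severity", "Info")).capitalize()
        counts[sev if sev in counts else "Info"] += 1
    return counts


def findings_to_csv(findings):
    """Flatten findings to CSV with the (assumed) columns of the dashboard export."""
    buf = io.StringIO()
    writer = csv.DictWriter(buf, fieldnames=CSV_FIELDS, extrasaction="ignore")
    writer.writeheader()
    for finding in findings:
        writer.writerow({k: finding.get(k, "") for k in CSV_FIELDS})
    return buf.getvalue()


# Constructed sample findings, shaped as this client assumes the API returns them.
SAMPLE_FINDINGS = [
    {"severity": "critical", "name": "SQL injection", "target": "https://example.com",
     "path": "/search?q=", "remediation": "Use parameterised queries."},
    {"severity": "HIGH", "name": "Reflected XSS", "target": "https://example.com",
     "path": "/login", "remediation": "Encode output; set a strict CSP."},
    {"severity": "low", "name": "Missing X-Content-Type-Options", "target": "https://example.com",
     "path": "/", "remediation": "Send nosniff."},
    {"severity": "info", "name": "Server header disclosed", "target": "https://example.com",
     "path": "/", "remediation": "Suppress the Server header."},
]

if __name__ == "__main__":
    key = os.environ["RORIX_API_KEY"]
    body = build_job_request("https://example.com", "example.com",
                             spec_url="https://example.com/openapi.json")
    job = poll_job(key, create_job(key, body)["id"])
    print(summarize(job.get("findings", [])))
    print(findings_to_csv(job.get("findings", [])))
```

Run it with `RORIX_API_KEY` set; the live section at the bottom is the only part that touches the network, so the pure helpers can be unit-tested against the constructed sample without a key or a credit.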

See the Pentest API reference for full details.