From Managed Pentests to Self-Hosted AI-DAST: Why We Made the Switch

APVISO Team · 3 min read

Apviso was fully managed.

You gave us a target, we ran the pentest, and delivered results.

That worked. But it also created friction.

You had to expose environments, whitelist infrastructure, and trust an external system to test your applications. For many teams, especially those working with internal apps or sensitive data, that’s a blocker.

So we changed it.


The shift: self-hosted by default

Apviso is now self-hosted.

You run the pentest from your own environment, on your own infrastructure, using your own API keys.

No more whitelisting.
No more external access requirements.
No more limits on what you can test.

If your app runs locally, in staging, or behind a firewall, you can test it.

This aligns with what modern teams actually need: control.


BYOK: bring your own AI

Instead of bundling AI into the platform, we moved to a BYOK model.

You can run Apviso with:

  • Codex
  • Claude Code
  • Anthropic API
  • OpenAI API
  • AWS Bedrock

This gives you flexibility on cost, performance, and compliance.

You decide which model to use.
You control your data.
You optimize your own economics.

No hidden margins. No black box.


Built for real workflows (not demos)

Security tools often live outside the development process.

Apviso doesn’t.

It integrates directly into your workflow:

  • Run pentests in CI/CD pipelines
  • Trigger scans on every deployment
  • Automate retesting after fixes
  • Export results into your existing tools

Modern development moves fast. Security has to keep up.

Automated testing is already a requirement in CI/CD pipelines, and AI-driven pentesting is the next step in that evolution.


Not just DAST — autonomous pentesting

Traditional DAST tools send requests and look for patterns.

That’s useful, but limited.

DAST works from the outside, testing running applications like an attacker would, but it often misses complex logic flaws or multi-step attacks.

Apviso goes further.

It uses AI agents that:

  • Explore the application
  • Understand behavior
  • Chain vulnerabilities
  • Verify real exploitation

This is closer to how real pentesters work.

And more importantly, it finds issues that scanners don’t.


OWASP APTS Tier 1–3

We also aligned Apviso with OWASP APTS.

  • Tier 1 is enabled by default
  • Tier 2 and Tier 3 are opt-in
  • Every run maps to structured pentesting requirements

This gives you something most tools don’t:

A clear path from automated testing to compliance-grade security.


Why this matters

Security is moving in the same direction as infrastructure did:

From managed → to self-hosted → to programmable.

The old model:

  • Centralized
  • Opaque
  • Hard to integrate

The new model:

  • Runs where your code runs
  • Uses your stack
  • Fits into your pipelines

Apviso is built for that model.


What you can do now

With the new self-hosted Apviso:

  • Pentest internal and private apps
  • Run hundreds of tests per month with your own AI
  • Integrate security directly into development
  • Keep full control over data and execution

No compromises.


Final note

This wasn’t just a feature update.

It’s a shift in how pentesting should work.

Closer to developers.
Closer to production.
Closer to reality.

If you’re already building with AI, your security should too.

Free Local Pentest pilot

Run your first localhost Launch Review from your own machine.

Start with the constrained free local flow, then upgrade when you need public, staging, private/internal, partner, retest, or scheduled testing.

Free Local

Clean entry point, clear upgrade path.

  • 1 localhost-only Launch Review every 30 days
  • Self-hosted runner keeps access and BYOK credentials local
  • Paid plans unlock public, staging, private, schedules, and retests

APVISO orchestrates the job; execution happens on your runner.