Back to Blog

Self-Hosted AI Pentesting: Why BYOK Runners Change the Security Model

APVISO Team · Security Research·6 min read·

Autonomous pentesting raises a practical buyer question before it raises a technical one: where does the testing actually run?

For many SaaS teams, agencies, and enterprises, the answer cannot be "inside a vendor black box." The application may sit behind a VPN, depend on staging-only services, require a private CA, or need test credentials that should never leave the customer's environment. The team may also have approved model-provider accounts, data residency rules, and procurement language that make bring-your-own-key workflows non-negotiable.

That is why self-hosted AI pentesting is becoming the serious default for teams that want autonomous testing without outsourcing their network, model keys, or target authentication secrets.

What self-hosted AI pentesting means

In a self-hosted model, the vendor's cloud control plane coordinates the work, but execution happens on a customer-operated runner. The runner claims jobs, checks its own environment, launches the pentest runtime locally, and streams findings back to the product dashboard.

In APVISO's architecture, the cloud control plane manages organizations, targets, runner jobs, schedules, findings, reports, and integrations. The customer-installed runner performs the scan execution. It checks Docker, provider credentials, DNS and target reachability, pinned scan image metadata, and any runner-local authentication file before it launches the scan container, then verifies the pulled image digest before running it.

That split is important. APVISO can provide the workflow, evidence trail, and reporting experience, while model-provider credentials and target application credentials stay on the runner host.

Why BYOK matters for security teams

Bring-your-own-key is often treated like a billing preference. For autonomous pentesting, it is closer to an operating model.

Model credentials are sensitive because they can expose account usage, provider policy scope, logs, budgets, and sometimes access to approved enterprise endpoints. Target application credentials are even more sensitive. They may unlock staging systems, admin flows, customer-like test data, and internal APIs. Putting those secrets into a third-party SaaS dashboard creates a new trust boundary that many teams do not need.

With a self-hosted BYOK runner, the team can:

  • Use its own approved model providers and endpoints.
  • Keep target auth files on infrastructure it controls.
  • Test private, staging, partner-client, and localhost targets that a cloud scanner cannot reach.
  • Enforce local network rules, proxy behavior, custom CA roots, and egress policy.
  • Rotate runner tokens and target credentials through its existing operations process.
  • Preserve a central APVISO dashboard for status, findings, reports, retests, and integrations.

This is the difference between "upload secrets so a scanner can work" and "run the scanner where the approved secrets already live."

The runner lifecycle in plain English

A self-hosted APVISO pentest follows a job lifecycle rather than a hosted-container lifecycle.

First, APVISO creates a pending_runner job for the selected target and pentest package. A registered runner authenticates with a runner-scoped token and claims that job. The platform returns job-scoped credentials, target metadata, and scan image metadata. The runner then performs preflight checks before active testing begins.

Those preflights are not cosmetic. They answer the questions that usually break automated pentesting in real environments:

  • Can the runner reach the target from the network position that matters?
  • Are model-provider credentials present for the selected BYOK provider?
  • Is Docker available to launch the scan container?
  • Is the scan image pinned to an immutable digest?
  • Is the optional target auth file readable on the runner host?
  • Are local constraints such as proxies, workspace paths, and runtime configuration sane?

If preflight fails, the job can fail before the scan container starts or any active testing begins. If preflight passes, the runner launches the pinned scan image locally and the scan container reports back with a job-scoped bearer token plus a scan token.

Why job-scoped auth matters

Autonomous security tooling should not run on broad, reusable credentials when a narrower credential can do the job. APVISO's scan containers use job-scoped auth for callbacks, so each scan receives credentials tied to that job rather than a global plugin key. The plugin API checks the runner job bearer token and scan token, and legacy global X-API-Key callbacks are rejected.

That design limits blast radius. A scan should be able to stream its messages, findings, artifacts, and report for its assigned job. It should not have standing access to unrelated platform APIs or other customers' data. Job-scoped auth also makes audit trails easier to reason about because platform events can be connected to the runner job that produced them.

For buyers evaluating autonomous pentesting vendors, this is worth asking directly: does the scan runtime receive a reusable tenant credential, or a narrow job credential?

What this unlocks for teams

Self-hosted execution changes what can be tested. Public marketing sites are only one slice of modern application security. The highest-risk issues often live in the places generic external scanners cannot reach:

  • Staging environments before a customer launch.
  • Internal admin portals behind VPN or zero-trust access.
  • Local developer previews for high-risk flows.
  • Partner-client environments managed by an agency or MSP.
  • Authenticated API paths that need a dedicated test account.
  • Applications with private DNS, custom CA roots, or strict egress policy.

Because the runner runs inside the customer's environment, APVISO can support those workflows without turning the APVISO cloud into a secret store for model keys or application credentials.

A practical adoption checklist

Before running a first self-hosted AI pentest, teams should prepare the same way they would prepare a serious manual engagement:

  • Confirm written authorization and target scope.
  • Choose the runner network position that can reach the intended target.
  • Create dedicated test accounts with realistic roles.
  • Store target credentials in a runner-local auth file instead of a SaaS form.
  • Verify provider credentials and token budgets for the selected model family.
  • Run runner readiness checks before scheduling recurring pentests.
  • Decide where findings should flow, such as Jira, GitHub, Linear, Slack, or webhook-based systems.
  • Use retests to verify remediations instead of treating the first report as a one-time artifact.

APVISO's API reference, authenticated pentesting guide, pentest-start guide, and pricing page map these operational choices to runner count, concurrency, target visibility, and governance needs.

The bigger point

AI changes the economics of penetration testing, but operations still matter. The teams that get the most value from autonomous pentesting are not the ones that fire a scanner at production and hope for the best. They are the teams that place execution where the application actually lives, keep secrets under their own control, and use the platform to turn each run into evidence, remediation, and continuous coverage.

That is the promise of self-hosted AI pentesting: autonomous security testing without surrendering the parts of the environment that should remain local.

Free Local Pentest pilot

Run your first localhost Launch Review from your own machine.

Start with the constrained free local flow, then upgrade when you need public, staging, private/internal, partner, retest, or scheduled testing.

Start FreeReview boundariesTalk to sales

Free Local

Clean entry point, clear upgrade path.

1 localhost-only Launch Review every 30 days
Self-hosted runner keeps access and BYOK credentials local
Paid plans unlock public, staging, private, schedules, and retests
APVISO orchestrates the job; execution happens on your runner.