OWASP APTS Conformance Summary
Last updated: April 28, 2026 · Applies to APVISO Scan.
APVISO uses the OWASP Autonomous Penetration Testing Standard (APTS) v0.1.0 as the governance reference for autonomous penetration testing. APTS is a standard for operating these systems safely, transparently, and within agreed boundaries; it is not an OWASP certification program.
Summary
- Conformance model: APVISO documents conformance per engagement, based on the scan's selected governance profile and evidence package.
- Supported tiers: Tier 1 Foundation, Tier 2 Verified, and Tier 3 Comprehensive are supported as engagement-specific assurance postures. The selected tier is recorded with the scan.
- Assessment method: internal self-assessment against the APTS v0.1.0 requirements, backed by customer-available evidence.
Engagement Scope
The APTS posture for a specific scan depends on the customer's selected governance profile, scope, target criticality, and review requirements. Self-service scans use a foundation posture by default. Higher-assurance production, regulated, or critical-environment engagements should use a verified or comprehensive governance profile and review the associated evidence pack before testing begins.
| Public statement | Customer evidence |
|---|---|
| Scope is verified and enforced for every engagement. | Rules of engagement, scope decisions, and scan audit trail. |
| Safety controls constrain potentially harmful activity. | Control evidence, approval records, and termination records. |
| Reports identify what was tested and what was not tested. | Engagement report, coverage matrix, and finding evidence package. |
| Model and supply-chain posture are documented. | Current model disclosure, dependency inventory, and provider review. |
Explicit non-claims
The following are not claimed, by design:
- External APTS conformance audit or assessor engagement. APVISO's APTS posture is currently documented through internal self-assessment and customer review materials.
- OWASP certification, endorsement, or vendor approval. OWASP APTS v0.1.0 does not operate a vendor certification body.
- SOC 2 Type II alignment or audit. The 7-year audit-archive retention aligns with a SOC 2 floor; that alignment is intentional, but it is not claimed as framework conformance.
- Universal Tier 2 or Tier 3 conformance for every scan. APTS controls are scoped to the engagement tier selected and recorded for that scan.
- Public release of implementation details. Detailed technical evidence and validation artifacts are shared only through customer security review channels.
Evidence Access
Active customers and qualified security reviewers can request the current APTS evidence pack, including the completed conformance assessment, engagement-specific report artifacts, model disclosure, supply-chain documentation, and relevant audit samples. Evidence is provided through authenticated customer channels or under appropriate review terms.
Contact
Questions or audit requests: [email protected]. PGP key is published at /.well-known/security.txt.
APVISO's APTS materials are operator-provided documentation. OWASP neither endorses nor certifies individual vendors under APTS v0.1.0.