IntelStrike Docs

IntelStrike is the autonomous security testing platform that covers OWASP LLM Top 10, web application vulnerabilities, and API security — in one scanner. Run 210+ probes across 21 vulnerability categories against LLM endpoints, RAG pipelines, agent frameworks, web applications, and REST APIs.

Key Capabilities

• 210+ security probes across 27 vulnerability categories (LLM, Web, API, Agent-to-Agent, Emerging Threats, Supply Chain)
• Autonomous Red Teaming Engine — multi-turn, AI-powered adaptive attack sequences with budget management
• Full OWASP LLM Top 10 coverage (LLM01–LLM10) plus RAG and AI Agent attack categories
• Full OWASP Web Top 10 coverage (WEB01–WEB10) — SQL injection, XSS, SSRF, RCE, XXE, path traversal, CSRF, open redirect, and more
• 13 scan profiles: quick, owasp-llm-top10, rag-full, agent-strict, agent-network, autonomous, owasp-web-top10, api-security, full-spectrum, guardrail-audit, open-source-audit, coding-agent, social-engineering
• Parallel probe execution for 5x faster scans
• Zero-code setup — register your target and start scanning from the dashboard
• REST API for programmatic access (power users)
• Real-time dashboard with KPIs, vulnerability tracking, usage analytics, and SSE progress streaming
• SARIF 2.1.0 output for GitHub Security tab and security tool interoperability
• HTML report export — printable, self-contained, compliance-ready
• Native integrations with Slack, Jira, Linear, PagerDuty, GitHub, Teams, Datadog, and generic webhooks with HMAC-SHA256 signing
• Role-based access control (RBAC) with owner/admin/member/viewer roles
• Enterprise audit logs with filtering, pagination, and CSV export
• CI/CD integration via REST API with GitHub Actions and GitLab CI examples
• Stripe-integrated billing with Free, Pro, and Enterprise tiers
• Compliance mapping: SOC 2, PCI DSS v4.0, ISO 27001:2022, GDPR, NIST CSF 2.0
• Continuous Monitoring: register a target once, auto-discover endpoints, rotate scan profiles, encrypted credentials (AES-256-GCM)
• Business Logic Testing: pricing logic, auth/permission, and workflow/concurrency probes with a natural-language assertion builder
• Email notifications: critical alerts, scan completion, weekly digest

How It Works

IntelStrike sends adversarial probes against your AI endpoints, analyzes the responses for vulnerabilities, and classifies findings by OWASP LLM attack vector. Each finding includes a severity rating, evidence of the vulnerability, and step-by-step remediation guidance.

Get up and running with IntelStrike in under 5 minutes. No SDK or CLI to install — everything runs from the dashboard.

1. Create Your Account

Sign up at intel-strike.com. You'll get immediate access to the dashboard where you can manage targets, scans, and findings.

2. Add Your Target

Navigate to Dashboard → Monitoring and paste your target URL. This can be any web app, API, or LLM endpoint. Our discovery engine will automatically map all endpoints and surfaces.

3. Start the Scan

Click 'Start Scan'. IntelStrike automatically selects the best scan profile for your target and runs 210+ security probes. No configuration needed.

4. Review Findings

Findings appear in your dashboard with severity ratings (Critical, High, Medium, Low), OWASP classification, evidence, and step-by-step remediation guidance.

This tutorial walks you through scanning OWASP Juice Shop — a deliberately vulnerable web application perfect for testing IntelStrike's capabilities. You'll deploy it locally, run a full security scan, review findings, and export a report.

Step 1: Deploy OWASP Juice Shop

Juice Shop is a realistic vulnerable application that runs on Node.js. Deploy it locally using Docker:

docker run -d --name juice-shop -p 3000:3000 bkimminich/juice-shop

Verify it's running:

curl http://localhost:3000

Alternatively, install via npm if you prefer:

npm install juice-shop
npx juice-shop

Step 2: Create an IntelStrike Account

If you haven't already, sign up at intelstrike.uk and create an API key from the dashboard.

export INTELSTRIKE_API_KEY=isk_live_...

Step 3: Configure Your Scan

Navigate to Dashboard → Monitoring in the IntelStrike dashboard. For Juice Shop, configure:

Or via REST API:

curl -X POST https://api.intel-strike.com/v1/scans \
  -H "Authorization: Bearer $INTELSTRIKE_API_KEY" \
  -H "Content-Type: application/json" \
  -d '{
    "endpoint": "http://localhost:3000"
  }'

Step 4: Run the Scan

Click 'Start Scan' in the dashboard. IntelStrike will execute 50+ probes covering:

• SQL Injection (including JSON field name injection)
• Cross-Site Scripting (reflected, event-handler, javascript: URL)
• Server-Side Request Forgery (AWS/GCP metadata, localhost)
• Authentication Bypass and IDOR
• Command Injection and RCE
• Security Header checks
• Path Traversal
• Open Redirect

The scan typically takes 2-5 minutes depending on your target.

Step 5: Review Findings

Once complete, you'll see findings organized by severity:

Each finding includes:

• OWASP category (e.g., WEB01: SQL Injection)
• Attack vector and payload used
• Confidence score (0-100%)
• Evidence from the response
• Step-by-step remediation guidance
• References to official documentation

Step 6: Export Your Report

Download reports from the dashboard or via API:

curl -H "Authorization: Bearer $INTELSTRIKE_API_KEY" \
  https://api.intel-strike.com/v1/scans/{scanId}/report \
  -o report.pdf

curl -H "Authorization: Bearer $INTELSTRIKE_API_KEY" \
  https://api.intel-strike.com/v1/scans/{scanId}/sarif \
  -o results.sarif

Next Steps

• Scan your own APIs using the techniques learned here
• Explore other scan profiles like owasp-llm-top10 for AI endpoints
• Set up scheduled scans for continuous security monitoring
• Integrate with Slack, Jira, or Linear for team notifications
• Review the full documentation for advanced features

The IntelStrike REST API is available at https://api.intel-strike.com/v1. All requests require an API key passed in the Authorization header.

curl https://api.intel-strike.com/v1/scans \
  -H "Authorization: Bearer isk_live_..."

Endpoints

Create a Scan

POST /v1/scans accepts the following body parameters:

# LLM endpoint scan
curl -X POST https://api.intel-strike.com/v1/scans \
  -H "Authorization: Bearer isk_live_..." \
  -H "Content-Type: application/json" \
  -d '{
    "projectId": "proj_abc123",
    "endpoint": "https://your-api.com/chat",
    "profile": "owasp-llm-top10",
    "requestType": "llm",
    "targetHeaders": {
      "Authorization": "Bearer your-llm-key"
    }
  }'

# Web application scan
curl -X POST https://api.intel-strike.com/v1/scans \
  -H "Authorization: Bearer isk_live_..." \
  -H "Content-Type: application/json" \
  -d '{
    "endpoint": "https://your-app.com/search",
    "profile": "owasp-web-top10",
    "requestType": "web",
    "method": "GET",
    "injectIn": "query"
  }'

# Autonomous red teaming scan
curl -X POST https://api.intel-strike.com/v1/scans \
  -H "Authorization: Bearer isk_live_..." \
  -H "Content-Type: application/json" \
  -d '{
    "projectId": "proj_abc123",
    "endpoint": "https://your-api.com/chat",
    "profile": "autonomous",
    "requestType": "llm",
    "targetDescription": "Customer support chatbot with tool access",
    "budget": { "maxTokens": 100000, "maxTurns": 10 }
  }'

Response Format

{
  "id": "scn_abc123",
  "status": "completed",
  "profile": "owasp-llm-top10",
  "endpoint": "https://your-api.com/chat",
  "created_at": "2026-03-18T10:00:00Z",
  "completed_at": "2026-03-18T10:04:32Z",
  "summary": {
    "total_findings": 7,
    "critical": 1,
    "high": 2,
    "medium": 3,
    "low": 1
  },
  "findings": [
    {
      "id": "fnd_xyz789",
      "owasp_id": "LLM01",
      "title": "Direct Prompt Injection",
      "severity": "critical",
      "evidence": "...",
      "remediation": "..."
    }
  ]
}

Rate Limits

IntelStrike is configured primarily through the dashboard. For CI/CD and API usage, configuration is done via environment variables and API request parameters.

Environment Variables (CI/CD)

Set these in your CI/CD environment to trigger scans via the REST API:

Scan Profiles

IntelStrike provides full coverage of the OWASP Top 10 for LLM Applications. Every attack vector is automated, classified, and includes remediation guidance.

Supply chain attacks have become one of the most critical threats to AI/ML infrastructure. The TeamPCP campaign (March 2026) compromised Trivy, LiteLLM, and multiple npm packages, demonstrating how attackers target trusted tools to reach downstream victims. IntelStrike provides comprehensive supply chain security coverage to protect your dependencies.

Recent Supply Chain Incidents

Supply Chain Categories

How to Scan Your Dependencies

Use the Dashboard or API to scan your lockfiles for vulnerabilities:

curl -X POST https://intelstrike.uk/api/v1/package-check \
  -H "Authorization: Bearer isk_live_..." \
  -H "Content-Type: application/json" \
  -d '{
    "lockfile": "requests==2.31.0\ntelnyx==4.87.1\nnumpy==1.24.0",
    "registry": "pypi"
  }'

curl -X POST https://intelstrike.uk/api/v1/package-check \
  -H "Authorization: Bearer isk_live_..." \
  -H "Content-Type: application/json" \
  -d '{
    "lockfile": "<package-lock.json content>",
    "registry": "npm"
  }'

Using the Dashboard

Navigate to Dashboard → Supply Chain to upload lockfiles, view vulnerabilities, and export compliance reports. The dashboard provides a visual overview of your dependency security posture.

Compliance Coverage

Continuous Monitoring lets you register a target once and have IntelStrike's agents scan it automatically — discovering endpoints, rotating scan profiles, and reporting vulnerabilities without manual intervention.

How It Works

1. Register your target URL with optional credentials (Bearer token, API key, or cookie) — credentials are encrypted at rest with AES-256-GCM.
2. Enable auto-discovery: IntelStrike crawls your target to find all endpoints (sitemap.xml, robots.txt, OpenAPI/Swagger specs, GraphQL introspection, HTML forms, internal links, and common paths).
3. Choose a frequency (every 6 hours, every 12 hours, daily, weekly, or monthly) and set the profile to Auto-Rotate.
4. Agents scan continuously, cycling through profiles relevant to your target type (LLM, Web, API, A2A). Deep scans (autonomous / full-spectrum) run weekly.
5. Vulnerabilities are reported in real-time via your configured integrations (Slack, Jira, Linear, PagerDuty, webhooks).

Target Types

Profile Rotation

When the profile is set to Auto-Rotate, IntelStrike cycles through all profiles relevant to your target type, avoiding repeats. Once per week (on Sundays), a deep scan runs using the autonomous or full-spectrum profile for maximum coverage.

Auto-Discovery

When enabled, IntelStrike re-discovers your target's endpoints every 24 hours. Discovery sources include:

• sitemap.xml parsing
• robots.txt path extraction
• OpenAPI / Swagger spec detection (7 common paths)
• GraphQL endpoint detection
• HTML form action URLs
• Internal link crawling (1 level deep)
• Common endpoint probing (/api, /graphql, /health, /admin, etc.)

Credential Security

Credentials are encrypted with AES-256-GCM before storage. The encryption key is stored as an environment variable (ENCRYPTION_KEY) and never committed to source control. The API never returns credential values — only the auth type (bearer, api-key, cookie, or none) is exposed.

Dashboard API

curl -X POST https://intelstrike.uk/api/dashboard/scheduled-scans \
  -H "Authorization: Bearer <session>" \
  -H "Content-Type: application/json" \
  -d '{
    "name": "Production API",
    "endpoint": "https://api.example.com",
    "targetType": "api",
    "profile": "auto",
    "frequency": "daily",
    "autoDiscover": true,
    "auth": { "type": "bearer", "token": "sk-..." }
  }'

Business Logic Testing targets application-specific rules that traditional vulnerability scanners miss — pricing errors, permission bypasses, and workflow race conditions. Define assertions in plain English and let IntelStrike probe your endpoints automatically.

Probe Categories

Natural-Language Assertion Builder

Write assertions in plain language (e.g. "discount must never exceed 50%" or "user A cannot read user B's orders"). IntelStrike translates them into executable checks and runs them against your API.

API Endpoint

curl -X POST https://intelstrike.uk/api/dashboard/logic-scans \
  -H "Authorization: Bearer <session>" \
  -H "Content-Type: application/json" \
  -d '{
    "endpoint": "https://api.example.com/checkout",
    "categories": ["pricing", "auth", "workflow"],
    "assertions": ["price must be non-negative", "coupon cannot stack"]
  }'

Push scan results and findings to your existing tools in real-time. IntelStrike supports webhooks and native integrations with popular platforms.

Webhook Configuration

const webhook = await client.webhooks.create({
  url: "https://your-app.com/webhooks/intelstrike",
  events: ["scan.completed", "finding.critical"],
  secret: "whsec_...",  // Used to verify webhook signatures
});

Webhook Events

Webhook Payload

{
  "event": "scan.completed",
  "timestamp": "2026-03-25T09:00:00Z",
  "data": {
    "scanId": "scn_abc123",
    "endpoint": "https://your-app.com/api/chat",
    "profile": "owasp-web-top10",
    "riskScore": 74,
    "findings": [
      {
        "id": "fnd_xyz789",
        "title": "SQL Injection via JSON field name",
        "severity": "critical",
        "category": "WEB01"
      }
    ]
  },
  "signature": "sha256=a1b2c3d4e5f6..."
}

Verifying Signatures (Node.js)

Every webhook delivery includes an X-IntelStrike-Signature header. Verify it with HMAC-SHA256 before processing the payload.

import crypto from "crypto";

function verifyWebhookSignature(
  rawBody: Buffer,
  signatureHeader: string,
  secret: string
): boolean {
  const expected = "sha256=" + crypto
    .createHmac("sha256", secret)
    .update(rawBody)
    .digest("hex");
  return crypto.timingSafeEqual(
    Buffer.from(expected),
    Buffer.from(signatureHeader)
  );
}

app.post("/webhooks/intelstrike", express.raw({ type: "*/*" }), (req, res) => {
  const sig = req.headers["x-intelstrike-signature"] as string;
  if (!verifyWebhookSignature(req.body, sig, process.env.WEBHOOK_SECRET!)) {
    return res.status(401).send("Invalid signature");
  }
  const event = JSON.parse(req.body.toString());
  // handle event.event ("scan.completed", "finding.critical", etc.)
  res.sendStatus(200);
});

Native Integrations

IntelStrike exports scan results in SARIF 2.1.0 (Static Analysis Results Interchange Format), the industry standard for security tools. SARIF files can be uploaded to GitHub Security tab, viewed in VS Code SARIF Viewer, or consumed by any SARIF-compatible tool.

Download SARIF via API

# Via API key
curl -H "Authorization: Bearer isk_live_..." \
  https://api.intel-strike.com/api/v1/scan/SCAN_ID/sarif \
  -o results.sarif

SARIF in CI/CD

- name: Run IntelStrike Scan
  env:
    INTELSTRIKE_API_KEY: ${{ secrets.INTELSTRIKE_API_KEY }}
  run: |
    curl -sf -X POST \
      -H "Authorization: Bearer $INTELSTRIKE_API_KEY" \
      -H "Content-Type: application/json" \
      -d '{"endpoint": "${{ secrets.TARGET_URL }}", "profile": "owasp-llm-top10"}' \
      -o results.json \
      https://intelstrike.uk/api/v1/scan
    # Download SARIF
    SCAN_ID=$(cat results.json | grep -o '"id":"[^"]*"' | head -1 | cut -d'"' -f4)
    curl -sf -H "Authorization: Bearer $INTELSTRIKE_API_KEY" \
      "https://intelstrike.uk/api/v1/scan/$SCAN_ID/sarif" \
      -o results.sarif

- name: Upload SARIF
  uses: github/codeql-action/upload-sarif@v3
  with:
    sarif_file: results.sarif

SARIF Contents

• Tool metadata (IntelStrike version, scan profile)
• Rules with OWASP LLM Top 10 taxonomy relationships
• Results with severity levels (error, warning, note, none)
• Invocation metadata (endpoint, duration, success status)
• Security-severity scores for prioritization

IntelStrike includes enterprise-grade access control and compliance features. Role-based access control (RBAC) restricts actions by team role, while audit logs provide a complete trail of all actions taken in your organization.

Role Hierarchy

Permission Examples

Audit Logs

Every significant action is recorded in the audit log with: timestamp, user, action type, affected resource, and metadata. Audit logs support filtering by action type and resource, pagination, and CSV export for compliance reporting.

• scan.created, scan.completed, scan.failed
• api_key.created, api_key.revoked
• vulnerability.resolved, vulnerability.ignored
• member.invited, member.removed, member.role_changed
• integration.created, integration.updated, integration.deleted
• webhook.created, webhook.deleted
• sarif.downloaded
• billing.subscription_created, billing.subscription_cancelled

IntelStrike is designed to work with any LLM endpoint that accepts HTTP requests. Below are the supported runtimes, providers, and system requirements.

Supported Runtimes

Supported LLM Providers

• OpenAI (GPT-4, GPT-4o, GPT-3.5 Turbo)
• Anthropic (Claude 4.5, Claude 4, Claude 3.5)
• Azure OpenAI Service
• Google Vertex AI (Gemini)
• Cohere (Command R+)
• AWS Bedrock
• Hugging Face Inference Endpoints
• Self-hosted models (vLLM, TGI, Ollama, LMStudio)
• Any HTTP endpoint that accepts chat/completion requests

Supported Frameworks

• LangChain / LangGraph
• LlamaIndex
• CrewAI
• AutoGen
• Semantic Kernel
• Custom agent frameworks (via HTTP endpoint scanning)

System Requirements

IntelStrike follows semantic versioning (semver). The API version is specified in the URL path (/v1).

Current Versions

Recent Changes

v1.6.0 — March 2026

• Supply Chain Security — NEW: Package integrity checking, IOC detection, and lockfile vulnerability scanning
• Dashboard Supply Chain page — Upload and scan requirements.txt, package-lock.json, and Gemfile for vulnerabilities
• API /package-check endpoint — Programmatic dependency security scanning
• Agent Trust Chain Security — NEW: Detect identity spoofing, inter-agent injection, delegation abuse, and trust chain exploitation
• Coverage for TeamPCP, LiteLLM, and Telnyx supply chain attacks
• Added SUPPLY01-05 and A2A-TRUST vulnerability categories

v1.5.0 — March 2026

• Autonomous Red Teaming Engine — multi-turn AI-powered adaptive attacks with budget management
• Parallel probe execution (5x faster scans with configurable concurrency)
• Stripe billing integration (Free, Pro $49/endpoint/mo, Enterprise)
• Real-time dashboard with KPIs wired to live data
• API key management with SHA-256 hashing and usage tracking
• Autonomous mode with configurable max turns and token budget

v1.4.0 — March 2026

• Added agent abuse scan profiles (LLM07, LLM08)
• Improved prompt injection detection with multi-turn context analysis

v1.3.0 — February 2026

• RAG-specific scan profile with retrieval poisoning detection
• Webhook signature verification with HMAC-SHA256
• Performance improvements: 40% faster scans with parallel probing

v1.2.0 — January 2026

• HTML and PDF report generation from the dashboard
• PagerDuty native integration
• Custom scan profiles support
• API rate limiting improvements

IntelStrike covers 27 vulnerability categories across three domains: AI/LLM (18 categories), Web/API (10 categories), and Supply Chain (5 categories). Each category maps to one or more OWASP classifications.

AI / LLM Categories

Web / API Categories

Supply Chain Categories

Every finding IntelStrike produces is automatically mapped to the relevant controls in SOC 2 Type II, PCI DSS v4.0, ISO 27001:2022, GDPR, NIST CSF 2.0, EU AI Act, and NIST AI RMF. Use the compliance report to generate audit evidence in one click.

Framework Coverage by Category

The IntelStrike API uses standard HTTP status codes. All error responses include a JSON body with a code string and a human-readable message.

{
  "error": {
    "code": "SCAN_LIMIT_EXCEEDED",
    "message": "Free plan allows 5 scans per month. Upgrade to Pro for unlimited scans.",
    "status": 429
  }
}

Frequently Asked Questions

Does IntelStrike send real attacks to my endpoint?

IntelStrike sends adversarial probes designed to test your endpoint's defenses. These are non-destructive — they do not modify data, trigger side effects, or cause damage. However, they may generate unusual log entries. We recommend running initial scans in a staging environment.

Can I scan endpoints behind a VPN or firewall?

Yes. Use the --proxy flag to route scans through your corporate proxy, or whitelist IntelStrike's IP ranges in your firewall. Contact support for the current IP list.

How long does a scan take?

With parallel probe execution (default concurrency of 5), a full OWASP LLM Top 10 scan typically takes 1-2 minutes. The 'quick' profile runs in under 30 seconds. Autonomous red teaming scans take 5-15 minutes depending on the number of turns and budget.

Can I scan multiple endpoints?

Yes. Register multiple targets in the dashboard, or use the REST API to trigger scans for multiple endpoints programmatically.

Troubleshooting

Scan times out

• Try a lighter scan profile (e.g., 'quick' instead of 'full-spectrum')
• Ensure the target endpoint is reachable and responding within expected latency
• Check if a firewall or WAF is blocking IntelStrike probes

Authentication errors (401/403)

• Verify your API key is set correctly: echo $INTELSTRIKE_API_KEY
• Ensure the key has not been revoked in Dashboard → API Keys
• Check that you're using the correct key type (live vs. test)

No findings detected

• This may indicate strong defenses — review the scan report for details
• Try a more targeted profile (e.g., prompt-injection) for deeper testing
• Ensure the endpoint is returning actual LLM responses (not cached or static)
• Increase concurrency for more comprehensive probing