
Flowmapper uses an AI browser agent to navigate your target website and uncover endpoints that traditional crawling misses. The agent interacts with the site like a real user: clicking links, filling and submitting forms, and following multi-step flows to build a fuller map of your application’s attack surface. It is integrated into the Website Scanner and runs alongside the standard spider.

How it works

When Flowmapper is enabled, it runs as a parallel process during the spidering phase of a Website Scanner scan.

1. Spider starts. The Website Scanner begins its standard crawl against the target URL.

2. The AI agent launches in parallel. A planner agent analyzes the current page and breaks it into specific user journeys to explore, such as submitting a form or moving through a checkout flow. Worker browser agents then carry out those tasks in a real browser.

3. Requests are captured. As the agents browse, every HTTP request and response is recorded, including URLs, methods, headers, and status codes.

4. Endpoints feed back into the scanner. Discovered endpoints are filtered for scope and validity, then added to the spider's queue. The scanner tests them for vulnerabilities like any other discovered page.

The agent runs for up to half the scan's maximum time. For a scan with a 60-minute limit, Flowmapper runs for up to 30 minutes.

What it discovers

Flowmapper is effective at finding endpoints that traditional spiders struggle with:

JavaScript-driven navigation

Pages and routes rendered entirely by client-side JavaScript frameworks

Interactive workflows

Multi-step flows that require clicking buttons, expanding menus, or filling forms

Dynamic content

Content loaded via AJAX requests or single-page application routing

Hidden functionality

Endpoints reached only by submitting a form or completing a user flow

Each discovered endpoint record includes its URL and HTTP method, the request headers sent during the interaction, the response status code, and POST data when applicable.
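As an added illustration of steps 3 and 4 above and of the endpoint record just described (example code written for this page, not Pentest-Tools' implementation), the following Python models the capture-and-filter stage: captured request/response pairs are checked for scope and validity, deduplicated down to one entry per endpoint, and turned into queue entries carrying the fields listed above. It also stops at the first bot-protection challenge page, the early-exit case covered later on this page. The sample traffic, the exact-host scope rule, the dedup key, and the challenge-page heuristics are all assumptions.

```python
from dataclasses import dataclass, field
from typing import Optional
from urllib.parse import parse_qsl, urlsplit, urlunsplit


@dataclass
class Captured:
    """One request/response pair recorded while a worker agent browsed."""
    method: str
    url: str
    status: int                      # 0 models a request that never got a response
    request_headers: dict = field(default_factory=dict)
    response_headers: dict = field(default_factory=dict)
    post_data: Optional[str] = None
    body_snippet: str = ""           # start of the response body, for challenge detection


# Constructed sample traffic from an imagined checkout walk; not a real capture.
SAMPLE_TRAFFIC = [
    Captured("GET", "https://shop.example.com/", 200, {"User-Agent": "flowmapper-demo"}),
    Captured("GET", "https://shop.example.com/api/cart?session=abc", 200,
             {"Accept": "application/json"}),
    Captured("POST", "https://shop.example.com/api/cart/add", 201,
             {"Content-Type": "application/x-www-form-urlencoded"},
             post_data="sku=123&qty=1"),
    Captured("GET", "https://cdn.example.net/app.js", 200),                 # out of scope
    Captured("GET", "https://shop.example.com/api/cart?session=def", 200),  # same endpoint, new value
    Captured("GET", "https://shop.example.com/checkout#step2", 200),        # fragment is client-side only
    Captured("GET", "https://shop.example.com/broken", 0),                  # connection reset, no response
    Captured("GET", "https://shop.example.com/admin", 403,
             response_headers={"CF-Mitigated": "challenge"},
             body_snippet='<script src="https://challenges.cloudflare.com/turnstile/v0/api.js">'),
    Captured("GET", "https://shop.example.com/orders", 200),                # never reached: agent stopped
]

# Assumed heuristics: markers found in common challenge pages. Cloudflare additionally
# sets the "cf-mitigated: challenge" response header on its challenge pages.
CHALLENGE_MARKERS = (
    "challenges.cloudflare.com/turnstile",  # Cloudflare Turnstile widget
    "arkoselabs.com",                       # Arkose Labs enforcement
    "g-recaptcha",                          # Google reCAPTCHA widget
)


def _lower_keys(headers: dict) -> dict:
    return {k.lower(): v for k, v in headers.items()}


def looks_like_challenge(rec: Captured) -> bool:
    """True when the response is a bot-protection challenge rather than the application."""
    if _lower_keys(rec.response_headers).get("cf-mitigated", "").lower() == "challenge":
        return True
    body = rec.body_snippet.lower()
    return any(marker in body for marker in CHALLENGE_MARKERS)


def in_scope(url: str, scope_host: str) -> bool:
    """Assumed scope rule: same host as the target, http(s) only."""
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https"):
        return False  # data:, blob: and javascript: URLs are not testable endpoints
    return (parts.hostname or "").lower() == scope_host.lower()


def is_valid(rec: Captured) -> bool:
    """Drop requests that never produced an HTTP response."""
    return 100 <= rec.status <= 599


def endpoint_key(rec: Captured) -> tuple:
    """Identity of an endpoint: method, origin, path and the set of query parameter names.
    Parameter values (session ids, nonces) vary per visit and are not part of the key."""
    p = urlsplit(rec.url)
    names = tuple(sorted(k for k, _ in parse_qsl(p.query, keep_blank_values=True)))
    return (rec.method.upper(), p.scheme, (p.hostname or "").lower(), p.path or "/", names)


def build_queue(traffic, scope_host):
    """Filter captured traffic into spider-queue entries.

    Returns (entries, stopped_early). Processing stops at the first challenge
    page, mirroring the documented fallback to the traditional spider."""
    entries, seen, stopped_early = [], set(), False
    for rec in traffic:
        if looks_like_challenge(rec):
            stopped_early = True
            break
        if not is_valid(rec) or not in_scope(rec.url, scope_host):
            continue
        key = endpoint_key(rec)
        if key in seen:
            continue
        seen.add(key)
        p = urlsplit(rec.url)
        entries.append({
            "method": rec.method.upper(),
            "url": urlunsplit((p.scheme, p.netloc, p.path, p.query, "")),  # fragment dropped
            "request_headers": dict(rec.request_headers),
            "status": rec.status,
            "post_data": rec.post_data,
        })
    return entries, stopped_early


if __name__ == "__main__":
    queue, stopped = build_queue(SAMPLE_TRAFFIC, "shop.example.com")
    for e in queue:
        print(e["method"], e["url"], e["status"], e["post_data"] or "")
    print("stopped early on a challenge page:", stopped)
```

Run as a script, it prints the four queue entries that survive filtering (the CDN script is out of scope, the second cart request collapses into the first, the fragment is stripped, the failed request is dropped) and reports that the walk stopped at the challenge page; everything after that point is left for the traditional spider.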

Enabling Flowmapper

Flowmapper has no per-scan switch. Enable it once under Account > AI > Flowmapper, and it then runs during every Website Scanner scan that includes the spider. Because the agent fills and submits forms on the target, make sure that kind of interaction is covered by your authorization for a target before turning it on.

Flowmapper is a paid AI feature. The toggle is managed by the organization owner and gated by your plan.

Confirming it ran

When Flowmapper runs during a scan, it adds a test entry to the scan results:

Performed Flowmapping

This confirms the feature ran and contributed to the crawling phase.

How it complements traditional spidering

The AI agent and the traditional spider run concurrently, each contributing endpoints to the same scanning pipeline.
Approach | Strengths | Limitations
Traditional spider | Fast, efficient for static sites, handles large volumes of pages | Misses JavaScript-rendered content and interactive flows
AI browser agent | Navigates dynamic content, interacts with UI elements, completes multi-step flows | Slower due to real browser interaction, limited by the timeout

Together they cover more endpoints than either method alone. Endpoints discovered by the agent go through the same vulnerability testing as traditionally spidered pages.

When Flowmapper stops early

If the agent hits bot protection or a challenge page (for example Cloudflare Turnstile, Arkose, or a generic CAPTCHA), it stops and the scan continues with the traditional spider. The same is true if the agent times out or fails for another reason: Flowmapper never blocks the rest of the scan.

AI data handling

The Flowmapper browser agent sends the target site's content to a large language model to decide what to do next. The model is currently Google's Gemini, served through OpenRouter, a third-party AI provider. Only the target website's content is processed, and agent telemetry is disabled. Plan scans of sensitive targets with this in mind: any page the agent reads, including responses to forms it submits, reaches that provider. For the full details on processors, retention, and training, see our AI Data Policy.