AutoWAFuzzer: An Adaptive Framework for Web Application Firewall Penetration Testing with Multi-agent System and RAG-enabled Reinforcement Learning

RESEARCH CREW
15:57 20/04/2026

Web Application Firewalls (WAFs) are crucial in mitigating web-based threats such as SQLi and XSS, yet the evolving complexity of WAF detection mechanisms poses significant challenges for penetration testing (pentest) tools. Existing ML- and RL-based fuzzers often suffer from three main limitations: (1) reliance on static training datasets, making them unflexible to new WAF rules; (2) monolithic single-agent architectures, which hinder diverse strategy exploration; and (3) lack of contextual awareness due to missing integration with real-world threat intelligence. To address these challenges, we propose AutoWAFuzzer, an adaptive multi-agent framework that integrates Large Language Models (LLM), Reinforcement Learning (RL), and Retrieval-Augmented Generation (RAG). AutoWAFuzzer decomposes the testing process into modular agents: a generative LLM agent, an RL-based policy optimizer, a Reward Model agent simulating WAF feedback, and a RAG agent that continuously retrieves threat context from structured sources like MISP. This design enables parallel strategy exploration, semantic conditioning of payloads, and continuous policy refinement in a closed feedback loop. Experimental evaluations across rule-based and ML-based WAFs—including ModSecurity, Naxsi, WAF-Brain, and CloudGuard—demonstrate that AutoWAFuzzer significantly outperforms prior approaches in bypass rate, adaptability, and generalization, advancing the state-of-the-art in automated WAF penetration testing.

TIN LIÊN QUAN
Despite the dominance of Transformer-based models in software vulnerability detection, the extent to which their learned security logic generalizes across different programming languages remains a critical open question. To address this, we propose a comprehensive evaluation framework organized into three phases spanning five distinct experimental scenarios, aiming to rigorously dissect...
Security testing of REST APIs remains difficult because real-world OpenAPI specifications are often incomplete, many security flaws are inherently stateful, and prevailing stateful fuzzers still optimize primarily for structural exploration rather than OWASP-aligned risk categories. Based on this gap, this paper presents APIGFUZZ, a graph-driven, OWASP-aware black-box REST API fuzzing...