Automated penetration testing (also known as autonomous penetration testing or automated offensive security) is the application of software-driven workflows and orchestration to simulate cyberattack techniques. These methods are used to identify, validate, and exploit security vulnerabilities in IT assets such as networks, applications, and cloud infrastructure. Automated penetration testing is the use of software to simulate cyberattacks in order to rapidly identify exploitable vulnerabilities across systems without relying solely on human testers. In technical literature, the term describes a spectrum of activities ranging from scripted exploit orchestration to experimental systems designed for fully autonomous attack planning. Automated Penetration Testing falls short of testing using manual experts in terms of discovery of deep complex vulnerabilities and contextual business logic vulnerabilities. == Terminology and scope == The label “automated penetration testing” appears frequently in vendor and practitioner writing but lacks a single, neutral, standards-based definition. In the literature the term’s scope varies: some authors use it to mean automation of specific penetration-testing tasks (scanning, exploitation attempts, evidence collection), others to describe integrated, repeatable assessment pipelines, and a smaller body of work investigates autonomous decision-making agents that select attack steps algorithmically. To avoid implying consensus, this article describes common techniques and architectures reported in the literature and industry, and it notes where claims are primarily found in practitioner publications or early-stage research. Its important to note the differences between automated penetration testing and traditional penetration testing using human skill. The most important difference is scope and speed. Automated penetration testing generally fails at discovering exposures and weakness associated with business logic due to a lack of contextual understanding. The benefit of Automated Penetration testing is speed at which it can be conducted. Traditional penetration testing also is expected to be accurate and contain no false positives. This is due to the human validation aspect of the test. Automated approaches are expected to contain mistakes and false positives which need to be validated upon completion of the test. == History == Automated offensive techniques build on decades of tools and scripting that aided vulnerability discovery and exploitation. Early vulnerability scanners and community scripting in the 1990s and 2000s created the first layers of automation. Later, modular exploitation frameworks (notably Metasploit) integrated scanning and exploitation modules and made automated proof-of-concept attacks more accessible. Over the 2010s–2020s, as cloud platforms, APIs and continuous delivery practices increased the need for frequent validation, academic and industry interest in formalizing automated approaches also grew. == Methodologies and architectures == Descriptions in the literature and technical reports cluster automated capabilities into several overlapping models: Scripted/engineered playbooks (task automation): Predefined workflows or playbooks encode common attack paths (for example, web application exploit sequences or lateral-movement chains). These playbooks are designed to reproduce known techniques in a controlled way to validate exploitability and reduce manual repetition. Exploit-oriented orchestration: Automation orchestrates exploitation modules from established frameworks to perform controlled proof-of-concept attacks that confirm exploitability rather than simply flagging potential weaknesses. This approach can reduce false positives versus passive scanning when tests are run in an appropriately controlled environment. Orchestrated multi-tool pipelines: A coordinated toolchain integrates reconnaissance, vulnerability scanning, credential testing, exploitation modules and reporting. Data and state persist across stages so that multi-step workflows (e.g., discover → escalate → pivot) can be executed repeatably, approximating manual penetration-test methodologies at larger scale. Continuous / CI-integrated testing: Automation embedded in build or deployment pipelines (CI/CD) triggers assessments automatically on new builds, configuration changes, or on a schedule, supporting frequent, repeatable validation aligned with DevOps practices. Academic theses and experimental work describe CI/CD-integrated proof-of-concept systems for web applications and internal networks. Research on autonomous planning and learning: Recent academic work explores machine learning and reinforcement-learning approaches to select or prioritise attack steps, generate attack sequences, or optimize the testing path; these approaches are largely experimental and raise distinct validation and safety questions. == Tools and vendors == Automated penetration testing is provided by a mix of open-source projects, commercial platforms, and professional services. These often follow the penetration testing as a service (PTaaS) model, which integrates automated scanning with manual validation by security analysts. Examples of widely known tools and vendors in the space include exploitation frameworks such as Metasploit, commercial automated platforms and PTaaS providers, and specialist vendors that offer breach-and-attack simulation (BAS) or continuous testing capabilities. == Applications and deployment models == In industry practice, some organizations deploy automated techniques through dedicated security validation platforms rather than bespoke toolchains. These platforms are typically used for continuous or scheduled validation in pre-production or controlled environments and are often positioned alongside, rather than in place of, human-led penetration testing. Examples discussed in secondary literature include platforms such as Pentera, which are commonly classified under breach-and-attack simulation or automated security validation rather than as standalone penetration-testing methodologies.
Identi.ca
identi.ca is a free and open-source social networking and blogging service based on the pump.io software, using the Activity Streams protocol. Identi.ca stopped accepting new registrations in 2013, but continues to operate alongside several other pump.io-based hosts provided by E14N which continue to accept new registrations. == Features == Identi.ca is similar to social networking sites like Facebook and Google+, allowing unlimited length status updates, rich text, and images. The Activity Streams protocol supports many kinds of activities such as games. OpenFarmGame is a prototype application for an Activity Streams-based game. Previous features from its StatusNet version such as hashtags, groups, and global search are not supported. == History == === StatusNet === The service received more than 8,000 registrations and 19,000 updates within the first 24 hours of publicly launching on July 2, 2008, and reached its 1,000,000th notice on November 4, 2008. In January 2009, identi.ca received investment funds from venture capital group Montreal Start Up. On March 30, 2009, Control Yourself (since renamed StatusNet Inc) announced that Identi.ca was to become part of a hosted microblogging service called status.net to be launched in May 2009. Status.net offers individual microblogs under a subdomain to be chosen by the customer. Identi.ca will remain a free service. All notices will be published under the Creative Commons Attribution 3.0 license by default, but paying customers will be free to choose a different license. Formerly based on StatusNet, a micro-blogging software package built on the OStatus specification (and earlier based on the OpenMicroBlogging specification), Identi.ca allowed users to send text updates (known as "notices") up to 140 characters long. While similar to Twitter in both concept and operation, Identi.ca/StatusNet provided many features not currently implemented by Twitter, including XMPP support and personal tag clouds. In addition, Identi.ca/StatusNet allowed free export and exchange of personal and "friend" data based on the FOAF standard; therefore, notices could be fed into a Twitter account or other service, and also ported in to a private system similar to Yammer. === pump.io === Developer Evan Prodromou chose to change the site to the pump.io software platform in development, because pump.io offers more features making it technically more advanced. Registration on Identi.ca was closed in December 2012 in preparation for the switch to pump.io software (the popularity of Identi.ca and "official" Status.net hosting were considered a hindrance to the creation of a federated social network). The conversion was completed on 12 July 2013. The 140 character per post limit was removed (in StatusNet, it was a setting, not an inherent limitation); now the blog posts can contain formatting and images. Groups, hashtags, and a page listing popular posts are not yet implemented in pump.io.
Imageability
Imageability is a measure of how easily a physical object, word or environment will evoke a clear mental image in the mind of any person observing it. It is used in architecture and city planning, in psycholinguistics, and in automated computer vision research. In automated image recognition, training models to connect images with concepts that have low imageability can lead to biased and harmful results. == History and components == Kevin A. Lynch first introduced the term, "imageability" in his 1960 book, The Image of the City. In the book, Lynch argues cities contain a key set of physical elements that people use to understand the environment, orient themselves inside of it, and assign it meaning. Lynch argues the five key elements that impact the imageability of a city are Paths, Edges, Districts, Nodes, and Landmarks. Paths: channels in which people travel. Examples: streets, sidewalks, trails, canals, railroads. Edges: objects that form boundaries around space. Examples: walls, buildings, shoreline, curbstone, streets, and overpasses. Districts: medium to large areas people can enter into and out of that have a common set of identifiable characteristics. Nodes: large areas people can enter, that serve as the foci of the city, neighborhood, district, etc. Landmarks: memorable points of reference people cannot enter into. Examples: signs, mountains and public art. In 1914, half a century before The Image of the City was published, Paul Stern discussed a concept similar to imageability in the context of art. Stern, in Susan Langer's Reflections on Art, names the attribute that describes how vividly and intensely an artistic object could be experienced apparency. == In computer vision == Automated image recognition was developed by using machine learning to find patterns in large, annotated datasets of photographs, like ImageNet. Images in ImageNet are labelled using concepts in WordNet. Concepts that are easily expressed verbally, like "early", are seen as less "imageable" than nouns referring to physical objects like "leaf". Training AI models to associate concepts with low imageability with specific images can lead to problematic bias in image recognition algorithms. This has particularly been critiqued as it relates to the "person" category of WordNet and therefore also ImageNet. Trevor Pagan and Kate Crawford demonstrated in their essay "Excavating AI" and their art project ImageNet Roulette how this leads to photos of ordinary people being labelled by AI systems as "terrorists" or "sex offenders". Images in datasets are often labelled as having a certain level of imageability. As described by Kaiyu Yang, Fei-Fei Li and co-authors, this is often done following criteria from Allan Paivio and collaborators' 1968 psycholinguistic study of nouns. Yang el.al. write that dataset annotators tasked with labelling imageability "see a list of words and rate each word on a 1-7 scale from 'low imagery' to 'high imagery'. To avoid biased or harmful image recognition and image generation, Yang et.al. recommend not training vision recognition models on concepts with low imageability, especially when the concepts are offensive (such as sexual or racial slurs) or sensitive (their examples for this category include "orphan", "separatist", "Anglo-Saxon" and "crossover voter"). Even "safe" concepts with low imageability, like "great-niece" or "vegetarian" can lead to misleading results and should be avoided.
Generative AI Copyright Disclosure Act
The Generative AI Copyright Disclosure Act is a piece of legislation introduced by California Representative Adam Schiff in the United States Congress on April 9, 2024. It concerns the transparency of companies regarding their use of copyrighted work to train their generative artificial intelligence (AI) models. The legislation requires the submission of a notice regarding the identity and the uniform resource locator (URL) address of the copyrighted works used in the training data to the Register of Copyrights at least 30 days before the public release of the new or updated version of the AI model; it does not ban the use of copyrighted works for AI training. The bill's requirements would apply retroactively to prior AI models. Violation penalties would start at US$5,000. The legislation does not have a maximum penalty assessment that can be charged. The bill by Schiff was introduced a few days after The New York Times published an article regarding the business activities of major tech firms, including Google and Meta, in the training of their generative AI platforms on April 6, 2024. The legislation is supported by the Professional Photographers of America (PPA), SAG-AFTRA, the Writers Guild of America, the International Alliance of Theatrical Stage Employees (IATSE), the Recording Industry Association of America (RIAA), and others.
Qualification problem
In philosophy and AI (especially, knowledge-based systems), the qualification problem is concerned with the impossibility of listing all the preconditions required for a real-world action to have its intended effect. It might be posed as how to deal with the things that prevent me from achieving my intended result. It is strongly connected to, and opposite the ramification side of, the frame problem. John McCarthy gives the following motivating example, in which it is impossible to enumerate all the circumstances that may prevent a robot from performing its ordinary function: [T]he successful use of a boat to cross a river requires, if the boat is a rowboat, that the oars and rowlocks be present and unbroken, and that they fit each other. Many other qualifications can be added, making the rules for using a rowboat almost impossible to apply, and yet anyone will still be able to think of additional requirements not yet stated.
Character computing
Character computing is a trans-disciplinary field of research at the intersection of computer science and psychology. It is any computing that incorporates the human character within its context. Character is defined as all features or characteristics defining an individual and guiding their behavior in a specific situation. It consists of stable trait markers (e.g., personality, background, history, socio-economic embeddings, culture,...) and variable state markers (emotions, health, cognitive state, ...). Character computing aims at providing a holistic psychologically driven model of human behavior. It models and predicts behavior based on the relationships between a situation and character. Three main research modules fall under the umbrella of character computing: character sensing and profiling, character-aware adaptive systems, and artificial characters. == Overview == Character computing can be viewed as an extension of the well-established field of affective computing. Based on the foundations of the different psychology branches, it advocates defining behavior as a compound attribute that is not driven by either personality, emotions, situation or cognition alone. It rather defines behavior as a function of everything that makes up an individual i.e., their character and the situation they are in. Affective computing aims at allowing machines to understand and translate the non-verbal cues of individuals into affect. Accordingly, character computing aims at understanding the character attributes of an individual and the situation to translate it to predicted behavior, and vice versa. ''In practical terms, depending on the application context, character computing is a branch of research that deals with the design of systems and interfaces that can observe, sense, predict, adapt to, affect, understand, or simulate the following: character based on behavior and situation, behavior based on character and situation, or situation based on character and behavior.'' The Character-Behavior-Situation (CBS) triad is at the core of character computing and defines each of the three edges based on the other two. Character computing relies on simultaneous development from a computational and psychological perspective and is intended to be used by researchers in both fields. Its main concept is aligning the computational model of character computing with empirical results from in-lab and in-the-wild psychology experiments. The model is to be continuously built and validated through the emergence of new data. Similar to affective and personality computing, the model is to be used as a base for different applications towards improving user experience. == History == Character computing as such was first coined in its first workshop in 2017. Since then it has had 3 international workshops and numerous publications. Despite its young age, it has already drawn some interest in the research community, leading to the publication of the first book under the same title in early 2020 published by Springer Nature. Research that can be categorized under the field dates much older than 2017. The notion of combining several factors towards the explanation of behavior or traits and states has long been investigated in both Psychology and Computer Science, for example. == Character == The word character originates from the Greek word meaning “stamping tool”, referring to distinctive features and traits. Over the years it has been given many different connotations, like the moral character in philosophy, the temperament in psychology, a person in literature or an avatar in various virtual worlds, including video games. According to character computing character is a unification of all the previous definitions, by referring back to the original meaning of the word. Character is defined as the holistic concept representing all interacting trait and state markers that distinguish an individual. Traits are characteristics that mainly remain stable over time. Traits include personality, affect, socio-demographics, and general health. States are characteristics that vary in short periods of time. They include emotions, well-being, health, cognitive state. Each characteristic has many representation methods and psychological models. The different models can be combined or one model can be preset for each characteristic. This depends on the use-case and the design choices. == Areas == Research into character computing can be divided into three areas, which complement each other but can each be investigated separately. The first area is sensing and predicting character states and traits or ensuing behavior. The second area is adapting applications to certain character states or traits and the behavior they predict. It also deals with trying to change or monitor such behavior. The final area deals with creating artificial agents e.g., chatbots or virtual reality avatars that exhibit certain characteristics. The three areas are investigated separately and build on existing findings in the literature. The results of each of the three areas can also be used as a stepping stone for the next area. Each of the three areas has already been investigated on its own in different research fields with focus on different subsets of character. For example, affective computing and personality computing both cover different areas with a focus on some character components without the others to account for human behavior. == The Character-Behavior-Situation triad == Character computing is based on a holistic psychologically driven model of human behavior. Human behavior is modeled and predicted based on the relationships between a situation and a human's character. To further define character in a more formal or holistic manner, we represent it in light of the Character–Behavior–Situation triad. This highlights that character not only determines who we are but how we are, i.e., how we behave. The triad investigated in Personality Psychology is extended through character computing to the Character–Behavior–Situation triad. Any member of the CBS triad is a function of the two other members, e.g., given the situation and personality, the behavior can be predicted. Each of the components in the triad can be further decomposed into smaller units and features that may best represent the human's behavior or character in a particular situation. Character is thus behind a person's behavior in any given situation. While this is a causality relation, the correlation between the three components is often more easily used to predict the components that are most difficult to measure from those measured more easily. There are infinitely many components to include in the representation of any of C, B, and S. The challenge is always to choose the smallest subset needed for prediction of a person's behavior in a particular situation.
Versata
Versata is a privately held software company, one of several business units under the ESW Capital umbrella. Versata acquires underperforming or financially struggling enterprise software companies, integrates them into their portfolio, and makes operational changes to improve the viability and performance of the companies. == History == === Early years (1991–2000) === This company was founded in 1991 with the name Image Innovations; Naren Bakshi was co-founder and president, Kevin Fletcher Tweedy was vice president of technology, and they sold a development tool set named Image Application WorkBench that worked with Plexus Software's imaging platform. In 1997, the company name changed to Vision Software. They sold a small suite of software: Vision Builder for accelerated coding; and Vision StoryBoard Pro for creating software documentation. In 1998, their flagship product was a Java development tool named Vision JADE. In January 2000, the company changed names again, this time to Versata, and their e-business automation system, Versata Logic Suite, had three components: Versata Logic Server to host business rules written in Java, Versata Studio for developing the business rules, and Versata Connectors for connecting the logic server to IBM database servers. === Public company (2000–2006) === They went public in March 2000 during the dot-com bubble, raising about $94 million and reaching a market capitalization of over $2.5 billion despite reporting just $13 million in revenue and a $21 million loss in the prior year. In November 2000, Versata expanded into the business workflow area with the acquisition of Verve, Inc. and its workflow management system by the same name. From early 2001 through mid-2003, Versata's revenues were in quarter-over-quarter decline until Alan Baratz took over as CEO. Five consecutive quarters of growth followed until early 2005, when revenues once again took a downward plunge. In mid-2005, the company was notified by NASDAQ that it no longer met NASDAQ's requirements for continued listing, related to maintenance of a minimum amount of shareholder's equity, market value, or net income. In July 2005, Versata was delisted from NASDAQ and publicly traded on the OTC (also known as the Pink Sheets). == Versata, a business unit of ESW Capital == In January 2006, Austin-based Trilogy, Inc. acquired the company and took it private. Trilogy then proceeded to merge portions of Trilogy, specifically, Trilogy Technology Group, into Versata and began acquiring further companies, reorganizing dramatically and offshoring most technical positions to its office in Bangalore, India. From 2006 to 2008, Versata continued to make acquisitions mostly in US. Most of the employees in the acquired companies were laid -off with the majority work being offshored to its India office in Bangalore. In early 2009, Versata made another major overhaul of its business model when it asked all its employees in India to work as contractors through oDesk for a gDev which is an entity incorporated by Trilogy to manage its outsourcing activities. The only employees left in Versata were the ones in US. == Acquisitions == a Corizon was acquired by Metatomix, while Metatomix was part of Versata. b Infopia was acquired by Everest Software, while Everest Software was part of Versata. c Symphony Commerce was acquired by Quantum Retail, while Quantum Retail was part of Versata. == Legal disputes == === Patent infringement and "poison pill" lawsuits with Selectica === The legal disputes with Selectica began in 2004 (before Trilogy acquired Versata in January 2006) and lasted until 2010. While there were many suits and counter-suits, they largely centered around three issues: 2004–2006: Patent infringement in configure, price, and quote (CPQ) software 2005–2007: Patent infringement in contract lifecycle management (CLM) software 2008–2010: The "poison pill" lawsuit In 2004, Selectica and Trilogy had competing CPQ software: Selectica sold Solutions Advisor and Deal Optimization, while Trilogy sold Selling Chain. In April of that year, Trilogy Software sued Selectica for patent infringement. In 2005, before the court ruling, Trilogy made several offers to buy Selectica, but the board rejected them. In January 2006, the court ordered Selectica to pay Trilogy $7.5 million in damages. Four days after the January 2006 judgment in the first lawsuit, Trilogy announced its acquisition of Versata for an undisclosed amount. In 2005, Selectica had acquired the Determine CLM software platform, which included features that overlapped with some offered by Versata. In October 2006, Versata filed a second patent infringement lawsuit. The case was settled in 2007, with Selectica agreeing to pay Trilogy and Versata $10 million, plus up to $7.5 million in additional contingent payments. In 2008, Versata began acquiring Selectica stock. By December, Selectica's board amended its shareholder rights plan to adopt a "poison pill" with an unusually low trigger threshold: if any shareholder acquired more than 4.99% of company stock, their ownership would be diluted. The board explained that the move was meant to protect Selectica's net operating losses (NOLs), which were tax-deductible if the company returned to profitability. Under IRS Section 382, a significant change in stock ownership could cause those NOLs to be disqualified. Versata intentionally triggered the poison pill and also offered to sell back the stocks at a profit (greenmailing them), which prompted a legal dispute over whether Selectica's board had the authority to set such a low threshold and whether defending NOLs justified triggering shareholder dilution. The case ultimately reached the Delaware Supreme Court, which upheld the poison pill in October 2010, ruling in favor of Selectica. === Intellectual property lawsuit over joint development with Sun Microsystems === In 1998, Sun Microsystems hired Trilogy to help Sun's developers in California create a software configurator (later named the WC5 Configurator) that Sun's customers could use to modify products they wanted to buy, customizing products to have the features they wanted. Trilogy worked on the WC5 Configurator for several years, then Sun transferred the work to Oracle to finish. Trilogy believed that they owned the copyright to the work they'd done for Sun, and in 2006 after the merger with Versata they sued Sun for more than $100 million in damages. In April 2009, a jury ruled in favor of Sun and rejected Versata's claims. === Patent lawsuit and ruling on patents of abstract ideas with SAP === SAP developed Pricing Engine, a component in their enterprise resource planning (ERP) system. It competed with an older Trilogy product called Pricer, which was part of Trilogy's Selling Chain platform in the mid-1990s before they merged with Versata. In April 2007—the year after Trilogy acquired Versata—Versata filed a lawsuit against SAP for patent infringement. In August 2009, the jury agreed with Versata and awarded them $139 million. The court granted a new trial on damages and in September 2011, in the retrial, the jury awarded Versata $345 million. This then went to the US Court of Appeals, which in May 2013 affirmed the $345 million damages award, plus interest that had accumulated. In October 2014, Versata and SAP settled their litigation for an undisclosed amount of money. With the dispute between Versata and SAP settled, in June 2013 the Patent Trial and Appeal Board (PTAB) reviewed the validity of the patent itself, and issued a decision in a Covered Business Method (CBM) review, stating that the disputed items were abstract ideas and thus under the US patent law not patentable. In July 2015, the Federal Circuit agreed with PTAB's decision that the challenged items were not patentable. === Trade secrets and damages dispute with Internet Brands === Internet Brands was formerly known as CarsDirect and AutoData Solutions. Like Trilogy, they made software for automakers that helped customers compare vehicles online. In the late 1990s, Trilogy and Internet Brands tried to combine their products but failed to do so, and after a December 1999 lawsuit they made a settlement agreement in May 2001. In 2008, Versata sued Internet Brands claiming they had violated the settlement agreement by making presentations to potential clients stating they had a license from Versata to use and sell Versata technical solutions; and doing so had cost Versata business with Chrysler. Internet Brands' countersuit argued that Versata had misappropriated trade secrets and asked the jury to use Versata's business relationship with Toyota—including revenue from Toyota contracts—as a benchmark to calculate damages. The jury agreed and used that data to determine a $2 million damages award in favor of Internet Brands’ subsidiary, AutoData Solutions. Versata appealed the decision, and in January 2014 the court upheld the $2 million award to Internet Brands. === Patent challenges a