Agentic AI Framework for Web Vulnerability Detection, Mitigation and Patching
| dc.contributor.author | Gisselblad Seibt , Hanna | |
| dc.contributor.author | Shasawar, Pawan | |
| dc.contributor.department | Chalmers tekniska högskola / Institutionen för data och informationsteknik | sv |
| dc.contributor.department | Chalmers University of Technology / Department of Computer Science and Engineering | en |
| dc.contributor.examiner | Dahlstedt, Palle | |
| dc.contributor.supervisor | Eriksson, Thommy | |
| dc.date.accessioned | 2026-07-08T13:17:11Z | |
| dc.date.issued | 2026 | |
| dc.date.submitted | ||
| dc.description.abstract | Modern web applications expose increasingly complex attack surfaces, and existing security automation is still most effective at producing candidate findings rather than reviewable repairs. Static and dynamic analysis tools can identify possible weaknesses at scale, but the path from a finding to a validated, scoped, and review ready patch remains weakly automated and difficult to inspect. This thesis investigates whether a multi-stage agentic AI workflow can improve web vulnerability detection, mitigation, and patch delivery in white-box repository settings. To examine this question, the proposed framework decomposes security review into stages for discovery, triage, analysis, mitigation, verification, and delivery. Each stage produces structured artifacts that are consumed by later stages, making the workflow more inspectable than a single end-to-end repair agent. The design emphasizes repository-grounded evidence, explicit repair hypotheses, independent verification, and reviewer-oriented delivery units. The evaluation combines issue-level repair experiments with repository case studies. On the PatchEval runtime-validated subset of 230 vulnerability-repair tasks, the multi-stage workflow achieves 78 successful repairs, compared with 73 for a matched single-agent baseline under the same model. This improvement is modest and requires higher token use and cost, but case-level analysis suggests that staging can influence repair strategy by clarifying vulnerability boundaries and providing independent feedback on patch completeness. In repository case studies, agentic discovery and triage cover more answer-key vulnerabilities than CodeQL, Semgrep, and OWASP ZAP, especially for issues that require cross-file or design-level reasoning. The workflow also improves reviewability by organizing patches and reports into structured delivery units. Overall, the results indicate that the main value of multi-stage orchestration is not a large increase in repair success, but a more inspectable and controllable security review process. The workflow records repository evidence, analysis assumptions, verification results, and delivery boundaries, helping reviewers understand why a vulnerability was found, how it was analyzed, whether the patch addresses the issue, and how the repair should be reviewed. These benefits remain constrained by model capability and cost. | |
| dc.identifier.coursecode | DATX05 | |
| dc.identifier.uri | https://hdl.handle.net/20.500.12380/311952 | |
| dc.language.iso | eng | |
| dc.setspec.uppsok | Technology | |
| dc.subject | Attack Mitigation, Vulnerability Detection, Code Analysis, Cybersecu rity, Artificial Intelligence | |
| dc.title | Agentic AI Framework for Web Vulnerability Detection, Mitigation and Patching | |
| dc.type.degree | Examensarbete för masterexamen | sv |
| dc.type.degree | Master's Thesis | en |
| dc.type.uppsok | H | |
| local.programme | Interaction design and technologies (MPIDE), MSc |
