Comparing Test Types

Understand the differences between CodeWall's test types and when to use each.

CodeWall supports several test types optimized for different targets and objectives.

Test type comparison

| Feature | Web Application | Web API | MCP Server Security | LLM App / Chatbot |
|---|---|---|---|---|
| Target | Browser-accessible sites | REST/GraphQL endpoints | MCP tool servers | LLM chat/completion APIs |
| Reconnaissance | Crawling, form discovery, sitemap parsing | Endpoint enumeration, schema analysis | Tool enumeration, schema analysis | Endpoint probing, format detection |
| Authentication testing | Login flows, session management, MFA bypass | API keys, OAuth, JWT validation | Tool-level auth probing | N/A |
| Injection testing | XSS, SQLi, command injection via forms | SQLi, NoSQLi, command injection via params | SQLi, command injection, path traversal, SSRF via tool params | Prompt injection (direct and indirect) |
| Access control | Privilege escalation, IDOR via UI | BOLA/IDOR, broken function-level auth | Unauthorized tool access | System prompt extraction, data exfiltration |
| Best for | Customer-facing apps, internal portals | Microservices, mobile backends | AI tool integrations, agent pipelines | Chatbots, AI assistants, LLM wrappers |

When to use each

Web Application

Use when your target has a browser interface with login pages, forms, and navigation. CodeWall will crawl the application like a user would, testing every interaction point.

Web API

Use when your target exposes API endpoints directly. Provide an OpenAPI/Swagger spec if available — this dramatically improves coverage. Ideal for headless services and microservice architectures.

MCP Server Security

Use when your target exposes tools via the Model Context Protocol. CodeWall will enumerate all tools, analyse their input schemas, and test each parameter for injection and access control issues.
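
To see the surface this kind of schema analysis works from, the following added example (not CodeWall's code or output) inventories the parameters in an MCP `tools/list` result and marks those whose JSON Schema leaves the submitted content unrestricted, which are the ones to review and tighten on your own server. The tool names and the sample response are constructed.

```python
import json

# Constructed sample of an MCP `tools/list` result; tool names are hypothetical.
SAMPLE = json.loads("""
{"tools": [
  {"name": "read_file", "inputSchema": {"type": "object",
    "properties": {"path": {"type": "string"}},
    "required": ["path"], "additionalProperties": false}},
  {"name": "fetch_url", "inputSchema": {"type": "object",
    "properties": {"url": {"type": "string", "format": "uri"},
                   "timeout": {"type": "integer", "minimum": 1, "maximum": 30}}}},
  {"name": "query_orders", "inputSchema": {"type": "object",
    "properties": {"status": {"type": "string", "enum": ["open", "closed"]},
                   "filter": {"type": "string", "maxLength": 64}},
    "additionalProperties": false}}
]}
""")

# Keywords that pin a string to a known set or shape. "format" and "maxLength"
# are left out on purpose: a well-formed URI or a short string can still carry
# hostile input to the tool's backend.
CONTENT_CONSTRAINTS = ("enum", "const", "pattern")


def inventory(tools_list):
    """One row per declared parameter, plus a '*' row when extras are accepted."""
    rows = []
    for tool in tools_list.get("tools", []):
        schema = tool.get("inputSchema") or {}
        for param, spec in (schema.get("properties") or {}).items():
            ptype = spec.get("type", "any")
            types = ptype if isinstance(ptype, list) else [ptype]
            free_form = bool({"string", "any"} & set(types)) and not any(
                key in spec for key in CONTENT_CONSTRAINTS)
            rows.append((tool["name"], param, ptype, free_form))
        # JSON Schema accepts undeclared properties unless this is set to false.
        if schema.get("additionalProperties", True) is not False:
            rows.append((tool["name"], "*", "any", True))
    return rows


def free_form_params(tools_list):
    """Parameters whose schema places no restriction on the submitted content."""
    return [f"{t}.{p}" for t, p, _, free in inventory(tools_list) if free]


if __name__ == "__main__":
    for row in inventory(SAMPLE):
        print(row)
```

A `*` row means the tool accepts properties its schema never declares; setting `additionalProperties` to `false` closes that gap.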

LLM App / Chatbot

Use when your target is an LLM-powered application. CodeWall will test for prompt injection, system prompt extraction, data exfiltration from context and RAG sources, and guardrail bypass techniques.

Combining test types

For comprehensive coverage, consider running multiple test types:

  • A Web Application test against your frontend
  • A Web API test against the same application's backend API
  • An MCP Server Security test against any tool-serving endpoints
  • An LLM App / Chatbot test against AI-powered features

This provides layered coverage across your entire stack.