Takumi Blackbox Assessment Released
Takumi now supports blackbox assessments.
It can detect a wide range of vulnerabilities, from classic issues like XSS to complex business logic flaws in authentication and authorization. While a full assessment takes several hours to 2 days, you can also run targeted assessments on specific features or vulnerability types as needed.

Overview
The Takumi Blackbox Assessment feature accepts application URLs and credentials, then simulates attacks against the application and delivers comprehensive security reports through the web interface.
Credit consumption varies based on the target application's characteristics and size, typically requiring several dozen credits or more.
You can access this feature through the Shisho Cloud by GMO web interface. To prevent unintended attack traffic, it is not available via Slack.
Getting Started
This feature is available to all Takumi by GMO users within their monthly credit allowance, with no additional cost or plan change required.
Access it through the Assessment tab in the global sidebar.
Demo: Starting an Assessment
Click the New Assessment button in the top-right corner of the Assessment tab to begin.
The setup requires only your application URL and authentication credentials.

Choose from two assessment modes:
- Full Assessment mode analyzes the entire application end-to-end, including crawling and testing in one continuous process.
- Partial Assessment mode pauses after crawling, allowing you to select specific features and vulnerability types before resuming. This mode is ideal for controlling assessment scope and minimizing credit consumption.
Assessments typically take several hours to 2 days to complete. Please be patient while Takumi works.
Demo: Assessment Reports
Assessment reports are viewable in the web interface, similar to professional security vendor deliverables.

The format closely resembles outputs from professional security assessment vendors.

Each finding explains which features were tested, from what perspective, and details the severity and risk of any discovered vulnerabilities.

Demo: Re-assessment
The re-assessment feature allows testing specific features or vulnerability types only. Credit consumption varies based on the number of features and vulnerability types selected for re-assessment.

Assessment Coverage
Takumi evaluates applications across these key areas:
- Logic flaws
- Authorization bypass
- All injection types
- SSRF
- XSS
- Clickjacking
- Open redirect
- File handling issues
- Session management flaws
- CORS misconfigurations
- CSRF
Each category includes numerous specific test cases. The standout feature is coverage of business logic vulnerabilities: our LLM agent technology enables application-aware testing based on understanding the application's intended behavior.
For detailed technical discussions, we're happy to meet with your development team. Please contact us.
Accuracy Evaluation
In testing against demo applications with intentionally embedded vulnerabilities, the blackbox assessment achieved a 48% detection rate and a 33.3% false positive rate across approximately 20 hours of scanning.
When vulnerabilities that are fundamentally difficult to detect without source code access were excluded, the detection rate improved to 70%.
Future Vision
This feature will evolve into graybox assessment by integrating with our whitebox analysis engine, combining the high detection capabilities of whitebox analysis with the strong vulnerability validation of blackbox testing for more accurate and user-friendly assessments.

