Verification Agent runs after testing completes. It reads execution results, delegates findings for independent re-testing, and files confirmed issues, so that what reaches your issue tracker is verified, not assumed.

What it does

  • Finding review: reads all output and artifacts from a completed testing run to identify what needs verification
  • Independent reproduction: re-tests each finding from scratch, without relying on the original agent’s reasoning or approach
  • Structured verdict: returns a clear result (confirmed, false positive, or inconclusive) with evidence supporting the verdict
  • Parallel verification: runs up to five independent re-tests simultaneously, one per finding
  • Full sandbox access: runs commands, scripts, and exploits in the sandbox to reproduce findings
  • Web exploitation toolkit: uses OOB callbacks, SSRF, XXE, and other infrastructure as needed to prove exploitability
  • Issue filing: creates and bulk-creates issues for confirmed findings, with full details, severity, and evidence attached
  • Issue management: updates existing issues, adds assets and comments, and retrieves issue statistics and timelines
  • Jira integration: creates Jira tickets for confirmed findings when Jira is connected
  • Context retrieval: invokes Explore, Research, and Browser agents when additional context is needed to assess a finding
  • GitHub output: submits structured output back to GitHub when running in a GitHub review context

How it fits in

Verification Agent runs as the final phase of every Thorough mode task. It is the gate between raw testing output and filed issues: nothing reaches the Issues dashboard without passing through verification first. It is also the agent behind the Challenge & Verify action in the Issues dashboard, where you can trigger independent re-testing of any filed issue at any time.