As a penetration testing tool, what does Steel OSS enable for Apex that Playwright MCP doesn't already provide?
Steel OSS delivers 5 capabilities that directly impact pentest effectiveness:
| # | Capability | Playwright MCP | Steel OSS | Pentest Impact |
|---|---|---|---|---|
| 1 | WAF Bypass - Load Chrome extensions | ❌ No | ✅ Yes | Test targets behind Cloudflare, Akamai, Incapsula |
| 2 | Auth Debugging - Visual session inspection | ❌ No | ✅ /ui |
Get past complex auth (OAuth, SAML, MFA) that blocks AI |
| 3 | Rapid Recon - Quick actions without session overhead | ❌ No | ✅ Yes | Enumerate 100s of URLs faster during discovery phase |
| 4 | Session Survival - Redis/Postgres backing | ❌ No | ✅ Yes | Don't lose expensive-to-get authenticated sessions |
| 5 | Observability - REST API vs MCP stdio | ❌ No | ✅ HTTP | Debug why the AI agent is failing in real-time |
Bottom line: If you pentest targets behind WAFs, with complex auth, or need to enumerate at scale, Steel OSS solves problems that currently block Apex.
┌─────────────────────────────────────────────────────────────────────────────────┐
│ CURRENT APEX LIMITATIONS (Playwright MCP) │
├─────────────────────────────────────────────────────────────────────────────────┤
│ │
│ ❌ WAF BLOCKED ❌ AUTH FAILS │
│ Target: example.com Target: app.okta.com │
│ Protection: Cloudflare Challenge: OAuth + MFA + CAPTCHA │
│ Result: Automated traffic Result: AI can't figure out the flow │
│ blocked immediately gives up after retries │
│ │
│ ❌ SLOW RECON ❌ SESSION LOST │
│ Task: Screenshot 200 endpoints Context: 2 hours into pentest │
│ Problem: Session overhead Event: Crash or timeout │
│ Result: Takes forever Result: Start over, re-auth, lose progress │
│ │
│ ❌ OPAQUE FAILURES │
│ Problem: AI agent fails, can't see why │
│ Debugging: Blind, no visibility into browser state │
│ Result: Waste time guessing at the problem │
│ │
└─────────────────────────────────────────────────────────────────────────────────┘
↓ Steel OSS solves these ↓
┌─────────────────────────────────────────────────────────────────────────────────┐
│ APEX WITH STEEL OSS │
├─────────────────────────────────────────────────────────────────────────────────┤
│ │
│ ✅ WAF BYPASSED ✅ AUTH SUCCEEDS │
│ Load: Browser extension Tool: Debug UI at /ui │
│ Result: Flows undetected Result: Watch browser, guide AI, │
│ understand what's happening │
│ │
│ ✅ FAST RECON ✅ SESSION PERSISTS │
│ Method: Quick actions Backing: Redis/Postgres │
│ Result: Enumerate in parallel Result: Resume where you left off │
│ │
│ ✅ FULL VISIBILITY │
│ Tool: REST API + Debug UI │
│ Result: See exactly what the AI sees, debug in real-time │
│ │
└─────────────────────────────────────────────────────────────────────────────────┘
The Problem:
Target: https://bugbounty.example.com
Protection: Cloudflare Enterprise Challenge
Current Apex: Traffic blocked, challenge page returned
Pentest Status: STUCK
With Steel OSS:
# Load anti-detect extension
docker run -v ./bypass-extension:/extensions ghcr.io/steel-dev/steel-browser
# Apex now flows through undetected
# Pentest proceedsReal Targets This Unlocks:
- Cloudflare-protected sites (common on bug bounty programs)
- Akamai-protected enterprise apps
- Incapsula, Sucuri, other WAFs
- Bot detection that flags headless Chrome
Pentest Impact: BLOCKED → TESTING
The Problem:
Target: SaaS app with Okta + Duo MFA
Challenge: AI agent can't figure out:
- Which field is username (autocomplete fills it)
- MFA is push notification (async, no form)
- Session establishes via redirect chain
Current Apex: Blind retries, "auth failed" messages
Pentest Status: CAN'T GET IN
With Steel OSS:
1. Start Apex in auth mode
2. Open http://localhost:3000/ui
3. Watch AI attempt login
4. See exactly where it fails
5. Add custom prompt to guide AI through the tricky part
6. Auth succeeds, session captured
Real Targets This Unlocks:
- Enterprise SaaS (Okta, Azure AD, Auth0)
- MFA-protected apps (Duo push, TOTP, YubiKey)
- SPA auth with complex flows
- OAuth/SAML sequences
Pentest Impact: LOCKED OUT → AUTHENTICATED
The Problem:
Phase: Initial reconnaissance
Task: Screenshot 500 discovered endpoints
Current Apex:
- Create session for each
- Navigate, screenshot, cleanup
- Subprocess overhead per endpoint
- Rate: ~10 endpoints/minute
Pentest Status: TOO SLOW
With Steel OSS:
// Quick action - no session needed
for (const url of endpoints) {
await fetch('http://localhost:3000/v1/screenshot', {
method: 'POST',
body: JSON.stringify({ url, fullPage: true })
});
}
// Rate: ~50 endpoints/minute (5x faster)Pentest Impact: Enumeration that took 1 hour now takes 12 minutes
The Problem:
Scenario: Deep dive on authenticated app
Timeline:
- 0:00 - Start pentest
- 0:15 - Get through MFA (painful)
- 0:30 - Establish session, start testing
- 1:45 - Apex crashes or timeout
- 1:46 - Session lost, start over
Pentest Status: LOSING PROGRESS
With Steel OSS:
Timeline with Steel OSS:
- 0:00 - Start pentest
- 0:15 - Get through MFA (one-time cost)
- 0:30 - Session saved to Redis
- 1:45 - Apex crashes
- 1:46 - Restart Apex, reconnect to session
- 1:47 - Resume testing, still authenticated
Pentest Status: PROGRESS PRESERVED
Pentest Impact: Don't re-auth every time something breaks
The Problem:
Scenario: AI agent failing on a target
Symptoms:
- "element not found" errors
- "navigation timeout" errors
- No clue what's actually happening
Current Apex:
- Check logs
- Add debug logging
- Retry
- Guess at problem
- Repeat
Pentest Status: DEBUGGING BLIND
With Steel OSS:
1. Open http://localhost:3000/ui
2. See current browser state
3. Inspect DOM (element exists? selector changed?)
4. Check console (errors? timing issues?)
5. Watch network (blocked? slow? redirect?)
6. Fix the problem, continue pentest
Pentest Impact: HOURS OF GUESSING → MINUTES TO FIX
| Pentest Scenario | Playwright MCP | Steel OSS | Winner |
|---|---|---|---|
| Target behind Cloudflare | ❌ Blocked | ✅ Extension bypass | Steel |
| Okta OAuth + Duo MFA | ✅ Debug UI helps | Steel | |
| Simple form auth | ✅ Works fine | ✅ Works fine | Tie |
| Enumerate 1000 URLs | ✅ Fast (quick actions) | Steel | |
| 4-hour authenticated session | ❌ Lost on crash | ✅ Survives crash | Steel |
| Quick one-shot test | ✅ Works fine | ✅ Works fine | Tie |
| Air-gapped testing | ✅ Works | ✅ Works | Tie |
| Debugging AI failures | ✅ Visual + REST | Steel | |
| Minimal resource usage | ✅ Light | Playwright | |
| "Just works" setup | ✅ npx only | Playwright |
Pattern: Playwright wins on simplicity. Steel wins on capability.
- Target is WAF-protected (Cloudflare, Akamai, etc.)
- Auth is complex (OAuth, SAML, MFA, async flows)
- You need to enumerate at scale (100s of URLs)
- Session is expensive to get (MFA, complex flows)
- You need to debug AI failures (visual feedback helps)
- Simple targets (no WAF, basic auth)
- Quick tests (one-off, short sessions)
- Limited resources (no Docker, need lightweight)
- Air-gapped (offline environments)
┌─────────────────────────────────────────────────────────────────────────────────┐
│ APEX BACKEND SELECTION │
├─────────────────────────────────────────────────────────────────────────────────┤
│ │
│ .env configuration decides backend: │
│ │
│ ┌─────────────────────────────────────────────────────────────────────────┐ │
│ │ # Default - Works for basic targets │ │
│ │ BROWSER_BACKEND=playwright │ │
│ │ │ │
│ │ # Upgrade - Unlocks WAF bypass, debug UI, persistence │ │
│ │ BROWSER_BACKEND=steel-oss │ │
│ │ STEEL_OSS_URL=http://localhost:3000 │ │
│ └─────────────────────────────────────────────────────────────────────────┘ │
│ │
│ User experience: │
│ ───────────────── │
│ • Default: Apex works out of box, no setup │
│ • Power user: Run Docker once, get WAF bypass + debug UI │
│ • Both: Same AI tools, same interface, different backend │
│ │
└─────────────────────────────────────────────────────────────────────────────────┘
Steel OSS adds 5 capabilities that directly impact pentest success:
| Capability | Pentest Problem It Solves |
|---|---|
| Custom Extensions | Bypass WAFs (Cloudflare, Akamai) that block automated testing |
| Debug UI | Get through complex auth (OAuth, MFA) by watching the browser |
| Quick Actions | Enumerate 100s of URLs faster during recon phase |
| Session Persistence | Don't lose expensive authenticated sessions to crashes |
| REST API | Debug AI failures in real-time instead of flying blind |
Everything else (stealth, proxies, CDP, offline) Playwright already does.
The implementation is justified if you pentest:
- WAF-protected targets
- Complex auth flows
- At scale (100s of endpoints)
For basic targets, Playwright MCP remains sufficient.
Generated for Pensar Apex - AI-powered penetration testing CLI tool Analysis: Steel Open Source value proposition for penetration testing use cases