Your website is under attack right now. Not maybe. Right now.
Automated scanners probe every public-facing site thousands of times per day. New CVEs drop weekly. SSL certificates expire silently. Security headers drift after innocent deployments. And your team? They're busy building features.
This is exactly the problem AI agents solve: not with hype, but with automated, continuous security auditing that runs while you sleep.
In this guide, we'll walk through how we built a self-monitoring web security stack using three open-source tools orchestrated by AI agents. No expensive SaaS. No vendor lock-in. Just bash scripts, free APIs, and an agent that never forgets to check.
The Problem: Security Is a Moving Target
Most businesses treat security like an annual physical: check the boxes once, file the report, forget about it. But web security degrades constantly:
- SSL certificates expire and nobody notices until Chrome throws a warning
- Security headers disappear after a deployment or server config change
- Performance degrades, creating both UX and SEO penalties
- New vulnerabilities emerge in frameworks and dependencies you forgot you were running
- SAST findings pile up as codebases grow and developers move fast
The traditional approach of hiring a penetration tester once a year leaves 364 days of unmonitored drift.
The Solution: A Three-Layer Automated Audit Stack
| Layer | Tool | What It Checks |
|---|---|---|
| Performance & SEO | Google PageSpeed Insights API | Core Web Vitals, accessibility, SEO, best practices |
| External Attack Surface | Nuclei Scanner | Known CVEs, misconfigurations, exposed panels, header issues |
| Source Code | Semgrep SAST | Injection flaws, hardcoded secrets, insecure patterns |
Each tool runs on a schedule, produces structured reports, and feeds results to an AI agent that triages, prioritizes, and alerts only when something actually needs attention.
Layer 1: Performance & Security Headers with PageSpeed Insights
Google's PageSpeed Insights API is free (with an API key) and checks far more than just load times. It audits accessibility, SEO compliance, security best practices, and Core Web Vitals, all in a single API call.
Here's the core of our automated audit script:
```bash
#!/usr/bin/env bash
# pagespeed-audit.sh - Automated PageSpeed + security audit
set -euo pipefail
API="https://www.googleapis.com/pagespeedonline/v5/runPagespeed"
URL="${1:-https://yoursite.com}"
# Fail early with a clear message instead of sending a request with an empty key
GKEY="${GKEY:?set GKEY to your PageSpeed Insights API key}"
CATEGORIES=("performance" "seo" "accessibility" "best-practices")
# Fetch and parse scores for both mobile and desktop. The API returns only the
# performance category unless each one is requested, so the category list is
# passed as repeated query parameters; --data-urlencode keeps the target URL
# (including any query string of its own) intact.
for strategy in mobile desktop; do
  args=()
  for c in "${CATEGORIES[@]}"; do args+=(--data-urlencode "category=${c}"); done
  json=$(curl -sS --fail --get "$API" \
    --data-urlencode "url=${URL}" \
    --data-urlencode "key=${GKEY}" \
    --data-urlencode "strategy=${strategy}" \
    "${args[@]}")
  echo "=== $strategy ==="
  echo "$json" | jq -r '.lighthouseResult.categories
    | to_entries[]
    | "\(.key): \(.value.score * 100 | round)"'
done
```
But the real power comes from the site-monitor wrapper that tracks scores over time as a CSV, checks SSL expiry, and verifies security headers (HSTS, X-Frame-Options, X-Content-Type-Options) every single day.
When a score drops below threshold or an SSL certificate has fewer than 30 days remaining, the AI agent triggers an alert. No dashboards to check. No logins to remember.
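The site-monitor wrapper itself is not shown on this page, so here is an added example (not the page's own site-monitor.sh) of its two daily checks, certificate expiry and security-header presence, written as functions that run on fixed input. It assumes GNU date (`-d`) and, for the live path only, curl and openssl; the host name, threshold constants and output format are this example's own choices.

```bash
#!/usr/bin/env bash
# site-monitor-checks.sh - added example, not the page's own site-monitor.sh.
# Certificate-expiry and security-header checks as testable functions.
# Assumes GNU date (-d); the live path also needs curl and openssl.
set -euo pipefail

REQUIRED_HEADERS="strict-transport-security x-frame-options x-content-type-options"
SSL_WARN_DAYS=30   # alert threshold used on the page

# Days until a certificate expires. $1 is the "notAfter=..." line printed by
# `openssl x509 -noout -enddate`; $2 is the reference time in epoch seconds,
# passed in rather than read from the clock so the result is repeatable.
days_until_expiry() {
  not_after="${1#notAfter=}"
  now="$2"
  exp=$(date -u -d "$not_after" +%s)
  echo $(( (exp - now) / 86400 ))
}

# Print each required header that is absent from the HTTP response headers on
# stdin. Header names are case-insensitive, so everything is lower-cased first.
missing_headers() {
  hdrs=$(tr '[:upper:]' '[:lower:]')
  for h in $REQUIRED_HEADERS; do
    if ! printf '%s\n' "$hdrs" | grep -q "^$h:"; then
      echo "$h"
    fi
  done
}

# Live path: fetch the leaf certificate and response headers for one host and
# print one "LEVEL  message" line per problem. Exit status 1 if anything is wrong.
check_host() {
  host="$1"
  problems=0
  not_after=$(openssl s_client -servername "$host" -connect "$host:443" </dev/null 2>/dev/null \
    | openssl x509 -noout -enddate)
  days=$(days_until_expiry "$not_after" "$(date -u +%s)")
  if [ "$days" -lt "$SSL_WARN_DAYS" ]; then
    echo "HIGH  $host: certificate expires in $days days (run: certbot renew)"
    problems=1
  fi
  for h in $(curl -sSI --max-time 15 "https://$host" | missing_headers); do
    echo "MEDIUM  $host: missing header $h"
    problems=1
  done
  return "$problems"
}

# Only touch the network when a host is given on the command line,
# e.g. ./site-monitor-checks.sh staging.example.com (constructed host name).
if [ "$#" -gt 0 ]; then
  check_host "$1"
fi
```

Passing the reference time into `days_until_expiry` instead of reading the clock inside it is what makes the check testable against a fixed certificate date; the same pattern applies to any threshold check the agent will run daily.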
Gartner predicts that by 2026, over 40% of enterprise applications will embed role-specific AI agents. Web monitoring is one of the simplest, highest-ROI places to start.
Layer 2: External Attack Surface Scanning with Nuclei
Nuclei is an open-source vulnerability scanner with over 8,000 community-maintained templates. It checks for known CVEs, misconfigurations, exposed admin panels, default credentials, and more.
Our automated scanner wraps Nuclei with structured output and markdown reporting:
```bash
#!/usr/bin/env bash
# nuclei-scan.sh - Automated external vulnerability scanning
set -euo pipefail
TARGETS=("https://yoursite.com")
DATE=$(date +%Y-%m-%d)
# Build target list in a temp file that is removed when the script exits
TARGET_FILE=$(mktemp)
trap 'rm -f "$TARGET_FILE"' EXIT
printf '%s\n' "${TARGETS[@]}" > "$TARGET_FILE"
# Run Nuclei with severity filtering; -json-export writes all findings as a JSON array
nuclei -l "$TARGET_FILE" \
  -severity critical,high,medium \
  -json-export "nuclei-${DATE}.json" \
  -silent
# Generate delta report (new findings only) against the previous run
./nuclei-diff.sh "nuclei-${DATE}.json" "nuclei-yesterday.json"
```
The companion nuclei-diff.sh script compares today's scan against yesterday's, surfacing only new findings. This is critical: nobody wants to see the same 47 informational findings every morning. The AI agent sees only deltas.
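The page does not show nuclei-diff.sh, so here is an added example of such a delta script (not the project's own). It keys each finding on the `template-id` and `matched-at` fields that Nuclei writes for every result in its JSON export, treats a missing baseline file as a first run in which everything is new, and exits non-zero when there is something to report so a scheduler or CI job can act on it. The file names, template ids and hosts in the test data are constructed.

```bash
#!/usr/bin/env bash
# nuclei-diff.sh - added example of the delta script, not the page's own.
# Usage: ./nuclei-diff.sh today.json yesterday.json
# Assumes python3 is available (the page's semgrep script already relies on it).
set -euo pipefail

# Print findings present in $1 but absent from $2, one per line as
# "SEVERITY<tab>template-id<tab>matched-at". A finding is identified by
# template-id + matched-at, so the same template firing on a new URL is new.
new_findings() {
  python3 - "$1" "$2" <<'EOF'
import json, sys

def load(path):
    try:
        with open(path) as f:
            data = json.load(f)
    except FileNotFoundError:      # first run: no baseline, everything is new
        return {}
    return {(r["template-id"], r["matched-at"]): r for r in data}

today, yesterday = load(sys.argv[1]), load(sys.argv[2])
for key in sorted(set(today) - set(yesterday)):
    r = today[key]
    print("%s\t%s\t%s" % (r["info"]["severity"].upper(), r["template-id"], r["matched-at"]))
EOF
}

# Markdown summary for the agent. Exit status 1 when new findings exist.
report_new() {
  new=$(new_findings "$1" "$2")
  if [ -z "$new" ]; then
    echo "No new findings since the previous scan."
    return 0
  fi
  count=$(printf '%s\n' "$new" | awk 'END { print NR }')
  echo "## $count new finding(s)"
  printf '%s\n' "$new" | awk -F'\t' '{ print "- **" $1 "** `" $2 "` at " $3 }'
  return 1
}

# Run as a script when two files are given; defining only the functions otherwise.
if [ "$#" -eq 2 ]; then
  report_new "$1" "$2"
fi
```

After reporting, the caller copies today's export over `nuclei-yesterday.json` so the next run diffs against it; keeping the dated exports as well gives the historical baseline the agent section below refers to.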
Why Nuclei Over Commercial Scanners?
- Free and open source: no per-scan licensing
- 8,000+ templates: community-maintained, updated daily
- Fast: Go-based, concurrent scanning
- Customizable: write your own templates for business-specific checks
- CI/CD friendly: JSON output, exit codes, silent mode
Layer 3: Source Code Analysis with Semgrep
While PageSpeed and Nuclei check the deployed application, Semgrep catches vulnerabilities before they ship. It's a static analysis tool that scans source code for security anti-patterns, hardcoded secrets, and injection vulnerabilities.
```bash
#!/usr/bin/env bash
# semgrep-full-scan.sh - Repository-wide SAST scanning
set -euo pipefail
REPO_PATH="${1:?usage: semgrep-full-scan.sh <repo path>}"
REPO_NAME=$(basename "$(cd "$REPO_PATH" && git rev-parse --show-toplevel)")
# Run scan with auto-config (pulls relevant rulesets); stderr is silenced so
# only the JSON report is captured
JSON_OUT=$(semgrep --config auto --json "$REPO_PATH" 2>/dev/null)
# Count ERROR-severity findings (Semgrep's highest level)
ERROR_COUNT=$(echo "$JSON_OUT" | python3 -c "
import sys, json
d = json.load(sys.stdin)
print(sum(1 for r in d.get('results', [])
          if r.get('extra', {}).get('severity', '') == 'ERROR'))
")
echo "${REPO_NAME}: ${ERROR_COUNT} ERROR-severity finding(s)"
```
The pre-commit hook version runs on every commit, blocking merges that introduce high-severity findings. This is shift-left security in practice: catching SQL injection, XSS, and hardcoded credentials before they reach production.
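The hook itself is not on the page; the following is an added example of one (not the project's own). It scans only the staged files rather than the whole repository, and the block/allow decision is a separate function that reads a saved Semgrep JSON report, so it can be checked without running Semgrep. The rule ids, paths and line numbers in the test data are constructed.

```bash
#!/usr/bin/env bash
# pre-commit - added example of the hook described above, not the page's own.
# Install as .git/hooks/pre-commit (executable). Scans staged files and blocks
# the commit when Semgrep reports an ERROR-severity finding.
# Assumes semgrep, git and python3 are on PATH.
set -euo pipefail

# Print the blocking findings from a Semgrep JSON report ($1) as
# "path:line rule". Exit status 1 means block, 0 means allow.
blocking_findings() {
  python3 - "$1" <<'EOF'
import json, sys
with open(sys.argv[1]) as f:
    report = json.load(f)
bad = [r for r in report.get("results", [])
       if r.get("extra", {}).get("severity") == "ERROR"]
for r in bad:
    print("%s:%s %s" % (r["path"], r["start"]["line"], r["check_id"]))
sys.exit(1 if bad else 0)
EOF
}

# Hook body: scan staged (added/copied/modified) files and gate on the result.
run_hook() {
  staged=$(git diff --cached --name-only --diff-filter=ACM)
  if [ -z "$staged" ]; then
    exit 0   # nothing to scan, e.g. a deletion-only commit
  fi
  report=$(mktemp)
  trap 'rm -f "$report"' EXIT
  # -z / xargs -0 keeps file names containing spaces intact
  git diff --cached --name-only --diff-filter=ACM -z \
    | xargs -0 semgrep --config auto --json --quiet --output "$report"
  if blocking_findings "$report"; then
    echo "pre-commit: no blocking Semgrep findings"
  else
    echo "pre-commit: commit blocked by the ERROR-severity findings above" >&2
    exit 1
  fi
}

# Git runs the hook by its installed name; under any other name only the
# functions are defined, so the decision logic can be exercised on its own.
case "${0##*/}" in
  pre-commit) run_hook ;;
esac
```

Gating on ERROR only keeps the hook from becoming noise developers bypass with `--no-verify`; WARNING and INFO findings still show up in the weekly full scan.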
The AI Agent: Orchestrating It All
Individual scripts are useful. An AI agent that orchestrates them is transformative.
- Daily schedule: the agent runs site-monitor.sh every morning at 6 AM
- Weekly deep scan: nuclei-scan.sh runs every Monday with the full template library
- Continuous SAST: Semgrep runs on every commit via pre-commit hooks
- Delta analysis: the agent compares new results against historical baselines
- Intelligent alerting: only surfaces findings that are new, critical, or trending worse
- Automated remediation suggestions: for common issues (missing headers, expiring certs), the agent generates fix scripts
The agent doesn't just collect data; it triages. A new critical Nuclei finding gets an immediate alert. A PageSpeed score dropping from 95 to 92 gets logged but not escalated. An SSL certificate expiring in 7 days gets a high-priority notification with the exact certbot renew command to run.
Real Results: What We Found
Running this stack against our own properties revealed:
- 3 missing security headers that appeared after a server migration (HSTS, X-Frame-Options, X-Content-Type-Options)
- SSL certificate on a staging subdomain with 12 days remaining; nobody was monitoring it
- 2 Semgrep findings: an unused `eval()` call in a legacy script and a hardcoded test API key
- PageSpeed regression: mobile performance dropped 15 points after a JavaScript bundle update
Total time to discover these issues manually? Probably never. Time for the automated stack? 47 seconds.
Setting Up Your Own Audit Pipeline
Step 1: Get Your Tools
```bash
# Google PageSpeed Insights - free with a Google Cloud account
# Enable the PageSpeed Insights API at console.cloud.google.com
# Nuclei - no API key needed
go install github.com/projectdiscovery/nuclei/v3/cmd/nuclei@latest
nuclei -update-templates
# Semgrep - free for open source and individual use
pip install semgrep
```
Step 2: Schedule It
```bash
# Cron - traditional approach
0 6 * * * /path/to/daily-audit.sh >> /var/log/audit.log 2>&1
# Or let your AI agent handle scheduling
# (it'll also handle the triage and alerting)
```
Step 3: Connect Alerting
The scripts produce structured output (JSON, CSV, Markdown). Feed these into your preferred notification channel (Slack, Telegram, email), or let an AI agent decide what's worth your attention.
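As an added example of this last step (not code from the page or its author), the script below takes the one-line-per-finding output the checks produce, routes only HIGH and CRITICAL lines to a Slack-compatible incoming webhook and logs the rest, which is the escalation split described in the agent section above. It assumes the webhook URL is in an environment variable named `SLACK_WEBHOOK_URL` (this example's own name); when it is unset the payload is printed instead of sent. The message text goes through `json.dumps` rather than string interpolation so quotes or backslashes in a finding cannot break or alter the JSON body.

```bash
#!/usr/bin/env bash
# send-alert.sh - added example, not one of the page's scripts.
# Routes "LEVEL  message" lines: HIGH/CRITICAL to a webhook, the rest to a log.
# Assumes python3 and curl; SLACK_WEBHOOK_URL is this example's own variable name.
set -euo pipefail

# Build the JSON body. Values are passed through the environment and encoded
# with json.dumps so finding text cannot inject into or corrupt the payload.
build_alert_payload() {
  LEVEL="$1" TEXT="$2" python3 -c '
import json, os
print(json.dumps({"text": "[%s] %s" % (os.environ["LEVEL"], os.environ["TEXT"])}))
'
}

# Post the payload, or print it when no webhook is configured (dry run).
send_alert() {
  payload=$(build_alert_payload "$1" "$2")
  if [ -z "${SLACK_WEBHOOK_URL:-}" ]; then
    echo "dry-run: $payload"
    return 0
  fi
  curl -sS --fail -X POST -H 'Content-Type: application/json' \
    --data "$payload" "$SLACK_WEBHOOK_URL" >/dev/null
}

# Read "LEVEL  message" lines on stdin. HIGH and CRITICAL are sent immediately;
# everything else is appended, timestamped, to the log file given as $1.
route_findings() {
  log="${1:-audit-findings.log}"
  while IFS= read -r line; do
    level="${line%% *}"
    msg="${line#* }"
    msg="${msg# }"
    case "$level" in
      CRITICAL|HIGH) send_alert "$level" "$msg" ;;
      *) printf '%s %s\n' "$(date -u +%FT%TZ)" "$line" >> "$log" ;;
    esac
  done
}

# Example wiring (constructed): ./site-monitor-checks.sh host | ./send-alert.sh
if [ ! -t 0 ] && [ "${0##*/}" = "send-alert.sh" ]; then
  route_findings "${1:-audit-findings.log}"
fi
```

Keeping the severity threshold in one place means a PageSpeed drop logged as LOW never pages anyone, while a certificate with 7 days left does, without each scanner needing to know how alerts are delivered.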
The Business Case
For business owners, the ROI is straightforward:
- Prevent breaches before they happen: automated scanning catches drift that manual audits miss
- Reduce audit costs: annual pen tests still matter, but continuous monitoring means fewer surprises
- Maintain SEO rankings: Google penalizes slow, insecure sites
- Demonstrate compliance: CSV history and markdown reports create an audit trail for SOC 2, ISO 27001, or client security questionnaires
- Save engineering time: developers focus on features, not manual checks
A single prevented breach pays for years of automated monitoring. And with open-source tools, the financial cost is essentially zero.
What's Next: The Self-Healing Web Stack
The current stack detects and alerts. The next evolution is automated remediation: SSL certificate expiring? Agent runs certbot renew automatically. Security header missing? Agent patches the nginx config and reloads. PageSpeed regression from a large image? Agent runs WebP conversion and deploys.
This is the trajectory of AI-powered operations: from monitoring to alerting to autonomous remediation. The tools exist today. The question is whether your business is using them.
Ready to automate your security? At OptinAmpOut, we build exactly these kinds of AI-powered automation stacks for businesses. From automated security monitoring to full DevSecOps pipelines, we help you sleep better knowing your web properties are continuously protected.
The best security audit is the one that runs every single day without anyone remembering to trigger it.