Scan depths (Recon / Full / AI)
Every pentest runs at one of three depths. They share the same engine — depth controls how much of the pipeline runs and how aggressive it is.
Recon
Passive and infrastructure-level only. Fast (typically under three minutes).
- TCP port scan (async, no external binary needed)
- TLS / cipher and certificate checks
- DNS records (SPF / DMARC / MX) and Certificate Transparency
- Security-header and cookie-flag audit
- Sensitive-path probing
Use it for a quick posture check or when you are not authorized for active attacks.
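The security-header and cookie-flag audit listed above is the easiest Recon check to reason about offline. The block below is an added example, not the project's own code: it runs over a captured response (the header dict and `Set-Cookie` lines are constructed for the demo) and returns findings for missing hardening headers, a short HSTS `max-age`, server version disclosure, and cookies lacking `Secure`, `HttpOnly` or `SameSite`. The expected-header list, the severity labels and the `Finding` shape are assumptions.

```python
"""Security-header and cookie-flag audit over a captured HTTP response.

Added example, not the project's own code. Header names, severities and the
Finding structure are assumptions; the sample response is constructed.
"""
from dataclasses import dataclass
from http.cookies import SimpleCookie
from typing import Dict, List

# Hardening headers a response is expected to carry, with why a missing one
# matters (assumed list; a real audit may check more).
EXPECTED_HEADERS = {
    "strict-transport-security": "clients may keep using plaintext HTTP",
    "content-security-policy": "no restriction on script sources",
    "x-content-type-options": "MIME sniffing allowed",
    "x-frame-options": "page can be framed (clickjacking)",
    "referrer-policy": "full URL may leak in the Referer header",
}
MIN_HSTS_MAX_AGE = 15552000  # 180 days, a common minimum for preload


@dataclass(frozen=True)
class Finding:
    severity: str  # "low" or "medium"
    title: str
    detail: str


def audit_headers(headers: Dict[str, str]) -> List[Finding]:
    """Report missing hardening headers, weak HSTS and version disclosure."""
    lower = {k.lower(): v for k, v in headers.items()}
    findings: List[Finding] = []
    for name, why in EXPECTED_HEADERS.items():
        if name not in lower:
            findings.append(Finding("low", f"missing {name}", why))
    hsts = lower.get("strict-transport-security")
    if hsts:
        max_age = 0
        for directive in hsts.split(";"):
            directive = directive.strip().lower()
            if directive.startswith("max-age="):
                try:
                    max_age = int(directive.split("=", 1)[1])
                except ValueError:
                    max_age = 0
        if max_age < MIN_HSTS_MAX_AGE:
            findings.append(Finding("low", "short HSTS max-age", f"max-age={max_age}"))
    for banner in ("server", "x-powered-by"):
        if banner in lower:
            findings.append(Finding("low", "version disclosure", f"{banner}: {lower[banner]}"))
    return findings


def audit_cookies(set_cookie_lines: List[str]) -> List[Finding]:
    """Flag cookies that lack Secure, HttpOnly or a SameSite attribute."""
    findings: List[Finding] = []
    for line in set_cookie_lines:
        jar = SimpleCookie()
        jar.load(line)  # parses one Set-Cookie header value
        for name, morsel in jar.items():
            if not morsel["secure"]:
                findings.append(Finding("medium", f"cookie {name} lacks Secure", line))
            if not morsel["httponly"]:
                findings.append(Finding("medium", f"cookie {name} lacks HttpOnly", line))
            if not morsel["samesite"]:
                findings.append(Finding("low", f"cookie {name} lacks SameSite", line))
    return findings


# Constructed sample response for the demo (not real scan output).
SAMPLE_HEADERS = {
    "Content-Type": "text/html",
    "Strict-Transport-Security": "max-age=300",
    "X-Content-Type-Options": "nosniff",
    "Server": "Apache/2.4.57",
}
SAMPLE_COOKIES = [
    "session=abc123; Path=/; Secure; HttpOnly; SameSite=Lax",
    "tracking=xyz; Path=/",
]

if __name__ == "__main__":
    for f in audit_headers(SAMPLE_HEADERS) + audit_cookies(SAMPLE_COOKIES):
        print(f"[{f.severity}] {f.title}: {f.detail}")
```

Header names are compared case-insensitively because HTTP header names are case-insensitive; cookie parsing goes through the standard library so attribute order and casing in the `Set-Cookie` line do not matter.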
Full
Everything in Recon plus active attacks against the target. This is the standard pentest depth.
- Crawl and form/parameter discovery, feeding the injection phases
- Injection: command injection, SQL injection (error-based and blind), reflected XSS, SSTI, path traversal, XXE
- Auth: JWT `alg:none` / signature / `kid` handling, auth-bypass, rate-limit
- API: OpenAPI ingestion → IDOR/BOLA, mass assignment, GraphQL checks
- Web: request smuggling, open redirect (host-aware), CSRF, SSRF via headers
- Business logic and verb tampering
- `arsenal_lite`: bounded nmap (`-F -sV`, service versions) + nuclei (high/critical templates only), when those binaries are present on the host
Findings are run through the confidence pipeline.
AI
Everything in Full plus an LLM analysis layer (the configured `VEX_LLM_PROVIDER`) that reasons over the results and enriches the report.
Use it when you want narrative analysis and prioritization on top of the raw findings.
Safety guards
- Each phase has a hard timeout and is fail-soft: a phase that errors or times out does not crash the scan.
- `arsenal_lite` and active phases are skipped for local targets and for targets that fail the pre-scan health check.
- All outbound requests pass SSRF validation.
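The three guards above fit in one small phase runner. The block below is an added example, not the project's own code: each phase runs under `asyncio.wait_for` with a hard timeout, an exception or timeout is recorded as a per-phase status instead of aborting the scan, active phases are skipped when the target is local or the health check failed, and an SSRF check restricts outbound URLs to http(s), the authorized host, and non-internal addresses. Phase names, the timeout value, the `PhaseResult` shape and the in-scope-host rule are assumptions; the demo phases are constructed.

```python
"""Fail-soft scan phases with hard timeouts and outbound-target guards.

Added example, not the project's own code. Phase names, timeouts, the
PhaseResult shape and the scope rule are assumptions; demo phases are
constructed so the block runs offline.
"""
import asyncio
import ipaddress
from dataclasses import dataclass
from typing import Awaitable, Callable, Dict, List
from urllib.parse import urlparse

PhaseFactory = Callable[[], Awaitable[int]]  # returns a findings count
ACTIVE_PHASES = {"injection", "arsenal_lite"}  # assumed names of active phases


@dataclass(frozen=True)
class PhaseResult:
    name: str
    status: str  # "ok" | "timeout" | "error" | "skipped"
    findings: int = 0


def is_local_target(host: str) -> bool:
    """True for localhost names and loopback/private/link-local/reserved IPs."""
    if host.lower() in ("localhost", "localhost.localdomain"):
        return True
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        return False  # a hostname, not an IP literal
    return ip.is_loopback or ip.is_private or ip.is_link_local or ip.is_reserved


def validate_outbound_url(url: str, allowed_host: str) -> bool:
    """SSRF guard: http(s) only, authorized host only, no internal addresses."""
    parts = urlparse(url)
    if parts.scheme not in ("http", "https") or not parts.hostname:
        return False
    if parts.hostname.lower() != allowed_host.lower():
        return False  # redirects and header-injected hosts stay in scope
    return not is_local_target(parts.hostname)


async def run_phase(name: str, factory: PhaseFactory, timeout: float) -> PhaseResult:
    """Run one phase fail-soft: never let it take down the scan."""
    try:
        findings = await asyncio.wait_for(factory(), timeout)
        return PhaseResult(name, "ok", findings)
    except asyncio.TimeoutError:
        return PhaseResult(name, "timeout")
    except Exception:  # noqa: BLE001 - any phase error is recorded, not raised
        return PhaseResult(name, "error")


async def run_scan(target_host: str, phases: Dict[str, PhaseFactory],
                   timeout: float = 2.0, healthy: bool = True) -> List[PhaseResult]:
    """Run phases in order; skip active ones for local or unhealthy targets."""
    results: List[PhaseResult] = []
    for name, factory in phases.items():
        if name in ACTIVE_PHASES and (is_local_target(target_host) or not healthy):
            results.append(PhaseResult(name, "skipped"))
            continue
        results.append(await run_phase(name, factory, timeout))
    return results


# Constructed demo phases: one succeeds, one hangs, one raises.
async def headers_phase() -> int:
    await asyncio.sleep(0)
    return 2

async def tls_phase() -> int:
    await asyncio.sleep(10)  # simulates a stalled probe
    return 0

async def injection_phase() -> int:
    raise RuntimeError("constructed failure")

DEMO_PHASES: Dict[str, PhaseFactory] = {
    "headers": headers_phase, "tls": tls_phase, "injection": injection_phase,
}


def demo(target: str = "example.test", timeout: float = 0.1,
         healthy: bool = True) -> List[PhaseResult]:
    return asyncio.run(run_scan(target, DEMO_PHASES, timeout, healthy))


if __name__ == "__main__":
    for r in demo():
        print(f"{r.name:10} {r.status:8} findings={r.findings}")
```

The timeout is enforced by `asyncio.wait_for`, which cancels the phase coroutine, so a stalled probe releases its resources rather than lingering behind the next phase.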
Choosing a depth
| You want… | Depth |
|---|---|
| A fast posture snapshot | Recon |
| A real pentest with verified exploits | Full |
| Full + AI-written analysis | AI |