Scan depths (Recon / Full / AI)

Every pentest runs at one of three depths. They share the same engine — depth controls how much of the pipeline runs and how aggressive it is.

Recon

Passive and infrastructure-level only. Fast (typically under three minutes).

  • TCP port scan (async, no external binary needed)
  • TLS / cipher and certificate checks
  • DNS records (SPF / DMARC / MX) and Certificate Transparency
  • Security-header and cookie-flag audit
  • Sensitive-path probing

Use it for a quick posture check or when you are not authorized for active attacks.

Full

Everything in Recon plus active attacks against the target. This is the standard pentest depth.

  • Crawl and form/parameter discovery, feeding the injection phases
  • Injection: command injection, SQL injection (error-based and blind), reflected XSS, SSTI, path traversal, XXE
  • Auth: JWT alg:none / signature / kid handling, auth-bypass, rate-limit
  • API: OpenAPI ingestion → IDOR/BOLA, mass assignment, GraphQL checks
  • Web: request smuggling, open redirect (host-aware), CSRF, SSRF via headers
  • Business logic and verb tampering
  • arsenal_lite — bounded nmap (-F -sV, service versions) + nuclei (high/critical templates only), when those binaries are present on the host

Findings are run through the confidence pipeline.

AI

Everything in Full plus an LLM analysis layer (the configured VEX_LLM_PROVIDER) that reasons over the results and enriches the report.

Use it when you want narrative analysis and prioritization on top of the raw findings.

Safety guards

  • Each phase has a hard timeout and is fail-soft: a phase that errors or times out does not crash the scan.
  • arsenal_lite and active phases are skipped for local targets and for targets that fail the pre-scan health check.
  • All outbound requests pass SSRF validation.
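The per-phase hard timeout, the fail-soft behaviour and the local-target skip described above, as an added example that is not the project's own code; the phase names, the result-record shape and the run_scan() signature are assumptions made here.

```python
# Added example (not the project's code): phase names, the result-record shape
# and the run_scan() signature are assumptions made for this illustration.
import ipaddress
import socket
import threading
from urllib.parse import urlsplit

# Phases the page lists under Full as active attacks against the target.
ACTIVE_PHASES = {"crawl", "injection", "auth", "api", "web", "arsenal_lite"}

def is_local_target(url):
    """True if every address of the host is non-global (loopback, private,
    link-local); unresolvable or malformed hosts count as local (fail safe)."""
    host = urlsplit(url).hostname
    if not host:
        return True
    try:
        addrs = [ipaddress.ip_address(host)]  # IP literal: no DNS lookup needed
    except ValueError:
        try:
            addrs = [ipaddress.ip_address(i[4][0]) for i in socket.getaddrinfo(host, None)]
        except socket.gaierror:
            return True
    return all(not a.is_global for a in addrs)

def run_phase(name, fn, timeout_s):
    """Run one phase fail-soft: an exception or the hard timeout becomes a status
    record instead of crashing the scan; a timed-out worker is an abandoned daemon thread."""
    box = {}
    def worker():
        try:
            box["result"] = fn()
        except Exception as exc:  # deliberate: any phase error is captured
            box["error"] = repr(exc)
    t = threading.Thread(target=worker, daemon=True)
    t.start()
    t.join(timeout_s)
    if t.is_alive():
        return {"phase": name, "status": "timeout"}
    if "error" in box:
        return {"phase": name, "status": "error", "error": box["error"]}
    return {"phase": name, "status": "ok", "result": box["result"]}

def run_scan(target, depth, phases, health_ok=True, timeout_s=2.0):
    """Run (name, callable) phases at depth 'recon', 'full' or 'ai'. Active phases
    are skipped at Recon, for local targets and after a failed health check."""
    skip_active = depth == "recon" or not health_ok or is_local_target(target)
    return [{"phase": n, "status": "skipped"} if n in ACTIVE_PHASES and skip_active
            else run_phase(n, fn, timeout_s) for n, fn in phases]
```

Python cannot kill a thread, so a real implementation that shells out (for example to nmap or nuclei) would terminate the child process on timeout rather than abandon a thread.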

Choosing a depth

You want…                                Depth
A fast posture snapshot                  Recon
A real pentest with verified exploits    Full
Full + AI-written analysis               AI