Every pillar is a runtime guarantee. Not a marketing claim.
Scope control
Boundaries enforced at the execution layer, not the UI layer
Every agent action is gated against an immutable scope policy before any network call. You define the in-scope hostnames and URL patterns once. The system enforces them throughout the entire hunt session with no operator-side override required. If the agent discovers a redirect that leaves scope, it stops, flags, and waits. There is no "oops" mode.
- Wildcard and regex scope patterns supported
- Scope violations flagged as first-class events in the activity log
- Scope policy is version-locked per session — cannot be mutated mid-run
- Out-of-scope targets are never contacted, logged, or counted as coverage
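The execution-layer gate described above, as an added example in Python (this is illustrative code, not the product's own implementation). It assumes two pattern forms the page does not spell out: a hostname glob such as `*.example.com`, and a regular expression prefixed with `re:` that is matched against the full URL. The `constructed_transport` function and its canned responses are a stand-in for a live HTTP client so the example runs offline; the policy is a frozen dataclass so an attempt to mutate it mid-session fails, and a redirect hop is re-checked against the policy before it is followed.

```python
"""Execution-layer scope gate for an autonomous testing agent.

Added example; this is not the product's code. Assumptions not stated on the page:
a scope pattern is either a hostname glob such as "*.example.com" or a regular
expression prefixed with "re:" matched against the full URL, and `transport` is a
constructed stand-in for the real HTTP client.
"""
import fnmatch
import re
from dataclasses import FrozenInstanceError, dataclass, field
from typing import Callable, Optional
from urllib.parse import urljoin, urlparse


@dataclass(frozen=True)
class ScopePolicy:
    """Version-locked for the session: frozen, so it cannot be mutated mid-run."""
    version: str
    patterns: tuple  # hostname globs and "re:<regex>" entries

    def allows(self, url: str) -> bool:
        parsed = urlparse(url)
        host = (parsed.hostname or "").lower()
        if parsed.scheme not in ("http", "https") or not host:
            return False  # anything that is not a plain web URL is out of scope
        for pat in self.patterns:
            if pat.startswith("re:"):
                if re.fullmatch(pat[3:], url):
                    return True
            elif fnmatch.fnmatchcase(host, pat.lower()):
                return True
        return False


@dataclass
class Response:
    status: int
    location: Optional[str] = None  # redirect target, if the server sent one


@dataclass
class ActivityLog:
    events: list = field(default_factory=list)
    contacted: set = field(default_factory=set)  # only in-scope URLs ever land here

    def record(self, kind: str, **details) -> None:
        self.events.append({"event": kind, **details})


class ScopeViolation(Exception):
    """The agent would leave scope: stop, flag, and wait for the operator."""


def gated_fetch(policy: ScopePolicy, url: str, transport: Callable[[str], Response],
                log: ActivityLog, max_redirects: int = 5) -> Response:
    """Every network call, including each redirect hop, is checked against the policy
    before transport() is invoked. transport() is the only place a request is sent."""
    current = url
    for _ in range(max_redirects + 1):
        if not policy.allows(current):
            # First-class event in the log; the target is never contacted or counted.
            log.record("SCOPE_VIOLATION", url=current, policy_version=policy.version)
            raise ScopeViolation(current)
        log.record("REQUEST", url=current)
        log.contacted.add(current)
        resp = transport(current)
        if resp.location is None:
            return resp
        target = urljoin(current, resp.location)  # resolve relative Location headers
        log.record("REDIRECT", from_url=current, to_url=target)
        current = target  # re-checked at the top of the loop before it is followed
    raise RuntimeError("too many redirects")


def coverage(log: ActivityLog) -> int:
    """Coverage counts only endpoints that were actually, legitimately contacted."""
    return len(log.contacted)


def constructed_transport(url: str) -> Response:
    """Canned responses standing in for a live target (constructed sample data)."""
    canned = {
        "https://app.example.com/login": Response(200),
        "https://app.example.com/old": Response(302, location="/new"),
        "https://app.example.com/new": Response(200),
        "https://app.example.com/sso": Response(302, location="https://idp.other-vendor.test/auth"),
    }
    return canned.get(url, Response(404))


def run_demo() -> dict:
    policy = ScopePolicy(version="session-1",
                         patterns=("*.example.com", r"re:^https://api\.partner\.test/v1/.*$"))
    log = ActivityLog()
    gated_fetch(policy, "https://app.example.com/old", constructed_transport, log)
    halted = None
    try:
        gated_fetch(policy, "https://app.example.com/sso", constructed_transport, log)
    except ScopeViolation as exc:
        halted = str(exc)  # the out-of-scope hop was flagged and never requested
    try:
        policy.patterns = ("*",)  # attempted mid-run mutation
        mutated = True
    except FrozenInstanceError:
        mutated = False
    return {
        "halted_at": halted,
        "coverage": coverage(log),
        "violations": [e["url"] for e in log.events if e["event"] == "SCOPE_VIOLATION"],
        "policy_mutated": mutated,
    }


if __name__ == "__main__":
    print(run_demo())
```

Running the demo shows the two behaviours the pillar promises: the in-scope relative redirect (`/old` to `/new`) is followed and counted, while the redirect to the out-of-scope identity provider produces a `SCOPE_VIOLATION` event and a halt before any request leaves the gate, so coverage stays at three in-scope URLs.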
Mission execution
Live agentic hunting with full operator visibility
The agent streams its reasoning, tool calls, and intermediate findings in real time. Every step is surfaced in the Mission Control dashboard: what the agent is testing, which endpoints it is touching, and what lifecycle state each finding is in. You can pause, resume, or inject instructions mid-hunt without stopping the session. The glass-box model means you always know exactly what the AI did.
- SSE-backed live activity stream with full event replay
- Pause / resume / steer controls always accessible
- Agent thinking exposed in real time (not hidden behind a spinner)
- Multi-session support: run parallel hunts on separate targets
Validation lifecycle
Three-stage gate before a finding is called confirmed
Every potential finding goes through a mandatory validation pipeline: initial detection, deterministic reproduction attempt (up to 3 passes), and evidence assembly. Only findings that pass all three stages are promoted to "CONFIRMED" status. High-severity findings require a working curl command and a clean HTTP response diff. Nothing is hidden behind an "AI-confirmed" label without evidence.
- Pending → Reproducing → Confirmed → Rejected states clearly tracked
- Failed reproductions archived with explanation, not silently dropped
- CVSS-level tags assigned only after confirmation
- Evidence chain (request, response, diff) bundled with every finding
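The three-stage gate and the state transitions listed above, as an added Python example (illustrative code, not the product's pipeline). It assumes details the page leaves open: a reproduction pass succeeds when it returns evidence with a non-empty response diff, the first successful pass confirms the finding, and the high-severity requirement is checked by looking for a curl command in the captured request. The `scripted_reproducer` helper and the sample `Evidence` values are constructed stand-ins for a live re-test.

```python
"""Three-stage validation gate for agent findings.

Added example; this is not the product's code. Assumptions not stated on the page:
a reproduction pass succeeds when it returns Evidence with a non-empty response diff,
the first successful pass confirms the finding, and the reproduce callables below are
constructed stand-ins for a live re-test against the target.
"""
from dataclasses import dataclass, field
from enum import Enum
from typing import Callable, List, Optional


class State(Enum):
    PENDING = "Pending"
    REPRODUCING = "Reproducing"
    CONFIRMED = "Confirmed"
    REJECTED = "Rejected"


@dataclass
class Evidence:
    request: str   # exact request that triggered the behaviour, as a curl command
    response: str  # raw response observed on re-test
    diff: str      # diff of that response against the baseline response


@dataclass
class Finding:
    title: str
    severity: str                 # "low", "medium", "high" or "critical"
    state: State = State.PENDING  # stage 1 (detection) is what created the Finding
    evidence: Optional[Evidence] = None
    cvss: Optional[float] = None
    history: List[str] = field(default_factory=list)  # archived attempts with reasons


def validate(finding: Finding, reproduce: Callable[[], Optional[Evidence]],
             max_passes: int = 3) -> Finding:
    """Stage 2 (deterministic reproduction, up to max_passes) and stage 3 (evidence
    assembly). reproduce() returns Evidence, or None if the behaviour did not recur."""
    finding.state = State.REPRODUCING
    for attempt in range(1, max_passes + 1):
        ev = reproduce()
        if ev is None or not ev.diff.strip():
            finding.history.append(f"pass {attempt}: behaviour did not reproduce")
            continue
        # Stage 3: high-severity findings need a working curl command and a clean diff.
        if finding.severity in ("high", "critical") and not ev.request.startswith("curl "):
            finding.history.append(f"pass {attempt}: reproduced, but no curl command captured")
            return _reject(finding, "evidence chain incomplete for high severity")
        finding.evidence = ev
        finding.state = State.CONFIRMED
        finding.history.append(f"pass {attempt}: reproduced with request, response and diff")
        return finding
    return _reject(finding, f"did not reproduce in {max_passes} passes")


def _reject(finding: Finding, reason: str) -> Finding:
    """Failed validations are archived with an explanation, never silently dropped."""
    finding.state = State.REJECTED
    finding.history.append(f"rejected: {reason}")
    return finding


def assign_cvss(finding: Finding, score: float) -> Finding:
    """CVSS tags are only ever attached to confirmed findings."""
    if finding.state is not State.CONFIRMED:
        raise ValueError(f"cannot tag {finding.title}: state is {finding.state.value}")
    finding.cvss = score
    return finding


def scripted_reproducer(outcomes: List[Optional[Evidence]]) -> Callable[[], Optional[Evidence]]:
    """Constructed stand-in: returns the given outcomes one per pass, then None."""
    queue = list(outcomes)
    return lambda: queue.pop(0) if queue else None


def run_demo() -> dict:
    # Constructed sample evidence for a hypothetical missing-authorization finding.
    good = Evidence("curl -i https://app.example.com/api/orders/42",
                    "HTTP/1.1 200 OK\n{...order belonging to another account...}",
                    "-HTTP/1.1 403 Forbidden\n+HTTP/1.1 200 OK")
    no_curl = Evidence("GET /api/orders/42", good.response, good.diff)

    flaky = validate(Finding("Missing authorization on /api/orders/{id}", "high"),
                     scripted_reproducer([None, None, good]))
    never = validate(Finding("Timing anomaly", "low"),
                     scripted_reproducer([None, None, None]))
    weak = validate(Finding("Missing authorization on /api/orders/{id}", "high"),
                    scripted_reproducer([no_curl]))
    assign_cvss(flaky, 7.5)
    try:
        assign_cvss(never, 3.1)
        tagged_unconfirmed = True
    except ValueError:
        tagged_unconfirmed = False
    return {
        "flaky": (flaky.state.value, len(flaky.history), flaky.cvss),
        "never": (never.state.value, never.history[-1]),
        "weak": (weak.state.value, weak.evidence),
        "tagged_unconfirmed": tagged_unconfirmed,
    }


if __name__ == "__main__":
    print(run_demo())
```

The three scripted findings exercise each exit from the pipeline: one reproduces only on the third pass and is confirmed with its evidence chain attached, one never reproduces and is rejected with the pass-by-pass history preserved, and one reproduces but lacks the curl command a high-severity finding requires, so it is rejected rather than promoted. The CVSS gate refuses to tag anything that is not in the Confirmed state.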
Submission output
Reports built for real disclosure programs, not demos
The final output is not a JSON blob or a raw log. It is a structured PoC report formatted for the platform you are submitting to: HackerOne, Bugcrowd, Intigriti, or custom templates. The report includes the vulnerability summary, CVSS score, step-by-step reproduction, a curl command, and the evidence diff. Copy. Paste. Submit. No cleanup needed.
- Platform-native templates: HackerOne, Bugcrowd, custom markdown
- Reproduction steps generated automatically from live agent trace
- Curl command included and verified against the confirmed response
- Reports exportable as markdown, PDF, or direct API push (Elite)