Project Settings Reference

samuele edited this page Apr 21, 2026 · 34 revisions

Every project in RedAmon has 245+ configurable parameters that control the behavior of each reconnaissance module, the AI agent, and CypherFix automated remediation. These settings are managed through the project form UI (16 tabs across four groups: Scope, Recon Pipeline, AI Agent, Remediation), stored in PostgreSQL, and fetched by the recon container and agent at runtime.

Project Form Tabs

Defaults: Sensible defaults are loaded automatically from the server when creating a new project. You only need to fill in the required fields (project name and target domain — or target IPs in IP mode) and adjust what you want.

Recon Presets: Instead of configuring the 215+ parameters below individually, you can apply a Recon Preset that sets all recon parameters at once. See Recon Presets for the full list of 21 built-in presets and how to create your own.

Target Configuration

| Parameter | Default | Description |
|---|---|---|
| Start from IP (IP Mode) | false | Toggle between domain mode and IP/CIDR targeting mode. Locked after project creation. When enabled, hides domain fields and shows IP/CIDR input |
| Target Domain | | The root domain to assess (required in domain mode, hidden in IP mode) |
| Target IPs / CIDRs | [] | IP addresses and CIDR ranges to scan (IP mode only). Accepts IPv4, IPv6, and CIDR notation up to /24 (256 hosts) |
| Subdomain List | [] | Specific subdomain prefixes to scan (empty = discover all). Domain mode only |
| Verify Domain Ownership | false | Require DNS TXT record proof before scanning. Domain mode only |
| Ownership Token | (auto) | Unique token for TXT record verification |
| Ownership TXT Prefix | `_redamon` | DNS record name prefix |
| Stealth Mode | false | Forces passive-only techniques — disables active scanning, brute force, and GVM |
| Use Tor | false | Route all recon traffic through the Tor network |
| Use Bruteforce | true | Enable Knockpy active subdomain bruteforcing. Domain mode only |

Scan Module Toggles

Modules can be individually enabled/disabled with automatic dependency resolution — disabling a parent module automatically disables all children:

```
domain_discovery (root)
  └── port_scan
       └── http_probe
            ├── resource_enum
            └── vuln_scan
```

| Parameter | Default | Description |
|---|---|---|
| Scan Modules | all enabled | Array of phases to execute |
| Update Graph DB | true | Auto-import results into Neo4j |
| WHOIS Max Retries | 3 | Retry attempts for WHOIS lookups |
| DNS Max Retries | 3 | Retry attempts for DNS resolution |
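The dependency-resolution rule above, as an added Python example (not RedAmon's own code): it encodes the module tree and reports which requested modules are switched off because a parent is missing; function and variable names are this example's own.

```python
"""Scan Modules dependency resolution.

Added example, not RedAmon's own code. It models the module tree shown above
and the documented rule that disabling a parent module disables all of its
children; function and variable names are this example's own.
"""
from __future__ import annotations

# parent -> direct children, as drawn in the tree above (insertion order keeps
# every parent ahead of its children, which resolve_modules relies on)
MODULE_TREE: dict[str, list[str]] = {
    "domain_discovery": ["port_scan"],
    "port_scan": ["http_probe"],
    "http_probe": ["resource_enum", "vuln_scan"],
    "resource_enum": [],
    "vuln_scan": [],
}
ALL_MODULES = list(MODULE_TREE)


def descendants(module: str) -> set[str]:
    """Every module that transitively depends on `module`."""
    found: set[str] = set()
    stack = list(MODULE_TREE[module])
    while stack:
        child = stack.pop()
        if child not in found:
            found.add(child)
            stack.extend(MODULE_TREE[child])
    return found


def resolve_modules(requested: list[str]) -> tuple[list[str], list[str]]:
    """Apply the parent-disables-children rule to a requested module list.

    Returns (enabled, cascaded_off): `enabled` is in tree order and contains a
    module only if it was requested and every ancestor is enabled;
    `cascaded_off` lists requested modules that were switched off because a
    parent was missing or itself cascaded off.
    """
    unknown = sorted(set(requested) - set(MODULE_TREE))
    if unknown:
        raise ValueError(f"unknown scan modules: {unknown}")
    wanted = set(requested)
    disabled: set[str] = set()
    for module in ALL_MODULES:  # parents are visited before their children
        if module not in wanted or module in disabled:
            disabled |= descendants(module)
    enabled = [m for m in ALL_MODULES if m in wanted and m not in disabled]
    cascaded_off = [m for m in ALL_MODULES if m in wanted and m in disabled]
    return enabled, cascaded_off


if __name__ == "__main__":
    # port_scan left out: http_probe and vuln_scan are requested but cascade off
    print(resolve_modules(["domain_discovery", "http_probe", "vuln_scan"]))
```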

Port Scanner (Masscan)

High-speed SYN port scanner optimized for large networks and IP/CIDR ranges. Runs in parallel with Naabu — results are merged and deduplicated automatically. Incompatible with Tor (raw SYN packets bypass TCP stack). Both scanners are enabled by default.

Graph nodes — consumes: IP, Domain | produces: Port, Service

| Parameter | Default | Description |
|---|---|---|
| Enabled | true | Toggle Masscan on/off |
| Top Ports | 1000 | Port selection: 100, 1000, or "full" for all 65535 |
| Custom Ports | | Manual port range (e.g., 80,443,8080-8090). Overrides Top Ports |
| Rate | 1000 | Packets per second. Masscan handles very high rates (10k+) |
| Banners | false | Capture service banners (SSH, HTTP, etc.). Increases scan time |
| Wait | 10 | Seconds to wait for late responses after scan completes |
| Retries | 1 | Retry attempts for unresponsive ports |
| Exclude Targets | | Comma-separated IPs/CIDRs to exclude from scanning |

Warning: If both Masscan and Naabu are disabled, port scanning is skipped entirely and downstream modules (HTTP probe, vulnerability scanning) will produce no results.


Port Scanner (Naabu)

Controls how ports are discovered on target hosts.

Graph nodes — consumes: IP, Domain | produces: Port, Service

| Parameter | Default | Description |
|---|---|---|
| Top Ports | 1000 | Port selection: 100, 1000, or custom |
| Custom Ports | | Manual port range (e.g., 80,443,8080-8090) |
| Scan Type | SYN | SYN (fast, requires root) or CONNECT (slower, no root needed) |
| Rate Limit | 1000 | Packets per second |
| Threads | 25 | Parallel scanning threads |
| Timeout | 10000 | Per-port timeout in milliseconds |
| Retries | 3 | Retry attempts for unresponsive ports |
| Exclude CDN | true | Skip CDN-hosted IPs (Cloudflare, Akamai, etc.) |
| Display CDN | true | Show CDN info but don't scan deeper |
| Skip Host Discovery | false | Skip ping-based host check |
| Verify Ports | false | Double-check ports with TCP handshake |
| Passive Mode | false | Use Shodan InternetDB instead of active scanning (zero packets) |

Nmap Service Detection

Deep service version detection (-sV) and NSE vulnerability scripts (--script vuln) on discovered open ports. Runs after port scan merge (GROUP 3.5), only probing ports already confirmed open by Masscan/Naabu. Detected service versions feed into the CVE lookup pipeline for NVD/Vulners enrichment.

Graph nodes -- consumes: IP, Port | produces: Port (enriched), Service (enriched), Technology, Vulnerability, CVE

| Parameter | Default | Description |
|---|---|---|
| Enabled | true | Toggle Nmap service detection on/off |
| Version Detection (-sV) | true | Probe open ports for service/version info |
| NSE Vulnerability Scripts | true | Run --script vuln for vulnerability detection |
| Timing Template | T3 | Nmap timing template: T1 (Sneaky), T2 (Polite), T3 (Normal), T4 (Aggressive), T5 (Insane) |
| Total Timeout | 600 | Maximum total scan duration in seconds |
| Per-Host Timeout | 300 | Maximum time per target host in seconds |
| Parallelism | 2 | Number of IPs to scan concurrently. Higher values speed up scanning but increase network load (1-10) |

Stealth mode overrides: timing forced to T2 (Polite), NSE scripts disabled.


HTTP Prober (httpx)

Controls what metadata is extracted from live HTTP services.

Graph nodes — consumes: Domain, IP, Port, Service | produces: BaseURL, Certificate, Technology, Header, Service, Port

Connection Settings:

| Parameter | Default | Description |
|---|---|---|
| Threads | 50 | Concurrent HTTP probes |
| Timeout | 15 | Request timeout (seconds) |
| Retries | 0 | Retry attempts for failed requests |
| Rate Limit | 150 | Requests per second |
| Follow Redirects | true | Follow HTTP redirects |
| Max Redirects | 10 | Maximum redirect chain depth |

Probe Toggles (each individually enabled/disabled):

| Probe | Default | Description |
|---|---|---|
| Status Code | true | HTTP response status code |
| Content Length | true | Response body size |
| Content Type | true | MIME type of response |
| Title | true | HTML page title |
| Server | true | Server header value |
| Response Time | true | Time to first byte |
| Word Count | true | Number of words in response |
| Line Count | true | Number of lines in response |
| Tech Detect | true | Built-in technology fingerprinting |
| IP | true | Resolved IP address |
| CNAME | true | CNAME DNS records |
| TLS Info | true | TLS certificate details |
| TLS Grab | true | Full TLS handshake data |
| Favicon | false | Favicon hash (for fingerprinting) |
| JARM | false | JARM TLS fingerprint |
| ASN | true | Autonomous System Number |
| CDN | true | CDN provider detection |
| Response Hash | | Hash algorithm for response body |
| Include Response | false | Include full response body |
| Include Response Headers | false | Include all response headers |

Filtering:

| Parameter | Default | Description |
|---|---|---|
| Paths | [] | Additional paths to probe on each host |
| Custom Headers | [] | Extra headers to send with requests |
| Match Codes | [] | Only keep responses with these status codes |
| Filter Codes | [] | Exclude responses with these status codes |

Technology Detection (Wappalyzer)

Second-pass technology fingerprinting engine with 6,000+ fingerprints.

| Parameter | Default | Description |
|---|---|---|
| Enabled | true | Master toggle for Wappalyzer |
| Min Confidence | 50 | Minimum detection confidence (0-100%) |
| Require HTML | false | Only fingerprint responses with HTML content |
| Auto Update | true | Update fingerprint database from npm |
| NPM Version | 6.10.56 | Wappalyzer npm package version |
| Cache TTL (hours) | 24 | How long to cache fingerprint data |

Banner Grabbing

Raw socket banner extraction for non-HTTP services.

| Parameter | Default | Description |
|---|---|---|
| Enabled | true | Master toggle for banner grabbing |
| Timeout | 5 | Connection timeout (seconds) |
| Threads | 10 | Concurrent banner grab connections |
| Max Length | 1024 | Maximum banner size (bytes) |

Web Crawler (Katana)

Active web crawling for endpoint and parameter discovery.

Graph nodes — consumes: BaseURL | produces: Endpoint, Parameter, BaseURL

| Parameter | Default | Description |
|---|---|---|
| Enable Katana | true | Master toggle for active web crawling |
| Crawl Depth | 2 | How many links deep to follow (1-10). Each level adds ~50% time |
| Max URLs | 300 | Maximum URLs to collect per domain. 300: ~1-2 min/domain, 1000+: scales linearly |
| Rate Limit | 50 | Requests per second |
| Timeout | 3600 | Overall crawl timeout in seconds (default: 60 minutes) |
| JavaScript Crawling | false | Parse JS files with headless browser (+50-100% time) |
| Parameters Only | false | Only keep URLs with query parameters for DAST fuzzing |
| Exclude Patterns | [100+ patterns] | URL patterns to skip — static assets, images, CDN URLs |
| Custom Headers | [] | Browser-like headers to avoid detection |
| Parallelism | 5 | Number of target URLs to crawl simultaneously via -p flag (1-50) |
| Concurrency | 10 | Concurrent HTTP fetchers per target URL via -c flag (1-50) |

Passive URL Discovery (GAU)

Passive URL discovery from web archives and threat intelligence sources.

Graph nodes — consumes: Domain, Subdomain | produces: Endpoint, Parameter, BaseURL

| Parameter | Default | Description |
|---|---|---|
| Enable GAU | false | Master toggle for passive URL discovery |
| Providers | wayback, commoncrawl, otx, urlscan | Data sources for archived URLs |
| Max URLs | 1000 | Maximum URLs per domain (0 = unlimited) |
| Timeout | 60 | Request timeout per provider (seconds) |
| Threads | 5 | Parallel fetch threads (1-20) |
| Year Range | [] | Filter Wayback by year (e.g., "2020, 2024"). Empty = all |
| Verbose Output | false | Detailed logging |
| Blacklist Extensions | [png, jpg, css, pdf, zip, ...] | File extensions to exclude |
| Workers | 10 | Parallel domain query workers (replaces hardcoded limit of 5) (1-20) |

URL Verification (when enabled, GAU confirms URLs are still live):

| Parameter | Default | Description |
|---|---|---|
| Verify URLs | false | HTTP check on archived URLs |
| Verify Timeout | 5 | Seconds per URL check |
| Verify Rate Limit | 100 | Verification requests per second |
| Verify Threads | 50 | Concurrent verification threads (1-100) |
| Accept Status Codes | [200, 201, 301, ...] | Status codes indicating a live URL |
| Filter Dead Endpoints | true | Exclude 404/500/timeout URLs |

HTTP Method Detection (when verification is enabled):

| Parameter | Default | Description |
|---|---|---|
| Detect Methods | false | Send OPTIONS to discover allowed methods |
| Method Detect Timeout | 5 | Seconds per OPTIONS request |
| Method Detect Rate Limit | 50 | Requests per second |
| Method Detect Threads | 25 | Concurrent threads |

ParamSpider Passive Parameter Discovery

ParamSpider discovers URL parameters from the Wayback Machine archives. It queries web.archive.org for historical URLs containing query parameters, providing passive parameter discovery without sending any requests to the target. Disabled by default.

Graph nodes - consumes: Domain, Subdomain | produces: Endpoint, Parameter

| Parameter | Default | Description |
|---|---|---|
| Enable ParamSpider | false | Master toggle for passive parameter discovery |
| Placeholder | FUZZ | Placeholder string injected into parameter values for downstream fuzzing |
| Timeout | 120 | Overall timeout in seconds |
| Workers | 5 | Parallel domain workers for Wayback Machine queries (1-10) |

API Discovery (Kiterunner)

API endpoint brute-forcing using real-world Swagger/OpenAPI wordlists.

Graph nodes — consumes: BaseURL | produces: Endpoint, BaseURL

| Parameter | Default | Description |
|---|---|---|
| Enable Kiterunner | true | Master toggle for API brute-forcing |
| Wordlist | routes-large | routes-large (~100k, 10-30 min) or routes-small (~20k, 5-10 min) |
| Rate Limit | 100 | Requests per second |
| Connections | 100 | Concurrent connections per target |
| Timeout | 10 | Per-request timeout (seconds) |
| Scan Timeout | 1000 | Overall scan timeout (seconds) |
| Threads | 50 | Parallel scanning threads |
| Min Content Length | 0 | Ignore responses smaller than this (bytes) |
| Parallelism | 2 | Number of wordlists to process in parallel (1-5) |

Status Code Filters:

| Parameter | Default | Description |
|---|---|---|
| Ignore Status Codes | [] | Blacklist: filter out noise (e.g., 404, 500) |
| Match Status Codes | [200, 201, ...] | Whitelist: only keep these codes. Includes 401/403 |
| Custom Headers | [] | For authenticated API scanning |

Method Detection:

| Parameter | Default | Description |
|---|---|---|
| Detect Methods | true | Find POST/PUT/DELETE methods beyond GET |
| Detection Mode | bruteforce | bruteforce (slower, more accurate) or options (faster) |
| Bruteforce Methods | POST, PUT, DELETE, PATCH | Methods to try in bruteforce mode |
| Method Detect Timeout | 5 | Seconds per request |
| Method Detect Rate Limit | 50 | Requests per second |
| Method Detect Threads | 25 | Concurrent threads |

Web Crawler (Hakrawler)

Hakrawler is a DOM-aware web crawler that runs as a Docker container alongside Katana. It provides an additional crawling perspective with scope-aware link following.

Graph nodes — consumes: BaseURL | produces: Endpoint, Parameter, BaseURL

| Parameter | Default | Description |
|---|---|---|
| Enable Hakrawler | true | Master toggle for Hakrawler crawling |
| Docker Image | jauderho/hakrawler:latest | Docker image to use |
| Crawl Depth | 2 | How many links deep to follow (1-10) |
| Threads | 5 | Concurrent crawling threads |
| Per-URL Timeout | 30 | Timeout per URL in seconds |
| Max URLs | 500 | Maximum URLs to discover |
| Include Subdomains | true | Allow crawler to follow links to subdomains. Results are still scope-filtered |
| Skip TLS Verify | true | Skip TLS certificate verification |
| Custom Headers | [] | Custom HTTP headers for requests |
| Parallelism | 4 | Number of URLs to crawl in parallel Docker containers (1-10) |

Stealth mode: Hakrawler is automatically disabled in stealth mode to reduce the active crawling footprint.


JavaScript Analysis (jsluice)

jsluice is a JavaScript analysis tool compiled into the recon container. It downloads JS files discovered by Katana/Hakrawler from the target and analyzes them to extract hidden URLs, API endpoints, and embedded secrets.

Graph nodes — consumes: BaseURL, Endpoint | produces: Endpoint, Parameter, BaseURL, Secret

| Parameter | Default | Description |
|---|---|---|
| Enable jsluice | true | Master toggle for JavaScript analysis |
| Max Files | 50 | Maximum number of JS files to analyze |
| Timeout | 120 | Overall analysis timeout in seconds |
| Concurrency | 5 | Files to process concurrently |
| Extract URLs | true | Extract URLs and API endpoints from JS |
| Extract Secrets | true | Detect API keys, tokens, and credentials |
| Parallelism | 3 | Number of base URLs to analyze in parallel (1-10) |

Note: jsluice downloads JS files from the target (HTTP requests) and analyzes them locally. No additional crawling beyond fetching the JS files themselves.


JS Reconnaissance

JS Recon is a deep JavaScript analysis engine that runs as GROUP 5b in the pipeline -- after resource enumeration. It downloads discovered JS files and runs six parallel analysis modules to extract secrets, endpoints, dependency confusion risks, source map exposures, DOM XSS sinks, and framework fingerprints. Disabled by default.

Graph nodes -- consumes: BaseURL, Endpoint | produces: JsReconFinding, Secret, Endpoint

Core Settings:

| Parameter | Default | Description |
|---|---|---|
| Enable JS Recon | false | Master toggle for JS Reconnaissance (GROUP 5b) |
| Max Files | 500 | Maximum number of JS files to download and analyze |
| Concurrency | 10 | Concurrent file download threads |
| Timeout | 900 | Overall JS Recon timeout in seconds |
| Include Framework JS | true | Include framework-specific chunks (/_next/static/, /_nuxt/) |
| Include Chunks | true | Include .chunk.js and .bundle.js files |
| Include Archived JS | true | Include JS URLs from GAU/Wayback archive sources |

Module Toggles:

| Parameter | Default | Description |
|---|---|---|
| Secret Pattern Scanning | true | Scan JS files against 90+ regex patterns for credentials, tokens, and secrets |
| Source Map Discovery | true | Discover exposed .map files via comment parsing, HTTP headers, and path probing |
| Dependency Confusion Check | true | Check scoped npm packages against public registry for confusion risks |
| Endpoint Extraction | true | Extract REST, GraphQL, WebSocket, router, and admin/debug endpoints |
| DOM Sink Detection | true | Detect 15 DOM XSS sink patterns (innerHTML, eval, proto, etc.) |
| Framework Detection | true | Identify 12 frameworks with version extraction |
| Dev Comment Extraction | true | Extract TODO/FIXME/HACK comments with sensitive keywords |

Secret Validation:

| Parameter | Default | Description |
|---|---|---|
| Validate Discovered Keys | true | Test discovered secrets against their service APIs (21 services supported) |
| Validation Timeout | 5 | Per-validation request timeout in seconds |
| Minimum Confidence | low | Minimum confidence level to keep findings: low, medium, or high |

JS File Sources:

| Parameter | Default | Description |
|---|---|---|
| Include Webpack Chunks | true | Analyze .chunk.js and .bundle.js files excluded by Katana |
| Include Framework JS | true | Fetch Next.js (/_next/static/chunks/) and Nuxt.js (/_nuxt/) bundles |
| Include Archived JS | true | Analyze historical JS files from Wayback Machine/GAU |

Custom Extensions (file uploads -- edit mode only):

| Parameter | Default | Format | Description |
|---|---|---|---|
| Custom Secret Patterns | -- | JSON array or TXT (name\|regex\|severity\|confidence per line) | Additional regex patterns. JSON schema: [{name, regex, severity?, confidence?}] |
| Custom Source Map Paths | -- | TXT (one URL template per line using {url}, {base}, (unknown)) | Extra paths to probe for .map files |
| Custom Internal Packages | -- | TXT (one @scope/name per line) | Known internal npm package names to check against public registry |
| Custom Endpoint Keywords | -- | TXT (one keyword per line, min 2 chars) | Extra keywords to search for in JS content |
| Custom Framework Signatures | -- | JSON array [{name, patterns[], version_regex}] | Detection signatures for custom frameworks |

All custom files have client-side validation before upload. Files are additive and do not replace built-in defaults.
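A loader for the Custom Secret Patterns formats described above, as an added Python example (not RedAmon's own validation code): it accepts both the JSON and the TXT shape, handles alternation bars inside a TXT regex, validates that each regex compiles, and applies the Minimum Confidence filter from the Secret Validation table. The accepted severity set, the defaults used when severity or confidence is omitted, and the sample inputs are this example's assumptions.

```python
"""Loader for the JS Recon Custom Secret Patterns upload.

Added example, not RedAmon's own code. It parses both documented shapes
(JSON array of {name, regex, severity?, confidence?} and TXT
name|regex|severity|confidence per line) and applies the Minimum Confidence
filter. The accepted severity set and the defaults used when severity or
confidence is omitted are assumptions.
"""
import json
import re
from dataclasses import dataclass

CONFIDENCE = ("low", "medium", "high")                    # Minimum Confidence levels
SEVERITY = ("critical", "high", "medium", "low", "info")  # assumed set
DEFAULT_SEVERITY = DEFAULT_CONFIDENCE = "medium"          # assumed defaults


@dataclass(frozen=True)
class SecretPattern:
    name: str
    regex: re.Pattern
    severity: str
    confidence: str


def build_pattern(name, regex, severity, confidence, where):
    """Validate one pattern; `where` names the line/item in error messages."""
    if not name or not regex:
        raise ValueError(f"{where}: name and regex are required")
    severity = (severity or DEFAULT_SEVERITY).lower()
    confidence = (confidence or DEFAULT_CONFIDENCE).lower()
    if severity not in SEVERITY or confidence not in CONFIDENCE:
        raise ValueError(f"{where}: bad severity/confidence {severity}/{confidence}")
    try:
        compiled = re.compile(regex)
    except re.error as exc:
        raise ValueError(f"{where}: regex does not compile: {exc}") from exc
    return SecretPattern(name, compiled, severity, confidence)


def parse_secret_patterns(text):
    """Accept either upload shape; the JSON array is recognised by its leading '['."""
    body = text.strip()
    if body.startswith("["):
        return [build_pattern(item.get("name"), item.get("regex"), item.get("severity"),
                              item.get("confidence"), f"item {i}")
                for i, item in enumerate(json.loads(body))]
    patterns = []
    for lineno, raw in enumerate(body.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        name, *rest = [f.strip() for f in line.split("|")]
        severity = confidence = None
        # Trailing fields count as levels only when they are valid level words;
        # everything else is re-joined with '|' so alternation inside the regex survives.
        if len(rest) >= 3 and rest[-2].lower() in SEVERITY and rest[-1].lower() in CONFIDENCE:
            severity, confidence, rest = rest[-2], rest[-1], rest[:-2]
        elif len(rest) >= 2 and rest[-1].lower() in SEVERITY:
            severity, rest = rest[-1], rest[:-1]
        patterns.append(build_pattern(name, "|".join(rest), severity, confidence, f"line {lineno}"))
    return patterns


def find_secrets(js_source, patterns, min_confidence="low"):
    """Run every pattern over one JS file, keeping findings at or above min_confidence."""
    floor = CONFIDENCE.index(min_confidence)
    return [{"pattern": p.name, "severity": p.severity, "confidence": p.confidence,
             "match": m.group(0)}
            for p in patterns if CONFIDENCE.index(p.confidence) >= floor
            for m in p.regex.finditer(js_source)]


# Constructed sample upload and JS snippet (placeholder values, not real secrets)
SAMPLE_TXT = """# name|regex|severity|confidence
internal_token|INT_(live|test)_[A-Za-z0-9]{8}|high|high
debug_flag|DEBUG_MODE\\s*=\\s*true|low|low
"""
SAMPLE_JS = "const t = 'INT_test_abc12345'; // DEBUG_MODE = true"

if __name__ == "__main__":
    print(find_secrets(SAMPLE_JS, parse_secret_patterns(SAMPLE_TXT), "medium"))
```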

Manual File Upload (edit mode only):

| Parameter | Default | Description |
|---|---|---|
| Uploaded JS Files | [] | JS files for analysis without crawling -- from Burp Suite, mobile APKs, DevTools, or authenticated areas (.js, .mjs, .map, .json, max 10 MB each, multiple files supported) |

Note: JS Recon is passive -- it downloads JS files already discovered by crawlers and analyzes them locally. Secret validation sends one minimally-scoped API request per secret with per-service rate limiting (1 req/sec). See JS Reconnaissance for full upload schemas, validation rules, and format examples.


Directory Fuzzer (FFuf)

FFuf (Fuzz Faster U Fool) brute-forces directory and endpoint paths using wordlists to discover hidden content that crawlers cannot find — admin panels, backup files, configuration pages, and undocumented APIs. Runs after jsluice and before Kiterunner in the pipeline. Disabled by default.

Graph nodes — consumes: BaseURL, Endpoint | produces: Endpoint, BaseURL

| Parameter | Default | Description |
|---|---|---|
| Enable FFuf | false | Master toggle for directory fuzzing |
| Wordlist | common.txt | SecLists wordlist: common.txt, raft-medium-directories.txt, or directory-list-2.3-small.txt. Custom uploaded wordlists also appear here |
| Threads | 40 | Concurrent fuzzing threads |
| Rate | 0 | Requests per second (0 = unlimited). Capped by RoE if active |
| Timeout | 10 | Per-request timeout in seconds |
| Max Time | 600 | Overall fuzzing timeout in seconds (per target) |
| Match Codes | 200, 201, 204, 301, 302, 307, 308, 401, 403, 405 | HTTP status codes to keep |
| Filter Codes | [] | HTTP status codes to exclude |
| Filter Size | | Response sizes to filter (comma-separated, e.g., 0,4242) |
| Extensions | [] | File extensions to append (e.g., .php, .bak, .env) |
| Recursion | false | Enable recursive fuzzing into discovered directories |
| Recursion Depth | 2 | Maximum recursion depth (1-5) |
| Auto-Calibrate | true | Automatically filter false positives |
| Follow Redirects | false | Follow HTTP redirects |
| Custom Headers | [] | Custom HTTP headers (one per line, Name: Value format) |
| Smart Fuzz | true | Fuzz under base paths discovered by crawlers (e.g., /api/v1/FUZZ) |
| Parallelism | 3 | Number of targets to fuzz in parallel. Per-target threads are automatically reduced to avoid resource contention (1-10) |

Custom Wordlists:

Upload your own .txt wordlists per-project via the FFuf settings UI. Uploaded wordlists appear in the dropdown under "Your custom lists" alongside the built-in SecLists. Maximum file size: 50 MB.

Stealth mode: FFuf is automatically disabled in stealth mode (it is an active brute-force tool).

RoE: When Rules of Engagement are active and FFUF_RATE is 0 (unlimited), it is automatically capped to the RoE max requests per second.


Parameter Discovery (Arjun)

Arjun discovers hidden HTTP query and body parameters on discovered endpoints by testing ~25,000 common parameter names. It finds debug parameters, admin functionality, and hidden API inputs that aren't visible in HTML forms or JavaScript. Runs after FFuf in the pipeline, testing endpoints already discovered by crawlers and fuzzers. Disabled by default.

Graph nodes — consumes: BaseURL, Endpoint | produces: Parameter

| Setting | Default | Description |
|---|---|---|
| Enable Arjun | false | Master toggle for parameter discovery |
| HTTP Methods | GET | Methods to test: GET (query params), POST (form body), JSON (JSON body), XML (XML body). Multiple methods run in parallel. |
| Max Endpoints | 50 | Maximum number of discovered endpoints to test. API and dynamic endpoints are prioritized over static ones. |
| Threads | 2 | Concurrent parameter testing threads per Arjun process |
| Request Timeout | 15s | Per-request timeout |
| Scan Timeout | 600s | Overall scan timeout per method |
| Chunk Size | 500 | Number of parameters tested per request batch. Lower values increase accuracy but make more requests. |
| Rate Limit | 0 | Max requests per second (0 = unlimited) |
| Stable Mode | false | Add random delays between requests to avoid WAF detection. Forces threads to 1 internally. |
| Passive Mode | false | Use CommonCrawl, OTX, and WaybackMachine only — no active requests to target |
| Disable Redirects | false | Do not follow HTTP redirects during parameter testing |
| Custom Headers | [] | Custom HTTP headers (e.g., auth tokens) added to every request |

Stealth mode: Arjun is automatically switched to passive mode in stealth mode (queries archives only, sends no requests to the target).

RoE: When Rules of Engagement are active and ARJUN_RATE_LIMIT is 0 (unlimited), it is automatically capped to the RoE max requests per second.


GraphQL Security Testing

Dedicated GraphQL security testing module that discovers GraphQL endpoints, tests for exposed introspection, extracts the schema, flags sensitive fields, and (optionally) runs the external graphql-cop Docker container for 12 additional misconfiguration checks (alias overloading, batch query DoS, GraphiQL detection, trace mode, CSRF variants, etc.). Runs as GROUP 6 Phase A in parallel with Nuclei — both scanners read BaseURL/Endpoint/Technology and write Vulnerability nodes, but have zero data dependency on each other. Disabled by default.

Graph nodes -- consumes: BaseURL, Endpoint, Domain, Technology | produces: Endpoint (with GraphQL capability flags), Vulnerability, CVE

Core Settings:

| Parameter | Default | Description |
|---|---|---|
| Enable GraphQL Security | false | Master toggle for the GraphQL security scanner (GROUP 6 Phase A) |
| Introspection Test | true | Probe each candidate endpoint for exposed introspection (__schema, __type). When enabled, extracts the full schema, counts queries/mutations/subscriptions, computes a schema hash, and flags sensitive fields (password, token, secret, key, ssn, credit, cvv, etc.) |
| Request Timeout | 30 | Per-request timeout in seconds (clamped 1-600). Applies to the initial { __typename } probe, the simple introspection query, and the deep introspection query |
| Rate Limit | 10 | Maximum requests per second across all endpoints (clamped 0-100, 0 = unlimited). Enforced globally — delay = 1/rate_limit between submissions |
| Concurrency | 5 | Parallel endpoint-testing threads (clamped 1-20, auto-reduced when fewer endpoints than threads). Endpoints are tested via ThreadPoolExecutor; 1 forces sequential mode |
| Introspection Depth Limit | 10 | Recursion depth for the TypeRef fragment in the full introspection query (clamped 1-20). Higher values extract more info on deeply-wrapped types (NON_NULL → LIST → NON_NULL → NAMED). Lower values avoid server-side query rejection on limit-aware GraphQL engines |
| Retry Count | 3 | HTTP retry attempts on transient failures (clamped 0-10). Targets 429, 500, 502, 503, 504 and connection-level errors |
| Retry Backoff | 2.0 | Base backoff factor in seconds between retries (clamped 0-10). Uses exponential backoff via urllib3 Retry(backoff_factor=) |
| Verify SSL | true | Verify TLS certificates on all GraphQL probes. Disable to test endpoints with self-signed or untrusted certificates |
| Custom Endpoints | | Comma-separated GraphQL endpoint URLs to test explicitly, in addition to auto-discovered ones (e.g. https://api.example.com/graphql,https://app.example.com/v1/query) |

Endpoint Discovery:

The module auto-discovers GraphQL endpoints from five sources, deduplicated and sorted:

| Source | How It Discovers |
|---|---|
| User-specified | Values in the Custom Endpoints setting |
| HTTP probe | Endpoints with application/graphql Content-Type or GraphQL indicators in response |
| Resource enum | Katana/Hakrawler/FFuf/GAU endpoints whose path contains graphql, gql, or query (POST only) — plus endpoints with query, mutation, variables, or operationName parameters |
| JS Recon | Findings of type graphql or graphql_introspection extracted from JavaScript analysis |
| Pattern probing | Appends common GraphQL paths to every discovered base URL: /graphql, /api/graphql, /v1/graphql, /v2/graphql. Secondary patterns (/query, /api/query, /gql, /api/gql, /graphiql, /api/graphiql, /playground, /api/playground) are tested only on base URLs that already show GraphQL evidence elsewhere |

Authentication:

When Auth Type is set, the scanner attaches auth headers to every introspection probe and to graphql-cop (via -H JSON headers). Authentication values are masked in logs.

| Parameter | Default | Description |
|---|---|---|
| Auth Type | | One of: bearer, cookie, header, basic, apikey (case-insensitive). Empty = no auth |
| Auth Value | | The token, cookie string, raw header value, or username:password pair (basic) |
| Auth Header Name | | Custom header name used when Auth Type is header (defaults to X-Auth-Token) or apikey (defaults to X-API-Key) |

Auth type behavior:

| Type | Emitted Header |
|---|---|
| bearer | `Authorization: Bearer <value>` |
| cookie | `Cookie: <value>` |
| basic | `Authorization: Basic <base64(username:password)>` |
| header | `<Auth Header Name>: <value>` |
| apikey | `<Auth Header Name or X-API-Key>: <value>` |
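The endpoint discovery and authentication rules above, as an added Python example (not RedAmon's own scanner code): it generates the candidate endpoint list with the primary/secondary pattern-probing rule and the resource-enum evidence rule, builds the auth header for each Auth Type exactly as the table lists, masks header values for logging, and emits the depth-limited TypeRef fragment from the Introspection Depth Limit setting. Function names and the shape of the inputs are this example's own.

```python
"""GraphQL endpoint discovery and auth header helpers.

Added example, not RedAmon's own code. Implements the documented
pattern-probing rule (primary paths on every base URL, secondary paths only
on base URLs with GraphQL evidence elsewhere), the resource-enum evidence
rule, the Auth Type header table and the depth-limited TypeRef fragment.
Function names and input shapes are this example's own.
"""
from __future__ import annotations

import base64
from urllib.parse import parse_qsl, urlsplit

PRIMARY_PATHS = ("/graphql", "/api/graphql", "/v1/graphql", "/v2/graphql")
SECONDARY_PATHS = ("/query", "/api/query", "/gql", "/api/gql",
                   "/graphiql", "/api/graphiql", "/playground", "/api/playground")
GRAPHQL_PARAMS = {"query", "mutation", "variables", "operationName"}


def origin(url: str) -> str:
    """scheme://host[:port], lower-cased, used to group endpoints per base URL."""
    p = urlsplit(url)
    return f"{p.scheme}://{p.netloc}".lower()


def resource_enum_evidence(url: str, method: str = "GET") -> bool:
    """Resource-enum rule: path contains graphql or gql; path contains query
    (read here as POST-only); or the URL carries a GraphQL-style parameter."""
    p = urlsplit(url)
    path = p.path.lower()
    if "graphql" in path or "gql" in path:
        return True
    if "query" in path and method.upper() == "POST":
        return True
    names = {k for k, _ in parse_qsl(p.query, keep_blank_values=True)}
    return bool(names & GRAPHQL_PARAMS)


def discover_candidates(base_urls, explicit=(), evidence_urls=()):
    """Deduplicated, sorted candidate list.

    `evidence_urls` are endpoints that other sources (HTTP probe, resource
    enum, JS Recon) already flagged as GraphQL: they are candidates themselves
    and unlock the secondary patterns for their origin.
    """
    evidence_origins = {origin(u) for u in evidence_urls}
    found = set(explicit) | set(evidence_urls)
    for base in base_urls:
        root = base.rstrip("/")
        found.update(root + p for p in PRIMARY_PATHS)
        if origin(base) in evidence_origins:
            found.update(root + p for p in SECONDARY_PATHS)
    return sorted(found)


def auth_headers(auth_type: str, value: str, header_name: str = "") -> dict:
    """Emit the header for each Auth Type exactly as the table above lists."""
    kind = (auth_type or "").strip().lower()
    if not kind:
        return {}
    if kind == "bearer":
        return {"Authorization": f"Bearer {value}"}
    if kind == "cookie":
        return {"Cookie": value}
    if kind == "basic":
        if ":" not in value:
            raise ValueError("basic auth value must be username:password")
        return {"Authorization": "Basic " + base64.b64encode(value.encode()).decode()}
    if kind == "header":
        return {header_name or "X-Auth-Token": value}
    if kind == "apikey":
        return {header_name or "X-API-Key": value}
    raise ValueError(f"unknown auth type {auth_type!r}")


def masked(headers: dict) -> dict:
    """Log-safe copy of the auth headers: values are never written in full."""
    return {k: (v[:4] + "****" if len(v) > 8 else "****") for k, v in headers.items()}


def typeref_fragment(depth: int) -> str:
    """TypeRef fragment with `depth` nested ofType levels (clamped 1-20)."""
    depth = max(1, min(20, depth))
    body = "kind name"
    for _ in range(depth):
        body = f"kind name ofType {{ {body} }}"
    return f"fragment TypeRef on __Type {{ {body} }}"
```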

graphql-cop External Scanner (opt-in Docker-in-Docker):

An optional Phase 2 scanner that wraps dolevf/graphql-cop:1.14 and runs 12 additional misconfiguration checks per endpoint. Automatically skipped when disabled or when all 12 per-test toggles are off. Uses Docker-in-Docker — requires the Docker socket to be mounted to the recon container.

| Parameter | Default | Description |
|---|---|---|
| Enable graphql-cop | false | Master toggle for graphql-cop (opt-in — requires Docker socket access) |
| Docker Image | dolevf/graphql-cop:1.14 | Docker image to execute. Pinned to 1.14 because the -e exclusion flag (v1.15+) is not yet on DockerHub — per-test exclusions are applied Python-side |
| Timeout | 120 | Seconds per endpoint before the container is killed (subprocess.TimeoutExpired) |
| Force Scan | false | Pass the -f flag to scan the endpoint even when graphql-cop does not detect it as GraphQL. Useful when the endpoint returns non-standard errors or custom wrappers |
| Debug Mode | false | Pass the -d flag to add X-GraphQL-Cop-Test header to every request for correlation with target logs |

Network mode: graphql-cop uses the default Docker bridge network. When Use Tor is enabled at the project level, the container is started with --network host and passed the -T flag to route probes through Tor. When a global HTTP_PROXY is set, it is forwarded via -x.

Heavy-traffic tests: alias_overloading, batch_query, directive_overloading, and circular_query_introspection send DoS-class probes. In stealth mode the four DoS toggles are automatically forced to false. Because graphql-cop 1.14 doesn't honor -e, those probes still hit the target if the master toggle is on — use the master Enable graphql-cop toggle for true stealth.

Per-Test Toggles (12 tests — all run by default except introspection):

Each toggle below enables/disables one graphql-cop test. Exclusions are applied post-execution because the v1.14 image ignores the -e flag.

| Parameter | Default | Severity | Description |
|---|---|---|---|
| Field Suggestions | true | info | Detects "Did you mean..." schema leakage that bypasses introspection-disabled defences |
| Introspection (cop) | false | high | Secondary introspection probe — disabled by default to deduplicate with the native introspection test above |
| GraphiQL IDE Exposed | true | medium | Detects exposed GraphiQL / GraphQL Playground / Apollo Studio IDE pages |
| GET Method Support | true | medium | Endpoint accepts queries via HTTP GET (enables cache poisoning + CSRF) |
| Alias Overloading | true | low | Tests server tolerance of aliased-field DoS. DoS — disabled in stealth mode |
| Array-based Query Batching | true | low | Tests array-batched query DoS amplification. DoS — disabled in stealth mode |
| Trace Mode | true | info | Apollo tracing extension exposes query timings (schema and resolver info leak) |
| Directive Overloading | true | low | Tests server tolerance of repeated directives on a single field. DoS — disabled in stealth mode |
| Circular Introspection | true | low | Recursive introspection query causing exponential parse cost. DoS — disabled in stealth mode |
| GET-based Mutation | true | high | Mutation allowed over GET (full CSRF surface) |
| POST url-encoded CSRF | true | medium | Mutation accepts application/x-www-form-urlencoded (cross-origin CSRF possible) |
| Unhandled Error Detection | true | info | Endpoint leaks stack traces / internal error paths on malformed queries |

Endpoint Capability Flags:

Beyond creating Vulnerability nodes on positive findings, graphql-cop also sets these boolean flags directly on the GraphQL Endpoint node — even when a test returned negative (e.g. "GraphiQL exposed: false" is recorded explicitly):

| Flag | Set By | Meaning |
|---|---|---|
| graphql_graphiql_exposed | detect_graphiql | IDE page served at the endpoint |
| graphql_tracing_enabled | trace_mode | Apollo tracing extension returns timing data |
| graphql_get_allowed | get_method_support | Endpoint accepts GET queries |
| graphql_field_suggestions_enabled | field_suggestions | "Did you mean..." responses enabled |
| graphql_batching_enabled | batch_query | Server responds to array-batched requests |
| graphql_cop_ran | | Set to true after graphql-cop completes |

Output:

Per tested endpoint, results are stored under combined_result.graphql_scan.endpoints[endpoint]:

  • introspection_enabled, schema_extracted — booleans
  • queries_count, mutations_count, subscriptions_count — operation counts
  • schema_hash — 16-char SHA256 prefix for change detection
  • operations.{queries,mutations,subscriptions} — lists of operation names
  • error — last error message if tests failed
  • All graphql-cop endpoint-flag booleans from the table above

Scan-wide summary at combined_result.graphql_scan.summary: endpoints_discovered, endpoints_tested, endpoints_skipped (RoE excluded), introspection_enabled, vulnerabilities_found, by_severity.{critical,high,medium,low,info}.

Rules of Engagement: Discovered endpoints are filtered by ROE_EXCLUDED_HOSTS (supports *.example.com wildcards) before testing. Out-of-scope endpoints are skipped and counted in endpoints_skipped.

Stealth mode overrides: GRAPHQL_RATE_LIMIT=2, GRAPHQL_CONCURRENCY=1 (sequential only), GRAPHQL_TIMEOUT=60, and the four DoS-class graphql-cop tests (alias/batch/directive/circular) forced to false. The native introspection test still runs because it is passive.
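The run-time overrides this page documents in several places (Nmap, Hakrawler, FFuf, Arjun and GraphQL stealth behaviour, the FFuf and Arjun RoE rate caps, and the ROE_EXCLUDED_HOSTS wildcard filter), collected in one added Python example that is not RedAmon's own code. FFUF_RATE, ARJUN_RATE_LIMIT, the GRAPHQL_* keys and ROE_EXCLUDED_HOSTS are named on this page; every key marked hypothetical is this example's own.

```python
"""Stealth Mode and Rules-of-Engagement overrides applied before a run.

Added example, not RedAmon's own code. Encodes the documented overrides:
Nmap forced to T2 with NSE off, Use Bruteforce off, Hakrawler and FFuf
disabled, Arjun switched to passive mode, GRAPHQL_RATE_LIMIT=2,
GRAPHQL_CONCURRENCY=1, GRAPHQL_TIMEOUT=60 and the four DoS-class graphql-cop
tests off; the RoE rule that FFUF_RATE and ARJUN_RATE_LIMIT of 0 (unlimited)
become the RoE max requests per second; and the ROE_EXCLUDED_HOSTS filter.
Keys marked hypothetical are not named on this page.
"""
from __future__ import annotations

import fnmatch
from urllib.parse import urlsplit

STEALTH_OVERRIDES = {
    "NMAP_TIMING_TEMPLATE": "T2",       # hypothetical key
    "NMAP_NSE_VULN_SCRIPTS": False,     # hypothetical key
    "USE_BRUTEFORCE": False,            # hypothetical key
    "HAKRAWLER_ENABLED": False,         # hypothetical key
    "FFUF_ENABLED": False,              # hypothetical key
    "ARJUN_PASSIVE_MODE": True,         # hypothetical key
    "GRAPHQL_RATE_LIMIT": 2,            # documented above
    "GRAPHQL_CONCURRENCY": 1,           # documented above
    "GRAPHQL_TIMEOUT": 60,              # documented above
    # the four DoS-class graphql-cop tests; key names are hypothetical
    "GRAPHQL_COP_ALIAS_OVERLOADING": False,
    "GRAPHQL_COP_BATCH_QUERY": False,
    "GRAPHQL_COP_DIRECTIVE_OVERLOADING": False,
    "GRAPHQL_COP_CIRCULAR_QUERY_INTROSPECTION": False,
}

# "0 = unlimited" rate settings that RoE caps (both names are on this page)
ROE_CAPPED_RATES = ("FFUF_RATE", "ARJUN_RATE_LIMIT")


def apply_overrides(settings: dict, stealth: bool, roe_max_rps: int | None = None):
    """Return (effective_settings, changes); changes maps key -> (before, after)."""
    out, changes = dict(settings), {}

    def set_key(key, value):
        if out.get(key) != value:
            changes[key] = (out.get(key), value)
            out[key] = value

    if stealth:
        for key, value in STEALTH_OVERRIDES.items():
            set_key(key, value)
    if roe_max_rps:                      # RoE active with a max requests/second
        for key in ROE_CAPPED_RATES:
            current = out.get(key, 0)
            # Documented case: 0 (unlimited) becomes the RoE max. A configured
            # rate above the RoE max is lowered as well (this example's choice).
            if current == 0 or current > roe_max_rps:
                set_key(key, roe_max_rps)
    return out, changes


def host_excluded(url: str, excluded_hosts) -> bool:
    """ROE_EXCLUDED_HOSTS match: exact hostnames or *.example.com wildcards.
    fnmatch's '*' also spans dots, so *.example.com covers deeper subdomains
    but not the apex example.com itself."""
    host = (urlsplit(url).hostname or "").lower()
    return any(fnmatch.fnmatchcase(host, pat.strip().lower())
               for pat in excluded_hosts if pat.strip())


def filter_endpoints(urls, excluded_hosts):
    """Split discovered endpoints into tested and skipped (RoE excluded) lists;
    len(skipped) is what endpoints_skipped in the scan summary counts."""
    tested, skipped = [], []
    for url in urls:
        (skipped if host_excluded(url, excluded_hosts) else tested).append(url)
    return tested, skipped
```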

Partial recon: GraphQL scanning is available as a Partial Recon tool. The modal accepts custom URLs (validated against project scope) that are injected via GRAPHQL_ENDPOINTS and expanded by the same discovery pipeline. GRAPHQL_SECURITY_ENABLED is force-set to true for partial runs regardless of the project toggle. See Recon Pipeline Workflow — Partial Recon.


Subdomain Takeover Detection

Layered takeover scanner that stacks three independent engines against dangling DNS records and orphaned SaaS targets: Subjack (Apache-2.0 Go binary, DNS-first fingerprints), Nuclei takeover templates (-t http/takeovers/ -t dns/, HTTP-fingerprint coverage), and the BadDNS sidecar (AGPL-3.0, opt-in, Docker-in-Docker isolated image with 10 addressable modules covering CNAME/NS/MX/TXT/SPF/DMARC/wildcard/NSEC/zone-transfer/references). Findings are deduplicated across tools on (hostname, provider, method), scored 0-100, mapped to a confirmed / likely / manual_review verdict, and emitted as Vulnerability nodes with source="takeover_scan". Runs as GROUP 6 Phase A parallel with Nuclei and GraphQL. Disabled by default. See the dedicated Subdomain Takeover Detection page for the full design and scoring rules.

Graph nodes -- consumes: Domain, Subdomain, DNSRecord, BaseURL (alive URLs) | produces: Vulnerability (source="takeover_scan", type="subdomain_takeover")

Master toggle:

Parameter Default Description
Enable Subdomain Takeover false Master toggle. When off the whole module is skipped and output contains { "skipped_reason": "disabled" }

Subjack (Apache-2.0, native Go binary baked into the recon image):

Parameter Default Description
Enable Subjack true Enable the DNS-first Subjack layer. Requires the master toggle on
Threads 10 Concurrent Subjack workers (-t, clamped 1-100)
Request Timeout 30 Per-request connection timeout in seconds (-timeout)
Force HTTPS true Probe over HTTPS (-ssl). Improves accuracy against HTTPS-only SaaS providers
Test Every URL false Probe every subdomain, not just CNAME-bearing ones (-a). Slower but more thorough
Check NS Takeovers false Detect expired nameserver delegations and dangling cloud DNS zones (-ns)
Check Stale A Records false Flag A records pointing to dead cloud IPs (-ar). Probabilistic, requires human verification
Check SPF/MX Takeovers false Audit SPF includes and MX records for dead infrastructure references (-mail)
Subjack Run Timeout 900 Overall hard cap on the Subjack subprocess in seconds (minimum 60)

Nuclei Takeover Templates (HTTP fingerprint layer):

Parameter Default Description
Enable Nuclei Takeovers true Enable the Nuclei takeover layer. Targets are the alive URLs from httpx
Nuclei Takeover Run Timeout 1800 Overall hard cap on the Nuclei takeover subprocess in seconds
Severity Filter critical, high, medium Severity filter passed to Nuclei. Defaults to the three action-worthy levels
Rate Limit 50 Nuclei req/s rate limit for this layer only (does not affect the main vuln scan)

Shared from the main Nuclei block: NUCLEI_BULK_SIZE, NUCLEI_CONCURRENCY, NUCLEI_TIMEOUT, NUCLEI_RETRIES, NUCLEI_SYSTEM_RESOLVERS, NUCLEI_FOLLOW_REDIRECTS, NUCLEI_MAX_REDIRECTS, NUCLEI_DOCKER_IMAGE. Global NUCLEI_EXCLUDE_TAGS is not inherited here (would drop the takeover tag and neuter the whole layer). Interactsh is always off for this layer since takeover templates do not need OOB interactions.

Scoring & Verdicts:

Parameter Default Description
Confidence Threshold 60 Minimum score for likely; threshold + 10 for confirmed (clamped 0-100)
Auto-publish Manual Review false Promote manual_review findings from severity=info to severity=medium so they appear in the main findings table instead of the review queue

Scoring is additive: +30 (confirmed by 2+ tools), +25 (Subjack confirmed), +20 (provider in auto-exploitable list), +15 (Nuclei template match), +10 (method=cname), -15 (method=stale_a/mx), -10 (provider unknown). Verdicts: >= threshold+10 -> confirmed; >= threshold -> likely; otherwise manual_review.

BadDNS (AGPL-3.0 isolated Docker-in-Docker sidecar, opt-in):

Parameter Default Description
Enable BadDNS false Opt-in AGPL sidecar. Requires docker compose --profile tools build baddns-scanner once before the first run
Docker Image redamon-baddns:latest Sidecar image tag. Override only when testing a non-default build
Modules cname, ns, mx, txt, spf Active module set. Full addressable list: cname, ns, mx, txt, spf, dmarc, wildcard, nsec, references, zonetransfer. nsec and zonetransfer are opt-in because they can be slow on large targets
Nameservers [] Optional custom DNS resolvers. Empty = system resolvers
BadDNS Run Timeout 1800 Overall hard cap on the baddns subprocess in seconds. Orphan containers are reaped via docker kill <container_name> on timeout

Auto-exploitable providers (single-step claim, +20 confidence bonus): github-pages, heroku, aws-s3, shopify, fastly, ghost, unbounce, readthedocs, surge, webflow, tumblr, statuspage. Full fingerprint table lives in recon/helpers/takeover_helpers.py::PROVIDER_FROM_SIGNAL and covers ~40 signals plus ~30 CNAME patterns.

Stealth mode overrides: NUCLEI_TAKEOVERS_ENABLED=false, BADDNS_ENABLED=false, SUBJACK_ALL=false, SUBJACK_CHECK_NS=true, SUBJACK_CHECK_MAIL=true (both DNS-only and safe at low concurrency), SUBJACK_THREADS=3, TAKEOVER_RATE_LIMIT=10. Subjack stays on in DNS-only mode because CNAME/NS/MX resolution does not generate HTTP traffic to the target.

Partial recon: Subdomain Takeover is a Partial Recon tool. The modal accepts custom subdomains (validated against project scope -- entry must equal the apex or end with .<apex>). User-provided dangling subdomains with no A/AAAA are still scanned because they are the prime takeover candidates. SUBDOMAIN_TAKEOVER_ENABLED is force-set to true for partial runs. Rescans converge on the same Vulnerability.id (deterministic hash of hostname|provider|method) instead of duplicating. See Recon Pipeline Workflow -- Partial Recon.
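The dedup key, the additive score, the verdict thresholds and the deterministic Vulnerability.id described above are easy to get subtly wrong (clamping, the manual_review promotion, trailing dots in hostnames). The following is an added example that implements exactly those rules as stated on this page; it is not code from recon/helpers/takeover_helpers.py. Assumptions are marked in comments: SHA-256 truncated to 32 hex characters stands in for whatever hash the project uses, the confirmed bar is capped at 100 when the threshold is above 90, and the severities for confirmed/likely findings (high/medium) are not stated on the page. The per-tool findings are constructed sample input, not real scan output.

```python
import hashlib
from collections import defaultdict

# Providers the page lists as single-step claims (+20 confidence bonus).
AUTO_EXPLOITABLE = {
    "github-pages", "heroku", "aws-s3", "shopify", "fastly", "ghost",
    "unbounce", "readthedocs", "surge", "webflow", "tumblr", "statuspage",
}


def score_finding(tools, provider, method):
    """Additive score from the page's rules, clamped to 0-100."""
    score = 0
    if len(tools) >= 2:
        score += 30                      # confirmed by 2+ tools
    if "subjack" in tools:
        score += 25                      # Subjack confirmed
    if provider in AUTO_EXPLOITABLE:
        score += 20
    if "nuclei" in tools:
        score += 15                      # Nuclei template match
    if method == "cname":
        score += 10
    if method in ("stale_a", "mx"):
        score -= 15                      # probabilistic methods
    if provider == "unknown":
        score -= 10
    return max(0, min(100, score))


def verdict(score, threshold=60):
    """confirmed >= threshold+10, likely >= threshold, else manual_review."""
    threshold = max(0, min(100, threshold))
    confirmed_bar = min(100, threshold + 10)   # assumption: bar capped at 100
    if score >= confirmed_bar:
        return "confirmed"
    if score >= threshold:
        return "likely"
    return "manual_review"


def vuln_id(hostname, provider, method):
    """Deterministic id over hostname|provider|method (hash choice is an assumption)."""
    return hashlib.sha256(f"{hostname}|{provider}|{method}".encode()).hexdigest()[:32]


def merge_findings(raw, threshold=60, auto_publish_manual_review=False):
    """Dedupe per-tool findings on (hostname, provider, method), then score and grade."""
    grouped = defaultdict(set)
    for f in raw:
        key = (f["hostname"].lower().rstrip("."), f["provider"], f["method"])
        grouped[key].add(f["tool"])
    out = []
    for (host, provider, method), tools in sorted(grouped.items()):
        s = score_finding(tools, provider, method)
        v = verdict(s, threshold)
        # assumption: confirmed->high, likely->medium; manual_review is info unless promoted
        sev = {"confirmed": "high", "likely": "medium"}.get(v, "info")
        if v == "manual_review" and auto_publish_manual_review:
            sev = "medium"
        out.append({"id": vuln_id(host, provider, method), "hostname": host,
                    "provider": provider, "method": method, "tools": sorted(tools),
                    "score": s, "verdict": v, "severity": sev,
                    "source": "takeover_scan", "type": "subdomain_takeover"})
    return out


# Constructed sample: what the three tools might each report (not real scan output).
SAMPLE = [
    {"tool": "subjack", "hostname": "shop.example.com.", "provider": "shopify", "method": "cname"},
    {"tool": "nuclei",  "hostname": "shop.example.com",  "provider": "shopify", "method": "cname"},
    {"tool": "subjack", "hostname": "docs.example.com",  "provider": "azure",   "method": "cname"},
    {"tool": "baddns",  "hostname": "docs.example.com",  "provider": "azure",   "method": "cname"},
    {"tool": "subjack", "hostname": "old.example.com",   "provider": "unknown", "method": "stale_a"},
    {"tool": "subjack", "hostname": "old.example.com",   "provider": "unknown", "method": "stale_a"},
]

if __name__ == "__main__":
    for v in merge_findings(SAMPLE):
        print(f'{v["hostname"]:20} score={v["score"]:3} {v["verdict"]:14} id={v["id"][:8]}')
```

Running it grades shop.example.com as confirmed (100: two tools, Subjack, auto-exploitable provider, Nuclei match, CNAME), docs.example.com as likely (65: two tools, Subjack, CNAME, provider not in the bonus list) and old.example.com as manual_review (0: Subjack alone on a stale A record for an unknown provider). The trailing dot on the first Subjack hostname is normalised away so the two shop.example.com reports collapse into one node, and a rescan reproduces the same id.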


Vulnerability Scanner (Nuclei)

Template-based vulnerability scanning with 9,000+ community templates.

Graph nodes — consumes: BaseURL, Endpoint, Technology, Domain | produces: Vulnerability, Endpoint, Parameter, CVE, MitreData, Capec

Performance Settings:

Parameter Default Description
Severity Levels critical, high, medium, low, info Severity filter. Excluding "info" is ~70% faster
Rate Limit 100 Requests per second
Bulk Size 25 Hosts processed in parallel
Concurrency 25 Templates executed in parallel
Timeout 10 Request timeout per check (seconds)
Retries 1 Retry attempts for failed requests (0-10)
Max Redirects 10 Maximum redirect chain (0-50)

Template Configuration:

Parameter Default Description
Template Folders [] Directories to include (cves, vulnerabilities, misconfiguration, exposures, etc.). Empty = all
Exclude Template Paths [] Exclude specific directories or files
Custom Template Paths [] Your own templates in addition to the official repo
Include Tags [] Filter by tags: cve, xss, sqli, rce, lfi, ssrf, xxe, ssti. Empty = all
Exclude Tags [] Exclude tags — recommended: dos, fuzz for production

Template Options:

Parameter Default Description
Auto Update Templates true Download latest before scan (+10-30 seconds)
New Templates Only false Only run templates added since last update
DAST Mode true Active fuzzing for XSS, SQLi, RCE (+50-100% time)

Advanced Options:

Parameter Default Description
Headless Mode false Use headless browser for JS pages (+100-200% time)
System DNS Resolvers false Use OS DNS instead of Nuclei defaults
Interactsh true Blind vulnerability detection via out-of-band callbacks
Follow Redirects true Follow HTTP redirects during scanning
Scan All IPs false Scan all resolved IPs, not just hostnames

CVE Enrichment

Enrich findings with CVSS scores, descriptions, and references.

Graph nodes — consumes: Technology | produces: CVE, MitreData, Capec

Parameter Default Description
Enable CVE Lookup true Master toggle
CVE Source nvd Data source: nvd or vulners
Max CVEs per Finding 20 Maximum entries per technology (1-100)
Min CVSS Score 0 Only include CVEs at or above this score (0-10)

Note: NVD and Vulners API keys are configured in Global Settings → API Keys (user-scoped), not in project settings.


MITRE Mapping

CWE/CAPEC enrichment of CVE findings.

Parameter Default Description
Auto Update DB true Auto-update CWE/CAPEC database
Include CWE true Map CVEs to CWE weaknesses
Include CAPEC true Map CWEs to CAPEC attack patterns
Enrich Recon CVEs true Enrich CVEs from reconnaissance
Enrich GVM CVEs true Enrich CVEs from GVM scans
Cache TTL (hours) 24 Database cache duration

Security Checks

25+ individual toggle-controlled checks grouped into seven categories. Each check creates a Vulnerability node in the graph when its condition is detected.

Graph nodes — consumes: BaseURL, IP, Subdomain, Domain | produces: Vulnerability

Global Settings:

Parameter Default Description
Enable Security Checks true Master toggle for all checks
Timeout 10 Per-check timeout (seconds)
Max Workers 10 Concurrent check threads

Network Exposure:

Check Default Description
Direct IP HTTP true HTTP accessible via IP address
Direct IP HTTPS true HTTPS accessible via IP address
IP API Exposed true API endpoints accessible via IP
WAF Bypass true WAF can be bypassed via direct IP

TLS/Certificate:

Check Default Description
TLS Expiring Soon true Certificate expires within configurable days
TLS Expiry Days 30 Days before expiry to trigger warning

Security Headers:

Check Default Description
Missing Referrer-Policy true No Referrer-Policy header
Missing Permissions-Policy true No Permissions-Policy header
Missing COOP true No Cross-Origin-Opener-Policy
Missing CORP true No Cross-Origin-Resource-Policy
Missing COEP true No Cross-Origin-Embedder-Policy
Cache-Control Missing true No Cache-Control header
CSP Unsafe Inline true Content-Security-Policy allows unsafe-inline

Authentication:

Check Default Description
Login No HTTPS true Login form served over HTTP
Session No Secure true Session cookie missing Secure flag
Session No HttpOnly true Session cookie missing HttpOnly flag
Basic Auth No TLS true Basic Authentication without TLS

DNS Security:

Check Default Description
SPF Missing true No SPF record for the domain
DMARC Missing true No DMARC record
DNSSEC Missing true DNSSEC not configured
Zone Transfer true DNS zone transfer allowed

Exposed Services:

Check Default Description
Admin Port Exposed true Administrative ports publicly accessible
Database Exposed true Database ports publicly accessible
Redis No Auth true Redis accessible without authentication
Kubernetes API Exposed true Kubernetes API publicly accessible
SMTP Open Relay true SMTP server allows open relay

Application:

Check Default Description
Insecure Form Action true Form submits over HTTP
No Rate Limiting true No rate limiting detected on endpoints

GVM Vulnerability Scan

Configure GVM/OpenVAS network-level scanning.

Graph nodes — consumes: IP, Port, Subdomain, Domain | produces: Vulnerability, Technology, Traceroute, Certificate, ExploitGvm, CVE, MitreData, Capec

Scan Configuration:

Parameter Default Description
Scan Profile Full and fast GVM scan preset — see GVM Vulnerability Scanning for all 7 profiles
Scan Targets Strategy both both (IPs + hostnames), ips_only, or hostnames_only

Timeouts & Polling:

Parameter Default Description
Task Timeout 14400 Maximum seconds per scan task (4 hours). 0 = unlimited
Poll Interval 5 Seconds between status checks (5-300)

Post-Scan:

Parameter Default Description
Cleanup After Scan true Remove targets/tasks from GVM after results are extracted

Subdomain Discovery

Configure passive and active subdomain enumeration. Located in the Discovery & OSINT tab.

Graph nodes — consumes: Domain | produces: Domain, Subdomain, IP, DNSRecord

Each passive source has an enabled toggle and a max results cap. All sources run in parallel and results are merged and deduplicated. After merging, Puredns validates the combined list against public DNS resolvers to remove wildcard and DNS-poisoned entries before DNS resolution proceeds.

Parameter Default Description
crt.sh enabled, max 5000 Certificate Transparency log queries for subdomain discovery
HackerTarget enabled, max 5000 Passive DNS lookup database
Subfinder enabled, max 5000 Passive enumeration using 50+ online sources (CT logs, DNS databases, web archives). Runs via Docker (projectdiscovery/subfinder). No API key required
Amass disabled, max 5000 OWASP Amass subdomain enumeration using 50+ data sources (certificate logs, DNS databases, web archives, WHOIS). Runs via Docker (caffix/amass). No API key required for passive mode
Amass Timeout 10 Enumeration timeout in minutes (1-120)
Amass Active Mode false Enable zone transfers and certificate name grabs — sends DNS queries directly to target. Forced off in stealth mode
Amass Bruteforce false DNS brute forcing after passive enumeration — significantly increases scan time. Forced off in stealth mode
Knockpy Recon enabled, max 5000 Passive wordlist-based subdomain enumeration
Use Bruteforce true Enable Knockpy active subdomain brute-forcing. Domain mode only
Puredns Wildcard Filtering enabled Validates discovered subdomains against public DNS resolvers and removes wildcard entries and DNS-poisoned results. Runs after all discovery tools complete, before DNS resolution. Active tool — sends DNS queries. Runs via Docker (frost19k/puredns). Disabled in stealth mode
Puredns Threads 0 Parallel resolution threads (0 = auto-detect)
Puredns Rate Limit 0 DNS queries per second (0 = unlimited). Capped by RoE global rate limit when enabled
WHOIS Max Retries 3 Retry attempts for WHOIS lookups
DNS Max Retries 3 Retry attempts for DNS resolution
DNS Max Workers 50 Parallel DNS resolution worker threads (1-200; earlier versions hardcoded 20)
DNS Record Parallelism Enabled Query all 7 DNS record types (A, AAAA, MX, NS, TXT, SOA, CNAME) in parallel per hostname
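The merge, per-source cap and Puredns validation step described above can be illustrated end to end. The following is an added example and not the project's own pipeline or Puredns itself: it merges capped per-source lists with order-preserving dedup, then validates the result the way Puredns does, learning the wildcard answer from random labels under the apex and rejecting answers that a trusted resolver does not confirm (the "DNS-poisoned" case). The two resolvers, the records they return and the candidate lists are constructed stand-ins so the example runs offline; puredns's real logic has more heuristics than this.

```python
import secrets
from collections import OrderedDict


def merge_sources(results, caps=None, default_cap=5000):
    """Merge per-source candidate lists. Each source's list is cut at its max-results cap,
    names are lower-cased and stripped of trailing dots, and duplicates are removed while
    keeping first-seen order (so the source that found a name first is recorded)."""
    caps = caps or {}
    seen = OrderedDict()
    for source, names in results.items():
        for name in names[: caps.get(source, default_cap)]:
            host = name.strip().lower().rstrip(".")
            if host and host not in seen:
                seen[host] = source
    return list(seen)


def make_resolver(records, wildcard_zone=None, wildcard_ips=()):
    """Constructed stand-in for a DNS resolver: explicit records win, otherwise any name
    under wildcard_zone gets the wildcard answer, otherwise NXDOMAIN (empty set)."""
    def resolve(name):
        if name in records:
            return set(records[name])
        if wildcard_zone and name.endswith("." + wildcard_zone):
            return set(wildcard_ips)
        return set()
    return resolve


def validate(apex, candidates, resolve_public, resolve_trusted, probes=3):
    """Puredns-style validation. Wildcard answers are learned by resolving random labels
    under the apex; a candidate is 'poisoned' when the public-resolver answer is not
    confirmed by a trusted resolver, 'wildcard' when its confirmed answers are only the
    wildcard answers, 'unresolved' on NXDOMAIN and 'valid' otherwise."""
    wildcard_ips = set()
    for _ in range(probes):
        wildcard_ips |= resolve_trusted(f"{secrets.token_hex(6)}.{apex}")
    buckets = {"valid": [], "wildcard": [], "poisoned": [], "unresolved": []}
    for host in candidates:
        public = resolve_public(host)
        if not public:
            buckets["unresolved"].append(host)
            continue
        trusted = resolve_trusted(host)
        if not (public & trusted):
            buckets["poisoned"].append(host)
            continue
        if wildcard_ips and trusted <= wildcard_ips:
            buckets["wildcard"].append(host)
            continue
        buckets["valid"].append(host)
    return buckets


# Constructed sample data (not real discovery output).
SOURCES = {
    "crtsh": ["WWW.example.com.", "api.example.com"],
    "subfinder": ["www.example.com", "cdn.example.com", "asdf1234.example.com", "api.example.com"],
}
CAPS = {"crtsh": 5000, "subfinder": 3}        # the cap of 3 cuts subfinder's 4th entry
PUBLIC = make_resolver({
    "www.example.com": {"203.0.113.10"},
    "api.example.com": {"203.0.113.11"},
    "cdn.example.com": {"198.51.100.7"},       # answer an untrusted resolver hands back
}, wildcard_zone="example.com", wildcard_ips={"203.0.113.99"})
TRUSTED = make_resolver({
    "www.example.com": {"203.0.113.10"},
    "api.example.com": {"203.0.113.11"},
    "cdn.example.com": {"198.51.100.8"},       # trusted resolver disagrees: poisoned
}, wildcard_zone="example.com", wildcard_ips={"203.0.113.99"})

if __name__ == "__main__":
    merged = merge_sources(SOURCES, CAPS)
    print(validate("example.com", merged, PUBLIC, TRUSTED))
```

With this input www and api survive, cdn is rejected because the trusted resolver returns a different address, and the random-looking asdf1234 name is dropped because it only resolves to the zone's wildcard address. Names that fail to resolve at all land in the unresolved bucket; if you feed them to the takeover module as user-supplied candidates (see the Partial recon note under Subdomain Takeover Detection) they are still worth scanning, so do not discard that bucket silently.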

URLScan.io Enrichment

Passive OSINT enrichment using URLScan.io historical scan data. Runs in the recon pipeline after domain discovery and before port scanning. Located in the Discovery & OSINT tab.

Parameter Default Description
URLScan Enabled false Master toggle for URLScan.io enrichment
Max Results 500 Maximum scan results to fetch per domain (1-10000)

API Key: Optional. Configure in Global Settings → API Keys. Without an API key, only public scan results are available with lower rate limits. With a key, you get access to private scans and higher rate limits.

Graph nodes — consumes: Domain, BaseURL | produces: Domain, Subdomain, ExternalDomain, IP, Endpoint, Parameter. URL paths from historical scans are parsed into Endpoint and Parameter nodes (only when a matching BaseURL already exists from httpx). External domains encountered in scans are tracked as ExternalDomain nodes for situational awareness.

GAU deduplication: When URLScan enrichment runs successfully, the urlscan provider is automatically removed from GAU's data sources to avoid redundant API calls.


Shodan OSINT Enrichment

Passive internet-wide OSINT enrichment using the Shodan REST API. Runs in the recon pipeline after domain/IP discovery and before port scanning. Located in the Discovery & OSINT tab. Each feature is independently toggled and all require a Shodan API key set in Global Settings.

API Key Required: All toggles are disabled until a Shodan API key is configured in Global Settings. Host Lookup, Reverse DNS, and Passive CVEs automatically fall back to the free InternetDB API when the paid Shodan API returns 403. Domain DNS requires a paid Shodan plan (no free fallback).

Parameter Default Description
Host Lookup false Query each discovered IP for OS, ISP, organization, geolocation, and known vulnerabilities. Uses /shodan/host/{ip} (paid plan: full banners, geo, services) or falls back to InternetDB (free: ports, hostnames, CPEs, CVEs, tags — no geo or banners)
Reverse DNS false Discover hostnames for known IPs. Uses /dns/reverse (paid) or falls back to InternetDB hostnames (free). Can reveal subdomains missed by standard enumeration
Domain DNS false Subdomain enumeration and DNS records via /dns/domain/{domain}. Requires paid Shodan plan — no free fallback. Domain mode only (skipped in IP mode)
Passive CVEs false Extract known CVEs associated with discovered IPs. Reuses Host Lookup data if available; otherwise queries InternetDB directly (free, no key needed)
Workers 5 Parallel IP lookup workers for Shodan/InternetDB queries (1-20)

Graph nodes — consumes: IP, Subdomain, Domain | produces: IP, Port, Service, Subdomain, ExternalDomain, DNSRecord, Vulnerability, CVE. All use MERGE-based deduplication — data from Shodan is automatically merged with findings from Naabu, Nuclei, and other tools.


Uncover Multi-Engine Search

ProjectDiscovery's uncover queries up to 13 search engines simultaneously to discover exposed hosts, IPs, and endpoints associated with the target. Runs as GROUP 2b before port scanning so discovered assets are processed by all downstream modules.

Parameter Default Description
Uncover Enabled false Enable/disable multi-engine target expansion
Uncover Max Results 500 Maximum results to collect across all engines (1-10,000)
Uncover Docker Image projectdiscovery/uncover:latest Docker image for the uncover container

Key configuration: Uncover automatically reuses API keys configured for standalone OSINT tools (Shodan, Censys, FOFA, ZoomEye, Netlas, CriminalIP). Additional engines require their own keys configured in Global Settings > API Keys under the "Uncover (Multi-Engine Search)" group: Quake, Hunter, PublicWWW, HunterHow, Google Custom Search (key + CX), Onyphe, Driftnet.

IP filtering: All discovered IPs pass through centralized filtering (ip_filter.py) that removes non-routable addresses (RFC 1918, CGNAT, loopback, reserved) and CDN IPs (detected by Naabu/httpx) before entering the pipeline. This prevents wasting API credits on downstream enrichment.
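The centralised filter is worth seeing concretely because the ranges that matter are easy to miss (CGNAT 100.64.0.0/10 is neither "private" nor "global" in most libraries, and IPv6 link-local addresses leak into scan output surprisingly often). The following is an added example, not the project's ip_filter.py: it drops unparsable strings, the non-routable blocks named on this page plus link-local, multicast and the IPv6 equivalents, and any address inside CDN ranges handed to it, deduplicating as it goes. The CDN range and the input list are constructed; the 203.0.113.0/24 and 2001:db8::/32 documentation addresses stand in for public ones.

```python
import ipaddress

# Non-routable blocks named on this page (RFC 1918, CGNAT, loopback, reserved) plus the
# link-local, multicast and "this network" blocks a practitioner would also exclude.
NON_ROUTABLE = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",        # RFC 1918
    "100.64.0.0/10",                                         # CGNAT (RFC 6598)
    "127.0.0.0/8", "::1/128",                                # loopback
    "0.0.0.0/8", "169.254.0.0/16", "224.0.0.0/4", "240.0.0.0/4",
    "fc00::/7", "fe80::/10", "ff00::/8",                     # IPv6 ULA, link-local, multicast
)]


def classify(ip, cdn_nets):
    """Return None when the address should enter the pipeline, else the drop reason."""
    if any(ip in net for net in NON_ROUTABLE):      # version mismatch simply yields False
        return "non_routable"
    if any(ip in net for net in cdn_nets):
        return "cdn"
    return None


def filter_ips(raw, cdn_ranges=()):
    """Parse strings, drop invalid/non-routable/CDN addresses, dedupe preserving order.
    cdn_ranges are the CIDRs the pipeline has learned belong to CDNs (per the page,
    detected by Naabu/httpx). Returns (kept, dropped) with a reason per dropped entry."""
    cdn_nets = [ipaddress.ip_network(c) for c in cdn_ranges]
    kept, seen, dropped = [], set(), {}
    for text in raw:
        try:
            ip = ipaddress.ip_address(text.strip())
        except ValueError:
            dropped[text] = "invalid"
            continue
        if ip in seen:                               # exact duplicate, already decided
            continue
        seen.add(ip)
        reason = classify(ip, cdn_nets)
        if reason:
            dropped[str(ip)] = reason
        else:
            kept.append(str(ip))                     # str() normalises IPv6 spelling
    return kept, dropped


# Constructed input mixing public, private, CGNAT, loopback, CDN, IPv6 and junk entries.
SAMPLE_RAW = [
    "203.0.113.10", "203.0.113.10", "10.0.0.5", "100.64.1.1", "127.0.0.1",
    "198.51.100.20", "2001:db8::1", "fe80::1", "not-an-ip", " 203.0.113.11 ",
]

if __name__ == "__main__":
    kept, dropped = filter_ips(SAMPLE_RAW, cdn_ranges=["198.51.100.0/24"])
    print("kept:", kept)
    print("dropped:", dropped)
```

Only the two 203.0.113.x addresses and the IPv6 address survive; everything else is reported with a reason, which is what you want to log so that a target list that suddenly shrinks to nothing can be explained without re-running discovery.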


Threat Intelligence Enrichment (7 OSINT Tools)

Seven passive threat intelligence enrichment tools that run in GROUP 3b — concurrently with port scanning. All tools query external intelligence platforms using IPs and domains discovered in GROUP 1. Located in the Discovery & OSINT tab.

API Keys: All API keys are stored in Global Settings > API Keys (user-scoped, not per-project). Project settings contain only enable/disable toggles and optional limits. Enable a tool here, then add its key in Global Settings.

OTX Exception: OTX is enabled by default and works without an API key (anonymous requests, 1,000 req/hr).

Key Rotation: FOFA, OTX, Netlas, VirusTotal, ZoomEye, and CriminalIP support automatic round-robin key rotation — configure extra keys in Global Settings to avoid rate limiting mid-scan.

Graph nodes — consumes: IP, Domain, Subdomain | produces: threat intelligence properties stored on existing IP and Domain nodes (no new node types). Results also written to recon_domain.json under per-tool keys.

Censys

Parameter Default Description
Enabled false Enable Censys host intelligence enrichment. Requires both Censys API ID and API Secret in Global Settings
Workers 5 Parallel IP enrichment workers for Censys (1-20)

Queries /v2/hosts/{ip} for each discovered IP. Returns open ports, running services + banners, TLS certificate chains, geolocation, ASN, and OS fingerprint. On HTTP 429 (rate limit), stops querying and logs the limit.

FOFA

Parameter Default Description
Enabled false Enable FOFA internet asset search enrichment. Requires FOFA API Key in Global Settings
Max Results 1000 Maximum rows to fetch per query (hard cap: 10,000)
Workers 5 Parallel IP enrichment workers for FOFA (1-20)

Queries the FOFA API using base64-encoded syntax (domain="<domain>" or per-IP queries). Returns IP:port pairs, HTTP titles, server headers, geolocation, certificate info, and protocol details. Supports both legacy (email:key) and modern (key-only) authentication formats.

OTX (AlienVault Open Threat Exchange)

Parameter Default Description
Enabled true Enable OTX threat intelligence enrichment. Works without an API key (anonymous). Add OTX API Key in Global Settings for higher rate limits
Workers 5 Parallel IP enrichment workers for AlienVault OTX (1-20)

Queries the OTX Indicators API v1 for each IP and domain. Returns threat reputation, pulse count, associated malware families, MITRE ATT&CK attack IDs, passive DNS records (first/last seen), and individual pulse details (adversaries, TLP, tags). Anonymous rate limit: 1,000 req/hr. With API key: 10,000 req/hr.

OTX is the only enrichment tool enabled by default. It requires no API key to function, making it active in every scan out of the box.

Netlas

Parameter Default Description
Enabled false Enable Netlas internet intelligence enrichment. Requires Netlas API Key in Global Settings
Max Results 1000 Maximum items to fetch per query (hard cap: 1,000)
Workers 5 Parallel IP enrichment workers for Netlas (1-20)

Queries the Netlas Responses API (host:{domain} or host:{ip}). Returns port/service data, HTTP response headers and body snippets, geolocation (country, city, latitude/longitude, timezone), TLS certificate details, DNS records, and WHOIS data.

VirusTotal

Parameter Default Description
Enabled false Enable VirusTotal reputation enrichment. Requires VirusTotal API Key in Global Settings
Rate Limit 4 Requests per minute (free-tier limit). Increase for paid plans. On 429, the pipeline automatically waits 65 seconds and retries once
Max Targets 20 Maximum number of domains + IPs to query per scan (caps API usage for large target sets)
Workers 3 Parallel IP enrichment workers for VirusTotal (1-10, lower due to strict rate limits)

Queries VirusTotal API v3 for each discovered domain (/v3/domains/{domain}) and IP (/v3/ip_addresses/{ip}). Returns reputation score, last analysis stats (malicious/suspicious/undetected AV engine counts), categories, tags, JARM fingerprint, registrar, total votes, and last analysis date.

ZoomEye

Parameter Default Description
Enabled false Enable ZoomEye host search enrichment. Requires ZoomEye API Key in Global Settings
Max Results 1000 Maximum items to fetch per query
Workers 5 Parallel IP enrichment workers for ZoomEye (1-20)

Queries the ZoomEye API for hostname and IP searches. Returns open ports, service banners, device type/OS, web application fingerprints, geolocation (country, city, lat/lon, timezone), ASN, ISP, and SSL certificate details.

CriminalIP

Parameter Default Description
Enabled false Enable Criminal IP threat intelligence enrichment. Requires CriminalIP API Key in Global Settings
Workers 5 Parallel IP enrichment workers for CriminalIP (1-20)

Queries the Criminal IP API v1 for each IP (/v1/ip/data?full=true) and domain (/v1/domain/data). Returns IP risk score, threat tags (VPN, cloud, Tor, proxy, hosting, mobile, darkweb, scanner, Snort IDS), geolocation, ISP, hosted services, and abuse history. On HTTP 429, automatically waits 2 seconds and retries once.


GitHub Secret Hunting

Configure GitHub repository scanning for leaked credentials.

Graph nodes — consumes: Domain | produces: GithubHunt, GithubRepository, GithubPath, GithubSecret, GithubSensitiveFile

Parameter Default Description
GitHub Access Token Personal Access Token (ghp_...)
Target Organization GitHub org or username to scan
Target Repositories (all) Comma-separated repo names to limit scope
Scan Member Repositories false Include individual member repos
Scan Gists false Search gists for secrets
Scan Commits false Examine git history for removed secrets
Max Commits to Scan 100 Max commits per repo (1-1000)
Output as JSON false Save results as downloadable JSON

See GitHub Secret Hunting for a step-by-step setup guide including how to create a GitHub Personal Access Token.


TruffleHog Secret Scanning

Configure TruffleHog secret scanning with 700+ detectors and optional live API verification.

Graph nodes — consumes: Domain | produces: TrufflehogScan, TrufflehogRepository, TrufflehogFinding

Parameter Default Description
Target Organization GitHub org or username to scan
Target Repositories (all) Comma-separated repo names to limit scope
Only Verified false Only report findings verified as active against live APIs
No Verification false Skip all API verification — faster but unconfirmed
Concurrency 8 Concurrent scanning workers (1-20)
Include Detectors (all) Comma-separated detector names to include
Exclude Detectors (none) Comma-separated detector names to exclude

Note: TruffleHog uses the GitHub Access Token from Global Settings > API Keys (shared with GitHub Secret Hunt). See TruffleHog Secret Scanning for a step-by-step setup guide.


Agent Behavior

Configure the AI agent orchestrator for autonomous pentesting.

Agent Behaviour Settings

LLM & Phase Configuration:

Parameter Default Description
Guardrail Enabled true Enable/disable the LLM-based scope guardrail that verifies the target on agent startup. When disabled, the agent skips scope verification. Fail-closed: if the check itself fails, the agent is blocked
LLM Model claude-opus-4-6 AI model for the agent. 400+ models from 5 providers — see AI Model Providers
Deep Think true When enabled, the agent performs an explicit deep reasoning step at key decision points (start of session, phase transitions, failure loops) to plan multi-step attack strategies before acting. Adds ~1 extra LLM call at these moments. Recommended for complex targets with multiple services.
Post-Exploitation Type statefull statefull (Meterpreter sessions) or stateless (one-shot commands)
Activate Post-Exploitation Phase true Whether post-exploitation is available
Informational Phase System Prompt Custom instructions for the informational phase
Exploitation Phase System Prompt Custom instructions for the exploitation phase
Post-Exploitation Phase System Prompt Custom instructions for the post-exploitation phase

Payload Direction:

Parameter Default Description
Tunnel Provider None Dropdown: None (manual LHOST/LPORT), ngrok (single port, free, no VPS) or chisel (multi-port, requires a VPS). Only one tunnel can be active at a time. See AI Agent Guide — Tunnel Providers for setup instructions.
  • ngrok: tunnels port 4444 only; requires the ngrok authtoken configured in Global Settings → Tunneling and identity verification on your (free) ngrok account; auto-detects LHOST/LPORT from the ngrok public URL; stageless payloads only.
  • chisel: tunnels ports 4444 + 8080, which enables web delivery and HTA delivery (both need two ports); requires Chisel Server URL (and optionally Chisel Auth) configured in Global Settings → Tunneling and a VPS running chisel server -p 9090 --reverse; stageless payloads required (staged payloads fail through the tunnel).
LHOST (Attacker IP) Your IP for reverse shell callbacks. Leave empty for bind mode. Hidden when a tunnel provider is enabled.
LPORT Listening port for reverse shells. Leave empty for bind mode. Hidden when a tunnel provider is enabled.
Bind Port on Target Port the target opens for bind shell payloads
Payload Use HTTPS false Use reverse_https instead of reverse_tcp

Agent Limits:

Parameter Default Description
Max Iterations 100 Maximum LLM reasoning-action loops per objective
Trace Memory Steps 100 Past steps kept in agent's working context
Tool Output Max Chars 20000 Truncation limit for tool output (min: 1000)

Approval Gates:

Parameter Default Description
Require Approval for Exploitation true User confirmation before exploitation phase
Require Approval for Post-Exploitation true User confirmation before post-exploitation phase

Kali Shell — Library Installation:

Parameter Default Description
Allow Library Installation false Let the agent install packages (pip/apt) via kali_shell at runtime. The authorized/forbidden lists below are enforced only through the agent prompt; kali_shell itself does not block an install, so treat them as guidance to the model rather than a security boundary. Installed packages are ephemeral (lost on container restart).
Authorized Packages Comma-separated whitelist. If non-empty, only these packages may be installed.
Forbidden Packages Comma-separated blacklist. These packages must never be installed.
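Because these three settings are prompt-level only, a team that needs a hard guarantee has to add a check of its own in front of kali_shell. The following is an added example of what such a check could look like; it is not part of RedAmon and the project provides no hook for it. It tokenises the command, finds pip/apt install invocations (including sudo, VAR=value prefixes and python3 -m pip), reduces pins like requests==2.31 to the project name, and applies the three settings in the order the page implies: master toggle, blacklist (always wins), then whitelist when non-empty. A command that cannot be tokenised is rejected rather than passed through. The sample commands are constructed.

```python
import re
import shlex

# Binaries and the sub-command under which they install packages.
INSTALLERS = {"pip": "install", "pip3": "install", "apt": "install", "apt-get": "install"}


def parse_list(setting):
    """Comma-separated project setting -> lower-cased names, blanks ignored."""
    return [p.strip().lower() for p in setting.split(",") if p.strip()]


def _normalise(pkg):
    """'Requests==2.31', 'pkg[extra]' and 'pkg>=1' all reduce to the project name."""
    return re.split(r"[=<>!~\[]", pkg, maxsplit=1)[0].lower()


def requested_packages(command):
    """Package names a kali_shell command would install, or None when the command cannot
    be tokenised (unbalanced quotes) so the caller can fail closed."""
    pkgs = []
    for segment in re.split(r"&&|\|\||;", command):
        try:
            argv = shlex.split(segment)
        except ValueError:
            return None
        # strip leading sudo and VAR=value assignments, e.g. DEBIAN_FRONTEND=noninteractive
        while argv and (argv[0] == "sudo" or re.match(r"^[A-Za-z_]\w*=", argv[0])):
            argv = argv[1:]
        if len(argv) >= 3 and argv[0] in ("python", "python3") and argv[1] == "-m":
            argv = argv[2:]                                  # python3 -m pip install ...
        if len(argv) < 2:
            continue
        binary = argv[0].rsplit("/", 1)[-1]                  # /usr/bin/pip3 -> pip3
        if INSTALLERS.get(binary) == argv[1]:
            pkgs += [_normalise(t) for t in argv[2:] if not t.startswith("-")]
    return pkgs


def check_install(command, allow_install=False, authorized="", forbidden=""):
    """Apply the three settings: master toggle, always-on blacklist, optional whitelist.
    Returns (allowed, reason)."""
    pkgs = requested_packages(command)
    if pkgs is None:
        return False, "command could not be parsed (fail closed)"
    if not pkgs:
        return True, "no package installation requested"
    if not allow_install:
        return False, "library installation is disabled"
    allowed, denied = set(parse_list(authorized)), set(parse_list(forbidden))
    blocked = [p for p in pkgs if p in denied]
    if blocked:
        return False, "forbidden package(s): " + ", ".join(blocked)
    if allowed:
        unlisted = [p for p in pkgs if p not in allowed]
        if unlisted:
            return False, "not in authorized list: " + ", ".join(unlisted)
    return True, "allowed: " + ", ".join(pkgs)


if __name__ == "__main__":
    # Constructed commands an agent might emit.
    for cmd in ["sudo apt-get install -y nmap masscan",
                "pip install requests==2.31 && nmap -sV 10.0.0.1",
                "python3 -m pip install impacket",
                "pip install 'unterminated"]:
        print(cmd, "->", check_install(cmd, True, "requests, impacket", "masscan"))
```

Note that `pip install -r requirements.txt` is treated as a request for a package literally named requirements.txt and therefore blocked under a whitelist, which is the conservative outcome: a requirements file can pull in anything.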

Retries, Logging & Debug:

Parameter Default Description
Cypher Max Retries 3 Neo4j query retry attempts (0-10)
Log Max MB 10 Maximum log file size before rotation
Log Backups 5 Number of rotated log backups
Create Graph Image on Init false Generate a LangGraph visualization on startup

Cross-Site Scripting (XSS)

Configure the XSS attack skill (reflected, stored, DOM-based, blind, WAF/CSP bypass).

Parameter Default Description
dalfox WAF Evasion Enabled true Allow dalfox automated scanning + WAF bypass when manual context-aware payloads fail. Runs in background mode (--silence --waf-evasion --deep-domxss --mining-dom)
Blind Callback Enabled false Allow interactsh-client OOB callbacks for blind/stored XSS detection. Opt-in — when enabled, the agent may send document.cookie and other browser data to a third-party callback domain (oast.fun). Disabled by default
CSP Bypass Guidance true Include the CSP bypass reference table in the workflow prompt (covers unsafe-inline, unsafe-eval, JSONP gadgets, nonce reuse, AngularJS template injection, <base> hijack)

See Agent Skills > Cross-Site Scripting (XSS) for the full 8-step workflow documentation.


Hydra Credential Testing

Configure THC Hydra password cracking (50+ protocols: SSH, FTP, RDP, SMB, HTTP forms, databases, etc.).

Agent Skills Settings

Parameter Default Description
Hydra Enabled true Enable/disable Hydra brute force
Threads (-t) 16 Parallel connections per target. Protocol limits: SSH max 4, RDP max 1, VNC max 4
Wait Between Connections (-W) 0 Seconds between each connection. 0 = no delay
Connection Timeout (-w) 32 Max seconds to wait for a response
Stop On First Found (-f) true Stop when valid credentials are found
Extra Password Checks (-e) nsr Additional checks: n=null, s=username-as-password, r=reversed username
Verbose Output (-V) true Show each login attempt
Max Wordlist Attempts 3 Wordlist strategies to try before giving up (1-10)
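The protocol caps in the Threads row matter in practice: Hydra with 16 parallel SSH connections gets throttled or locked out long before it finishes a wordlist. The following is an added example, not the project's own skill code, that turns the settings above into a Hydra argument vector and clamps the thread count to the per-protocol limits the page lists (and to Hydra's own maximum of 64 tasks for everything else). Flag names are Hydra's real ones (-L, -P, -t, -w, -W, -f, -e, -V, -s); the settings dictionary keys and the target/wordlist paths are assumptions for the example.

```python
import shlex

# Per-protocol caps listed on this page, falling back to Hydra's 64-task maximum.
PROTOCOL_THREAD_CAPS = {"ssh": 4, "rdp": 1, "vnc": 4}
HYDRA_MAX_TASKS = 64

# Defaults mirror the table above; key names are this example's own.
DEFAULTS = {
    "threads": 16, "wait_between": 0, "timeout": 32,
    "stop_on_first": True, "extra_checks": "nsr", "verbose": True,
}


def effective_threads(requested, protocol):
    """Clamp the configured -t to what the protocol tolerates."""
    cap = PROTOCOL_THREAD_CAPS.get(protocol.lower(), HYDRA_MAX_TASKS)
    return max(1, min(int(requested), cap))


def build_hydra_command(target, protocol, userlist, passlist, settings=None, port=None):
    """Return the argv for one Hydra run built from the project settings."""
    s = {**DEFAULTS, **(settings or {})}
    proto = protocol.lower()
    if set(s["extra_checks"]) - set("nsr"):
        raise ValueError("extra_checks may only combine n, s and r")
    cmd = ["hydra", "-L", userlist, "-P", passlist,
           "-t", str(effective_threads(s["threads"], proto)),
           "-w", str(int(s["timeout"]))]
    if int(s["wait_between"]) > 0:
        cmd += ["-W", str(int(s["wait_between"]))]
    if s["stop_on_first"]:
        cmd.append("-f")
    if s["extra_checks"]:
        cmd += ["-e", s["extra_checks"]]
    if s["verbose"]:
        cmd.append("-V")
    if port:
        cmd += ["-s", str(int(port))]
    cmd += [target, proto]
    return cmd


if __name__ == "__main__":
    # Constructed target and wordlist paths; nothing is executed here.
    for proto in ("ssh", "rdp", "ftp"):
        print(shlex.join(build_hydra_command("192.0.2.10", proto, "users.txt", "rockyou.txt")))
```

With the defaults this yields -t 4 for SSH, -t 1 for RDP and -t 16 for FTP; a misconfigured -e value (anything other than n, s, r) is rejected before Hydra is launched rather than surfacing as a confusing runtime error in the agent loop.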

Social Engineering Simulation

Configure SMTP settings for the phishing agent skill email delivery capability. The agent reads this configuration when the phishing_social_engineering agent skill is active and the user requests email delivery.

Parameter Default Description
SMTP Configuration (empty) Free-text SMTP settings for email delivery. The agent parses this naturally when sending phishing emails via Python smtplib

Example configuration:

SMTP_HOST: smtp.gmail.com
SMTP_PORT: 587
SMTP_USER: pentest@gmail.com
SMTP_PASS: abcd efgh ijkl mnop
SMTP_FROM: it-support@company.com
USE_TLS: true

If left empty, the agent asks the user at runtime for SMTP credentials when email delivery is requested. The agent never attempts to send email without proper SMTP configuration.

See Agent Skills > Social Engineering Simulation for the full phishing workflow documentation.


CypherFix Configuration

Configure CypherFix automated vulnerability remediation. These settings control how the CodeFix agent interacts with your GitHub repository.

CypherFix Settings

Parameter Default Description
GitHub Token (CypherFix) Personal Access Token with repo scope for cloning, pushing, and creating PRs
Default Repository Target repository in owner/repo format (e.g., redis/redis)
Default Branch main Base branch for creating fix branches
Branch Prefix cypherfix/ Prefix for auto-created fix branches (e.g., cypherfix/fix-sqli-42)
Require Approval true Pause before each code edit for human review. When disabled, pending edit blocks are auto-accepted after 5 minutes
LLM Model Override (Agent default) Use a specific model for CodeFix instead of the model configured in Agent Behaviour

See CypherFix — Automated Remediation for the full usage guide.


Tool Phase Restrictions

A matrix controlling which tools the agent can use in each operational phase. Each tool can be independently enabled/disabled per phase. Tools that require an external API key (web_search, shodan, google_dork) display a warning with a quick-add modal when enabled without a key configured in Global Settings.

Tool Informational Exploitation Post-Exploitation
query_graph
web_search
shodan --
google_dork -- --
execute_curl
execute_httpx --
execute_naabu --
execute_subfinder --
execute_gau --
execute_nmap
execute_nuclei --
execute_wpscan --
execute_jsluice --
execute_amass --
execute_katana --
execute_arjun --
execute_ffuf --
kali_shell
execute_code --
execute_playwright
execute_hydra --
metasploit_console --
msf_restart --

This matrix is configurable per project in the dedicated Tool Matrix tab of the project settings form (under the AI Agent tab group).
