NOX ships with 300 built in modules. Every module implements the same module.Module interface described in architecture. Any module can run on its own with nox modules run <name> --target <host>, or as part of a scan pipeline.
This reference groups modules into the same 24 phases that nox full runs, in the same order. This is the order NOX runs modules in during a full chain scan: passive intelligence first, then subdomain and DNS discovery, then web fingerprinting, then progressively deeper active vulnerability testing.
The nox modules list command groups the same modules by a shorter set of internal categories (osint, subdomains, dns, hosts, web, js, fuzz, cloud, vuln). Both views describe the same 300 modules. This guide uses the phase grouping because it is more specific and it matches how a real scan runs.
- OSINT & Passive Intelligence (9 modules)
- Subdomain Enumeration (7 modules)
- DNS Resolution (5 modules)
- Port Scan (1 module)
- HTTP Probe & Web Fingerprint (19 modules)
- Vulnerability Scanning (Core) (16 modules)
- Session & Auth Security (23 modules)
- Authorization (Deep) (12 modules)
- Client-Side Security (Deep) (15 modules)
- Cloud Vulnerabilities (10 modules)
- Injection (Deep) (52 modules)
- Cross-Site Scripting (Deep) (12 modules)
- API Security (Deep) (29 modules)
- Cache & CORS (Deep) (13 modules)
- Browser Security Policies (5 modules)
- Content Discovery (Deep) (6 modules)
- File Download Vulnerabilities (6 modules)
- Deserialization (10 modules)
- Secrets & Source Exposure (12 modules)
- Email Vulnerabilities (Deep) (4 modules)
- Mobile API Security (4 modules)
- Business Logic Abuse (15 modules)
- AI / LLM Security (8 modules)
- Reporting & Enrichment (6 modules)
The diagram below shows the order nox full runs these phases in, and how many modules are in each one. Earlier phases feed targets into later phases. Subdomains found in phase 2 are resolved in phase 3, resolved hosts are probed in phase 5, and so on.
flowchart TD
P1["1. OSINT & Passive Intelligence<br/>9 modules"]
P2["2. Subdomain Enumeration<br/>7 modules"]
P3["3. DNS Resolution<br/>5 modules"]
P4["4. Port Scan<br/>1 module"]
P5["5. HTTP Probe & Web Fingerprint<br/>19 modules"]
P6["6. Vulnerability Scanning (Core)<br/>16 modules"]
P7["7. Session & Auth Security<br/>23 modules"]
P8["8. Authorization (Deep)<br/>12 modules"]
P9["9. Client-Side Security (Deep)<br/>15 modules"]
P10["10. Cloud Vulnerabilities<br/>10 modules"]
P11["11. Injection (Deep)<br/>52 modules"]
P12["12. Cross-Site Scripting (Deep)<br/>12 modules"]
P13["13. API Security (Deep)<br/>29 modules"]
P14["14. Cache & CORS (Deep)<br/>13 modules"]
P15["15. Browser Security Policies<br/>5 modules"]
P16["16. Content Discovery (Deep)<br/>6 modules"]
P17["17. File Download Vulnerabilities<br/>6 modules"]
P18["18. Deserialization<br/>10 modules"]
P19["19. Secrets & Source Exposure<br/>12 modules"]
P20["20. Email Vulnerabilities (Deep)<br/>4 modules"]
P21["21. Mobile API Security<br/>4 modules"]
P22["22. Business Logic Abuse<br/>15 modules"]
P23["23. AI / LLM Security<br/>8 modules"]
P24["24. Reporting & Enrichment<br/>6 modules"]
P1 --> P2
P2 --> P3
P3 --> P4
P4 --> P5
P5 --> P6
P6 --> P7
P7 --> P8
P8 --> P9
P9 --> P10
P10 --> P11
P11 --> P12
P12 --> P13
P13 --> P14
P14 --> P15
P15 --> P16
P16 --> P17
P17 --> P18
P18 --> P19
P19 --> P20
P20 --> P21
P21 --> P22
P22 --> P23
P23 --> P24
Every module can run on its own, outside of a full scan or workflow.
nox modules list
nox modules run <module-name> --target <host>
See scans for how modules are chained together into phases and workflows, and architecture for the module interface each one implements.