How the reconnaissance and security commands relate to each other -- subset relationships, overlap zones, and the depth/breadth trade-offs that determine which command to use.

```mermaid
flowchart LR
    TR -->|"subset of"| FR["/full-report"]
    TR -->|"--with-security overlaps"| SC["/scan"]
    TR -->|"--with-security overlaps"| BA["/batch-audit"]
    subgraph recon ["Reconnaissance Commands"]
        TR["/triage"]
        FR
    end
    subgraph security ["Security Commands"]
        SC
        BA
    end
```

The three reconnaissance commands form a strict depth progression:

| Command | Scope | Depth | Steps | Grind Loop | Security Coverage |
|---|---|---|---|---|---|
| /triage | Module | Thorough orientation | 5-6 (identity, classify, callgraph, attack surface, optional taint) | No | Optional lightweight taint on top 3-5 entries (--with-security) |
| /full-report | Module | Exhaustive | 6 phases (identity, classify, attack surface + dossiers + taint, topology + diagrams, specialized, synthesis) | Yes | Taint + dossiers on top entries (always), COM/dispatch/types (adaptive) |

Each level is a strict superset of the one before it:

- /triage adds binary identity (RE report), full classification (not just top 5), and attack surface ranking. With --with-security, it also runs a lightweight taint pass on the top 3-5 ranked entry points.
- /full-report adds security dossiers and taint analysis on top entries (always, not just with a flag), cross-module dependency mapping, Mermaid call graph diagrams, and an adaptive Phase 5 that conditionally runs COM interface reconstruction, dispatch table extraction, global state mapping, decompilation quality checks, and type reconstruction.

The --with-security flag on /triage creates a small bridge into the
security domain. It runs taint_function.py on the top 3-5 ranked entry
points at depth 3 -- enough to surface a quick signal of exploitable issues,
but intentionally lightweight. It is not a substitute for proper security
analysis.
The proper security tools are:

| Command | Scope | Depth | What It Adds Over /triage --with-security |
|---|---|---|---|
| /scan | Module | Deep (security-only) | 8 scanners (memory + logic), verification against assembly, exploitability scoring, deduplication across pipelines |
| /batch-audit | Per-function | Deep (security-only) | Security dossier + taint + exploitability + classification per function; privilege-boundary discovery (RPC/COM/WinRT) |

/scan provides breadth across vulnerability classes (buffer overflows,
integer issues, UAF, format strings, auth bypasses, state errors,
logic flaws). /batch-audit provides depth per function with dossier-level
context and privilege-boundary awareness.
No two commands are redundant -- each occupies a distinct point on the
depth/breadth spectrum. /triage is the natural first command and the natural stepping stone toward /full-report, /scan,
or /audit.
Typical progression:

```
/triage <module>          # Thorough orientation -- identity, classification, attack surface
    |
    +---> /full-report    # When you need everything about the module
    +---> /scan           # When you want comprehensive vulnerability coverage
    +---> /batch-audit    # When you want to audit the top entry points in breadth
    +---> /audit <func>   # When you want to deep-dive a single function
```

- Commands README -- command catalog, decision tree, skill integration map
- Scan/Audit/Taint Workflow -- security pipeline drill-down and finding follow-up
- VR Workflow Overview -- exhaustive reference for all commands, agents, skills, and helpers