Project Settings Reference
Every project in RedAmon has 196+ configurable parameters that control the behavior of each reconnaissance module, the AI agent, and CypherFix automated remediation. These settings are managed through the project form UI (15 tabs across four groups: Scope, Recon Pipeline, AI Agent, Remediation), stored in PostgreSQL, and fetched by the recon container and agent at runtime.

Defaults: Sensible defaults are loaded automatically from the server when creating a new project. You only need to fill in the required fields (project name and target domain — or target IPs in IP mode) and adjust what you want.
- Target Configuration
- Scan Module Toggles
- Port Scanner (Masscan)
- Port Scanner (Naabu)
- Nmap Service Detection
- HTTP Prober (httpx)
- Technology Detection (Wappalyzer)
- Banner Grabbing
- Web Crawler (Katana)
- Passive URL Discovery (GAU)
- API Discovery (Kiterunner)
- Web Crawler (Hakrawler)
- JavaScript Analysis (jsluice)
- Parameter Discovery (Arjun)
- Vulnerability Scanner (Nuclei)
- CVE Enrichment
- MITRE Mapping
- Security Checks
- GVM Vulnerability Scan
- Subdomain Discovery
- URLScan.io Enrichment
- Shodan OSINT Enrichment
- Threat Intelligence Enrichment (7 OSINT Tools)
- GitHub Secret Hunting
- TruffleHog Secret Scanning
- Agent Behavior
- Hydra Credential Testing
- Social Engineering Simulation
- CypherFix Configuration
- Tool Phase Restrictions
| Parameter | Default | Description |
|---|---|---|
| Start from IP (IP Mode) | false | Toggle between domain mode and IP/CIDR targeting mode. Locked after project creation. When enabled, hides domain fields and shows IP/CIDR input |
| Target Domain | — | The root domain to assess (required in domain mode, hidden in IP mode) |
| Target IPs / CIDRs | [] | IP addresses and CIDR ranges to scan (IP mode only). Accepts IPv4, IPv6, and CIDR notation up to /24 (256 hosts) |
| Subdomain List | [] | Specific subdomain prefixes to scan (empty = discover all). Domain mode only |
| Verify Domain Ownership | false | Require DNS TXT record proof before scanning. Domain mode only |
| Ownership Token | (auto) | Unique token for TXT record verification |
| Ownership TXT Prefix | _redamon | DNS record name prefix |
| Stealth Mode | false | Forces passive-only techniques — disables active scanning, brute force, and GVM |
| Use Tor | false | Route all recon traffic through the Tor network |
| Use Bruteforce | true | Enable Knockpy active subdomain bruteforcing. Domain mode only |
Modules can be individually enabled/disabled with automatic dependency resolution — disabling a parent module automatically disables all children:
```
domain_discovery (root)
└── port_scan
    └── http_probe
        ├── resource_enum
        └── vuln_scan
```
| Parameter | Default | Description |
|---|---|---|
| Scan Modules | all enabled | Array of phases to execute |
| Update Graph DB | true | Auto-import results into Neo4j |
| WHOIS Max Retries | 3 | Retry attempts for WHOIS lookups |
| DNS Max Retries | 3 | Retry attempts for DNS resolution |
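The cascade rule above (disabling a parent disables every module beneath it) is easy to get subtly wrong when the toggles are stored as a flat array, so here it is written out in Python. This is an added example, not RedAmon's own code; the function names and the treatment of the `Scan Modules` array as a set of phase names are assumptions.

```python
"""Scan-module dependency resolution for the five-phase pipeline shown above.

Added example, not RedAmon's own code: it encodes the rule that disabling a
parent module disables every module beneath it. Function names and the
`Scan Modules` array format are assumptions.
"""
from __future__ import annotations

# Parent -> children, transcribed from the dependency tree on this page.
MODULE_CHILDREN: dict[str, list[str]] = {
    "domain_discovery": ["port_scan"],
    "port_scan": ["http_probe"],
    "http_probe": ["resource_enum", "vuln_scan"],
    "resource_enum": [],
    "vuln_scan": [],
}
# Pipeline order: a parent always precedes its children.
ALL_MODULES: list[str] = list(MODULE_CHILDREN)


def descendants(module: str) -> set[str]:
    """Every module that transitively depends on `module`."""
    found: set[str] = set()
    stack = list(MODULE_CHILDREN.get(module, []))
    while stack:
        child = stack.pop()
        if child not in found:
            found.add(child)
            stack.extend(MODULE_CHILDREN.get(child, []))
    return found


def toggle_module(enabled: set[str], module: str, on: bool) -> set[str]:
    """Apply one UI toggle and return the new enabled set.

    Turning a module off cascades to all of its descendants; turning one
    on only adds that module (its parents must be on for it to run, which
    resolve_scan_modules enforces).
    """
    if module not in MODULE_CHILDREN:
        raise ValueError(f"unknown scan module: {module}")
    if on:
        return enabled | {module}
    return enabled - ({module} | descendants(module))


def resolve_scan_modules(requested: set[str]) -> list[str]:
    """Return the effective, pipeline-ordered list of phases to execute.

    A module runs only if it is requested and every ancestor is too: any
    unrequested module drags its whole subtree out of the plan.
    """
    unknown = requested - set(ALL_MODULES)
    if unknown:
        raise ValueError(f"unknown scan modules: {sorted(unknown)}")
    disabled: set[str] = set()
    for module in ALL_MODULES:
        if module not in requested:
            disabled.add(module)
            disabled |= descendants(module)
    return [m for m in ALL_MODULES if m not in disabled]


if __name__ == "__main__":
    plan = set(ALL_MODULES)
    plan = toggle_module(plan, "http_probe", False)
    print(resolve_scan_modules(plan))  # ['domain_discovery', 'port_scan']
```

The resolver is deliberately applied again at run time rather than trusting the stored array: a row edited directly in PostgreSQL, or a stale array from an older UI, can otherwise request `vuln_scan` without `http_probe`, and the pipeline would then run a phase whose inputs never exist.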
High-speed SYN port scanner optimized for large networks and IP/CIDR ranges. Runs in parallel with Naabu — results are merged and deduplicated automatically. Incompatible with Tor (raw SYN packets bypass TCP stack). Both scanners are enabled by default.
Graph nodes — consumes: IP, Domain | produces: Port, Service
| Parameter | Default | Description |
|---|---|---|
| Enabled | true | Toggle Masscan on/off |
| Top Ports | 1000 | Port selection: 100, 1000, or "full" for all 65535 |
| Custom Ports | — | Manual port range (e.g., 80,443,8080-8090). Overrides Top Ports |
| Rate | 1000 | Packets per second. Masscan handles very high rates (10k+) |
| Banners | false | Capture service banners (SSH, HTTP, etc.). Increases scan time |
| Wait | 10 | Seconds to wait for late responses after scan completes |
| Retries | 1 | Retry attempts for unresponsive ports |
| Exclude Targets | — | Comma-separated IPs/CIDRs to exclude from scanning |
Warning: If both Masscan and Naabu are disabled, port scanning is skipped entirely and downstream modules (HTTP probe, vulnerability scanning) will produce no results.
Controls how ports are discovered on target hosts.
Graph nodes — consumes: IP, Domain | produces: Port, Service
| Parameter | Default | Description |
|---|---|---|
| Top Ports | 1000 | Port selection: 100, 1000, or custom |
| Custom Ports | — | Manual port range (e.g., 80,443,8080-8090) |
| Scan Type | SYN | SYN (fast, requires root) or CONNECT (slower, no root needed) |
| Rate Limit | 1000 | Packets per second |
| Threads | 25 | Parallel scanning threads |
| Timeout | 10000 | Per-port timeout in milliseconds |
| Retries | 3 | Retry attempts for unresponsive ports |
| Exclude CDN | true | Skip CDN-hosted IPs (Cloudflare, Akamai, etc.) |
| Display CDN | true | Show CDN info but don't scan deeper |
| Skip Host Discovery | false | Skip ping-based host check |
| Verify Ports | false | Double-check ports with TCP handshake |
| Passive Mode | false | Use Shodan InternetDB instead of active scanning (zero packets) |
Deep service version detection (-sV) and NSE vulnerability scripts (--script vuln) on discovered open ports. Runs after port scan merge (GROUP 3.5), only probing ports already confirmed open by Masscan/Naabu. Detected service versions feed into the CVE lookup pipeline for NVD/Vulners enrichment.
Graph nodes — consumes: IP, Port | produces: Port (enriched), Service (enriched), Technology, Vulnerability, CVE
| Parameter | Default | Description |
|---|---|---|
| Enabled | true | Toggle Nmap service detection on/off |
| Version Detection (-sV) | true | Probe open ports for service/version info |
| NSE Vulnerability Scripts | true | Run --script vuln for vulnerability detection |
| Timing Template | T3 | Nmap timing template: T1 (Sneaky), T2 (Polite), T3 (Normal), T4 (Aggressive), T5 (Insane) |
| Total Timeout | 600 | Maximum total scan duration in seconds |
| Per-Host Timeout | 300 | Maximum time per target host in seconds |
Stealth mode overrides: timing forced to T2 (Polite), NSE scripts disabled.
Controls what metadata is extracted from live HTTP services.
Graph nodes — consumes: Domain, IP, Port, Service | produces: BaseURL, Certificate, Technology, Header, Service, Port
Connection Settings:
| Parameter | Default | Description |
|---|---|---|
| Threads | 50 | Concurrent HTTP probes |
| Timeout | 15 | Request timeout (seconds) |
| Retries | 0 | Retry attempts for failed requests |
| Rate Limit | 150 | Requests per second |
| Follow Redirects | true | Follow HTTP redirects |
| Max Redirects | 10 | Maximum redirect chain depth |
Probe Toggles (each individually enabled/disabled):
| Probe | Default | Description |
|---|---|---|
| Status Code | true | HTTP response status code |
| Content Length | true | Response body size |
| Content Type | true | MIME type of response |
| Title | true | HTML page title |
| Server | true | Server header value |
| Response Time | true | Time to first byte |
| Word Count | true | Number of words in response |
| Line Count | true | Number of lines in response |
| Tech Detect | true | Built-in technology fingerprinting |
| IP | true | Resolved IP address |
| CNAME | true | CNAME DNS records |
| TLS Info | true | TLS certificate details |
| TLS Grab | true | Full TLS handshake data |
| Favicon | false | Favicon hash (for fingerprinting) |
| JARM | false | JARM TLS fingerprint |
| ASN | true | Autonomous System Number |
| CDN | true | CDN provider detection |
| Response Hash | — | Hash algorithm for response body |
| Include Response | false | Include full response body |
| Include Response Headers | false | Include all response headers |
Filtering:
| Parameter | Default | Description |
|---|---|---|
| Paths | [] | Additional paths to probe on each host |
| Custom Headers | [] | Extra headers to send with requests |
| Match Codes | [] | Only keep responses with these status codes |
| Filter Codes | [] | Exclude responses with these status codes |
Second-pass technology fingerprinting engine with 6,000+ fingerprints.
| Parameter | Default | Description |
|---|---|---|
| Enabled | true | Master toggle for Wappalyzer |
| Min Confidence | 50 | Minimum detection confidence (0-100%) |
| Require HTML | false | Only fingerprint responses with HTML content |
| Auto Update | true | Update fingerprint database from npm |
| NPM Version | 6.10.56 | Wappalyzer npm package version |
| Cache TTL (hours) | 24 | How long to cache fingerprint data |
Raw socket banner extraction for non-HTTP services.
| Parameter | Default | Description |
|---|---|---|
| Enabled | true | Master toggle for banner grabbing |
| Timeout | 5 | Connection timeout (seconds) |
| Threads | 10 | Concurrent banner grab connections |
| Max Length | 1024 | Maximum banner size (bytes) |
Active web crawling for endpoint and parameter discovery.
Graph nodes — consumes: BaseURL | produces: Endpoint, Parameter, BaseURL
| Parameter | Default | Description |
|---|---|---|
| Enable Katana | true | Master toggle for active web crawling |
| Crawl Depth | 2 | How many links deep to follow (1-10). Each level adds ~50% time |
| Max URLs | 300 | Maximum URLs to collect per domain. 300: ~1-2 min/domain, 1000+: scales linearly |
| Rate Limit | 50 | Requests per second |
| Timeout | 3600 | Overall crawl timeout in seconds (default: 60 minutes) |
| JavaScript Crawling | false | Parse JS files with headless browser (+50-100% time) |
| Parameters Only | false | Only keep URLs with query parameters for DAST fuzzing |
| Exclude Patterns | [100+ patterns] | URL patterns to skip — static assets, images, CDN URLs |
| Custom Headers | [] | Browser-like headers to avoid detection |
Passive URL discovery from web archives and threat intelligence sources.
Graph nodes — consumes: Domain, Subdomain | produces: Endpoint, Parameter, BaseURL
| Parameter | Default | Description |
|---|---|---|
| Enable GAU | false | Master toggle for passive URL discovery |
| Providers | wayback, commoncrawl, otx, urlscan | Data sources for archived URLs |
| Max URLs | 1000 | Maximum URLs per domain (0 = unlimited) |
| Timeout | 60 | Request timeout per provider (seconds) |
| Threads | 5 | Parallel fetch threads (1-20) |
| Year Range | [] | Filter Wayback by year (e.g., "2020, 2024"). Empty = all |
| Verbose Output | false | Detailed logging |
| Blacklist Extensions | [png, jpg, css, pdf, zip, ...] | File extensions to exclude |
URL Verification (when enabled, GAU confirms URLs are still live):
| Parameter | Default | Description |
|---|---|---|
| Verify URLs | false | HTTP check on archived URLs |
| Verify Timeout | 5 | Seconds per URL check |
| Verify Rate Limit | 100 | Verification requests per second |
| Verify Threads | 50 | Concurrent verification threads (1-100) |
| Accept Status Codes | [200, 201, 301, ...] | Status codes indicating a live URL |
| Filter Dead Endpoints | true | Exclude 404/500/timeout URLs |
HTTP Method Detection (when verification is enabled):
| Parameter | Default | Description |
|---|---|---|
| Detect Methods | false | Send OPTIONS to discover allowed methods |
| Method Detect Timeout | 5 | Seconds per OPTIONS request |
| Method Detect Rate Limit | 50 | Requests per second |
| Method Detect Threads | 25 | Concurrent threads |
API endpoint brute-forcing using real-world Swagger/OpenAPI wordlists.
Graph nodes — consumes: BaseURL | produces: Endpoint, BaseURL
| Parameter | Default | Description |
|---|---|---|
| Enable Kiterunner | true | Master toggle for API brute-forcing |
| Wordlist | routes-large | routes-large (~100k, 10-30 min) or routes-small (~20k, 5-10 min) |
| Rate Limit | 100 | Requests per second |
| Connections | 100 | Concurrent connections per target |
| Timeout | 10 | Per-request timeout (seconds) |
| Scan Timeout | 1000 | Overall scan timeout (seconds) |
| Threads | 50 | Parallel scanning threads |
| Min Content Length | 0 | Ignore responses smaller than this (bytes) |
Status Code Filters:
| Parameter | Default | Description |
|---|---|---|
| Ignore Status Codes | [] | Blacklist: filter out noise (e.g., 404, 500) |
| Match Status Codes | [200, 201, ...] | Whitelist: only keep these codes. Includes 401/403 |
| Custom Headers | [] | For authenticated API scanning |
Method Detection:
| Parameter | Default | Description |
|---|---|---|
| Detect Methods | true | Find POST/PUT/DELETE methods beyond GET |
| Detection Mode | bruteforce | bruteforce (slower, more accurate) or options (faster) |
| Bruteforce Methods | POST, PUT, DELETE, PATCH | Methods to try in bruteforce mode |
| Method Detect Timeout | 5 | Seconds per request |
| Method Detect Rate Limit | 50 | Requests per second |
| Method Detect Threads | 25 | Concurrent threads |
Hakrawler is a DOM-aware web crawler that runs as a Docker container alongside Katana. It provides an additional crawling perspective with scope-aware link following.
Graph nodes — consumes: BaseURL | produces: Endpoint, Parameter, BaseURL
| Parameter | Default | Description |
|---|---|---|
| Enable Hakrawler | true | Master toggle for Hakrawler crawling |
| Docker Image | jauderho/hakrawler:latest | Docker image to use |
| Crawl Depth | 2 | How many links deep to follow (1-10) |
| Threads | 5 | Concurrent crawling threads |
| Per-URL Timeout | 30 | Timeout per URL in seconds |
| Max URLs | 500 | Maximum URLs to discover |
| Include Subdomains | true | Allow crawler to follow links to subdomains. Results are still scope-filtered |
| Skip TLS Verify | true | Skip TLS certificate verification |
| Custom Headers | [] | Custom HTTP headers for requests |
Stealth mode: Hakrawler is automatically disabled in stealth mode to reduce the active crawling footprint.
jsluice is a passive JavaScript analysis tool compiled into the recon container. It analyzes JS files discovered by Katana/Hakrawler to extract hidden URLs, API endpoints, and embedded secrets.
Graph nodes — consumes: BaseURL, Endpoint | produces: Endpoint, Parameter, BaseURL, Secret
| Parameter | Default | Description |
|---|---|---|
| Enable jsluice | true | Master toggle for JavaScript analysis |
| Max Files | 50 | Maximum number of JS files to analyze |
| Timeout | 120 | Overall analysis timeout in seconds |
| Concurrency | 5 | Files to process concurrently |
| Extract URLs | true | Extract URLs and API endpoints from JS |
| Extract Secrets | true | Detect API keys, tokens, and credentials |
Note: jsluice is passive — it downloads JS files already discovered by crawlers and analyzes them locally. No additional crawling or scanning traffic is generated.
FFuf (Fuzz Faster U Fool) brute-forces directory and endpoint paths using wordlists to discover hidden content that crawlers cannot find — admin panels, backup files, configuration pages, and undocumented APIs. Runs after jsluice and before Kiterunner in the pipeline. Disabled by default.
Graph nodes — consumes: BaseURL, Endpoint | produces: Endpoint, BaseURL
| Parameter | Default | Description |
|---|---|---|
| Enable FFuf | false | Master toggle for directory fuzzing |
| Wordlist | common.txt | SecLists wordlist: common.txt, raft-medium-directories.txt, or directory-list-2.3-small.txt. Custom uploaded wordlists also appear here |
| Threads | 40 | Concurrent fuzzing threads |
| Rate | 0 | Requests per second (0 = unlimited). Capped by RoE if active |
| Timeout | 10 | Per-request timeout in seconds |
| Max Time | 600 | Overall fuzzing timeout in seconds (per target) |
| Match Codes | 200, 201, 204, 301, 302, 307, 308, 401, 403, 405 | HTTP status codes to keep |
| Filter Codes | [] | HTTP status codes to exclude |
| Filter Size |  | Response sizes to filter (comma-separated, e.g., 0,4242) |
| Extensions | [] | File extensions to append (e.g., .php, .bak, .env) |
| Recursion | false | Enable recursive fuzzing into discovered directories |
| Recursion Depth | 2 | Maximum recursion depth (1-5) |
| Auto-Calibrate | true | Automatically filter false positives |
| Follow Redirects | false | Follow HTTP redirects |
| Custom Headers | [] | Custom HTTP headers (one per line, Name: Value format) |
| Smart Fuzz | true | Fuzz under base paths discovered by crawlers (e.g., /api/v1/FUZZ) |
Custom Wordlists:
Upload your own .txt wordlists per-project via the FFuf settings UI. Uploaded wordlists appear in the dropdown under "Your custom lists" alongside the built-in SecLists. Maximum file size: 50 MB.
Stealth mode: FFuf is automatically disabled in stealth mode (it is an active brute-force tool).
RoE: When Rules of Engagement are active and `FFUF_RATE` is 0 (unlimited), it is automatically capped to the RoE max requests per second.
Arjun discovers hidden HTTP query and body parameters on discovered endpoints by testing ~25,000 common parameter names. It finds debug parameters, admin functionality, and hidden API inputs that aren't visible in HTML forms or JavaScript. Runs after FFuf in the pipeline, testing endpoints already discovered by crawlers and fuzzers. Disabled by default.
Graph nodes — consumes: BaseURL, Endpoint | produces: Parameter
| Setting | Default | Description |
|---|---|---|
| Enable Arjun | false | Master toggle for parameter discovery |
| HTTP Methods | GET | Methods to test: GET (query params), POST (form body), JSON (JSON body), XML (XML body). Multiple methods run in parallel. |
| Max Endpoints | 50 | Maximum number of discovered endpoints to test. API and dynamic endpoints are prioritized over static ones. |
| Threads | 2 | Concurrent parameter testing threads per Arjun process |
| Request Timeout | 15s | Per-request timeout |
| Scan Timeout | 600s | Overall scan timeout per method |
| Chunk Size | 500 | Number of parameters tested per request batch. Lower values increase accuracy but make more requests. |
| Rate Limit | 0 | Max requests per second (0 = unlimited) |
| Stable Mode | false | Add random delays between requests to avoid WAF detection. Forces threads to 1 internally. |
| Passive Mode | false | Use CommonCrawl, OTX, and WaybackMachine only — no active requests to target |
| Disable Redirects | false | Do not follow HTTP redirects during parameter testing |
| Custom Headers | [] | Custom HTTP headers (e.g., auth tokens) added to every request |
Stealth mode: Arjun is automatically switched to passive mode in stealth mode (queries archives only, sends no requests to the target).
RoE: When Rules of Engagement are active and `ARJUN_RATE_LIMIT` is 0 (unlimited), it is automatically capped to the RoE max requests per second.
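Several modules on this page carry a "Stealth mode" or "RoE" note (Nmap forced to T2 with NSE scripts off, Hakrawler and FFuf disabled, Arjun switched to passive, an unlimited FFuf/Arjun rate capped to the RoE maximum). The following Python is an added example, not RedAmon's own code, showing those rules applied in one place to produce the settings the pipeline actually runs with, plus the Nmap argument list built from them for ports already confirmed open. The dataclass fields, the `roe_max_rps` name and the function names are assumptions.

```python
"""Effective settings after stealth-mode and Rules-of-Engagement overrides.

Added example, not RedAmon's own code. It applies the overrides this page
states: stealth mode forces Nmap to T2 with NSE scripts off, disables
Hakrawler and FFuf, and switches Arjun to passive mode; an active RoE caps
a FFUF_RATE or ARJUN_RATE_LIMIT of 0 (unlimited) to the RoE maximum. The
dataclass fields, `roe_max_rps` and the function names are assumptions.
"""
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class ProjectSettings:
    stealth_mode: bool = False
    roe_active: bool = False
    roe_max_rps: int = 0             # RoE max requests per second (assumed name)
    nmap_timing: str = "T3"
    nmap_version_detection: bool = True
    nmap_nse_vuln: bool = True
    nmap_host_timeout: int = 300     # seconds (Per-Host Timeout)
    hakrawler_enabled: bool = True
    ffuf_enabled: bool = False
    ffuf_rate: int = 0               # FFUF_RATE, 0 = unlimited
    arjun_enabled: bool = False
    arjun_passive: bool = False
    arjun_rate_limit: int = 0        # ARJUN_RATE_LIMIT, 0 = unlimited


def cap_unlimited_rate(rate: int, roe_active: bool, roe_max_rps: int) -> int:
    """Replace an 'unlimited' rate (0) with the RoE maximum when RoE is active.

    Only the zero case is rewritten, matching the rule on this page; an
    explicit non-zero rate is returned unchanged.
    """
    if roe_active and roe_max_rps > 0 and rate == 0:
        return roe_max_rps
    return rate


def effective_settings(s: ProjectSettings) -> ProjectSettings:
    """Return the settings the pipeline actually runs with."""
    out = s
    if s.stealth_mode:
        out = replace(
            out,
            nmap_timing="T2",          # Polite
            nmap_nse_vuln=False,       # no --script vuln
            hakrawler_enabled=False,
            ffuf_enabled=False,
            arjun_passive=True,        # archives only, no requests to target
        )
    return replace(
        out,
        ffuf_rate=cap_unlimited_rate(out.ffuf_rate, s.roe_active, s.roe_max_rps),
        arjun_rate_limit=cap_unlimited_rate(out.arjun_rate_limit, s.roe_active, s.roe_max_rps),
    )


def nmap_args(s: ProjectSettings, confirmed_open_ports: list[int]) -> list[str]:
    """Build the Nmap argument list for ports already confirmed open.

    Returns an empty list when there is nothing to probe, so the caller
    skips Nmap instead of falling back to a full port sweep.
    """
    if not confirmed_open_ports:
        return []
    args = ["nmap", f"-{s.nmap_timing}"]
    if s.nmap_version_detection:
        args.append("-sV")
    if s.nmap_nse_vuln:
        args += ["--script", "vuln"]
    args += ["--host-timeout", f"{s.nmap_host_timeout}s"]
    args += ["-p", ",".join(str(p) for p in sorted(set(confirmed_open_ports)))]
    return args


if __name__ == "__main__":
    project = ProjectSettings(stealth_mode=True, roe_active=True, roe_max_rps=20, ffuf_enabled=True)
    eff = effective_settings(project)
    print(eff)
    print(" ".join(nmap_args(eff, [443, 22, 22])))
```

Computing the effective settings from the stored row at run time, rather than rewriting the row when stealth mode is toggled, keeps the user's choices intact when stealth mode is switched off again and makes the override rules auditable in one function.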
Template-based vulnerability scanning with 9,000+ community templates.
Graph nodes — consumes: BaseURL, Endpoint, Technology, Domain | produces: Vulnerability, Endpoint, Parameter, CVE, MitreData, Capec
Performance Settings:
| Parameter | Default | Description |
|---|---|---|
| Severity Levels | critical, high, medium, low, info | Severity filter. Excluding "info" is ~70% faster |
| Rate Limit | 100 | Requests per second |
| Bulk Size | 25 | Hosts processed in parallel |
| Concurrency | 25 | Templates executed in parallel |
| Timeout | 10 | Request timeout per check (seconds) |
| Retries | 1 | Retry attempts for failed requests (0-10) |
| Max Redirects | 10 | Maximum redirect chain (0-50) |
Template Configuration:
| Parameter | Default | Description |
|---|---|---|
| Template Folders | [] | Directories to include (cves, vulnerabilities, misconfiguration, exposures, etc.). Empty = all |
| Exclude Template Paths | [] | Exclude specific directories or files |
| Custom Template Paths | [] | Your own templates in addition to the official repo |
| Include Tags | [] | Filter by tags: cve, xss, sqli, rce, lfi, ssrf, xxe, ssti. Empty = all |
| Exclude Tags | [] | Exclude tags — recommended: dos, fuzz for production |
Template Options:
| Parameter | Default | Description |
|---|---|---|
| Auto Update Templates | true | Download latest before scan (+10-30 seconds) |
| New Templates Only | false | Only run templates added since last update |
| DAST Mode | true | Active fuzzing for XSS, SQLi, RCE (+50-100% time) |
Advanced Options:
| Parameter | Default | Description |
|---|---|---|
| Headless Mode | false | Use headless browser for JS pages (+100-200% time) |
| System DNS Resolvers | false | Use OS DNS instead of Nuclei defaults |
| Interactsh | true | Blind vulnerability detection via out-of-band callbacks |
| Follow Redirects | true | Follow HTTP redirects during scanning |
| Scan All IPs | false | Scan all resolved IPs, not just hostnames |
Enrich findings with CVSS scores, descriptions, and references.
Graph nodes — consumes: Technology | produces: CVE, MitreData, Capec
| Parameter | Default | Description |
|---|---|---|
| Enable CVE Lookup | true | Master toggle |
| CVE Source | nvd | Data source: nvd or vulners |
| Max CVEs per Finding | 20 | Maximum entries per technology (1-100) |
| Min CVSS Score | 0 | Only include CVEs at or above this score (0-10) |
Note: NVD and Vulners API keys are configured in Global Settings → API Keys (user-scoped), not in project settings.
CWE/CAPEC enrichment of CVE findings.
| Parameter | Default | Description |
|---|---|---|
| Auto Update DB | true | Auto-update CWE/CAPEC database |
| Include CWE | true | Map CVEs to CWE weaknesses |
| Include CAPEC | true | Map CWEs to CAPEC attack patterns |
| Enrich Recon CVEs | true | Enrich CVEs from reconnaissance |
| Enrich GVM CVEs | true | Enrich CVEs from GVM scans |
| Cache TTL (hours) | 24 | Database cache duration |
25+ individual toggle-controlled checks grouped into six categories. Each check creates a Vulnerability node in the graph if the condition is detected.
Graph nodes — consumes: BaseURL, IP, Subdomain, Domain | produces: Vulnerability
Global Settings:
| Parameter | Default | Description |
|---|---|---|
| Enable Security Checks | true | Master toggle for all checks |
| Timeout | 10 | Per-check timeout (seconds) |
| Max Workers | 10 | Concurrent check threads |
Network Exposure:
| Check | Default | Description |
|---|---|---|
| Direct IP HTTP | true | HTTP accessible via IP address |
| Direct IP HTTPS | true | HTTPS accessible via IP address |
| IP API Exposed | true | API endpoints accessible via IP |
| WAF Bypass | true | WAF can be bypassed via direct IP |
TLS/Certificate:
| Check | Default | Description |
|---|---|---|
| TLS Expiring Soon | true | Certificate expires within configurable days |
| TLS Expiry Days | 30 | Days before expiry to trigger warning |
Security Headers:
| Check | Default | Description |
|---|---|---|
| Missing Referrer-Policy | true | No Referrer-Policy header |
| Missing Permissions-Policy | true | No Permissions-Policy header |
| Missing COOP | true | No Cross-Origin-Opener-Policy |
| Missing CORP | true | No Cross-Origin-Resource-Policy |
| Missing COEP | true | No Cross-Origin-Embedder-Policy |
| Cache-Control Missing | true | No Cache-Control header |
| CSP Unsafe Inline | true | Content-Security-Policy allows unsafe-inline |
Authentication:
| Check | Default | Description |
|---|---|---|
| Login No HTTPS | true | Login form served over HTTP |
| Session No Secure | true | Session cookie missing Secure flag |
| Session No HttpOnly | true | Session cookie missing HttpOnly flag |
| Basic Auth No TLS | true | Basic Authentication without TLS |
DNS Security:
| Check | Default | Description |
|---|---|---|
| SPF Missing | true | No SPF record for the domain |
| DMARC Missing | true | No DMARC record |
| DNSSEC Missing | true | DNSSEC not configured |
| Zone Transfer | true | DNS zone transfer allowed |
Exposed Services:
| Check | Default | Description |
|---|---|---|
| Admin Port Exposed | true | Administrative ports publicly accessible |
| Database Exposed | true | Database ports publicly accessible |
| Redis No Auth | true | Redis accessible without authentication |
| Kubernetes API Exposed | true | Kubernetes API publicly accessible |
| SMTP Open Relay | true | SMTP server allows open relay |
Application:
| Check | Default | Description |
|---|---|---|
| Insecure Form Action | true | Form submits over HTTP |
| No Rate Limiting | true | No rate limiting detected on endpoints |
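The Security Headers, Authentication and TLS/Certificate checks above are all decidable from a single response plus the certificate's expiry date, so they make a compact worked example. The Python below is an added example, not RedAmon's own code: each function evaluates one family of checks over a constructed response and returns the check names used in the tables. The session-cookie heuristic, the `SAMPLE_RESPONSE` data and all function names are assumptions.

```python
"""Header, cookie, Basic-auth and TLS-expiry checks from the tables above.

Added example, not RedAmon's own code: each function evaluates one family
of checks over a constructed HTTP response and returns the names used in
the tables. The session-cookie heuristic, `SAMPLE_RESPONSE` and all
function names are assumptions; the sample is constructed data.
"""
from __future__ import annotations
from datetime import date

# Header name -> check name from the Security Headers table.
MISSING_HEADER_CHECKS = {
    "referrer-policy": "Missing Referrer-Policy",
    "permissions-policy": "Missing Permissions-Policy",
    "cross-origin-opener-policy": "Missing COOP",
    "cross-origin-resource-policy": "Missing CORP",
    "cross-origin-embedder-policy": "Missing COEP",
    "cache-control": "Cache-Control Missing",
}


def _lower(headers: dict[str, str]) -> dict[str, str]:
    return {k.lower(): v for k, v in headers.items()}


def csp_allows_unsafe_inline(csp: str) -> bool:
    """True if scripts may run inline: script-src wins, default-src is the fallback."""
    directives: dict[str, list[str]] = {}
    for part in csp.split(";"):
        tokens = part.split()
        if tokens:
            directives[tokens[0].lower()] = [t.lower() for t in tokens[1:]]
    script_src = directives.get("script-src", directives.get("default-src", []))
    return "'unsafe-inline'" in script_src


def check_headers(headers: dict[str, str]) -> set[str]:
    h = _lower(headers)
    findings = {name for hdr, name in MISSING_HEADER_CHECKS.items() if hdr not in h}
    if csp_allows_unsafe_inline(h.get("content-security-policy", "")):
        findings.add("CSP Unsafe Inline")
    return findings


def parse_set_cookie(line: str) -> tuple[str, set[str]]:
    """Return (cookie name, lower-cased attribute names) from one Set-Cookie value."""
    parts = [p.strip() for p in line.split(";")]
    name = parts[0].split("=", 1)[0].strip()
    attrs = {p.split("=", 1)[0].strip().lower() for p in parts[1:] if p}
    return name, attrs


def is_session_cookie(name: str) -> bool:
    # Heuristic (assumption): matches sessionid, PHPSESSID, JSESSIONID, sid, ...
    n = name.lower()
    return "sess" in n or n == "sid"


def check_cookies(set_cookie_lines: list[str]) -> set[str]:
    findings: set[str] = set()
    for line in set_cookie_lines:
        name, attrs = parse_set_cookie(line)
        if not is_session_cookie(name):
            continue
        if "secure" not in attrs:
            findings.add("Session No Secure")
        if "httponly" not in attrs:
            findings.add("Session No HttpOnly")
    return findings


def check_auth(headers: dict[str, str], scheme: str) -> set[str]:
    challenge = _lower(headers).get("www-authenticate", "").lower()
    if scheme == "http" and challenge.startswith("basic"):
        return {"Basic Auth No TLS"}
    return set()


def check_tls_expiry(not_after: date, today: date, expiry_days: int = 30) -> set[str]:
    """Flag certificates expiring within `expiry_days` (already-expired ones too)."""
    if (not_after - today).days <= expiry_days:
        return {"TLS Expiring Soon"}
    return set()


# Constructed sample: HTTPS, partial headers, session cookie without Secure.
SAMPLE_TODAY = date(2025, 1, 1)
SAMPLE_RESPONSE = {
    "scheme": "https",
    "headers": {
        "Content-Type": "text/html",
        "Cache-Control": "no-store",
        "Content-Security-Policy": "default-src 'self'; script-src 'self' 'unsafe-inline'",
    },
    "set_cookie": ["sessionid=abc123; Path=/; HttpOnly", "theme=dark; Path=/"],
    "not_after": date(2025, 1, 20),
}


def run_checks(resp: dict, today: date, expiry_days: int = 30) -> list[str]:
    findings = (
        check_headers(resp["headers"])
        | check_cookies(resp["set_cookie"])
        | check_auth(resp["headers"], resp["scheme"])
        | check_tls_expiry(resp["not_after"], today, expiry_days)
    )
    return sorted(findings)


if __name__ == "__main__":
    for finding in run_checks(SAMPLE_RESPONSE, SAMPLE_TODAY):
        print(finding)
```

Two details matter for false positives: the CSP check looks at `script-src` and falls back to `default-src` only when `script-src` is absent, since `unsafe-inline` in `default-src` is overridden by a stricter `script-src`; and the cookie checks apply only to session-like cookie names, so a `theme` cookie without `Secure` does not count as a session finding.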
Configure GVM/OpenVAS network-level scanning.
Graph nodes — consumes: IP, Port, Subdomain, Domain | produces: Vulnerability, Technology, Traceroute, Certificate, ExploitGvm, CVE, MitreData, Capec
Scan Configuration:
| Parameter | Default | Description |
|---|---|---|
| Scan Profile | Full and fast | GVM scan preset — see GVM Vulnerability Scanning for all 7 profiles |
| Scan Targets Strategy | both | both (IPs + hostnames), ips_only, or hostnames_only |
Timeouts & Polling:
| Parameter | Default | Description |
|---|---|---|
| Task Timeout | 14400 | Maximum seconds per scan task (4 hours). 0 = unlimited |
| Poll Interval | 5 | Seconds between status checks (5-300) |
Post-Scan:
| Parameter | Default | Description |
|---|---|---|
| Cleanup After Scan | true | Remove targets/tasks from GVM after results are extracted |
Configure passive and active subdomain enumeration. Located in the Discovery & OSINT tab.
Graph nodes — consumes: Domain | produces: Domain, Subdomain, IP, DNSRecord
Each passive source has an enabled toggle and a max results cap. All sources run in parallel and results are merged and deduplicated. After merging, Puredns validates the combined list against public DNS resolvers to remove wildcard and DNS-poisoned entries before DNS resolution proceeds.
| Parameter | Default | Description |
|---|---|---|
| crt.sh | enabled, max 5000 | Certificate Transparency log queries for subdomain discovery |
| HackerTarget | enabled, max 5000 | Passive DNS lookup database |
| Subfinder | enabled, max 5000 | Passive enumeration using 50+ online sources (CT logs, DNS databases, web archives). Runs via Docker (projectdiscovery/subfinder). No API key required |
| Amass | disabled, max 5000 | OWASP Amass subdomain enumeration using 50+ data sources (certificate logs, DNS databases, web archives, WHOIS). Runs via Docker (caffix/amass). No API key required for passive mode |
| Amass Timeout | 10 | Enumeration timeout in minutes (1-120) |
| Amass Active Mode | false | Enable zone transfers and certificate name grabs — sends DNS queries directly to target. Forced off in stealth mode |
| Amass Bruteforce | false | DNS brute forcing after passive enumeration — significantly increases scan time. Forced off in stealth mode |
| Knockpy Recon | enabled, max 5000 | Passive wordlist-based subdomain enumeration |
| Use Bruteforce | true | Enable Knockpy active subdomain brute-forcing. Domain mode only |
| Puredns Wildcard Filtering | enabled | Validates discovered subdomains against public DNS resolvers and removes wildcard entries and DNS-poisoned results. Runs after all discovery tools complete, before DNS resolution. Active tool — sends DNS queries. Runs via Docker (frost19k/puredns). Disabled in stealth mode |
| Puredns Threads | 0 | Parallel resolution threads (0 = auto-detect) |
| Puredns Rate Limit | 0 | DNS queries per second (0 = unlimited). Capped by RoE global rate limit when enabled |
| WHOIS Max Retries | 3 | Retry attempts for WHOIS lookups |
| DNS Max Retries | 3 | Retry attempts for DNS resolution |
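The merge step described above (per-source caps, deduplication, then a Puredns pass that drops wildcard and dead entries before resolution) is shown below in Python as an added example, not RedAmon's own code. The resolver is a constructed stub standing in for the public resolvers Puredns queries, and the wildcard test is the simplified single-probe form (Puredns itself uses several random probes and further heuristics); all function names and sample data are assumptions.

```python
"""Merging per-source subdomain results with caps, scope filtering and a
Puredns-style wildcard filter.

Added example, not RedAmon's own code. Each enabled source contributes at
most its max results, names are normalised and deduplicated, out-of-scope
names are dropped, and a random-label probe removes catch-all (wildcard)
entries before resolution proceeds. The resolver is a constructed stub;
all names and sample data are assumptions.
"""
from __future__ import annotations
import secrets
from typing import Callable

Resolver = Callable[[str], set[str]]  # name -> resolved IPs (empty if unresolvable)


def normalise(raw: str) -> str:
    name = raw.strip().lower().rstrip(".")
    if name.startswith("*."):      # CT logs return wildcard certificate names
        name = name[2:]
    return name


def in_scope(name: str, root: str) -> bool:
    """Strict subdomain of `root` (the root itself is not a subdomain)."""
    return name.endswith("." + root) and name != root


def merge_sources(root: str, sources: dict[str, dict]) -> tuple[list[str], dict[str, int]]:
    """Combine sources shaped {name: {"enabled": bool, "max": int, "results": [...]}}.

    Returns the sorted, deduplicated list and how many new names each
    source contributed (useful for judging which sources earn their keep).
    """
    seen: set[str] = set()
    kept_per_source: dict[str, int] = {}
    for source, cfg in sources.items():
        kept = 0
        if cfg["enabled"]:
            for raw in cfg["results"][: cfg["max"]]:   # per-source cap
                name = normalise(raw)
                if in_scope(name, root) and name not in seen:
                    seen.add(name)
                    kept += 1
        kept_per_source[source] = kept
    return sorted(seen), kept_per_source


def filter_wildcards(names: list[str], root: str, resolve: Resolver) -> list[str]:
    """Drop unresolvable names and names that only resolve to the wildcard answer."""
    probe = f"{secrets.token_hex(8)}.{root}"   # random label that should not exist
    wildcard_ips = resolve(probe)
    valid = []
    for name in names:
        ips = resolve(name)
        if not ips:
            continue                      # dead or poisoned entry
        if wildcard_ips and ips <= wildcard_ips:
            continue                      # catch-all answer, not a real host
        valid.append(name)
    return valid


# Constructed sample data (not real scan output).
SAMPLE_SOURCES = {
    "crt.sh": {"enabled": True, "max": 3, "results": [
        "www.example.com", "*.example.com", "API.example.com.", "www.example.com", "mail.example.com"]},
    "HackerTarget": {"enabled": True, "max": 5000, "results": [
        "mail.example.com", "evil.attacker.test", "www.example.com"]},
    "Amass": {"enabled": False, "max": 5000, "results": ["dev.example.com"]},
}
_SAMPLE_DNS = {"www.example.com": {"192.0.2.10"}, "api.example.com": {"192.0.2.11"}}


def stub_resolve(name: str) -> set[str]:
    """Constructed resolver: two real hosts, everything else under the root hits a wildcard."""
    if name in _SAMPLE_DNS:
        return _SAMPLE_DNS[name]
    if name.endswith(".example.com"):
        return {"192.0.2.99"}
    return set()


def discover(root: str, sources: dict[str, dict], resolve: Resolver) -> list[str]:
    merged, _ = merge_sources(root, sources)
    return filter_wildcards(merged, root, resolve)


if __name__ == "__main__":
    print(merge_sources("example.com", SAMPLE_SOURCES))
    print(discover("example.com", SAMPLE_SOURCES, stub_resolve))
```

In the sample, `mail.example.com` is returned by two sources yet still resolves only to the wildcard address, which is exactly the kind of entry that would otherwise pollute the port scan and every downstream module with a host that is not really there.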
Passive OSINT enrichment using URLScan.io historical scan data. Runs in the recon pipeline after domain discovery and before port scanning. Located in the Discovery & OSINT tab.
| Parameter | Default | Description |
|---|---|---|
| URLScan Enabled | false | Master toggle for URLScan.io enrichment |
| Max Results | 500 | Maximum scan results to fetch per domain (1-10000) |
API Key: Optional. Configure in Global Settings → API Keys. Without an API key, only public scan results are available with lower rate limits. With a key, you get access to private scans and higher rate limits.
Graph nodes — consumes: Domain, BaseURL | produces: Domain, Subdomain, ExternalDomain, IP, Endpoint, Parameter. URL paths from historical scans are parsed into Endpoint and Parameter nodes (only when a matching BaseURL already exists from httpx). External domains encountered in scans are tracked as ExternalDomain nodes for situational awareness.
GAU deduplication: When URLScan enrichment runs successfully, the urlscan provider is automatically removed from GAU's data sources to avoid redundant API calls.
Passive internet-wide OSINT enrichment using the Shodan REST API. Runs in the recon pipeline after domain/IP discovery and before port scanning. Located in the Discovery & OSINT tab. Each feature is independently toggled and all require a Shodan API key set in Global Settings.
API Key Required: All toggles are disabled until a Shodan API key is configured in Global Settings. Host Lookup, Reverse DNS, and Passive CVEs automatically fall back to the free InternetDB API when the paid Shodan API returns 403. Domain DNS requires a paid Shodan plan (no free fallback).
| Parameter | Default | Description |
|---|---|---|
| Host Lookup | false | Query each discovered IP for OS, ISP, organization, geolocation, and known vulnerabilities. Uses /shodan/host/{ip} (paid plan: full banners, geo, services) or falls back to InternetDB (free: ports, hostnames, CPEs, CVEs, tags — no geo or banners) |
| Reverse DNS | false | Discover hostnames for known IPs. Uses /dns/reverse (paid) or falls back to InternetDB hostnames (free). Can reveal subdomains missed by standard enumeration |
| Domain DNS | false | Subdomain enumeration and DNS records via /dns/domain/{domain}. Requires paid Shodan plan — no free fallback. Domain mode only (skipped in IP mode) |
| Passive CVEs | false | Extract known CVEs associated with discovered IPs. Reuses Host Lookup data if available; otherwise queries InternetDB directly (free, no key needed) |
Graph nodes — consumes: IP, Subdomain, Domain | produces: IP, Port, Service, Subdomain, ExternalDomain, DNSRecord, Vulnerability, CVE. All use MERGE-based deduplication — data from Shodan is automatically merged with findings from Naabu, Nuclei, and other tools.
Seven passive threat intelligence enrichment tools that run in GROUP 3b — concurrently with port scanning. All tools query external intelligence platforms using IPs and domains discovered in GROUP 1. Located in the Discovery & OSINT tab.
API Keys: All API keys are stored in Global Settings > API Keys (user-scoped, not per-project). Project settings contain only enable/disable toggles and optional limits. Enable a tool here, then add its key in Global Settings.
OTX Exception: OTX is enabled by default and works without an API key (anonymous requests, 1,000 req/hr).
Key Rotation: FOFA, OTX, Netlas, VirusTotal, ZoomEye, and CriminalIP support automatic round-robin key rotation — configure extra keys in Global Settings to avoid rate limiting mid-scan.
Graph nodes — consumes: IP, Domain, Subdomain | produces: threat intelligence properties stored on existing IP and Domain nodes (no new node types). Results also written to recon_domain.json under per-tool keys.
| Parameter | Default | Description |
|---|---|---|
| Enabled | false | Enable Censys host intelligence enrichment. Requires both Censys API ID and API Secret in Global Settings |
Queries /v2/hosts/{ip} for each discovered IP. Returns open ports, running services + banners, TLS certificate chains, geolocation, ASN, and OS fingerprint. On HTTP 429 (rate limit), stops querying and logs the limit.
| Parameter | Default | Description |
|---|---|---|
| Enabled | false | Enable FOFA internet asset search enrichment. Requires FOFA API Key in Global Settings |
| Max Results | 1000 | Maximum rows to fetch per query (hard cap: 10,000) |
Queries the FOFA API using base64-encoded syntax (domain="<domain>" or per-IP queries). Returns IP:port pairs, HTTP titles, server headers, geolocation, certificate info, and protocol details. Supports both legacy (email:key) and modern (key-only) authentication formats.
| Parameter | Default | Description |
|---|---|---|
| Enabled | true | Enable OTX threat intelligence enrichment. Works without an API key (anonymous). Add OTX API Key in Global Settings for higher rate limits |
Queries the OTX Indicators API v1 for each IP and domain. Returns threat reputation, pulse count, associated malware families, MITRE ATT&CK attack IDs, passive DNS records (first/last seen), and individual pulse details (adversaries, TLP, tags). Anonymous rate limit: 1,000 req/hr. With API key: 10,000 req/hr.
OTX is the only enrichment tool enabled by default. It requires no API key to function, making it active in every scan out of the box.
| Parameter | Default | Description |
|---|---|---|
| Enabled | false | Enable Netlas internet intelligence enrichment. Requires Netlas API Key in Global Settings |
| Max Results | 1000 | Maximum items to fetch per query (hard cap: 1,000) |
Queries the Netlas Responses API (host:{domain} or host:{ip}). Returns port/service data, HTTP response headers and body snippets, geolocation (country, city, latitude/longitude, timezone), TLS certificate details, DNS records, and WHOIS data.
| Parameter | Default | Description |
|---|---|---|
| Enabled | false | Enable VirusTotal reputation enrichment. Requires VirusTotal API Key in Global Settings |
| Rate Limit | 4 | Requests per minute (free-tier limit). Increase for paid plans. On 429, the pipeline automatically waits 65 seconds and retries once |
| Max Targets | 20 | Maximum number of domains + IPs to query per scan (caps API usage for large target sets) |
Queries VirusTotal API v3 for each discovered domain (/v3/domains/{domain}) and IP (/v3/ip_addresses/{ip}). Returns reputation score, last analysis stats (malicious/suspicious/undetected AV engine counts), categories, tags, JARM fingerprint, registrar, total votes, and last analysis date.
| Parameter | Default | Description |
|---|---|---|
| Enabled | false | Enable ZoomEye host search enrichment. Requires ZoomEye API Key in Global Settings |
| Max Results | 1000 | Maximum items to fetch per query |
Queries the ZoomEye API for hostname and IP searches. Returns open ports, service banners, device type/OS, web application fingerprints, geolocation (country, city, lat/lon, timezone), ASN, ISP, and SSL certificate details.
| Parameter | Default | Description |
|---|---|---|
| Enabled | false | Enable Criminal IP threat intelligence enrichment. Requires CriminalIP API Key in Global Settings |
Queries the Criminal IP API v1 for each IP (/v1/ip/data?full=true) and domain (/v1/domain/data). Returns IP risk score, threat tags (VPN, cloud, Tor, proxy, hosting, mobile, darkweb, scanner, Snort IDS), geolocation, ISP, hosted services, and abuse history. On HTTP 429, automatically waits 2 seconds and retries once.
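The rate-limit and key-rotation behaviour described for the tools above can be made concrete with a small client. The block below is an added illustration, not RedAmon's own enrichment code: it rotates configured API keys round-robin on every request, applies the per-tool HTTP 429 policy quoted in the descriptions (Censys stops, VirusTotal waits 65 seconds and retries once, Criminal IP waits 2 seconds and retries once), honours a VirusTotal-style Max Targets cap, and skips targets a tool cannot take (Censys is IP-only). The transport function, the `POLICIES`/`ENDPOINTS` tables and the way the Criminal IP target is passed separately are assumptions of this example; the Censys and VirusTotal paths are the ones quoted above.

```python
"""Added example (not RedAmon's code): an enrichment client that rotates API
keys round-robin and applies the per-tool HTTP 429 behaviour described above.
The transport is injected so the block runs offline against constructed data."""
import ipaddress
import itertools
import time
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional, Tuple

# transport(path, target, key) -> (http_status, json_body); a real one wraps requests.
Transport = Callable[[str, str, Optional[str]], Tuple[int, dict]]


@dataclass
class RateLimitPolicy:
    """On HTTP 429 wait `wait_seconds` and retry up to `retries` times;
    retries=0 means stop querying this tool altogether (Censys behaviour)."""
    wait_seconds: float
    retries: int


# 429 handling per tool, as stated in the descriptions above (assumed mapping).
POLICIES: Dict[str, RateLimitPolicy] = {
    "censys": RateLimitPolicy(wait_seconds=0, retries=0),
    "virustotal": RateLimitPolicy(wait_seconds=65, retries=1),
    "criminalip": RateLimitPolicy(wait_seconds=2, retries=1),
}

# Endpoint templates from the descriptions above. Censys is IP-only. The
# Criminal IP paths take the target as a query parameter the page does not
# name, so this example hands the target to the transport separately.
ENDPOINTS: Dict[str, Dict[str, str]] = {
    "censys": {"ip": "/v2/hosts/{t}"},
    "virustotal": {"ip": "/v3/ip_addresses/{t}", "domain": "/v3/domains/{t}"},
    "criminalip": {"ip": "/v1/ip/data?full=true", "domain": "/v1/domain/data"},
}


def is_ip(target: str) -> bool:
    try:
        ipaddress.ip_address(target)
        return True
    except ValueError:
        return False


def endpoint_for(tool: str, target: str) -> Optional[str]:
    """Return the API path for this target, or None if the tool cannot take it."""
    kind = "ip" if is_ip(target) else "domain"
    template = ENDPOINTS.get(tool, {}).get(kind)
    return template.format(t=target) if template else None


@dataclass
class EnrichmentClient:
    tool: str
    api_keys: List[str]
    transport: Transport
    sleep: Callable[[float], None] = time.sleep  # injectable for tests
    max_targets: Optional[int] = None             # VirusTotal "Max Targets"
    rate_limited: bool = False
    _keys: "itertools.cycle" = field(init=False, repr=False)

    def __post_init__(self) -> None:
        # Round-robin over configured keys; None means anonymous (OTX style).
        self._keys = itertools.cycle(self.api_keys or [None])

    def query(self, target: str) -> Optional[dict]:
        path = endpoint_for(self.tool, target)
        if path is None:
            return None
        policy = POLICIES.get(self.tool, RateLimitPolicy(0, 0))
        for attempt in range(policy.retries + 1):
            # Every attempt takes the next key, so a retry after 429 lands on a fresh one.
            status, body = self.transport(path, target, next(self._keys))
            if status == 200:
                return body
            if status != 429:
                return None  # other errors: skip this target only
            if attempt < policy.retries:
                self.sleep(policy.wait_seconds)
                continue
            self.rate_limited = True  # retries exhausted: stop the whole tool
            return None
        return None

    def enrich(self, targets: List[str]) -> Dict[str, dict]:
        """Query each target in order; stop early once rate limited."""
        results: Dict[str, dict] = {}
        if self.max_targets is not None:
            targets = targets[: self.max_targets]
        for target in targets:
            if self.rate_limited:
                break
            body = self.query(target)
            if body is not None:
                results[target] = body
        return results
```

Two practical consequences follow from the design: with a single rate-limited key the retry simply hits the same key again, which is why the text recommends extra keys in Global Settings, and the `rate_limited` flag stops the remaining targets rather than burning the remaining quota on requests that will also fail.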
Configure GitHub repository scanning for leaked credentials.
Graph nodes — consumes: Domain | produces: GithubHunt, GithubRepository, GithubPath, GithubSecret, GithubSensitiveFile
| Parameter | Default | Description |
|---|---|---|
| GitHub Access Token | — | Personal Access Token (ghp_...) |
| Target Organization | — | GitHub org or username to scan |
| Target Repositories | (all) | Comma-separated repo names to limit scope |
| Scan Member Repositories | false | Include individual member repos |
| Scan Gists | false | Search gists for secrets |
| Scan Commits | false | Examine git history for removed secrets |
| Max Commits to Scan | 100 | Max commits per repo (1-1000) |
| Output as JSON | false | Save results as downloadable JSON |
See GitHub Secret Hunting for a step-by-step setup guide including how to create a GitHub Personal Access Token.
Configure TruffleHog secret scanning with 700+ detectors and optional live API verification.
Graph nodes — consumes: Domain | produces: TrufflehogScan, TrufflehogRepository, TrufflehogFinding
| Parameter | Default | Description |
|---|---|---|
| Target Organization | — | GitHub org or username to scan |
| Target Repositories | (all) | Comma-separated repo names to limit scope |
| Only Verified | false | Only report findings verified as active against live APIs |
| No Verification | false | Skip all API verification — faster but unconfirmed |
| Concurrency | 8 | Concurrent scanning workers (1-20) |
| Include Detectors | (all) | Comma-separated detector names to include |
| Exclude Detectors | (none) | Comma-separated detector names to exclude |
Note: TruffleHog uses the GitHub Access Token from Global Settings > API Keys (shared with GitHub Secret Hunt). See TruffleHog Secret Scanning for a step-by-step setup guide.
Configure the AI agent orchestrator for autonomous pentesting.

LLM & Phase Configuration:
| Parameter | Default | Description |
|---|---|---|
| Guardrail Enabled | true | Enable/disable the LLM-based scope guardrail that verifies the target on agent startup. When disabled, the agent skips scope verification. Fail-closed: if the check itself fails, the agent is blocked |
| LLM Model | claude-opus-4-6 | AI model for the agent. 400+ models from 5 providers — see AI Model Providers |
| Deep Think | true | When enabled, the agent performs an explicit deep reasoning step at key decision points (start of session, phase transitions, failure loops) to plan multi-step attack strategies before acting. Adds ~1 extra LLM call at these moments. Recommended for complex targets with multiple services. |
| Post-Exploitation Type | statefull | statefull (Meterpreter sessions) or stateless (one-shot commands) |
| Activate Post-Exploitation Phase | true | Whether post-exploitation is available |
| Informational Phase System Prompt | — | Custom instructions for the informational phase |
| Exploitation Phase System Prompt | — | Custom instructions for the exploitation phase |
| Post-Exploitation Phase System Prompt | — | Custom instructions for the post-exploitation phase |
Payload Direction:
| Parameter | Default | Description |
|---|---|---|
| Tunnel Provider | None | Dropdown: None (manual LHOST/LPORT), ngrok (single port — free, no VPS), or chisel (multi-port — requires VPS). Only one tunnel can be active at a time. ngrok tunnels port 4444 only, requires the ngrok authtoken configured in Global Settings → Tunneling, auto-detects LHOST/LPORT from the ngrok public URL, stageless payloads only. Requires identity verification on your ngrok account (free). chisel tunnels ports 4444 + 8080, requires Chisel Server URL (and optionally Chisel Auth) configured in Global Settings → Tunneling, enables web delivery and HTA delivery (which need two ports), stageless payloads required (staged payloads fail through the tunnel). Requires a VPS running chisel server -p 9090 --reverse. See AI Agent Guide — Tunnel Providers for setup instructions. |
| LHOST (Attacker IP) | — | Your IP for reverse shell callbacks. Leave empty for bind mode. Hidden when a tunnel provider is enabled. |
| LPORT | — | Listening port for reverse shells. Leave empty for bind mode. Hidden when a tunnel provider is enabled. |
| Bind Port on Target | — | Port the target opens for bind shell payloads |
| Payload Use HTTPS | false | Use reverse_https instead of reverse_tcp |
Agent Limits:
| Parameter | Default | Description |
|---|---|---|
| Max Iterations | 100 | Maximum LLM reasoning-action loops per objective |
| Trace Memory Steps | 100 | Past steps kept in agent's working context |
| Tool Output Max Chars | 20000 | Truncation limit for tool output (min: 1000) |
Approval Gates:
| Parameter | Default | Description |
|---|---|---|
| Require Approval for Exploitation | true | User confirmation before exploitation phase |
| Require Approval for Post-Exploitation | true | User confirmation before post-exploitation phase |
Kali Shell — Library Installation:
| Parameter | Default | Description |
|---|---|---|
| Allow Library Installation | false | Let the agent install packages (pip/apt) via kali_shell at runtime. Prompt-based control only — no server-side enforcement. Installed packages are ephemeral (lost on container restart). |
| Authorized Packages | — | Comma-separated whitelist. If non-empty, only these packages may be installed. |
| Forbidden Packages | — | Comma-separated blacklist. These packages must never be installed. |
Retries, Logging & Debug:
| Parameter | Default | Description |
|---|---|---|
| Cypher Max Retries | 3 | Neo4j query retry attempts (0-10) |
| Log Max MB | 10 | Maximum log file size before rotation |
| Log Backups | 5 | Number of rotated log backups |
| Create Graph Image on Init | false | Generate a LangGraph visualization on startup |
Configure THC Hydra password cracking (50+ protocols: SSH, FTP, RDP, SMB, HTTP forms, databases, etc.).

| Parameter | Default | Description |
|---|---|---|
| Hydra Enabled | true | Enable/disable Hydra brute force |
| Threads (-t) | 16 | Parallel connections per target. Protocol limits: SSH max 4, RDP max 1, VNC max 4 |
| Wait Between Connections (-W) | 0 | Seconds between each connection. 0 = no delay |
| Connection Timeout (-w) | 32 | Max seconds to wait for a response |
| Stop On First Found (-f) | true | Stop when valid credentials are found |
| Extra Password Checks (-e) | nsr | Additional checks: n=null, s=username-as-password, r=reversed username |
| Verbose Output (-V) | true | Show each login attempt |
| Max Wordlist Attempts | 3 | Wordlist strategies to try before giving up (1-10) |
Configure SMTP settings for the phishing agent skill's email delivery capability. The agent reads this configuration when the phishing_social_engineering agent skill is active and the user requests email delivery.
| Parameter | Default | Description |
|---|---|---|
| SMTP Configuration | (empty) | Free-text SMTP settings for email delivery. The agent parses this naturally when sending phishing emails via Python smtplib |
Example configuration:
```
SMTP_HOST: smtp.gmail.com
SMTP_PORT: 587
SMTP_USER: pentest@gmail.com
SMTP_PASS: abcd efgh ijkl mnop
SMTP_FROM: it-support@company.com
USE_TLS: true
```
If left empty, the agent asks the user at runtime for SMTP credentials when email delivery is requested. The agent never attempts to send email without proper SMTP configuration.
See Agent Skills > Social Engineering Simulation for the full phishing workflow documentation.
Configure CypherFix automated vulnerability remediation. These settings control how the CodeFix agent interacts with your GitHub repository.

| Parameter | Default | Description |
|---|---|---|
| GitHub Token (CypherFix) | — | Personal Access Token with repo scope for cloning, pushing, and creating PRs |
| Default Repository | — | Target repository in owner/repo format (e.g., redis/redis) |
| Default Branch | main | Base branch for creating fix branches |
| Branch Prefix | cypherfix/ | Prefix for auto-created fix branches (e.g., cypherfix/fix-sqli-42) |
| Require Approval | true | Pause before each code edit for human review. When disabled, blocks auto-accept after 5 minutes |
| LLM Model Override | (Agent default) | Use a specific model for CodeFix instead of the model configured in Agent Behavior |
See CypherFix — Automated Remediation for the full usage guide.
A matrix controlling which tools the agent can use in each operational phase. Each tool can be independently enabled/disabled per phase. Tools that require an external API key (web_search, shodan, google_dork) display a warning with a quick-add modal when enabled without a key configured in Global Settings.
| Tool | Informational | Exploitation | Post-Exploitation |
|---|---|---|---|
| query_graph | ✓ | ✓ | ✓ |
| web_search | ✓ | ✓ | ✓ |
| shodan | ✓ | ✓ | — |
| google_dork | ✓ | — | — |
| execute_curl | ✓ | ✓ | ✓ |
| execute_naabu | ✓ | ✓ | — |
| execute_nmap | ✓ | ✓ | ✓ |
| execute_nuclei | ✓ | ✓ | — |
| kali_shell | ✓ | ✓ | ✓ |
| execute_code | — | ✓ | ✓ |
| execute_hydra | — | ✓ | ✓ |
| metasploit_console | — | ✓ | ✓ |
| msf_restart | — | ✓ | ✓ |
This matrix is configurable per project in the dedicated Tool Matrix tab of the project settings form (under the AI Agent tab group).
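The matrix above and the Kali shell package lists (Allow Library Installation, Authorized Packages, Forbidden Packages) are both deny-by-default policies, and the page notes that the package lists are enforced by prompt only. The block below is an added example, not RedAmon's code, of what a server-side gate for both could look like: it transcribes the default matrix from the table, refuses unknown tools and phases, mirrors the API-key warning for web_search, shodan and google_dork as a hard check, and applies the blacklist-over-whitelist rule to package names. The `AgentPolicy` class, its field names and the `configured_keys` set are assumptions of this example.

```python
"""Added example (not RedAmon's code): a server-side gate for the tool/phase
matrix above and for the Kali shell package allow/deny lists, which the
settings reference says are enforced by prompt only."""
from dataclasses import dataclass, field
from typing import Dict, Set, Tuple

PHASES = ("informational", "exploitation", "post_exploitation")

# Default matrix transcribed from the table above (a tick = phase listed here).
DEFAULT_MATRIX: Dict[str, Set[str]] = {
    "query_graph": {"informational", "exploitation", "post_exploitation"},
    "web_search": {"informational", "exploitation", "post_exploitation"},
    "shodan": {"informational", "exploitation"},
    "google_dork": {"informational"},
    "execute_curl": {"informational", "exploitation", "post_exploitation"},
    "execute_naabu": {"informational", "exploitation"},
    "execute_nmap": {"informational", "exploitation", "post_exploitation"},
    "execute_nuclei": {"informational", "exploitation"},
    "kali_shell": {"informational", "exploitation", "post_exploitation"},
    "execute_code": {"exploitation", "post_exploitation"},
    "execute_hydra": {"exploitation", "post_exploitation"},
    "metasploit_console": {"exploitation", "post_exploitation"},
    "msf_restart": {"exploitation", "post_exploitation"},
}

# Tools the page says need an external API key from Global Settings.
KEY_REQUIRED = {"web_search", "shodan", "google_dork"}


def parse_package_list(raw: str) -> Set[str]:
    """Comma-separated, case-insensitive, whitespace-tolerant list -> set."""
    return {p.strip().lower() for p in raw.split(",") if p.strip()}


@dataclass
class AgentPolicy:
    # Assumed shape of a per-project policy object for this example.
    matrix: Dict[str, Set[str]] = field(
        default_factory=lambda: {t: set(p) for t, p in DEFAULT_MATRIX.items()})
    configured_keys: Set[str] = field(default_factory=set)  # tools with a key set
    allow_library_installation: bool = False
    authorized_packages: str = ""   # whitelist, comma-separated (empty = any)
    forbidden_packages: str = ""    # blacklist, comma-separated

    def check_tool(self, tool: str, phase: str) -> Tuple[bool, str]:
        """Deny by default: unknown tools/phases and disabled cells are refused."""
        if phase not in PHASES:
            return False, f"unknown phase '{phase}'"
        if tool not in self.matrix:
            return False, f"unknown tool '{tool}'"
        if phase not in self.matrix[tool]:
            return False, f"'{tool}' is disabled in the {phase} phase"
        if tool in KEY_REQUIRED and tool not in self.configured_keys:
            return False, f"'{tool}' needs an API key in Global Settings"
        return True, "allowed"

    def check_install(self, package: str) -> Tuple[bool, str]:
        """Blacklist wins over whitelist; a non-empty whitelist is exhaustive."""
        if not self.allow_library_installation:
            return False, "library installation is disabled for this project"
        name = package.strip().lower()
        if name in parse_package_list(self.forbidden_packages):
            return False, f"'{name}' is on the forbidden list"
        allowed = parse_package_list(self.authorized_packages)
        if allowed and name not in allowed:
            return False, f"'{name}' is not on the authorized list"
        return True, "allowed"
```

Calling `check_tool` before dispatching any tool call, and `check_install` before any `pip`/`apt` invocation from kali_shell, turns the matrix and the package lists into an enforced boundary instead of advice the model may or may not follow; the returned reason string is what you would log alongside the denied call.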