Scan Modes
Choose Your Scan Depth
Four modes for every scenario — from a quick CI check to an autonomous AI penetration test. Each mode controls which scanners run, how many requests are sent, and whether the target's data can be modified.
| ⚡ QUICK | 🔬 DEEP | 🗡️ AGGRESSIVE | 🤖 AGENTIC | |
|---|---|---|---|---|
| Time | ~3 min | ~10 min | ~10 min | +5 min |
| Scanners | ~50 | 63 | 63 | AI agent |
| Request budget | 500 | 2,000 | 5,000 | 20 probes |
| Rate limit | 10 req/s | 20 req/s | 30 req/s | 5 req/s |
| Payload class | SAFE + PROBE | + ACTIVE | + MUTATE | AI-controlled |
| Modifies data | No | No | Yes ⚠️ | No |
| Browser CDP | No | Yes | Yes | — |
| AI analysis | No | Full | Full | OODA loop |
| Attack chains | No | Yes | Yes | Yes |
Fast Surface Scan
Quick pre-deploy security check
Runs SAFE and PROBE payloads only — no heavy injection testing, no browser analysis. Designed to give you a fast security snapshot without stressing the target.
Included
- +Transport & TLS analysis
- +Secret scanning (28+ patterns)
- +XSS (reflected & DOM)
- +CSRF token validation
- +CORS misconfiguration
- +JWT security
- +GraphQL introspection & complexity
- +Info disclosure & sensitive files
- +Client-side auth bypass
- +Dependency audit (CVE + typosquatting)
- +Integer overflow & type juggling
- +HTTP parameter pollution
- +Web cache deception
- +Client-side path traversal (JS analysis)
- +Dangling markup injection
- +security.txt & robots.txt audit
- +CORS preflight bypass
- +LDAP injection
- +HTTP/2 attacks (H2C smuggling)
- +IDOR / access control
- +Open redirect
- +Account enumeration
- +Client storage exposure
- +Email security (SPF/DMARC)
- +Subresource integrity
Not included
- −SQL injection (time-blind, UNION)
- −SSRF (cloud metadata probes)
- −OS command injection
- −Server-side template injection
- −Database port scanning
- −Subdomain takeover (CNAME checks)
- −OAST (out-of-band DNS callbacks)
- −Nuclei & TruffleHog integrations
- −Path traversal (server-side)
- −CRLF injection
- −Privacy compliance scanning
- −Cloud misconfiguration recon
- −DNS intelligence (AXFR, DNSSEC)
Pros
- Fast — results in under 3 minutes
- Safe — read-only payloads, no data modification
- Low load — 10 req/s, 500 request budget
- No account required
Cons
- Misses deep injection vulnerabilities (SQLi, SSRF, SSTI)
- No browser runtime analysis (CDP)
- No AI analysis, attack chains, or fix prompts
- No infrastructure port scanning
Full Security Audit
Pre-release audit & comprehensive assessment
Runs all 63 scanners including heavy injection tests, headless browser analysis, and AI-powered chain detection. The default mode for thorough security assessment.
Included
- +Everything in Quick mode
- +SQL injection (error, blind, time-based, UNION)
- +SSRF (AWS, GCP, Azure metadata, DNS rebinding)
- +OS command injection (time-blind, reflected)
- +Server-side template injection (10+ engines)
- +Database exposure (54 ports, default creds)
- +Subdomain takeover (dangling CNAME)
- +OAST DNS callback confirmation
- +Path traversal (encoding bypasses)
- +CRLF injection
- +Privacy compliance (GDPR/CCPA)
- +Cloud misconfiguration (S3, GCS, Vercel, Railway)
- +DNS intelligence (AXFR, CAA, DNSSEC)
- +Nuclei vulnerability templates
- +TruffleHog secret scanning
- +Browser CDP pass (console leaks, source maps, eval sinks)
- +AI attack chain detection
- +AI business logic abuse scanner (Claude)
Not included
- −File upload testing (dangerous extensions)
- −Mass assignment (privilege field injection)
- −Prototype pollution (state modification)
- −Email injection (header injection in forms)
- −HTTP DELETE method
Pros
- Complete coverage — all 63 scanners
- Browser runtime analysis catches DOM-based issues
- AI-powered business logic abuse detection (Claude)
- Attack chain detection (CORS + XSS → account takeover)
- AI fix prompts for every finding
Cons
- Takes ~10 minutes for full pipeline
- Higher load on target (20 req/s, 2,000 requests)
- Does not test file uploads or mass assignment
Maximum Coverage
Staging environments & penetration testing
Unlocks MUTATE-class payloads that can modify data on the target. File uploads, mass assignment injection, prototype pollution — everything a real attacker would try. Use only on staging or environments you can reset.
Included
- +Everything in Deep mode
- +File upload (dangerous extensions, polyglot files, path traversal)
- +Mass assignment (role, isAdmin, privilege injection)
- +Prototype pollution (__proto__, constructor)
- +Email injection (header injection in contact forms)
- +HTTP DELETE method testing
- +Rate limiting enforcement testing (auth & API endpoints)
Pros
- Maximum scanner coverage — nothing skipped
- Tests real-world attack vectors (file upload, mass assignment)
- 30 req/s rate limit, 5,000 request budget
- Closest to a real penetration test
Cons
- ⚠️ May modify data on the target server
- Can upload test files, inject form fields
- Only use on staging or environments you control
- Not suitable for production systems
AI Pentester
Claude AI autonomous security testing
An autonomous Claude AI agent runs an OODA reasoning loop — observing findings, orienting hypotheses, deciding on next probes, and acting with real HTTP requests. It adapts to what it discovers, chaining novel attack paths that pattern-based scanners cannot see.
Included
- +OODA loop (Observe → Orient → Decide → Act)
- +Up to 20 adaptive probe iterations
- +Real HTTP requests (GET, POST, PUT only)
- +Reviews all previous scanner findings
- +Discovers novel vulnerability chains
- +Reports findings with evidence and fix prompts
Not included
- −HTTP DELETE / PATCH methods
- −Out-of-scope domains (strict scope lock)
- −Destructive SQL payloads (DROP, DELETE FROM)
- −OS commands (rm, shutdown, reboot)
Pros
- Finds what pattern scanners miss — adaptive reasoning
- Chains multiple findings into novel attack paths
- Human-like hypothesis testing
- Each probe is informed by all previous results
Cons
- Requires Deep mode (cannot run standalone)
- Unpredictable coverage — AI decides what to test
- Adds ~5 minutes to scan time
- Limited to 20 probes / 5 req/s
Safe Scanning Architecture
Detect, don't exploit — we prove the door is unlocked, but never walk in.
Global Rate Governor
A single asyncio semaphore gates ALL HTTP requests from ALL scanners. Quick=10, Deep=20, Aggressive=30 req/s. Adaptive throttle on 429/503 (backoff ×2) and 403 WAF blocks (60s pause).
Target Health Monitor
Background pings every 30 seconds. If the target returns 5xx or latency spikes 5× above baseline: 2 failures → pause all scanners for 60s. 4 failures → abort the scan and return partial results.
Payload Classification
Every payload is classified as SAFE, PROBE, ACTIVE, or MUTATE. The orchestrator only allows payload classes permitted by the current scan mode. If PROBE already confirmed a vulnerability, ACTIVE payloads on the same endpoint are skipped.
Request Budget
Hard request caps per scan mode: Quick=500, Deep=2,000, Aggressive=5,000. Each scanner also has per-endpoint (5) and total (50) limits. When exhausted, the scan completes with partial results.
Payload Classification System
Risk: Zero
Read-only: GET, HEAD, DNS, JS analysis, header inspection, cookie parsing.
All modes
Risk: Low
Single lightweight request with minimal payload: ', {{7*7}}, %0d%0a. May trigger a 500 but never modifies data.
All modes
Risk: Medium
POST requests, UNION SELECT, timing payloads (SLEEP). May slow the server for 5 seconds.
Deep + Aggressive
Risk: High
File uploads, mass assignment, prototype pollution, PUT/DELETE. Can change data on the target.
Aggressive only
Ready to Scan?
Start with Quick — go deeper when you need it
Quick mode runs ~50 checks in under 2 minutes with minimal risk to your target. Switch to Deep for all 63 scanners with browser analysis and AI-powered business logic testing, or Aggressive for staging pentests.
Scan your app