Glossary

Arsenal / arsenal_lite — External binary scanners (nmap, nuclei, …) that augment the native engine. The FULL/AI stream runs a bounded arsenal_lite (nmap service detection + nuclei high/critical) when those binaries are present.

Attack chain — Several individual findings combined into a higher-impact path (e.g. IDOR + mass assignment → privilege escalation), reported with a combined severity and narrative.

Confidence level — How a finding was verified: EXPLOITED/CONFIRMED, OBSERVED/HIGH, INFO, or UNVERIFIED. See Confidence pipeline.

Depth — How much of the pipeline a scan runs: Recon, Full, or AI.

Finding — A single issue detected on a target, with severity, confidence, evidence, and (if confirmed) a proof of concept.

Double-signal rule — A finding becomes CONFIRMED only when a second, independent signal reproduces it.

OOB (out-of-band) confirmation — Confirming blind vulnerabilities via an external callback. Opt-in (OOB_ENABLED), off by default.

PoC (proof of concept) — The reproducible steps or curl command shipped with a confirmed finding.

SSE (Server-Sent Events) — The streaming protocol used to deliver scan progress and findings live.

SSRF validation — The check applied to every outbound request to block requests to internal/metadata addresses.

Tamper-proof agent — The guard that scope-locks outbound requests, isolates untrusted target output, and reports prompt-injection attempts.

Confidence pipeline — The set of guards and checks that grade findings and suppress false positives before they reach the report.