Phase Pipeline

The AppSec Scanner executes assessments through a six-phase pipeline (Phase 0 through Phase 5). Each phase builds on the output of the previous one, progressively deepening the scan from reconnaissance through exploitation to reporting.

Pipeline Overview

Phase 0: Bootstrap and Reconnaissance

Purpose: Initialize the scan environment and gather intelligence about the target before any active scanning begins.

Key Activities:

Interactive Q&A -- The bootstrapOrchestrator may prompt the user for context (sector, known endpoints, compliance requirements)
Sector Detection -- Identifies the target's industry (finance, healthcare, e-commerce, etc.) to enable sector-specific scanning rules
OSINT Collection -- The osintScanner gathers publicly available intelligence about the target domain
Technology Fingerprinting -- The targetProfiler identifies web frameworks, languages, servers, and middleware
Scan Context Assembly -- Builds the shared scanContext object with assessment mode (black/gray/white box), credential sets, and test data hints

Services Involved:

bootstrapOrchestrator.agent.ts -- Orchestrates Phase 0 activities
targetProfiler -- Technology fingerprinting
osintScanner.agent.ts -- OSINT reconnaissance
sharedBlackboard -- Receives initial target profile

Output: Populated blackboard with target metadata, technology stack, sector classification, and OSINT findings.

Phase 1: Discovery and Crawling

Purpose: Map the target's attack surface by discovering all reachable endpoints, API schemas, and entry points.

Key Activities:

Endpoint Discovery -- Crawls the target to find all accessible paths and endpoints
API Schema Parsing -- Parses OpenAPI/Swagger specifications when available
Authentication Flow Detection -- Identifies login pages, OAuth flows, and token-based auth
Application Model Building -- Constructs a structured model of the application's routes, parameters, and response patterns
Intelligent Discovery -- AI-powered endpoint inference based on observed patterns (e.g., if /api/v1/users exists, probe /api/v1/admin/users)

Services Involved:

intelligentDiscovery -- AI-powered endpoint inference
frameworkAgent.agent.ts -- Framework-specific path discovery
sharedBlackboard -- Updated with discovered endpoints

Output: Complete endpoint inventory with HTTP methods, parameter types, content types, and authentication requirements.

Phase 2: Profiling and Authentication

Purpose: Establish authenticated sessions and profile each endpoint's behavior to enable targeted attacks in Phase 3.

Key Activities:

Credential Testing -- Tests provided credentials against discovered auth endpoints
Session Management -- Establishes and maintains authenticated sessions for gray/white box scans
Baseline Profiling -- Records normal (baseline) responses for each endpoint to enable differential analysis during attacks
Parameter Analysis -- Identifies parameter types, constraints, and injection points
Budget Allocation -- The budgetAllocator distributes scan time and request budgets across all agents based on target profile

Services Involved:

authTester.agent.ts -- Credential validation
budgetAllocator -- Resource distribution
sharedBlackboard -- Updated with auth tokens and baselines

Output: Authenticated session tokens, per-endpoint baselines, parameter profiles, and agent budget assignments.

Phase 3: Attack (58 Agents)

Purpose: Execute all scanning agents in parallel against the profiled endpoints.

Key Activities:

Parallel Agent Execution -- All 58 agents run simultaneously, each testing for its specific vulnerability class
Blackboard Sharing -- Agents read from and write to the shared blackboard, enabling cross-agent intelligence (e.g., the JWT attacker shares forged tokens that the BFLA agent can reuse)
Budget Enforcement -- Each agent operates within its allocated request budget and time limit
Evidence Collection -- Every finding includes the attack request, attack response, and baseline response for later validation

Services Involved:

pentestCoordinator -- Orchestrates agent lifecycle and parallelism
baseAttackAgent.ts -- Base class providing common scanning utilities
All 58 *.agent.ts files -- Individual scanning agents (see Scanner Agents Catalog)
sharedBlackboard -- Cross-agent state sharing

Output: Raw, unvalidated findings with full evidence payloads.

Phase 4: Validation and False Positive Elimination

Purpose: Filter raw findings through multi-layered validation to eliminate false positives and assign confidence scores.

Key Activities:

Heuristic Filtering (H3-H19) -- Deterministic rules that auto-reject known false positive patterns (see Findings Validation for the full rule catalog)
Multi-Probe Confirmation -- Replays each attack with payload variations to confirm exploitability
AI Validation -- Uses Claude or GPT to analyze evidence payloads and assess severity
Deduplication -- Removes duplicates at both the APP_WIDE level (one finding per app for global issues) and the endpoint level
Delta Scanning -- Compares findings against previous scans to identify new vs. known vulnerabilities

Services Involved:

findingValidator -- Heuristic rules and AI confidence scoring
validationEngine -- Multi-probe confirmation and confidence tier computation
findingDeduplicator -- Semantic deduplication across agents
pentestAiAdapter -- LLM integration for AI validation

Output: Validated, deduplicated findings with confidence scores (0-100) and FP flags.

Phase 5: Chain Replay and Reporting

Purpose: Build exploit chains, map findings to compliance frameworks, and generate the final assessment report.

Key Activities:

Chain Replay -- The chainReplayEngine links related findings into multi-step exploit chains (e.g., JWT weak secret leading to BFLA leading to data exfiltration)
Compliance Mapping -- Maps findings to OWASP Top 10, OWASP API Top 10, CWE, and other frameworks
Report Generation -- Produces structured assessment reports with executive summary, finding details, and remediation guidance
Persistence -- Final findings are stored in the database and associated with the assessment
Notifications -- Webhook notifications are dispatched for configured integrations

Services Involved:

chainReplayEngine -- Multi-step exploit chain construction
pentestCoordinator -- Final report assembly
webhookService -- Outbound notifications

Output: Complete assessment report with chained findings, compliance mappings, and confidence-scored results.

Phase Timing

Phase	Typical Duration	Dependencies
Phase 0	5-30 seconds	None (first phase)
Phase 1	10-60 seconds	Phase 0 target profile
Phase 2	5-30 seconds	Phase 1 endpoint map
Phase 3	2-15 minutes	Phase 2 auth tokens + baselines
Phase 4	30-120 seconds	Phase 3 raw findings
Phase 5	10-30 seconds	Phase 4 validated findings

Total scan time depends on target complexity, number of endpoints, assessment mode, and agent budget allocation.

Scanner Agents Catalog -- Complete list of all 58 agents
Findings Validation -- Heuristic rules and AI validation details
AppSec Overview -- Module overview and architecture

Pipeline Overview​

Phase 0: Bootstrap and Reconnaissance​

Phase 1: Discovery and Crawling​

Phase 2: Profiling and Authentication​

Phase 3: Attack (58 Agents)​

Phase 4: Validation and False Positive Elimination​

Phase 5: Chain Replay and Reporting​

Phase Timing​

Related Pages​

Pipeline Overview

Phase 0: Bootstrap and Reconnaissance

Phase 1: Discovery and Crawling

Phase 2: Profiling and Authentication

Phase 3: Attack (58 Agents)

Phase 4: Validation and False Positive Elimination

Phase 5: Chain Replay and Reporting

Phase Timing

Related Pages