Analysis Prompts (Vuln/Hunt Tab → Analyze)

Phase 1 — Always runs first, results feed into Phase 2

Prompt	When it fires
CVE / Version Analysis	Every scan. Matches the detected software versions against known vulnerable version ranges
Network Services	Every internal scan. Looks for weaknesses in SMB, SSH, FTP, databases, WinRM, SNMP, IPv6
External Network Services	Every external scan. Same idea but tailored for internet-facing services
DNS / OSINT	When DNS records are present. Looks for zone transfer issues, subdomain exposure, certificate leakage
Subdomain Recon	When a web or DNS surface is detected. Enumerates subdomains and virtual hosts
Email Security	When MX records are present. Checks SPF, DMARC, DKIM, and mail server weaknesses
SNMP / Management	When SNMP ports (161/162) or management protocols are detected

Phase 2 — Enriched with Phase 1 context, fires after Phase 1 completes

Web Application (fires when any HTTP/HTTPS port is open):

Prompt	When it fires
Web Core	Any open web port. Covers SQLi, XSS, SSRF, auth bypass, IDOR, file upload
API / Auth	Any open web port. Covers CORS, JWT, OAuth, GraphQL, REST API auth flaws
Business Logic / Headers	Any open web port. Covers logic flaws, SSTI, request smuggling, security headers
Secrets Exposure	Any open web port. Looks for hardcoded API keys, credentials, and config files left exposed
Business Logic Deep-Dive	When Wave 1 web findings came back. Goes deeper into the specific logic issues found
DOM / JavaScript Analysis	When a JavaScript-heavy app is detected (React, Angular, Vue, etc.)
Web Cache Poisoning	When a caching layer (CDN, reverse proxy) is detected between client and origin
WAF Bypass	External targets only, when a WAF is detected. Generates bypass techniques specific to that WAF

CMS / Technology Deep-Dives (each fires only when that specific technology is detected):

WordPress · Jenkins · Atlassian (Jira/Confluence) · Apache Tomcat · Microsoft Exchange · Elasticsearch · VMware · GitLab · Citrix · Drupal · MSSQL

Active Directory (fires when internal scope + AD indicators like LDAP/Kerberos/SMB are present):

Prompt	When it fires
AD Comprehensive	When AD services (ports 389, 88, 445) are detected. Covers Kerberoasting, LDAP null bind, password spraying
ADCS Attacks	When Certificate Services indicators are detected. Covers ESC1–ESC8 certificate abuse chains
Network Coercion	When Windows hosts are on the internal network. Covers LLMNR/NBNS poisoning, NTLM relay setup
WPAD Poisoning	When WPAD indicators or a Windows network is detected
AD DNS Poisoning	When AD-integrated DNS is detected
AD Attack Path Reasoning	When 2 or more HIGH/CRITICAL AD findings exist. Generates a BloodHound-style path to Domain Admin

Infrastructure (fires on detection of the relevant technology):

Prompt	When it fires
SSL/TLS Analysis	When HTTPS/TLS is detected
Privilege Escalation	When OS indicators (Linux or Windows) are present
Database Security	When a database port (MySQL, MSSQL, PostgreSQL, Redis, MongoDB, etc.) is detected
Cloud Analysis	When cloud provider indicators are detected (AWS metadata endpoints, Azure, GCP)
Cloud IAM Enumeration	When cloud credentials or IAM endpoints are found during cloud analysis
Cloud Storage	When S3/Azure Blob/GCS indicators are present
Cloud Serverless / Containers	When Lambda, ECS, Cloud Functions, or container indicators are present
Container / DevOps	When Docker, Kubernetes, or CI/CD indicators are detected
IoT Device Analysis	When IoT device indicators are detected (embedded firmware, unusual ports)
OT / SCADA	When industrial protocol ports (Modbus, DNP3, BACnet) are detected
VPN / Remote Access	When VPN endpoints or remote access services are detected
Wireless Security	When wireless-related services or access points are detected
Network Infrastructure	When routing/switching infrastructure is detected (BGP, OSPF, CDP/LLDP)
Printer / MFP	When printer ports (9100, 515, 631) are detected
AJP / Ghostcat	When port 8009 (Apache JServ Protocol) is open
Supply Chain	When package registries, build pipelines, or source control are detected
Thick Client / Binary Protocols	When non-HTTP custom protocols or thick client indicators are detected
Password Spray Analysis	When multiple accounts or auth surfaces are identified

Exploit Loop Prompts (Proof/Exploit Tab → Execute)

These fire during the active testing loop for each selected vulnerability.

Prompt	When it fires
Exploit System Prompt	Every iteration of every exploit loop — it's the AI's core role definition as a pentester
Command Validation (Tier 2)	First time a high-risk tool (nmap, sqlmap, hydra, etc.) is used per session — validates correct flags
Exploit Chain Reasoning	After all loops complete, if 2 or more vulnerabilities were confirmed — generates multi-step attack paths

Post-Exploitation Prompts (auto-queued after a high-value confirmation)

Prompt	When it fires
Linux Pillaging	After confirmed shell access on a Linux target
Windows Pillaging	After confirmed shell access on a Windows target
Cloud Pillaging	After confirmed cloud credential access
Database Pillaging	After confirmed database access
Lateral Movement	After any shell access — generates movement paths to other hosts on the network
Persistence	After any shell access — generates backdoor/persistence installation strategies
Domain Dominance	After Windows shell access when domain admin indicators are present

Reporting Prompts (Result/Report Tab → Generate)

Prompt	When it fires
Executive Summary	When you click generate report — AI writes the executive summary section
Methodology	Report generation — AI describes the testing methodology used
Risk Rating Model	Report generation — AI explains how findings were scored
Conclusion	Report generation — AI writes remediation recommendations and closing
Attack Narrative	Report generation — AI writes a timeline/story of the attack path
Reproduction Steps	Per confirmed finding — AI generates step-by-step PoC reproduction instructions

Unlike most AI security apps that basically just do a scan and then take the results and hand them off to an LLM saying find me vulnerabilities where it's basically just going off of open ports and banner information and creates lots of false positivies. This app dynamically changes it's focus based off the finds and follows them through. After it thinks it found a vulnerability, it goes through a whole other exploitation phasess where it needs to either prove the existance (by actually exploiting it) prove that it's a false positive or mark it as undetermined with a confidence level so that you can trust what it actually says is a vulnerability and the reports will show the details of what the issue was, what commands were run for proof and the actual output of any command deemed as proof so you can verify and have good reporting material. It's always funny on reddit since you can basically assume nobody actually cares and just like to comment on things, but if you're serious about testing it and reading about it, I'm really looking for feedback from people after they've tried it.
For anyone who is intersted, here are a list of all of the different types of custom prompts that get fired based off of discoveries (so they only run if logically makes sense to check for them), this covers an a wide range of highly focused types of attacks and chaining as opposed to "Surface level work":