The 22-phase
engagement.

Goal. Map the full external attack surface before touching any endpoint.

Outputs. Live subdomains, tech stack fingerprint, TLS posture, open ports.

Goal. Replay common bug-bounty patterns against the discovered surface.

Outputs. Quick-win findings: debug pages, default creds, exposed dashboards.

Goal. Brute-force directories, files, and parameters the app never advertised.

Outputs. Hidden endpoints, backup files, leftover admin panels.

Goal. Validate cross-origin and cookie hygiene end-to-end.

Outputs. Misconfigured Access-Control headers, missing SameSite/HttpOnly flags.

Goal. Stress-test login, MFA, session, and password-reset flows.

Outputs. Token replay, weak JWT verification, account-takeover chains.

Goal. Probe every input for SQLi, XSS, SSTI, command injection.

Outputs. Confirmed injection vectors with payload + database fingerprint.

Goal. Detect server-side request forgery via callbacks and metadata services.

Outputs. Out-of-band callbacks, cloud-metadata reads, internal-network pivots.

Goal. Test object-level authorization across roles and tenants.

Outputs. Cross-tenant reads/writes, missing ownership checks.

Goal. Audit REST + GraphQL endpoints, including introspection and batching.

Outputs. Introspection enabled, query-depth issues, broken auth on hidden routes.

Goal. Push uploads to break out of the storage sandbox.

Outputs. Path traversal, unsafe MIME handling, executable upload + RCE.

Goal. Exercise deserialization sinks across languages.

Outputs. Gadget-chain RCE on cookies, queues, RPC payloads.

Goal. Hit race conditions and business-logic boundaries.

Outputs. Double-spend, coupon stacking, TOCTOU privilege escalation.

Goal. Hunt for unclaimed subdomains pointing at deprovisioned providers.

Outputs. Claimable CNAMEs (S3, Heroku, GitHub Pages, etc.).

Goal. Detect open redirects exploitable in phishing or OAuth flows.

Outputs. Unsanitised redirect parameters, host-header poisoning.

Goal. Audit SPF/DKIM/DMARC posture and inbox spoofability.

Outputs. Spoofable domains, weak DMARC policies, missing BIMI.

Goal. Look for exposed cloud assets and infrastructure leakage.

Outputs. Public buckets, .git directories, leaked secrets in JS bundles.

Goal. Fuzz WebSocket handshakes and message flows.

Outputs. Missing origin checks, auth bypass over wss, message injection.

Goal. Run CMS-specific playbooks (WordPress, Drupal, Magento, Shopify).

Outputs. Vulnerable plugins, XML-RPC misuse, theme-level RCE.

Goal. Catch broken outbound links + spoofable content surfaces.

Outputs. Expired link targets, embed-based content spoofing.

Goal. Re-run every suspected vulnerability with an exploit-class payload.

Outputs. Only verified, exploitable findings survive into the report.

Goal. LLM-driven hypothesis generation on app-specific logic.

Outputs. Novel chains the rule-based scanners didn't surface.

Goal. Assemble a branded, exec-ready report with full remediation guidance.

Outputs. PDF + HTML + JSON exports, CVSS scoring, evidence bundle per finding.