Wave Schedule Design¶
Overview¶
Phase 4 testing dispatches 31+ sub-agents across 12 waves (plus a conditional Wave 12 for flag-gated skills). Each wave runs a maximum of 3 agents in parallel. This schedule is optimized for critical path prioritization, API rate limit compliance, and stealth constraints.
Why 3 Agents Per Wave¶
Three concurrent agents represent the maximum that satisfies all constraints simultaneously:
| Constraint | Limit | Impact at 3 agents |
|---|---|---|
| API rate limits | Claude API concurrency limits | 3 concurrent sessions are within standard tier limits |
| Stealth rate | 1-3 req/sec combined to target | With JITTER_MULT=3, each agent averages 1 req/3-12s, combined ~1 req/sec |
| Target load | Avoid WAF triggers and 429 responses | 3 agents with jittered timing appear as normal browsing traffic |
| Memory | Docker containers + Claude CLI processes | 3 agents consume ~6-8 GB RAM total, feasible on 16 GB development machines |
Wave Order: Critical Path Optimization¶
The wave order follows a critical path that prioritizes the highest-severity, highest-likelihood vulnerability classes first:
Wave 0 -- SQLi, XSS, IDOR (Critical/High severity, most common)
Wave 1 -- CMDi, AuthZ, JWT (Critical severity, auth compromise)
Wave 2 -- OAuth, Session, CSRF/CORS (High severity, account takeover paths)
Wave 3 -- DOM XSS, SSRF core, SSTI (High severity, server-side impact)
Wave 4 -- SSRF vectors, REST API, GraphQL (Medium-High, API attack surface)
Wave 5 -- Business logic, Race, MFA (Medium-High, logic flaws)
Wave 6 -- HPP/CRLF, Bypass, Smuggling (Medium, infrastructure)
Wave 7 -- Cache, Host/Method, Access matrix (Medium, infrastructure)
Wave 8 -- Prototype pollution, Upload, Deser (Medium, remaining injection)
Wave 9 -- Cloud storage, Takeover, K8s (Medium, cloud misconfig)
Wave 10 -- Crypto, Exceptions, Supply chain (Low-Medium, passive checks)
Wave 11 -- Misc injection, Misc client (Low, remaining coverage)
Wave 12 -- LLM, Mobile (flag-gated, only if --llm / --mobile)
This ordering means that if a pentest is interrupted or times out, the most impactful vulnerabilities have already been tested. Wave 0 findings (SQLi, XSS, IDOR) are often sufficient for a Critical-severity report even without later waves.
Pipeline Tier Overlap¶
Not all waves wait for full Phase 2 completion. Three tiers allow early starts:
| Tier | Starts After | Skills | Why |
|---|---|---|---|
| Tier 1 | Phase 0 (fingerprint only) | crypto, supply-chain, exceptions | These check TLS config, dependency manifests, and error handling on the base URL -- no endpoint discovery needed |
| Tier 2 | Phase 1 (recon complete) | cloud (S3, subdomain takeover), nuclei on subdomains, infra base | Need subdomain/URL list from recon but not full endpoint discovery |
| Tier 3 | Phase 2 + /route |
All injection, auth, access, client, SSRF, logic, API, deser, advanced | Require discovered endpoints and injectable parameters |
In practice, Tier 1 skills run during Phases 1-2 discovery, completing before the main Wave 0 starts. This overlaps approximately 15-20 minutes of testing that would otherwise be idle.
Session Health Checks¶
Between each wave, the coordinator runs check_session_health():
check_session_health() {
# Verify auth tokens are still valid between waves
python3 -c "
import json
with open('$EDIR/context.json') as f:
ctx = json.load(f)
users = ctx.get('auth', {}).get('users', [])
for u in users:
if u.get('active') and u.get('token'):
print(f'Session OK: {u.get(\"role\", \"unknown\")}')
"
}
This catches expired JWT tokens or invalidated sessions before the next wave's agents discover the problem mid-test (wasting their request budget on 401 responses). If a session has expired, the coordinator re-authenticates before proceeding.
Fast and Bug-Bounty Compression¶
The --fast and --bug-bounty flags compress the schedule:
| Mode | Agents/Wave | Waves | Stealth | Rate |
|---|---|---|---|---|
| Default | 3 | ~12 | ON | 1-3 req/sec |
| --fast | 5 | ~7 | OFF | 50 req/sec, 25 threads |
| --bug-bounty | 5 | ~7 | OFF | 50 req/sec, 25 threads |
With 5 agents per wave and no stealth constraints, the same 31 sub-agents complete in roughly 7 waves instead of 12. The JITTER_MULT is set to 1 (no inter-agent jitter), and all rate limits are raised.
Bug-bounty mode is aggressive
With 5 concurrent agents at 50 req/sec each, the combined rate can reach 250 req/sec. This is appropriate for bug bounty programs that explicitly permit automated scanning but will trigger WAF bans on production systems.
Dual-Verify for Critical Findings¶
After Phase 5 verification completes, any finding with Critical severity is re-verified by an independent Opus agent:
critical_findings=$(grep -l '"severity": "Critical"' "$EDIR/findings/FINDING-"*.md 2>/dev/null)
if [ -n "$critical_findings" ]; then
dispatch_agent "verify" "$TARGET" "$EDIR" "dual" "" "--findings $critical_findings"
fi
This dual-verification prevents false-positive Critical findings from reaching the final report. Each Critical finding is confirmed by two independent agents with separate context windows, eliminating confirmation bias.
Checkpoint and Resume¶
Each wave writes its completion status to checkpoint.json, enabling the /resume skill to restart from the last completed wave after an interruption:
{
"waves": {
"wave_0": {"status": "done", "timestamp": "2026-03-13T10:15:00Z"},
"wave_1": {"status": "done", "timestamp": "2026-03-13T10:32:00Z"},
"wave_2": {"status": "failed", "timestamp": "2026-03-13T10:48:00Z"}
}
}
A failed wave does not block subsequent waves. The failed agent is logged, and the coordinator continues. The /resume skill can re-run only the failed agents from a specific wave.