Quick Start

Your First Pentest

/intake                    # Guided questionnaire
/intake --paste            # Paste existing info

This generates brief.json with business context, tech stack, and rules of engagement.

2. Run the pentest

/pentest https://target.com

This executes all 6 phases automatically:

  1. Phase 0 — Fingerprint target (tech stack, WAF, auth type)
  2. Phase 0.5 — Browser walkthrough (Playwright crawl)
  3. Phase 1 — Recon (subdomains, DNS, ports, historical URLs)
  4. Phase 2 — Discovery (endpoints, parameters, JS analysis)
  5. Phase 3 — Scanning (Nuclei, Nikto)
  6. Phase 3.5 — Smart routing (endpoint-to-test-scope mapping)
  7. Phase 4 — Manual testing (17 skills, 31 sub-agents)
  8. Phase 5 — Verification (every finding gets a working PoC)
  9. Phase 6 — Report generation

3. Common flags

/pentest https://target.com --fast             # Skip recon, no stealth
/pentest https://target.com --bug-bounty       # Aggressive, expanded recon
/pentest https://target.com --proxy 127.0.0.1:8080  # Via Burp/Caido
/pentest https://api.target.com --api-spec auto     # API direct testing