# Methodology — 6 Phases

The platform executes a complete penetration test in 6 phases (with sub-phases). All phases are mandatory — no shortcuts.

**Iron Rule**

ALL phases MUST be executed. NEVER skip any phase. Earlier phases discover assets that later phases depend on.
## Phase Timeline

```mermaid
gantt
    title Penetration Testing Timeline
    dateFormat YYYY-MM-DD
    axisFormat %H:%M
    section Phases
    Phase 0 (Context Init)        :p0, 2024-01-01, 15m
    Phase 0.5 (Walkthrough)       :p05, after p0, 45m
    Phase 1 (Recon)               :p1, after p05, 60m
    Phase 2 (Discovery)           :p2, after p1, 45m
    Phase 3 (Scan)                :p3, after p2, 30m
    Phase 3.5 (Smart Routing)     :p35, after p3, 15m
    Phase 4 (Testing - 12 Waves)  :crit, p4, after p35, 120m
    Phase 5 (Verification)        :p5, after p4, 45m
    Phase 6 (Report)              :p6, after p5, 30m
    section Parallel Tiers
    Tier 1 (Crypto, Supply Chain) :t1, after p05, 180m
    Tier 2 (Cloud, Infra)         :t2, after p1, 150m
```

| Phase | Name | Description |
|---|---|---|
| 0 | Context Init | Fingerprint target -> context.json |
| 0.5 | Walkthrough | Headless browser crawl -> app-map.json |
| 1 | Recon | Passive/active information gathering |
| 2 | Discovery | Endpoints, parameters, JS analysis |
| 3 | Scan | Nuclei, Nikto automated scanning |
| 3.5 | Smart Routing | Endpoint -> test scope mapping |
| 4 | Testing | 17 skills, 31 sub-agents, 12 waves |
| 5 | Verification | Every finding gets a working PoC |
| 6 | Report | Professional report generation |
**Exception: `--fast` flag**

The `--fast` flag explicitly skips Phase 1 (recon) only — scope is pre-defined, so subdomain/DNS/port discovery is unnecessary. All other phases remain mandatory.
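As an added example (not the platform's own code), the phase gate below models the Iron Rule and the single `--fast` exception: phases run in the table's order, each phase's inputs must have been produced by an earlier phase, and only Phase 1 may be dropped, and only under `--fast`. The phase names, `context.json` and `app-map.json` come from the page; the other artifact names, the dependency edges and the function names are assumptions for illustration.

```python
# Added example: a minimal phase-order gate for the 6-phase methodology.
# Phase numbers/names and context.json / app-map.json are from the page; the
# remaining artifact names and dependency edges are constructed for illustration.
from dataclasses import dataclass


@dataclass(frozen=True)
class Phase:
    number: float
    name: str
    produces: tuple = ()   # artifacts this phase writes
    requires: tuple = ()   # artifacts that must already exist before it runs


# Ordered pipeline. Recon's output is not a hard input of later phases, which is
# what lets --fast drop it when the scope is already defined.
PIPELINE = (
    Phase(0,   "Context Init",  produces=("context.json",)),
    Phase(0.5, "Walkthrough",   produces=("app-map.json",),   requires=("context.json",)),
    Phase(1,   "Recon",         produces=("recon.json",),     requires=("context.json",)),
    Phase(2,   "Discovery",     produces=("endpoints.json",), requires=("app-map.json",)),
    Phase(3,   "Scan",          produces=("scan.json",),      requires=("endpoints.json",)),
    Phase(3.5, "Smart Routing", produces=("routes.json",),    requires=("endpoints.json",)),
    Phase(4,   "Testing",       produces=("findings.json",),  requires=("routes.json", "scan.json")),
    Phase(5,   "Verification",  produces=("verified.json",),  requires=("findings.json",)),
    Phase(6,   "Report",        produces=("report.md",),      requires=("verified.json",)),
)

FAST_SKIPPABLE = {1}  # the only phase --fast may drop (Recon)


def plan(fast: bool = False, skip: frozenset = frozenset()) -> list:
    """Return the phase numbers that will run, rejecting any forbidden skip.

    `skip` models a caller trying to drop phases; Phase 1 under --fast is the
    only skip the Iron Rule allows.
    """
    forbidden = set(skip) - (FAST_SKIPPABLE if fast else set())
    if forbidden:
        raise ValueError(f"Iron Rule: cannot skip phase(s) {sorted(forbidden)}")
    return [p.number for p in PIPELINE if p.number not in skip]


def run(fast: bool = False, skip: frozenset = frozenset()) -> list:
    """Execute the plan in order, refusing any phase whose inputs were never produced."""
    selected, artifacts, executed = set(plan(fast, skip)), set(), []
    for p in PIPELINE:
        if p.number not in selected:
            continue
        missing = [a for a in p.requires if a not in artifacts]
        if missing:
            raise RuntimeError(f"Phase {p.number} ({p.name}) needs {missing} from an earlier phase")
        artifacts.update(p.produces)   # stand-in for the real phase writing its output
        executed.append(p.number)
    return executed
```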