01 // Philosophy
We never test without written consent.
A vulnerability test is technically a controlled simulation of an attack. That means we send packets, attempt logins, and look for misconfigurations that could be abused. Without consent from the owner, it's the same act as a real intrusion, and falls under computer-misuse laws almost everywhere.
⚖
Unauthorized access is a crime, globally
Computer-fraud and unauthorized-access statutes (the CFAA in the US, the Computer Misuse Act in the UK, equivalent laws across the EU and most other jurisdictions) carry serious penalties, often years of prison. We never cross that line on your behalf.
What we need before we start
- Written consent from the domain owner. We need confirmation from someone who actually owns or administers the target.
- Scope agreement. Which domains, IPs, and ports are in scope, and what is explicitly out.
- Time window. We agree on when the scan runs, so your ops team doesn't have a heart attack at two in the morning.
Once this is in place, you get an engagement ID you can reference when we discuss findings later.
02 // Process
Eight phases, from mapping to report.
A full test follows a fixed sequence. Each phase builds on the last, and you get a status update when each phase finishes. The AD and cloud phases are skipped if your target doesn't have the relevant infrastructure.
PHASE 01
Recon
Mapping from the outside without touching the target: DNS, certificates, OSINT, leaks.
PHASE 02
Web
Hidden files and folders, exposed admin panels, known CMS traces, OWASP probes.
PHASE 03
Active Directory
Only runs if the target has AD infrastructure. BloodHound enumeration, Kerberoasting, delegation analysis.
PHASE 04
Cloud configuration
Only runs if cloud credentials are configured. IAM, exposed secrets, misconfigurations.
PHASE 05
Chain analysis
How several small findings can be combined into a serious vulnerability.
PHASE 06
Verification
False positives are weeded out. Each confirmed vulnerability gets a proof-of-concept.
PHASE 07
Detection
Sigma, SPL, and KQL rules are generated for every technique used during the test.
PHASE 08
Report
Findings classified by CVSS, with concrete remediation and detection rules.
⏱
Typical turnaround
The automated rounds against a single domain with under 50 endpoints take 1 to 5 minutes. We always reserve 3 business days from order to finished report, time to manually verify findings, weed out false positives, write explanations, and deliver something a board can read.
03 // Intensity
We tune the pace to your production.
You decide how hard we step on it. An aggressive test goes faster, but trips firewalls and can look like a real attack in the SOC. Stealth mode takes longer but flies under the radar, useful if you want to test whether your detection actually works.
Mode
Speed
Block risk
When we use it
stealth
Slow
Minimal, typically under WAF threshold
When you want to check if your SOC catches us
normal
Moderate
Low, respects 429
Default for a first test
aggressive
Max pace
High, may trip firewall or rate-limit
When you want a fast overview on dev/staging
✓
Rate-limit respect is on by default
We automatically back off on HTTP 429 and Retry-After. Max 3 attempts, exponential backoff capped at 30 seconds. That means an aggressive test against a well-hardened target effectively falls back to normal pace.
04 // Arsenal
The tools we use, and why.
Every tool has a reason to be here. Here's each one, with the example command we actually run and the kind of findings it typically surfaces.
🛡
Nmap
network mapper · /usr/bin/nmap
Industry standard for port and service discovery for over 25 years. Sends packets to every port and analyzes the response to guess what's listening there.
Why
You can't test what you don't know is there. Nmap gives us the map of what's exposed to the internet, often more than the ops team itself realizes. Forgotten database ports, RDP, or test services on non-standard ports are typical things that turn up.
How we run it
# Service detection + script scan against top 1000 ports
$ nmap -sV -sC --top-ports 1000 -T3 mustvedt.net
# Full TCP scan with version detection and OS fingerprint (requires sudo)
$ sudo nmap -sS -sV -O -p- --min-rate 1000 mustvedt.net
The flags mean: -sV version detection, -sC default NSE scripts, -T3 normal pace, -p- all 65535 ports.
Typical findings
- Open ports for services that shouldn't have been exposed (database, Redis, MongoDB).
- Outdated versions of nginx, Apache, OpenSSH with known CVEs.
- Admin panels on non-standard ports (8080, 8443, 9090).
- SNMP, mDNS, and other internal services that leak info.
🌍
Nikto
webserver scanner · /usr/local/bin/nikto
Checks a web server against 6700+ known vulnerabilities, dangerous files, and misconfigurations. A bit noisy on false positives, but catches things no one else catches.
Why
Nikto is the only scanner that covers "old sins" this broadly: forgotten .git folders, default passwords on admin panels, exposed phpinfo.php, vulnerable CGI scripts. Much of what it finds comes from eras when ops folks did things that seemed clever in 2008.
How we run it
# Standard scan with updated vulnerability database
$ nikto -h https://mustvedt.net -Tuning x4567890ab -output nikto.txt
# With authentication (cookie-based)
$ nikto -h https://target.com -id user:pass
Tuning flags control which test categories run (1-9, a-c, x). We typically skip the noisiest ones.
Typical findings
- Exposed .git, .svn, .env, .DS_Store files that leak source code and secrets.
- phpinfo.php, server-status, server-info that leak stack information.
- Default credentials on Tomcat Manager, Jenkins, WordPress wp-admin.
- Missing HSTS, X-Frame-Options, CSP, typical header findings.
🔭
gobuster
content discovery · /usr/bin/gobuster
Brute-forces folder and file names to find things that aren't linked from any public page. Written in Go, runs fast.
Why
Many admin panels, backup files, and forgotten test pages are not linked anywhere. They sit there if you know the name. Gobuster tries thousands of likely names and tells you which actually exist on the server. This often finds what no other tool catches.
How we run it
# Standard directory brute with our wordlist
$ gobuster dir -u https://mustvedt.net \
-w /opt/wordlist-common.txt \
-x php,html,bak,old,zip,tar.gz \
-t 20 -q
# Subdomain enumeration via DNS
$ gobuster dns -d mustvedt.net -w /opt/subdomains.txt
The -x flag makes it try each path with several extensions. -t 20 = 20 parallel threads.
Typical findings
- Backup files: .bak, ~, .old, which often contain the entire DB dump.
- Hidden admin panels: /admin/, /cpanel/, /manager/.
- Test pages, dev versions: /test.php, /dev/, /staging/.
- Old CMS installs without updates: /wp-admin/, /joomla/.
🔐
testssl.sh
TLS/SSL analysis · /usr/local/bin/testssl.sh
Checks TLS configuration against every known attack: BEAST, POODLE, Heartbleed, ROBOT, LOGJAM, and many more. Gives you a grade from A+ to F.
Why
TLS isn't something you "configure once". New attacks appear, old suites must be phased out, and protocols like TLS 1.0 and 1.1 are officially dead. We check against 50+ known attacks and give a concrete prioritized list of what you need to fix to get to A+.
How we run it
# Full check including vulnerability tests and certificate analysis
$ testssl.sh --severity LOW --htmlfile tls.html \
--jsonfile tls.json mustvedt.net:443
# Only vulnerabilities, faster
$ testssl.sh --vulnerable mustvedt.net:443
Typical findings
- TLS 1.0/1.1 still active, should have been off since 2020.
- Weak cipher suites: 3DES, RC4, NULL.
- Missing Forward Secrecy.
- Certificate expiring soon, or using SHA-1.
- Vulnerabilities: ROBOT, Heartbleed (rare, but still exists), CRIME, BREACH.
📥
theHarvester
passive OSINT · Python-based
Collects public information about a domain from Bing, crt.sh, OTX, and 20+ other sources. Never touches the target directly.
Why
Much of an attacker's job happens before they ever send a packet at the target. They search for employee emails, subdomains, old versions of the website, and certificate history. theHarvester collects all of this automatically, so we can show you what a motivated attacker would know about your company after one coffee and five minutes on Google.
How we run it
# Passive recon against the domain, from all free sources
$ theHarvester -d mustvedt.net \
-b bing,crtsh,otx,duckduckgo,certspotter \
-l 500 -f harvest.html
Typical findings
- Employee email addresses from public sources, perfect phishing material.
- Subdomains you've forgotten: old test environments, vendor portals.
- IPs and hosts belonging to your network.
- Certificate history: which names you've requested certificates for over the years.
🕷
SpiderFoot
dark web & leak OSINT · v4.0
Correlates data from 200+ sources, including paid services like IntelX (dark web, breach database, pastes, Usenet). Builds a graph of what's out there about you in the darker corners of the internet.
Why
Leaked credentials often sit out there for a long time before anyone notices. SpiderFoot against IntelX scans pastes, dark-web forums, leak databases, Usenet, DNS history, and whois archives in seconds, sources you wouldn't find manually if you worked a full week.
How we run it
# Domain scan with IntelX and passive modules
$ sf.py -s mustvedt.net -t DOMAIN_NAME \
-m sfp_intelx,sfp_haveibeenpwned,sfp_pastes \
-q -o json
We run via a wrapper script ~/spiderfoot/run.sh that returns clean JSON results to the PHP layer.
Typical findings
- Leaked password hashes belonging to employees (combo-lists, breach dumps).
- Credit-card numbers, OAuth tokens, and API keys in pastebin history.
- Mentions of the company on Russian or Chinese underground forums.
- Previously compromised email addresses from known breaches.
📡
Passive recon stack
crt.sh · HIBP · Shodan · RDAP · Wayback
The tools that don't send a single packet to your target. Use public databases to build the picture.
Why
Even before we have consent, we can give you a picture of your exposure, based on what's public. This is what we offer in previews and free-tier scanners. It's surprising how much you can find out without "touching" the target.
What we check
- crt.sh. Certificate Transparency logs give every certificate issued for the domain over the last 5 years. Reveals subdomains and past infrastructure.
- Have I Been Pwned. Have your email addresses been in a data breach? Which ones?
- Shodan. Shows what has been seen on your IPs in the past, without rescanning.
- RDAP (the successor to WHOIS). Who owns the domain, when does it expire, who is the contact.
- Wayback Machine. Historical versions of the site can contain forgotten API endpoints and secrets.
- DNS resolvers. Checks MX, SPF, DMARC, DKIM, CAA against 8.8.8.8, 1.1.1.1, and 9.9.9.9 to see how different clients see you.
05 // Specialist agents
Dedicated test agents per domain.
Beyond the classic command-line tools, we have ten specialist agents that each cover their own domain. Each agent knows what's relevant for its area, what's normal, and what typically goes wrong. They run asynchronously and report findings back to the same engagement.
Web-app agent
test_web_app
Full deterministic web scan with 60+ probes: SQLi (reflected + blind + login-bypass), XSS (reflected and stored), SSRF, XXE, path traversal, IDOR, JWT attacks, race conditions, type confusion, mass assignment via PATCH, host-header poisoning. OWASP API Top 10 is covered when an authenticated profile is configured.
API security agent
test_api_security
REST and GraphQL by OWASP API Top 10. Tests BOLA/IDOR, JWT alg-confusion, OAuth callback validation, rate-limit bypass, mass assignment, and GraphQL introspection. Can ingest an OpenAPI spec to test every defined endpoint.
Active Directory agent
test_active_directory
BloodHound enumeration, Kerberoasting, AS-REP roasting, delegation attacks, privilege-escalation paths, and domain dominance. NTLM credentials are loaded via an auth profile server-side, they never touch the MCP/LLM context.
Cloud agent
test_cloud · AWS/Azure/GCP
Misconfigurations, exposed secrets, IAM roles that are too generous, vulnerable services, and privilege-escalation paths. Credentials are retrieved server-side from env, 1Password, Vault, or AWS Secrets Manager.
Credentials agent
test_credentials
Default credentials, password spraying, and MFA-bypass tests. Lockout-sensitive, prefers spray (one password attempt across many users) over brute-force (many passwords against one user) in production. We don't lock anyone out by accident.
Mobile agent
test_mobile · Android/iOS
Static and dynamic analysis of Android and iOS apps. Covers OWASP Mobile Top 10: insecure local storage, external traffic without TLS, hardcoded secrets, debug flags, exposed intent handlers, jailbreak/root-detection bypasses.
Wireless agent
test_wireless
WiFi and Bluetooth security on site. WPA/WPA2/WPA3 configuration, rogue access points, deauth detection, Bluetooth pairing weaknesses. Requires an on-site test with a wlan interface.
Privesc agent
test_privesc · linux/windows/container
After a low-privilege account is compromised: can we climb higher? Uses LinPEAS / WinPEAS / DeepCE plus a kernel-exploit-suggester. Enumeration only by default, escalation only with explicit green light.
Vuln agent
test_vulnerabilities
Broad vulnerability scan with Nuclei + RouterSploit + Nikto + dirb. De-duplicates against existing findings in the same engagement, filters out obvious false positives, and ranks by CVSS plus EPSS, the probability the vulnerability is actually being exploited in the wild.
🧭
Auto-selecting the right agent
You don't need to know which agent to run. select_agent takes a free-text target and an optional intent, and returns the right agent deterministically based on heuristics. "test all our AWS accounts" → cloud agent. "our SharePoint server" → AD agent.
06 // Bug-class probes
60+ named probes, runnable individually.
Every bug class we test for has one or more dedicated probes. The list grows every month. You can run them all as a bundle through the web agent, or pick out specific probes for targeted testing. Here's what's in today, grouped by attack category.
💉Injection (SQLi / NoSQL / LDAP / SSTI)
sqli_fuzz
search_sqli_get
login_sqli_bypass
sqli_login_bypass
ldap_injection
ssti_fuzz
ssti_stored
ssti_polyglot
nosql_fuzz
nosql_inject
🪞Cross-site scripting
reflected_xss
stored_xss
xss_fuzz
dom_xss
🔓Authorization & access
idor_sequential
idor_authenticated
idor_authz_differential
privilege_escalation_patch
mass_assignment
trusted_header_bypass
role_self_promote
unauth_rest_leak
cache_deception
🎟Auth & session
jwt_alg_none
jwt_alg_variants
jwt_jku_x5u_ssrf
authenticated_pivot
saml_xsw
oauth_pkce_downgrade
password_reset_weak
host_header_reset_poisoning
cookie_prefix_bypass
user_enum
📂Files, deserialization & RCE
path_traversal
xxe_upload
deserialization
file_upload_validation
nextjs_rsc_rce
cve_poc_primitives
🌍SSRF & CORS
ssrf_cloud_metadata
cors_reflection
⚡Race conditions & logic
race_condition
business_logic_fuzz
prototype_pollution
coupon_forging
type_confusion
open_redirect
captcha_replay
🔎Discovery & info leakage
leaked_credentials
exif_metadata
ftp_leak
forced_error
web3_probe
api_path_discovery
asset_secrets_scan
hidden_discovery
dev_interfaces
graphql_introspection
directory_listing
source_maps
response_headers
Red chips = can hit critical or high CVSS when triggered. Yellow = medium. Each probe has its own "requires_auth" flag that controls whether it fires against unauthenticated or only logged-in targets. Full list via list_probes.
07 // Advanced features
What the other tools don't have.
The platform we use runs several layers above the raw scanners. These features are why we can deliver a report that isn't just an export of Nuclei output.
authenticated_scan
🪪
Authenticated scans
Logs in with a server-side credential profile and scans as a logged-in user. Credentials never pass through the LLM context. Lets us hit auth-gated bug classes like race conditions, mass assignment, and authenticated SQLi.
browser_inspect
🎭
Headless browser inspection
A real Chromium fetches the page and reports DOM, forms, scripts, network requests, cookies, and security headers. Catches SPAs, postMessage flows, and JS-injected endpoints that curl never sees.
discover_attack_chains
⛓
Attack-chain detection
Analyzes every finding in an engagement and figures out how several medium findings can be combined into full compromise. "Leaked env file + weak JWT secret + SSRF" → admin takeover.
validate_finding
✅
Safe PoC validation
For every finding we can run a non-destructive proof-of-concept that proves the vulnerability is real and exploitable. No permanent change to the target. Status flips to confirmed or failed.
generate_detection_rules
🚨
Sigma/SPL/KQL detection
Every offensive technique gets a matching detection rule the blue team can drop straight into the SIEM. Sigma for portability, SPL for Splunk, KQL for Microsoft Sentinel.
query_compliance
📜
Compliance mapping
Findings are grouped by PCI-DSS, HIPAA, SOC2, and OWASP controls. No more translating between the report and the compliance spreadsheet by hand.
start_campaign
🌐
Multi-target campaigns
One command, many targets: all prod IPs, the entire subdomain list, every one of the customer's APIs. The campaign creates one engagement per target and lets you consolidate findings across them.
strict_scope
🛂
Strict scope enforcement
An engagement with strict_scope=true rejects every request outside the target host. Redirect-following in the primitives is also off, so a 302 to attacker.com can't pull the scan out of scope.
resume_engagement
⏸
Pause and resume
Engagements can be paused, parked overnight, and resumed the next morning. State persists in a local SQLite database, so nothing is lost if the session is cut.
🔒
Credentials handling
Every secret, login password, API token, cloud credential, is loaded server-side via an auth-profile system. The value itself never passes through the LLM or the MCP protocol. We can integrate with 1Password (op://), HashiCorp Vault, AWS Secrets Manager, or just environment variables.
08 // Delivery
The report you get, and what's in it.
A pen-test and recon you can't act on is just a long PDF. We write reports that give the ops team a concrete order: this first, here's how you fix it, here's how you verify it's gone.
Structure
- Executive summary. One page leadership can read. What we found, what it means, what it costs to fix.
- Technical overview. Every finding with CVSS score, CWE ID, and OWASP category.
- Attack chains. How three medium findings can be combined into one critical problem.
- Proof of Concept. The exact command or request that demonstrates the vulnerability, and what the response looks like.
- Remediation. For every finding: temporary mitigation, permanent fix, how to verify.
- Detection rules. Sigma rules you can drop straight into the SIEM.
- Appendices. Raw output from every tool, if you want to double-check.
📄
Formats we deliver in
PDF for archiving and distribution. Markdown if you want to commit it to an internal repo. HTML if you want to share an interactive version with the team. JSON if you want to pipe it into a GRC platform.
CVSS prioritization
Every finding gets a CVSS 3.1 score. We group them like this:
- Critical (9.0–10.0). Fix within 24 hours. Actively exploitable from the internet, gives control of the system or data.
- High (7.0–8.9). Fix within 7 days. Exploitable with logged-in users, or leaks sensitive information.
- Medium (4.0–6.9). Fix within 30 days. Requires specific conditions, or contributes to a larger attack.
- Low / Info (<4.0). Best practice. Fix when you can.