1. Reconnaissance
Passive enumeration of the target's attack surface: subdomains, DNS records, certificate transparency logs, public artefacts, and technology fingerprinting — before a single active probe is sent.
2. Surface Mapping
Authenticated and unauthenticated crawls expand the recon baseline into a full endpoint inventory — API routes, parameters, authentication flows, session tokens, and application-specific logic paths.
3. Probing
Forty-nine instruments are fired against the mapped surface, covering injection classes, access control, OAuth and JWT abuse, cloud metadata exposure, business-logic flaws, and client-side vulnerabilities.
4. Verification
Every candidate finding is re-fired with crafted payloads. HTTP request and response evidence is captured and preserved. False positives are discarded before a finding is promoted to the results stream.
5. Exploit Chaining
Individual verified findings are composed into multi-step attack paths — SSRF into cloud metadata credential theft, XSS into session hijacking, IDOR into privilege escalation — to demonstrate real-world blast radius.