Scan Phases
A detailed breakdown of the five phases in every PreBreach security scan
Every PreBreach scan executes five sequential phases, each designed to build on the results of the previous one. This layered approach mirrors the methodology of a professional penetration tester — starting with broad reconnaissance and progressively narrowing focus to validated, high-confidence findings.
Phase 1: Reconnaissance (0 - 20%)
The reconnaissance phase maps the target's attack surface. PreBreach deploys four specialized tools to gather intelligence before any active vulnerability testing begins.
Subdomain Discovery — Subfinder
PreBreach uses Subfinder to enumerate subdomains associated with your root domain. This reveals hidden services, staging environments, and forgotten assets that may contain vulnerabilities. Subfinder queries multiple passive sources including DNS datasets, certificate transparency logs, and search engines.
Technology Fingerprinting — Httpx
Httpx probes discovered hosts to identify the technologies in use — web servers, frameworks, CMS platforms, programming languages, and CDN providers. Knowing the technology stack allows subsequent phases to select the most relevant vulnerability checks.
Port Scanning — Nmap
Nmap performs a targeted port scan across discovered hosts to identify open services beyond standard HTTP/HTTPS. This can reveal exposed databases, admin panels, SSH services, and other network-level entry points.
Web Crawling — Katana
Katana crawls the web application to discover pages, endpoints, forms, API routes, and JavaScript files. The crawl results feed directly into the scanning and AI analysis phases, ensuring comprehensive coverage of the application's functionality.
Phase 2: Scanning (20 - 40%)
With the attack surface mapped, PreBreach moves into active vulnerability scanning using targeted templates and protocol analysis.
Vulnerability Templates — Nuclei
PreBreach runs 24 custom Nuclei templates specifically developed for modern web applications. These templates cover:
- Known CVEs in common frameworks and libraries.
- Misconfigurations in web servers, headers, and CORS policies.
- Exposed sensitive files (.env, backups, debug endpoints).
- Default credentials and authentication bypasses.
- Information disclosure through error messages and stack traces.
Unlike generic scanners that run thousands of irrelevant checks, PreBreach's curated template set minimizes noise and focuses on vulnerabilities that matter.
SSL/TLS Analysis — Testssl
Testssl performs a comprehensive audit of the target's SSL/TLS configuration, checking for:
- Weak cipher suites and deprecated protocols (SSLv3, TLS 1.0, TLS 1.1).
- Certificate validity, chain issues, and expiration.
- Known attacks such as BEAST, POODLE, Heartbleed, and ROBOT.
- HSTS configuration and preload status.
- Certificate transparency and OCSP stapling.
Phase 3: AI Analysis (40 - 70%)
This is where PreBreach diverges from traditional scanners. Eight specialized AI agents, each powered by Claude Opus, analyze the target for complex vulnerability classes that automated tools typically miss.
Each agent has deep expertise in its domain and receives the full context from Phases 1 and 2 — including discovered endpoints, technology fingerprints, and crawl data.
| Agent | Focus Area | What It Looks For |
|---|---|---|
| Authentication Agent | Login and session management | Weak password policies, session fixation, token leakage, brute-force susceptibility, MFA bypass |
| Authorization Agent | Access control | IDOR vulnerabilities, privilege escalation, horizontal/vertical access control flaws, missing role checks |
| Injection Agent | Input handling | SQL injection, XSS (reflected, stored, DOM-based), command injection, SSTI, LDAP injection, path traversal |
| Infrastructure Agent | Server and network | Misconfigurations, exposed admin interfaces, outdated software, cloud metadata exposure, SSRF |
| Business Logic Agent | Application workflows | Race conditions, workflow bypasses, price manipulation, coupon abuse, rate limiting gaps |
| Client-Side Agent | Browser security | CSP evaluation, JavaScript analysis, DOM clobbering, postMessage vulnerabilities, prototype pollution |
| API Security Agent | API endpoints | Broken object-level authorization, mass assignment, rate limiting, GraphQL introspection, excessive data exposure |
| Recon Analysis Agent | Attack surface synthesis | Correlates all reconnaissance data to identify high-value targets, shadow IT, and overlooked entry points |
Each agent produces a structured set of potential findings ranked by confidence and severity.
Phase 4: Validation (70 - 85%)
Raw findings from Phases 2 and 3 are validated to eliminate false positives and confirm exploitability.
Multi-Model Consensus
PreBreach employs a multi-model validation approach using both Claude and GPT models. Each finding is independently reviewed by both models, and only findings where both models reach consensus on exploitability are promoted to the final report. This dramatically reduces false positives compared to single-model analysis.
Proof-of-Concept Execution
For confirmed vulnerabilities, PreBreach generates and executes safe proof-of-concept (PoC) exploits that demonstrate the issue without causing damage. These PoCs are included in the final report so your development team can reproduce and understand each finding.
Evidence Collection
The validation phase captures screenshots and detailed evidence for each confirmed vulnerability, including:
- HTTP request and response pairs.
- Screenshots of the vulnerable state.
- Step-by-step reproduction instructions.
- Affected URLs and parameters.
Phase 5: Reporting (85 - 100%)
The final phase transforms validated findings into actionable reports.
CVSS v4.0 Scoring
Every confirmed vulnerability is scored using the Common Vulnerability Scoring System v4.0, the latest industry standard. CVSS scores account for attack vector, complexity, required privileges, user interaction, and impact on confidentiality, integrity, and availability.
Security Grade Calculation
PreBreach assigns an overall security grade (A through F) based on the aggregate findings. The grade considers:
- The number and severity of confirmed vulnerabilities.
- The presence of critical or high-severity issues.
- The overall security posture of the application.
Report Generation
Three report formats are generated automatically:
| Format | Use Case |
|---|---|
| | Executive summaries and compliance documentation. Formatted for sharing with stakeholders and management. |
| HTML | Interactive report with expandable finding details, evidence previews, and navigation. Ideal for development teams. |
| JSON | Machine-readable format for integration with CI/CD pipelines, ticketing systems, and security dashboards. |
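One way to consume the JSON report in a CI/CD pipeline, as an added example that is not PreBreach's own code: it maps each finding's CVSS v4.0 score to the standard qualitative band, counts only findings that passed the Phase 4 multi-model consensus, and fails the build when a confirmed finding reaches a chosen severity. The report field names (`findings`, `cvss_v4_score`, `consensus`, `id`) are assumptions, since the page does not document the schema.

```python
# CI gate over a PreBreach-style JSON report (added example, not PreBreach's code).
# The report schema is an assumption: the page only says the JSON output targets
# CI/CD integration and that findings carry a CVSS v4.0 score and consensus verdict.
import json

# CVSS qualitative severity bands (identical in v3.x and v4.0).
SEVERITY_BANDS = [(9.0, "critical"), (7.0, "high"), (4.0, "medium"), (0.1, "low")]
SEVERITY_RANK = {"none": 0, "low": 1, "medium": 2, "high": 3, "critical": 4}

def cvss_severity(score: float) -> str:
    """Map a CVSS base score (0.0-10.0) to its qualitative rating."""
    if not 0.0 <= score <= 10.0:
        raise ValueError(f"CVSS score out of range: {score}")
    for floor, label in SEVERITY_BANDS:
        if score >= floor:
            return label
    return "none"

def evaluate_report(report: dict, fail_at: str = "high") -> dict:
    """Count confirmed findings per band and decide whether the build should fail.

    Only findings both validation models agreed on (consensus) count toward the
    gate; unconfirmed ones are skipped so they never block a pipeline.
    """
    counts = {label: 0 for label in SEVERITY_RANK}
    blocking = []
    for finding in report.get("findings", []):
        if not finding.get("consensus", False):
            continue
        severity = cvss_severity(float(finding["cvss_v4_score"]))
        counts[severity] += 1
        if SEVERITY_RANK[severity] >= SEVERITY_RANK[fail_at]:
            blocking.append(finding["id"])
    return {"counts": counts, "blocking": blocking, "passed": not blocking}

# Constructed sample report: hypothetical field names, made-up values.
SAMPLE_REPORT = json.loads("""{
  "target": "example.com",
  "findings": [
    {"id": "F-1", "title": "IDOR on /api/orders", "cvss_v4_score": 8.2, "consensus": true},
    {"id": "F-2", "title": "Missing HSTS header", "cvss_v4_score": 3.1, "consensus": true},
    {"id": "F-3", "title": "Possible SSTI", "cvss_v4_score": 9.3, "consensus": false}
  ]
}""")

if __name__ == "__main__":
    result = evaluate_report(SAMPLE_REPORT)
    print(json.dumps(result, indent=2))
    raise SystemExit(0 if result["passed"] else 1)
```

Point the script at the downloaded report instead of `SAMPLE_REPORT` and let its exit status gate the pipeline stage; the `fail_at` threshold is the one knob most teams tune per environment.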
Dashboard Upload
All reports are automatically uploaded to your PreBreach dashboard, where you can:
- View findings organized by severity.
- Track remediation progress over time.
- Compare results across multiple scans.
- Share reports with team members.
Timing and Performance
A complete scan through all five phases typically takes 30 to 60 minutes. The primary factors that affect duration are:
- Application size — Larger applications with more pages and endpoints take longer to crawl and analyze.
- Number of subdomains — Domains with many subdomains require additional reconnaissance time.
- AI analysis depth — Complex applications generate more context for the AI agents to evaluate.
You can monitor progress in real time from the scan detail page. See Scanning Overview for details on the real-time progress interface.