Attack Flow Graph
Explore every scanner module as a node in an interactive dependency graph. See how data flows, where bottlenecks sit, and what each module produces.
98 Modules. 6 Phases. One Pipeline.
Click any node to explore. Switch layouts to see different structural views.
Understand the Full Pipeline
The attack flow graph shows every module, every dependency, and every data pipeline in your scanning configuration.
Interactive Node Exploration
Click any module node to see its description, execution phase, estimated duration, and which data pipelines it participates in -- both inbound and outbound.
Data Pipeline Visualization
Cyan-colored edges show active data pipelines -- where findings from one scanner feed into the next. See how subdomains flow from recon to resolution to port scanning to vulnerability detection.
Critical Path Highlighting
Amber-ringed nodes and bold edges mark the critical path -- the longest chain of dependencies that determines your scan duration. Optimize here to reduce total scan time.
8 Layout Modes
Switch between Pipeline, Force-directed, Tree, Radial Tree, Dendrogram, Radial Dendrogram, Hierarchical Bundle, and Indented views. Each layout reveals different structural insights.
Module Search and Filter
Type a module name or category to instantly filter the graph. Matching nodes stay highlighted while the rest fade, making it easy to trace specific paths through the pipeline.
OAST-Enabled Scanner Badges
Scanners that use out-of-band testing (Nuclei, Dalfox, Sqlmap) are marked with OOB badges, so you can see which modules detect blind vulnerabilities via the self-hosted Interactsh server.
20+ Active Data Pipelines
Scanners do not run in isolation. Findings from one module flow into the next, building a comprehensive picture of the attack surface.
Recon to Resolution
Subfinder and Amass discover subdomains. Alterx generates permutations. Dnsx validates them via DNS resolution. Only live hosts proceed to port scanning.
Ports to Vulnerability
Naabu scans resolved hosts for open ports. Nuclei runs 11K+ vulnerability templates against every discovered service. Nmap feeds service data to Hydra for credential testing.
Crawling to Exploitation
Katana, Gau, and Photon crawl and discover URLs. Those URLs feed into Dalfox (XSS), Sqlmap (SQLi), Commix (command injection), and Tplmap (template injection).
API Discovery Pipeline
SwaggerJacker finds OpenAPI specs. Discovered API paths feed into Ffuf for fuzzing, Kiterunner for brute-forcing, and SensitiveFileScanner for deduplication.
Fuzzing to Bypass
Ffuf discovers directories and paths. Those that return 403 are sent to Nomore403 for bypass attempts using header manipulation and path tricks.
AI Correlation
After all modules complete, the AI Correlator analyzes every finding to identify attack chains, detect false positives, and assign confidence scores.
How the Pipeline Works
Modules declare dependencies
Each scanner module specifies which other modules it depends on. Subfinder depends on nothing. Alterx depends on Subfinder. Dnsx depends on Alterx and Subfinder. These declarations form a directed acyclic graph.
Pipeline resolves phases
The planner orders modules so each runs only after its prerequisites finish. Modules with no prerequisites launch first, their outputs feed the next batch, and so on across six phases.
Results flow through pipelines
When a downstream scanner starts, it queries findings from its upstream dependencies. Subdomains, URLs, ports, and services are passed through as piped targets. Each scanner enriches the data for the next phase.
Visualize Your Entire Scanner Pipeline
An interactive D3.js-powered dependency graph showing how 98 modules connect, where data flows between phases, and which paths are critical. 20+ active data pipelines. 8 layout modes. See the full attack surface pipeline at a glance.