Adaptive Attack Engine

How to Use the Adaptive Attack Engine — Automated AI Mode

In Automated AI mode, Claude drives the Adaptive Attack Engine end-to-end. You configure the intensity, select attack categories, and launch. The engine handles state transitions, bypass escalation, cross-endpoint learning, and finding chain analysis autonomously.

1. 1

   Step 1: Understand the Engine — State Machine Overview

   Before launching, understand what the engine does under the hood. Every endpoint-parameter combination is tracked through a six-state machine. The engine never silently skips a parameter — every one receives a definitive classification.

   STATE MACHINE: Per Endpoint x Parameter x Attack Class UNTESTED ──────────────────────────────────────────────────────────┐ │ │ │ Engine queues payloads for detected tech stack │ v │ PROBING ────────────────────────────────────────────────────────────┤ │ │ │ Response analyzed: status code, error messages, │ │ timing delta, content diff, header analysis │ v │ FILTER_DETECTED ────────────────────────────────────────────────────┤ │ │ │ WAF/filter identified: vendor, rule type, blocking pattern │ │ Bypass technique selected from escalation ladder │ v │ BYPASS_ATTEMPTING ──┬── Bypass succeeded ──> CONFIRMED │ │ │ │ │ └── Failed, more levels ──> (next level) │ │ │ │ All 8 levels exhausted │ v │ EXHAUSTED ──────────────────────────────────────────────────────────┘ (all bypass levels tried, no confirmation — "tested, not vulnerable")

   Key distinction: EXHAUSTED is not "not vulnerable." It means "we tried every available technique and could not confirm." The full attempt history is included in the report, demonstrating thorough testing.

   State	Visual Color	What It Means	Engine Action
   UNTESTED	Gray	Endpoint-parameter not yet probed for this vulnerability class	Queue standard payloads tailored to the detected tech stack
   PROBING	Blue	Baseline payloads sent, response analysis in progress	Analyze: HTTP status, error strings, timing deltas, content diffs, response headers
   FILTER_DETECTED	Yellow	WAF, input filter, or validation is actively blocking payloads	Identify filter type and vendor. Select appropriate bypass level.
   BYPASS_ATTEMPTING	Orange	Engine is escalating through the 8-level bypass ladder	Execute current level. If blocked, move to next level. If partial hit, refine within level.
   CONFIRMED	Red	Vulnerability confirmed with captured evidence	Capture request/response pair, hash evidence, add to attack graph, attempt chaining.
   EXHAUSTED	Green	All bypass levels attempted without confirmation — endpoint is clean for this class	Record full attempt history. Mark as "Tested — Not Vulnerable" with proof of all attempts.

2. 2

   Step 2: Configure Intensity Settings

   In the Mission Control Wizard (Step 8: Review & Launch), select one of four intensity levels. This controls how aggressively the engine escalates through bypass levels, request timing, and technique breadth.

   Intensity	Bypass Levels	Timing	Footprint	Best For
   Stealth	0 – 2	Slow (2–5s delay between requests)	Minimal — avoids detection by IDS/SIEM	Production environments, red team engagements where stealth is required. Only standard payloads and basic encoding. No aggressive bypass techniques that could trigger alerts.
   Standard	0 – 4	Normal (0.5–1s delay)	Moderate — typical scanner traffic pattern	Pre-production and staging environments. Includes URL encoding, double encoding, Unicode variants, and case manipulation. Covers most WAF bypass scenarios without deep evasion.
   Aggressive	0 – 6	Fast (50–200ms delay)	Heavy — high request volume, advanced evasion	Test and lab environments. Adds WAF-vendor-specific bypasses and full technique pivots (error-based to blind to OOB). Uses all encoding tricks and multiple exploitation paths per vulnerability class.
   Full	0 – 7+ (all levels)	Maximum (parallel, no delay)	Maximum — every technique, every variant	Dedicated test environments only. Includes AI-generated novel payloads, protocol-level evasion (HTTP smuggling, request desync), zero-day variant generation, and full payload mutation. This is the deepest possible test.

   How to set intensity: Wizard Step 8 → Intensity slider → Select level OR Scan Dashboard → Settings gear icon → Intensity dropdown Default: Standard (Level 0-4) Production recommendation: Stealth (Level 0-2) Lab/QA recommendation: Aggressive or Full

   Changing intensity mid-scan is supported. Click the settings gear on the Scan Dashboard and adjust the slider. The engine will apply the new ceiling to all subsequent bypass attempts without restarting.
3. 3

   Step 3: Select Attack Categories

   Choose which vulnerability classes the Adaptive Attack Engine should test. Each category has its own payload library, bypass techniques, and chaining rules. Select all that are in scope.

   Category	What the Engine Tests	Key Techniques
   SQL Injection (SQLi)	All SQL dialects: MySQL, MSSQL, PostgreSQL, Oracle, SQLite. Tests every input parameter for error-based, blind boolean, time-based, UNION-based, stacked queries, second-order, and out-of-band injection.	UNION SELECT, WAITFOR DELAY, BENCHMARK(), extractvalue(), LOAD_FILE(), INTO OUTFILE, DNS OOB via xp_dirtree
   Cross-Site Scripting (XSS)	Reflected, stored, DOM-based, mutation XSS (mXSS). Tests HTML context, attribute context, JavaScript context, URL context, and CSS context.	Script tags, event handlers (onerror, onfocus, ontoggle), JavaScript URIs, SVG/MathML injection, template literals, prototype pollution via DOM
   Server-Side Template Injection (SSTI)	Detects template engine (Jinja2, Twig, Freemarker, Velocity, Mako, Pebble, Thymeleaf, Smarty) and generates engine-specific payloads targeting RCE.	{{7*7}} detection, {{config.items()}}, ${T(java.lang.Runtime)}, #{root.getClass()}, Twig {system()}
   Local/Remote File Inclusion (LFI/RFI)	Path traversal to read sensitive files (/etc/passwd, /etc/shadow, web.config, .env). Remote file inclusion to load attacker-controlled code. PHP wrapper abuse (php://filter, php://input, data://).	../../../etc/passwd, ....//....//etc/passwd, ..%252f traversal, null byte injection (%00), PHP wrappers, Windows UNC paths (\\attacker\share)
   Command Injection	OS command injection in all contexts: Linux (bash, sh) and Windows (cmd, PowerShell). Tests pipe, semicolon, backtick, $() substitution, newline, and heredoc injection.	; id, | cat /etc/passwd, $(whoami), `whoami`, %0aid, ${IFS} space bypass, PowerShell -enc base64
   Server-Side Request Forgery (SSRF)	Tests URL parameters, webhook configs, PDF generators, image processors, and any feature that makes server-side HTTP requests. Targets cloud metadata, internal services, and localhost endpoints.	http://169.254.169.254, http://[::1], DNS rebinding, redirect chains, gopher://, URL parser confusion (http://evil.com@169.254.169.254)
   XML External Entity (XXE)	Tests XML input points (SOAP endpoints, file uploads, SVG processing, DOCX/XLSX parsing) for entity expansion, file read, SSRF via XXE, and billion laughs DoS.	<!ENTITY xxe SYSTEM "file:///etc/passwd">, parameter entities, blind XXE via OOB (HTTP/DNS), XInclude, XSLT injection
   Path Traversal	Directory traversal beyond LFI context: file download endpoints, file management APIs, image/document viewers, backup download paths.	../../../, ..%5c..%5c (Windows backslash), ..%c0%af (overlong UTF-8), absolute path override (/etc/passwd as filename), symlink following
   Header Injection	Tests for header injection in redirect URLs, email headers, log entries, and any endpoint that reflects user input into HTTP response headers.	%0d%0aX-Injected: header, CRLF + Set-Cookie injection, response splitting, cache poisoning via injected headers
   CRLF Injection	Tests for carriage return / line feed injection to manipulate HTTP responses, inject headers, perform response splitting, and enable cache poisoning attacks.	%0d%0a injection, %0aLocation:%20evil.com, log injection, HTTP response splitting
   Open Redirect	Tests redirect parameters (url=, next=, return=, redirect_to=) for unvalidated redirects that enable phishing, OAuth token theft, and SSRF chaining.	Protocol-relative URLs (//evil.com), backslash URLs (http://target.com\@evil.com), URL encoding bypass, data: URIs, javascript: URIs
   Prototype Pollution	Tests JavaScript applications for prototype pollution via query parameters, JSON body, and URL paths. Targets __proto__, constructor.prototype, and Object.assign chains.	__proto__[isAdmin]=true, constructor[prototype][isAdmin]=1, JSON merge pollution, lodash.merge exploitation
   Deserialization	Tests for insecure deserialization in Java (ObjectInputStream), PHP (unserialize), Python (pickle), .NET (BinaryFormatter, JSON.NET), Ruby (Marshal), and Node.js (node-serialize).	Java gadget chains (ysoserial), PHP POP chains, Python pickle RCE, .NET TypeNameHandling, ViewState deserialization, cookie-based object injection

   How to select attack categories: Wizard Step 3 → Attack Categories panel → Check/uncheck categories OR Scan Dashboard → Adaptive Engine Settings → Category toggles Default: All categories enabled Quick presets: "OWASP Top 10" / "Injection Only" / "All Categories"
4. 4

   Step 4: Configure WAF Detection

   The engine auto-detects WAFs from response headers, error pages, and behavioral patterns. You can override the detection or pre-select a WAF vendor to skip detection and go straight to vendor-specific bypasses.

   WAF Vendor	Detection Signals	Bypass Profile
   Auto-Detect	Engine analyzes all response headers, status codes, error page content, and behavioral patterns to identify the WAF automatically.	Dynamically selects bypass techniques based on detected vendor. Falls back to generic multi-vendor testing if identification is uncertain.
   Cloudflare	cf-ray header, cf-cache-status, Server: cloudflare, __cfduid cookie, challenge pages with CAPTCHA	Unicode normalization exploits, chunked transfer encoding, Cloudflare-specific event handlers not in blocklist (ontoggle, onpointerover), simple logic payloads avoiding keyword signatures
   Akamai	AkamaiGHost server header, X-Akamai-* headers, Akamai reference ID in error pages	MySQL version comments (/*!50000UNION*/), variable-length SQL comments, HTTP/2 header manipulation, content-type mismatch attacks
   AWS WAF	x-amzn-RequestId header, AWS error pages, CloudFront distribution ID	LIKE-based SQL comparisons instead of equality, JSON body with form content-type, oversized payload to exceed inspection buffer, chunked transfer encoding
   Azure Front Door	X-Azure-Ref header, afd-* tracking headers, Azure-specific error templates	URL-encoded payloads in path segments, header injection via X-Original-URL, multi-part form data with boundary manipulation
   ModSecurity	Server: Apache + mod_security, ModSecurity-specific error pages, OWASP CRS pattern in 403 bodies	Zero-version MySQL comments (/*!0AND*/), request splitting, tab/newline in SQL keywords, comment insertion mid-keyword (SE/**/LECT)
   Imperva / Incapsula	X-CDN: Imperva, incap_ses_* cookies, visid_incap_* cookies, Incapsula incident ID	Null byte prefix (%00), HTTP parameter pollution, double URL encoding, request body in GET with content-length
   F5 BIG-IP ASM	BigIP server cookie, TS* cookies, F5-specific error templates	HTTP desync (CL.TE), JSON injection via nested objects, Unicode fullwidth characters, cookie header overflow
   Barracuda	barra_counter_session cookie, Barracuda-specific block pages	HPP (HTTP Parameter Pollution), payload fragmentation across parameters, multipart boundary injection
   Sucuri	X-Sucuri-ID header, Sucuri block page with incident ID, sucuri-* cookies	Overlong UTF-8 encoding, null byte insertion, alternate HTTP methods (PATCH instead of POST), content-type switching
   Fastly	X-Served-By: cache-*, Fastly-Debug-* headers, Via: varnish	Cache key poisoning, vary header manipulation, HTTP/2 pseudo-header injection, payload in fragment identifier
   Fortinet / FortiWeb	FORTIWAFSID cookie, FortiWeb error page patterns	Double encoding, JSON/XML content-type confusion, transfer-encoding chunked with extensions, oversized cookie header

   How to configure WAF detection: Wizard Step 8 → Advanced → WAF Configuration → "Auto-Detect" (recommended — engine identifies WAF in first 5 requests) → "Manual Override" → Select vendor from dropdown → "None Expected" → Skip WAF-specific bypasses, save time on unprotected targets Pre-selecting the correct WAF vendor saves 30-50 requests at the start of the scan.
5. 5

   Step 5: Launch and Monitor the State Machine

   Click Launch Scan. The Scan Dashboard shows the Adaptive Attack Engine's state machine in real time. Every endpoint-parameter combination is displayed as a color-coded tile that transitions through states as the engine works.

   SCAN DASHBOARD — Adaptive Attack Engine Panel ┌────────────────────────────────────────────────────────────────────┐ │ Adaptive Attack Engine Intensity: Aggressive [0-6] │ │ WAF: Cloudflare (auto-detected) Categories: 13/13 active │ ├────────────────────────────────────────────────────────────────────┤ │ │ │ /api/v1/users?id= │ │ SQLi: [████ BYPASS_ATTEMPTING L3] → Double-encoding bypass │ │ XSS: [████ CONFIRMED] → Reflected via ontoggle │ │ SSRF: [████ PROBING] → Testing URL parameter │ │ SSTI: [████ EXHAUSTED] → 6 levels tried, clean │ │ │ │ /api/v1/search?q= │ │ SQLi: [████ CONFIRMED] → Time-based blind (MySQL) │ │ XSS: [████ FILTER_DETECTED] → Cloudflare blocking <script>│ │ LFI: [████ UNTESTED] → Queued │ │ │ │ /api/v1/upload (file param) │ │ XXE: [████ BYPASS_ATTEMPTING L5] → Vendor-specific bypass │ │ CMDi: [████ PROBING] → Testing filename parameter │ │ │ │ Progress: 47/182 parameters tested | 3 Confirmed | 8 Active │ │ Bypass Level Distribution: L0: 12 L1: 3 L2: 5 L3: 2 L5: 1 │ │ Time elapsed: 00:14:32 | Estimated remaining: 00:38:00 │ └────────────────────────────────────────────────────────────────────┘

   Real-Time Monitoring Features

   • State Tiles: Each endpoint-parameter shows its current state with color coding. Click any tile to see the full payload history, responses received, and engine decisions.
   • Bypass Level Indicator: Orange tiles show which bypass level is currently being attempted (L0 through L7).
   • Live Activity Feed: Scroll the activity panel to see every payload sent, every response analyzed, and every engine decision in real time.
   • Toast Notifications: Critical and high-severity confirmations trigger immediate desktop notifications.
   • Attack Graph: Click "Attack Graph" tab to see confirmed findings linked into chains as they are discovered.
6. 6

   Step 6: Cross-Endpoint Learning in Action

   As the engine works, it propagates every discovery across all endpoints. You can observe this on the dashboard when untested endpoints suddenly jump from Level 0 to a higher bypass level — the engine is applying what it learned elsewhere.

   Discovery at Endpoint A	What Propagates	Effect on All Other Endpoints	Example
   WAF vendor identified as Cloudflare	WAF profile + known bypass set	All future payloads skip Level 0-4 and start at Level 5 (Cloudflare-specific bypasses)	/api/users → WAF Cloudflare detected. Now /api/orders, /api/admin, /api/search all start with Cloudflare bypass payloads.
   Database detected as MySQL 8.0	SQL dialect + version-specific functions	All SQLi payloads switch to MySQL syntax. MSSQL and PostgreSQL payloads removed from queue.	/login SQLi reveals MySQL. Now /search, /products, /checkout all use MySQL-specific UNION, BENCHMARK(), LOAD_FILE().
   Level 3 bypass (Unicode) succeeded	Successful encoding technique	All remaining untested parameters try Unicode encoding first before falling back to lower levels.	Fullwidth apostrophe (%ef%bc%87) worked on /api/users. Engine tries it first on /api/orders before standard payloads.
   Session token extracted via SQLi	Authentication credentials	Engine uses the token to test authenticated endpoints, IDOR, privilege escalation, and admin functionality.	Admin session cookie extracted from users table. Engine now accesses /admin/dashboard and tests for additional vulns behind auth.
   Rate limit detected at 100 req/min	Request timing constraints	All endpoints throttle to 90 req/min to stay below the limit and avoid IP bans.	/api/v1 returns 429 at 100 req/min. All /api/v2, /api/admin, /app endpoints adjust timing globally.
   Error message reveals PHP 8.1	Server language + version	All SSTI payloads switch to PHP engines (Twig, Blade). LFI payloads add PHP wrapper tests. Deserialization tests use PHP POP chains.	Stack trace on /debug shows PHP 8.1. Now all endpoints add php://filter, php://input, and PHP-specific type juggling payloads.

   Efficiency impact: Cross-endpoint learning reduces total requests by 40-60% on average. Without learning, 1,000 endpoints x 13 attack categories x 200 payloads = 2.6M requests. With learning, the engine skips payloads known to be blocked and prioritizes payloads known to succeed, often completing the same scope in 800K–1.2M requests.
7. 7

   Step 7: Review Attack Chains

   The Finding Chain Engine automatically links confirmed vulnerabilities into attack paths. Each chain shows how an initial finding can be escalated to maximum business impact.

   Click the Attack Graph tab on the Scan Dashboard to see chains as they form. Each node is a confirmed finding. Each edge shows how one finding enabled the next.

   ATTACK CHAIN VIEW — Example: SQLi to Full Compromise [SQL Injection] ─────→ [Database Enumeration] ─────→ [Credential Extraction] /api/login information_schema users table: admin/bcrypt username param 3 databases found password hash extracted Level 2 bypass │ │ │ v │ [Hash Cracking / Reuse] │ admin:P@ssw0rd123 │ │ │ v │ [Admin Panel Access] │ /admin/dashboard │ full admin privileges │ │ │ v │ [File Upload → RCE] │ webshell uploaded └────────────────────────────────────────────→ FULL COMPROMISE Impact: Initial low-privilege SQL injection escalated to remote code execution CVSS Chain Score: 9.8 (Critical) — reflects the full chain, not individual findings

   How Chain Scoring Works

   • Individual CVSS: Each finding gets its own CVSS score.
   • Chain CVSS: The complete chain is scored based on the maximum achievable impact when all links are exploited in sequence. A medium SQLi + medium hash exposure + low admin access = critical chain.
   • Business Impact: Claude writes a narrative for each chain describing the real-world business impact in terms the client's executive team can understand.
8. 8

   Step 8: Export Results

   When the scan completes (all parameters reach CONFIRMED or EXHAUSTED), export the results. Every finding includes the full Adaptive Attack Engine context.

   EXPORT INCLUDES — Per Finding: Finding ID: PY-2024-0047 Severity: Critical (CVSS 9.1) Vulnerability Class: SQL Injection (Time-Based Blind) Endpoint: POST /api/v1/users/search Parameter: q (body, JSON) Bypass Technique: Level 3 — Unicode fullwidth apostrophe (%ef%bc%87) Original Payload: ' OR SLEEP(5)-- (blocked by Cloudflare at L0) Final Payload: %ef%bc%87 OR BENCHMARK(10000000,SHA1(%ef%bc%871%ef%bc%87))-- State Transitions: UNTESTED → PROBING → FILTER_DETECTED → BYPASS_ATTEMPTING (L1, L2, L3) → CONFIRMED Total Attempts: 34 payloads sent before confirmation WAF Detected: Cloudflare (cf-ray header) Evidence: Request: POST /api/v1/users/search HTTP/1.1 ... Response: HTTP/1.1 200 OK (response time: 5,014ms vs baseline 120ms) Proof: 5-second delay confirms time-based blind injection Attack Chain: Links to PY-2024-0048 (Database Enumeration) Remediation: 1. Use parameterized queries (PreparedStatement / PDO::prepare) 2. Apply input validation: whitelist alphanumeric for search parameter 3. Configure Cloudflare WAF custom rule for time-based patterns

   Report Types

   • Executive Summary: High-level findings, chain analysis, business impact, risk rating.
   • Technical Report: Full finding detail, payloads used, bypass techniques, evidence, remediation steps.
   • Compliance Report: Maps findings to OWASP Top 10, PCI DSS, NIST, SOC 2, ISO 27001 controls.
   • Remediation Tracker: Exportable CSV/JIRA/ServiceNow format for tracking fix progress.