Full Coverage Matrix — PhantomYerra Help

Honest disclosure: earlier versions of these help pages listed only the OWASP Top 10 A1–A10 as our coverage. That was a dramatic under-statement of what the scanner actually does. This page replaces that representation with the full enumeration. If you find a vuln class missing from this list that we should test, file an issue — we'll add it.

🌐 Web Application

27 web modules + 26 DAST modules = 53 engines · OWASP WSTG v4.2 full · OWASP Top 10 2021 · Top 10 + 100s more classes

Injection

SQL Injection (error / blind / time / out-of-band)
NoSQL Injection (Mongo, Redis, CouchDB operators)
OS Command Injection (sync + blind)
LDAP Injection (filter + DN)
XPath / XQuery Injection
SSTI — Server-Side Template Injection (Jinja2, Twig, Freemarker, Velocity, ERB, Mustache, Smarty)
SSI — Server-Side Includes
XXE — XML External Entity (in-band + blind)
CRLF Injection / HTTP response splitting
Header Injection (Host, X-Forwarded-Host, etc.)
Email Header Injection
Log Injection (Log4Shell-style + format string)
ORM Injection

Cross-Site Scripting

Reflected XSS
Stored XSS
DOM-based XSS (browser-rendered via Playwright)
Mutation XSS (mXSS)
Self-XSS via cookie/storage tampering
JSONP callback XSS
Filter / WAF bypass via dalfox

Authorization

Broken Access Control (vertical + horizontal)
IDOR — Insecure Direct Object Reference
Multi-Role IDOR (5 user roles tested in parallel)
BOLA — Broken Object Level Authorization
BFLA — Broken Function Level Authorization
Forced Browsing
Path Traversal / Directory Traversal
File Inclusion (LFI + RFI)
Mass Assignment / Parameter Pollution

Authentication / Session

Default Credentials (catalogue 12,000+ pairs)
Weak password enforcement
Credential Stuffing window
Username Enumeration (timing + response)
Session Fixation
Session Token Predictability
Insecure Session Cookie (Secure / HttpOnly / SameSite)
MFA Bypass (response manipulation, race condition)
Password Reset Poisoning (Host header)
Account Lockout Bypass

JWT / OAuth / SSO

JWT alg: none bypass
JWT weak HS256 secret brute
JWT Algorithm Confusion (RS256→HS256)
JWT kid Injection (path traversal, SQLi)
JWT jku / x5u Injection
OAuth redirect_uri manipulation
OAuth State Parameter abuse / CSRF
OAuth Token Leakage (referer, history, postMessage)
SAML XML Signature Wrapping
SAML Assertion Replay
OpenID Connect nonce reuse

SSRF / Remote Inclusion

SSRF — Server-Side Request Forgery (basic + bypass)
SSRF→IMDS (AWS / GCP / Azure metadata)
SSRF→internal port scan
SSRF→Redis / Memcached / Elasticsearch RCE
DNS Rebinding
Blind SSRF via OOB (Burp Collaborator-style via interactsh)

HTTP Protocol Attacks

HTTP Request Smuggling (CL.TE, TE.CL, TE.TE)
HTTP/2 Smuggling + h2c bypass
Web Cache Poisoning
Web Cache Deception
Host Header Attack
Range Header DoS
HTTP Verb Tampering
HTTP Parameter Pollution (HPP)

CSRF / Clickjacking

CSRF — token absence + weak validation
SameSite cookie verification
Clickjacking (X-Frame-Options absence)
UI Redress + cursor jacking
Cross-Origin Resource Sharing misconfig
postMessage origin abuse

Business Logic

Workflow Bypass / state-machine manipulation
Race Conditions (TOCTOU on payments, withdrawals, coupons)
Price Tampering (hidden field, parameter)
Discount Stacking / coupon replay
Quantity Manipulation (negative, oversized)
Currency Mismatch
Rate Limit Bypass (header rotation, IP spoofing)
Insufficient Anti-Automation (CAPTCHA bypass test)
Unbounded Loop / DoS via business workflow

File Upload

Unrestricted File Upload
Content-Type Bypass
Magic-byte spoof (polyglot files)
Path Traversal in filename
Race condition during upload
Server-side image processing exploits (ImageMagick, GhostScript)
ZIP Slip / archive traversal

Deserialization

Java Deserialization (ysoserial gadget chains)
PHP Deserialization (PHPGGC)
Python pickle / yaml.load RCE
Ruby YAML / Marshal
.NET Binary / Json.NET typenamehandling
Node.js prototype pollution → RCE chain

Modern JavaScript

Prototype Pollution
DOM Clobbering
postMessage Misuse
Service Worker abuse
Subdomain Takeover (CNAME → unclaimed)
Subresource Integrity (SRI) gaps

WordPress / CMS

WPScan: outdated core, plugins, themes, user enum
Plugin CVE matching
xmlrpc.php abuse
Drupal / Joomla CVE checks

Recon + passive

Subdomain enumeration (CT, brute, passive DNS)
Port + service fingerprinting
JavaScript secret extraction (Cariddi)
Hidden parameter discovery (Arjun-style)
GF pattern matching for sensitive endpoints
Visual recon (gowitness screenshots)
TLS / SSL config (cipher, version, HSTS, OCSP, certificate chain)
Security header audit (CSP, X-Frame, X-Content, Referrer-Policy)

Modules: web/ (27) — bola_scanner, business_logic_tester, dalfox_adapter, http_tester, injection_scanner, multi_role_idor, nikto_adapter, nuclei_zap_adapter, owasp_exploitation_engine, param_discovery_adapter, passive_analyzer, playwright_exploiter, tls_scanner, wapiti_adapter, wpscan_adapter, wstg_test_suite, fuzzing_adapter, gf_adapter, gowitness_adapter, cariddi_adapter, crawley_adapter, http_interceptor, http_intruder, http_proxy_server, intercept_intelligence + dast/ (26) — active_crawler, api_fuzzer, api_scanner, auth_manager, cache_poisoning, cors_scanner, dast_orchestrator, deserialization_attacker, dns_rebinding, file_upload_tester, form_fuzzer, graphql_scanner, grpc_scanner, http2_attacker, jwt_attacker, oauth_tester, oob_adapter, openapi_parser, openapi_tester, prototype_pollution, race_condition_tester, request_smuggling, schemathesis_runner, soap_scanner, websocket_tester

🔌 API / GraphQL / gRPC / SOAP / WebSocket / OpenAPI

OWASP API Security Top 10 2023 + protocol-specific attacks

REST + OpenAPI

OpenAPI/Swagger ingestion + endpoint generation
Schemathesis property-based fuzzing
BOLA enumeration on every {id} path param
BFLA — admin-only methods reachable by user role
Mass Assignment via JSON body extension
Excessive Data Exposure — response field over-fetch
Rate Limit Bypass (header rotation + parallel reqs)
Improper Inventory — orphan v1 / dev / staging endpoints
Unsafe consumption of 3rd-party APIs

GraphQL

Introspection enumeration
Field suggestion attack
Batching attack (concurrent mutations)
Depth-bomb / breadth-bomb (DoS)
Alias-based rate-limit bypass
SQLi / NoSQLi via variable injection
Authorization gaps via __type probe
Subscription endpoint abuse

gRPC

Service reflection enumeration
Proto fuzzing (malformed messages)
Auth bypass via metadata tampering
Streaming abuse (long-lived RPC DoS)

SOAP

WSDL ingestion
SOAP injection
WS-Security misconfig
XXE in SOAP payload
SAML in SOAP envelope abuse

WebSocket

Origin validation bypass
Cross-Site WebSocket Hijacking (CSWSH)
Message injection
Unauthenticated subscriptions

Modules: dast/ openapi_parser, openapi_tester, schemathesis_runner, graphql_scanner, grpc_scanner, soap_scanner, websocket_tester, api_scanner, api_fuzzer, auth_manager + web/ bola_scanner, multi_role_idor

🔗 Network / Active Directory

18 network modules · Internal + external · Windows AD / Linux post-exploitation

Discovery

ARP / ICMP / TCP-SYN / UDP host discovery
Port scan (Naabu) — full TCP, top-1000 UDP
Service version + OS fingerprinting
SNMP enumeration (community brute, MIB walk)
SMB enum (enum4linux + impacket)
NetBIOS / LLMNR / mDNS sniff
DNS recon (zone transfer, axfr, brute)

Active Directory

Kerberoasting (SPN ticket extraction + offline crack)
AS-REP Roasting (DONT_REQ_PREAUTH)
Pass-the-Hash / Pass-the-Ticket
Silver / Golden Ticket detection
BloodHound-style attack-path graph
SMB signing not required
LDAP signing not required
NTLM Relay (Responder + ntlmrelayx)
Coerced Authentication (PetitPotam, PrinterBug, Drupal/sccm)
ZeroLogon (CVE-2020-1472)
PrintNightmare (CVE-2021-1675/34527)
NoPac / sAMAccountName spoofing
ADCS attacks (ESC1–ESC11)
Kerberos delegation abuse (unconstrained / constrained / RBCD)

Network Service CVE

EternalBlue (MS17-010) detection
BlueKeep (CVE-2019-0708)
SMBGhost (CVE-2020-0796)
Heartbleed (CVE-2014-0160)
Shellshock (CVE-2014-6271)
Anonymous FTP, NFS exports, rsync open
RDP NLA bypass
SSH: weak ciphers, default creds, key brute
Telnet / VNC / X11 unauthenticated
MS-SQL / MySQL / PostgreSQL / Oracle / Mongo / Redis / Elasticsearch / Memcached unauth + default cred

Hardening Audit

CIS benchmark hardening checks
Service banner sensitive info leak
Insecure protocols (Telnet, FTP, rlogin, X11)

Modules: network/ ad_pentest, asset_discovery, cis_hardening, enum4linux_adapter, impacket_adapter, metasploit_adapter, naabu_adapter, ncat_adapter, netexec_adapter + scanners/ network_scanner

☁ Cloud (AWS / Azure / GCP)

Prowler · Checkov · Trivy · cloud_exploitation engine

AWS

IAM Privilege Escalation (Pacu-style — 30+ paths)
IAM AssumeRole confused-deputy
S3 Bucket Takeover (orphan CNAME)
S3 Bucket Public Read/Write
S3 Object Versioning + MFA Delete absence
IMDSv1 reachable (SSRF→IMDS)
Lambda over-privileged execution role
Lambda env vars containing secrets
RDS public access
Security Group 0.0.0.0/0 on sensitive ports
CloudTrail disabled / unsigned
KMS key rotation absent
Root account MFA missing
Access keys older than 90 days

Azure

Managed Identity over-permissions
Storage Account anonymous access
Service Principal secret leak
Key Vault permission grants
Azure AD Guest user audit
NSG inbound 0.0.0.0/0 audit

GCP

IAM Bindings public (allUsers / allAuthenticatedUsers)
Service Account key age + rotation
Storage bucket ACLs
Compute Instance public IP audit
Firewall rule audit

Cross-cloud

Cloud network exposure scan (find public-facing assets)
SSRF→cloud metadata test from web layer
Compliance mapping: PCI / SOC 2 / HIPAA / NIST 800-53

Modules: cloud/ checkov_adapter, cloud_exploitation, cloud_network_scanner, cloud_scanner, prowler_adapter, trivy_adapter

📦 Container / Kubernetes

Trivy · Docker daemon · K8s API · Helm chart audit

Image scan

OS package CVEs (Debian / Ubuntu / Alpine / RHEL)
Application library CVEs
Hardcoded secrets in layers
Vulnerable base image detection
Dockerfile linting (root user, ADD vs COPY, etc.)

Container Escape

Privileged container detection
hostPath / hostNetwork / hostPID abuse
Docker socket mount
capabilities=SYS_ADMIN
runc CVE-2019-5736 detection
cgroups release_agent abuse

Kubernetes

RBAC over-permission audit (ClusterRole bindings)
Service account token mounted by default
Pod Security Standards violations
Network Policies missing
API server unauthenticated
etcd unencrypted
Kubelet API exposed
Secrets in plaintext
Helm chart misconfig

Modules: container/ + cloud/trivy_adapter

📱 Mobile (Android / iOS)

12 mobile modules · OWASP MASTG · Static + dynamic + bytecode + zero-day

Android Static

APK manifest audit (exported, debuggable, allowBackup)
AndroidManifest permission analysis
Hardcoded API keys / secrets in DEX
String obfuscation detection
Smali / DEX bytecode analysis
Custom URL scheme handler (deep link audit)
Network Security Config audit (cleartext, pinning)
Insecure crypto primitives (DES, ECB, MD5)

Android Dynamic

Frida instrumentation (SSL pin bypass, root detection bypass)
Drozer module suite
Intent fuzzer (exported activity / service / provider)
Content provider SQLi
WebView JS bridge abuse
WebView setAllowUniversalAccessFromFileURLs
IPC violation detector
MITM via adb / mitmproxy

iOS

IPA static analysis (Mach-O symbols)
Plist permission audit
Keychain access controls
Jailbreak detection bypass test
SSL pinning bypass
URL scheme hijacking
Universal Links validation

Mobile Zero-Day Suite (4 engines)

DEX bytecode anomaly detector
Intent fuzzer with semantic mutation
WebView bridge exploitation analyzer
IPC violation detector (cross-app data leak)

Modules: mobile/ adb_mitmproxy_adapter, android_static_analyzer, dex_bytecode_analyzer, drozer_adapter, frida_adapter, intent_fuzzer, ios_adapter, ipc_violation_detector, mobile_orchestrator, mobsfscan, webview_bridge_analyzer

🔧 Firmware

binwalk extraction · binary diff · symbolic execution

Extraction + audit

Firmware unpacking (binwalk + custom)
Filesystem identification (squashfs, jffs2, ubifs, cramfs)
Embedded credential extraction
SSH host keys hardcoded
SSL certificate hardcoded
Backdoor account detection
Insecure update mechanism (unsigned firmware)
Bootloader misconfig (uboot env exposed)

Binary analysis

Binary diff (firmware version comparison)
Function symbol enumeration
Hardcoded URL / API endpoint extraction
Cryptographic algorithm identification
Symbolic execution (angr) for complex paths

Modules: firmware/ firmware_analyzer, binary_diff_engine + iot/ firmware_analyzer

💡 IoT

OWASP IoT Top 10 2018 · BLE / Zigbee / MQTT / CoAP / JTAG

Discovery

Network discovery (mDNS, SSDP, UPnP, Bonjour)
BLE / Zigbee scanner (bleak + python-zigpy)
MQTT broker enumeration + topic listing
CoAP endpoint discovery

Protocol attacks

MQTT topic injection / unauthorized publish
MQTT password brute
CoAP block-wise transfer abuse
BLE pairing replay
BLE characteristic dump
Zigbee key extraction

Hardware probes

UART pinout discovery
JTAG / SWD probe
Serial console root shell test

Modules: iot/ ble_zigbee_scanner, coap_adapter, firmware_analyzer, iot_discovery, iot_scanner, jtag_adapter, modbus_active_adapter, mqtt_fuzzer + scanners/ uart_adapter

🏭 OT / SCADA / ICS

Modbus · DNP3 · BACnet · OPC UA · S7Comm · EtherNet/IP · plcscan

Protocol attacks

Modbus function code abuse (write coil/register without auth)
Modbus replay
DNP3 application layer spoofing
BACnet broadcast abuse
OPC UA authentication bypass
EtherNet/IP enumeration + identity object query
S7Comm PLC stop / start command

PLC / HMI

plcscan — PLC fingerprinting
HMI authentication bypass
PLC logic injection (via uploaded ladder program)
HMI default credentials catalogue

Modules: ot/ modbus_adapter, ot_orchestrator, ot_protocol_scanner, plcscan_adapter

🚗 Automotive

CAN bus · ISO-TP · UDS · TPMS · OBD-II · OTA Telematics

In-vehicle

CAN bus injection (raw frames)
CAN replay attack
ISO-TP fragment abuse
UDS DiagnosticSessionControl abuse (security access bypass)
UDS RoutineControl unauthorized
OBD-II diagnostic command abuse

Wireless

Keyless entry replay
Rolling code reuse
TPMS spoofing
Cellular V2X replay

Telematics + OTA

OTA firmware integrity check
Cellular modem abuse
Backend API abuse (mobile companion app)
Compliance: ISO/SAE 21434, UNECE WP.29

Modules: automotive/ automotive_scanner, compliance_checker, ota_telematics

🏥 Medical Devices

DICOM · HL7 · FHIR · IEC 62443 · FDA pre-market

Protocol

DICOM C-STORE / C-FIND unauthenticated
DICOM AE Title brute
HL7 message injection
FHIR endpoint enumeration
FHIR auth bypass

Compliance

HIPAA Security Rule mapping
FDA pre-market cybersecurity guidance
IEC 62443 industrial security

Modules: medical/ dicom_scanner, fhir_scanner

🔍 SAST (Static Application Security Testing)

24 SAST modules · 11+ languages · 144 rules · 7 zero-day engines · symbolic execution · AI semantic SAST

Languages

Python · Java · JavaScript / TypeScript · C / C++ · C# / .NET · Go · Rust · Ruby · PHP · Kotlin · Swift · COBOL

Engine families

Pure-Python rule engine (144 rules across CWE Top 25)
Semgrep adapter (community + custom rule packs)
CodeQL adapter (where available)
Bandit (Python-specific)
AI Semantic SAST — Claude reads code + finds logic bugs scanners miss
Tree-sitter language-agnostic AST parsing

Zero-Day SAST suite (7 engines)

Interprocedural taint analysis (cross-function data flow)
Race condition detector
Crypto oracle detector (padding, timing, ECB)
Auth chain analyzer
Deserialization gadget finder
Supply chain analyzer
AI adversarial zero-day engine (5-pass adversarial review)

Symbolic execution

angr-based symbolic exec for complex paths
z3-solver constraint solving
Coverage-guided fuzzing integration

.NET / Java / Pyc deep

.NET PE parser + IL decompilation
Java class parser + decompilation
Python .pyc disassembly + reconstruction

Modules: sast/ _pure_sast_rules, ai_semantic_sast, auth_chain_analyzer, cobol_scanner, codeql_adapter, crypto_oracle_detector, data_trace_analyzer, deserialization_gadget_finder, interprocedural_taint, race_condition_detector, sast_orchestrator, semgrep_adapter, supply_chain_analyzer, tree_sitter_parser, zero_day_ai_engine, ...24 total

📦 SCA / Reachability

Syft · Grype · behavioral analyzer · install monitor · typosquat detector

Vulnerability scan

Dependency CVE matching (npm, pip, maven, gem, cargo, go, composer, nuget)
EPSS-weighted prioritization
CISA KEV cross-reference
Reachability analysis (is the vulnerable function actually called?)

Supply chain

Typosquat detection (Levenshtein + popularity)
Behavioral analysis (npm/pip lifecycle script abuse)
Install-time monitor (network calls during npm install)
Dependency confusion attack detection
Protestware detection

Modules: sca/ behavioral_analyzer, grype_adapter, install_monitor, syft_adapter, typosquat_detector + scanners/ sca_reachability

🧾 SBOM (CycloneDX + SPDX)

Generation + audit

CycloneDX 1.5 generation
SPDX 2.3 generation
License compliance audit
SBOM integrity signature
Supplier verification

🔑 Secrets Detection + Validation

Discovery

TruffleHog adapter
Gitleaks adapter
Custom regex (300+ patterns)
Entropy analysis
Git history scan (full commit log)
Container layer scan

Live validation

AWS / Azure / GCP key liveness
GitHub / GitLab token liveness
Slack webhook validation
Stripe / Twilio / SendGrid key test
JWT signature verification

📡 Wireless

Wi-Fi

WPA2 4-way handshake capture + brute
WPA3 SAE downgrade test
Evil Twin / Karma
Rogue AP detection
WPS PIN attack

Other

Bluetooth Classic + BLE recon
Zigbee key extraction
Z-Wave packet capture
SDR-based protocol fuzzing

⚙ Reverse Engineering

Binary formats

PE (Windows)
ELF (Linux)
Mach-O (macOS)
.NET assemblies (PE + IL)
Java JAR / class files
Android DEX / OAT
Python .pyc bytecode
Go binaries (symbol recovery)

Techniques

Function symbol recovery
String + URL extraction
Cryptographic algorithm identification (FLIRT-like)
Anti-debug / anti-VM detection
Packer detection (UPX, ASPack, Themida)
Dynamic instrumentation (Frida)
Symbolic execution (angr / claripy)
AI-assisted deobfuscation

🧬 Bytecode (Java / .NET / Pyc / DEX)

Analysis

Bytecode orchestrator (multi-language)
Java class parser + Krakatau decompilation
.NET IL decompiler
Python .pyc → reconstructed source
DEX → Smali → Java reconstruction
Constant pool extraction

🤖 AI / LLM Security

OWASP LLM Top 10 2025 · garak · prompt injection · agent hijack · RAG poisoning

Prompt + jailbreak

Direct prompt injection
Indirect prompt injection (via RAG, web fetch, email)
Jailbreak (DAN, AIM, role-play exploits)
System prompt leakage
Role confusion

Model attacks

Model inversion (training data extraction)
Membership inference
Adversarial prompt generation
Embedding collision
Tool/function-call abuse
Excessive agency abuse

RAG / data

RAG poisoning (vector store contamination)
Document upload attack
Source citation tampering
Embedding side-channel

Agent / tool use

Agent hijack (function-call manipulation)
Persistent system prompt injection
Memory poisoning
Multi-step plan corruption

Modules: ai_llm/ agent_hijack_adapter, garak_adapter, llm_fuzzer_adapter, llm_scanner, prompt_injection_adapter, rag_probe_adapter

🕵 OSINT

Surface enum

Subdomain enum (CT logs, brute, passive)
WHOIS + reverse-WHOIS
DNS history
Email harvesting (Hunter.io-style)
Employee enumeration (LinkedIn-style heuristics, never API-scraped)
Code repo discovery (GitHub / GitLab)
Public S3 bucket discovery
Pastebin / leaked credential search
Shodan-like service fingerprint

🎣 Phishing / Social Engineering

Authorized engagements only

Phishing landing-page templates (10+ industries)
Lookalike domain registration check
SPF / DKIM / DMARC audit
Open SMTP relay test
Vishing scenario scripting

🔐 Password Attacks

Online + offline

Hydra-style online brute (SSH, FTP, RDP, HTTP forms, etc.)
Hashcat / John offline crack (NTLM, NTLMv2, MD5, SHA, bcrypt, scrypt, Argon2, Kerberos5)
Custom wordlist generation (CeWL-style)
Rule-based mutations
Have-I-Been-Pwned integration

📐 IaC (Terraform / CloudFormation / K8s YAML / Helm)

Misconfig detection

Checkov + KICS rule engines
Terraform: open security groups, public S3, missing encryption
CloudFormation: same patterns
K8s manifest: privileged pods, missing PSP, no NetworkPolicy
Helm chart: values.yaml audit
Dockerfile linting

🎭 Red Team / C2 / Campaign Engine

Long-running engagements

Multi-phase campaign engine
Persistence implant detection (red team self-test)
C2 beacon traffic generation (test detection)
Living-Off-The-Land Binaries (LOLBAS) scenario suite
GTFOBins privesc scenario suite
WADComs Active Directory attack chains
Threat intel feeds: 15+ vendor feeds, CISA KEV, MITRE ATT&CK

🕳 Zero-Day Detection Suite (11 engines)

Find what no CVE has yet

SAST zero-day (7)

Interprocedural taint analysis
Race condition detector
Crypto oracle detector
Auth chain analyzer
Deserialization gadget finder
Supply chain analyzer
Adversarial AI zero-day engine

Mobile zero-day (4)

DEX bytecode anomaly analyzer
Intent fuzzer with semantic mutation
WebView bridge exploitation analyzer
IPC violation detector

💥 Exploit Authoring

AI-driven exploit + payload generation

Engines

Adaptive Payload Engine — context-aware payload generation per target's tech stack
Bypass Escalator — WAF bypass / filter evasion
Bypass Path Predictor — picks the bypass technique most likely to work
Multi-Point Attack Loop — orchestrates parallel payload variants
Attack Chain Correlator — chains SAST sinks → DAST endpoints → fuzzer crashes
Real Pentest Engine — full agentic orchestration
Claude Agentic Orchestrator — Claude drives the engagement end-to-end

Output

Working PoC (curl / Python / nc / one-liner)
Reproducible steps in report
WAF-aware payload variants
Stack-tailored payloads (e.g. PHP-specific SSRF when target is PHP)

📜 Evidence + Compliance

SHA-256 sealed · RFC 3161 timestamped · 16 frameworks mapped

Evidence chain

Auto-capture of request, response, PoC, raw tool output per finding
SHA-256 hash on every artifact
RFC 3161 timestamp via DigiCert TSA (soft fallback)
Blockchain-style chain log
Per-finding seal verification
Chain-of-custody export

Compliance frameworks

PCI DSS 4.0.1
ISO 27001:2022 · ISO 27002:2022
NIST 800-53 r5.1.1 · 800-171 r3 · NIST CSF 2.0
SOC 2 Type II
HIPAA Security Rule
GDPR · CCPA / CPRA
NIS2 (EU) · DORA (EU) · CRA (EU effective 2027-12-11)
HITRUST CSF v11.5
CIS Controls v8.1
SOX

Missing something?

If you find a vulnerability class or attack technique you expected to see and don't, file an issue at phantomyerra.com/contact — we ship coverage updates as soon as a real ask lands.