AI Pivot Logic
How PhantomYerra's AI decides when to go deeper, pivot laterally, chain findings, escalate impact, or mark a surface as exhausted — in real time, without human intervention.
What Is a Pivot?
In manual penetration testing, a "pivot" is the moment when a tester discovers something and decides to change direction: go deeper into a confirmed vulnerability, shift to test related endpoints, or combine findings into a multi-step attack. This is what separates a skilled penetration tester from a scanner — the ability to react to what is found and make strategic decisions about what to test next.
PhantomYerra's AI performs this same decision-making process automatically. Every time a new finding is confirmed, a filter is detected, or a partial signal is observed, the AI pivot engine evaluates the cumulative state of the engagement and decides the optimal next action.
Pivot Decision Tree
Five Pivot Types
Go Deeper on the Same Surface
When a vulnerability is confirmed on a surface, the AI immediately tests for deeper exploitation on that same surface. A confirmed SQL injection triggers tests for data exfiltration, privilege escalation within the database, operating system command execution through the database, and file system access.
Scenario
SQL injection confirmed on /api/search?q= parameter. The AI depth-pivots to test: Can we read arbitrary tables? Can we access the information_schema? Can we execute OS commands via database functions? Can we read or write files on the server?
Test Similar Surfaces
A finding on one endpoint triggers testing of structurally similar endpoints. If IDOR is found on /api/users/123, the AI laterally pivots to test IDOR on every other /api/* endpoint that accepts numeric identifiers. The logic: if one endpoint has broken access control, similar endpoints likely do too.
Scenario
IDOR confirmed on /api/users/123 — changing the ID to another user's returns their data without authorization. The AI identifies 14 other endpoints following the /api/{resource}/{id} pattern and tests each for the same flaw.
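The grouping step behind this pivot is also how a defender builds the list of routes whose authorization checks need the same review once one of them is found broken. The sketch below is an added example, not PhantomYerra's code; the route inventory is constructed, and the rule that "similar" means a numeric path segment under the same top-level prefix is an assumption.

```python
import re
from collections import defaultdict

_NUMERIC = re.compile(r"\d+")

# Constructed route inventory; only /api/users/123 comes from the page.
ROUTES = [
    "/api/users/123",
    "/api/orders/9812",
    "/api/orders/15?expand=items",
    "/api/invoices/77/lines/3",
    "/api/users/me",
    "/api/health",
    "/static/app.js",
]

def route_template(path):
    """Drop the query string and replace all-numeric path segments with {id}."""
    segments = path.split("?", 1)[0].split("/")
    return "/".join("{id}" if _NUMERIC.fullmatch(s) else s for s in segments)

def review_candidates(routes, confirmed):
    """Group routes that take a numeric id under the confirmed route's prefix.

    Returns {template: sorted observed paths}, excluding the confirmed
    route's own template, which has already been examined.
    """
    confirmed_tpl = route_template(confirmed)
    prefix = confirmed_tpl.split("/")[1]          # e.g. "api"
    groups = defaultdict(list)
    for route in routes:
        tpl = route_template(route)
        parts = tpl.split("/")
        if tpl == confirmed_tpl or "{id}" not in parts:
            continue                              # already known, or no id segment
        if len(parts) > 1 and parts[1] == prefix:
            groups[tpl].append(route)
    return {tpl: sorted(paths) for tpl, paths in groups.items()}

if __name__ == "__main__":
    for tpl, paths in review_candidates(ROUTES, "/api/users/123").items():
        print(tpl, paths)
```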
Combine Findings for Greater Impact
Two or more findings that individually have moderate impact may combine into a critical attack path. The AI continuously evaluates whether new findings can chain with existing confirmed vulnerabilities. An SSRF finding combined with discovery of an internal admin API creates a chain hypothesis: "Can we use the SSRF to access the internal admin API?"
Scenario
Finding A: SSRF on /api/fetch?url= (Medium). Finding B: Internal service discovered at http://10.0.0.5:8080/admin (Informational). Chain hypothesis: SSRF + Internal Admin = unauthenticated admin access via server-side request.
Test for Higher Impact
Low-severity findings are not dismissed. They are tested for escalation to higher-impact outcomes. An information disclosure that reveals an admin panel URL triggers authentication bypass testing on that admin panel. A path traversal that reads configuration files is tested for reading credential files or SSH keys.
Scenario
Information disclosure reveals /admin/dashboard exists and returns a login page. The AI escalates: test default credentials, test authentication bypass techniques, test session management flaws on the admin login.
React to New Technology Discovery
When previously unknown technology is detected during testing, the AI pivots to add technology-specific test cases. Discovering a GraphQL endpoint triggers introspection queries, batch attack tests, and GraphQL-specific injection tests. Discovering a WebSocket endpoint triggers message injection and authorization tests.
Scenario
During surface mapping, /graphql is discovered. The AI immediately adds to the attack plan: introspection query (is schema exposed?), batch query attacks (denial of service), nested query depth attacks, and field-level authorization testing.
Decision Weighting Factors
When multiple pivot options exist simultaneously, the AI weighs these factors to determine priority:
| Factor | Weight | Description |
|---|---|---|
| Finding Severity | High | Critical findings trigger immediate deep-dive. High findings are prioritized over medium. |
| Chain Potential | High | Findings that could chain with existing confirmed vulnerabilities get top priority. |
| Surface Coverage | Medium | Untested surfaces are balanced against known-vulnerable surfaces for breadth. |
| Bypass Success Rate | Medium | Surfaces showing partial bypass success (WAF partially evaded) get additional attention. |
| Time Remaining | Low | With less time remaining, the AI favors depth on confirmed findings over breadth on untested surfaces. |
| Scope Boundaries | Absolute | Scope constraints are never violated regardless of findings. This factor overrides all others. |
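One way to read the table is as a weighted score with scope applied as a hard gate before any scoring happens. The following is an added example, not PhantomYerra's implementation; the numeric weights, the `Candidate` fields, the allowlist and the sample candidates are all assumptions made for illustration.

```python
from dataclasses import dataclass
from urllib.parse import urlsplit

# Assumed numbers for the table's High / Medium / Low labels (the page gives none).
WEIGHTS = {"severity": 3, "chain": 3, "coverage": 2, "bypass": 2, "time": 1}
SEVERITY = {"info": 0.0, "low": 0.25, "medium": 0.5, "high": 0.75, "critical": 1.0}

@dataclass
class Candidate:
    name: str
    url: str
    severity: str           # severity of the finding behind this action
    chain_potential: float  # 0..1
    untested: bool          # surface not yet covered
    partial_bypass: float   # 0..1, how far filter checks were partially passed
    confirmed: bool         # action deepens an already confirmed finding

def in_scope(url, allowed_hosts):
    """Absolute factor: exact host match against the engagement allowlist."""
    host = urlsplit(url).hostname
    return host is not None and host in allowed_hosts

def score(c, time_left):
    """Weighted sum; time_left is the fraction of the test window remaining."""
    s = WEIGHTS["severity"] * SEVERITY[c.severity]
    s += WEIGHTS["chain"] * c.chain_potential
    s += WEIGHTS["coverage"] * c.untested
    s += WEIGHTS["bypass"] * c.partial_bypass
    # Less time left shifts priority toward confirmed findings.
    s += WEIGHTS["time"] * (1.0 - time_left) * c.confirmed
    return s

def prioritize(candidates, allowed_hosts, time_left):
    """Return (ranked in-scope names, rejected names). Scope is checked first."""
    allowed = [c for c in candidates if in_scope(c.url, allowed_hosts)]
    rejected = [c.name for c in candidates if not in_scope(c.url, allowed_hosts)]
    allowed.sort(key=lambda c: score(c, time_left), reverse=True)
    return [c.name for c in allowed], rejected

# Constructed candidates; the scope allowlist and all values are illustrative.
SCOPE = {"app.example.test"}
CANDIDATES = [
    Candidate("chain", "http://10.0.0.5:8080/admin", "critical", 1.0, True, 0.0, False),
    Candidate("depth", "https://app.example.test/api/search", "medium", 0.5, False, 0.5, True),
    Candidate("breadth", "https://app.example.test/upload", "low", 0.25, True, 0.5, False),
]

if __name__ == "__main__":
    print(prioritize(CANDIDATES, SCOPE, time_left=1.0))
    print(prioritize(CANDIDATES, SCOPE, time_left=0.25))
```

The highest-scoring candidate is rejected in both runs because its host is not on the allowlist, and the order of the remaining two flips as the time budget shrinks.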
The "Never Give Up" Guarantee
The AI pivot engine ensures that no viable attack path is abandoned prematurely. The engine will:
- Escalate through all 8 bypass levels before marking any parameter as filter-exhausted
- Test every chain hypothesis generated by combining confirmed findings
- Attempt escalation on every low and medium finding before moving on
- Rebalance priorities whenever new intelligence changes the risk landscape
- Document every attempt in the report, even those that did not confirm a vulnerability