Scan Checkpointing & Resume

PhantomYerra automatically saves your scan state after every phase. If a scan is interrupted, by a crash, timeout, network issue, or manual stop - you can resume from the exact point it stopped. No work is ever lost.

Why Scans Get Interrupted

Long-running security scans are routinely interrupted by factors outside your control. PhantomYerra is designed from the ground up to handle all of them without data loss:

Interruption Type	How PhantomYerra Handles It
Machine sleep / hibernate	Checkpoint saved before each phase. Resume picks up at the last completed phase.
Application crash	Crash recovery saves an emergency checkpoint. Findings collected so far are preserved.
Network timeout	Per-phase timeout detection. Timed-out phase is marked as INCOMPLETE and can be retried selectively.
Target goes offline	Scan paused automatically. Resume when target is available: no need to restart.
Manual stop (user)	Explicit checkpoint created on stop. All findings and phase progress saved.
Rate limiting / WAF block	Phase paused with backoff. Checkpoint includes rate-limit state - resume respects the delay.

How Checkpointing Works

PhantomYerra divides every scan into discrete phases. At the end of each phase, and at configurable intervals within long-running phases: the complete scan state is written to disk as a checkpoint file.

    Scan Phase Structure
     Phase 1 - Pre-Recon (target validation, scope verification)
 Phase 2 - Port & Service Discovery
 Phase 3 - Web Crawler & Endpoint Mapping
 Phase 4 - Technology Fingerprinting
 Phase 5 - Authentication Testing
 Phase 6 - Injection Testing (ACTIVE: checkpointed every 50 requests)
 Phase 7 - Business Logic Testing
 Phase 8: IDOR & Access Control
 Phase 9: AI Analysis & Attack Chain
 Phase 10 - Report Generation

  

What Is Saved in a Checkpoint

{
  "scan_id": "sc_9f3a1b2c",
  "workspace": "ClientCorp Q2 Assessment",
  "target": "[TARGET_URL_1]",        // stored as reference: not transmitted
  "checkpoint_ts": "2026-04-06T14:32:11Z",
  "completed_phases": [1, 2, 3, 4, 5],
  "active_phase": 6,
  "active_phase_progress": {
    "endpoints_tested": 847,
    "endpoints_total": 1203,
    "last_endpoint": "/api/users/search",
    "payloads_sent": 12450
  },
  "findings_count": 14,
  "findings_ids": ["f_001", "f_002", ...],  // full findings in findings.db
  "crawler_state": { "visited": 847, "queue": [...] },
  "auth_tokens": { "USER_A": "...", "ADMIN": "..." },  // re-used on resume
  "phase_results": {
    "1": { "status": "complete", "duration_s": 4 },
    "2": { "status": "complete", "ports_found": 8 },
    ...
  }
}

How to Resume a Scan

Open the Scans List

Navigate to Scans in the sidebar. Interrupted scans are shown with an amber PAUSED or red INTERRUPTED badge. The phase progress bar shows exactly where the scan stopped.

Scans List - Interrupted Scan Scan row showing: scan name "ClientCorp Q2", target masked, status badge "INTERRUPTED" in amber, phase progress bar at 58% (Phase 6 of 10), findings count "14 found so far", last checkpoint timestamp "2026-04-06 14:32". "Resume" button on the right.

Click Resume

Click the Resume button on the interrupted scan row. PhantomYerra loads the checkpoint, restores all session tokens, and picks up from the exact endpoint and payload position within the interrupted phase.

Select Resume Options (Optional)

A resume options dialog lets you: skip the interrupted phase and start fresh from it, retry only failed sub-tasks, or continue exactly from the checkpoint. The default (continue from checkpoint) is correct for most cases.

Scan Continues

The scan dashboard opens and the scan continues from where it stopped. Findings from before the interruption are still present and visible alongside new findings as they are discovered.

Named Workspaces

Named workspaces let you organise multiple scans, checkpoints, and findings under a single engagement. Every scan belongs to a workspace. Workspaces persist indefinitely and can be resumed, exported, or archived.

Creating a Workspace

New Scan → Create Workspace

In the Scan Wizard, the first field is the workspace name. Type a descriptive name - e.g. "ClientCorp Q2 2026 Assessment". If a workspace with that name exists, the new scan is added to it automatically.

All Scans in the Workspace Share Context

Findings from all scans in a workspace are aggregated in the workspace report. Attack chains can span multiple scans within the same workspace. Each scan has its own checkpoint but all findings flow to the same database.

Managing Workspaces

Navigate to Projects in the sidebar to see all workspaces. Each workspace shows: total scans, total findings, last activity, and export options. You can rename, archive, or delete workspaces from this view.

Exporting and Backing Up Checkpoints

Export a Checkpoint

Right-click any scan in the Scans list and select Export Checkpoint. This creates a .phantomcp file containing the complete scan state, all findings, and all evidence. You can transfer this file to another machine and import it to continue the scan there.

Checkpoint File Location

# Windows
%APPDATA%\PhantomYerra\data\checkpoints\{scan_id}\

# Files in a checkpoint directory:
checkpoint.json       # Phase progress, scan config, auth tokens
findings.db           # SQLite: all findings with evidence
evidence\             # Screenshots, HTTP captures, extracted data
crawler_state.json    # Crawler queue, visited URLs
phase_{n}_results.json # Detailed results per completed phase

Checkpoint integrity: Every checkpoint file is SHA-256 hashed on creation. PhantomYerra verifies the hash on resume, if a checkpoint is corrupted, it falls back to the most recent valid checkpoint automatically.