🧭

Mission Control Wizard

The pre-scan interview that customises every assessment to your exact target, engagement type, and attack surface - so PhantomYerra tests what matters, not everything blindly.

Why the Wizard matters: The quality of a penetration test depends entirely on what you tell PhantomYerra about your target. A well-configured wizard produces targeted, high-signal findings. A skipped or rushed wizard produces noisy, generic output. Spend 3–5 minutes here: it shapes the entire engagement.

Step-by-Step Guide

  1. 1

    Environment Type

    Select the environment you are testing. This controls tool intensity and safety governors.

    Production → Real users, live data. Rate limiting is enforced. Destructive tests disabled by default. Staging → Mirror of production. Recommended for most assessments, full coverage, no live data risk. Development → Dev/test environment. Full intensity allowed. May have weaker auth - note this in scope. Lab / CTF → Isolated lab or capture-the-flag target. All techniques enabled, no rate limiting.
    Production warning: PhantomYerra enforces rate limiting and disables denial-of-service techniques when "Production" is selected. You will be prompted to confirm written authorization before launching.
  2. 2

    Engagement Type

    Select the type of assessment. This determines which attack categories and tools are activated.

    Black Box → No prior knowledge. Simulates an external attacker. All discovery phases active. Grey Box → Partial knowledge (architecture docs, credentials for one role). Most phases active. White Box → Full access: source code, architecture, admin creds. SAST + full auth testing. Red Team → Adversary simulation. Multi-vector: phishing, physical, network, application. No holds barred. Compliance Audit → CIS / NIST / PCI-DSS / ISO 27001 gap analysis. Non-destructive checks only.
  3. 3

    Target Scope

    Define exactly what is in scope. PhantomYerra enforces scope boundaries: no tool touches anything outside what you define here.

    # Single URL https://app.target.com # Multiple URLs (one per line) https://app.target.com https://api.target.com https://admin.target.com # IP address 192.168.1.42 # CIDR range 10.0.0.0/24 # Wildcard subdomain (all subdomains of target.com) *.target.com # Mixed scope: URLs, IPs, CIDRs all accepted https://app.target.com 10.10.0.0/16 api.target.com

    Exclusions: Use the "Exclude from scope" field to list paths, IPs, or subdomains that must not be tested (e.g. https://app.target.com/payments or 10.0.0.254).

  4. 4

    Credentials (Auth Vault)

    Add credentials for each user role that exists in the application. PhantomYerra tests each role separately and checks for privilege escalation between them.

    Role Name → "Admin", "Standard User", "Read-Only", "API Service Account" Auth Type → Bearer Token | API Key (custom header) | Session Cookie | HTTP Basic | TOTP | SAML Cookie Token / Value → paste the credential value (encrypted at rest with AES-256-GCM) Header Name → (API Key only) e.g. X-Api-Key or Authorization # Examples: Admin role → Auth Type: Bearer Token → Token: eyJhbGci... Standard User → Auth Type: Session Cookie → Cookie name: session → Value: abc123... API Service → Auth Type: API Key → Header: X-API-Key → Value: sk-live-...
    Pro tip: Add at least two credential roles (Admin + Standard User) to enable privilege escalation testing - one of the most common high-severity finding classes.
  5. 5

    Surface Selection

    Select which attack surfaces to include. You can select one or many. Each surface adds its own specialized toolchain and attack categories to the scan plan.

    Web Application → DAST, injection, auth, business logic, OWASP Top 10 API / GraphQL → REST, GraphQL, gRPC, WebSocket, OWASP API Top 10 Mobile → Android APK / iOS IPA static + dynamic analysis Network / Infra → Port scan, AD, cloud, CIS benchmark Cloud Security → AWS, Azure, GCP, multi-cloud misconfiguration Container → Docker, Kubernetes, registry, IaC DevOps / CI-CD → Pipelines, secrets, supply chain, SBOM/SCA SAST → Source code analysis (20+ languages) DAST → Black-box dynamic testing with ZAP DAST engine SBOM / SCA → Dependency inventory, CVE matching, license audit Enterprise AD → Full Active Directory attack simulation IoT / Embedded → Firmware, protocol, hardware attack surface Automotive / ICS → CAN bus, OBD-II, industrial protocols (Modbus, DNP3) AI / LLM → Prompt injection, model extraction, training data attacks Red Team → Full multi-vector adversary simulation Reverse Engineering → Binary, firmware, protocol reverse engineering Robotics → ROS, robot OS, sensor spoofing, control system attacks Blockchain → Smart contract, on-chain logic, wallet security Physical → Badge cloning, lock bypass, dumpster dive, tailgate
  6. 6

    Surface Configuration (varies by surface)

    After selecting surfaces, each surface shows its own configuration panel. Common settings:

    # Web Application Login URL → https://app.target.com/login Logout URL → https://app.target.com/logout (prevents scanner from logging out mid-scan) Tech Stack → React + Node.js + PostgreSQL (improves AI payload targeting) Auth Flow → Form POST / OAuth2 / SAML / JWT # API / GraphQL Base URL → https://api.target.com/v2 OpenAPI Spec URL → https://api.target.com/openapi.json (auto-discovers all endpoints) GraphQL Endpoint → https://api.target.com/graphql Auth Header → Authorization: Bearer {token} # Network / Infrastructure Target Range → 192.168.1.0/24 Active Directory → Yes → DC IP: 10.0.0.10, Domain: corp.local Cloud Provider → AWS → IAM credentials (read-only) Port Scan Scope → Top 1000 / Full 65535
  7. 7

    Advanced Surface Settings

    Optional deep-configuration for specific surfaces. Skip for most engagements - defaults are production-tuned.

    Custom Headers → X-Internal-Debug: true (add to all requests to unlock debug surfaces) Proxy Chain → Route all traffic through Burp Suite at 127.0.0.1:8080 Rate Limit Override → Max 50 req/s (lower for fragile production targets) Wordlists → Custom directory bruteforce wordlist path Custom Cookies → Any additional cookies to include in every request
  8. 8

    Pentest Mode

    Choose how much autonomy PhantomYerra has during the scan.

    Automated AI → Claude drives the full engagement: discovers, exploits, chains, reports. No interruptions. Best for: time-boxed engagements, large scope. Requires: AI key configured. Semi-Automated → Claude proposes each action and waits for your [Approve] or [Skip]. You direct the investigation. Claude executes. Best for: learning, sensitive targets, precise scope control. Manual → PhantomYerra runs individual tools on demand. You run everything. Best for: experts who know exactly what to test. AI provides payload suggestions and finding analysis only.
  9. 9

    AI Interview (Business Logic)

    Claude asks targeted questions about your application's business logic to discover vulnerabilities a generic scanner would miss. This step takes 2–3 minutes but dramatically improves finding quality for complex applications.

    # Claude asks questions like: "What is the most valuable action a user can take in this application?" → "Purchase a subscription upgrade" "Are there any multi-step workflows where the order of steps matters?" → "Free trial → payment → activation - skipping payment crashes the flow" "What user roles exist and what can each role NOT do?" → "Free users cannot export data. Paid users can. Admins can delete accounts." "Are there any rate-limited or quota-governed features?" → "API calls are limited to 1000/day per account" # Claude uses your answers to generate surface-specific business logic # attack payloads that generic scanners never attempt.
  10. 10

    Intensity Profile

    Control the aggressiveness of the scan. This affects request rate, noise level, and whether destructive exploitation is attempted.

    Stealth → 5 req/s max. Mimics normal user traffic. Minimal logging footprint. Use for: production targets, red team (stay undetected). Standard → 50 req/s. Default. Balances coverage with safety. Use for: staging, most grey-box and white-box assessments. Aggressive → 200 req/s. Full tool intensity. May trigger WAF / rate-limit responses. Use for: dev/lab environments, when WAF bypass is in scope. Full → No rate limit. All exploits enabled. Active exploitation attempted. Use for: CTF, isolated lab, explicit full-exploitation authorization.
  11. 11

    Attack Categories

    Enable or disable specific attack categories. All applicable categories are enabled by default based on your surface selection. Toggle off any that are out of scope for this engagement.

    Injection → SQLi, XSS, XXE, SSTI, command injection, LDAP injection Authentication → Brute force, token prediction, session fixation, OAuth flows Authorization → IDOR, privilege escalation, horizontal access, API object-level auth Business Logic → Race conditions, workflow bypass, pricing manipulation, quota abuse Cryptography → Weak ciphers, TLS misconfiguration, certificate issues Supply Chain → Dependency CVEs, malicious packages, pipeline injection Infrastructure → Port exposure, service misconfiguration, default credentials Data Exposure → Sensitive data in responses, error messages, debug endpoints
  12. 12

    Review and Launch

    The final wizard step shows a complete test plan summary before anything runs.

    Test Plan Summary: Target : https://app.target.com, https://api.target.com Engagement : Grey Box | Staging | Standard intensity Surfaces : Web Application, API / GraphQL Mode : Automated AI (AI engine drives) Credentials : Admin (Bearer), Standard User (Cookie) Attack cats : Injection, Auth, AuthZ, Business Logic, Data Exposure Est. duration : 45–90 minutes AI mode : Automated AI (configured) [Edit Scope] [Edit Credentials] [Launch Scan →]

    Review the summary, make any edits, then click Launch Scan. The Scan Dashboard opens and the assessment begins immediately.

Pro Tips

Privilege escalation (a Standard User accessing Admin functions) is one of the most commonly found high-severity issues. Without two credential roles, PhantomYerra cannot test for this class of vulnerability. Add "Admin" and "Standard User" at minimum. If the app has more roles (e.g. Manager, Read-Only, Guest), add them all - cross-role IDOR tests become dramatically more effective.

If your API has an OpenAPI 3.x or Swagger 2.0 spec available (even internally), enter its URL in the API surface configuration. PhantomYerra will auto-discover every documented endpoint and parameter, including ones that don't appear in the UI. Without a spec, PhantomYerra crawls and discovers endpoints dynamically, but may miss internal-only or undocumented routes.

Even if you're authorized to test production, selecting "Staging" as the environment type in the wizard removes all safety governors and allows full-intensity testing. If you then aim that at a production URL, you may disrupt live users. Always select "Production" when targeting a live system: it keeps rate limits and safety governors active while still running a full assessment.

The AI interview step (Step 9) takes 2–3 minutes but can be the difference between a generic scan and a highly targeted engagement. Business logic vulnerabilities - race conditions, workflow bypasses, pricing manipulation - are impossible for a generic scanner to discover without understanding your application's specific rules. Claude uses your answers to generate payloads specific to your application that no off-the-shelf scanner has.

After completing the wizard, click Save as Template on the Review screen. Templates let you re-run the same engagement configuration later (e.g. for regression testing after remediation) without re-entering all settings. Templates are stored per-project and can be shared with team members.

Surface Quick Reference

Surface What It Tests Best For
Web Application OWASP Top 10, auth, session, business logic, DAST crawl Any web app with a browser UI
API / GraphQL OWASP API Top 10, REST, GraphQL, gRPC, WebSocket APIs, microservices, mobile backends
Mobile Android APK + iOS IPA: static, dynamic, network, auth Mobile apps (Android / iOS)
Network / Infra Port scan, service exploit, AD attacks, CIS benchmark Corporate networks, server infrastructure
Cloud Security AWS, Azure, GCP: IAM, storage, network, compliance Cloud-hosted infrastructure
Container Docker, Kubernetes, registry, pod security, network policy Containerized workloads
DevOps / CI-CD Pipeline injection, secrets, supply chain, SBOM/SCA GitHub Actions, Jenkins, GitLab CI, ArgoCD
SAST Source code analysis - 20+ languages, 500+ rules White-box engagements with code access
DAST Black-box ZAP DAST engine, active scanning, spidering Running web apps, no source required
SBOM / SCA Dependency inventory, CVE matching, license violations Software supply chain audits
Enterprise AD BloodHound paths, Kerberoasting, DCSync, Golden Ticket Active Directory environments
IoT / Embedded Firmware extraction, protocol analysis, hardware attack surface IoT devices, embedded systems
Automotive / ICS CAN bus, OBD-II, Modbus, DNP3, industrial protocols Vehicles, OT/ICS environments
AI / LLM Prompt injection, jailbreaking, model extraction, data poisoning AI-powered applications and APIs
Red Team Multi-vector: phishing, C2, lateral movement, full kill chain Full adversary simulation engagements
Reverse Engineering Binary analysis, protocol RE, firmware decompilation Closed-source software, firmware, protocols
Robotics ROS, sensor spoofing, control system attacks, navigation manipulation Robotic systems, autonomous vehicles
Blockchain Smart contract audit, on-chain logic flaws, wallet security DApps, DeFi protocols, NFT platforms
Physical Badge cloning, lock bypass, dumpster diving, tailgating guidance Physical security assessment components

Related Topics

🏠 Home Screen ⚡ Automated AI Mode 🔐 Auth Vault 📊 Reports
© Ravi Yerra. All Rights Reserved.