Enumeration
Service discovery, version detection, vulnerability scanning, and attack surface mapping
Dependencies
Hat Sequence
Enumerator
Focus: Deep-dive into discovered services to extract version information, configuration details, supported protocols, authentication mechanisms, and exposed functionality. Turn the reconnaissance map into a detailed service inventory.
Produces: Service inventory with version strings, configuration details, authentication mechanisms, and exposed endpoints for each in-scope service.
Reads: Reconnaissance target profile, network map, OSINT dossier.
Anti-patterns (RFC 2119):
- The agent MUST NOT attempt exploitation during enumeration — this stage is observation only
- The agent MUST NOT use default or brute-force credential attacks without explicit authorization
- The agent MUST NOT fail to record exact commands and parameters used for reproducibility
- The agent MUST NOT ignore less common services in favor of only well-known ports
- The agent MUST distinguish between confirmed versions and inferred versions
- The agent MUST NOT access systems or services outside the authorized scope
Vulnerability Scanner
Focus: Identify known vulnerabilities in discovered services using version correlation, configuration analysis, and targeted vulnerability checks. Classify findings by severity and verify where possible without exploitation.
Produces: Vulnerability catalog with CVE references, CVSS scores, affected services, verification status (confirmed/probable/unverified), and initial risk assessment.
Reads: Enumerator's service inventory, reconnaissance target profile.
Anti-patterns (RFC 2119):
- The agent MUST NOT run unauthenticated exploit checks that could crash services or cause data loss
- The agent MUST NOT report raw scanner output without validation or false-positive triage
- The agent MUST NOT treat all scanner findings as confirmed without manual verification
- The agent MUST NOT ignore configuration weaknesses that don't have CVE numbers
- The agent MUST NOT scan outside the authorized scope or during restricted time windows
- The agent MUST NOT fail to document scanner versions, plugins, and configuration for reproducibility
Review Agents
False Positive Check
Mandate: The agent MUST verify vulnerability findings are real, not scanner noise.
Check:
- The agent MUST verify that each finding has been manually verified or has strong confidence indicators
- The agent MUST verify that version-based detections are confirmed against actual behavior, not just banners
- The agent MUST verify that scanner findings are correlated across tools to reduce false positives
- The agent MUST verify that severity ratings reflect exploitability in this specific environment
Enumeration
Criteria Guidance
Good criteria examples:
- "Vulnerability catalog lists each finding with CVE reference, CVSS score, affected service, and verification status"
- "Service enumeration identifies software versions for at least 90% of discovered services"
- "Attack surface map categorizes entry points by protocol, authentication requirement, and exposure level"
Bad criteria examples:
- "Services are enumerated"
- "Vulnerabilities are found"
- "Attack surface is documented"
Completion Signal (RFC 2119)
Vulnerability catalog MUST exist with each finding linked to a specific service, version, and CVE where applicable. Services are enumerated with version detection and configuration details. Attack surface map categorizes all entry points by risk level. False positives MUST be flagged, and verified findings MUST be distinguished from unverified ones. Priority targets for exploitation MUST be identified with rationale.
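The artifacts above (the Enumerator's service inventory with confirmed versus inferred versions, the Vulnerability Scanner's catalog with verification status, the False Positive Check, and the completion signal) are described only in prose. The following is an added example, not code from the original page or from the project it describes, showing how a stage could check its own output against those rules before declaring completion. The record formats (`Service`, `Finding`), the rule thresholds, the tool names and the sample data are all assumptions; hosts use RFC 5737 documentation addresses and the CVE identifiers are placeholders, not real advisories.

```python
import re
from dataclasses import dataclass, field
from typing import List, Set, Tuple

# Hypothetical record formats and rules; the page defines these artifacts only in prose.
CVE_RE = re.compile(r"^CVE-\d{4}-\d{4,}$")
VERIFICATION_STATES = ("confirmed", "probable", "unverified")
VERSION_SOURCES = ("confirmed", "inferred")   # the Enumerator must distinguish these


@dataclass
class Service:
    host: str
    port: int
    protocol: str
    product: str
    version: str = ""                  # empty when no version could be determined
    version_source: str = "inferred"   # "confirmed": checked against behaviour; "inferred": banner only

    @property
    def ident(self) -> str:
        return f"{self.host}:{self.port}/{self.protocol}"


@dataclass
class Finding:
    service: str                       # Service.ident of the affected service
    title: str
    verification: str                  # one of VERIFICATION_STATES
    basis: str = "version"             # what the detection rests on: version / configuration / check
    cve: str = ""                      # empty for configuration weaknesses that have no CVE
    cvss: float = 0.0
    reported_by: Set[str] = field(default_factory=set)   # tools that reported this finding


def check_inventory(services: List[Service], min_version_ratio: float = 0.9) -> List[str]:
    """Return problems with the service inventory; an empty list means it meets the criteria."""
    problems = []
    for s in services:
        if s.version_source not in VERSION_SOURCES:
            problems.append(f"{s.ident}: version_source must be one of {VERSION_SOURCES}")
    with_version = sum(1 for s in services if s.version)
    ratio = with_version / len(services) if services else 0.0
    if ratio < min_version_ratio:   # the "at least 90% of services" criterion from the page
        problems.append(f"version known for {ratio:.0%} of services, below {min_version_ratio:.0%}")
    return problems


def check_catalog(findings: List[Finding], services: List[Service]) -> List[str]:
    """Return problems with the vulnerability catalog against the completion-signal rules."""
    by_ident = {s.ident: s for s in services}
    problems = []
    for f in findings:
        svc = by_ident.get(f.service)
        if svc is None:   # not linked to an inventoried, in-scope service
            problems.append(f"{f.title}: references unknown service {f.service}")
        if f.verification not in VERIFICATION_STATES:
            problems.append(f"{f.title}: verification must be one of {VERIFICATION_STATES}")
        if f.cve and not CVE_RE.match(f.cve):
            problems.append(f"{f.title}: malformed CVE id {f.cve!r}")
        if f.cve and not (0.0 < f.cvss <= 10.0):
            problems.append(f"{f.title}: CVE-linked finding needs a CVSS score")
        # A version-only match cannot be 'confirmed' when the version itself is only banner-inferred.
        if (svc is not None and f.verification == "confirmed"
                and f.basis == "version" and svc.version_source == "inferred"):
            problems.append(f"{f.title}: version-only match on a banner-inferred version is not confirmed")
    return problems


def triage_queue(findings: List[Finding]) -> List[Finding]:
    """Findings still needing manual false-positive triage: unverified, or probable but seen by one tool."""
    return [f for f in findings
            if f.verification == "unverified"
            or (f.verification == "probable" and len(f.reported_by) < 2)]


def priority_targets(findings: List[Finding]) -> List[Tuple[Finding, str]]:
    """Candidate priority targets with a one-line rationale, highest CVSS first; unverified excluded."""
    ranked = sorted((f for f in findings if f.verification in ("confirmed", "probable")),
                    key=lambda f: f.cvss, reverse=True)
    return [(f, f"{f.verification}, CVSS {f.cvss}, reported by {len(f.reported_by)} tool(s)")
            for f in ranked]


# Constructed sample data: documentation addresses, placeholder CVE ids, invented tool names.
SAMPLE_SERVICES = [
    Service("192.0.2.10", 22, "tcp", "OpenSSH", "8.9p1", "confirmed"),
    Service("192.0.2.10", 80, "tcp", "nginx", "1.18.0", "inferred"),
    Service("192.0.2.20", 443, "tcp", "Apache httpd", "2.4.52", "confirmed"),
    Service("192.0.2.30", 8443, "tcp", "unidentified TLS service"),   # no version: 3 of 4 = 75%
]
SAMPLE_FINDINGS = [
    Finding("192.0.2.10:22/tcp", "SSH placeholder finding", "confirmed", "check", "CVE-0000-0001", 9.8, {"tool-a", "tool-b"}),
    Finding("192.0.2.10:80/tcp", "nginx version match", "confirmed", "version", "CVE-0000-0002", 5.3, {"tool-a"}),
    Finding("192.0.2.20:443/tcp", "TLS 1.0 still enabled", "unverified", "configuration", reported_by={"tool-b"}),
    Finding("192.0.2.99:80/tcp", "finding on un-inventoried host", "probable", "version", "cve-0000-3", 7.5, {"tool-a"}),
]

if __name__ == "__main__":
    for line in check_inventory(SAMPLE_SERVICES) + check_catalog(SAMPLE_FINDINGS, SAMPLE_SERVICES):
        print("PROBLEM:", line)
    for f in triage_queue(SAMPLE_FINDINGS):
        print("TRIAGE:", f.service, f.title)
    for f, rationale in priority_targets(SAMPLE_FINDINGS):
        print("TARGET:", f.service, f.title, "-", rationale)
```

Run as a script, the sample data produces one inventory problem (version coverage 75%), three catalog problems (a "confirmed" finding resting only on a banner-inferred version, a finding on a host that is not in the inventory, and a malformed CVE id), two findings queued for manual triage, and a ranked target list with rationale. The configuration weakness without a CVE is deliberately not a catalog problem, matching the rule that such findings must not be ignored; it is routed to triage instead.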