Attack Methodology

GigaOps follows a structured 10-phase methodology modeled on real-world adversary operations. Deep audits run all 10 phases; Shallow audits stop after phase 6; Autonomous audits follow the methodology you brief.

The 10 phases

Phase 1 — Passive Reconnaissance

Before touching the target, GigaOps gathers context from public sources. This phase sends no traffic to the target's infrastructure.
  • WHOIS and DNS records
  • Certificate Transparency logs (crt.sh)
  • Wayback Machine for historical endpoints
  • Search engine dorking
  • GitHub / GitLab leaked secrets reconnaissance
  • Technology fingerprinting from public sources

Phase 2 — Subdomain Enumeration

GigaOps queries seven passive OSINT sources to build a complete subdomain map, then validates which are alive. See Subdomain Enumeration for the full source list.

Phase 3 — Port & Service Scanning

Network-level discovery uses nmap -T2 (low-noise timing) by default and masscan for wide address ranges.
  • TCP/UDP port discovery
  • Service version detection
  • TLS configuration analysis
  • Banner grabbing

Phase 4 — Web Fingerprinting

For HTTP/S services, identify the stack:
  • whatweb and httpx for application fingerprinting
  • wafw00f for WAF detection
  • CMS / framework / library version identification
  • Endpoint discovery via crawling and content discovery (feroxbuster, ffuf)

Phase 5 — Vulnerability Scanning

Active probing for known vulnerability classes:
  • nuclei with curated template sets
  • dalfox and xsstrike for XSS surface
  • wfuzz and ffuf for parameter discovery and injection points
  • Custom probes for SSTI, XXE, SSRF, deserialization, CORS misconfiguration
  • JWT analysis with jwt_tool

Phase 6 — Exploitation

Confirm vulnerabilities by exploiting them. The agent captures evidence for each confirmed finding; in Shallow mode it stops at proof-of-concept level.
  • sqlmap for SQL injection (Deep mode: --level 5 --risk 3)
  • commix for command injection
  • tplmap for template injection
  • XXEinjector for XXE
  • ssrfmap for SSRF
  • Custom exploitation chains for chained findings
Shallow audits stop here. The remaining phases only run in Deep and Autonomous modes.

Phase 7 — Authentication Attacks

Test the auth surface:
  • Credential stuffing against captured username lists
  • hydra for service brute force (rate-limited)
  • JWT manipulation, signature stripping, algorithm confusion
  • OAuth flow analysis (PKCE downgrade, redirect_uri confusion, scope abuse)
  • Session fixation, predictable session IDs
  • Password reset flow analysis

Phase 8 — Post-Exploitation

After initial compromise, escalate and explore:
  • linpeas and pspy for Linux privilege escalation
  • Kernel exploit identification
  • impacket suite for Windows / AD post-ex
  • bloodhound for AD attack path analysis
  • Credential harvesting from memory and disk
  • Service account discovery

Phase 9 — Lateral Movement

Pivot from initial foothold to additional systems:
  • crackmapexec for SMB / WinRM lateral movement
  • evil-winrm for interactive shells
  • Token impersonation and pass-the-hash
  • Pivot through internal networks via SSH or ligolo-ng

Phase 10 — Persistence & Exfiltration Testing

Demonstrate full impact:
  • Persistence mechanism testing (cron, systemd, scheduled tasks)
  • DNS tunneling (dnscat2, iodine) for exfil path validation
  • Data exfiltration over allowed protocols
  • Cover-track / log-cleaning behavior assessment

Phase ordering and pivots

The methodology is not strictly linear. GigaOps continuously re-plans:
  • A finding in phase 5 may prompt deeper scanning in phase 3
  • A credential captured in phase 7 may unlock new targets requiring phase 2 enumeration
  • A pivot in phase 9 may reveal new web surface, triggering phases 4–6 against internal hosts
The agent decides what to do next based on what it just discovered.

When the methodology stops

GigaOps stops a phase when:
  • The phase’s objectives are exhausted (no new findings produced in the last iteration)
  • The audit’s time budget is approaching expiry (agent transitions to report writing)
  • The phase produced findings that warrant deeper exploration in a later phase
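A small model of the re-planning loop described in "Phase ordering and pivots" and the three stop conditions above, added here as an illustration rather than GigaOps's own code. The phase numbering, mode rules and stop conditions follow this page; the finding-kind labels, the PIVOTS and HANDOFF tables and the one-unit-per-iteration time accounting are assumptions made for the example.

```python
# Added illustration of the phase scheduler this page describes; not GigaOps
# code. Phase numbers, mode rules and stop conditions come from the page; the
# finding-kind labels, PIVOTS/HANDOFF tables and time-unit accounting are assumed.
PHASES = {1: "passive recon", 2: "subdomain enum", 3: "port/service scan",
          4: "web fingerprint", 5: "vuln scan", 6: "exploitation",
          7: "auth attacks", 8: "post-exploitation", 9: "lateral movement",
          10: "persistence/exfil"}

# Re-planning rules from "Phase ordering and pivots": a finding kind produced
# in one phase re-queues earlier phases ahead of the remaining plan.
PIVOTS = {(5, "new host"): [3], (7, "credential"): [2], (9, "internal web"): [4, 5, 6]}
# Stop condition 3: a finding that is only worth pursuing in a later phase.
HANDOFF = {"credential": 7, "shell": 8, "foothold": 9}

def phases_for_mode(mode, brief=()):
    """Shallow stops after phase 6, Deep runs all 10, Autonomous runs the brief."""
    if mode == "shallow":
        return list(range(1, 7))
    if mode == "deep":
        return list(range(1, 11))
    if mode == "autonomous":
        return [p for p in brief if p in PHASES]
    raise ValueError(f"unknown mode: {mode}")

def stop_reason(phase, findings, time_left, report_reserve):
    """Apply the three stop conditions; None means keep iterating this phase."""
    if time_left <= report_reserve:
        return "time budget"   # agent transitions to report writing
    if not findings:
        return "exhausted"     # no new findings in the last iteration
    later = [HANDOFF[f] for f in findings if HANDOFF.get(f, 0) > phase]
    return f"handoff to phase {min(later)}" if later else None

def run_audit(mode, outcomes, brief=(), budget=12, report_reserve=2):
    """Walk the phase queue with re-planning. `outcomes` maps a phase number to
    the finding batches its iterations would produce (constructed input); each
    iteration costs one time unit. Returns the ordered log of (phase, reason)."""
    queue, log, time_left = phases_for_mode(mode, brief), [], budget
    allowed = set(queue)
    while queue:
        phase = queue.pop(0)
        for batch in outcomes.get(phase, []) + [[]]:   # trailing [] = exhausted
            time_left -= 1
            reason = stop_reason(phase, batch, time_left, report_reserve)
            for kind in batch:   # pivot only to phases the mode/brief permits
                queue[0:0] = [b for b in PIVOTS.get((phase, kind), [])
                              if b in allowed and b not in queue]
            if reason:
                break
        log.append((phase, reason))
        if reason == "time budget":
            break
    return log
```

With `{5: [["new host"]], 7: [["credential"]]}` as the constructed outcomes of a Deep audit, the log shows phase 3 re-run after phase 5 and phase 2 re-run after phase 7, while an Autonomous brief that omits phase 2 never pivots back to it.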

Modes recap

Phase                         Shallow   Deep   Autonomous
1–6 (recon → exploitation)    Yes       Yes    Optional (per brief)
7 (auth attacks)              No        Yes    Optional (per brief)
8 (post-exploitation)         No        Yes    Optional (per brief)
9 (lateral movement)          No        Yes    Optional (per brief)
10 (persistence / exfil)      No        Yes    Optional (per brief)
In Autonomous mode, the brief defines which phases run and in what order.

Next steps

The GigaOps Agent

How the agent plans and executes each phase.

Toolkit

The full tool inventory in the darkops sandbox.