90 min · Persistent Engagement Memory · Tool Suite · Evidence Chain · Triage Pipeline
Prerequisite: S00, S01
Solution: a persistent target-state store (ChromaDB) with structured records: domains, subdomains, ports, services, endpoints, hypotheses, attempts, findings.
| Store | When |
|---|---|
| ChromaDB | Engagement-scoped (<1M records). In-process. Most bug bounty harnesses. |
| Qdrant | Production multi-target continuous monitoring. Horizontal scale. |
| LanceDB | Analytical queries over findings (aggregation, trends). |
After a week of scanning: 50,000 records, half duplicates or stale. The harness spends more time managing memory than finding vulnerabilities.
Solution: structured dedup at write time — every write checks against existing records. Duplicates UPDATE, not INSERT.
If you write a deceptive target response into memory verbatim, poisoned data persists across sessions.
Defense: only structured summaries (from the Reader Model, S01.3) enter the store. Raw responses never written verbatim.
| Tier | Tools | Purpose |
|---|---|---|
| Recon | nmap, amass, subfinder, httpx, nuclei | Discover the attack surface |
| Web app | Burp headless, sqlmap, ffuf, gobuster | Test web vulnerabilities |
| Evidence | Playwright, CVE lookup, CVSS calc | Capture and enrich findings |
| Report | Structured finding generator | Client-ready output |
Every offensive tool follows 7 steps:
Three principles: idempotency, rate limiting as stealth control, scope checks in BOTH middleware and tool.
Every finding needs a reproducible, client-presentable trail. The evidence chain is your legal protection and the client's compliance requirement.
Schema: timestamp · trace_id · tool · tool_version · target · action · exact request/response · scope_ref (legal anchor) · CVSS draft · retention class.
nuclei produces 200 raw findings. 15 are real. 3 are exploitable. 1 is worth reporting.
The harness's job is to triage, not dump raw output.
A secondary LLM evaluates each finding for actual exploitability + scope relevance. Separate from the model that found it.
Prevents confirmation bias — the finder's enthusiasm doesn't bias the severity assessment.
Surface: critical/high, exploitable, in scope → notify now. Batch: medium/low → accumulate for report. Discard: FP/out-of-scope → log, don't surface.
>90% / >80%
Precision / Recall targets against a labeled dataset (DVWA).
| Metric | Meaning | Below threshold |
|---|---|---|
| Precision <80% | Too many FPs surfaced | Operator buried in noise |
| Recall <70% | Real vulns missed | Dangerous gaps |
The bug bounty harness is operational: persistent memory, wrapped tools, evidence chain, triage pipeline.
S03 extends this to full pentest and red team operations: kill chain state management, plan correction, the sandbox inversion problem, report generation.