Zypheron

Workflow Playbook: Web Recon and Validation

This playbook walks an IT or security lead through recon on a web-facing scope without losing the thread. You fingerprint live hosts, run templated checks, drop into a terminal for manual validation, and keep every finding addressable across the workspace.

Starting state

You have a domain or an IP range in scope and an empty (or lightly populated) Network Map. Nothing has been validated yet. The goal of this run is to turn a flat target list into a set of validated web findings tied to real hosts.

Inputs

  • Your targets: the domain or IP range you are authorized to assess.
  • Scope boundaries: the subnets and hosts that are in bounds, and anything explicitly out of bounds.
  • An AI key (Settings > AI) or a local Ollama model if you want the chat sidebar to reason over findings.

Key steps

  1. Fingerprint live web hosts with httpx. In Tools & Config, find httpx (filter by install state so you only see what is on your $PATH), then use Send to terminal. The command pastes with placeholders intact so you can fill in your scope before running. Results stream through the queue into the live store, and the Network Map updates as hosts and services resolve.
  2. Run nuclei for templated checks. Select nuclei in Tools & Config and Send to terminal. The streaming parser ingests nuclei output as it arrives, so findings appear in the live store and against their hosts on the Network Map without waiting for the full run to finish.
  3. Right-click a host and Open in terminal as $T for manual validation. When a templated hit looks worth confirming, right-click the host on the Network Map and choose Open in terminal as $T. The host is bound to $T, so any command you type runs against the exact host you selected. This is where you confirm a finding by hand instead of trusting a single template.
  4. @mention a finding in chat to decide what to verify next. Open the chat sidebar and @mention the host or the finding. Because the prompt is grounded in the real object, the local-AI-first assistant can suggest what to verify next instead of guessing from a description you typed.

# Tools & Config: Send to terminal (placeholders kept)

httpx -l targets.txt -title -tech-detect -status-code

nuclei -l live-hosts.txt -severity medium,high,critical

# right-click host on Network Map: Open in terminal as $T

curl -sk https://$T/ -I
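The ingestion that steps 1 to 3 describe, as an added Python sketch that is not Zypheron's own code: it reads httpx and nuclei JSON lines as they stream in, keys everything by host, records which side of the public-exposure boundary each host sits on, keeps every templated hit as a lead, and only promotes it after the manual $T check. The sample lines, addresses, INTERNAL_NETS and the JSON field names are constructed assumptions; check the keys against the httpx and nuclei versions you run.

```python
import ipaddress, json
from dataclasses import dataclass, field
from urllib.parse import urlparse
# Constructed sample lines, not from a real scan; field names assume httpx -json / nuclei -jsonl shapes.
HTTPX_LINES = [
    '{"url":"https://203.0.113.10","status_code":200,"tech":["nginx","PHP"]}',
    '{"url":"https://10.0.0.5:8443","status_code":401,"tech":["Apache"]}',
]
NUCLEI_LINES = [
    '{"template-id":"example-misconfig-check","info":{"severity":"medium"},"host":"https://203.0.113.10","matched-at":"https://203.0.113.10/config"}',
    '{"template-id":"example-exposed-panel","info":{"severity":"high"},"host":"https://10.0.0.5:8443","matched-at":"https://10.0.0.5:8443/admin"}',
]
# Internal side of the public-exposure boundary (constructed; take it from your scope inputs)
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
@dataclass
class Finding:
    template_id: str
    severity: str
    matched_at: str
    status: str = "lead"  # a templated hit is a lead until confirmed by hand
@dataclass
class Host:
    address: str
    public: bool  # True when the host sits on the internet-facing side of the boundary
    services: dict = field(default_factory=dict)
    findings: list = field(default_factory=list)
def _host(store: dict, url: str) -> Host:
    addr = urlparse(url).hostname or url
    public = not any(ipaddress.ip_address(addr) in n for n in INTERNAL_NETS)  # assumes IP targets
    return store.setdefault(addr, Host(addr, public))

def ingest_httpx(store: dict, line: str) -> Host:
    rec = json.loads(line)  # one JSON object per line, handled as the stream arrives
    host = _host(store, rec["url"])
    host.services[rec["url"]] = {"status": rec.get("status_code"), "tech": rec.get("tech", [])}
    return host

def ingest_nuclei(store: dict, line: str) -> Finding:
    rec = json.loads(line)
    f = Finding(rec["template-id"], rec["info"]["severity"], rec["matched-at"])
    _host(store, rec["host"]).findings.append(f)
    return f

def validate(store: dict, address: str, template_id: str, confirmed: bool) -> Finding:
    # Step 3: the manual check against $T decides whether a lead is reported
    f = next(x for x in store[address].findings if x.template_id == template_id)
    f.status = "confirmed" if confirmed else "false-positive"
    return f

def reportable(store: dict) -> list:  # expected output: confirmed findings tied to hosts
    return [(h.address, f.template_id, h.public) for h in store.values() for f in h.findings if f.status == "confirmed"]
```

Nothing reaches `reportable` on template evidence alone; a lead that fails the manual check is kept in the store as a false positive rather than dropped, so the triage decision survives the session.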

Switching tools without losing the thread

You can move from httpx to nuclei to a manual curl session and back without rebuilding context. Findings produced anywhere are objects, addressable from the Network Map, the chat sidebar, and the terminal. The live store ties them to their hosts, so a tool switch never resets what you know.

Interpreting results

The Network Map draws a public-exposure boundary, so you can see at a glance which validated hosts sit on the internet-facing side versus internal subnets. As scans stream in, the live store and the map update together, which means triage starts before the run completes. ActiveScanPanel shows the live jobs so you know what is still in flight.

How to avoid losing context

Everything you find is persisted to an encrypted local SQLite store. Close the workspace, reopen it, and your hosts, services, and findings are still there as the same objects you can @mention. Context survives the session, so the recon you did today is the foundation you build on tomorrow.

Expected outputs

A set of validated web findings, each tied to a specific host on the Network Map, with the live versus exposed distinction already drawn. These are structured objects rather than loose notes, which is exactly what the reporting workflow consumes later.

Common operator decisions

  • Template selection. Run a broad nuclei severity range first, then narrow to the templates that match the stack httpx fingerprinted. Wider is fine on the first pass; targeted is better once you know the tech.
  • True versus false positive triage. Treat a templated hit as a lead to investigate, never a conclusion on its own. Open in terminal as $T and confirm by hand before it becomes a reported finding.
  • When to go manual. If a host sits on the public-exposure boundary or a template result is ambiguous, drop into the terminal. Manual validation is cheap here because the host is already bound to $T.

ZYPHERON Desktop is a cybersecurity IDE for offensive and defensive workflows. The open source CLI remains available for terminal-first users.

© 2025 ZYPHERON SYSTEMS//DESKTOP + CLI