| name | fullscan |
| description | Full security assessment with brain coordination. Multi-phase, skips known-exhausted areas, builds on prior knowledge. |
ALL agents dispatched by this command MUST use in the subagent dispatch tool call.
Full security assessment on: $ARGUMENTS
Phase 0: Brain Briefing
uv run python3 ../../tools/brain.py init (if first run)
uv run python3 ../../tools/brain.py brief $ARGUMENTS
uv run python3 ../../tools/scope_check.py $ARGUMENTS
Phase 1: Recon (skip already-discovered assets)
Launch recon agent with brain context. Focus on discovering NEW subdomains and services beyond what's already known.
Phase 2: Scanning (skip exhausted areas)
Launch IN PARALLEL, each with brain context about what's been scanned before:
vuln-scanner — skip known false positives, focus new hosts
config-auditor — check if previously noted misconfigs are fixed
js-analyzer — focus on new/changed JS files
Record all results to the brain after each agent returns.
Phase 3: Targeted Testing (brain-guided)
Based on Phase 2 + brain knowledge, selectively launch ONLY agents targeting UNTESTED or ACTIVE vectors:
xss-hunter ONLY on endpoints not marked exhausted
api-audit ONLY on newly discovered or untested endpoints
auth-tester ONLY if new auth flows found
Record all results to the brain.
Phase 4: Reporting
uv run python3 ../../tools/dedup_findings.py --scan-dir scans/ --db findings.json --stats
uv run python3 ../../tools/brain.py status
- Launch
poc-builder for each confirmed finding
- Launch
report-writer with full brain context
uv run python3 ../../tools/brain.py log "Full scan completed on $ARGUMENTS"
Top-Tier Fullscan Standard
A full scan must leave a defensible coverage ledger.
- Start with the crown jewels: auth, tenant data, billing, admin, integrations, uploads, webhooks, exports, AI/tool surfaces, and source/repo exposure.
- For each phase, record both positives and negatives. "Scanned" is invalid unless it names tools, targets, timestamps, and skipped areas.
- Do not let scanner output dominate. Use scanners to find leads, then spend human-grade effort on state changes, authorization boundaries, and parser differentials.
- Before reporting, run
/correlate or /chain on all confirmed and partial findings. Single low bugs should not escape the scan if a plausible chain remains.
- Final output must contain: confirmed findings, killed false positives, exhausted high-value paths, untested residual risk, and the next best command.