Recon, exploitation, validation, and reporting. Every layer of an enterprise pentest, delivered by a coordinated swarm of 13 AI agents and 41+ scanner modules. You drive it from chat.
No CLI. No Burp config. No "scope" form to fill. You sign in, type a URL into the chat, and watch Zeroday IQ run a real pentest in front of you.
An LLM intent classifier (with a regex fallback) decides whether your message is a scan request, a follow‑up question on a previous scan, or a general security question. SCAN intents trigger a real background scan and stream progress live; FOLLOWUP intents are answered by an LLM whose context is limited to your stored scan data, so it answers from findings the scan actually produced rather than inventing new ones.
Point Zeroday IQ at your stack. About ten minutes later (twenty‑five for a deep scan), the report is on your dashboard.
DNS, CT logs, subdomain enumeration, OSINT, GitHub leaks, dark‑web breach data. Synthesised into an attack‑surface map.
41+ modules dispatched in one thread‑pool wave with per‑module timeouts (Nuclei 200s, vuln‑scanner 180s, WAF‑bypass 90s; others tighter).
Up to three high‑risk subdomains (admin, staging, dev, vpn, api) auto‑deep‑scan with their own sub‑module batch.
The Validator agent drops anything without raw evidence. The Report agent ships a compliance‑mapped PDF the moment the scan completes.
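What the dispatch wave, the high‑risk subdomain pick and the Validator gate look like in code, as an added example rather than Zeroday IQ's own implementation: four constructed stand‑in modules run in one thread‑pool wave, each collected within its own time budget (the page's Nuclei > vuln‑scanner > WAF‑bypass > others ordering, scaled down to seconds so the demo finishes quickly), one module overruns, one crashes, and the evidence gate drops the finding that carries no request/response pair. Module names, hostnames, budgets and findings are all constructed.

```python
"""Scanner wave with per-module timeouts, high-risk subdomain prioritisation
and an evidence gate. Added example, not Zeroday IQ's own code; module names,
time budgets and findings are constructed (budgets are scaled down so the demo
finishes in a few seconds)."""
import re
import time
from concurrent.futures import ThreadPoolExecutor
from concurrent.futures import TimeoutError as FutureTimeout
from typing import Callable

# Per-module budgets in seconds. The page's ordering (Nuclei 200s > vuln-scanner
# 180s > WAF-bypass 90s > the rest) is kept; the absolute values are shrunk.
MODULE_TIMEOUTS = {"nuclei": 2.0, "vuln_scanner": 1.8, "waf_bypass": 0.9}
DEFAULT_TIMEOUT = 0.5  # "others tighter"

HIGH_RISK = ("admin", "staging", "dev", "vpn", "api")
_RISK_RE = re.compile(r"^(%s)(?=$|[-_])" % "|".join(HIGH_RISK))


def prioritise_subdomains(subdomains: list[str], limit: int = 3) -> list[str]:
    """Pick up to `limit` hosts whose leftmost label is a high-risk keyword
    (exact label, or keyword followed by '-' / '_'), ordered by HIGH_RISK rank.
    'devops.example.com' is deliberately not a match for 'dev'."""
    ranked = []
    for host in subdomains:
        m = _RISK_RE.match(host.split(".")[0].lower())
        if m:
            ranked.append((HIGH_RISK.index(m.group(1)), host))
    return [host for _, host in sorted(ranked)][:limit]


def run_wave(modules: dict[str, Callable[[], list[dict]]]) -> dict:
    """Dispatch every module at once and collect each within its own budget.
    A Python thread cannot be killed, so a module that overruns is recorded as
    timed out and abandoned; real modules belong in subprocesses run with
    subprocess.run(..., timeout=...) so the work actually stops."""
    out = {"findings": [], "timed_out": [], "errored": []}
    pool = ThreadPoolExecutor(max_workers=len(modules))
    t0 = time.monotonic()
    futures = {name: pool.submit(fn) for name, fn in modules.items()}
    for name, fut in futures.items():
        budget = MODULE_TIMEOUTS.get(name, DEFAULT_TIMEOUT)
        remaining = max(0.0, t0 + budget - time.monotonic())  # budget counts from dispatch
        try:
            out["findings"].extend(fut.result(timeout=remaining))
        except FutureTimeout:
            out["timed_out"].append(name)
        except Exception as exc:  # one crashing module must not sink the wave
            out["errored"].append((name, type(exc).__name__))
    pool.shutdown(wait=False)  # do not block on stragglers
    return out


def validator_gate(findings: list[dict]) -> list[dict]:
    """Keep only findings that carry raw evidence (a request and a response).
    The gate can drop findings, never add them."""
    return [f for f in findings
            if f.get("evidence", {}).get("request") and f.get("evidence", {}).get("response")]


# ---- constructed modules standing in for real scanner modules ----
def _dns_module():
    return [{"id": "dns-zone-transfer", "host": "ns1.example.com",
             "evidence": {"request": "AXFR example.com", "response": "...zone records..."}}]

def _nuclei_module():
    time.sleep(0.05)
    return [{"id": "exposed-env", "host": "dev.example.com",
             "evidence": {"request": "GET /.env", "response": "DB_PASSWORD=..."}},
            {"id": "guess-only", "host": "dev.example.com", "evidence": {}}]  # no proof

def _vuln_scanner_module():
    raise RuntimeError("scanner binary missing")

def _waf_bypass_module():
    time.sleep(1.5)  # overruns its 0.9s budget
    return [{"id": "never-returned", "evidence": {}}]


def run_demo() -> dict:
    targets = prioritise_subdomains(["www.example.com", "api.example.com", "dev.example.com",
                                     "admin.example.com", "vpn.example.com", "devops.example.com"])
    wave = run_wave({"dns": _dns_module, "nuclei": _nuclei_module,
                     "vuln_scanner": _vuln_scanner_module, "waf_bypass": _waf_bypass_module})
    return {"targets": targets, "wave": wave, "validated": validator_gate(wave["findings"])}


if __name__ == "__main__":
    import json
    print(json.dumps(run_demo(), indent=2))
```

The budget is measured from dispatch, not from when the collector reaches the module, so waiting on an earlier module never silently extends a later one's allowance.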
One set of agents runs on every external scan; another set activates when you deploy the internal network agent. Each agent owns one phase of the kill chain, with its own toolset, memory, and reasoning trace.
DNS, OSINT, CT‑logs, subdomains, GitHub leaks, dark‑web breach data. Synthesised into a target attack‑surface map.
Walks endpoints, params, GraphQL introspection, JS bundles, and config exposures to build the live application surface.
Fingerprints the WAF in front of the target, then runs 70+ bypass payloads to score real evasion risk before exploits run.
Drives the 41+ scanner modules: Nuclei (9000+ templates), CVE matching, custom active checks. Aggregates raw findings.
Confirms each candidate with a real PoC and writes the attack narrative: SSRF chains, SSTI, deserialization, BOLA, JWT misuse.
The zero‑FP gate. Re‑checks every finding against raw scanner evidence; anything without proof is dropped before the report.
Builds the executive summary, severity rollup, immediate‑actions list, and long‑term remediation plan. Hands off to the PDF generator and the chat formatter.
One context window cannot hold a real pentest. Each agent has its own toolset, its own memory, and its own reasoning trace, so when you click a finding, you see exactly which agent ran what command and what came back. Auditable, not a black box. The Validator is the last gate, and it has no power to add a finding, only to drop ones that fail the proof check.
From a host inside the perimeter, enumerates internal CIDRs, live hosts, and exposed services that never touch the internet.
Probes for weak Kerberos config, AS‑REP‑roastable accounts, kerberoastable SPNs, and ACL paths to Domain Admin.
Looks for plaintext credentials in shares, configs, and process memory; cracks weak hashes; correlates leaked‑cred reuse.
Maps reachable services per credential (SMB, WinRM, SSH, RDP) and validates pivot paths between hosts.
Per host, checks for unquoted services, SUID gaps, sudo misconfig, kernel CVEs, GPO abuse, token‑impersonation paths.
Composes findings into multi‑step kill chains, scores blast radius (which data classes are reachable), and maps every step to MITRE ATT&CK tactics & techniques.
External pentests miss internal RCE, weak shares, exposed databases, and misconfigured services that never touch the public internet. Zeroday IQ ships a lightweight Docker agent installed on a host inside your network. It runs the same 41+‑module pipeline from inside the perimeter and streams findings back to the dashboard.
[Dashboard illustration: an example internal kill chain across 10.0.6.8, 10.0.4.12:27017 (users collection with BCrypt cost‑10 password hashes), 10.0.0.5, \\10.0.7.21\backups readable anonymously, and 10.0.6.12 (build host).]

Every model call (analysis, chat, classification) runs against a static system prompt that explicitly forbids invented findings. The variable scan data goes in as the user message; the immutable rules are cached server‑side for prompt‑cache hits and audit consistency.
Hand the report to your auditor as is. Each finding is tagged with control IDs across seven frameworks plus CWE, CVSS 3.1, and MITRE ATT&CK references.
SOC 2: CC6.1, CC6.6, CC7.1 trust‑services criteria mapped per finding.
ISO/IEC 27001: Annex A.8 / A.12 / A.14 / A.18 controls.
HIPAA: Security Rule §164.308 / §164.312 safeguards.
GDPR: Art. 32 technical & organisational measures.
PCI DSS: Requirements 6 (secure dev) & 11 (testing).
NIST CSF: Identify · Protect · Detect functions tagged.
OWASP Top 10: A01 to A10 categories auto‑mapped.
Per‑finding CWE ID, CVSS 3.1 vector, MITRE ATT&CK technique.
Authenticated surface, cross‑user access control, and ongoing change‑detection. The three layers commodity scanners either skip or charge enterprise prices to unlock.
Hand over a login URL, username, and password. Zeroday IQ runs the form login in a real browser, captures the session, and exercises the post‑auth surface, where 80% of real bugs live. JWT and OAuth‑based auth work the same way.
Provide a second account and Zeroday IQ tests whether user B can access user A's resources. IDOR / BOLA / horizontal‑privilege bugs that pure unauthenticated scanners simply cannot detect. The exact class of bug that keeps causing breaches.
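A minimal form of that cross‑user check, as an added example and not Zeroday IQ's code: two constructed in‑memory apps, one with a BOLA on /orders/{id} and one that enforces ownership, plus a harness that lists user A's resources and replays each as user B, flagging only a 200 whose body matches what the owner received. Tokens, paths and order records are constructed.

```python
"""Cross-user (horizontal) access-control check. Added example, not Zeroday IQ's
code: the two in-memory apps, the sessions and the order records are constructed."""
import re
from dataclasses import dataclass
from typing import Callable


@dataclass(frozen=True)
class Response:
    status: int
    body: str


# Constructed session store and data: alice owns 101 and 103, bob owns 102.
SESSIONS = {"tok-alice": "alice", "tok-bob": "bob"}
ORDERS = {
    101: ("alice", "order 101: 1x laptop, ship to 1 Main St"),
    102: ("bob", "order 102: 2x cables"),
    103: ("alice", "order 103: 3x hardware keys"),
}
_ORDER_RE = re.compile(r"/orders/(\d+)")


def _handle(token: str, path: str, enforce_owner: bool) -> Response:
    user = SESSIONS.get(token)
    if user is None:
        return Response(401, "")
    if path == "/orders":  # listing only ever shows the caller's own ids
        return Response(200, ",".join(str(i) for i, (o, _) in ORDERS.items() if o == user))
    m = _ORDER_RE.fullmatch(path)
    if m:
        rec = ORDERS.get(int(m.group(1)))
        if rec is None or (enforce_owner and rec[0] != user):
            return Response(404, "")  # 404 rather than 403: do not confirm the id exists
        return Response(200, rec[1])
    return Response(404, "")


def vulnerable_app(token: str, path: str) -> Response:
    """BOLA: any authenticated user can read any order by id."""
    return _handle(token, path, enforce_owner=False)


def fixed_app(token: str, path: str) -> Response:
    """Ownership checked on every object fetch."""
    return _handle(token, path, enforce_owner=True)


def check_horizontal_access(app: Callable[[str, str], Response],
                            token_a: str, token_b: str) -> list[dict]:
    """List A's resources, then replay each as B. A finding is a 200 as B whose
    body equals what A (the owner) got; a 403/404 or a different body is a pass.
    Ids that also appear in B's own listing are skipped (legitimately shared)."""
    own_a = [i for i in app(token_a, "/orders").body.split(",") if i]
    own_b = {i for i in app(token_b, "/orders").body.split(",") if i}
    findings = []
    for rid in own_a:
        if rid in own_b:
            continue
        path = f"/orders/{rid}"
        as_owner = app(token_a, path)
        as_other = app(token_b, path)
        if as_other.status == 200 and as_other.body == as_owner.body:
            findings.append({
                "class": "BOLA/IDOR",
                "path": path,
                # raw request/response pair kept as proof for the evidence gate
                "evidence": {"as_owner": as_owner, "as_other": as_other},
            })
    return findings


def run_demo() -> dict:
    """Run the check in both directions against both apps."""
    out = {}
    for name, app in (("vulnerable", vulnerable_app), ("fixed", fixed_app)):
        out[name] = (check_horizontal_access(app, "tok-alice", "tok-bob")
                     + check_horizontal_access(app, "tok-bob", "tok-alice"))
    return out


if __name__ == "__main__":
    for name, findings in run_demo().items():
        print(name, [f["path"] for f in findings])
```

Comparing B's body against the owner's response, rather than just checking for a 200, is what keeps the check honest: an endpoint that returns a generic 200 page or a redirect for unknown ids would otherwise show up as a false positive.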
Schedule re‑scans every 1, 6, 12, 24, 48 hours or weekly. Each run is diffed against the previous; only new findings trigger alerts. Notifications via Slack, webhook, or email. Alert‑fatigue prevention is the point.
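How "diffed against the previous run, only new findings alert" can be made robust, as an added example rather than Zeroday IQ's code: findings get a stable fingerprint from what was found and where (check, host, normalised path, parameter), with severity and timestamps left out so they can change without re‑alerting, and record ids in paths are collapsed so /api/users/123 and /api/users/456 count as the same location. The two scan runs, hostnames and check names are constructed; treating escalations as report‑only rather than alert‑worthy is this example's choice.

```python
"""Re-scan diffing on stable finding fingerprints. Added example, not Zeroday IQ's
code; the two constructed scan runs below stand in for stored results."""
import hashlib
import json
import re
from urllib.parse import urlsplit

SEVERITY_RANK = {"info": 0, "low": 1, "medium": 2, "high": 3, "critical": 4}
_UUID = re.compile(r"[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}", re.I)


def normalise_path(url_or_path: str) -> str:
    """Drop the query string and collapse ids so /users/123 and /users/456 are
    the same location; otherwise every re-scan of a per-record endpoint would
    look like a fresh finding."""
    path = urlsplit(url_or_path).path or "/"
    path = _UUID.sub("{id}", path)
    return re.sub(r"\d+", "{id}", path)


def fingerprint(f: dict) -> str:
    """Identity = what was found and where. Severity, timestamps and scanner
    output are deliberately excluded so they can change without re-alerting."""
    key = {"check": f["check"], "host": f["host"].lower(),
           "path": normalise_path(f["location"]), "param": f.get("param")}
    return hashlib.sha256(json.dumps(key, sort_keys=True).encode()).hexdigest()[:16]


def diff_scans(previous: list[dict], current: list[dict]) -> dict:
    prev = {fingerprint(f): f for f in previous}
    cur = {fingerprint(f): f for f in current}
    return {
        "new": [cur[k] for k in cur if k not in prev],
        "resolved": [prev[k] for k in prev if k not in cur],
        "escalated": [cur[k] for k in cur if k in prev
                      and SEVERITY_RANK[cur[k]["severity"]] > SEVERITY_RANK[prev[k]["severity"]]],
    }


def should_alert(diff: dict) -> bool:
    """Only new findings page anyone; escalations and resolutions go in the report."""
    return bool(diff["new"])


# Constructed runs: run 2 fixes the open redirect, re-finds the XSS and IDOR at
# a different record id with a higher severity, and surfaces one new SQLi.
RUN_1 = [
    {"check": "reflected-xss", "host": "app.example.com", "location": "/search?q=x",
     "param": "q", "severity": "medium"},
    {"check": "open-redirect", "host": "app.example.com", "location": "/login?next=//evil",
     "param": "next", "severity": "low"},
    {"check": "idor", "host": "API.example.com", "location": "/api/users/123",
     "param": None, "severity": "medium"},
]
RUN_2 = [
    {"check": "reflected-xss", "host": "app.example.com", "location": "/search?q=y",
     "param": "q", "severity": "medium"},
    {"check": "idor", "host": "api.example.com", "location": "/api/users/456",
     "param": None, "severity": "high"},
    {"check": "sqli", "host": "app.example.com", "location": "/report?id=1",
     "param": "id", "severity": "critical"},
]


def run_demo() -> dict:
    d = diff_scans(RUN_1, RUN_2)
    return {"new": [f["check"] for f in d["new"]],
            "resolved": [f["check"] for f in d["resolved"]],
            "escalated": [f["check"] for f in d["escalated"]],
            "alert": should_alert(d)}


if __name__ == "__main__":
    print(json.dumps(run_demo(), indent=2))
```

The fingerprint is the whole game: if it included the raw scanner output or the exact URL, a paginated or per-user endpoint would generate a "new" finding on every run, which is the alert fatigue the schedule is meant to prevent.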