search
Ctrlk

Entities

Entities represent distinct objects in the attack surface that can be discovered, analyzed, and exploited. Each entity type has specific properties and unique identifiers that allow the system to track and deduplicate findings across different assessment phases.

Pentest Copilot supports an exhaustive list of entities that are capable to handle any kind of engagement, below are a few important entities:

Types of Entities

  • Domain (Root):Represents a DNS domain or subdomain that is part of the target organization's attack surface. It can be either a root domain (e.g., example.com) or a subdomain (e.g., api.example.com).

    • WebPage: Represents a specific URL endpoint discovered on a web application. It captures both the structure of URLs (with dynamic parameters) and their raw content for analysis.

  • Subnet (Root): Represents a network subnet discovered during internal assessment. It defines an IP address range that can contain multiple hosts and is used as a starting point for internal network enumeration.

    • Host: Represents an individual computer, server, or device discovered within a network subnet during internal assessment.

  • APKFile (Root): Represents an Android application package file that can be analyzed for security vulnerabilities

    • Activity: Represents an Android application screen or activity discovered through APK analysis. In Android development, an Activity is a single screen with a user interface, and each APK can contain multiple activities that define the app's functionality and user interaction flows.

  • Trajectory: Represents a sequence of interactions (actions) that achieve a specific goal on a web application or mobile app. It's used for automated testing and vulnerability discovery by recording and replaying user behaviors. [Found in external assessments for both Android and Web scans]

    • APIAction: Represents HTTP API calls made during the trajectory

    • BrowserAction: Represents browser-based user interactions eg. clicking a button, filling a form

    • AndroidAction: Represents mobile app interactions e.g. Click, swipe, type, scroll

hashtag
List of all entities

Entity
Description

Activity

Android app screen (activity) tied to APK analysis and navigation flows.

ADOBJ

Generic Active Directory object with DN/GUID, privileges, and ACEs for attack-path mapping.

AnonymousLogin

Credential pair representing anonymous or guest access where it was accepted.

APKFile

Android package (APK) used as the root target for mobile analysis.

Application

Logical application asset in attack-surface modeling (distinct app identity in ASM).

ASN

Autonomous System Number associated with discovered network infrastructure.

BrowserSession

Captured browser state: cookies, storage, auth metadata, and recorded browser actions.

Certificate

TLS/X.509 material: CN, SANs, validity, and related serving endpoints.

CertificateAuthority

Enterprise AD CS certificate authority configuration (web enrollment, permissions, exposure).

CertificateTemplate

AD CS certificate template definition (EKUs, enrollment flags, and misconfiguration context).

CloudResource

Exposed cloud endpoint or object (URL, access level, provider, scan metadata).

Delegation

Kerberos delegation relationship or finding (constrained/unconstrained style trust abuse surface).

Device

External asset or host fingerprint: OS, addresses, hostname, CPE, and discovery context.

Disk

Storage volume or mount surfaced during internal assessment for further file-level inspection.

Domain

DNS domain or subdomain: scope anchor with optional paths, DX/DNS metadata, and crawl settings.

DomainEscalation

Cross-domain or trust abuse scenario (trust direction/type, success, affected domains).

Employee

Person record from OSINT (name, role, contact, location, linked socials).

File

File artifact (path/type/content or URL-flag) tracked with a deduplication key.

Generic

Catch-all node wrapping a single scalar value when no specialized type applies.

GithubAccount

GitHub profile/account node for social/OSINT correlation.

Goal

High-level testing goal for crawling/automation (domain, APK, session, or parent linkage).

GraphQLSchema

Introspected GraphQL schema tied to a web URL for API security testing.

Group

Security group (membership, tiering, privileges, ACL/control edges) in the internal model.

GPO

Group Policy Object (paths, affected objects, control/abuse-relevant metadata).

Host

Internal assessment host: hostname/IP, OS, DC flags, delegation, and compromise state.

InternalSubnet

Subnet or network segment used in external/ASM-style internal network modeling.

IPAddress

Single IP asset with liveness, ports, services, CPE, and sighting timestamps.

IPRange

CIDR or ranged network block with geo/hosting/asn context (lightweight non-Entity helper type in code).

LinkedinAccount

LinkedIn profile/account node for OSINT.

MailServer

MX host record (address and priority) for a domain’s mail infrastructure.

MediumAccount

Medium profile/account node for OSINT.

Memory

Short- or long-term agent memory blob linked to a parent entity for context retention.

NetworkHost

Network-visible host abstraction in ASM (host-level discovery complementing IP/Device).

PasswordFiles

Recovered credential material from files (username, hash, cracked password when available).

Secret

Normalized credential or sensitive artifact (identifiers + typed secrets + metadata).

Service

Network service on an IP (name, port, protocol, banner) driving follow-on checks.

ServiceName

Kerberos service principal / SPN-style record with delegation-related attributes.

Session

Interactive session identifier with user binding and active/inactive state.

S3Bucket

Object storage bucket with permissions, ownership, and enumeration summary.

SMB

SMB relationship or SMB-oriented finding distinct from a named share (SMBShare).

SMBShare

Discovered SMB share name with assessed access level.

SocialAccount

Platform-agnostic social profile (username, URL, stats, verification, enrichments).

Subnet

Internal engagement subnet (CIDR/name/gateway/DHCP context) for host discovery.

Technology

Stack or product fingerprint (e.g. framework/CMS) on an asset.

TestCase

Structured security test definition (ideas, indicators, CWE, severity, execution traces).

TestCaseSet

Batch container of test cases with category and optional downstream tester dispatch.

TGS

Kerberos service ticket (TGS) material with SPN, user, and expiry metadata.

TGT

Kerberos Ticket-Granting Ticket for a user/realm with expiry and encrypted payload.

Trajectory

Ordered list of actions (browser/API/mobile) summarizing a user flow for replay and deduped testing.

TwitterAccount

Twitter/X profile/account node for OSINT.

User

Domain or internal user with sam/name, membership, session/privilege edges, and compromise flag.

Vulnerability

Reported finding with target, CWE/CVE, CVSS, narrative, references, and verification state.

WebApplication

Web app surface (URL, title, tech, behaviors) grouping pages and behaviors.

WebPage

Concrete URL (dynamic-parameter pattern, content, screenshots) as the unit of web testing.

WebPageGroup

Deduplicated cluster of related WebPage records processed as a single batch.

WhoisData

Registrar/WHOIS fields for a domain (lifecycle, registrant hints, name servers, status).

Wordlist

Wordlist file path used for cracking or spraying workflows.

PreviousExploit GraphNextRelations

Last updated