9. Project Settings Reference

samuele edited this page Feb 21, 2026 · 2 revisions

Every project in RedAmon has 180+ configurable parameters that control the behavior of each reconnaissance module and the AI agent. These settings are managed through the project form UI (11 tabs), stored in PostgreSQL, and fetched by the recon container and agent at runtime.

Defaults: Sensible defaults are loaded automatically from the server when creating a new project. You only need to fill in the required fields (project name and target domain) and adjust what you want.

Target Configuration

| Parameter | Default | Description |
|---|---|---|
| Target Domain | | The root domain to assess (required) |
| Subdomain List | [] | Specific subdomain prefixes to scan (empty = discover all) |
| Verify Domain Ownership | false | Require DNS TXT record proof before scanning |
| Ownership Token | (auto) | Unique token for TXT record verification |
| Ownership TXT Prefix | _redamon | DNS record name prefix |
| Stealth Mode | false | Forces passive-only techniques — disables active scanning, brute force, and GVM |
| Use Tor | false | Route all recon traffic through the Tor network |
| Use Bruteforce | true | Enable Knockpy active subdomain bruteforcing |

Scan Module Toggles

Modules can be individually enabled/disabled with automatic dependency resolution — disabling a parent module automatically disables all children:

domain_discovery (root)
  └── port_scan
       └── http_probe
            ├── resource_enum
            └── vuln_scan

| Parameter | Default | Description |
|---|---|---|
| Scan Modules | all enabled | Array of phases to execute |
| Update Graph DB | true | Auto-import results into Neo4j |
| WHOIS Max Retries | 3 | Retry attempts for WHOIS lookups |
| DNS Max Retries | 3 | Retry attempts for DNS resolution |
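As an added illustration (not RedAmon's own code), the parent/child rule for scan modules can be modeled as a walk over the tree shown above. The module names come from that tree; `resolve_modules` and its `dropped` map are hypothetical names used only here.

```python
# Added illustration; not RedAmon's implementation.
# Parent -> children edges copied from the module tree on this page.
MODULE_TREE = {
    "domain_discovery": ["port_scan"],
    "port_scan": ["http_probe"],
    "http_probe": ["resource_enum", "vuln_scan"],
    "resource_enum": [],
    "vuln_scan": [],
}
ROOT = "domain_discovery"


def resolve_modules(requested):
    """Resolve a requested Scan Modules array (hypothetical helper).

    Returns (effective, dropped):
      effective - modules that will run, parents before children
      dropped   - {module: first disabled ancestor} for requested
                  modules that cannot run because a parent is off
    """
    unknown = set(requested) - set(MODULE_TREE)
    if unknown:
        raise ValueError(f"unknown scan modules: {sorted(unknown)}")

    wanted = set(requested)
    effective, dropped = [], {}

    def walk(module, blocked_by):
        # blocked_by: first disabled module on the path from the root
        if module in wanted:
            if blocked_by is None:
                effective.append(module)
            else:
                dropped[module] = blocked_by
        elif blocked_by is None:
            blocked_by = module  # this module is off: block its subtree
        for child in MODULE_TREE[module]:
            walk(child, blocked_by)

    walk(ROOT, None)
    return effective, dropped


if __name__ == "__main__":
    # Constructed input: http_probe is switched off, children left on.
    run, skipped = resolve_modules(
        ["domain_discovery", "port_scan", "resource_enum", "vuln_scan"]
    )
    print("will run:", run)
    print("disabled by dependency:", skipped)
```
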

Port Scanner (Naabu)

Controls how ports are discovered on target hosts.

| Parameter | Default | Description |
|---|---|---|
| Top Ports | 1000 | Port selection: 100, 1000, or custom |
| Custom Ports | | Manual port range (e.g., 80,443,8080-8090) |
| Scan Type | SYN | SYN (fast, requires root) or CONNECT (slower, no root needed) |
| Rate Limit | 1000 | Packets per second |
| Threads | 25 | Parallel scanning threads |
| Timeout | 10000 | Per-port timeout in milliseconds |
| Retries | 3 | Retry attempts for unresponsive ports |
| Exclude CDN | true | Skip CDN-hosted IPs (Cloudflare, Akamai, etc.) |
| Display CDN | true | Show CDN info but don't scan deeper |
| Skip Host Discovery | false | Skip ping-based host check |
| Verify Ports | false | Double-check ports with TCP handshake |
| Passive Mode | false | Use Shodan InternetDB instead of active scanning (zero packets) |

HTTP Prober (httpx)

Controls what metadata is extracted from live HTTP services.

Connection Settings:

| Parameter | Default | Description |
|---|---|---|
| Threads | 50 | Concurrent HTTP probes |
| Timeout | 15 | Request timeout (seconds) |
| Retries | 0 | Retry attempts for failed requests |
| Rate Limit | 150 | Requests per second |
| Follow Redirects | true | Follow HTTP redirects |
| Max Redirects | 10 | Maximum redirect chain depth |

Probe Toggles (each individually enabled/disabled):

| Probe | Default | Description |
|---|---|---|
| Status Code | true | HTTP response status code |
| Content Length | true | Response body size |
| Content Type | true | MIME type of response |
| Title | true | HTML page title |
| Server | true | Server header value |
| Response Time | true | Time to first byte |
| Word Count | true | Number of words in response |
| Line Count | true | Number of lines in response |
| Tech Detect | true | Built-in technology fingerprinting |
| IP | true | Resolved IP address |
| CNAME | true | CNAME DNS records |
| TLS Info | true | TLS certificate details |
| TLS Grab | true | Full TLS handshake data |
| Favicon | false | Favicon hash (for fingerprinting) |
| JARM | false | JARM TLS fingerprint |
| ASN | true | Autonomous System Number |
| CDN | true | CDN provider detection |
| Response Hash | | Hash algorithm for response body |
| Include Response | false | Include full response body |
| Include Response Headers | false | Include all response headers |

Filtering:

| Parameter | Default | Description |
|---|---|---|
| Paths | [] | Additional paths to probe on each host |
| Custom Headers | [] | Extra headers to send with requests |
| Match Codes | [] | Only keep responses with these status codes |
| Filter Codes | [] | Exclude responses with these status codes |

Technology Detection (Wappalyzer)

Second-pass technology fingerprinting engine with 6,000+ fingerprints.

| Parameter | Default | Description |
|---|---|---|
| Enabled | true | Master toggle for Wappalyzer |
| Min Confidence | 50 | Minimum detection confidence (0-100%) |
| Require HTML | false | Only fingerprint responses with HTML content |
| Auto Update | true | Update fingerprint database from npm |
| NPM Version | 6.10.56 | Wappalyzer npm package version |
| Cache TTL (hours) | 24 | How long to cache fingerprint data |

Banner Grabbing

Raw socket banner extraction for non-HTTP services.

| Parameter | Default | Description |
|---|---|---|
| Enabled | true | Master toggle for banner grabbing |
| Timeout | 5 | Connection timeout (seconds) |
| Threads | 10 | Concurrent banner grab connections |
| Max Length | 1024 | Maximum banner size (bytes) |

Web Crawler (Katana)

Active web crawling for endpoint and parameter discovery.

| Parameter | Default | Description |
|---|---|---|
| Enable Katana | true | Master toggle for active web crawling |
| Crawl Depth | 2 | How many links deep to follow (1-10). Each level adds ~50% time |
| Max URLs | 300 | Maximum URLs to collect per domain. 300: ~1-2 min/domain, 1000+: scales linearly |
| Rate Limit | 50 | Requests per second |
| Timeout | 3600 | Overall crawl timeout in seconds (default: 60 minutes) |
| JavaScript Crawling | false | Parse JS files with headless browser (+50-100% time) |
| Parameters Only | false | Only keep URLs with query parameters for DAST fuzzing |
| Exclude Patterns | [100+ patterns] | URL patterns to skip — static assets, images, CDN URLs |
| Custom Headers | [] | Browser-like headers to avoid detection |

Passive URL Discovery (GAU)

Passive URL discovery from web archives and threat intelligence sources.

| Parameter | Default | Description |
|---|---|---|
| Enable GAU | false | Master toggle for passive URL discovery |
| Providers | wayback, commoncrawl, otx, urlscan | Data sources for archived URLs |
| Max URLs | 1000 | Maximum URLs per domain (0 = unlimited) |
| Timeout | 60 | Request timeout per provider (seconds) |
| Threads | 5 | Parallel fetch threads (1-20) |
| Year Range | [] | Filter Wayback by year (e.g., "2020, 2024"). Empty = all |
| Verbose Output | false | Detailed logging |
| Blacklist Extensions | [png, jpg, css, pdf, zip, ...] | File extensions to exclude |

URL Verification (when enabled, GAU confirms URLs are still live):

| Parameter | Default | Description |
|---|---|---|
| Verify URLs | false | HTTP check on archived URLs |
| Verify Timeout | 5 | Seconds per URL check |
| Verify Rate Limit | 100 | Verification requests per second |
| Verify Threads | 50 | Concurrent verification threads (1-100) |
| Accept Status Codes | [200, 201, 301, ...] | Status codes indicating a live URL |
| Filter Dead Endpoints | true | Exclude 404/500/timeout URLs |

HTTP Method Detection (when verification is enabled):

| Parameter | Default | Description |
|---|---|---|
| Detect Methods | false | Send OPTIONS to discover allowed methods |
| Method Detect Timeout | 5 | Seconds per OPTIONS request |
| Method Detect Rate Limit | 50 | Requests per second |
| Method Detect Threads | 25 | Concurrent threads |

API Discovery (Kiterunner)

API endpoint brute-forcing using real-world Swagger/OpenAPI wordlists.

| Parameter | Default | Description |
|---|---|---|
| Enable Kiterunner | true | Master toggle for API brute-forcing |
| Wordlist | routes-large | routes-large (~100k, 10-30 min) or routes-small (~20k, 5-10 min) |
| Rate Limit | 100 | Requests per second |
| Connections | 100 | Concurrent connections per target |
| Timeout | 10 | Per-request timeout (seconds) |
| Scan Timeout | 1000 | Overall scan timeout (seconds) |
| Threads | 50 | Parallel scanning threads |
| Min Content Length | 0 | Ignore responses smaller than this (bytes) |

Status Code Filters:

| Parameter | Default | Description |
|---|---|---|
| Ignore Status Codes | [] | Blacklist: filter out noise (e.g., 404, 500) |
| Match Status Codes | [200, 201, ...] | Whitelist: only keep these codes. Includes 401/403 |
| Custom Headers | [] | For authenticated API scanning |

Method Detection:

| Parameter | Default | Description |
|---|---|---|
| Detect Methods | true | Find POST/PUT/DELETE methods beyond GET |
| Detection Mode | bruteforce | bruteforce (slower, more accurate) or options (faster) |
| Bruteforce Methods | POST, PUT, DELETE, PATCH | Methods to try in bruteforce mode |
| Method Detect Timeout | 5 | Seconds per request |
| Method Detect Rate Limit | 50 | Requests per second |
| Method Detect Threads | 25 | Concurrent threads |

Vulnerability Scanner (Nuclei)

Template-based vulnerability scanning with 9,000+ community templates.

Performance Settings:

| Parameter | Default | Description |
|---|---|---|
| Severity Levels | critical, high, medium, low, info | Severity filter. Excluding "info" is ~70% faster |
| Rate Limit | 100 | Requests per second |
| Bulk Size | 25 | Hosts processed in parallel |
| Concurrency | 25 | Templates executed in parallel |
| Timeout | 10 | Request timeout per check (seconds) |
| Retries | 1 | Retry attempts for failed requests (0-10) |
| Max Redirects | 10 | Maximum redirect chain (0-50) |

Template Configuration:

| Parameter | Default | Description |
|---|---|---|
| Template Folders | [] | Directories to include (cves, vulnerabilities, misconfiguration, exposures, etc.). Empty = all |
| Exclude Template Paths | [] | Exclude specific directories or files |
| Custom Template Paths | [] | Your own templates in addition to the official repo |
| Include Tags | [] | Filter by tags: cve, xss, sqli, rce, lfi, ssrf, xxe, ssti. Empty = all |
| Exclude Tags | [] | Exclude tags — recommended: dos, fuzz for production |

Template Options:

| Parameter | Default | Description |
|---|---|---|
| Auto Update Templates | true | Download latest before scan (+10-30 seconds) |
| New Templates Only | false | Only run templates added since last update |
| DAST Mode | true | Active fuzzing for XSS, SQLi, RCE (+50-100% time) |

Advanced Options:

| Parameter | Default | Description |
|---|---|---|
| Headless Mode | false | Use headless browser for JS pages (+100-200% time) |
| System DNS Resolvers | false | Use OS DNS instead of Nuclei defaults |
| Interactsh | true | Blind vulnerability detection via out-of-band callbacks |
| Follow Redirects | true | Follow HTTP redirects during scanning |
| Scan All IPs | false | Scan all resolved IPs, not just hostnames |

CVE Enrichment

Enrich findings with CVSS scores, descriptions, and references.

| Parameter | Default | Description |
|---|---|---|
| Enable CVE Lookup | true | Master toggle |
| CVE Source | nvd | Data source: nvd or vulners |
| Max CVEs per Finding | 20 | Maximum entries per technology (1-100) |
| Min CVSS Score | 0 | Only include CVEs at or above this score (0-10) |
| NVD API Key | | Free key from nist.gov — ~80x faster with key |
| Vulners API Key | | Key for Vulners data source |

MITRE Mapping

CWE/CAPEC enrichment of CVE findings.

| Parameter | Default | Description |
|---|---|---|
| Auto Update DB | true | Auto-update CWE/CAPEC database |
| Include CWE | true | Map CVEs to CWE weaknesses |
| Include CAPEC | true | Map CWEs to CAPEC attack patterns |
| Enrich Recon CVEs | true | Enrich CVEs from reconnaissance |
| Enrich GVM CVEs | true | Enrich CVEs from GVM scans |
| Cache TTL (hours) | 24 | Database cache duration |

Security Checks

25+ individual toggle-controlled checks grouped into six categories. Each check creates a Vulnerability node in the graph if the condition is detected.

Global Settings:

| Parameter | Default | Description |
|---|---|---|
| Enable Security Checks | true | Master toggle for all checks |
| Timeout | 10 | Per-check timeout (seconds) |
| Max Workers | 10 | Concurrent check threads |

Network Exposure:

| Check | Default | Description |
|---|---|---|
| Direct IP HTTP | true | HTTP accessible via IP address |
| Direct IP HTTPS | true | HTTPS accessible via IP address |
| IP API Exposed | true | API endpoints accessible via IP |
| WAF Bypass | true | WAF can be bypassed via direct IP |

TLS/Certificate:

| Check | Default | Description |
|---|---|---|
| TLS Expiring Soon | true | Certificate expires within configurable days |
| TLS Expiry Days | 30 | Days before expiry to trigger warning |

Security Headers:

| Check | Default | Description |
|---|---|---|
| Missing Referrer-Policy | true | No Referrer-Policy header |
| Missing Permissions-Policy | true | No Permissions-Policy header |
| Missing COOP | true | No Cross-Origin-Opener-Policy |
| Missing CORP | true | No Cross-Origin-Resource-Policy |
| Missing COEP | true | No Cross-Origin-Embedder-Policy |
| Cache-Control Missing | true | No Cache-Control header |
| CSP Unsafe Inline | true | Content-Security-Policy allows unsafe-inline |

Authentication:

| Check | Default | Description |
|---|---|---|
| Login No HTTPS | true | Login form served over HTTP |
| Session No Secure | true | Session cookie missing Secure flag |
| Session No HttpOnly | true | Session cookie missing HttpOnly flag |
| Basic Auth No TLS | true | Basic Authentication without TLS |

DNS Security:

| Check | Default | Description |
|---|---|---|
| SPF Missing | true | No SPF record for the domain |
| DMARC Missing | true | No DMARC record |
| DNSSEC Missing | true | DNSSEC not configured |
| Zone Transfer | true | DNS zone transfer allowed |

Exposed Services:

| Check | Default | Description |
|---|---|---|
| Admin Port Exposed | true | Administrative ports publicly accessible |
| Database Exposed | true | Database ports publicly accessible |
| Redis No Auth | true | Redis accessible without authentication |
| Kubernetes API Exposed | true | Kubernetes API publicly accessible |
| SMTP Open Relay | true | SMTP server allows open relay |

Application:

| Check | Default | Description |
|---|---|---|
| Insecure Form Action | true | Form submits over HTTP |
| No Rate Limiting | true | No rate limiting detected on endpoints |

GVM Vulnerability Scan

Configure GVM/OpenVAS network-level scanning.

Scan Configuration:

| Parameter | Default | Description |
|---|---|---|
| Scan Profile | Full and fast | GVM scan preset — see GVM Vulnerability Scanning for all 7 profiles |
| Scan Targets Strategy | both | both (IPs + hostnames), ips_only, or hostnames_only |

Timeouts & Polling:

| Parameter | Default | Description |
|---|---|---|
| Task Timeout | 14400 | Maximum seconds per scan task (4 hours). 0 = unlimited |
| Poll Interval | 5 | Seconds between status checks (5-300) |

Post-Scan:

| Parameter | Default | Description |
|---|---|---|
| Cleanup After Scan | true | Remove targets/tasks from GVM after results are extracted |

GitHub Secret Hunting

Configure GitHub repository scanning for leaked credentials.

| Parameter | Default | Description |
|---|---|---|
| GitHub Access Token | | Personal Access Token (ghp_...) |
| Target Organization | | GitHub org or username to scan |
| Target Repositories | (all) | Comma-separated repo names to limit scope |
| Scan Member Repositories | false | Include individual member repos |
| Scan Gists | false | Search gists for secrets |
| Scan Commits | false | Examine git history for removed secrets |
| Max Commits to Scan | 100 | Max commits per repo (1-1000) |
| Output as JSON | false | Save results as downloadable JSON |

See GitHub Secret Hunting for a step-by-step setup guide including how to create a GitHub Personal Access Token.


Agent Behavior

Configure the AI agent orchestrator for autonomous pentesting.

LLM & Phase Configuration:

| Parameter | Default | Description |
|---|---|---|
| LLM Model | claude-opus-4-6 | AI model for the agent. 400+ models from 5 providers — see AI Model Providers |
| Post-Exploitation Type | statefull | statefull (Meterpreter sessions) or stateless (one-shot commands) |
| Activate Post-Exploitation Phase | true | Whether post-exploitation is available |
| Informational Phase System Prompt | | Custom instructions for the informational phase |
| Exploitation Phase System Prompt | | Custom instructions for the exploitation phase |
| Post-Exploitation Phase System Prompt | | Custom instructions for the post-exploitation phase |

Payload Direction:

| Parameter | Default | Description |
|---|---|---|
| LHOST (Attacker IP) | | Your IP for reverse shell callbacks. Leave empty for bind mode |
| LPORT | | Listening port for reverse shells. Leave empty for bind mode |
| Bind Port on Target | | Port the target opens for bind shell payloads |
| Payload Use HTTPS | false | Use reverse_https instead of reverse_tcp |

Agent Limits:

| Parameter | Default | Description |
|---|---|---|
| Max Iterations | 100 | Maximum LLM reasoning-action loops per objective |
| Trace Memory Steps | 100 | Past steps kept in agent's working context |
| Tool Output Max Chars | 20000 | Truncation limit for tool output (min: 1000) |

Approval Gates:

| Parameter | Default | Description |
|---|---|---|
| Require Approval for Exploitation | true | User confirmation before exploitation phase |
| Require Approval for Post-Exploitation | true | User confirmation before post-exploitation phase |

Retries, Logging & Debug:

| Parameter | Default | Description |
|---|---|---|
| Cypher Max Retries | 3 | Neo4j query retry attempts (0-10) |
| Log Max MB | 10 | Maximum log file size before rotation |
| Log Backups | 5 | Number of rotated log backups |
| Create Graph Image on Init | false | Generate a LangGraph visualization on startup |

Hydra Brute Force

Configure THC Hydra password cracking (50+ protocols: SSH, FTP, RDP, SMB, HTTP forms, databases, etc.).

| Parameter | Default | Description |
|---|---|---|
| Hydra Enabled | true | Enable/disable Hydra brute force |
| Threads (-t) | 16 | Parallel connections per target. Protocol limits: SSH max 4, RDP max 1, VNC max 4 |
| Wait Between Connections (-W) | 0 | Seconds between each connection. 0 = no delay |
| Connection Timeout (-w) | 32 | Max seconds to wait for a response |
| Stop On First Found (-f) | true | Stop when valid credentials are found |
| Extra Password Checks (-e) | nsr | Additional checks: n=null, s=username-as-password, r=reversed username |
| Verbose Output (-V) | true | Show each login attempt |
| Max Wordlist Attempts | 3 | Wordlist strategies to try before giving up (1-10) |

Tool Phase Restrictions

A matrix controlling which tools the agent can use in each operational phase. Each tool can be independently enabled/disabled per phase.

Tool Informational Exploitation Post-Exploitation
query_graph
web_search
execute_curl
execute_naabu
execute_nmap
execute_nuclei
kali_shell
execute_code
execute_hydra
metasploit_console
msf_restart

This matrix is configurable per project in the Attack Paths tab (Tab 11) of the project settings form.