โšก

6-Phase Pipeline

From Phase 0 through Phase 5 โ€” every engagement follows a structured, auditable pipeline with operator approval at every gate.

Overview

PortShim's 6-phase pipeline turns an ad-hoc pentest into a repeatable, auditable process. Each phase has a defined goal, a dedicated LLM model assignment, and a gate review that must pass before advancing.

Phase 0 โ€” Scope & Setup

The engagement starts here. Bootstrap the environment, sync knowledge bases (CVE data, device classifiers, exploit templates), and configure the engagement profile. The operator defines the target scope, selects the noise profile, and chooses the LLM mode (local / hybrid / cloud).

Gate 0: Operator confirms scope, profile, and model config. Pipeline won't proceed without explicit APPROVE.

Phase 1 โ€” Reconnaissance

Full network sweep using nmap with all-port scanning, OS detection, and service versioning. Device classification assigns roles (40+ types โ€” router, switch, printer, CCTV, PLC, etc.). Topology mapping builds a network graph.

Key scripts: topology.py โ€” parses XML output, classifies devices, builds topology map. stealth-profiles.py โ€” adjusts timing and parallelism per engagement profile.

Gate 1: topology.py --gate1 produces never-truncated host summaries. Operator reviews the full device inventory before proceeding.

Phase 2 โ€” Vulnerability Analysis

CVE cross-referencing via nmap-vulners NSE script, nuclei deep-scan with templated checks, and CVSS v3.1 scoring. Findings are prioritised by severity with exploit availability markers (public PoC, Metasploit module, or none).

Recommended model: Qwen3-Coder 30B โ€” 447 PP tok/s on Vulkan, strong at CVE analysis and code-level vulnerability reasoning.

Gate 2: Operator reviews the prioritised findings list, marks false positives, and approves the exploitation target list.

Phase 3 โ€” Exploitation

Controlled, non-destructive exploitation using hydra brute-force, paramiko SSH automation, and manual probing of discovered services (telnet, HTTP, UPnP, etc.). The LLM analyses service banners and suggests targeted exploit strategies.

Recommended model: SuperGemma4 26B โ€” 525 PP tok/s, strong at exploit analysis and unstructured data reasoning.

Constraint: Non-destructive escalation only. No service denial, no data exfiltration without explicit authorisation.

Gate 3: Operator reviews successful footholds and decides whether to deepen access or move to reporting.

Phase 4 โ€” Reporting

Multi-format deliverables from a single command. All reports share consistent branding, severity colouring, and structured findings.

Gate 4: Operator reviews draft reports, edits findings, and approves final deliverables.

Phase 5 โ€” Retest

After the client remediates, rescan the affected hosts, compare baseline vs. retest results, and auto-classify each finding as FIXED, STILL OPEN, NEW, or REGRESSION. The remediation checklist is updated with retest status and re-exported.

Key script: retest-diff.py โ€” compares NSE and nuclei output from baseline and retest scans, generates a structured diff.

Gate 5: Final sign-off. Operator confirms all critical/high findings are addressed or accepted as risk.

Gate Review Outcomes

At every phase gate, the operator has four options: