How it works

From a domain to a decision, in five acts.

Every assessment follows the same arc — submit, observe, orient, decide, act — wrapped in a cognitive core that reasons over your attack surface as a model, not a wall of output. Here is the whole flow in plain language.

The five acts

01 Submit

You authorize a target

You enter a domain or IP you own or are authorized to test. Before a single packet leaves the box, an intake gate scores the target and refuses off-limits categories — hospitals, governments, schools, critical infrastructure. Authorized targets are queued; everything else is declined with a reason.

02 Observe

Recon maps the attack surface

The pipeline runs the same tools a human tester reaches for — subdomain discovery, port discovery, live-web probing with technology fingerprinting, and service-version scanning of each discovered asset. The result is one structured picture of your surface: what exists, what is exposed, and what is running.

03 Orient

The agent ranks what matters

A security-tuned model reads that whole picture and writes a prioritized threat assessment: an executive summary, an overall risk level, and findings with severity, evidence, impact and remediation. You see the few findings that matter — not five hundred undifferentiated alerts.

04 Decide

It decides whether to dig deeper

After each pass the agent asks itself whether one more focused scan wave is worth it. That decision runs under a hard step budget and is fully audited — you can read why it continued or stopped. It is built to stop itself; the budget is the guarantee, not a hope.

05 Act

It confirms the findings that count

For high and critical findings, Xseth runs a non-destructive validation probe. A confirmed finding comes back badged CONFIRMED with the evidence behind it; an unconfirmed one is left honestly marked as unproven. Probes that send real attack traffic never fire on their own — they wait for an operator to approve them.

06 Report

You get a deliverable

Export the whole assessment as a client-ready PDF — prioritized findings, evidence, impact and remediation, written up in plain prose. It is the artifact you hand to a client or drop straight into a ticket.

The CORTEX

A brain, not a bigger checklist

A scanner has a checklist. The thing that makes Xseth reason is its cognitive core — three capabilities that work over a shared, persistent picture of your surface. This is what we mean by Observe, Orient, Decide, Act.

The world-model

Every scan is projected into a persistent graph of hosts, subdomains, services, web endpoints and the edges between them. The agent reasons over that structure instead of treating each finding in isolation — and the model grows as you re-scan, so coverage compounds.

Attack-path chaining

A separate reasoning pass looks for places where individually low findings combine into a high-impact path — an exposed config plus a weak service that, together, unlock something a checklist would never connect. "No genuine chain here" is a valid, common answer; it is reasoning about candidate paths, not a claim of proof.

The bounded decide-loop

The Observe → Orient → Decide → Act cycle is the loop. Each turn the agent decides to continue or stop, bounded by a step budget and recorded as an audit trail. Convergence usually halts it first; the budget is the hard guarantee that it always terminates.
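The bounded loop described above, modelled in code. This is an added example written for this page, not Xseth's own implementation: the scan waves are constructed sample data, the world-model is reduced to a set of finding ids, and the audit trail is a list of decision records with the reason for each verdict.

```python
from dataclasses import dataclass


@dataclass
class Decision:
    """One audited turn of the loop: what was learned and why it continued or stopped."""
    step: int
    new_findings: int
    total_findings: int
    budget_left: int
    verdict: str   # "continue" or "stop"
    reason: str


# Constructed sample scan waves (not real scan output): each set is what one focused
# wave "discovers". Wave 3 repeats wave 2, so the loop should converge there.
SAMPLE_WAVES = [
    {"ssh-22-open", "http-80-open", "tls-weak-cipher"},
    {"http-80-open", "admin-panel-8080"},
    {"admin-panel-8080"},
    {"never-observed"},   # not reached when convergence stops the loop first
]


def run_decide_loop(waves, step_budget):
    """Observe -> Orient -> Decide -> Act until a wave adds nothing new (convergence)
    or the step budget is spent. Returns (world_model, audit_trail)."""
    world_model = set()   # stand-in for the persistent graph of findings
    audit = []
    step = 0
    while True:
        if step >= step_budget:                       # hard guarantee of termination
            audit.append(Decision(step, 0, len(world_model), 0, "stop",
                                  "step budget exhausted"))
            return world_model, audit
        if step >= len(waves):                        # nothing left to scan
            audit.append(Decision(step, 0, len(world_model), step_budget - step,
                                  "stop", "no further scan waves available"))
            return world_model, audit
        # Observe + Orient: project the wave into the world-model, keep only the delta
        new = waves[step] - world_model
        world_model |= waves[step]
        step += 1
        left = step_budget - step
        if not new:                                   # Decide: converged, so stop
            audit.append(Decision(step, 0, len(world_model), left, "stop",
                                  "converged: wave added no new findings"))
            return world_model, audit
        audit.append(Decision(step, len(new), len(world_model), left, "continue",
                              f"{len(new)} new finding(s), {left} step(s) left"))
        # Act: the next iteration launches the next focused wave


def stop_reason(audit):
    """The auditable answer to 'why did it stop?': the reason on the final decision."""
    return audit[-1].reason
```

Running it with a generous budget shows convergence halting the loop at the third wave; running it against waves that always produce something new shows the budget binding instead.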

The honest line

Reachability, not exploitability

When Xseth badges a finding CONFIRMED, it means a non-destructive probe reached the issue and matched real evidence — the weakness is genuinely there and reachable. It does not mean Xseth broke in. Proving a weakness is real (reachability) and proving you can exploit it end-to-end (exploitability) are different claims, and we only make the first. Anything not confirmed stays marked unproven rather than dressed up as fact.