Bug Hunts
Overview
Nullify performs offensive security testing across your external attack surface. Bug hunts combine passive reconnaissance, active service discovery, and protocol-specific security analysis to uncover compound vulnerabilities that automated scanners miss.
Scheduling
Bug hunts support flexible scheduling:
Frequencies: Daily, weekly, or monthly
Time Control: Specify exact start time with timezone support
Default: Must be explicitly enabled (no automatic weekly schedule)
On-Demand: Can be triggered immediately via API
Configure the schedule during onboarding or via the Nullify platform interface.
How Bug Hunts Work
1. Trigger
Security Program Management campaigns or high-risk events kick off a hunt:
New internet-facing service deployment
Critical CVE advisory affecting your stack
Leaked credentials detected
Scheduled execution (daily/weekly/monthly)
2. Reconnaissance
Nullify maps your attack surface:
Subdomain Discovery:
Passive: Certificate transparency logs, DNS records, search engines
Active: DNS brute forcing with smart wordlists
Tools: Amass, Subdominator
Port Scanning:
Network service discovery across all subdomains
Optimized scanning (Nmap, Masscan)
Protocol-specific security analysis for 25+ protocols
Service Fingerprinting:
Technology stack identification
Version detection for running services
Banner grabbing and HTTP analysis
3. Intelligence Integration
Bug hunts leverage context from other Nullify assessments:
Static Analysis Integration:
SAST findings identify injection points (SQL, command, path traversal)
Known vulnerable code patterns guide testing strategies
CWE mapping prioritizes attack classes
Dependency Intelligence:
SCA findings identify exploitable CVEs (e.g., Log4Shell)
Package versions inform exploit selection
Supply chain vulnerabilities guide compound attack chains
Cloud Context:
Infrastructure topology from cloud audits
Network reachability analysis
Code-to-cloud mapping for blast radius assessment
4. Compound Vulnerability Discovery
Nullify discovers multi-stage attack patterns:
Critical Infrastructure Attacks:
Remote Code Execution chains (RCE)
SQL Injection → Data Extraction → Credential Harvesting
Authentication Bypass → Privilege Escalation
Container Escape sequences
Web Application Attacks:
Injection chains (SQLi → LDAPi → Code Exec)
Broken Authorization (IDOR, path traversal, role bypass)
Business Logic Flaws (price manipulation, workflow bypass, race conditions)
Network & Cloud Attacks:
SSRF → AWS Metadata Service → IAM Credential Theft
MITM with protocol downgrade
Lateral movement via credential reuse
Advanced Persistent Techniques:
Multi-stage lateral movement
Data exfiltration patterns
Cross-domain traversal
5. Protocol-Specific Security Analysis
Supported Protocols (25+):
Web: HTTP/HTTPS, WebSocket
Databases: MySQL, PostgreSQL, MongoDB, Redis, MSSQL, Oracle
Infrastructure: SSH, FTP, SMTP, LDAP, SMB
Container Orchestration: Kubernetes API, Docker socket
Cloud Services: AWS, Azure, GCP APIs
Each protocol analyzer performs:
Authentication testing
Configuration review
Known vulnerability checks
Weak credential detection
6. Safe Operation
Bug hunts operate in PASSIVE mode by default:
Read-Only Operations: GET, HEAD, OPTIONS only
Conservative Rate Limits: 1 request/sec for discovery, 0.5 req/sec for banner grabbing
No Exploit Validation: Theory-based findings only (no active exploitation)
Adaptive Throttling: Backs off if target shows stress signals
Distributed Locking: Prevents concurrent scans of same tenant
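One way to enforce the passive-mode limits listed above in a scanner's request path. This is an added example, not Nullify's code; the `PassiveGuard` class, the choice of HTTP 429/503 as stress signals, and the doubling back-off are assumptions.

```python
import time

READ_ONLY_METHODS = {"GET", "HEAD", "OPTIONS"}     # passive mode, per the page
MIN_INTERVAL = {"discovery": 1.0, "banner": 2.0}   # 1 req/sec and 0.5 req/sec
STRESS_STATUSES = {429, 503}                       # assumption: stress signals


class PassiveGuard:
    """Per-host gate: read-only methods, fixed pacing, back-off on stress."""

    def __init__(self, clock=time.monotonic, max_backoff=60.0):
        self.clock = clock
        self.max_backoff = max_backoff
        self.next_allowed = {}   # host -> earliest time of the next request
        self.penalty = {}        # host -> extra delay added after stress signals

    def check(self, host, method, kind="discovery"):
        """Return (allowed, wait_seconds, reason); reserves the slot if allowed."""
        if method.upper() not in READ_ONLY_METHODS:
            return False, 0.0, "method not read-only"
        now = self.clock()
        wait = self.next_allowed.get(host, 0.0) - now
        if wait > 0:
            return False, wait, "rate limit"
        delay = MIN_INTERVAL[kind] + self.penalty.get(host, 0.0)
        self.next_allowed[host] = now + delay
        return True, 0.0, "ok"

    def record_response(self, host, status):
        """Double the penalty on a stress signal, halve it on a healthy reply."""
        cur = self.penalty.get(host, 0.0)
        if status in STRESS_STATUSES:
            cur = min(self.max_backoff, max(1.0, cur * 2))
            # Push out the slot that was already reserved for this host.
            self.next_allowed[host] = self.next_allowed.get(host, 0.0) + cur
        else:
            cur = 0.0 if cur <= 1.0 else cur / 2
        self.penalty[host] = cur
        return cur
```

Passing a fake `clock` makes the pacing testable without sleeping.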
Operating Modes
Nullify supports three bug hunt intensity levels:
PASSIVE (Default - Production Safe)
Network discovery and service enumeration
No intrusive testing
1 req/sec maximum per host
Read-only HTTP methods
ACTIVE (Cautious Testing)
Limited vulnerability validation
0.5 req/sec maximum for tests
Selective exploit attempts
Requires explicit authorization
PENTEST (Full Exploitation - See Pentests)
Aggressive testing
Exploit chain validation
Multi-stage attacks
Separate capability with different triggers
Attack Graph Construction
Nullify builds an attack graph connecting:
Entry Points: Discovered services and endpoints
Vulnerabilities: Known weaknesses and misconfigurations
Assets: Target resources and data
Objectives: Potential attack goals
Graph analysis identifies:
Shortest path to compromise
Highest impact attack chains
Most likely exploitation sequences
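The graph analysis described above can be reproduced on a small scale to see which fix removes the riskiest chain. This is an added example, not Nullify's implementation; the node names, weakness labels, and likelihood values are constructed, and Dijkstra over `-log(p)` is one assumed way to rank "most likely" sequences.

```python
import heapq
import math

# Constructed sample graph: (source, target, weakness label, likelihood in (0, 1])
EDGES = [
    ("web-frontend", "metadata-service", "SSRF", 0.6),
    ("metadata-service", "iam-role", "IAM credentials exposed", 0.9),
    ("iam-role", "customer-db", "over-permissive role", 0.8),
    ("admin-portal", "customer-db", "authentication bypass", 0.3),
    ("web-frontend", "admin-portal", "credential reuse", 0.5),
]


def best_chain(edges, entry_points, objective, cost):
    """Dijkstra from all entry points; returns (total_cost, [(src, label, dst)])."""
    adj = {}
    for src, dst, label, p in edges:
        adj.setdefault(src, []).append((dst, label, cost(p)))
    heap = [(0.0, entry, []) for entry in entry_points]
    heapq.heapify(heap)
    done = set()
    while heap:
        total, node, path = heapq.heappop(heap)
        if node == objective:
            return total, path
        if node in done:
            continue
        done.add(node)
        for dst, label, w in adj.get(node, []):
            if dst not in done:
                heapq.heappush(heap, (total + w, dst, path + [(node, label, dst)]))
    return None  # objective not reachable from any entry point


def shortest_chain(edges, entry_points, objective):
    """Fewest steps to the objective: every edge costs 1."""
    return best_chain(edges, entry_points, objective, lambda p: 1.0)


def most_likely_chain(edges, entry_points, objective):
    """Highest product of likelihoods, found as the lowest sum of -log(p)."""
    found = best_chain(edges, entry_points, objective, lambda p: -math.log(p))
    return None if found is None else (math.exp(-found[0]), found[1])
```

Re-running `most_likely_chain` with one weakness removed from `EDGES` shows how much a single remediation lowers the best remaining chain.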
Evidence Collection
Bug hunt findings include:
Network topology maps
Service inventory with versions
Open port listings
Technology stack fingerprints
Theoretical attack chains
Prioritized remediation guidance
No Active Exploitation: Evidence comes from reconnaissance, not validated exploits (use Pentests for validation).
Workflow Integration
Bug hunt findings flow into:
Jira: Auto-created tickets with ownership mapping
Slack: Notifications for critical attack surface changes
GitHub/Bitbucket: Correlation with code repositories
Security Program Management: Campaign tracking for attack surface reduction
Pentests: Discovered applications can be added to pentest targets
Security Posture Monitoring
Nullify continuously monitors your attack surface for security weaknesses and misconfigurations:
Exposed Services: Detects internet-facing services with weak configurations or known vulnerabilities
Infrastructure Weaknesses: Identifies overpermissive network rules, default credentials, unencrypted protocols
Workload Context: Understands business criticality of exposed services and data sensitivity
Risk Validation: Active testing determines if detected weaknesses pose genuine security risks
Change Tracking: Monitors service versions, certificate expiry, and topology changes to catch new exposures
Configuration
Configure bug hunts during Onboarding:
Define in-scope assets (domains, IP ranges, CIDR blocks)
Specify excluded assets (third-party services, partner networks)
Link bug bounty program data (HackerOne, BugCrowd)
Set scanning schedule and frequency
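A scope check of the kind these settings imply, where exclusions take precedence over in-scope entries. This is an added example, not Nullify's code; the sample entries use documentation-reserved names and addresses, and treating an in-scope domain as covering its subdomains is an assumption.

```python
import ipaddress

# Constructed sample scope: a domain, a CIDR block, and an IP range.
IN_SCOPE = ["example.com", "203.0.113.0/24", "198.51.100.10-198.51.100.20"]
EXCLUDED = ["status.example.com", "203.0.113.128/25"]


def _parse(entry):
    """Turn a scope entry into ('net', [networks]) or ('domain', name)."""
    lo, sep, hi = entry.partition("-")
    try:
        if sep:  # "first-last" IP range; hyphenated hostnames fall through
            first = ipaddress.ip_address(lo.strip())
            last = ipaddress.ip_address(hi.strip())
            return "net", list(ipaddress.summarize_address_range(first, last))
        return "net", [ipaddress.ip_network(entry, strict=False)]
    except ValueError:
        return "domain", entry.lower().rstrip(".")


def _matches(target, entries):
    try:
        addr, host = ipaddress.ip_address(target), None
    except ValueError:
        addr, host = None, target.lower().rstrip(".")
    for kind, value in map(_parse, entries):
        if addr is not None and kind == "net":
            if any(addr in net for net in value):
                return True
        elif addr is None and kind == "domain":
            # Match on a label boundary so evil-example.com != example.com.
            if host == value or host.endswith("." + value):
                return True
    return False


def in_scope(target, included=IN_SCOPE, excluded=EXCLUDED):
    """Exclusions win over inclusions; anything unlisted is out of scope."""
    return _matches(target, included) and not _matches(target, excluded)
```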
Credential Management
Nullify has a credential vault and supports any method of authentication with your applications.

