Pentestas / help

OPSEC stealth mode

Stealth mode is a per-engagement (or per-scan) OPSEC posture knob. Three levels, controlling which detectors run based on how noisy their network shape is to a SOC or WAF:

Mode          | What it runs                                                                                                                       | When to use
------------- | ---------------------------------------------------------------------------------------------------------------------------------- | -----------
Off (default) | Every detector                                                                                                                     | Staging, dev environments, engagements where speed matters
Moderate      | Quiet + Moderate detectors. Drops loud ones (race conditions, parameter discovery, time-based SQLi, CVE-active-probe fan-out)       | Production scans during a maintenance window — visible to SOC but not overwhelming
Quiet         | Quiet detectors only — passive recon shape                                                                                         | Production scans during business hours; engagements where the customer's SOC pages on LOUD activity

Detector noise levels

Every detector is classified into one of three noise levels:

  • Quiet — passive recon, single benign-shape request, or callback-oracle wait (no payload sent). Examples: header misconfiguration check, TLS audit, subdomain takeover, source-map exposure, websocket handshake.
  • Moderate — single-shot active probe per (target × vector) with realistic payload shapes. Most detectors live here: error-based SQLi, reflected XSS, open-redirect, SSRF, CSRF.
  • Loud — high-volume, time-based, brute-force, or vendor-IDS-friendly payload corpus. Race condition, parameter discovery, time-based SQLi, command injection (often time-based + many shells), exhaustive CVE active-probe fan-out, JWT key fuzz.

How to set stealth mode

Three places, in priority order:

  1. Per-scan override — on the New Scan form's Advanced configuration, pick stealth_mode. Wins over everything else.
  2. Per-engagement default — when creating an engagement, set its stealth_mode. Every scan launched under that engagement inherits this value (unless the scan overrides it).
  3. Account default — Settings → Engagements → Default stealth mode. Applies to new engagements and ad-hoc scans without an explicit value.

Audit trail

The chosen stealth_mode is recorded on every scan row and shown on the scan-detail page. When a detector is skipped because of stealth mode (rather than because it didn't apply to the target), the orchestrator logs a structured event: stealth=moderate: skipped 6 loud/moderate rules — race_condition(loud), param_discovery(loud), …. The skip list appears in the "Coverage" section of the scan-detail page so you can see what was deliberately omitted.
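The precedence rules under "How to set stealth mode" and the skip event under "Audit trail" together, as an added example (not Pentestas' own code). The detector catalogue, the function names and the use of a plain hyphen as the separator in the log line are assumptions; the noise classifications follow the help text above.

```python
from enum import IntEnum

# The page's three noise tiers, ordered so a mode can be expressed as a ceiling:
# a detector runs when its noise level is at or below the mode's ceiling.
class Noise(IntEnum):
    QUIET = 0
    MODERATE = 1
    LOUD = 2

# Constructed detector catalogue (hypothetical names, not the product's real rule table),
# classified as the help page describes.
DETECTORS = {
    "header_misconfig": Noise.QUIET,
    "tls_audit": Noise.QUIET,
    "subdomain_takeover": Noise.QUIET,
    "error_sqli": Noise.MODERATE,
    "reflected_xss": Noise.MODERATE,
    "ssrf": Noise.MODERATE,
    "race_condition": Noise.LOUD,
    "param_discovery": Noise.LOUD,
    "time_sqli": Noise.LOUD,
}

# Highest noise level each stealth_mode still runs; "off" runs everything.
MAX_NOISE = {"off": Noise.LOUD, "moderate": Noise.MODERATE, "quiet": Noise.QUIET}

def resolve_stealth_mode(scan_override=None, engagement_default=None, account_default="off"):
    """Priority order from the page: per-scan override > engagement default > account default."""
    for value in (scan_override, engagement_default, account_default):
        if value is not None:
            if value not in MAX_NOISE:
                raise ValueError(f"unknown stealth_mode: {value!r}")
            return value
    return "off"

def select_detectors(mode, detectors=DETECTORS):
    """Split the catalogue into (run, skipped); skipped keeps each rule's noise label for the audit log."""
    ceiling = MAX_NOISE[mode]
    run = [name for name, noise in detectors.items() if noise <= ceiling]
    skipped = [(name, noise) for name, noise in detectors.items() if noise > ceiling]
    return run, skipped

def skip_event(mode, skipped):
    """Structured event modelled on the 'Audit trail' line; empty when nothing was skipped."""
    if not skipped:
        return ""
    items = ", ".join(f"{name}({noise.name.lower()})" for name, noise in skipped)
    return f"stealth={mode}: skipped {len(skipped)} loud/moderate rules - {items}"
```

Because only the skipped list is logged, a scan whose detector omitted itself for not applying to the target never appears in this event, matching the distinction the page draws.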