GraphQL API Reference

Welcome to the Horizon3.ai GraphQL API Reference. This guide covers every query, mutation, and type available in the API, along with everything you need to start making requests.

Getting Started

Client Examples

  • h3-cli Examples — Use the Horizon3.ai CLI to run queries from the command line.
  • Python Examples — Run queries with a ready-to-use Python script.
  • cURL Examples — Run queries with a ready-to-use bash/cURL script.

GraphQL vs. REST

If you have worked with REST APIs before, GraphQL will feel familiar — you are still sending HTTP requests and receiving JSON responses. However, there are a few important differences to be aware of.

Single Endpoint

REST APIs expose many endpoints (e.g., /pentests, /pentests/:id, /assets). GraphQL uses a single endpoint (/graphql) for all operations. The request body determines what data is returned.

Requests Are Defined in the POST Body

Instead of encoding the operation in the URL path and HTTP method (GET, PUT, DELETE), GraphQL requests are always sent as an HTTP POST with a JSON body containing a query field. The query is a structured string that describes exactly which fields and relationships you want to retrieve. See Sending Requests for an example.

You Choose the Fields You Receive

With a REST API, each endpoint returns a fixed set of fields. GraphQL lets you specify exactly which fields to include in the response — no more, no less. This reduces payload sizes and eliminates unnecessary data transfer.

REST often requires multiple round-trips to assemble related data (e.g., fetching a pentest, then its weaknesses, then each affected host). A GraphQL query can traverse deeply nested relationships in a single request, returning all the data you need at once.

Status Codes Work Differently

REST APIs use HTTP status codes (200, 404, 500, etc.) to indicate success or failure. GraphQL requests always return HTTP 200, even when errors occur. Errors are reported in the errors field of the response body. See Handling Errors for details.

Strongly Typed Schema

Every field, argument, and return type in the API is defined in a typed schema. This reference is generated directly from that schema, so it always reflects the current state of the API.

REST (Multiple Requests)
# Fetch a list of pentests
GET /v1/pentests

# Fetch details for one pentest
GET /v1/pentests/abc-123

# Fetch weaknesses for that pentest
GET /v1/pentests/abc-123/weaknesses

# Fetch affected host for a weakness
GET /v1/pentests/abc-123/weaknesses/weakness-1/affected_host
GraphQL (Single Request)
query {
  pentest(op_id: "abc-123") {
    name
    state
    weaknesses_page {
      weaknesses {
        vuln {
          id
          name
          description
        }
        affected_host {
          ip
          host_names
          os_names
        }
        score
        severity
      }
    }
  }
}

Authentication

All API requests require a JSON Web Token (JWT). To obtain one, send your API key to the /auth endpoint as shown in the example on the right. The response contains a token field that you will include in subsequent requests.

API Key Required

You can generate an API key from the Horizon3.ai Portal.

Auth Endpoints

Use the endpoint for your region:

  • US: H3_AUTH_URL=https://api.gateway.horizon3ai.com/v1/auth
  • EU: H3_AUTH_URL=https://api.gateway.horizon3ai.eu/v1/auth

JWT Expiration

Tokens expire after 1 hour. When a token expires, the API returns the following message. Simply re-authenticate to the /auth endpoint to obtain a new token.

{"message":"The incoming token has expired"}
Authenticate
H3_AUTH_URL="https://api.gateway.horizon3ai.com/v1/auth"
H3_API_KEY="<your-api-key-here>"
curl -X POST $H3_AUTH_URL \
    -H "Content-Type: application/json" \
    -d @- <<HERE 
{
  "key": "$H3_API_KEY"
}
HERE
Response
{"token": "<your-jwt>"}

Sending Requests

Send an HTTP POST request to the /graphql endpoint with your JWT in the Authorization header. The example on the right retrieves all pentests for your account, ordered by most recent.

API Endpoints

Use the endpoint for your region:

  • US: H3_API_URL=https://api.gateway.horizon3ai.com/v1/graphql
  • EU: H3_API_URL=https://api.gateway.horizon3ai.eu/v1/graphql

Request Body

The POST body is a JSON object with two fields:

  • query — The GraphQL query or mutation string.
  • variables — An optional JSON object containing variables referenced in the query or mutation.

For additional examples, see the Getting Started guide.

GraphQL Request
H3_API_URL="https://api.gateway.horizon3ai.com/v1/graphql"
H3_API_JWT="<your-jwt>"
curl -X POST $H3_API_URL \
    -H "Content-Type: application/json" \
    -H "Authorization: Bearer $H3_API_JWT" \
    -d @- <<HERE 
{
  "query": "
    query q(\$page_input: PageInput) {
      pentests_count(page_input: \$page_input)
      pentests_page(page_input: \$page_input) {
        pentests {
          ...PentestFragment
        }
      }
    }
    fragment PentestFragment on Pentest {
      op_id
      op_type
      name
      state
      scheduled_at
      launched_at
      completed_at
      etl_completed_at
      hosts_count
      weaknesses_count
    }
  ",
  "variables": {
    "page_input": {
      "page_num": 1
    }
  }
}
HERE

Response Format

Every response is a JSON object with up to two top-level fields:

  • data — The results of your query or mutation, mirroring the shape of the request.
  • errors — Present only if one or more errors occurred during execution. See Handling Errors for details.
GraphQL Response
{
  "data": {
    "pentests_count": 8,
    "pentests_page": {
      "pentests": [
        {
          "op_id": "12341234-1234-1234-1234-123412341234",
          "op_type": "NodeZero",
          "name": "Sample Pentest",
          "state": "done",
          "scheduled_at": "2025-03-06T20:37:31.973429",
          "launched_at": "2025-03-06T20:44:22.567519",
          "completed_at": "2025-03-06T21:22:33.893341",
          "etl_completed_at": "2025-03-06T21:30:01.073779",
          "hosts_count": 10,
          "weaknesses_count": 5
        },
        ...
      ]
    }
  }
}

Handling Errors

Errors are returned in the errors array of the response. See the example on the right.

Status Codes

GraphQL requests return HTTP 200 in most cases, even when there are application-level errors. An HTTP 5xx status code indicates a network or system failure that prevented the API from responding.

Each error object may include an HTTP-style status code embedded in its message field, enclosed in square brackets (e.g., [403] You are not authorized).

The table below summarizes the status codes you may encounter.

Code Title Description
200 Success The response contains the requested data.
400 Bad Request The request is malformed. Check the errors field for details.
401 Unauthorized Authentication failed due to an invalid or expired JWT.
403 Forbidden You do not have permission to access the requested resource.
5xx Internal Server Error An unexpected server-side error occurred.
Example Error Response
{
  "data": {
    "pentests_count": null,
    "pentests_page": null
  },
  "errors": [
    {
      "message": "[403] You are not authorized",
      "locations": [ { "line": 2, "column": 13 } ],
      "path": [ "pentests_count" ]
    }
  ]
}

Versioning

The Horizon3.ai GraphQL API does not use version numbers. All changes are additive and backward-compatible, so existing integrations continue to work as the API evolves.

Deprecations: Queries, mutations, and fields may be deprecated over time. Deprecated items are flagged in this documentation and remain functional until they are no longer in active use.

h3-cli Examples

h3-cli is a command-line tool for interacting with the Horizon3.ai GraphQL API. You can use it to run any of the query and mutation examples in this reference.

Installation

Install h3-cli using the commands shown on the right.

Usage

Run h3 help to see all available subcommands.

The h3 gql subcommand executes any GraphQL query or mutation. Save your query in a .graphql file and pass it to h3 gql:

h3 gql <graphql_file> [params_json]

Parameters

  • graphql_file — Path to a .graphql file containing your query or mutation.
  • params_json — Optional JSON string with variables for the query or mutation.

The h3-cli tabs throughout this reference show the exact command for each query and mutation.

Pretty-Printing with jq

h3-cli bundles jq for formatting JSON output. Pipe the result to jq . to pretty-print:

h3 gql ./my_pentests.graphql '{"page_input": {"page_num": 1}}' | jq .

Auto-Pagination

For queries that accept a $page_input: PageInput argument, use h3 gql-stream to automatically iterate through all pages:

h3 gql-stream ./my_pentests.graphql data.pentests_page.pentests

The second argument (data.pentests_page.pentests in this example) is the path to the paginated array in the response. h3-cli fetches each page and streams the individual objects until all results have been returned.

JSON Streaming

The output of gql-stream is a stream of JSON objects, not a JSON array. To collect the stream into an array, pipe the output to jq -s:

h3 gql-stream ./my_pentests.graphql data.pentests_page.pentests | jq -s .
Installation
H3_API_KEY="<your-api-key-here>"
H3_DOWNLOAD_URL="https://downloads.horizon3ai.com/utilities/cli/easy_install.sh"

curl $H3_DOWNLOAD_URL | bash -s "$H3_API_KEY"

export H3_CLI_HOME="`pwd`/h3-cli"
export PATH="$H3_CLI_HOME/bin:$PATH"

# Commands
h3 help
h3 whoami
h3 pentests

Python Examples

h3_gql.py is a ready-to-use Python script that handles authentication and query execution in a single call. The full source is shown on the right.

Required Environment Variables

  • H3_API_KEY — Your API key.
  • H3_AUTH_URL — The authentication endpoint for your region. See Authentication.
  • H3_API_URL — The GraphQL endpoint for your region. See Sending Requests.

Usage

python h3_gql.py <graphql_file> [params_json]

Parameters

  • graphql_file — Path to a .graphql file containing your query or mutation.
  • params_json — Optional JSON string with variables for the query or mutation.

The Python tabs throughout this reference show the exact command for each query and mutation.

h3_gql.py
import json
import os
import sys
from pathlib import Path
import requests

def authenticate():
    url = os.environ["H3_AUTH_URL"]
    api_key = os.environ["H3_API_KEY"]
    response = requests.post(url, json={"key": api_key})
    response.raise_for_status()
    return response.json()["token"]

def execute_query(jwt, graphql_file, variables):
    url = os.environ["H3_API_URL"]
    headers = {
        "Content-Type": "application/json",
        "Authorization": f"Bearer {jwt}",
    }
    query = Path(graphql_file).read_text()
    payload = {"query": query, "variables": variables}
    response = requests.post(url, headers=headers, json=payload)
    return response.json()

if __name__ == "__main__":
    graphql_file = sys.argv[1]
    params = json.loads(sys.argv[2]) if len(sys.argv) > 2 else {}
    jwt = authenticate()
    result = execute_query(jwt, graphql_file, params)
    print(json.dumps(result, indent=2))

cURL Examples

h3_gql.sh is a ready-to-use bash script that handles authentication and query execution using only cURL and sed — no additional dependencies required. The full source is shown on the right.

Required Environment Variables

  • H3_API_KEY — Your API key.
  • H3_AUTH_URL — The authentication endpoint for your region. See Authentication.
  • H3_API_URL — The GraphQL endpoint for your region. See Sending Requests.

Usage

chmod +x h3_gql.sh
./h3_gql.sh <graphql_file> [params_json]

Parameters

  • graphql_file — Path to a .graphql file containing your query or mutation.
  • params_json — Optional JSON string with variables for the query or mutation.

The cURL tabs throughout this reference show the exact command for each query and mutation.

h3_gql.sh
#!/usr/bin/env bash
set -euo pipefail

graphql_file="${1:?Usage: ./h3_gql.sh <graphql_file> [params_json]}"
variables="${2:-{}}"

# Authenticate and extract JWT using sed (no jq/python dependency)
jwt=$(curl -s -X POST "$H3_AUTH_URL" \
    -H "Content-Type: application/json" \
    -d "{\"key\": \"$H3_API_KEY\"}" \
    | sed -n 's/.*"token"[[:space:]]*:[[:space:]]*"\([^"]*\)".*/\1/p')

query=$(cat "$graphql_file" | sed 's/"/\\\\"/g' | tr '\n' ' ')

curl -s -X POST "$H3_API_URL" \
    -H "Content-Type: application/json" \
    -H "Authorization: Bearer $jwt" \
    -d "{\"query\": \"$query\", \"variables\": $variables}"

Using the API

Core utilities for working with the Horizon3.ai GraphQL API. This section covers pagination controls for managing large datasets, filtering and sorting options, and metadata queries for API introspection and type definitions.

Using the API: Pagination

Control pagination, filtering, and sorting for query results that return large datasets. Use PageInput to navigate through paginated results, apply filters to narrow results, and specify sort order.

PageInput

Description

Controls pagination, sorting, and filtering for any paginated query.

Pass a PageInput to any *_page query to specify which page of results to return, how to order them, and which filters to apply. Pages are 1-indexed, with a default size of 20 and a maximum of 100 results per page.

Fields
page_num - Int
Page number to retrieve, starting at 1. Combined with page_size to determine the offset into the result set. Defaults to 1 if not specified.
page_size - Int
Number of results per page. Minimum is 1, maximum is 100. Defaults to 20 if not specified.
order_by - String
Name of the field to sort by. Must correspond to a field on the returned type. Not all fields are sortable; an error is returned for non-sortable fields. For multi-field sorting, use sort_inputs instead.
sort_order - SortOrder
Sort direction (ASC or DESC). Used together with order_by.
sort_inputs - [SortInput]
List of sort criteria for multi-field ordering. Each entry specifies a field and direction. See SortInput.
filter_by_inputs - [FilterByInput]
List of filter criteria. By default, multiple filters are combined with AND logic. Use filter_by_input_mode to switch to OR. See FilterByInput.
filter_by_input_mode - FilterByInputMode
Logical operator (AND or OR) for combining multiple filter_by_inputs entries. Defaults to AND. See FilterByInputMode.
text_search - String
Free-text search across text-based fields of the target type. Results include any record containing a match in at least one text field. 
# Example 1: Basic pagination
query BasicPagination($page_input: PageInput = {
    page_num: 1,
    page_size: 5
}) {
  pentests_page(page_input: $page_input) {
    pentests {
      op_id
      name
      state
    }
  }
}

# Example 2: Pagination with sorting
query PaginationWithSorting($page_input: PageInput = {
    page_size: 10,
    sort_inputs: [
        { order_by: "scheduled_at", sort_order: DESC }
    ]
}) {
  pentests_page(page_input: $page_input) {
    pentests {
      op_id
      name
      scheduled_at
    }
  }
}

# Example 3: Pagination with filtering
query PaginationWithFiltering($page_input: PageInput = {
    filter_by_inputs: [
        { field_name: "state", values: ["done"] }
    ]
}) {
  pentests_page(page_input: $page_input) {
    pentests {
      op_id
      name
      op_type
      state
    }
  }
}

Examples may not include all available fields for a type.

Using the API: Pagination

FacetValue

Description

Represents a single filterable value within a faceted navigation set. Each FacetValue provides a value, its count in the current result set, and a prebuilt FilterBy object that can be passed directly to PageInput filter_by_inputs to narrow results to this value.

Fields
label - String
Human-readable display name for this facet value.
value - String
The raw value used when filtering via the API.
value_count - Int
Number of results matching this facet value in the current dataset.
filter_by - FilterBy
A prebuilt FilterBy object that can be passed to PageInput filter_by_inputs to filter results by this facet value. 
fragment FacetValueFragment on FacetValue {
  label
  value
  value_count
  filter_by {
    field_name
    values
  }
}

Examples may not include all available fields for a type.

Using the API: Pagination

FilterBy

Description

Represents an active filter applied to query results. This is the output counterpart of FilterByInput, returned within PageInfo to confirm which filters were applied.

Fields
field_name - StringNoWhitespace!
Name of the field being filtered.
values - [String]
Values included in the filter. See FilterByInput.
not_values - [String]
Values excluded by the filter. See FilterByInput.
less_than - String
Upper bound (exclusive) applied to the field. See FilterByInput.
less_than_or_equal - String
Upper bound (inclusive) applied to the field. See FilterByInput.
greater_than - String
Lower bound (exclusive) applied to the field. See FilterByInput.
greater_than_or_equal - String
Lower bound (inclusive) applied to the field. See FilterByInput. 
fragment FilterByFragment on FilterBy {
  field_name
  values
  not_values
  less_than
  less_than_or_equal
  greater_than
  greater_than_or_equal
}

Examples may not include all available fields for a type.

Using the API: Pagination

FilterByInput

Description

Defines a single filter criterion for querying data. Specify a field_name and one or more conditions (values, not_values, range comparisons, or is_null) to restrict results. Multiple conditions within a single FilterByInput are combined with AND logic.

Fields
field_name - StringNoWhitespace!
Name of the field to filter by. Must correspond to a field name on the returned type.
values - [String]
Include only results where the field matches one of these values. Mutually exclusive with not_values. Can be combined with range comparisons (greater_than*, less_than*) and is_null; combined conditions are AND'ed.
not_values - [String]
Exclude results where the field matches one of these values. Mutually exclusive with values. Can be combined with range comparisons (greater_than*, less_than*) and is_null; combined conditions are AND'ed.
greater_than - String
Include only results where the field value is strictly greater than this value. Mutually exclusive with greater_than_or_equal. Can be combined with less_than*, values, not_values, and is_null; combined conditions are AND'ed.
greater_than_or_equal - String
Include only results where the field value is greater than or equal to this value. Mutually exclusive with greater_than. Can be combined with less_than*, values, not_values, and is_null; combined conditions are AND'ed.
less_than - String
Include only results where the field value is strictly less than this value. Mutually exclusive with less_than_or_equal. Can be combined with greater_than*, values, not_values, and is_null; combined conditions are AND'ed.
less_than_or_equal - String
Include only results where the field value is less than or equal to this value. Mutually exclusive with less_than. Can be combined with greater_than*, values, not_values, and is_null; combined conditions are AND'ed.
filter_by_input_mode - FilterByInputMode
Logical operator (AND or OR) for combining multiple FilterByInput entries. Defaults to AND.
is_null - Boolean
Filter by null status. Set to true to include only rows where the field IS NULL. Set to false to include only rows where the field IS NOT NULL. Omit or set to null to skip null checking. Can be combined with other conditions; combined conditions are AND'ed. 
# Example 1: Filter by single value
query FilterBySingleValue($page_input: PageInput = {
    filter_by_inputs: [
        { field_name: "op_type", values: ["NodeZero"] }
    ]
}) {
  pentests_page(page_input: $page_input) {
    pentests {
      op_id
      name
      op_type
    }
  }
}

# Example 2: Filter by multiple values
query FilterByMultipleValues($page_input: PageInput = {
    filter_by_inputs: [
        { field_name: "state", values: ["done", "running"] }
    ]
}) {
  pentests_page(page_input: $page_input) {
    pentests {
      op_id
      name
      op_type
      state
    }
  }
}

# Example 3: Exclude specific values
query FilterExcludeValues($page_input: PageInput = {
    filter_by_inputs: [
        { field_name: "state", not_values: ["ended", "error"] }
    ]
}) {
  pentests_page(page_input: $page_input) {
    pentests {
      op_id
      name
      state
    }
  }
}

Examples may not include all available fields for a type.

Using the API: Pagination

FilterByInputMode

Description

Logical operator used to combine multiple FilterByInput entries when filtering query results.

Values
AND
All filters must match. This is the default when filter_by_input_mode is not specified.
OR
At least one filter must match.
Example
"AND"
Using the API: Pagination

PageInfo

Description

Echoes back the pagination parameters that were applied to produce the current page of results. Returned by all paginated queries alongside the result data.

Fields
page_num - Int
The page number that was returned.
page_size - Int
The maximum number of items per page that was requested.
text_search - String
The free-text search string that was applied, if any.
filter_by_inputs - [FilterBy]
The list of filters that were applied to the query. See FilterBy. 
fragment PageInfoFragment on PageInfo {
  page_num
  page_size
  text_search
}

Examples may not include all available fields for a type.

Using the API: Pagination

SortInput

Description

Defines a single sort criterion. Use within PageInput sort_inputs to sort results by one or more fields.

Fields
order_by - StringNoWhitespace!

Name of the field to sort by. Must correspond to a field name on the returned type.

Not all fields are sortable. An error is returned if you specify a non-sortable field. The set of sortable fields depends on the type being queried.

sort_order - SortOrder
Sort direction. Defaults to ASC if not specified.
nulls_first - Boolean
Controls the ordering of null values in descending sorts. When false (default), nulls are placed last even in DESC order. Set to true to place nulls first in DESC queries. 
# Example 1: Sort by a single field
query SortBySingleField($page_input: PageInput = {
    sort_inputs: [
        { order_by: "severity", sort_order: DESC }
    ]
}) {
  weaknesses_page(
    op_id: "1234abcd-1234-abcd-1234-abcd1234abcd"
    page_input: $page_input
  ) {
    weaknesses {
      uuid
      vuln_name
      severity
    }
  }
}

# Example 2: Sort by multiple fields
query SortByMultipleFields($page_input: PageInput = {
    sort_inputs: [
        { order_by: "severity", sort_order: DESC },
        { order_by: "vuln_name", sort_order: ASC }
    ]
}) {
  weaknesses_page(
    op_id: "1234abcd-1234-abcd-1234-abcd1234abcd"
    page_input: $page_input
  ) {
    weaknesses {
      uuid
      vuln_name
      severity
    }
  }
}

Examples may not include all available fields for a type.

Using the API: Pagination

SortOrder

Description

Specifies the direction in which to order query results.

Values
ASC
Ascending order (smallest to largest, A to Z, oldest to newest).
DESC
Descending order (largest to smallest, Z to A, newest to oldest).
Example
"ASC"

Using the API: Metadata

Query GraphQL schema metadata and type definitions. Introspect the API to discover available types, fields, queries, and mutations programmatically, such as with an LLM and MCP server.

graphql_def

Description

Returns the GraphQLDef schema definition for a single element in the API. No authentication is required. The id parameter identifies the schema element and can be one of:

Response

Returns an GraphQLDef!

Arguments
id - String!
The schema element ID, eg. Query, Weakness, Mutation.create_op, etc. 
query GetGraphQLDefinition($id: String!) {
  graphql_def(id: $id) {
    ...GraphQLDefFragment
  }
}

fragment GraphQLDefFragment on GraphQLDef {
  id
  name
  type
  type_name
  declaration
  description
  parent_id
  default_value
  related_type_ids
  args
  fields {
    id
    name
    type
    type_name
    description
  }
}

Examples may not include all available fields for a type.

Using the API: Metadata

hello

Description

A simple connectivity test that returns the string world!. Use this query to verify that your API client can successfully reach the GraphQL endpoint. No authentication is required.

query {
    hello
}

Response

Returns a String! 

query HelloWorld {
  hello
}

Examples may not include all available fields for a type.

Using the API: Metadata

GraphQLDef

Description

Represents the schema definition of a single element in the GraphQL API. Use the graphql_def query to retrieve definitions programmatically. A GraphQLDef can represent one of:

  • a Type (e.g. Query, Mutation, WeaknessesPage, Weakness)
  • a Field within a type (e.g. Query.weaknesses_page, Weakness.op_id)
  • an Enum (e.g. AuthzRole, PortalOpState)
  • an Enum Value (e.g. AuthzRole.ORG_ADMIN, PortalOpState.running)
Fields
id - String!

Unique identifier for this schema element.

  • For a Type: the type name (e.g. Query, WeaknessesPage)
  • For a Field: the parent type + field name (e.g. Query.weaknesses_page)
  • For an Enum: the enum name (e.g. AuthzRole)
  • For an Enum Value: the enum name + value (e.g. AuthzRole.ORG_ADMIN)
description - String
The documentation string for this schema element, sourced from its GraphQL doc comment.
declaration - String

The full GraphQL declaration syntax for this schema element. For example:

weaknesses_page(input: OpInput!, page_input: PageInput): WeaknessesPage!

: WeaknessesPage!)

name - String!

The name of this schema element.

  • For a Type: the type name (e.g. Query, WeaknessesPage)
  • For a Field: the field name (e.g. weaknesses_page)
  • For an Enum: the enum name (e.g. AuthzRole)
  • For an Enum Value: the enum value (e.g. ORG_ADMIN)
type - String!
The return type of this element, including GraphQL modifiers such as ! (non-null) and [] (list).
type_name - String!
The base type name without modifiers (!, []).
parent_id - String
The parent type ID. Applies only to fields and enum values. For example, a field weaknesses_page on Query has a parent_id of Query.
default_value - String
The default value for an input field or argument, if one is defined.
related_type_ids - [String!]
IDs of all types related to this schema element. Applies to fields with arguments: includes the field's return type and the types of all arguments.
related_types - [GraphQLDef!]
The full GraphQLDef objects for all related types. Applies to fields with arguments: includes the return type and argument types.
args - [JSONObject!]

The list of arguments accepted by this field, if any. Each argument is a JSON object with keys:

[
  {
    "declaration": "page_input: PageInput",
    "defaultValue": null,
    "description": null,
    "name": "page_input",
    "type": "PageInput",
    "type_name": "PageInput"
  }
]
fields - [GraphQLDef!]
Child fields of this type. Only populated for Object and Input types. 
fragment GraphQLDefFragment on GraphQLDef {
  id
  name
  description
  declaration
  type
  type_name
  parent_id
  default_value
  related_type_ids
  args
  fields {
    id
    name
    type
    type_name
    description
  }
}

Examples may not include all available fields for a type.

Setup

Configure your pentesting environment and define your attack surface. Create and manage pentest templates, deploy NodeZero runners, schedule recurring pentests, organize assets into groups, and authorize domains and IPs for external testing. This section provides all the tools needed to prepare your pentesting infrastructure.

Setup: Op Config

Configure pentest parameters and settings including scope, attack types, feature flags, credentials, and runtime limits. This section defines the comprehensive configuration object used when creating or scheduling pentests and other operations.

ScheduleOpForm

Description

The configuration used to create an Op or an OpTemplate.

This type represents the read view of an op's configuration. To create or update a configuration, use ScheduleOpFormInput.

Key configuration fields include:

  • op_type: The type of operation (e.g. internal pentest, external pentest, AD password audit). See OpType for the full list and configuration requirements.
  • op_param_max_scope / op_param_min_scope: Define the network scope for the op.
  • feature_flags: Advanced configuration settings that control specific attack behaviors. See FeatureFlag.
  • asset_group_uuid: The AssetGroup to target for external pentests.
  • runner_uuid: The NodeZero Runner that launches the op.
  • k8s_deployment and related k8s_* fields: Configuration for Kubernetes-based pentests.
  • auto_injected_credential_uuids: Credentials to be auto-injected by a NodeZero Runner.
  • minimum_run_time / maximum_run_time: Control how long the op runs.

Note: Despite its name, ScheduleOpForm is not used for creating a recurring schedule. Use Schedule and ScheduledAction for that purpose.

Fields
op_name - String

The name of the operation.

The name can be anything. It is used in reports and the UI to label the operation.

op_type - OpType

The type of operation.

Defaults to NodeZero (an internal pentest).

See OpType for the full list of supported op types and their configuration requirements.

op_param_blacklist - String

Hosts and subnets that are EXCLUDED from the op.

Any hosts or subnets that fall within this scope will not be scanned during the op.

Specified as comma-separated CIDR ranges and/or individual IP addresses.

op_param_min_scope - String

op_param_min_scope and op_param_max_scope are mutually exclusive ways to define the scope of an op. You can define one or the other, but not both at the same time.

If op_param_min_scope is defined, then the Auto-Expand Scope feature is enabled. This means NodeZero will scan not only the hosts defined in op_param_min_scope, but it will dynamically expand the scope during the operation to include any additional hosts it discovers organically.

Use op_param_min_scope if you're not sure of your full scope, and you want NodeZero to dynamically discover and scan additional hosts and scope, beyond the scope you defined in op_param_min_scope.

op_param_min_scope is typically configured as a set of individual host IPs, not large CIDR ranges or subnets. NodeZero will specifically search for and scan the defined IPs, in addition to any other hosts and subnets it discovers during the op.

Use op_param_max_scope if you know exactly the scope of hosts and subnets you want to scan, and you do NOT want NodeZero to scan any hosts or subnets beyond that scope. This is the more commonly used option, as it gives you the most control over which hosts and subnets are included in the scan.

If neither op_param_min_scope nor op_param_max_scope are defined, then NodeZero defaults to using Intelligent Scope. Intelligent Scope starts with the IP of the host that NodeZero is deployed on. From there, NodeZero enumerates and scans the /16 subnet that the host belongs to. NodeZero then expands into adjacent /23 subnets, continuously identifying and testing nearby assets. The cycle repeats until no additional devices are detected. The ultimate scope of the test depends on the level of privilege and access NodeZero has, either through captured or granted permissions.

The scope is specified as a list of comma-separated IPs and/or CIDR ranges.

op_param_max_scope - String

op_param_min_scope and op_param_max_scope are mutually exclusive ways to define the scope of an op. You can define one or the other, but not both at the same time.

If op_param_max_scope is defined, then the Auto-Expand Scope feature is disabled. This means NodeZero will only scanthe hosts and subnets defined in op_param_max_scope. NodeZero will NOT try to dynamically expand the scope during the operation to include any additional hosts it discovers organically. Only the hosts and subnets that fall within the scope defined in op_param_max_scope will be scanned.

Use op_param_max_scope if you know exactly the scope of hosts and subnets you want to scan, and you do NOT want NodeZero to scan any hosts or subnets beyond that scope. This is the more commonly used option, as it gives you the most control over which hosts and subnets are included in the scan.

Use op_param_min_scope if you're not sure of your full scope, and you want NodeZero to dynamically discover and scan additional hosts and scope.

If neither op_param_min_scope nor op_param_max_scope are defined, then NodeZero defaults to using Intelligent Scope. Intelligent Scope starts with the IP of the host that NodeZero is deployed on. From there, NodeZero enumerates and scans the /16 subnet that the host belongs to. NodeZero then expands into adjacent /23 subnets, continuously identifying and testing nearby assets. The cycle repeats until no additional devices are detected. The ultimate scope of the test depends on the level of privilege and access NodeZero has, either through captured or granted permissions.

The scope is specified as a list of comma-separated IPs and/or CIDR ranges.

op_param_application_url - String
For web app pentesting, the primary URL of the web application being tested.
op_param_application_alt_urls - [String]
For web app pentesting, supplementary URLs representing APIs or app subdomains to include in the test.
web_application_uuid - String
For web app pentesting, the UUID of the web application entity being tested.
feature_flags - [FeatureFlag]
Advanced configuration settings that control specific attack behaviors during the op. See FeatureFlag.
osint_domains - [String]
Public-facing domains to scan for OSINT (open-source intelligence) data such as leaked credentials.
osint_company_names - [String]
Company names used for discovering OSINT (open-source intelligence) data such as leaked credentials.
passwords_to_spray - [String]
Passwords to use for password spraying during the op.
git_accounts - [GitAccount]
Git accounts to scan during the op for exposed repositories and secrets.
aws_account_ids - [AWSAccountId]
AWS account IDs to scan during the op.
asset_group_uuid - String
ID of the AssetGroup containing authorized assets to pentest. Applies to external pentests only (op_type=ExternalAttack).
start_paused - Boolean
When true, the op starts in a paused state. This is useful for external pentests when NodeZero's IP address must first be known in order to configure firewall rules.
minimum_run_time - Int
The minimum number of minutes the op will run, even if it has fully completed its scan of the target environment. This is useful for giving extra time to password spraying and man-in-the-middle relay attacks.
maximum_run_time - Int
The maximum number of minutes the op will run. The op will stop after this duration even if it has not yet completed its scan of the target environment.
runner_uuid - String
ID of the NodeZero Runner that will launch this op.
auto_injected_credential_uuids - [String!]
UUIDs of credentials to be auto-injected by a NodeZero Runner when launching the op.
targeted_test_id - String
ID of the targeted test to use for the op. Targeted tests focus the op on specific weaknesses or assets.
k8s_deployment - Boolean
Set to true when deploying NodeZero in a Kubernetes cluster. Required for the K8sPentest op type.
k8s_node - String
The Kubernetes node to target for the op. Used by the K8sPentest op type.
k8s_namespace - String
The Kubernetes namespace to target for the op. Used by the K8sPentest op type.
k8s_service_account_name - String
The Kubernetes service account to use for the op. Used by the K8sPentest op type.
aws_connection_uuids - [String!]
UUIDs of AWSConnection objects to use for the op. Required for the AWSPentest op type.
aws_connection_identifier_uuid - String
Global AWS connection identifier for the client account.
inventory_op_scope_uuids - [ID!]
UUIDs of InventoryOpScope objects that define the authorized scope for external operations. Applies to ExternalAssetDiscovery and ExternalAttack op types.
all_authorized_assets - Boolean
When true, the op includes all authorized assets with no additional scope filtering. Currently only supported for the ExternalAttack op type. Mutually exclusive with asset_group_uuid, op_series_uuid, and inventory_op_scope_uuids. 
fragment ScheduleOpFormFragment on ScheduleOpForm {
  op_name
  op_type
  op_param_blacklist
  op_param_max_scope
  feature_flags {
    name
    value
  }
  osint_domains
  osint_company_names
  passwords_to_spray
  asset_group_uuid
  start_paused
  minimum_run_time
  maximum_run_time
  runner_uuid
  auto_injected_credential_uuids
  targeted_test_id
  k8s_deployment
  k8s_node
  k8s_namespace
  k8s_service_account_name
  aws_connection_uuids
  aws_connection_identifier_uuid
}

Examples may not include all available fields for a type.

Setup: Op Config

ScheduleOpFormInput

Description

Input configuration for creating an Op or an OpTemplate.

This is the input version of ScheduleOpForm, used when creating or updating op configurations.

See OpType for the list of op types and their configuration requirements.

Key configuration fields include:

  • op_type: The type of operation (e.g. internal pentest, external pentest, AD password audit).
  • op_param_max_scope / op_param_min_scope: Define the network scope for the op.
  • feature_flags: Advanced configuration settings that control specific attack behaviors.
  • asset_group_uuid: The AssetGroup to target for external pentests.
  • runner_uuid: The NodeZero Runner that launches the op.
  • k8s_deployment and related k8s_* fields: Configuration for Kubernetes-based pentests.
  • auto_injected_credential_uuids: Credentials to be auto-injected by a NodeZero Runner.
  • minimum_run_time / maximum_run_time: Control how long the op runs.

Partial/patch updates of an op template's configuration are supported via Mutation.update_op_template.

Fields
op_name - String

The name of the operation.

The name can be anything. It is used in reports and the UI to label the operation.

This also sets AssetGroup.name when used with create_asset_group and update_asset_group_template.

op_type - OpType

The type of operation.

Defaults to NodeZero (an internal pentest).

See OpType for the full list of supported op types and their configuration requirements.

op_param_blacklist - String

Hosts and subnets that are EXCLUDED from the op.

Any hosts or subnets that fall within this scope will not be scanned during the op.

Specified as comma-separated CIDR ranges and/or individual IP addresses.

op_param_min_scope - String

op_param_min_scope and op_param_max_scope are mutually exclusive ways to define the scope of an op. You can define one or the other, but not both at the same time.

If op_param_min_scope is defined, then the Auto-Expand Scope feature is enabled. This means NodeZero will scan not only the hosts defined in op_param_min_scope, but it will dynamically expand the scope during the operation to include any additional hosts it discovers organically.

Use op_param_min_scope if you're not sure of your full scope, and you want NodeZero to dynamically discover and scan additional hosts and scope, beyond the scope you defined in op_param_min_scope.

op_param_min_scope is typically configured as a set of individual host IPs, not large CIDR ranges or subnets. NodeZero will specifically search for and scan the defined IPs, in addition to any other hosts and subnets it discovers during the op.

Use op_param_max_scope if you know exactly the scope of hosts and subnets you want to scan, and you do NOT want NodeZero to scan any hosts or subnets beyond that scope. This is the more commonly used option, as it gives you the most control over which hosts and subnets are included in the scan.

If neither op_param_min_scope nor op_param_max_scope are defined, then NodeZero defaults to using Intelligent Scope. Intelligent Scope starts with the IP of the host that NodeZero is deployed on. From there, NodeZero enumerates and scans the /16 subnet that the host belongs to. NodeZero then expands into adjacent /23 subnets, continuously identifying and testing nearby assets. The cycle repeats until no additional devices are detected. The ultimate scope of the test depends on the level of privilege and access NodeZero has, either through captured or granted permissions.

The scope is specified as a list of comma-separated IPs and/or CIDR ranges.

op_param_max_scope - String

op_param_min_scope and op_param_max_scope are mutually exclusive ways to define the scope of an op. You can define one or the other, but not both at the same time.

If op_param_max_scope is defined, then the Auto-Expand Scope feature is disabled. This means NodeZero will only scanthe hosts and subnets defined in op_param_max_scope. NodeZero will NOT try to dynamically expand the scope during the operation to include any additional hosts it discovers organically. Only the hosts and subnets that fall within the scope defined in op_param_max_scope will be scanned.

Use op_param_max_scope if you know exactly the scope of hosts and subnets you want to scan, and you do NOT want NodeZero to scan any hosts or subnets beyond that scope. This is the more commonly used option, as it gives you the most control over which hosts and subnets are included in the scan.

Use op_param_min_scope if you're not sure of your full scope, and you want NodeZero to dynamically discover and scan additional hosts and scope.

If neither op_param_min_scope nor op_param_max_scope are defined, then NodeZero defaults to using Intelligent Scope. Intelligent Scope starts with the IP of the host that NodeZero is deployed on. From there, NodeZero enumerates and scans the /16 subnet that the host belongs to. NodeZero then expands into adjacent /23 subnets, continuously identifying and testing nearby assets. The cycle repeats until no additional devices are detected. The ultimate scope of the test depends on the level of privilege and access NodeZero has, either through captured or granted permissions.

The scope is specified as a list of comma-separated IPs and/or CIDR ranges.

op_param_application_url - String
DEPRECATED. For web app pentesting, the primary URL of the web application being tested. Use web_application_uuid instead.
web_application_uuid - String

For web app pentesting, the UUID of the web application entity being tested.

The web application object identified by this UUID provides the op_param_application_url and other web app-specific configuration automatically.

feature_flags - [FeatureFlagInput]
Advanced configuration settings that control specific attack behaviors during the op. See FeatureFlagInput. Partial/patch updates are supported via Mutation.update_op_template. Only flags included in the input will be updated; unspecified flags retain their current values.
osint_domains - [String]
Public-facing domains to scan for OSINT (open-source intelligence) data such as leaked credentials.
osint_company_names - [String]
Company names used for discovering OSINT (open-source intelligence) data such as leaked credentials.
passwords_to_spray - [String]
Passwords to use for password spraying during the op.
git_accounts - [GitAccountInput]
Git accounts to scan during the op for exposed repositories and secrets.
aws_account_ids - [AWSAccountId]
AWS account IDs to scan during the op.
asset_group_uuid - String
ID of the AssetGroup containing authorized assets to pentest. Applies to external pentests only (op_type=ExternalAttack).
start_paused - Boolean
When true, the op starts in a paused state. This is useful for external pentests when NodeZero's IP address must first be known in order to configure firewall rules.
minimum_run_time - Int
The minimum number of minutes the op will run, even if it has fully completed its scan of the target environment. This is useful for giving extra time to password spraying and man-in-the-middle relay attacks.
maximum_run_time - Int
The maximum number of minutes the op will run. The op will stop after this duration even if it has not yet completed its scan of the target environment.
runner_uuid - String
ID of the NodeZero Runner that will launch this op.
auto_injected_credential_uuids - [String!]
UUIDs of credentials to be auto-injected by a NodeZero Runner when launching the op.
targeted_test_id - String
ID of the targeted test to use for the op. Targeted tests focus the op on specific weaknesses or assets.
k8s_deployment - Boolean
Set to true when deploying NodeZero in a Kubernetes cluster. Required for the K8sPentest op type.
k8s_node - String
The Kubernetes node to target for the op. Used by the K8sPentest op type.
k8s_namespace - String
The Kubernetes namespace to target for the op. Used by the K8sPentest op type.
k8s_service_account_name - String
The Kubernetes service account to use for the op. Used by the K8sPentest op type.
aws_connection_uuids - [String!]
UUIDs of AWSConnection objects to use for the op. Required for the AWSPentest op type.
aws_connection_identifier_uuid - String
Global AWS connection identifier for the client account.
enable_tripwires - Boolean
Enables dropping tripwires during the op, provided the client account has the tripwires feature enabled. The specific types of tripwires to drop must also be configured via the feature_flags field.
inventory_op_scope_uuids - [ID!]
UUIDs of InventoryOpScope objects that define the authorized scope for external operations. Applies to ExternalAssetDiscovery and ExternalAttack op types. Mutually exclusive with asset_group_uuid.
all_authorized_assets - Boolean
When true, the op includes all authorized assets with no additional scope filtering. Currently only supported for the ExternalAttack op type. Mutually exclusive with asset_group_uuid, op_series_uuid, and inventory_op_scope_uuids. 
# Example 1: Create an internal pentest with basic configuration
mutation CreateInternalPentest($schedule_op_form: ScheduleOpFormInput = {
    op_name: "Weekly Internal Pentest",
    op_type: NodeZero,
    op_param_max_scope: "10.0.0.0/8",
    maximum_run_time: 480
}) {
  create_op(schedule_op_form: $schedule_op_form) {
    op {
      op_id
      op_type
      op_name
      op_state
      op_param_max_scope
      nodezero_script_url
    }
  }
}

# Example 2: Create an external pentest
mutation CreateExternalPentest($schedule_op_form: ScheduleOpFormInput = {
    op_name: "External Attack Assessment",
    op_type: ExternalAttack,
    asset_group_uuid: "1234abcd-1234-abcd-1234-abcd1234abcd"
}) {
  create_op(schedule_op_form: $schedule_op_form) {
    op {
      op_id
      op_type
      op_name
      op_state
      asset_group_uuid
    }
  }
}

Examples may not include all available fields for a type.

Setup: Op Config

AWSAccountId

Description

String scalar type representing an AWS Account ID (a 12-digit number).

Example
123456789012
Setup: Op Config

AttackConfigValue

Description

The user-provided value for a FeatureFlag. Exactly one field will be set, corresponding to the option's data_type.

Fields
bool_value - Boolean
Value for boolean-type options.
int_value - Int
Value for integer-type options.
float_value - Float
Value for floating-point-type options.
string_value - String
Value for string-type options. 
fragment AttackConfigValueFragment on AttackConfigValue {
  bool_value
  int_value
  float_value
  string_value
}

Examples may not include all available fields for a type.

Setup: Op Config

AttackConfigValueInput

Description

Input type for specifying the value of a FeatureFlag. Provide exactly one of the value fields, matching the option's data_type.

Fields
bool_value - Boolean
Value for boolean-type options.
int_value - Int
Value for integer-type options.
float_value - Float
Value for floating-point-type options.
string_value - String
Value for string-type options. 
# Example: Set a boolean config value via op template update
mutation SetAttackConfig($input: UpdateOpTemplateInput! = {
    uuid: "1234abcd-1234-abcd-1234-abcd1234abcd",
    schedule_op_form: {
        feature_flags: [
            {
                name: "get_proof.bluekeep",
                config_value: { bool_value: true }
            }
        ]
    }
}) {
  update_op_template(input: $input) {
    op_template {
      uuid
      schedule_op_form {
        feature_flags {
          name
          config_value {
            bool_value
            int_value
            string_value
          }
        }
      }
    }
  }
}

Examples may not include all available fields for a type.

Setup: Op Config

FeatureFlag

Description

An advanced configuration option (also known as a feature flag) that controls specific attack behaviors during an op.

Feature flags are configured via ScheduleOpFormInput.feature_flags and can be read from Op.feature_flags or ScheduleOpForm.feature_flags.

For more information about advanced configuration options, see the Attack Configurations section of the Horizon3.ai documentation.

Fields
name - String!
The identifier of the advanced configuration option.
value - Boolean
Indicates whether the option is enabled or disabled.
config_value - AttackConfigValue
The user-provided value for this option. See AttackConfigValue for details.
property_name - String
Human-friendly display name for this option. )
property_description - String
A description of what this option does and when to use it.
category_name - String
The category this option belongs to (e.g. Exploitation, Reconnaissance).
category_description - String
A description of the category.
risk - FeatureFlagRiskType
The disruption risk level associated with enabling this option. See FeatureFlagRiskType.
enables_min_runtime - Boolean
When true, indicates this option works best when ScheduleOpFormInput.minimum_run_time is also configured, to give the attack enough time to execute.
enables_password_spray - Boolean
When true, indicates this option works best when ScheduleOpFormInput.passwords_to_spray is also configured with a list of passwords.
is_new - Boolean!
When true, indicates this option was introduced after the containing OpTemplate was last saved. This helps alert users to new configuration options available in their template. The flag resets once the template is re-saved. 
fragment FeatureFlagFragment on FeatureFlag {
  name
  value
  config_value {
    bool_value
    int_value
    float_value
    string_value
  }
  property_name
  property_description
  category_name
  category_description
  risk
  enables_min_runtime
  enables_password_spray
  is_new
}

Examples may not include all available fields for a type.

Setup: Op Config

FeatureFlagInput

Description

Input for configuring an advanced attack configuration option.

Advanced configuration options (also known as feature flags) control specific attack behaviors during an op. Specify these via ScheduleOpFormInput.feature_flags.

For more information about advanced configuration options, see the Attack Configurations section of the Horizon3.ai documentation.

Fields
name - String!
The identifier of the advanced configuration option.
value - Boolean
Indicates whether the option is enabled or disabled. Used for boolean-type options only.
config_value - AttackConfigValueInput
The configuration value for this option. The value type should match the option's data_type. See AttackConfigValueInput for details. 
# Example 1: Enable a boolean feature flag
mutation EnableFeatureFlag($input: UpdateOpTemplateInput! = {
    uuid: "1234abcd-1234-abcd-1234-abcd1234abcd",
    schedule_op_form: {
        feature_flags: [
            {
                name: "get_proof.bluekeep",
                value: true
            }
        ]
    }
}) {
  update_op_template(input: $input) {
    op_template {
      uuid
      schedule_op_form {
        feature_flags {
          name
          value
        }
      }
    }
  }
}

# Example 2: Set a feature flag with a config value
mutation SetFeatureFlagConfig($input: UpdateOpTemplateInput! = {
    uuid: "1234abcd-1234-abcd-1234-abcd1234abcd",
    schedule_op_form: {
        feature_flags: [
            {
                name: "get_proof.bluekeep",
                config_value: { bool_value: true }
            }
        ]
    }
}) {
  update_op_template(input: $input) {
    op_template {
      uuid
      schedule_op_form {
        feature_flags {
          name
          config_value {
            bool_value
          }
        }
      }
    }
  }
}

Examples may not include all available fields for a type.

Setup: Op Config

FeatureFlagRiskType

Description

The disruption risk level associated with an advanced configuration option (FeatureFlag).

Higher-risk options may cause service interruptions or other observable effects in your environment during the op.

Values
none
No risk of disruption to your environment.
low
Low risk of disruption to your environment.
moderate
Moderate risk of disruption to your environment.
high
High risk of disruption to your environment. Use with caution.
Example
"none"
Setup: Op Config

GitAccount

Description

A Git account discovered or configured during an op.

Git accounts can be specified in the op configuration (via ScheduleOpFormInput.git_accounts) or discovered automatically by NodeZero during the op.

Fields
name - String!
Name of the Git account (user or organization name on the hosting service).
source - GitAccountSource!
The git hosting service for this account. See GitAccountSource. 
fragment GitAccountFragment on GitAccount {
  name
  source
}

Examples may not include all available fields for a type.

Setup: Op Config

GitAccountInput

Description

Input type for specifying a Git account to scan during an op.

Configure Git accounts via ScheduleOpFormInput.git_accounts to have NodeZero scan the specified repositories for exposed secrets and sensitive data.

Fields
name - StringNoWhitespace!
Name of the Git account (user or organization name on the hosting service).
source - GitAccountSource!
The git hosting service for this account. See GitAccountSource. 
# Example: Add git accounts to an op template
mutation SetGitAccounts($input: UpdateOpTemplateInput! = {
    uuid: "1234abcd-1234-abcd-1234-abcd1234abcd",
    schedule_op_form: {
        git_accounts: [
            { name: "my-org", source: GitHub },
            { name: "my-team", source: GitLab }
        ]
    }
}) {
  update_op_template(input: $input) {
    op_template {
      uuid
      schedule_op_form {
        git_accounts {
          name
          source
        }
      }
    }
  }
}

Examples may not include all available fields for a type.

Setup: Op Config

GitAccountSource

Description

The git hosting service for a GitAccount.

Values
GitLab
GitLab.
GitHub
GitHub.
Bitbucket
Bitbucket.
Example
"GitLab"
Setup: Op Config

OpInput

Description

An input type for identifying an Op by its unique identifier.

Fields
op_id - String!
The unique identifier of the op. 
# Example: Fetch EDR hosts CSV
query EDRHostsCSV($input: OpInput!) {
  edr_overview_hosts_csv_presigned_url(input: $input)
}

Examples may not include all available fields for a type.

Setup: Op Templates

Create and manage reusable pentest templates that define standard configurations for different testing scenarios. Templates can be linked to schedules for automated recurring pentests and shared across your organization.

op_templates_page

Description

Retrieve a paginated list of op templates for the current client account. Does not include default templates provided by Horizon3.ai.

Use the OpTemplate.uuid or OpTemplate.op_template_name fields from the results to fetch complete details about a specific OpTemplate via Query.op_template.

Response

Returns an OpTemplatesPage!

Arguments
page_input - PageInput 
query GetOpTemplatesPage($page_input: PageInput) {
  op_templates_page(page_input: $page_input) {
    op_templates {
      uuid
      op_template_name
      op_type
      row_created_at
      schedule_op_form {
        op_name
        op_param_max_scope
      }
    }
  }
}

Examples may not include all available fields for a type.

Setup: Op Templates

op_templates_count

Description

Get the total count of OpTemplate records for the current client account. Does not include default templates provided by Horizon3.ai.

Response

Returns an Int!

Arguments
page_input - PageInput 
query GetOpTemplatesCount($page_input: PageInput) {
  op_templates_count(page_input: $page_input)
}

Examples may not include all available fields for a type.

Setup: Op Templates

op_template

Description

Retrieve a single op template by its unique identifier or name. Exactly one parameter must be provided. Returns the matching OpTemplate or null if not found.

Response

Returns an OpTemplate

Arguments
op_template_uuid - String
Unique identifier of the op template to retrieve. Provide either this or op_template_name, not both.
op_template_name - String
Display name of the op template to retrieve. Provide either this or op_template_uuid, not both. 
query GetOpTemplate($op_template_uuid: String) {
  op_template(op_template_uuid: $op_template_uuid) {
    ...OpTemplateFragment
  }
}

fragment OpTemplateFragment on OpTemplate {
  uuid
  op_template_name
  name
  op_type
  user_account_uuid
  client_account_uuid
  row_created_at
  row_updated_at
  schedule_op_form {
    op_name
    op_type
    op_param_max_scope
    maximum_run_time
  }
}

Examples may not include all available fields for a type.

Setup: Op Templates

create_op_template

Description

Create an OpTemplate. An OpTemplate is a reusable template for running pentests and other op types.

Response

Returns a SaveOpTemplateOutput!

Arguments
op_template_name - String!
Display name for the template. Must be unique within the client account.
schedule_op_form - ScheduleOpFormInput!
Configuration data for the template. See ScheduleOpFormInput for available options.
campaign_uuid - String
Optional campaign UUID. When provided, the automatically created perspective will be added to this campaign. 
mutation CreateOpTemplate(
  $op_template_name: String!
  $schedule_op_form: ScheduleOpFormInput!
) {
  create_op_template(
    op_template_name: $op_template_name
    schedule_op_form: $schedule_op_form
  ) {
    op_template {
      uuid
      op_template_name
      op_type
      row_created_at
      schedule_op_form {
        op_name
        op_type
        op_param_max_scope
        maximum_run_time
      }
    }
  }
}

Examples may not include all available fields for a type.

Setup: Op Templates

update_op_template

Description

Update an OpTemplate.

  • Allows for template renaming.
  • Allows for partial/patch updates of OpTemplate.schedule_op_form.
Response

Returns an UpdateOpTemplateOutput!

Arguments
input - UpdateOpTemplateInput!
Input data for updating the template. 
mutation UpdateOpTemplate($input: UpdateOpTemplateInput!) {
  update_op_template(input: $input) {
    op_template {
      uuid
      op_template_name
      op_type
      row_updated_at
      schedule_op_form {
        op_name
        op_type
        op_param_max_scope
        maximum_run_time
      }
    }
  }
}

Examples may not include all available fields for a type.

Setup: Op Templates

update_op_templates

Description

Update a batch of OpTemplates.

  • Allows for template renaming.
  • Allows for partial/patch updates of OpTemplate.schedule_op_form.
Response

Returns [UpdateOpTemplateOutput!]!

Arguments
input - [UpdateOpTemplateInput!]!
Input data for updating pentest template. 
mutation UpdateOpTemplates($input: [UpdateOpTemplateInput!]!) {
  update_op_templates(input: $input) {
    op_template {
      uuid
      name
      op_type
      schedule_op_form {
        op_name
        op_type
        op_param_max_scope
      }
      row_updated_at
    }
  }
}

Examples may not include all available fields for a type.

Setup: Op Templates

delete_op_template

Description

Delete an op template by its display name.

Response

Returns a DeleteOpTemplateOutput!

Arguments
op_template_name - String!
Display name of the template to delete.
op_type - String
Type of operation. See OpType for available options.
also_delete_schedules - Boolean
When true, also deletes any schedules that reference this template. 
mutation DeleteOpTemplate($op_template_name: String!) {
  delete_op_template(op_template_name: $op_template_name) {
    op_template {
      uuid
      op_template_name
      op_type
    }
  }
}

Examples may not include all available fields for a type.

Setup: Op Templates

delete_op_template_by_uuid

Description

Delete an op template by its unique identifier.

Response

Returns a DeleteOpTemplateOutput!

Arguments
uuid - String!
Unique identifier of the template to delete.
also_delete_schedules - Boolean
When true, also deletes any schedules that reference this template. 
mutation DeleteOpTemplateByUuid($uuid: String!, $also_delete_schedules: Boolean) {
  delete_op_template_by_uuid(uuid: $uuid, also_delete_schedules: $also_delete_schedules) {
    op_template {
      uuid
      name
      op_type
    }
  }
}

Examples may not include all available fields for a type.

Setup: Op Templates

delete_op_templates_by_uuids

Description

Delete multiple op templates by their unique identifiers.

Response

Returns [DeleteOpTemplateOutput!]!

Arguments
uuids - [String!]!
List of unique identifiers for the templates to delete.
also_delete_schedules - Boolean
When true, also deletes any schedules that reference these templates. 
mutation DeleteOpTemplatesByUuids($uuids: [String!]!, $also_delete_schedules: Boolean) {
  delete_op_templates_by_uuids(uuids: $uuids, also_delete_schedules: $also_delete_schedules) {
    op_template {
      uuid
      name
      op_type
    }
  }
}

Examples may not include all available fields for a type.

Setup: Op Templates

op_templates

Description

List of op templates for the current client account. Includes default templates provided by Horizon3.ai.

Response

Returns [OpTemplate]

Arguments
op_type - String
Filter by op type. Defaults to "NodeZero". 
query OpTemplates($op_type: String) {
  op_templates(op_type: $op_type) {
    uuid
    name
    op_type
    schedule_op_form {
      op_name
      op_type
      op_param_blacklist
      op_param_min_scope
      op_param_max_scope
      runner_uuid
    }
    row_created_at
    row_updated_at
  }
}

Examples may not include all available fields for a type.

Setup: Op Templates

op_templates_facets

Description

Retrieve available filter values and counts for op templates. Returns distinct values that can be used to filter the op templates list, such as runner names.

Response

Returns an OpTemplatesFacets!

Arguments
page_input - PageInput 
query OpTemplatesFacets($page_input: PageInput) {
  op_templates_facets(page_input: $page_input) {
    page_info {
      page_size
    }
    runner_name {
      label
      value
      value_count
    }
  }
}

Examples may not include all available fields for a type.

Setup: Op Templates

OpTemplate

Description

An OpTemplate is a reusable template for running pentests and other op types.

An OpTemplate can be linked to a Schedule to run ops on a regular schedule.

See ScheduleOpForm for the configuration options available when creating an OpTemplate.

Fields
uuid - String!
Unique identifier of the op template.
user_account_uuid - String!
Unique identifier of the user account that created this template.
client_account_uuid - String!
Unique identifier of the client account that owns this template.
client_account - ClientAccount!
The ClientAccount that owns this template.
op_template_name - String!
Display name of the template. Must be unique within the client account.
name - String!
Display name of the template. Must be unique within the client account.
op_type - OpType!
Type of op this template applies to. See OpType for details.
schedule_op_form - ScheduleOpForm!
The template's configuration data. See ScheduleOpForm for details on available configuration options.
schedules - [Schedule!]!
The Schedules that use this template for recurring pentest execution.
row_created_at - Datetime!
Timestamp when this template was created.
row_updated_at - Datetime
Timestamp when this template was last modified. 
fragment OpTemplateFragment on OpTemplate {
  uuid
  op_template_name
  name
  op_type
  user_account_uuid
  client_account_uuid
  row_created_at
  row_updated_at
  schedule_op_form {
    op_name
    op_type
    op_param_max_scope
    op_param_blacklist
    maximum_run_time
    minimum_run_time
  }
  schedules {
    uuid
    name
  }
}

Examples may not include all available fields for a type.

Setup: Op Templates

DeleteOpTemplateOutput

Description

Output returned when deleting an OpTemplate.

Fields
op_template - OpTemplate
The deleted op template. Null if the template was not found. 
fragment DeleteOpTemplateOutputFragment on DeleteOpTemplateOutput {
  op_template {
    uuid
    op_template_name
    op_type
  }
}

Examples may not include all available fields for a type.

Setup: Op Templates

OpTemplatesFacets

Description

Facets for op templates filtering. Provides available filter values with counts for the current dataset.

Fields
page_info - PageInfo
Pagination information
runner_name - [FacetValue!]!
List of unique runner names from OpTemplate.schedule_op_form.runner_name values present in the data after applying any filters. 
fragment OpTemplatesFacetsFragment on OpTemplatesFacets {
  page_info {
    page_size
  }
  runner_name {
    label
    value
    value_count
  }
}

Examples may not include all available fields for a type.

Setup: Op Templates

OpTemplatesPage

Description

Contains a paginated list of OpTemplate records.

Fields
page_info - PageInfo
Pagination metadata including total count and cursor information.
op_templates - [OpTemplate!]!
List of op templates in the current page. 
fragment OpTemplatesPageFragment on OpTemplatesPage {
  page_info {
    page_size
    page_num
  }
  op_templates {
    uuid
    op_template_name
    op_type
    row_created_at
  }
}

Examples may not include all available fields for a type.

Setup: Op Templates

SaveOpTemplateOutput

Description

Output returned when creating or saving an OpTemplate.

Fields
op_template - OpTemplate!
The newly created or saved op template.
asset_group - AssetGroup
The op template's associated asset group, if applicable. 
fragment SaveOpTemplateOutputFragment on SaveOpTemplateOutput {
  op_template {
    uuid
    op_template_name
    op_type
    row_created_at
    schedule_op_form {
      op_name
      op_param_max_scope
    }
  }
  asset_group {
    uuid
    name
  }
}

Examples may not include all available fields for a type.

Setup: Op Templates

UpdateOpTemplateInput

Description

Input type for Mutation.update_op_template.

Fields
uuid - String!
The unique identifier of the op template to update.
op_template_name - String
New display name for the template. Must be unique within the client account.
schedule_op_form - ScheduleOpFormInput
Configuration updates for the template. Supports partial updates - only fields provided in this input will be modified. Existing configuration values are preserved for fields not included in the update. 
# Example 1: Rename an op template
mutation RenameOpTemplate($input: UpdateOpTemplateInput! = {
    uuid: "1234abcd-1234-abcd-1234-abcd1234abcd",
    op_template_name: "New Template Name"
}) {
  update_op_template(input: $input) {
    op_template {
      uuid
      op_template_name
    }
  }
}

# Example 2: Update op template scope (partial update)
mutation UpdateOpTemplateScope($input: UpdateOpTemplateInput! = {
    uuid: "1234abcd-1234-abcd-1234-abcd1234abcd",
    schedule_op_form: {
        op_param_max_scope: "192.168.0.0/16"
    }
}) {
  update_op_template(input: $input) {
    op_template {
      uuid
      op_template_name
      schedule_op_form {
        op_param_max_scope
      }
    }
  }
}

# Example 3: Update multiple fields
mutation UpdateOpTemplateMultiple($input: UpdateOpTemplateInput! = {
    uuid: "1234abcd-1234-abcd-1234-abcd1234abcd",
    op_template_name: "Updated Weekly Pentest",
    schedule_op_form: {
        op_param_max_scope: "10.0.0.0/8",
        maximum_run_time: 600
    }
}) {
  update_op_template(input: $input) {
    op_template {
      uuid
      op_template_name
      schedule_op_form {
        op_param_max_scope
        maximum_run_time
      }
    }
  }
}

Examples may not include all available fields for a type.

Setup: Op Templates

UpdateOpTemplateOutput

Description

Output returned when updating an OpTemplate.

Fields
op_template - OpTemplate!
The op template with updated configuration. 
fragment UpdateOpTemplateOutputFragment on UpdateOpTemplateOutput {
  op_template {
    uuid
    op_template_name
    op_type
    row_updated_at
    schedule_op_form {
      op_name
      op_param_max_scope
      maximum_run_time
    }
  }
}

Examples may not include all available fields for a type.

Setup: Runners

Deploy and manage NodeZero runners (agents and Kubernetes operators) that execute pentests from within your network perimeter. Runners simplify the process of launching internal pentests on a Docker host within your network. Runners are required for running internal pentests on an automated recurring basis using a Schedule.

agents_page

Description

Returns a paginated list of NodeZero Runners (Agents) belonging to the current user's ClientAccount.

Use PageInput to control pagination, sorting, and filtering. Set include_sub_client_agents to true to also include Runners from sub-client accounts (requires multi-tenancy to be enabled).

Response

Returns an AgentsPage!

Arguments
page_input - PageInput
include_sub_client_agents - Boolean 
query AgentsPage($page_input: PageInput) {
  agents_page(page_input: $page_input) {
    agents {
      uuid
      name
      user_account_name
      api_key_uuid
      created_at
      is_kubernetes
      kubernetes_namespace
      h3_cli_version
      last_heartbeat_at
      last_heartbeat_time_ago
      active_op_id
    }
    page_info {
      page_num
      page_size
    }
  }
}

Examples may not include all available fields for a type.

Setup: Runners

agents_count

Description

Returns the total count of NodeZero Runners (Agents) belonging to the current user's ClientAccount.

Supports the same filtering criteria as agents_page via PageInput. Set include_sub_client_agents to true to include Runners from sub-client accounts.

Response

Returns an Int!

Arguments
page_input - PageInput
include_sub_client_agents - Boolean 
query AgentsCount($page_input: PageInput, $include_sub_clients: Boolean) {
  agents_count(
    page_input: $page_input
    include_sub_client_agents: $include_sub_clients
  )
}

Examples may not include all available fields for a type.

Setup: Runners

agent

Description

Retrieves a single NodeZero Runner (Agent) by its uuid or name within the current user's ClientAccount.

You must provide either uuid or name. Returns null if no matching Runner is found.

Response

Returns an Agent

Arguments
uuid - String
The unique identifier of the NodeZero Runner to retrieve. Either uuid or name must be provided.
name - String
The name of the NodeZero Runner to retrieve. Either uuid or name must be provided. 
query Agent($uuid: String, $name: String) {
  agent(uuid: $uuid, name: $name) {
    uuid
    name
    user_account_name
    api_key_uuid
    api_key {
      uuid
      starts_with
    }
    uname
    log_file
    last_heartbeat_at
    last_heartbeat_time_ago
    last_heartbeat_source_ip
    last_command {
      command
      received_at
      completed_at
      exit_status
    }
    commands {
      command
      received_at
      completed_at
      exit_status
    }
    created_at
    h3_cli_version
    is_kubernetes
    kubernetes_namespace
    active_op_id
    op_next_scheduled_at
  }
}

Examples may not include all available fields for a type.

Setup: Runners

install_agent

Description

Creates a new NodeZero Runner and returns the installation command needed to deploy it.

NodeZero Runners are lightweight agents that run on your infrastructure and automatically launch NodeZero pentests whenever an Op is created and configured to use the Runner. You can also configure an OpTemplate to use a Runner for all ops created from that template.

This mutation creates a new API key with NODEZERO_RUNNER permissions (or reuses the existing NODEZERO_OPERATOR key for Kubernetes deployments). The API key is embedded in the installation command and stored on the Runner's host.

The InstallAgentOutput includes:

  • The shell command to install and start the Runner (either command for Docker hosts or kubernetes_install_command for K8s).
  • The Agent record representing the Runner, whose uuid can be used to assign it to an Op or OpTemplate even before installation completes.

Note: NodeZero Runners are referred to as Agents throughout the API.

Response

Returns an InstallAgentOutput!

Arguments
agent_name - String
DEPRECATED - use name instead.
name - String
The name of the NodeZero Runner. This is used to identify the Runner in the API. The name is required and must not be empty. The name must not contain spaces and must conform to RFC 1123 DNS subdomain naming conventions.
is_kubernetes - Boolean
Flag to indicate if the Runner is being deployed in a Kubernetes environment. Defaults to false.
kubernetes_namespace - String
The Kubernetes namespace to deploy the Runner in. Defaults to nodezero if omitted. Only applicable when is_kubernetes is true. 
mutation InstallAgent($name: String!, $is_kubernetes: Boolean, $kubernetes_namespace: String) {
  install_agent(
    name: $name
    is_kubernetes: $is_kubernetes
    kubernetes_namespace: $kubernetes_namespace
  ) {
    command
    kubernetes_install_command
    agent {
      uuid
      name
      created_at
      is_kubernetes
      kubernetes_namespace
    }
  }
}

Examples may not include all available fields for a type.

Setup: Runners

hello_agent

Description

Sends a hello-world command to the Runner identified by the given AgentInput.name.

Use this mutation to test connectivity with a Runner and verify that it is active and able to receive and execute commands. The command is queued and delivered to the Runner during its next heartbeat. The resulting AgentCommand can be monitored to confirm the Runner successfully received and executed the ping.

Response

Returns an AgentCommand

Arguments
input - AgentInput! 
mutation HelloAgent($input: AgentInput!) {
  hello_agent(input: $input) {
    uuid
    agent_uuid
    command
    received_at
    completed_at
    exit_status
    log
    created_at
  }
}

Examples may not include all available fields for a type.

Setup: Runners

upgrade_agent

Description

Queues an upgrade command to the Runner identified by the given agent_name or agent_uuid. The Runner will upgrade to the latest version of h3-cli and restart itself.

The Runner must be active and running h3-cli version 2023-06-05 or later to receive the upgrade command. The command is delivered during the Runner's next heartbeat.

You may provide either agent_name or agent_uuid to identify the target Runner.

Response

Returns an AgentCommandOutput!

Arguments
agent_name - String
agent_uuid - String 
mutation UpgradeAgent($agent_name: String) {
  upgrade_agent(agent_name: $agent_name) {
    agent_command {
      uuid
      agent_uuid
      command
      received_at
      completed_at
      exit_status
      log
      created_at
    }
    message
  }
}

Examples may not include all available fields for a type.

Setup: Runners

delete_agent

Description

Deletes the NodeZero Runner (Agent) identified by the given agent_name or agent_uuid.

When a Runner is deleted:

  • For Docker-based Runners, the associated API key is revoked.
  • For Kubernetes Runners, the API key is not revoked because it belongs to the Operator.
  • The Runner is removed from any OpTemplates it was assigned to.

You may provide either agent_name or agent_uuid to identify the target Runner.

Response

Returns an AgentOutput!

Arguments
agent_name - String
agent_uuid - String 
mutation DeleteAgent($agent_uuid: String) {
  delete_agent(agent_uuid: $agent_uuid) {
    agent {
      uuid
      name
      created_at
      is_kubernetes
    }
  }
}

Examples may not include all available fields for a type.

Setup: Runners

operators_page

Description

Returns a paginated list of NodeZero Kubernetes Operators belonging to the current user's ClientAccount.

Use PageInput to control pagination, sorting, and filtering. Set include_sub_client_operators to true to also include Operators from sub-client accounts (requires multi-tenancy to be enabled).

Response

Returns an OperatorsPage!

Arguments
page_input - PageInput
include_sub_client_operators - Boolean 
query OperatorsPage($page_input: PageInput, $include_sub_clients: Boolean) {
  operators_page(
    page_input: $page_input
    include_sub_client_operators: $include_sub_clients
  ) {
    operators {
      uuid
      name
      version
      chart_version
      is_registered
    }
    page_info {
      page_num
      page_size
    }
  }
}

Examples may not include all available fields for a type.

Setup: Runners

operators_count

Description

Returns the total count of NodeZero Kubernetes Operators belonging to the current user's ClientAccount.

Supports the same filtering criteria as operators_page via PageInput. Set include_sub_client_operators to true to include Operators from sub-client accounts.

Response

Returns an Int!

Arguments
page_input - PageInput
include_sub_client_operators - Boolean 
query OperatorsCount($page_input: PageInput, $include_sub_clients: Boolean) {
  operators_count(
    page_input: $page_input
    include_sub_client_operators: $include_sub_clients
  )
}

Examples may not include all available fields for a type.

Setup: Runners

create_operator

Description

Creates a new NodeZero Kubernetes Operator and returns the Helm install command needed to deploy it to your cluster.

The Operator manages the lifecycle of NodeZero Runners within Kubernetes. Once installed, you can create Runners as Kubernetes custom resources via install_agent with is_kubernetes: true.

This mutation also creates a new API key with NODEZERO_OPERATOR permissions. The key is embedded in the Helm install command.

  • operator_name (required): The name for the Operator.
  • use_cilium: Set to true if the cluster uses Cilium, to include a CiliumNetworkPolicy in the deployment. Defaults to false.
  • use_kyverno: Set to true if the cluster uses Kyverno, to include a Kyverno PolicyException in the deployment. Defaults to false.
Response

Returns a CreateOperatorOutput!

Arguments
operator_name - String!
use_cilium - Boolean
Default = false
use_kyverno - Boolean
Default = false 
mutation CreateOperator($operator_name: String!, $use_cilium: Boolean, $use_kyverno: Boolean) {
  create_operator(
    operator_name: $operator_name
    use_cilium: $use_cilium
    use_kyverno: $use_kyverno
  ) {
    command
    operator {
      uuid
      name
      version
      chart_version
      is_registered
    }
  }
}

Examples may not include all available fields for a type.

Setup: Runners

upgrade_operator

Description

Returns a Helm upgrade command to upgrade the NodeZero Kubernetes Operator Helm chart to the latest available version.

Run the returned command against your Kubernetes cluster to apply the upgrade.

Response

Returns an UpgradeOperatorOutput! 

mutation UpgradeOperator {
  upgrade_operator {
    command
  }
}

Examples may not include all available fields for a type.

Setup: Runners

delete_operator

Description

Deletes the NodeZero Kubernetes Operator identified by the given operator_uuid.

Deleting an Operator also revokes and deletes the API key associated with it. Any Runners managed by this Operator should be removed from the cluster before deleting the Operator.

Response

Returns an Operator

Arguments
operator_uuid - String! 
mutation DeleteOperator($operator_uuid: String!) {
  delete_operator(operator_uuid: $operator_uuid) {
    uuid
    name
    version
    chart_version
    is_registered
  }
}

Examples may not include all available fields for a type.

Setup: Runners

agents_facets

Description

Returns the available facet (filter) values for the Runner list, along with occurrence counts for each value.

Use these facets to build dynamic filter controls for the agents_page query. Supports the same filtering criteria via PageInput. Set include_sub_client_agents to true to include facet values from sub-client accounts.

Response

Returns an AgentsFacets!

Arguments
page_input - PageInput
include_sub_client_agents - Boolean 
query AgentsFacets($page_input: PageInput, $include_sub_clients: Boolean) {
  agents_facets(
    page_input: $page_input
    include_sub_client_agents: $include_sub_clients
  ) {
    kubernetes_namespace {
      label
      value
      value_count
    }
    user_account_name {
      label
      value
      value_count
    }
    user_role_id {
      label
      value
      value_count
    }
    page_info {
      page_num
      page_size
    }
  }
}

Examples may not include all available fields for a type.

Setup: Runners

agent_commands_facets

Description

Returns the available facet (filter) values for a specific Runner's command list, along with occurrence counts for each value.

The agent_uuid parameter identifies the Runner whose commands should be analyzed.

Response

Returns an AgentCommandsFacets!

Arguments
page_input - PageInput
agent_uuid - String! 
query AgentCommandsFacets(
  $agent_uuid: String!
  $page_input: PageInput
) {
  agent_commands_facets(
    agent_uuid: $agent_uuid
    page_input: $page_input
  ) {
    exit_status {
      label
      value
      value_count
    }
    page_info {
      page_num
      page_size
    }
  }
}

Examples may not include all available fields for a type.

Setup: Runners

operators_facets

Description

Returns the available facet (filter) values for the Operator list, along with occurrence counts for each value.

Use these facets to build dynamic filter controls for the operators_page query. Supports the same filtering criteria via PageInput. Set include_sub_client_operators to true to include facet values from sub-client accounts.

Response

Returns an OperatorsFacets!

Arguments
page_input - PageInput
include_sub_client_operators - Boolean 
query OperatorsFacets(
  $page_input: PageInput
  $include_sub_client_operators: Boolean
) {
  operators_facets(
    page_input: $page_input
    include_sub_client_operators: $include_sub_client_operators
  ) {
    version {
      label
      value
      value_count
    }
    chart_version {
      label
      value
      value_count
    }
    user_role_id {
      label
      value
      value_count
    }
  }
}

Examples may not include all available fields for a type.

Setup: Runners

Agent

Description

Represents a NodeZero Runner.

A NodeZero Runner is a lightweight agent that runs on your infrastructure and enables the automated deployment and execution of NodeZero pentests. Runners periodically heartbeat to the platform to receive and execute commands such as launching an Op, upgrading, or caching credentials.

Note: Runners are referred to as "Agents" throughout the API.

Fields
uuid - String!
The unique identifier of the Runner.
name - String!
The name of the Runner. This name is used when assigning scheduled ops or OpTemplates to a specific Runner.
user_account_name - String
The display name of the user who most recently started or registered this Runner.
api_key_uuid - String!
The unique identifier of the API key associated with this Runner. The API key is used by the Runner to authenticate with the platform.
api_key - APIKey!
The API key associated with this Runner. The API key is created automatically when the Runner is installed via install_agent.
uname - String
The output of the uname system command on the Runner's host machine. Provides operating system and kernel information.
log_file - String
The path to the log file on the Runner's host machine.
last_heartbeat_at - Datetime
The timestamp of the Runner's most recent heartbeat to the platform. A heartbeat occurs each time the Runner contacts the API to check for new commands.
last_heartbeat_time_ago - String
A human-friendly representation of last_heartbeat_at, for example "3 minutes ago". Returns null if the Runner has never sent a heartbeat.
last_heartbeat_source_ip - String
The source IP address observed during the Runner's most recent heartbeat.
last_command - AgentCommand
The most recent AgentCommand for this Runner (either pending or already executed).
commands - [AgentCommand]
The last last_n commands for this Runner, ordered by most recent first. Defaults to 20; maximum is 100.
Arguments
last_n - Int
commands_page - AgentCommandsPage
A paginated list of commands for this Runner. Supports filtering and sorting via PageInput.
Arguments
page_input - PageInput
created_at - Datetime!
The timestamp when this Runner record was first created.
h3_cli_version - String
The version of the h3-cli software running on this Runner. If the Runner has sent at least one heartbeat but has not reported a version, a default beta version string is returned.
is_kubernetes - Boolean!
Indicates whether this Runner is deployed in a Kubernetes environment.
kubernetes_namespace - String
The Kubernetes namespace where this Runner is deployed. Only applicable when is_kubernetes is true.
active_op_id - String
The Op ID of any currently active (running) pentest being executed by this Runner. Returns null if the Runner is idle.
op_next_scheduled_at - Datetime
The next scheduled execution date for any Op assigned to this Runner. Computed from the cron expressions of all scheduled actions targeting this Runner. 
fragment AgentFragment on Agent {
  uuid
  name
  user_account_name
  api_key_uuid
  api_key
  uname
  log_file
  last_heartbeat_at
  last_heartbeat_time_ago
  last_heartbeat_source_ip
  last_command
  commands
  created_at
  h3_cli_version
  is_kubernetes
  kubernetes_namespace
  active_op_id
  op_next_scheduled_at
}

Examples may not include all available fields for a type.

Setup: Runners

Operator

Description

A Kubernetes (K8s) Operator that manages the lifecycle of NodeZero Runners (Agents) within a Kubernetes cluster.

The Operator is installed via a Helm chart (see create_operator) and manages the deployment, scaling, and upgrading of Runners as Kubernetes custom resources.

Fields
uuid - ID!
The unique identifier of the Operator.
name - String!
The name of the Operator, as specified when it was created via create_operator.
version - String
The software version of the Operator, as reported when the Operator registers itself with the platform.
chart_version - String
The version of the Helm chart used to install or upgrade the Operator.
is_registered - Boolean!
Indicates whether the Operator has successfully registered itself with the platform. An Operator registers automatically after the Helm chart is installed and the Operator pod starts running. 
fragment OperatorFragment on Operator {
  uuid
  name
  version
  chart_version
  is_registered
}

Examples may not include all available fields for a type.

Setup: Runners

AgentCommand

Description

Represents a command that has been queued or executed by a NodeZero Runner (see Agent).

Commands are created by the platform (for example, via hello_agent or upgrade_agent) and delivered to the Runner during its next heartbeat. The Runner then executes the command and reports back the exit status and log output.

Fields
uuid - String!
The unique identifier of this command.
agent_uuid - String!
The unique identifier of the Agent (Runner) assigned to execute this command.
command - String!
The command string to be executed by the Runner (for example, hello-world, upgrade, or run-nodezero <op_id>).
received_at - Datetime
The timestamp when the Runner received the command during a heartbeat. null if the command has not yet been picked up.
completed_at - Datetime
The timestamp when the Runner finished executing the command. null if the command has not yet completed.
exit_status - String
The exit status (return code) from the command process. A value of "0" indicates success.
log - String
The combined stdout and stderr log output from the command process. The log is retrieved from cloud storage and may be truncated for very large outputs.
created_at - Datetime!
The timestamp when this command record was created. 
fragment AgentCommandFragment on AgentCommand {
  uuid
  agent_uuid
  command
  received_at
  completed_at
  exit_status
  log
  created_at
}

Examples may not include all available fields for a type.

Setup: Runners

AgentCommandOutput

Description

Output type for mutations that create or update AgentCommands, such as upgrade_agent and hello_agent.

Fields
agent_command - AgentCommand
The AgentCommand that was created or updated by the mutation.
message - String
An optional informational message about the result of the mutation. 
fragment AgentCommandOutputFragment on AgentCommandOutput {
  agent_command {
    uuid
    agent_uuid
    command
    received_at
    completed_at
    exit_status
    log
    created_at
  }
  message
}

Examples may not include all available fields for a type.

Setup: Runners

AgentCommandsFacets

Description

Facet values for filtering AgentCommands. Each facet field returns the distinct values present in the current dataset along with their occurrence counts, enabling you to build dynamic filter controls.

Fields
page_info - PageInfo
Pagination metadata for the facet result set.
exit_status - [FacetValue]
The distinct AgentCommand.exit_status values present in the data after applying any active filters, along with the count of commands for each value. 
fragment AgentCommandsFacetsFragment on AgentCommandsFacets {
  exit_status {
    label
    value
    value_count
  }
  page_info {
    page_num
    page_size
  }
}

Examples may not include all available fields for a type.

Setup: Runners

AgentCommandsPage

Description

A paginated list of AgentCommands for a given Runner.

Fields
agent_commands - [AgentCommand]!
The list of AgentCommands for the current page.
page_info - PageInfo
Pagination metadata for navigating the result set.
total_count - Int!
The total number of commands matching the query, across all pages. 
fragment AgentCommandsPageFragment on AgentCommandsPage {
  agent_commands {
    uuid
    agent_uuid
    command
    exit_status
    received_at
    completed_at
    created_at
  }
  page_info {
    page_num
    page_size
  }
}

Examples may not include all available fields for a type.

Setup: Runners

AgentInput

Description

Input type for Mutation.hello_agent.

Identifies a NodeZero Runner by name. The name field is required and must match an existing Runner in your ClientAccount.

Fields
name - String!
The name of the Runner. Must match the name of an existing Agent in your account. 
mutation HelloAgent($input: AgentInput! = {
  name: "runner-production"
}) {
  hello_agent(input: $input) {
    uuid
    agent_uuid
    command
    created_at
  }
}

Examples may not include all available fields for a type.

Setup: Runners

AgentOutput

Description

Output type for mutations that operate on Agents, such as delete_agent.

Fields
agent - Agent
The Agent record that was affected by the mutation. 
fragment AgentOutputFragment on AgentOutput {
  agent {
    uuid
    name
    user_account_name
    uname
    last_heartbeat_at
    last_heartbeat_time_ago
    h3_cli_version
    created_at
    is_kubernetes
  }
}

Examples may not include all available fields for a type.

Setup: Runners

AgentsFacets

Description

Facet values for filtering Agents (NodeZero Runners). Each facet field returns the distinct values present in the current dataset along with their occurrence counts, enabling you to build dynamic filter controls for the Runner list.

Fields
page_info - PageInfo
Pagination metadata for the facet result set.
kubernetes_namespace - [FacetValue]
The distinct Agent.kubernetes_namespace values present in the data after applying any active filters, along with the count of Runners for each namespace.
user_account_name - [FacetValue]
The distinct Agent.user_account_name values present in the data after applying any active filters, along with the count of Runners for each user.
user_role_id - [FacetValue]
The distinct APIKey role values (user_role_id) present in the data after applying any active filters, along with the count of Runners for each role. 
fragment AgentsFacetsFragment on AgentsFacets {
  kubernetes_namespace
  user_account_name
  user_role_id
  page_info {
    page_num
    page_size
  }
}

Examples may not include all available fields for a type.

Setup: Runners

AgentsPage

Description

A paginated list of NodeZero Runners (Agents).

Fields
page_info - PageInfo
Pagination metadata for navigating the result set.
agents - [Agent!]!
The list of Agents (Runners) for the current page. 
fragment AgentsPageFragment on AgentsPage {
  agents {
    uuid
    name
    user_account_name
    created_at
    is_kubernetes
  }
  page_info {
    page_num
    page_size
  }
}

Examples may not include all available fields for a type.

Setup: Runners

CreateOperatorOutput

Description

Output type for create_operator.

Contains the Helm install command, the newly created API key, and the Operator record.

Fields
command - String!
The Helm install command to run against your Kubernetes cluster. This command deploys the NodeZero Operator Helm chart and configures it with the generated API key.
api_key - APIKey!
The API key that was created for the Operator. The key has NODEZERO_OPERATOR permissions and is embedded in the Helm install command.
operator - Operator!
The Operator record that was created in the platform. 
fragment CreateOperatorOutputFragment on CreateOperatorOutput {
  command
  operator {
    uuid
    name
    version
    chart_version
    is_registered
  }
}

Examples may not include all available fields for a type.

Setup: Runners

InstallAgentOutput

Description

Output type for install_agent.

Contains the shell command needed to install and start a NodeZero Runner on the target host, along with the API key and Agent record created for the Runner.

Fields
command - String

The shell command for installing the NodeZero Runner on a Docker host. Run this command on the machine where you want the Runner to operate. It downloads, installs, and starts the Runner process.

This field is populated only when is_kubernetes is false (or omitted) in install_agent. For Kubernetes deployments, use the kubernetes_install_command field instead.

kubernetes_install_command - String

The kubectl command for deploying the NodeZero Runner as a custom resource in a Kubernetes cluster. Run this command against the cluster where the Operator is installed.

This field is populated only when is_kubernetes is true in install_agent. For non-Kubernetes deployments, use the command field instead.

api_key - APIKey
The API key that was created for the Runner. For Docker-based Runners, the key has NODEZERO_RUNNER permissions. For Kubernetes Runners, the existing Operator's NODEZERO_OPERATOR key is returned.
agent - Agent
The Agent record representing the newly created Runner. This record is created immediately and can be referenced by its uuid to assign the Runner to an OpTemplate or Op even before the Runner has been installed and started on the host. 
fragment InstallAgentOutputFragment on InstallAgentOutput {
  command
  kubernetes_install_command
  agent {
    uuid
    name
    created_at
    is_kubernetes
  }
}

Examples may not include all available fields for a type.

Setup: Runners

OperatorsFacets

Description

Facet values for filtering Operators. Each facet field returns the distinct values present in the current dataset along with their occurrence counts, enabling you to build dynamic filter controls for the Operator list.

Fields
page_info - PageInfo
Pagination metadata for the facet result set.
version - [FacetValue]
The distinct Operator.version values present in the data after applying any active filters, along with the count of Operators for each version.
chart_version - [FacetValue]
The distinct Operator.chart_version values present in the data after applying any active filters, along with the count of Operators for each Helm chart version.
user_role_id - [FacetValue]
The distinct APIKey role values (user_role_id) present in the data after applying any active filters, along with the count of Operators for each role. 
fragment OperatorsFacetsFragment on OperatorsFacets {
  page_info {
    page_num
    page_size
  }
  version {
    label
    value
    value_count
  }
  chart_version {
    label
    value
    value_count
  }
  user_role_id {
    label
    value
    value_count
  }
}

Examples may not include all available fields for a type.

Setup: Runners

OperatorsPage

Description

A paginated list of NodeZero Kubernetes Operators.

Fields
page_info - PageInfo
Pagination metadata for navigating the result set.
operators - [Operator!]!
The list of Operators for the current page. 
fragment OperatorsPageFragment on OperatorsPage {
  operators {
    uuid
    name
    version
    chart_version
    is_registered
  }
  page_info {
    page_num
    page_size
  }
}

Examples may not include all available fields for a type.

Setup: Runners

UpgradeOperatorOutput

Description

Output type for upgrade_operator.

Fields
command - String!
The Helm upgrade command to run against your Kubernetes cluster. This command upgrades the NodeZero Operator Helm chart to the latest available version. 
fragment UpgradeOperatorOutputFragment on UpgradeOperatorOutput {
  command
}

Examples may not include all available fields for a type.

Setup: Schedules

Automate recurring pentests and operations with flexible scheduling. Create, update, and manage scheduled actions that run pentests at specified intervals (daily, weekly, monthly) to maintain continuous security validation.

schedules_page

Description

List of Schedules and ScheduledActions in the current account.

The Schedule.uuid field can be used to fetch more details about a specific Schedule via Query.schedule.

Response

Returns a SchedulesPage!

Arguments
page_input - PageInput 
query SchedulesPage($page_input: PageInput) {
  schedules_page(page_input: $page_input) {
    schedules {
      uuid
      name
      is_disabled
      ops_count
      last_op {
        op_name
        op_state
      }
      actions {
        uuid
        action
        cadence
        cron_expression
        cron_description
        is_disabled
        schedule_uuid
        schedule_name
        op_template_uuid
        last_triggered_at
        last_triggered_time_ago
        next_triggered_at
        next_triggered_time_in
        total_triggers
      }
    }
    page_info {
      page_num
      page_size
    }
  }
}

Examples may not include all available fields for a type.

Setup: Schedules

schedules_count

Description

Count of Schedules in the current account.

Response

Returns an Int!

Arguments
page_input - PageInput 
query SchedulesCount($page_input: PageInput) {
  schedules_count(page_input: $page_input)
}

Examples may not include all available fields for a type.

Setup: Schedules

schedule

Description

Get the Schedule with the given uuid or name. Provide either uuid or name to identify the schedule.

Response

Returns a Schedule

Arguments
uuid - String
The uuid of the Schedule to fetch.
name - String
The name of the Schedule to fetch. 
query Schedule($uuid: String, $name: String) {
  schedule(uuid: $uuid, name: $name) {
    uuid
    name
    is_disabled
    ops_count
    last_op {
      op_name
      op_state
      op_type
    }
    actions {
      uuid
      action
      cadence
      cron_expression
      cron_description
      is_disabled
      schedule_uuid
      schedule_name
      op_template_uuid
      last_triggered_at
      last_triggered_time_ago
      next_triggered_at
      next_triggered_time_in
      total_triggers
    }
  }
}

Examples may not include all available fields for a type.

Setup: Schedules

create_scheduled_action

Description

Create or update a ScheduledAction.

ScheduledActions are actions within a Schedule that run at a specific time, similar to a cron job. A Schedule is automatically created if one doesn't already exist for the given schedule_name.

A ScheduledAction can be used to run a pentest on a recurring basis, eg. weekly or monthly.

You can also use ScheduledActions to pause, resume, and cancel a pentest at specific times, for example to pause a pentest during a maintenance window. See CreateScheduledActionInput.action for more details.

Response

Returns a ScheduledActionOutput!

Arguments
input - CreateScheduledActionInput! 
mutation CreateScheduledAction($input: CreateScheduledActionInput!) {
  create_scheduled_action(input: $input) {
    scheduled_action {
      uuid
      action
      cadence
      cron_expression
      cron_description
      is_disabled
      schedule_uuid
      schedule_name
      op_template_uuid
      last_triggered_at
      next_triggered_at
      next_triggered_time_in
      total_triggers
    }
  }
}

Examples may not include all available fields for a type.

Setup: Schedules

trigger_scheduled_action

Description

Trigger a ScheduledAction to run now.

This mutation can be used to verify a ScheduledAction's configuration and ensure it behaves as expected. It can also be used as a convenient way to run a pentest immediately, without waiting for the next scheduled time.

Response

Returns a ScheduledActionOutput!

Arguments
input - TriggerScheduledActionInput! 
mutation TriggerScheduledAction($input: TriggerScheduledActionInput!) {
  trigger_scheduled_action(input: $input) {
    scheduled_action {
      uuid
      action
      schedule_name
      last_triggered_at
      last_triggered_time_ago
      next_triggered_at
      next_triggered_time_in
      total_triggers
    }
  }
}

Examples may not include all available fields for a type.

Setup: Schedules

update_scheduled_action

Description

Update a ScheduledAction.

Response

Returns a ScheduledActionOutput!

Arguments
input - UpdateScheduledActionInput! 
mutation UpdateScheduledAction($input: UpdateScheduledActionInput!) {
  update_scheduled_action(input: $input) {
    scheduled_action {
      uuid
      action
      cadence
      cron_expression
      cron_description
      is_disabled
      schedule_uuid
      schedule_name
      op_template_uuid
      last_triggered_at
      next_triggered_at
      next_triggered_time_in
      total_triggers
    }
  }
}

Examples may not include all available fields for a type.

Setup: Schedules

delete_scheduled_action

Description

Delete a ScheduledAction. To fully delete a Schedule, delete all ScheduledActions within it.

Response

Returns a ScheduledActionOutput!

Arguments
input - DeleteScheduledActionInput! 
mutation DeleteScheduledAction($input: DeleteScheduledActionInput!) {
  delete_scheduled_action(input: $input) {
    scheduled_action {
      uuid
      action
      schedule_name
      is_disabled
    }
  }
}

Examples may not include all available fields for a type.

Setup: Schedules

Schedule

Description

A Schedule is a set of ScheduledActions that can be used together to control the execution of a pentest on a recurring basis.

Use Mutation.create_scheduled_action to create a Schedule.

Typically a Schedule has only one ScheduledAction, with its action set to run-pentest. This is used to run a pentest at a specific date and time on a recurring basis.

A Schedule may further control the execution of pentests by using additional ScheduledActions with actions set to pause-pentest, resume-pentest, and/or cancel-pentest, for pausing, resuming, and canceling/ending the pentest respectively.

Fields
uuid - String!
Unique ID of the Schedule.
name - String!
The Schedule name.
op_template_name - String
Name of the OpTemplate assigned to this schedule's run-pentest action.
actions - [ScheduledAction]
The ScheduledActions defined in this schedule.
created_at - Datetime!
When the Schedule was created.
last_updated_at - Datetime
When the Schedule was last updated.
is_disabled - Boolean
Whether all actions in this schedule are disabled. When true, no actions will execute at their scheduled times. Use Mutation.enable_schedule or Mutation.disable_schedule to toggle.
state - String
Display label for the schedule's enabled/disabled status. Returns ENABLED or DISABLED.
ops_count - Int!
The number of operations that have been run under this schedule.
Arguments
page_input - PageInput
ops_page - OpsPage!
Paginated list of operations run under this schedule. See Op for operation details.
Arguments
page_input - PageInput
run_pentest_action - ScheduledAction
The run-pentest ScheduledAction for this schedule, if one exists.
last_op - Op
The most recent Op that ran (or is currently running) under this schedule.
total_triggers - Int
Number of times the schedule has run. 
fragment ScheduleFragment on Schedule {
  uuid
  name
  is_disabled
  ops_count
  last_op {
    op_name
    op_state
    op_type
  }
  actions {
    uuid
    action
    cadence
    cron_expression
    cron_description
    is_disabled
    op_template_uuid
    last_triggered_at
    next_triggered_at
    total_triggers
  }
}

Examples may not include all available fields for a type.

Setup: Schedules

ScheduledAction

Description

An action to run at a specific time on a recurring schedule, like a cron job. ScheduledActions are useful for running pentests on a recurring basis, such as weekly or monthly.

There are four types of actions:

  • run-pentest: Run a pentest using the OpTemplate configured in the ScheduledAction.
  • pause-pentest: Pause a pentest that is currently running.
  • resume-pentest: Resume a paused pentest.
  • cancel-pentest: Cancel a pentest that is currently running.
Fields
uuid - String!
Unique ID of the ScheduledAction.
schedule_name - String!
The name of the Schedule that the ScheduledAction belongs to. A Schedule is a collection of ScheduledActions.
schedule_uuid - String!
ID of the Schedule that the ScheduledAction belongs to. A Schedule is a collection of ScheduledActions.
action - String!

The action to execute. Supported actions are:

  • run-pentest: Run a pentest using the OpTemplate configured in the ScheduledAction.
  • pause-pentest: Pause a pentest that is currently running.
  • resume-pentest: Resume a paused pentest.
  • cancel-pentest: Cancel a pentest that is currently running.

cron_expression - String!

A cron expression that defines when the action is executed.

A cron expression is a string consisting of 5 fields separated by spaces. The 5 fields represent the following:

  • minute (0–59) - this field must always be set to '*' or '0'.
  • hour (0–23) - note this is in UTC time.
  • day of the month (1–31)
  • month (1–12)
  • day of the week (0–6) (Sunday to Saturday)

Notes:

  • ScheduledActions only support hourly resolution. The minutes field must always be set to '*' or '0'.
  • The cron expression is configured in UTC time. If you want to run the action at a specific time in another timezone, you will need to convert that time to UTC.

- runs at midnight UTC every saturday

cron_description - String
A human-readable description of the cron schedule, e.g. 'Every Saturday at midnight UTC'.
op_template_uuid - String
This field is used with the run-pentest action. This is the uuid of the OpTemplate that will be used to run the pentest when the ScheduledAction is triggered.
op_template - OpTemplate
This field is used with the run-pentest action. This is the OpTemplate that will be used to run the pentest when the ScheduledAction is triggered.
last_triggered_at - Datetime
The last time the action was triggered.
last_triggered_time_ago - String
last_triggered_at as a human-friendly "time ago" statement, eg. "3 minutes ago"
last_triggered_error - String
The error message, if an error occurred the last time the action was triggered.
next_triggered_at - Datetime
The next time the action will be triggered.
next_triggered_time_in - String
next_triggered_at as a human-friendly statement, eg. "3 minutes from now"
next_triggered_ats - [Datetime]
The next scheduled execution times. Use the next_n argument to specify how many upcoming times to return.
Arguments
next_n - Int
cadence - String
The cadence text (Daily/Weekly/Monthly/Quarterly/Custom) of the schedule.
is_disabled - Boolean
Whether this scheduled action is disabled. Disabled actions will not execute at their scheduled times.
total_triggers - Int
Number of times the schedule has run. 
fragment ScheduledActionFragment on ScheduledAction {
  uuid
  action
  cadence
  cron_expression
  cron_description
  is_disabled
  schedule_uuid
  schedule_name
  op_template_uuid
  last_triggered_at
  last_triggered_time_ago
  last_triggered_error
  next_triggered_at
  next_triggered_ats
  next_triggered_time_in
  total_triggers
}

Examples may not include all available fields for a type.

Setup: Schedules

CreateScheduledActionInput

Description

Input type for Mutation.create_scheduled_action

Fields
schedule_name - String!
The name of the Schedule that the ScheduledAction belongs to. A Schedule is a collection of ScheduledActions.
action - String!

The action to execute. Supported actions are:

  • run-pentest: Run a pentest using the OpTemplate configured in the ScheduledAction.
  • pause-pentest: Pause a pentest that is currently running.
  • resume-pentest: Resume a paused pentest.
  • cancel-pentest: Cancel a pentest that is currently running.
cron_expression - String!

A cron expression that defines when the action is executed.

A cron expression is a string consisting of 5 fields separated by spaces. The 5 fields represent the following:

  • minute (0–59) - this field must always be set to '*' or '0'.
  • hour (0–23) - note this is in UTC time.
  • day of the month (1–31)
  • month (1–12)
  • day of the week (0–6) (Sunday to Saturday)

Notes:

  • ScheduledActions only support hourly resolution. The minutes field must always be set to '*' or '0'.
  • The cron expression is configured in UTC time. If you want to run the action at a specific time in another timezone, you will need to convert that time to UTC.
op_template_uuid - String
This field is used with the run-pentest action. This is the OpTemplate that will be used to run the pentest when the ScheduledAction is triggered. 
mutation CreateScheduledActionExample(
  $input: CreateScheduledActionInput = {
    schedule_name: "Weekly Infrastructure Scan"
    action: "run-pentest"
    cron_expression: "0 2 * * MON"
    op_template_uuid: "9999aaaa-9999-aaaa-9999-aaaa9999aaaa"
  }
) {
  create_scheduled_action(input: $input) {
    scheduled_action {
      uuid
      schedule_name
      action
      cron_expression
    }
  }
}

Examples may not include all available fields for a type.

Setup: Schedules

DeleteScheduledActionInput

Description

Input type for Mutation.delete_scheduled_action

Fields
schedule_name - String!
Name of the Schedule containing the action to delete.
action - String!
The action to delete. Supported actions: run-pentest, pause-pentest, resume-pentest, cancel-pentest 
mutation DeleteScheduledActionExample(
  $input: DeleteScheduledActionInput = {
    schedule_name: "Weekly Infrastructure Scan"
    action: "run-pentest"
  }
) {
  delete_scheduled_action(input: $input) {
    scheduled_action {
      uuid
      schedule_name
      action
      is_disabled
    }
  }
}

Examples may not include all available fields for a type.

Setup: Schedules

ScheduledActionOutput

Description

Output type for Mutation.create_scheduled_action and other mutations.

Fields
scheduled_action - ScheduledAction
The created ScheduledAction 
fragment ScheduledActionOutputFragment on ScheduledActionOutput {
  scheduled_action {
    uuid
    action
    cadence
    cron_expression
    cron_description
    is_disabled
    schedule_uuid
    schedule_name
    op_template_uuid
    total_triggers
  }
}

Examples may not include all available fields for a type.

Setup: Schedules

SchedulesPage

Description

Paginated list of Schedules.

Fields
page_info - PageInfo
Pagination of response.
schedules - [Schedule!]!
List of Schedules. 
fragment SchedulesPageFragment on SchedulesPage {
  schedules {
    uuid
    name
    is_disabled
    ops_count
    actions {
      uuid
      action
    }
  }
  page_info {
    page_num
    page_size
  }
}

Examples may not include all available fields for a type.

Setup: Schedules

TriggerScheduledActionInput

Description

Input type for Mutation.trigger_scheduled_action.

Fields
schedule_name - String!
Name of the Schedule containing the action to trigger.
action - String!
The action to trigger. Supported actions: run-pentest, pause-pentest, resume-pentest, cancel-pentest 
mutation TriggerScheduledActionExample(
  $input: TriggerScheduledActionInput = {
    schedule_name: "Weekly Infrastructure Scan"
    action: "run-pentest"
  }
) {
  trigger_scheduled_action(input: $input) {
    scheduled_action {
      uuid
      schedule_name
      action
      last_triggered_at
      total_triggers
    }
  }
}

Examples may not include all available fields for a type.

Setup: Schedules

UpdateScheduledActionInput

Description

Input type for Mutation.update_scheduled_action

Fields
uuid - String!
ID of ScheduledAction to update.
cron_expression - String

A cron expression that defines when the action is executed.

A cron expression is a string consisting of 5 fields separated by spaces. The 5 fields represent the following:

  • minute (0–59) - this field must always be set to '*' or '0'.
  • hour (0–23) - note this is in UTC time.
  • day of the month (1–31)
  • month (1–12)
  • day of the week (0–6) (Sunday to Saturday)

Notes:

  • ScheduledActions only support hourly resolution. The minutes field must always be set to '*' or '0'.
  • The cron expression is configured in UTC time. If you want to run the action at a specific time in another timezone, you will need to convert that time to UTC.
op_template_uuid - String
This field is used with the run-pentest action. This is the OpTemplate that will be used to run the pentest when the ScheduledAction is triggered. 
mutation UpdateScheduledActionExample(
  $input: UpdateScheduledActionInput = {
    uuid: "5678abcd-5678-abcd-5678-abcd5678abcd"
    cron_expression: "0 3 * * *"
    op_template_uuid: "9999aaaa-9999-aaaa-9999-aaaa9999aaaa"
  }
) {
  update_scheduled_action(input: $input) {
    scheduled_action {
      uuid
      cron_expression
      cron_description
    }
  }
}

Examples may not include all available fields for a type.

Setup: Asset Groups

Organize external attack surface assets (domains and IP ranges) into logical groups for targeted pentesting. Asset groups enable you to define and manage different segments of your external infrastructure for focused security assessments.

asset_groups_page

Description

Paginated list of asset groups in this account.

The AssetGroup.uuid field can be used to fetch more details about a specific AssetGroup using Query.asset_group.

Response

Returns an AssetGroupsPage!

Arguments
page_input - PageInput 
query AssetGroupsPage($page_input: PageInput) {
  asset_groups_page(page_input: $page_input) {
    asset_groups {
      ...AssetGroupPageFragment
    }
  }
}

fragment AssetGroupPageFragment on AssetGroup {
  uuid
  name
  op_template_uuid
  user_account_name
  client_account_company_name
  last_ead_etl_completed_at
  created_at
  updated_at
  op_series_uuid
  op_series_status
  assets_count
  authorized_assets_count
  external_domain_xops_count
  in_scope_host_tab_xops_count
}

Examples may not include all available fields for a type.

Setup: Asset Groups

asset_groups_count

Description

The total number of asset groups in this account.

Response

Returns an Int!

Arguments
page_input - PageInput 
query AssetGroupsCount($page_input: PageInput) {
  asset_groups_count(page_input: $page_input)
}

Examples may not include all available fields for a type.

Setup: Asset Groups

asset_group

Description

Fetch a specific asset group by its unique identifier.

Response

Returns an AssetGroup

Arguments
uuid - String! 
query AssetGroup($uuid: String!) {
  asset_group(uuid: $uuid) {
    ...AssetGroupFragment
  }
}

fragment AssetGroupFragment on AssetGroup {
  uuid
  name
  op_template_uuid
  user_account_uuid
  user_account_name
  client_account_uuid
  client_account_company_name
  last_ead_etl_completed_at
  created_at
  updated_at
  op_series_uuid
  op_series_status
  assets_count
  authorized_assets_count
  external_domain_xops_count
  authorized_external_domain_xops_count
  in_scope_host_tab_xops_count
  authorized_host_tab_xops_count
}

Examples may not include all available fields for a type.

Setup: Asset Groups

create_asset_group

Description

Create a new asset group.

The asset group's scan scope is defined by the provided ScheduleOpFormInput. Set the asset group name via schedule_op_form.op_name.

Response

Returns an AssetGroupOutput!

Arguments
schedule_op_form - ScheduleOpFormInput!
Scope for discovering assets. 
mutation CreateAssetGroup(
  $schedule_op_form: ScheduleOpFormInput!
) {
  create_asset_group(schedule_op_form: $schedule_op_form) {
    asset_group {
      uuid
      name
      op_template_uuid
      op_series_uuid
      op_series_status
      created_at
      assets_count
      external_domain_xops_count
      in_scope_host_tab_xops_count
    }
  }
}

Examples may not include all available fields for a type.

Setup: Asset Groups

update_asset_group_template

Description

Update an asset group's scan scope configuration.

The asset group name can be updated via schedule_op_form.op_name.

Response

Returns a SaveOpTemplateOutput!

Arguments
asset_group_uuid - String!
ID of asset group.
schedule_op_form - ScheduleOpFormInput!
Scope for discovering assets. 
mutation UpdateAssetGroupTemplate(
  $asset_group_uuid: String!
  $schedule_op_form: ScheduleOpFormInput!
) {
  update_asset_group_template(
    asset_group_uuid: $asset_group_uuid
    schedule_op_form: $schedule_op_form
  ) {
    op_template {
      uuid
      op_template_name
      op_type
      schedule_op_form {
        op_name
        osint_domains
      }
    }
    asset_group {
      uuid
      name
      op_series_uuid
    }
  }
}

Examples may not include all available fields for a type.

Setup: Asset Groups

AssetGroup

Description

An asset group represents a collection of discovered assets (domains and IPs) in your environment.

Assets are discovered by running External Asset Discovery scans using the scope defined in the asset group's associated OpTemplate. Once discovered, assets can be authorized for pentesting and used as the scope for External Attack operations.

Use Mutation.create_asset_group to create a new asset group.

Fields
uuid - String!
Unique identifier of the asset group.
name - String!
Display name of the asset group.
op_template_uuid - String!
Unique identifier of the OpTemplate that defines this asset group's scan scope.
op_template - OpTemplate!
The OpTemplate that defines this asset group's scan scope and configuration.
user_account_uuid - String!
Unique identifier of the user account that created this asset group.
user_account_name - String!
Display name of the user account that created this asset group.
client_account_uuid - String!
Unique identifier of the client account that owns this asset group.
client_account_company_name - String!
Company name of the client account that owns this asset group.
last_ead_etl_completed_at - Datetime
Timestamp when the most recent External Asset Discovery scan completed for this asset group.
created_at - Datetime!
Timestamp when this asset group was created.
updated_at - Datetime
Timestamp when this asset group was last modified.
op_series_uuid - String!
Unique identifier of the External Asset Discovery op series associated with this asset group.
assets_count - Int!
Total number of discovered assets (domains and IPs) in this asset group.
authorized_assets_count - Int!
Number of assets in this asset group that have been authorized for pentesting.
external_domain_xops_count - Int!
Total number of discovered domains in this asset group.
external_domain_xops_page - ExternalDomainXopsPage!
Paginated list of discovered domains in this asset group.
Arguments
page_input - PageInput
authorized_external_domain_xops_count - Int!
Number of domains in this asset group that have been authorized for pentesting.
in_scope_host_tab_xops_count - Int!
Total number of discovered IPs in this asset group.
in_scope_host_tab_xops_page - HostTabXopsPage!
Paginated list of discovered IPs in this asset group.
Arguments
page_input - PageInput
authorized_host_tab_xops_count - Int!
Number of IPs in this asset group that have been authorized for pentesting. 
fragment AssetGroupFragment on AssetGroup {
  uuid
  name
  op_template_uuid
  user_account_uuid
  user_account_name
  client_account_uuid
  client_account_company_name
  last_ead_etl_completed_at
  created_at
  updated_at
  op_series_uuid
  op_series_status
  assets_count
  authorized_assets_count
  external_domain_xops_count
  authorized_external_domain_xops_count
  in_scope_host_tab_xops_count
  authorized_host_tab_xops_count
}

Examples may not include all available fields for a type.

Setup: Asset Groups

AssetGroupOutput

Description

Output type returned by asset group mutations.

Fields
asset_group - AssetGroup!
The AssetGroup. 
fragment AssetGroupOutputFragment on AssetGroupOutput {
  asset_group {
    uuid
    name
    op_template_uuid
    op_series_uuid
    op_series_status
    created_at
    updated_at
    assets_count
    authorized_assets_count
    external_domain_xops_count
    in_scope_host_tab_xops_count
  }
}

Examples may not include all available fields for a type.

Setup: Asset Groups

AssetGroupsPage

Description

Contains a paginated list of AssetGroup records.

Fields
page_info - PageInfo
Page details.
asset_groups - [AssetGroup!]!
List of asset groups. 
fragment AssetGroupsPageFragment on AssetGroupsPage {
  page_info {
    page_num
    page_size
  }
  asset_groups {
    uuid
    name
    op_template_uuid
    user_account_name
    last_ead_etl_completed_at
    created_at
    updated_at
    op_series_uuid
    op_series_status
    assets_count
    authorized_assets_count
    external_domain_xops_count
    in_scope_host_tab_xops_count
  }
}

Examples may not include all available fields for a type.

Setup: Asset Groups: Domains

Manage domains within asset groups for external pentesting. Query discovered domains, view their testing history across operations, and add or remove domains from asset groups to control your external attack surface scope.

external_domain_xops_page

Description

Returns a paginated list of ExternalDomainXop records (domains) in the given AssetGroup.op_series_uuid. Supports filtering, sorting, and pagination via page_input.

Response

Returns an ExternalDomainXopsPage!

Arguments
op_series_uuid - String!
page_input - PageInput 
query ExternalDomainXopsPage(
  $op_series_uuid: String!
  $page_input: PageInput
) {
  external_domain_xops_page(
    op_series_uuid: $op_series_uuid
    page_input: $page_input
  ) {
    external_domain_xops {
      ...ExternalDomainXopPageFragment
    }
  }
}

fragment ExternalDomainXopPageFragment on ExternalDomainXop {
  uuid
  op_series_uuid
  xop_id
  last_op_id
  current_op_id
  is_authorized
  is_dynamic_ip
  third_party_aliases
  pentestable_rules {
    is_allowed
  }
}

Examples may not include all available fields for a type.

Setup: Asset Groups: Domains

external_domain_xops_count

Description

Returns the total number of ExternalDomainXop records (domains) in the given AssetGroup.op_series_uuid. Supports filtering via page_input.

Response

Returns an Int!

Arguments
op_series_uuid - String!
page_input - PageInput 
query ExternalDomainXopsCount(
  $op_series_uuid: String!
  $page_input: PageInput
) {
  external_domain_xops_count(
    op_series_uuid: $op_series_uuid
    page_input: $page_input
  )
}

Examples may not include all available fields for a type.

Setup: Asset Groups: Domains

external_domain_xop

Description

Returns the ExternalDomainXop with the given uuid. The UUID is in the format {op_series_uuid}/{domain_name}.

Response

Returns an ExternalDomainXop

Arguments
uuid - String! 
query ExternalDomainXop($uuid: String!) {
  external_domain_xop(uuid: $uuid) {
    ...ExternalDomainXopFragment
  }
}

fragment ExternalDomainXopFragment on ExternalDomainXop {
  uuid
  op_series_uuid
  xop_id
  last_op_id
  current_op_id
  is_authorized
  is_dynamic_ip
  third_party_aliases
  third_party_certificate_subject_cns
  pentestable_rules {
    is_allowed
    action_tooltip
    authz_warning
  }
  excluded_domain_from_last_pentest {
    op_id
    domain
    reason
  }
}

Examples may not include all available fields for a type.

Setup: Asset Groups: Domains

add_domains_to_asset_group

Description

Adds one or more domains to the given AssetGroup's configured scope. The new domains are merged into the AssetGroup's existing domain list. Duplicate domains are automatically deduplicated. Returns the updated AssetGroup.

Response

Returns an AssetGroupOutput!

Arguments
asset_group_uuid - String!
The UUID of the AssetGroup to update.
domains - [StringNotEmpty]!
List of domain names to add to the AssetGroup's scope (e.g., ["example.com", "sub.example.com"]). 
mutation AddDomainsToAssetGroup(
  $asset_group_uuid: String!
  $domains: [StringNotEmpty]!
) {
  add_domains_to_asset_group(
    asset_group_uuid: $asset_group_uuid
    domains: $domains
  ) {
    asset_group {
      uuid
      name
      op_series_uuid
      assets_count
      external_domain_xops_count
      authorized_external_domain_xops_count
    }
  }
}

Examples may not include all available fields for a type.

Setup: Asset Groups: Domains

remove_domains_from_asset_group

Description

Removes one or more domains from the given AssetGroup's configured scope. Returns the updated AssetGroup.

Response

Returns an AssetGroupOutput!

Arguments
asset_group_uuid - String!
The UUID of the AssetGroup to update.
domains - [StringNotEmpty]!
List of domain names to remove from the AssetGroup's scope. 
mutation RemoveDomainsFromAssetGroup(
  $asset_group_uuid: String!
  $domains: [StringNotEmpty]!
) {
  remove_domains_from_asset_group(
    asset_group_uuid: $asset_group_uuid
    domains: $domains
  ) {
    asset_group {
      uuid
      name
      op_series_uuid
      assets_count
      external_domain_xops_count
      authorized_external_domain_xops_count
    }
  }
}

Examples may not include all available fields for a type.

Setup: Asset Groups: Domains

external_domain_xops_csv_presigned_url

Description

Returns a temporary presigned URL for downloading a CSV export of all ExternalDomainXop records (domains) in the given AssetGroup.op_series_uuid.

The CSV format is documented under ExternalDomainXopCSV.

Response

Returns a String

Arguments
op_series_uuid - String! 
query ExternalDomainXopsCsvPresignedUrl(
  $op_series_uuid: String!
) {
  external_domain_xops_csv_presigned_url(
    op_series_uuid: $op_series_uuid
  )
}

Examples may not include all available fields for a type.

Setup: Asset Groups: Domains

ExternalDomainXop

Description

An ExternalDomainXop represents a unique external domain name tracked across a series of Ops within an AssetGroup. Each ExternalDomainXop is uniquely identified by its xop_id, which is the domain name itself (e.g., example.com).

As new pentests run within the same AssetGroup, the ExternalDomainXop record is updated with data from the most recent Op while retaining historical tracking information such as the first and last time the domain appeared.

Fields
uuid - String!
Unique identifier for this ExternalDomainXop, in the format {op_series_uuid}/{xop_id}.
op_series_uuid - String!
The ID of the OpSeries (and corresponding AssetGroup) that this domain is tracked under.
xop_id - String!
The durable cross-op identity for this asset. Always derived from the data itself rather than an arbitrary UUID. For ExternalDomainXop, the xop_id is the domain name (e.g., example.com).
last_external_domain - ExternalDomain!
The underlying ExternalDomain record from the most recent Op in which this domain name was discovered.
last_external_domains - [ExternalDomain]!
All underlying ExternalDomain records from the most recent Op in which this domain name was discovered. A domain name may resolve to multiple ExternalDomain records within a single Op.
last_op_id - String
The ID of the most recent Op in which this domain name was discovered.
current_op_id - String
The ID of the most recently run Op in the OpSeries.
is_authorized - Boolean
Indicates whether this domain has been authorized for external pentesting by the user. Domains must be authorized before they can be included in an External Attack pentest. Use authorize_domains or deauthorize_domains to change this value.
pentestable_rules - PentestableRules
The PentestableRules evaluation result for this domain. These rules determine whether the user is permitted to authorize this domain for external pentesting. Domains may be blocked if they are determined to belong to third-party providers that do not permit pentesting.
is_dynamic_ip - Boolean
Indicates whether the user has flagged this domain as using dynamic IP addresses. When set to true, the platform accounts for the fact that the domain's resolved IP may change between pentests.
excluded_domain_from_last_pentest - ExcludedDomain
The ExcludedDomain record from the most recent External Attack pentest against this AssetGroup. This field is non-null when the domain was authorized for pentesting but was subsequently excluded from scope during the pentest, typically due to DNS drift or unreachability.
third_party_aliases - [String]
Full list of third-party aliases for this domain. These are subdomains that are NOT covered by a top-level domain (TLD) configured in the AssetGroup. Aliases include CNAME chain entries and DNS reverse-lookup hostnames.
third_party_certificate_subject_cns - [String]
Third-party certificate subject Common Names (CNs). Includes all certificate CNs that are NOT covered by a top-level domain (TLD) configured in the AssetGroup. 
fragment ExternalDomainXopFragment on ExternalDomainXop {
  uuid
  op_series_uuid
  xop_id
  last_op_id
  current_op_id
  is_authorized
  is_dynamic_ip
  third_party_aliases
  third_party_certificate_subject_cns
  pentestable_rules {
    is_allowed
    action_tooltip
    authz_warning
    authz_warning_label
  }
  excluded_domain_from_last_pentest {
    op_id
    domain
    reason
  }
}

Examples may not include all available fields for a type.

Setup: Asset Groups: Domains

ExcludedDomain

Description

Represents an external domain that was authorized for pentesting but was excluded from the pentest at runtime. Domains are typically excluded due to DNS drift (the domain's IP changed), unreachability, or the domain no longer resolving. See ExcludedReason for the possible reasons.

Fields
op_id - String!
The ID of the Op (pentest) during which the domain was excluded.
domain - String!
The domain name that was excluded from the pentest. 
fragment ExcludedDomainFragment on ExcludedDomain {
  op_id
  domain
  reason
}

Examples may not include all available fields for a type.

Setup: Asset Groups: Domains

ExternalDomainXopsPage

Description

Contains a paginated list of ExternalDomainXop records (domains tracked across pentests).

Fields
page_info - PageInfo
Pagination metadata for the current page.
external_domain_xops - [ExternalDomainXop!]!
The list of ExternalDomainXop records for the current page. 
fragment ExternalDomainXopsPageFragment on ExternalDomainXopsPage {
  page_info {
    page_num
    page_size
  }
  external_domain_xops {
    uuid
    op_series_uuid
    xop_id
    last_op_id
    current_op_id
    is_authorized
    is_dynamic_ip
    third_party_aliases
    pentestable_rules {
      is_allowed
    }
  }
}

Examples may not include all available fields for a type.

Setup: Asset Groups: IPs

Manage IP addresses and ranges within asset groups for external pentesting. Query discovered IPs, view their testing history across operations, and add or remove IPs from asset groups to control your external attack surface scope.

host_tab_xops_page

Description

Returns a paginated list of HostTabXop records (IPs) in the given AssetGroup.op_series_uuid. This includes all discovered IPs, whether or not they fall within the configured scope. For only in-scope IPs, use in_scope_host_tab_xops_page. Supports filtering, sorting, and pagination via page_input.

Response

Returns a HostTabXopsPage!

Arguments
op_series_uuid - String!
page_input - PageInput 
query HostTabXopsPage($op_series_uuid: String!, $page_input: PageInput) {
  host_tab_xops_page(op_series_uuid: $op_series_uuid, page_input: $page_input) {
    host_tab_xops {
      ...HostTabXopPageFragment
    }
  }
}

fragment HostTabXopPageFragment on HostTabXop {
  uuid
  op_series_uuid
  xop_id
  ip
  last_op_id
  current_op_id
  is_authorized
  third_party_aliases
  third_party_certificate_subject_cns
  pentestable_rules {
    is_allowed
    action_tooltip
    authz_warning
  }
}

Examples may not include all available fields for a type.

Setup: Asset Groups: IPs

host_tab_xops_count

Description

Returns the total number of HostTabXop records (IPs) in the given AssetGroup.op_series_uuid. This includes all discovered IPs, whether or not they fall within the configured scope. Supports filtering via page_input.

Response

Returns an Int!

Arguments
op_series_uuid - String!
page_input - PageInput 
query HostTabXopsCount($op_series_uuid: String!, $page_input: PageInput) {
  host_tab_xops_count(op_series_uuid: $op_series_uuid, page_input: $page_input)
}

Examples may not include all available fields for a type.

Setup: Asset Groups: IPs

host_tab_xop

Description

Returns the HostTabXop with the given uuid. The UUID is in the format {op_series_uuid}/{ip_address}.

Response

Returns a HostTabXop

Arguments
uuid - String! 
query HostTabXop($uuid: String!) {
  host_tab_xop(uuid: $uuid) {
    ...HostTabXopFragment
  }
}

fragment HostTabXopFragment on HostTabXop {
  uuid
  op_series_uuid
  xop_id
  ip
  last_op_id
  current_op_id
  is_authorized
  third_party_aliases
  third_party_certificate_subject_cns
  pentestable_rules {
    is_allowed
    action_tooltip
    authz_warning
  }
}

Examples may not include all available fields for a type.

Setup: Asset Groups: IPs

in_scope_host_tab_xops_page

Description

Returns a paginated list of HostTabXop records (unique IPs) that fall within the configured scope of the AssetGroup associated with the given op_series_uuid.

An External Asset Discovery may find many domains that resolve to IPs outside the AssetGroup's configured scope. Those out-of-scope IPs are excluded from this result set but are included in host_tab_xops_page.

Response

Returns a HostTabXopsPage!

Arguments
op_series_uuid - String!
page_input - PageInput 
query InScopeHostTabXopsPage($op_series_uuid: String!, $page_input: PageInput) {
  in_scope_host_tab_xops_page(op_series_uuid: $op_series_uuid, page_input: $page_input) {
    host_tab_xops {
      ...InScopeHostTabXopFragment
    }
  }
}

fragment InScopeHostTabXopFragment on HostTabXop {
  uuid
  op_series_uuid
  xop_id
  ip
  last_op_id
  current_op_id
  is_authorized
  third_party_aliases
  third_party_certificate_subject_cns
  excluded_ip_from_last_pentest {
    op_id
    ip
    reason
  }
}

Examples may not include all available fields for a type.

Setup: Asset Groups: IPs

in_scope_host_tab_xops_count

Description

Returns the total number of HostTabXop records (unique IPs) that fall within the configured scope of the AssetGroup associated with the given op_series_uuid.

An External Asset Discovery may find many domains that resolve to IPs outside the AssetGroup's configured scope. Those out-of-scope IPs are excluded from this count but are included in host_tab_xops_count.

Response

Returns an Int!

Arguments
op_series_uuid - String!
page_input - PageInput 
query InScopeHostTabXopsCount($op_series_uuid: String!, $page_input: PageInput) {
  in_scope_host_tab_xops_count(op_series_uuid: $op_series_uuid, page_input: $page_input)
}

Examples may not include all available fields for a type.

Setup: Asset Groups: IPs

in_scope_host_tab_xops_csv_presigned_url

Description

Returns a temporary presigned URL for downloading a CSV export of in-scope HostTabXop records (unique IPs) in the AssetGroup associated with the given op_series_uuid.

The CSV format is documented under HostXopCSV.

Response

Returns a String

Arguments
op_series_uuid - String! 
query InScopeHostTabXopsCsvPresignedUrl($op_series_uuid: String!) {
  in_scope_host_tab_xops_csv_presigned_url(op_series_uuid: $op_series_uuid)
}

Examples may not include all available fields for a type.

Setup: Asset Groups: IPs

HostTabXop

Description

A HostTabXop represents a unique IP address tracked across a series of Ops within an AssetGroup. Each HostTabXop is uniquely identified by its xop_id, which is the IP address itself.

As new pentests run within the same AssetGroup, the HostTabXop record is updated with data from the most recent Op while retaining historical tracking information.

Fields
uuid - String!
Unique identifier for this HostTabXop, in the format {op_series_uuid}/{xop_id}.
op_series_uuid - String!
The ID of the OpSeries (and corresponding AssetGroup) that this IP is tracked under.
xop_id - String!
The durable cross-op identity for this asset. Always derived from the data itself rather than an arbitrary UUID. For HostTabXop, the xop_id is the IP address (e.g., 192.168.1.1).
ip - String!
The IP address of this host. For AssetGroup IPs, this value uniquely identifies the HostTabXop within the OpSeries.
last_op_id - String
The ID of the most recent Op in which this IP address was discovered.
current_op_id - String
The ID of the most recently run Op in the OpSeries.
is_authorized - Boolean
Indicates whether this IP has been authorized for external pentesting by the user. IPs must be authorized before they can be included in an External Attack pentest. Use authorize_ips or deauthorize_ips to change this value.
excluded_ip_from_last_pentest - ExcludedIP
The ExcludedIP record from the most recent External Attack pentest against this AssetGroup. This field is non-null when the IP was authorized for pentesting but was subsequently excluded from scope during the pentest, typically due to drift or unreachability.
pentestable_rules - PentestableRules
The PentestableRules evaluation result for this IP. These rules determine whether the user is permitted to authorize this IP for external pentesting. IPs may be blocked if they are determined to belong to third-party providers that do not permit pentesting.
third_party_aliases - [String]
Full list of third-party aliases for domains associated with this IP. These are subdomains that are NOT covered by a top-level domain (TLD) configured in the AssetGroup. Aliases include CNAME chain entries and DNS reverse-lookup hostnames.
third_party_certificate_subject_cns - [String]
Third-party certificate subject Common Names (CNs). Includes all certificate CNs that are NOT covered by a top-level domain (TLD) configured in the AssetGroup. 
fragment HostTabXopFragment on HostTabXop {
  uuid
  op_series_uuid
  xop_id
  ip
  last_op_id
  current_op_id
  is_authorized
  third_party_aliases
  third_party_certificate_subject_cns
  excluded_ip_from_last_pentest {
    op_id
    ip
    reason
  }
  pentestable_rules {
    is_allowed
    action_tooltip
    authz_warning
    authz_warning_label
  }
}

Examples may not include all available fields for a type.

Setup: Asset Groups: IPs

ExcludedIP

Description

Represents an IP address that was authorized for pentesting but was excluded from the pentest at runtime. IPs are typically excluded due to drift (the IP is no longer associated with the domain) or unreachability. See ExcludedReason for the possible reasons.

Fields
op_id - String!
The ID of the Op (pentest) during which the IP was excluded.
ip - String!
The IP address that was excluded from the pentest. 
fragment ExcludedIPFragment on ExcludedIP {
  op_id
  ip
  reason
}

Examples may not include all available fields for a type.

Setup: Asset Groups: IPs

HostTabXopsPage

Description

Contains a paginated list of HostTabXop records (IP addresses tracked across pentests).

Fields
page_info - PageInfo
Pagination metadata for the current page.
host_tab_xops - [HostTabXop!]!
The list of HostTabXop records for the current page. 
fragment HostTabXopsPageFragment on HostTabXopsPage {
  page_info {
    page_num
    page_size
  }
  host_tab_xops {
    uuid
    op_series_uuid
    xop_id
    ip
    last_op_id
    current_op_id
    is_authorized
    third_party_aliases
    pentestable_rules {
      is_allowed
      action_tooltip
    }
  }
}

Examples may not include all available fields for a type.

Setup: Asset Groups: Authorization

Authorize or deauthorize domains and IP addresses for external pentesting.

authorize_domains

Description

Authorizes the specified ExternalDomainXop domains for External Attack pentesting. Each domain is evaluated against PentestableRules; domains that pass the rules are authorized, while domains owned by providers that do not permit pentesting are returned in the blocked_pentestable_entities list.

Response

Returns a PentestableEntitiesOutput!

Arguments
external_domain_xop_uuids - [String!]!
List of ExternalDomainXop UUIDs to authorize. 
mutation AuthorizeDomains($external_domain_xop_uuids: [String!]!) {
  authorize_domains(external_domain_xop_uuids: $external_domain_xop_uuids) {
    pentestable_entities {
      uuid
      entity_type
      is_authorized
    }
    blocked_pentestable_entities {
      pentestable_entity {
        uuid
        entity_type
        is_authorized
      }
      pentestable_rules {
        is_allowed
        action_tooltip
        authz_warning
      }
    }
  }
}

Examples may not include all available fields for a type.

Setup: Asset Groups: Authorization

deauthorize_domains

Description

Deauthorizes the specified ExternalDomainXop domains, removing them from the scope of future External Attack pentests. Deauthorization requests are always allowed (they are not subject to PentestableRules blocking).

Response

Returns a PentestableEntitiesOutput!

Arguments
external_domain_xop_uuids - [String!]!
List of ExternalDomainXop UUIDs to deauthorize. 
mutation DeauthorizeDomains($external_domain_xop_uuids: [String!]!) {
  deauthorize_domains(external_domain_xop_uuids: $external_domain_xop_uuids) {
    pentestable_entities {
      uuid
      entity_type
      is_authorized
    }
    blocked_pentestable_entities {
      pentestable_entity {
        uuid
        entity_type
        is_authorized
      }
      pentestable_rules {
        is_allowed
        action_tooltip
      }
    }
  }
}

Examples may not include all available fields for a type.

Setup: Asset Groups: Authorization

bulk_authorize_domains

Description

Bulk authorizes all eligible ExternalDomainXop domains in the given OpSeries for External Attack pentesting. Only domains whose PentestableRules evaluate to is_allowed = true will be authorized. Optionally filter to only domains within the configured scope or matching specific criteria.

Response

Returns a PentestableEntitiesBulkOutput!

Arguments
op_series_uuid - String!
The UUID of the OpSeries (and corresponding AssetGroup).
configured_domains_only - Boolean
When true, only domains configured in the AssetGroup's scope will be authorized. Defaults to false.
page_input - PageInput
Optional filters to narrow which domains are authorized. Only domains matching the filters will be authorized. 
mutation BulkAuthorizeDomains(
  $op_series_uuid: String!,
  $configured_domains_only: Boolean,
  $page_input: PageInput
) {
  bulk_authorize_domains(
    op_series_uuid: $op_series_uuid,
    configured_domains_only: $configured_domains_only,
    page_input: $page_input
  ) {
    pentestable_entities_count
  }
}

Examples may not include all available fields for a type.

Setup: Asset Groups: Authorization

bulk_deauthorize_domains

Description

Bulk deauthorizes all ExternalDomainXop domains in the given OpSeries, removing them from the scope of future External Attack pentests. Optionally use page_input filters to narrow which domains are deauthorized.

Response

Returns a PentestableEntitiesBulkOutput!

Arguments
op_series_uuid - String!
The UUID of the OpSeries (and corresponding AssetGroup).
page_input - PageInput
Optional filters to narrow which domains are deauthorized. Only domains matching the filters will be deauthorized. 
mutation BulkDeauthorizeDomains(
  $op_series_uuid: String!,
  $page_input: PageInput
) {
  bulk_deauthorize_domains(
    op_series_uuid: $op_series_uuid,
    page_input: $page_input
  ) {
    pentestable_entities_count
  }
}

Examples may not include all available fields for a type.

Setup: Asset Groups: Authorization

authorize_ips

Description

Authorizes the specified HostTabXop IPs for External Attack pentesting. Each IP is evaluated against PentestableRules; IPs that pass the rules are authorized, while IPs owned by providers that do not permit pentesting are returned in the blocked_pentestable_entities list.

Response

Returns a PentestableEntitiesOutput!

Arguments
host_tab_xop_uuids - [String!]!
List of HostTabXop UUIDs to authorize. 
mutation AuthorizeIps($host_tab_xop_uuids: [String!]!) {
  authorize_ips(host_tab_xop_uuids: $host_tab_xop_uuids) {
    pentestable_entities {
      uuid
      entity_type
      is_authorized
    }
    blocked_pentestable_entities {
      pentestable_entity {
        uuid
        entity_type
        is_authorized
      }
      pentestable_rules {
        is_allowed
        action_tooltip
        authz_warning
      }
    }
  }
}

Examples may not include all available fields for a type.

Setup: Asset Groups: Authorization

deauthorize_ips

Description

Deauthorizes the specified HostTabXop IPs, removing them from the scope of future External Attack pentests. Deauthorization requests are always allowed (they are not subject to PentestableRules blocking).

Response

Returns a PentestableEntitiesOutput!

Arguments
host_tab_xop_uuids - [String!]!
List of HostTabXop UUIDs to deauthorize. 
mutation DeauthorizeIps($host_tab_xop_uuids: [String!]!) {
  deauthorize_ips(host_tab_xop_uuids: $host_tab_xop_uuids) {
    pentestable_entities {
      uuid
      entity_type
      is_authorized
    }
    blocked_pentestable_entities {
      pentestable_entity {
        uuid
        entity_type
        is_authorized
      }
      pentestable_rules {
        is_allowed
        action_tooltip
      }
    }
  }
}

Examples may not include all available fields for a type.

Setup: Asset Groups: Authorization

bulk_authorize_ips

Description

Bulk authorizes all eligible in-scope HostTabXop IPs in the given OpSeries for External Attack pentesting. Only IPs whose PentestableRules evaluate to is_allowed = true and that are within the configured scope will be authorized. Optionally use page_input filters to narrow which IPs are authorized.

Response

Returns a PentestableEntitiesBulkOutput!

Arguments
op_series_uuid - String!
The UUID of the OpSeries (and corresponding AssetGroup).
page_input - PageInput
Optional filters to narrow which IPs are authorized. Only IPs matching the filters will be authorized. 
mutation BulkAuthorizeIps(
  $op_series_uuid: String!,
  $page_input: PageInput
) {
  bulk_authorize_ips(
    op_series_uuid: $op_series_uuid,
    page_input: $page_input
  ) {
    pentestable_entities_count
  }
}

Examples may not include all available fields for a type.

Setup: Asset Groups: Authorization

bulk_deauthorize_ips

Description

Bulk deauthorizes all HostTabXop IPs in the given OpSeries, removing them from the scope of future External Attack pentests. Optionally use page_input filters to narrow which IPs are deauthorized.

Response

Returns a PentestableEntitiesBulkOutput!

Arguments
op_series_uuid - String!
The UUID of the OpSeries (and corresponding AssetGroup).
page_input - PageInput
Optional filters to narrow which IPs are deauthorized. Only IPs matching the filters will be deauthorized. 
mutation BulkDeauthorizeIps(
  $op_series_uuid: String!,
  $page_input: PageInput
) {
  bulk_deauthorize_ips(
    op_series_uuid: $op_series_uuid,
    page_input: $page_input
  ) {
    pentestable_entities_count
  }
}

Examples may not include all available fields for a type.

Setup: Asset Groups: Authorization

PentestableEntity

Description

A PentestableEntity links a domain (ExternalDomainXop) or IP (HostTabXop) to its current authorization status for external pentesting.

Fields
uuid - String!
The UUID of the domain or IP asset.
is_authorized - Boolean!
Whether this asset is currently authorized for external pentesting. 
fragment PentestableEntityFragment on PentestableEntity {
  uuid
  entity_type
  is_authorized
}

Examples may not include all available fields for a type.

Setup: Asset Groups: Authorization

PentestableRules

Description

The result of evaluating authorization rules for an ExternalDomainXop or HostTabXop. These rules determine whether a domain or IP asset is permitted to be authorized for External Attack pentesting. The evaluation considers factors such as third-party ownership and provider policies regarding pentesting.

Fields
action_tooltip - String
Tooltip text explaining why an asset was blocked from authorization. When an asset is blocked, this field provides a human-readable explanation of the reason.
authz_warning - String
Warning text displayed when the user attempts to authorize this asset. Advises the user about additional vetting of asset ownership that may be required before authorization.
authz_warning_label - String
Short label for the authz_warning message (e.g., the category of warning).
is_allowed - Boolean!
The final result of the authorization rules evaluation. When true, the asset is permitted to be authorized for external pentesting. When false, the asset is blocked. 
fragment PentestableRulesFragment on PentestableRules {
  is_allowed
  action_tooltip
  authz_warning
  authz_warning_label
}

Examples may not include all available fields for a type.

Setup: Asset Groups: Authorization

BlockedPentestableEntity

Description

A BlockedPentestableEntity pairs a domain or IP asset (PentestableEntity) with the PentestableRules that caused it to be blocked from authorization. Assets are blocked when the rules determine they are owned by providers that do not permit pentesting.

Fields
pentestable_entity - PentestableEntity
The domain or IP asset that was blocked from authorization.
pentestable_rules - PentestableRules
The PentestableRules evaluation that determined why this asset was blocked from external pentesting. 
fragment BlockedPentestableEntityFragment on BlockedPentestableEntity {
  pentestable_entity {
    uuid
    entity_type
    is_authorized
  }
  pentestable_rules {
    is_allowed
    action_tooltip
    authz_warning
    authz_warning_label
  }
}

Examples may not include all available fields for a type.

Setup: Asset Groups: Authorization

PentestableEntitiesBulkOutput

Description

Output type for bulk authorization mutations such as bulk_authorize_domains, bulk_deauthorize_domains, bulk_authorize_ips, and bulk_deauthorize_ips.

Fields
pentestable_entities_count - Int!
The number of domain or IP assets that were updated by this bulk request. 
fragment PentestableEntitiesBulkOutputFragment on PentestableEntitiesBulkOutput {
  pentestable_entities_count
}

Examples may not include all available fields for a type.

Setup: Asset Groups: Authorization

PentestableEntitiesOutput

Description

Output type for mutations that authorize or deauthorize individual domain and IP assets for external pentesting, such as authorize_domains, deauthorize_domains, authorize_ips, and deauthorize_ips.

Fields
pentestable_entities - [PentestableEntity]
List of domain and IP assets, along with their updated authorization status, that were successfully modified by this request.
blocked_pentestable_entities - [BlockedPentestableEntity]
List of domain and IP assets that were blocked from authorization. Assets are blocked when the PentestableRules determine they are owned by providers that do not permit pentesting. See BlockedPentestableEntity.pentestable_rules for details on why each asset was blocked. 
fragment PentestableEntitiesOutputFragment on PentestableEntitiesOutput {
  pentestable_entities {
    uuid
    entity_type
    is_authorized
  }
  blocked_pentestable_entities {
    pentestable_entity {
      uuid
      entity_type
      is_authorized
    }
    pentestable_rules {
      is_allowed
      action_tooltip
      authz_warning
      authz_warning_label
    }
  }
}

Examples may not include all available fields for a type.

Pentesting

Access comprehensive pentest results and operational data. Query pentests and their findings including attack paths (impacts), weaknesses (vulnerabilities), compromised credentials, discovered hosts and services, proof artifacts, EDR detections, and detailed action logs. This is the core section for retrieving and analyzing the results of your autonomous pentests.

Pentesting: Ops

Manage operations (ops) which represent cybersecurity activities conducted by NodeZero. Query ops, create new pentests and other operation types, control execution (pause, resume, cancel), and track operational status and configuration.

ops_page

Description

Returns a paginated list of ops for the current client account.

Includes all op types and archived ops. Use page_input to paginate, sort, and filter results.

Response

Returns an OpsPage!

Arguments
page_input - PageInput 
query OpsPage($page_input: PageInput) {
  ops_page(page_input: $page_input) {
    ops {
      ...OpFragment
    }
  }
}

fragment OpFragment on Op {
  op_id
  op_type
  op_name
  op_state
  portal_op_state
  op_param_max_scope
  scheduled_at
  created_at
  launched_at
  completed_at
  duration_hms
  hosts_count
  weaknesses_count
  runner_uuid
  runner_name
  portal_url
}

Examples may not include all available fields for a type.

Pentesting: Ops

ops_count

Description

Returns the total number of ops for the current client account.

Includes all op types, including non-pentest types such as ExternalAssetDiscovery. Includes archived ops.

Use page_input filters to narrow results (e.g. by op_type or date range).

Response

Returns an Int!

Arguments
client_account_uuid - String
Optional subclient UUID, for MSSP accounts that manage multiple subclients. Defaults to the current client account.
page_input - PageInput 
query OpsCount($client_account_uuid: String) {
  ops_count(client_account_uuid: $client_account_uuid)
}

Examples may not include all available fields for a type.

Pentesting: Ops

op

Description

Returns a single Op by its op_id.

The returned Op includes summary counts, timestamps, configuration, and links to related entities such as weaknesses, attack paths, and assets.

Response

Returns an Op

Arguments
op_id - String!
The unique identifier of the op to retrieve. 
query Op($op_id: String!) {
  op(op_id: $op_id) {
    ...OpFragment
  }
}

fragment OpFragment on Op {
  op_id
  op_type
  op_name
  op_state
  portal_op_state
  op_param_max_scope
  scheduled_at
  created_at
  launched_at
  completed_at
  duration_hms
  hosts_count
  weaknesses_count
  runner_uuid
  runner_name
  portal_url
}

Examples may not include all available fields for a type.

Pentesting: Ops

create_op

Description

Creates a new Op for immediate execution. An op is an autonomous cybersecurity assessment conducted by NodeZero.

See ScheduleOpFormInput for the full set of configuration options available when creating an op, and OpType for the list of supported operation types (e.g. internal pentest, external pentest, AD password audit) and their configuration requirements.

You can optionally base the op on an OpTemplate by passing op_template_uuid. Op templates store reusable configurations, making it easy to run similar ops repeatedly. See Mutation.create_op_template for creating op templates.

To run ops on an automated recurring schedule (e.g. weekly or monthly), see Schedule and Mutation.create_scheduled_action.

Response

Returns a CreateOpOutput!

Arguments
op_template_uuid - String

The OpTemplate UUID to use as the base configuration for this op.

If not specified, the default op template for the op type in schedule_op_form.op_type is used. If schedule_op_form.op_type is also not defined, the default op type is NodeZero (internal pentest).

schedule_op_form - ScheduleOpFormInput
Optional configuration overrides. Any parameters defined here will override the corresponding parameters in the OpTemplate's schedule_op_form. See ScheduleOpFormInput for available options. 
mutation CreateOp($schedule_op_form: ScheduleOpFormInput) {
  create_op(schedule_op_form: $schedule_op_form) {
    op {
      ...OpFragment
    }
  }
}

fragment OpFragment on Op {
  op_id
  op_type
  op_name
  op_state
  portal_op_state
  op_param_max_scope
  scheduled_at
  nodezero_script_url
  nodezero_ip
  runner_uuid
  runner_name
}

Examples may not include all available fields for a type.

Pentesting: Ops

pause_op

Description

Pauses a running Op.

The op must be in a pausable state (e.g. running). Returns an error if the op is already paused or in a non-pausable state.

Use Mutation.resume_op to resume a paused op.

Response

Returns an OpTab!

Arguments
op_id - String!
The unique identifier of the op to pause. 
mutation PauseOp($op_id: String!) {
  pause_op(op_id: $op_id) {
    op_id
    op_name
    op_state
    portal_op_state
  }
}

Examples may not include all available fields for a type.

Pentesting: Ops

resume_op

Description

Resumes a paused Op.

The op must be in a resumable state (e.g. paused, user_paused, start_paused). Returns an error if the op is already running or in a non-resumable state.

Use Mutation.pause_op to pause a running op.

Response

Returns an OpTab!

Arguments
op_id - String!
The unique identifier of the op to resume. 
mutation ResumeOp($op_id: String!) {
  resume_op(op_id: $op_id) {
    op_id
    op_name
    op_state
    portal_op_state
  }
}

Examples may not include all available fields for a type.

Pentesting: Ops

cancel_op

Description

Cancels an Op, ending it early.

The op must be in a cancelable state (e.g. running, paused, ready). Returns an error if the op is already in a terminal state such as done or canceled.

Partial results from the op may still be available in Portal after cancellation.

Response

Returns an OpTab!

Arguments
op_id - String!
The unique identifier of the op to cancel. 
mutation CancelOp($op_id: String!) {
  cancel_op(op_id: $op_id) {
    op_id
    op_name
    op_state
    portal_op_state
  }
}

Examples may not include all available fields for a type.

Pentesting: Ops

update_op

Description

Updates an existing Op. Supports renaming, archiving, and deleting ops.

See UpdateOpInput for the set of fields that can be updated.

Response

Returns an UpdateOpOutput

Arguments
op_id - String!
The unique identifier of the op to update.
update_op_input - UpdateOpInput!
The fields to update. See UpdateOpInput. 
mutation UpdateOp($op_id: String!, $update_op_input: UpdateOpInput!) {
  update_op(op_id: $op_id, update_op_input: $update_op_input) {
    op {
      ...OpFragment
    }
  }
}

fragment OpFragment on Op {
  op_id
  op_type
  op_name
  op_state
  portal_op_state
  op_param_max_scope
  scheduled_at
  created_at
  launched_at
  completed_at
  duration_hms
  hosts_count
  weaknesses_count
  runner_uuid
  runner_name
  portal_url
}

Examples may not include all available fields for a type.

Pentesting: Ops

rerun_op

Description

Creates a new Op using the same configuration as a previously run op.

This is a convenient way to re-run an op with the same (or similar) settings. You can optionally override specific configuration parameters via schedule_op_form.

The new op is created for immediate execution.

Response

Returns a ScheduleOpOutput!

Arguments
op_id - String!
The op_id of the previously run op whose configuration will be used as the base.
op_name - String
Optionally override the name of the new op.
schedule_op_form - ScheduleOpFormInput
Optional parameters that, if set, override the corresponding parameters from the base op's configuration. See ScheduleOpFormInput.
agent_name - String
Optionally override the h3-cli agent in the base configuration.
runner_uuid - String
Optionally specify a NodeZero Runner to launch this op, overriding the base configuration. 
mutation RerunOp($op_id: String!, $op_name: String, $runner_uuid: String) {
  rerun_op(op_id: $op_id, op_name: $op_name, runner_uuid: $runner_uuid) {
    op {
      ...OpFragment
    }
  }
}

fragment OpFragment on Op {
  op_id
  op_type
  op_name
  op_state
  portal_op_state
  op_param_max_scope
  scheduled_at
  created_at
  nodezero_script_url
  runner_uuid
  runner_name
  portal_url
}

Examples may not include all available fields for a type.

Pentesting: Ops

sample_ops_page

Description

Get a list of ops for the Horizon3 sample client account. Includes all op types. Includes archived ops.

Response

Returns an OpsPage!

Arguments
page_input - PageInput 
query SampleOpsPage($page_input: PageInput) {
  sample_ops_page(page_input: $page_input) {
    ops {
      ...OpFragment
    }
  }
}

fragment OpFragment on Op {
  op_id
  op_type
  op_name
  op_state
  portal_op_state
  op_param_max_scope
  scheduled_at
  created_at
  launched_at
  completed_at
  duration_hms
  hosts_count
  weaknesses_count
  runner_uuid
  runner_name
  portal_url
}

Examples may not include all available fields for a type.

Pentesting: Ops

sample_op

Description

Get pentest data for a Horizon3 sample client account Op.

Response

Returns an Op

Arguments
op_id - String!
ID of pentest. 
query SampleOp($op_id: String!) {
  sample_op(op_id: $op_id) {
    ...OpFragment
  }
}

fragment OpFragment on Op {
  op_id
  op_type
  op_name
  op_state
  portal_op_state
  op_param_max_scope
  scheduled_at
  created_at
  launched_at
  completed_at
  duration_hms
  hosts_count
  weaknesses_count
  runner_uuid
  runner_name
  portal_url
}

Examples may not include all available fields for a type.

Pentesting: Ops

Op

Description

An Op represents an autonomous cybersecurity operation conducted by NodeZero.

The most common type of Op is an internal Pentest, but NodeZero supports several other operation types including external pentesting, asset discovery, Active Directory password audits, and more.

See OpType for the full list of supported operation types and their configuration requirements.

Use Query.ops_page to list ops, Query.op to retrieve a single op, and Mutation.create_op to create a new op.

Fields
op_id - String
Unique identifier for the op.
op_type - OpType
The type of operation. See OpType for descriptions of the supported operation types.
op_state - String!

The current state of the op. Possible values include:

  • scheduled - The op has been created and is queued to start.
  • provisioning - Resources are being provisioned.
  • ready - NodeZero is ready to launch.
  • running - The op is actively scanning the environment.
  • complete - The scan has finished; results are being processed.
  • post-processing - Op results are undergoing post-processing.
  • done - The op is complete and results are available.
  • cancelling - The op is in the process of being canceled.
  • canceled - The op was canceled by a user.
  • paused - The op is paused.
  • error - The op encountered an error.

See PortalOpState for an alternative representation of op state used by the Portal UI.

portal_op_state - PortalOpState!
The current state of the op, as displayed in the Portal UI. See PortalOpState for the list of possible states.
op_name - String!
Name of the op. The name is used for display purposes in Portal and in generated reports.
op_param_min_scope - [String]

The minimum scope for this op, as a list of IPs and CIDR ranges.

When set, the Auto-Expand Scope feature is enabled. NodeZero will scan these specific hosts plus any additional hosts it discovers organically during the op.

See ScheduleOpForm.op_param_min_scope for full details on how minimum and maximum scope interact.

op_param_max_scope - [String]

The maximum scope for this op, as a list of IPs and CIDR ranges.

When set, NodeZero will only scan hosts and subnets that fall within this scope. The Auto-Expand Scope feature is disabled.

See ScheduleOpForm.op_param_max_scope for full details on how minimum and maximum scope interact.

op_param_blacklist - String
IPs and CIDR ranges excluded from the op, as a comma-separated list.
scheduled_timestamp - Float!
Timestamp when the op was created, in epoch seconds.
scheduled_timestamp_iso - String!
Timestamp when the op was created, in ISO format (UTC). use scheduled_at instead
scheduled_at - Datetime!
Timestamp when the op was created. Alias of created_at.
scheduled_at_date - Date!
Date when the op was created (date only, no time component).
created_at - Datetime!
Timestamp when the op was created.
completed_timestamp_iso - String
Timestamp when the op completed its scan, in ISO format (UTC). use completed_at instead
completed_at - Datetime
Timestamp when the op completed its scan. This does not include post-processing time. Use Op.etl_completed_at to get the timestamp that includes post-processing.
canceled_at - Datetime
Timestamp when the op was canceled. Null if the op was not canceled.
launched_timestamp_iso - String
Timestamp when the op launched, in ISO format (UTC). use launched_at instead
launched_at - Datetime
Timestamp when the op launched. This is when NodeZero begins actively scanning the target environment.
etl_completed_at - Datetime
Timestamp when the op completed post-processing. This is when the full op results become available in Portal.
duration_s - Int
Op duration in seconds, calculated as the difference between launched_at and completed_at.
services_count - Int!
Number of network services discovered during the op.
credentials_count - Int!
Total number of credentials found, including both discovered and confirmed credentials.
confirmed_credentials_count - Int
Number of credentials that were confirmed (proven) during the op.
hosts_count - Int
Number of in-scope hosts (IPs) scanned during the op.
out_of_scope_hosts_count - Int
Number of out-of-scope hosts (IPs) discovered during the op.
external_domains_count - Int
Number of external domains discovered during the op.
users_count - Int
Number of users discovered during the op.
websites_count - Int
Number of websites discovered during the op.
data_stores_count - Int
Number of data stores discovered during the op (e.g. file shares, databases, S3 buckets, Git repos). Excludes websites.
data_resources_count - Long
Total count of data resources (files, database records, etc.) found across all discovered data stores.
weaknesses_count - Int
Number of individual weakness instances found during the op. A single weakness type (e.g. weak password) may have multiple instances across different assets.
weaknesses_page - WeaknessesPage!
Paginated list of individual weakness instances found during this op. See WeaknessesPage.
Arguments
page_input - PageInput
proven_weaknesses_count - Int
Number of weakness instances that were confirmed with proof. Proven weaknesses are those NodeZero was able to successfully exploit.
in_scope_hosts_count - Int
Number of in-scope hosts discovered during the op. Alias of hosts_count.
feature_flags - [FeatureFlag]
Advanced configuration settings for this op. See FeatureFlag for details.
nodezero_script_url - String
URL of the script that downloads and launches NodeZero on a Docker Host.
nodezero_ip - String
IP address assigned to NodeZero for this op.
duration_hms - String
Op duration in HH:MM:SS format, calculated as the difference between launched_at and completed_at.
duration_humanize - String
Op duration in human-readable format, calculated as the difference between launched_at and completed_at.
op_template_uuid - String
ID of the OpTemplate used to configure this op.
op_template_name - String
Name of the OpTemplate used to configure this op.
impact_paths_count - Int
Number of attack paths discovered during the op. An attack path is a sequence of steps NodeZero took to reach a business impact. Alias of attack_paths_count.
attack_paths_count - Int
Number of attack paths discovered during the op. An attack path is a sequence of steps NodeZero took to reach a business impact. Alias of impact_paths_count.
attack_paths_page - AttackPathsPage!
Paginated list of attack paths discovered during this op. See AttackPathsPage.
Arguments
page_input - PageInput
phished_impact_paths_count - Int!
Number of attack paths that originated from phished credentials. Alias of phished_attack_paths_count.
phished_attack_paths_count - Int!
Number of attack paths that originated from phished credentials. Alias of phished_impact_paths_count.
runner_uuid - String
ID of the NodeZero Runner assigned to launch this op.
runner_name - String
Name of the NodeZero Runner assigned to launch this op.
schedule_uuid - String
ID of the Schedule associated with this op, if the op was created by an automated schedule.
schedule_name - String
Name of the Schedule associated with this op, if the op was created by an automated schedule.
schedule - Schedule
The Schedule associated with this op, if the op was created by an automated schedule.
schedule_op_form - ScheduleOpForm!
The full configuration that was used to run this op. See ScheduleOpForm for details.
asset_group_uuid - String
The ID of the AssetGroup associated with this op. Set for ExternalAssetDiscovery and ExternalAttack op types.
asset_group - AssetGroup
The AssetGroup associated with this op. Set for ExternalAssetDiscovery and ExternalAttack op types.
portal_url - String
The Portal URL for viewing this op's results. 
fragment OpFragment on Op {
  op_id
  op_type
  op_name
  op_state
  portal_op_state
  op_param_max_scope
  op_param_blacklist
  scheduled_at
  created_at
  launched_at
  completed_at
  etl_completed_at
  canceled_at
  duration_s
  duration_hms
  duration_humanize
  hosts_count
  services_count
  credentials_count
  users_count
  weaknesses_count
  attack_paths_count
  nodezero_script_url
  nodezero_ip
  runner_uuid
  runner_name
  schedule_uuid
  schedule_name
  portal_url
}

Examples may not include all available fields for a type.

Pentesting: Ops

OpType

Description

The type of operation to run. You must specify an op type when creating an Op or an OpTemplate.

Each op type has different configuration requirements. See the individual enum values below for details on each type and how to configure it via ScheduleOpFormInput.

For more information about op types, visit the Tests & Assessments section of the Horizon3.ai documentation.

Values
NodeZero

An Internal Pentest op, a simulated attack on your organization's internal network designed to identify vulnerabilities, misconfigurations, and exploitable attack paths.

NodeZero autonomously enumerates devices in scope, then chains together context, exploitable vulnerabilities, misconfigurations, and captured data to identify attack paths ranked by impact, with proof of exploitability.

Minimum configuration to get started:

  1. A network scope to pentest, specified in CIDR notation via op_param_min_scope or op_param_max_scope
  2. A Docker Host within your network, on which to launch NodeZero

Scope options include:

  • Intelligent Scope: NodeZero automatically expands from the Docker Host's subnet to discover nearby assets. Useful for scenario-based testing.
  • Full private IP space (RFC 1918): Covers 10.0.0.0/8, 172.16.0.0/12, and 192.168.0.0/16 for comprehensive coverage.
  • Custom IPs or subnets: Specify exact CIDR ranges. Can be combined with auto-expand scope (op_param_min_scope) to let NodeZero discover additional assets beyond the initial scope.

Additional configuration options include attack configurations, credential injection, AWS account integration, OSINT terms, and tripwire deployment.

ExternalAssetDiscovery

An External Asset Discovery op, for discovering public-facing domains and IPs in an AssetGroup.

This op is usually run in advance of an ExternalAttack pentest. It performs initial discovery of your external attack surface, identifying domains, subdomains, and IP addresses associated with your organization. You may then select one or more of the discovered domains and IPs to authorize for external pentesting.

To run an ExternalAssetDiscovery op for an AssetGroup, use Mutation.create_op and pass the AssetGroup.uuid via schedule_op_form.asset_group_uuid. Alternatively, you can pass the AssetGroup.op_template_uuid via the op_template_uuid parameter.

This is an external operation and therefore NodeZero is launched from the H3 cloud. It does not require a Docker Host within your network.

ExternalAttack

An External Pentest op, for pentesting public-facing domains and IPs in an AssetGroup.

In many cases users will run an ExternalAssetDiscovery op first, to discover their external attack surface, then authorize NodeZero to pentest one or more of the discovered domains and IPs. This workflow involves several steps:

  1. create an AssetGroup
  2. run an ExternalAssetDiscovery op, to discover public domains and IPs
  3. authorize discovered domains and IPs for external pentesting
  4. run an ExternalAttack op against the authorized assets

However, this workflow is no longer strictly required. As of April 2025, you may now configure and run an external pentest directly, without first running an ExternalAssetDiscovery op. NodeZero will auto-discover your attack surface during the pentest, and it will auto-authorize and pentest any discovered domain that doesn't have a CNAME record from a third-party service.

After the external pentest completes, all discovered domains and IPs are included in the results in Portal. You may then authorize additional domains and IPs for further pentesting.

To run an ExternalAttack op for an AssetGroup use Mutation.create_op and pass the AssetGroup.uuid via schedule_op_form.asset_group_uuid.

Alternatively you can create an OpTemplate for the ExternalAttack op and set the AssetGroup.uuid in OpTemplate.schedule_op_form.asset_group_uuid.

This is an external operation and therefore NodeZero is launched from the H3 cloud. It does not require a Docker Host within your network.

NetworkEnumeration

A Network Enumeration op (also known as a Segmentation Test), for scanning and enumerating assets on an internal network.

NodeZero discovers IPs, ports, services, and applications within the target scope, but does not perform any attacks or exploitation. This is a discovery-only operation.

Common use cases include:

  • Initial reconnaissance: Understand what exists on a network before running exploit-based tests.
  • Asset inventorying: Get a snapshot of hosts, services, and applications on the network.
  • Segmentation validation: Verify which assets are reachable from a given network segment.

Scope is configured via op_param_min_scope or op_param_max_scope using IPs or subnets in CIDR notation. The full private IP space (RFC 1918) can also be used for comprehensive coverage.

This is an internal operation and therefore requires that you launch NodeZero on a Docker Host within your network.

ADPasswordAudit

An Active Directory Password Audit op, for auditing the strength and security of user passwords in your Active Directory environment.

This is a gray-box style audit. NodeZero uses a privileged credential with DCSync permissions to extract NTLM password hashes from Active Directory domain controllers, then attempts to crack those hashes using multiple methods:

  • Common weak passwords
  • Passwords that resemble usernames
  • Company-specific terms (company names, domain names)
  • Dark web breach data associated with your organization
  • Known breached password databases
  • Custom weak password terms you provide via OSINT configuration

NodeZero also analyzes the population of passwords for password reuse -- cases where two or more users share the exact same or similar passwords.

The minimum required credential is a domain user account with DCSync privileges (Replicating Directory Changes, Replicating Directory Changes All, and Replicating Directory Changes in Filtered Set). A domain admin account may also be used.

Configure the domain controller IP address and the privileged credential via ScheduleOpFormInput.

This is an internal operation and therefore requires that you launch NodeZero on a Docker Host within your network.

Phishing

A Phishing Impact Test op, for measuring the real-world impact of successful phishing attacks within your organization.

This op works in conjunction with your organization's phishing simulation tools (e.g. KnowBe4, ProofPoint). NodeZero generates a JavaScript payload to embed in your phishing campaign's landing page. When a user is phished, their credentials are automatically captured and injected into NodeZero, which uses them to perform an authenticated internal pentest.

The results convey the business risk of a successful phishing attack by showing what an attacker could accomplish with the phished credentials, including lateral movement and privilege escalation.

Key configuration considerations:

  • A minimum campaign runtime must be configured to match the duration of your phishing campaign. Campaigns of up to 28 days are supported.
  • Up to 100 phished credentials can be captured per test.
  • Scope should include networks where phishing targets have access, as well as networks they should not have access to, in order to validate security controls.

This is an internal operation and therefore requires that you launch NodeZero on a Docker Host within your network.

AWSPentest

An AWS Pentest op, a gray-box style assessment of your AWS cloud account security.

NodeZero uses a read-only IAM role to gain a comprehensive view of your AWS account and identify exploitable vulnerabilities and misconfigurations in IAM policies, security configurations, and cloud resources.

To run an AWS Pentest, you must first configure one or more AWSConnection objects, one for each AWS account you want to assess. Cloud connections are long-lived and reusable across multiple pentests. The connections are specified via schedule_op_form.aws_connection_uuids.

Two IAM policy options are available when creating a connection:

  • SecurityAudit: Grants access to read security configuration metadata only, allowing NodeZero to analyze IAM and security configurations.
  • ReadOnlyAccess: Provides read-only access to all AWS services, allowing NodeZero to also analyze sensitive information stored in resources such as S3 buckets and Lambda functions.

This is an external operation and therefore NodeZero is launched from the H3 cloud. It does not require a Docker Host within your network.

K8sPentest

A Kubernetes Pentest op, for pentesting the security of your Kubernetes clusters.

NodeZero runs from inside your cluster to simulate the scenario where an attacker has gained a foothold -- for example, through a compromised kubeconfig file or a vulnerable application running in a pod. All Kubernetes resources (nodes, pods, services) are treated as in-scope.

Prerequisites:

  • The NodeZero Operator must be installed in the target cluster. Supported on Kubernetes cluster versions 1.24.0 and above.
  • NodeZero is launched from within the cluster using a NodeZero Runner for Kubernetes. See Mutation.install_agent for how to install a Runner.

Scope configuration options to consider include:

  • k8s_deployment (should be set to true)
  • k8s_namespace: the namespace for NodeZero to run in
  • k8s_service_account_name: specify a service account to simulate a compromised pod scenario
  • k8s_node: target a specific node

Including the CIDR ranges of your cluster and the surrounding internal network or VPC is recommended, to test whether NodeZero can reach outside the cluster to other hosts.

AzurePentest

An Azure Entra ID Pentest op, for assessing the security of your Azure Active Directory / Entra ID environment.

This is a gray-box style pentest that evaluates the security posture of your hybrid Azure AD environment by identifying misconfigurations and exploitable weaknesses. NodeZero requires a privileged AD credential with DCSync permissions and an Azure Entra ID user credential to enumerate the environment and identify attack paths.

This is an internal operation and therefore requires that you launch NodeZero on a Docker Host within your network.

See also AzureInternalPentest for an enhanced Azure assessment with additional cloud-native capabilities.

AzureInternalPentest

An Azure Internal Pentest op, a gray-box style assessment that evaluates attack paths from on-premise Active Directory to Azure Entra ID tenant compromise.

This pentest requires two credentials:

  • A privileged AD credential with DCSync permissions, allowing NodeZero to simulate a domain compromise and evaluate attack vectors such as Entra Connect credential dumping and Azure Seamless SSO Silver Ticket attacks.
  • An Azure Entra ID user credential, allowing NodeZero to enumerate the Entra ID environment and identify privilege escalation misconfigurations. This credential does not need to be privileged, as Entra ID allows users to enumerate a significant portion of tenant configuration by default.

NodeZero uses the Azure Device Code Flow (OAuth Device Authorization Grant) for the Entra ID credential. During configuration, provide the Entra tenant ID. After the pentest launches, you will be prompted to complete the MFA authentication flow.

This is an internal operation and therefore requires that you launch NodeZero on a Docker Host within your private network.

InsiderThreatAttack

An Insider Threat Attack op, for simulating the fallout from an insider-turned-attacker and measuring the blast radius of compromised employee credentials.

This is essentially an internal pentest with the additional requirement of injecting the credentials of an insider-threat actor (e.g. an employee's domain credentials). NodeZero uses these credentials as a starting point and demonstrates how far an attacker could move laterally, escalate privileges, and access sensitive data.

The pentest results help you understand the degree to which that employee -- or an attacker who has compromised that employee's credentials -- can attack your network, and identify security controls that can mitigate the risk.

Credential types supported include cleartext passwords and NTLM hashes. Additional configuration options include AWS account integration, OSINT terms, tripwire deployment, and attack configurations. See ScheduleOpFormInput for details.

This is an internal operation and therefore requires that you launch NodeZero on a Docker Host within your network.

TripwiresInternal

A "Drop Tripwires" op, for deploying deceptive tokens (tripwires) on designated targets within your internal network. Tripwires detect real-world unauthorized access by triggering alerts when an attacker interacts with them.

An injected credential should be included for each target in the scope of the op, allowing NodeZero to authenticate and deploy the tripwire tokens on those targets. A maximum of 100 tripwires are deployed per operation.

This op type requires that the Tripwires feature is enabled for your account.

This is an internal operation and therefore requires that you launch NodeZero on a Docker Host within your network.

Example
"NodeZero"
Pentesting: Ops

PortalOpState

Description

Represents the current state of an Op as displayed in the Portal UI.

These states map to the op lifecycle: scheduling, provisioning, running, pausing/resuming, post-processing, and completion. See Op.portal_op_state for usage.

Values
done
The op is fully complete and results are available in Portal.
ended
The op was ended early by the user. Partial results may still be available in Portal.
error
The op encountered an error during execution.
installation_needed
The op is waiting for NodeZero to be launched on a Docker Host. Copy and run the launch command to proceed.
awaiting_runner
The op is waiting for its assigned NodeZero Runner to launch NodeZero.
start_paused
The op was configured to start in a paused state. Use Mutation.resume_op to begin the scan.
user_paused
The op is paused by a user. Use Mutation.resume_op to continue.
paused
The op is paused, possibly due to connectivity issues with NodeZero.
pausing
The op is in the process of pausing.
preparing
Resources are being provisioned for the op.
preparing_start_paused
Resources are being provisioned. Once provisioning is complete, the op will start in a paused state.
processing
The op scan has completed and results are being processed. Results will be available shortly.
resuming
The op is resuming from a paused state.
running
The op is actively scanning the target environment.
scheduled
The op is queued and will begin provisioning resources shortly.
queued
The op is queued and will begin provisioning resources shortly.
unknown
The op is in an unknown state. Contact support if this persists.
Example
"done"
Pentesting: Ops

CreateOpOutput

Description

The output from Mutation.create_op.

Fields
op - Op!
The newly created Op. 
fragment CreateOpOutputFragment on CreateOpOutput {
  op {
    op_id
    op_type
    op_name
    op_state
    portal_op_state
    op_param_max_scope
    scheduled_at
    nodezero_script_url
    runner_uuid
    runner_name
  }
}

Examples may not include all available fields for a type.

Pentesting: Ops

OpTab

Description

Pentest data.

DEPRECATED:: use Op type or Pentest type instead.

Fields
uuid - String
ID of pentest.
op_id - String
ID of pentest. Same as uuid.
op_state - String!

State of pentest:

  • scheduled
  • provisioning
  • ready
  • running
  • complete
  • post-processing
  • done
  • cancelling
  • canceled
  • paused
  • error

portal_op_state - PortalOpState!
Op State surfaced in portal.
op_name - String!
Name of pentest.
scheduled_timestamp - Float!
Timestamp of pentest scheduling, in epoch seconds.
scheduled_at - Datetime!
Timestamp of pentest scheduling
scheduled_at_date - Date!
Date of pentest scheduling
scheduled_timestamp_iso - String!
Timestamp of pentest scheduling, in ISO format (UTC).
create_timestamp - Int!
Timestamp of pentest creation, in epoch seconds.
create_timestamp_iso - String!
Timestamp of pentest creation, in ISO format (UTC).
launched_timestamp - Int
Timestamp of pentest launching, in epoch seconds.
launched_timestamp_iso - String
Timestamp of pentest launching, in ISO format (UTC).
launched_at - Datetime
Timestamp of pentest launching
completed_at - Datetime
Timestamp of pentest completion.
completed_timestamp - Float
Timestamp of pentest completion, in epoch seconds.
completed_timestamp_iso - String
Timestamp of pentest completion, in ISO format (UTC).
canceled_at - Datetime
Timestamp of pentest cancellation.
canceled_timestamp - Int
Timestamp of pentest cancellation, in epoch seconds.
canceled_timestamp_iso - String
Timestamp of pentest cancellation, in ISO format (UTC).
duration_hms - String
Pentest duration in HH:MM:SS format .
duration_humanize - String
Pentest duration in "humanized" format .
op_type - OpType
Type of pentest.
weakness_types_count - Int
Number of unique weakness IDs found.
weaknesses_count - Int
Number of weaknesses found (weakness INSTANCEs, not unique weakness IDs).
host_tabs_count - Int
Number of hosts found in scope. Same as in_scope_endpoints_count.
domain_controllers_count - Int
Number of domain controllers found in scope.
credentials_count - Int
Number of credentials and potential credentials found.
proven_credentials_count - Int
Number of credentials and potential credentials found with proof.
confirmed_credentials_count - Int
Number of credentials with proof. Alias of proven_credentials_count.
unproven_credentials_count - Int
Number of credentials without proof.
activedir_passwords_count - Int
Number of credentials found in Active Directory Password Audit(s).
enabled_activedir_passwords_count - Int
Number of enabled credentials found in Active Directory Password Audit(s).
disabled_activedir_passwords_count - Int
Number of disabled credentials found in Active Directory Password Audit(s).
feature_flags - [FeatureFlag]
Advanced configuration settings for this pentest.
impacts_headline_count - Int
Number of impacts in the pentest, which generally refers to the number of assets affected by an impact.
impact_paths_count - Int
Number of impact paths in the pentest. Alias of attack_paths_count.
attack_paths_count - Int
Number of attack paths in the pentest. Alias of impact_paths_count.
phished_impact_paths_count - Int!
Number of impact paths downstream of phished credentials in the pentest. Alias of phished_attack_paths_count
phished_attack_paths_count - Int!
Number of attack paths downstream of phished credentials in the pentest. Alias of phished_impact_paths_count.
nodezero_script_url - String
URL of the script that downloads and launches NodeZero.
nodezero_ip - String
The IP address where NodeZero was launched.
etl_completed_at - Datetime
Timestamp of pentest post-processing completion, in ISO format (UTC).
start_paused - Boolean
Start paused.
minimum_run_time - Int
Op minimum run-time, in minutes.
maximum_run_time - Int
Op maximum run-time, in minutes.
paused_at - Datetime
Time when the pentest was most recently paused.
paused_by_user_account_uuid - String
ID of the user that most recently paused the pentest.
paused_by_user_account - UserAccount
Data of user account that most recently paused the pentest.
op_template_uuid - String
ID of OpTemplate used for this pentest.
op_template_name - String
Name of OpTemplate used for this pentest.
excluded_ips - [ExcludedIP]
IPs that were excluded from the pentest scope. Applies to external pentests only.
excluded_domains - [ExcludedDomain]
Domains that were excluded from the pentest scope. Applies to external pentests only.
runner_uuid - String
ID of NodeZero Runner the op is assigned to.
runner_name - String
Name of NodeZero Runner the op is assigned to.
schedule_uuid - String
ID of schedule the op is associated with.
schedule_name - String
Name of schedule the op is associated with.
schedule - Schedule
The schedule the op is associated with.
auto_injected_credential_uuids - [String]
The set of credentials to be auto-injected (by a NodeZero Runner) into the op.
tripwires_count - Int
The number of Tripwires dropped during the op 
fragment OpTabFragment on OpTab {
  uuid
  op_id
  op_state
  portal_op_state
  op_name
  op_type
  scheduled_at
  launched_at
  completed_at
  canceled_at
  etl_completed_at
  duration_hms
  duration_humanize
  weaknesses_count
  weakness_types_count
  host_tabs_count
  credentials_count
  attack_paths_count
  impacts_headline_count
  nodezero_script_url
  nodezero_ip
  runner_uuid
  runner_name
  schedule_uuid
  schedule_name
  op_template_uuid
  op_template_name
  tripwires_count
}

Examples may not include all available fields for a type.

Pentesting: Ops

OpTabsPage

Description

A paginated list of pentests.

DEPRECATED: Use OpsPage and related APIs instead.

Fields
page_info - PageInfo
Pagination metadata including total count and cursor information.
op_tabs - [OpTab!]!
The list of pentests in this page. 
fragment OpTabsPageFragment on OpTabsPage {
  page_info {
    page_num
    page_size
  }
  op_tabs {
    op_id
    op_name
    op_state
    op_type
  }
}

Examples may not include all available fields for a type.

Pentesting: Ops

OpsPage

Description

A paginated list of Op objects. Returned by Query.ops_page.

Fields
page_info - PageInfo
Pagination metadata including total count and cursor information.
ops - [Op!]!
The list of Op objects in this page. 
fragment OpsPageFragment on OpsPage {
  page_info {
    page_num
    page_size
  }
  ops {
    ...OpFragment
  }
}

fragment OpFragment on Op {
  op_id
  op_type
  op_name
  op_state
  portal_op_state
  op_param_max_scope
  scheduled_at
  created_at
  launched_at
  completed_at
  duration_hms
  hosts_count
  weaknesses_count
  runner_uuid
  runner_name
  portal_url
}

Examples may not include all available fields for a type.

Pentesting: Ops

ScheduleOpOutput

Description

The output from a range of mutations that create ops.

Fields
op - Op!
The newly created Op. 
fragment ScheduleOpOutputFragment on ScheduleOpOutput {
  op {
    op_id
    op_type
    op_name
    op_state
    portal_op_state
    op_param_max_scope
    scheduled_at
    created_at
    nodezero_script_url
    runner_uuid
    runner_name
    portal_url
  }
}

Examples may not include all available fields for a type.

Pentesting: Ops

UpdateOpInput

Description

Input for Mutation.update_op. Supports renaming, archiving, and deleting ops.

Fields
op_name - StringNotEmpty
Set a new name for the op. The name is used for display purposes in Portal and in generated reports.
is_deleted - Boolean
When set to true, permanently deletes the op. Deleted ops are removed from the main views and most aggregations, and are no longer retrievable in Portal or via the API.
is_archived - Boolean
When set to true, archives the op. Archived ops are removed from the main views and most aggregations, but remain retrievable in Portal and via the API. 
# Example 1: Rename an op
mutation RenameOp($op_id: String!, $update_op_input: UpdateOpInput! = {
    op_name: "Renamed Pentest"
}) {
  update_op(op_id: $op_id, update_op_input: $update_op_input) {
    op {
      op_id
      op_name
    }
  }
}

# Example 2: Archive an op
mutation ArchiveOp($op_id: String!, $update_op_input: UpdateOpInput! = {
    is_archived: true
}) {
  update_op(op_id: $op_id, update_op_input: $update_op_input) {
    op {
      op_id
      op_name
    }
  }
}

# Example 3: Delete an op
mutation DeleteOp($op_id: String!, $update_op_input: UpdateOpInput! = {
    is_deleted: true
}) {
  update_op(op_id: $op_id, update_op_input: $update_op_input) {
    op {
      op_id
      op_name
    }
  }
}

Examples may not include all available fields for a type.

Pentesting: Ops

UpdateOpOutput

Description

The output from Mutation.update_op.

Fields
op - Op
The updated Op. 
fragment UpdateOpOutputFragment on UpdateOpOutput {
  op {
    op_id
    op_type
    op_name
    op_state
    portal_op_state
    op_param_max_scope
    scheduled_at
    created_at
    launched_at
    completed_at
    duration_hms
    hosts_count
    weaknesses_count
    runner_uuid
    runner_name
    portal_url
  }
}

Examples may not include all available fields for a type.

Pentesting: Pentests

Access completed pentest results with high-level metrics and status information. Query pentests to retrieve summary data including discovered assets, findings counts, completion timestamps, and download comprehensive reports.

pentests_page

Description

Returns a paginated list of Pentest records in the current client account. By default, archived pentests are excluded unless the is_archived filter is explicitly set. Non-pentest operation types (such as external asset discovery) are always excluded.

Use the Pentest.op_id field to fetch full details about a specific pentest via Query.pentest.

Response

Returns a PentestsPage!

Arguments
page_input - PageInput
Optional pagination, sorting, and filter parameters. 
query PentestsPage($page_input: PageInput) {
  pentests_page(page_input: $page_input) {
    pentests {
      ...PentestFragment
    }
  }
}

fragment PentestFragment on Pentest {
  op_id
  op_type
  name
  state
  user_name
  scheduled_at
  launched_at
  completed_at
  duration_s
  impacts_count
  attack_paths_count
  weaknesses_count
  hosts_count
  credentials_count
}

Examples may not include all available fields for a type.

Pentesting: Pentests

pentests_count

Description

Returns the total number of Pentest records in the current client account, after applying any filters specified in page_input. By default, archived pentests are excluded unless the is_archived filter is explicitly set. Non-pentest operation types (such as external asset discovery) are always excluded from this count.

Response

Returns an Int!

Arguments
page_input - PageInput
Optional pagination and filter parameters. Supports filtering by op type, state, and other pentest attributes. 
query PentestsCount($page_input: PageInput) {
  pentests_count(page_input: $page_input)
}

Examples may not include all available fields for a type.

Pentesting: Pentests

pentest

Description

Returns a single Pentest by its op_id. Returns null if the pentest does not exist or the caller does not have access to it.

Response

Returns a Pentest

Arguments
op_id - String!
Unique identifier of the pentest to retrieve. 
query Pentest($op_id: String!) {
  pentest(op_id: $op_id) {
    ...PentestFragment
  }
}

fragment PentestFragment on Pentest {
  op_id
  op_type
  name
  state
  user_name
  client_name
  min_scope
  max_scope
  exclude_scope
  scheduled_at
  launched_at
  completed_at
  duration_s
  impacts_count
  attack_paths_count
  weakness_types_count
  weaknesses_count
  hosts_count
  credentials_count
  nodezero_script_url
  nodezero_ip
}

Examples may not include all available fields for a type.

Pentesting: Pentests

pentest_reports_zip_url

Description

Returns a pre-signed URL to download a zip archive containing all CSV and PDF reports for the specified pentest. The pentest must have completed post-processing before reports are available.

If the zip file already exists, the pre-signed URL is returned immediately. If the zip file has not yet been generated (e.g., for older pentests prior to Sep 2022), the system will initiate an asynchronous build job and return a [202] error indicating the request is being processed. An email with a download link will be sent to the requesting user when the zip is ready. Subsequent calls after the zip is built will return the pre-signed URL directly.

The zip archive contains the following CSV files and their corresponding schema types:

Response

Returns a String

Arguments
input - OpInput! 
query PentestReportsZipUrl($input: OpInput!) {
  pentest_reports_zip_url(input: $input)
}

Examples may not include all available fields for a type.

Pentesting: Pentests

Pentest

Description

A Pentest represents an autonomous penetration test or security assessment conducted by NodeZero. During a pentest, NodeZero identifies misconfigurations, vulnerabilities, exposed credentials, and other security risks within a defined network scope.

The Pentest type is a specialized view of Op that excludes non-pentest operation types such as external asset discovery. Use Query.pentests_page to list pentests, Query.pentest to retrieve a single pentest by ID, or Mutation.create_op to schedule a new pentest.

The Pentest type encompasses the following OpType values:

  • Internal Pentest (NodeZero) -- Tests your internal network from a Docker host deployed within it.
  • External Pentest (ExternalAttack) -- Tests your public-facing assets from the Horizon3.ai cloud.
  • AD Password Audit (ADPasswordAudit) -- Audits Active Directory passwords for weak, breached, or reused credentials.
  • Phishing Campaign (Phishing) -- Measures the downstream impact of phished credentials via an internal pentest.
  • AWS Pentest (AWSPentest) -- Discovers vulnerabilities and misconfigurations in your AWS environment.
  • Azure Pentest (AzurePentest) -- Assesses attack paths within your hybrid Azure Entra ID environment.
  • Kubernetes Pentest (K8sPentest) -- Tests security controls and vulnerabilities within a Kubernetes cluster.

See OpType for configuration details on each type.

Fields
op_id - String!
Unique identifier for the pentest. Use this value with Query.pentest to fetch full pentest details.
op_type - OpType
The type of pentest. See OpType for the supported pentest types and their configuration requirements.
name - String!
Display name assigned to the pentest at scheduling time.
state - PortalOpState!
Current lifecycle state of the pentest as displayed in the Portal. See PortalOpState for possible values.
user_name - String!
Email or display name of the user who scheduled the pentest.
client_name - String!
Name of the client account that owns the pentest.
min_scope - [String]
The minimum scope defines the set of IPs and CIDR ranges that must be scanned during the pentest. When "auto-expand scope" is enabled, NodeZero may discover and scan additional IPs beyond this set, up to and including the max_scope (if defined). If auto-expand is disabled, only the IPs in min_scope are scanned.
max_scope - [String]
The maximum scope defines the upper boundary of IPs and CIDR ranges that NodeZero is permitted to discover and scan. Any IP addresses encountered outside this range are treated as out of scope, even if auto-expand is enabled.
exclude_scope - [String]
IPs and CIDR ranges explicitly excluded from the pentest scope. NodeZero will not scan these addresses regardless of other scope settings.
git_accounts - [GitAccount]
List of GitAccount entries included in the pentest for Git repository scanning.
aws_account_ids - [AWSAccountId]
List of AWS account IDs included in the pentest for AWS cloud security assessment.
feature_flags - [FeatureFlag]
Advanced configuration options (attack configurations) applied to this pentest. See FeatureFlag for details.
scheduled_at - Datetime!
Timestamp when the pentest was scheduled (i.e., created).
launched_at - Datetime
Timestamp when NodeZero began actively scanning. Null if the pentest has not yet launched.
completed_at - Datetime
Timestamp when the pentest scan completed. Null if the pentest is still running or has not launched.
canceled_at - Datetime
Timestamp when the pentest was canceled by a user. Null if the pentest was not canceled.
etl_completed_at - Datetime
Timestamp when post-processing (ETL) of pentest results completed. Results are fully available in the API once this timestamp is set.
duration_s - Int
Pentest duration in seconds, measured from launched_at to completed_at. For pentests still in progress, reflects the elapsed time since launch.
impacts_count - Int
Number of impacts found during the pentest. Each impact represents a unique combination of impact type and affected asset.
impact_paths_count - Int
Total number of attack paths (impact paths) found. Alias of attack_paths_count.
attack_paths_count - Int
Total number of attack paths found during the pentest. Alias of impact_paths_count.
attack_paths_page - AttackPathsPage!

Returns a paginated list of AttackPath records for this pentest.

Each attack path describes a sequence of steps NodeZero took to achieve an impact. Use the AttackPath.uuid field to fetch additional details via Query.attack_path.

Arguments
page_input - PageInput
phished_impact_paths_count - Int!
Number of attack paths discovered downstream of phished credentials. Alias of phished_attack_paths_count. Relevant only for Phishing pentests.
phished_attack_paths_count - Int!
Number of attack paths discovered downstream of phished credentials. Alias of phished_impact_paths_count. Relevant only for Phishing pentests.
weakness_types_count - Int
Number of distinct weakness types found during the pentest. Each weakness type represents a unique category of vulnerability or misconfiguration.
weaknesses_count - Int
Total number of Weakness instances found during the pentest.
weaknesses_page - WeaknessesPage!

Returns a paginated list of Weakness records for this pentest.

Use the Weakness.uuid field to fetch additional details about a specific weakness via Query.weakness.

Arguments
page_input - PageInput
hosts_count - Int
Number of in-scope hosts (IP addresses) scanned during the pentest.
out_of_scope_hosts_count - Int
Number of out-of-scope hosts (IP addresses) discovered but not scanned during the pentest.
external_domains_count - Int
Number of external domains discovered during the pentest.
services_count - Int
Number of network services (e.g., SSH, HTTP, SMB) discovered during the pentest.
credentials_count - Int
Number of credentials found during the pentest, including both discovered and confirmed credentials.
users_count - Int
Number of user accounts discovered during the pentest.
cred_access_count - Int
Number of unique credential-to-asset access relationships, where each represents a distinct credential used to access a specific asset.
data_stores_count - Int
Number of data stores found (e.g., file shares, database repositories, S3 buckets, Git repositories, Docker registries). Excludes websites.
websites_count - Int
Number of websites discovered during the pentest.
data_resources_count - Long
Aggregate count of all data resources (files, database records, etc.) across all discovered data stores.
nodezero_script_url - String
URL of the one-time launch script that downloads and starts NodeZero on the Docker host. Applicable to internal pentest types that require a local Docker host.
nodezero_ip - String
IP address assigned to the NodeZero instance running this pentest.
schedule - Schedule
The Schedule this pentest is associated with, if it was created from a recurring schedule. 
fragment PentestFragment on Pentest {
  op_id
  op_type
  name
  state
  user_name
  client_name
  min_scope
  max_scope
  exclude_scope
  scheduled_at
  launched_at
  completed_at
  etl_completed_at
  duration_s
  impacts_count
  attack_paths_count
  weakness_types_count
  weaknesses_count
  hosts_count
  out_of_scope_hosts_count
  services_count
  credentials_count
  users_count
  data_stores_count
  websites_count
  nodezero_script_url
  nodezero_ip
}

Examples may not include all available fields for a type.

Pentesting: Pentests

PentestsPage

Description

Contains a paginated list of Pentest records. Returned by Query.pentests_page.

Fields
page_info - PageInfo
Pagination metadata including total count and cursor information.
pentests - [Pentest!]!
The list of Pentest records for the current page. 
fragment PentestsPageFragment on PentestsPage {
  pentests {
    op_id
    op_type
    name
    state
    user_name
    scheduled_at
    completed_at
    duration_s
    impacts_count
    weaknesses_count
    hosts_count
  }
}

Examples may not include all available fields for a type.

Pentesting: Impacts

Explore attack paths (also called impacts) that show how NodeZero compromised critical assets. View attack graphs visualizing the sequence of exploits, examine attack vectors with detailed technique information, and understand the complete kill chain from initial access to objective.

attack_paths_page

Description

Returns a paginated list of AttackPaths discovered during the specified pentest. Each AttackPath represents the sequence of steps NodeZero took to achieve a specific Impact.

Use the AttackPath.uuid field to fetch full details about a specific AttackPath via Query.attack_path.

Response

Returns an AttackPathsPage!

Arguments
input - OpInput!
page_input - PageInput 
query AttackPathsPage($input: OpInput!, $page_input: PageInput) {
  attack_paths_page(input: $input, page_input: $page_input) {
    attack_paths {
      ...AttackPathFragment
    }
  }
}

fragment AttackPathFragment on AttackPath {
  uuid
  impact_type
  impact_title
  name
  score
  severity
  op_id
  weakness_refs
  credential_refs
  host_refs
  time_to_finding_hms
  created_at
  affected_asset_text
  ip
  portal_url
}

Examples may not include all available fields for a type.

Pentesting: Impacts

attack_paths_count

Description

Returns the total count of AttackPaths discovered during the specified pentest. Supports the same filtering options as Query.attack_paths_page via page_input.

Response

Returns an Int!

Arguments
input - OpInput!
page_input - PageInput 
query AttackPathsCount($input: OpInput!, $page_input: PageInput) {
  attack_paths_count(input: $input, page_input: $page_input)
}

Examples may not include all available fields for a type.

Pentesting: Impacts

attack_path

Description

Returns a single AttackPath by its UUID. The AttackPath includes the target ImpactType, risk score, and the Weaknesses, Credentials, and Hosts involved.

Response

Returns an AttackPath

Arguments
uuid - String! 
query AttackPath($uuid: String!) {
  attack_path(uuid: $uuid) {
    ...AttackPathFragment
  }
}

fragment AttackPathFragment on AttackPath {
  uuid
  impact_type
  impact_title
  name
  score
  severity
  op_id
  weakness_refs
  credential_refs
  host_refs
  time_to_finding_hms
  created_at
  affected_asset_text
  ip
  portal_url
}

Examples may not include all available fields for a type.

Pentesting: Impacts

attack_paths_csv_url

Description

Returns a temporary presigned URL to a CSV file containing all AttackPaths discovered during the specified pentest.

The CSV format is documented under ImpactCSV.

Response

Returns a String

Arguments
input - OpInput! 
query AttackPathsCsvUrl($input: OpInput!) {
  attack_paths_csv_url(input: $input)
}

Examples may not include all available fields for a type.

Pentesting: Impacts

AttackPath

Description

An AttackPath represents the sequence of steps NodeZero took to achieve a specific Impact during a pentest. Each AttackPath links to a target Impact and includes the exploited Weaknesses, compromised Credentials, and traversed Hosts that enabled NodeZero to reach that Impact.

Use Query.attack_paths_page to retrieve AttackPaths for a given pentest, or Query.attack_path to fetch a single AttackPath by its UUID.

The attack_vector field provides the full step-by-step AttackVector graph detailing how NodeZero navigated through your environment to achieve the Impact.

Fields
uuid - String!
Unique identifier for this AttackPath.
impact_type - ImpactType!
The ImpactType of the target Impact (e.g., DomainCompromise, RansomwareExposure).
impact_title - String!
The display title for this AttackPath's target ImpactType.
impact_description - String!
A human-readable description of the target ImpactType.
name - String!
The display name of this AttackPath. Describes the Impact and the entity that caused it.
attack_path_title - String!
The display title of this AttackPath. Equivalent to name.
score - Float
The context-adjusted risk score for the target Impact, on a scale of 0 to 10. Higher values indicate greater risk.
severity - Severity
The Severity level corresponding to the target Impact's risk score.
context_score_description_md - String
A narrative description of this AttackPath, summarizing the target Impact along with the Weaknesses, Credentials, and Hosts involved. Returned in markdown format.
context_score_description - String
A narrative description of this AttackPath, summarizing the target Impact along with the Weaknesses, Credentials, and Hosts involved. Returned as plain text.
attack_vector - AttackVector
The AttackVector for this AttackPath. The AttackVector provides the full directed acyclic graph (DAG) of Nodes and Edges representing the step-by-step actions NodeZero took to reach the target Impact. Use the algorithm argument to select the graph version (e.g., v3 for chronological layers, v4 for a consolidated view).
Arguments
algorithm - AttackVectorAlgorithmInput
op_id - String!
The identifier of the pentest (op) in which this AttackPath was discovered.
weakness_refs - [String]
Reference strings for the Weaknesses that appear in this AttackPath. See Weakness.weakness_ref for the format of the ref string.
weaknesses - [Weakness!]
The Weakness records that appear in this AttackPath.
credential_refs - [String]
Reference strings for the Credentials that appear in this AttackPath. Each ref is formatted as {credential_uuid},{user_or_role_name},{asset_name}.
credentials - [Credential!]
The Credential records that appear in this AttackPath.
host_refs - [String]
Reference strings for the Hosts that appear in this AttackPath. Each ref is formatted as {host_uuid},{ip}.
hosts - [Host!]
The Host records that appear in this AttackPath.
time_to_finding_hms - String
The elapsed time from the start of the pentest to when the target Impact was achieved. Formatted as HH:MM:SS.
time_to_finding_s - Int
The elapsed time (in seconds) from the start of the pentest to when the target Impact was achieved.
created_at - Datetime
The UTC timestamp when the target Impact was achieved.
target_entity_text - String
The display name of the entity that is the direct cause of the target Impact (e.g., a Weakness or Credential).
target_entity_short_text - String
The abbreviated name of the entity that is the direct cause of the target Impact.
affected_asset_text - String
The display name of the asset affected by the target Impact.
affected_asset_short_text - String
The abbreviated name of the asset affected by the target Impact.
ip - String
The IP address of the Host affected by the target Impact.
host_name - String
The hostname of the Host affected by the target Impact.
host_text - String
The display name of the Host affected by the target Impact.
affected_host - Host
The Host record for the host affected by the target Impact.
affected_credential - Credential
The Credential affected by the target Impact, if applicable. Resolves based on the type of entity that caused the Impact.
affected_data_store - DataStore
The DataStore affected by the target Impact, if applicable (e.g., for Sensitive Data Exposure or Ransomware Exposure impacts).
proofs_count - Int
The number of Proofs captured during this AttackPath.
proofs - [Proof]
The list of Proofs captured during this AttackPath, providing evidence of the exploitation steps.
portal_url - String
The Portal URL where this AttackPath can be viewed in the Horizon3.ai web interface.
business_risks - [String]
List of business risk categories associated with this Impact (e.g., data loss, operational disruption). 
fragment AttackPathFragment on AttackPath {
  uuid
  impact_type
  impact_title
  impact_description
  name
  attack_path_title
  score
  severity
  context_score_description_md
  context_score_description
  op_id
  weakness_refs
  credential_refs
  host_refs
  time_to_finding_hms
  time_to_finding_s
  created_at
  target_entity_text
  target_entity_short_text
  affected_asset_text
  affected_asset_short_text
  ip
  host_name
  host_text
  proofs_count
  portal_url
  business_risks
}

Examples may not include all available fields for a type.

Pentesting: Impacts

AttackVector

Description

An AttackVector is a directed acyclic graph (DAG) of Nodes and Edges that represents the step-by-step attack path NodeZero took to reach a target entity.

The full graph structure can be retrieved via the attack_graph field as an AttackGraph.

NodeZero tracks AttackVectors for the following entity types:

Each Node in the attack graph has a found_by_module_instance field, which references the ModuleInstance used by NodeZero during that step of the attack path. The ModuleInstance can be used to retrieve further details about that step, including:

  • Information about the module that was used (ModuleInstance.module_meta)
  • How the module maps to the MITRE ATT&CK framework (ModuleInstance.module_meta.mitre_mappings)
  • The commands it ran during the pentest (ModuleInstance.action_logs)

When summarizing an AttackVector, it can be useful to break it down by:

  • The hosts involved (host_nodes)
  • The credentials used (credential_nodes)
  • The weaknesses exploited (weakness_nodes)

The complexity of an attack path is related to its length (number of nodes) and the types of nodes involved. The more credentials and weaknesses involved, the more complex the path. This complexity is relevant when assessing the likelihood that a real-world attacker could replicate the attack path.

Fields
uuid - String!
Unique identifier for this AttackVector.
target_node - Node!
The target Node of the attack vector -- i.e., the final entity that NodeZero reached at the end of this attack path.
algorithm - AttackVectorAlgorithm!
The AttackVectorAlgorithm used to generate this AttackVector (e.g., POC, v3, v4).
total_score - Float
The sum of risk scores across all Nodes in the attack vector.
max_score - Float
The highest risk score among all Nodes in the attack vector.
attack_graph - AttackGraph
The AttackGraph for this AttackVector -- the directed acyclic graph of Nodes and Edges that comprise the attack path.
op_id - String!
The identifier of the pentest (op) in which this AttackVector was observed.
nodes_count - Int
Total number of Nodes in this attack vector.
credentials_count - Int
Number of Credentials (including unverified potential credentials) involved in this attack vector.
credential_nodes - [Node]
The Nodes from the attack graph that represent Credentials or unverified potential credentials used during the attack.
weaknesses_count - Int
Number of Weaknesses exploited in this attack vector.
weakness_nodes - [Node]
The Nodes from the attack graph that represent Weaknesses exploited during the attack.
hosts_count - Int
Number of Hosts traversed in this attack vector.
host_nodes - [Node]
The Nodes from the attack graph that represent Hosts traversed during the attack.
narrative - [Node]
A curated subset of Nodes that form a step-by-step narrative of the attack path, suitable for summarizing the key actions NodeZero took.
has_phished_cred - Boolean
true if this attack vector includes credentials obtained through a phishing simulation.
has_injected_cred - Boolean
true if this attack vector includes credentials that were injected as inputs to the pentest. 
fragment AttackVectorFragment on AttackVector {
  uuid
  algorithm
  target_node {
    uuid
    label_line1
    label_line2
    score
    severity
  }
  total_score
  max_score
  attack_graph {
    nodes {
      uuid
      label_line1
      score
      severity
    }
    edges {
      from_uuid
      to_uuid
    }
  }
  op_id
  nodes_count
  credentials_count
  weaknesses_count
  hosts_count
  narrative {
    uuid
    label_line1
    description
    icon_label
  }
  has_phished_cred
  has_injected_cred
}

Examples may not include all available fields for a type.

Pentesting: Impacts

AttackGraph

Description

An AttackGraph is the directed acyclic graph (DAG) structure within an AttackVector, comprising the set of Nodes and Edges that represent the attack path.

The Nodes represent the hosts, services, Weaknesses, Credentials, and other entities that NodeZero discovered and exploited as part of the attack path.

The Edges define the sequence of steps from one node to the next that NodeZero took along the path.

The attack path can be organized into layers, where each layer represents a distinct time step. Each node is associated with a layer via Node.layer_label. All nodes in the same layer were discovered or exploited at the same time. The layers can be used to render the graph as a timeline showing the progression of the attack.

Fields
nodes - [Node]
The Nodes of the graph. Each node represents a host, service, Weakness, Credential, or other entity that NodeZero discovered and exploited as part of the attack path.
edges - [Edge]
The Edges of the graph. Each edge connects two nodes and defines a step in the sequence that NodeZero took along the attack path. 
fragment AttackGraphFragment on AttackGraph {
  nodes {
    uuid
    label_line1
    label_line2
    label_line3
    icon_label
    score
    severity
    description
    time_to_finding
  }
  edges {
    from_uuid
    to_uuid
  }
}

Examples may not include all available fields for a type.

Pentesting: Impacts

Node

Description

A node in an AttackVector graph.

A Node wraps attack-vector context around a target entity such as a Host, Weakness, Credential, or service that NodeZero discovered or exploited during its attack path.

The icon_label, label_line1, label_line2, and label_line3 fields are useful for rendering the node in a visual representation of the attack graph.

Fields
uuid - String!
The UUID of this node in the attack graph. Referenced by graph edges via Edge.from_uuid and Edge.to_uuid.
attack_vector_node_uuid - String!
The UUID of the underlying AVNode record, which can be used to fetch this specific node.
found_by_module_meta - ModuleMeta
Metadata about the NodeZero module that discovered this node, including its name, category, and MITRE ATT&CK mappings.
found_by_module_instance - ModuleInstance
The specific ModuleInstance that discovered this node during the pentest. Use this to access action logs and detailed execution information.
score - Float
The cyber risk score of this node, on a scale of 0 to 10. Higher values indicate greater risk.
severity - Severity
The Severity level of this node, derived from its risk score.
proofs - [Proof]
The Proofs captured at this step of the attack path, providing evidence of the exploitation.
time_to_finding - String
The elapsed time from the start of the pentest to when NodeZero discovered this node. Formatted as HH:MM:SS.
label_line1 - String
The first line of the node label. Used in v3 and v4 attack vector renderings.
label_line2 - String
The second line of the node label. Used in v3 and v4 attack vector renderings.
label_line3 - String
The third line of the node label. Used in v3 and v4 attack vector renderings.
icon_label - String
The icon label describing the action NodeZero performed on this node (e.g., Found Host, Exploited Weakness).
description - String
A human-readable description of the action NodeZero took at this step of the attack path.
subflow_nodes - [Node]
Downstream nodes in the attack path that occurred at the same time as this node. These nodes are grouped in the same timestamp layer in the attack graph timeline, and are rendered alongside this node in v3 and v4 attack vector visualizations.
weakness - Weakness
The corresponding Weakness for this Node, if the node represents an exploited vulnerability.
credential - Credential
The corresponding Credential for this Node, if the node represents a compromised or unverified potential credential.
host - Host
The corresponding Host for this Node, if the node represents an endpoint or network address. 
fragment NodeFragment on Node {
  uuid
  attack_vector_node_uuid
  score
  severity
  label_line1
  label_line2
  label_line3
  icon_label
  description
  time_to_finding
  found_by_module_meta {
    id
    name
  }
  proofs {
    uuid
  }
  subflow_nodes {
    uuid
    label_line1
    score
  }
}

Examples may not include all available fields for a type.

Pentesting: Impacts

Edge

Description

An edge in an AttackVector graph. Connects two Nodes in the directed acyclic graph (DAG): the source (from) node and the target (to) node. Each edge represents a single step in the attack path that NodeZero traversed.

Fields
from_uuid - String!
The UUID of the source Node (the "from" side of this edge). Corresponds to Node.uuid in the AttackGraph.
to_uuid - String!
The UUID of the target Node (the "to" side of this edge). Corresponds to Node.uuid in the AttackGraph. 
fragment EdgeFragment on Edge {
  from_uuid
  to_uuid
}

Examples may not include all available fields for a type.

Pentesting: Impacts

AttackPathsPage

Description

A paginated list of AttackPath records. Returned by Query.attack_paths_page.

Fields
page_info - PageInfo
Pagination metadata including total count and cursor information.
attack_paths - [AttackPath!]!
The list of AttackPath records for the current page. 
fragment AttackPathsPageFragment on AttackPathsPage {
  page_info {
    page_num
    page_size
  }
  attack_paths {
    uuid
    impact_type
    impact_title
    name
    score
    severity
    op_id
    portal_url
  }
}

Examples may not include all available fields for a type.

Pentesting: Impacts

AttackVectorAlgorithm

Description

The available algorithms for generating AttackVector graphs. Each algorithm produces a different level of detail and graph structure.

Values
POC
Also known as v1. The base algorithm that produces the most detailed graph. No nodes are pruned or consolidated.
v2
This algorithm is no longer used.
v3

A streamlined version of the POC graph with the following modifications:

  • Impact and proof nodes are removed and surfaced as labels on their connected nodes.
  • AWS Connection nodes are removed.
  • The graph is structured chronologically by timestep "layers". All nodes created at the same time are grouped into the same layer. The first node in each layer remains in the main graph; subsequent nodes are stored as subflow_nodes of that first node. This structure facilitates rendering the graph on a timeline, as it appears in the Portal.
v4
A further consolidated version of the v3 graph, providing the most compact representation of the attack path.
Example
"POC"
Pentesting: Impacts

AttackVectorAlgorithmInput

Description

The available algorithms for generating AttackVector graphs, as an input type. Accepts the same values as AttackVectorAlgorithm.

Values
POC
Also known as v1. The base algorithm that produces the most detailed graph. No nodes are pruned or consolidated.
v2
This algorithm is no longer used.
v3

A streamlined version of the POC graph with the following modifications:

  • Impact and proof nodes are removed and surfaced as labels on their connected nodes.
  • AWS Connection nodes are removed.
  • The graph is structured chronologically by "layers". All nodes created at the same time are grouped into the same layer. The first node in each layer remains in the main graph; subsequent nodes are stored as subflow_nodes of that first node. This structure facilitates rendering the graph on a timeline, as it appears in the Portal.
v4
A further consolidated version of the v3 graph, providing the most compact representation of the attack path.
Example
"POC"
Pentesting: Impacts

ImpactType

Description

The categories of business impact that NodeZero can demonstrate during a pentest. Each AttackPath targets one of these impact types, representing the real-world consequence that NodeZero was able to achieve by chaining together exploited Weaknesses and compromised Credentials.

Values
AWSUserRoleCompromise
An AWS IAM user or role has been compromised. Anything that user or role has access to -- including cloud resources, cloud services, and data -- should be considered compromised.
AWSAccountCompromise
An AWS account has been fully compromised. All cloud resources, cloud services, and data that exist in that AWS account should be considered fully compromised.
AzureADUserCompromise
DEPRECATED.
MicrosoftEntraUserCompromise
A Microsoft Entra user has been compromised. Anything that user has access to should be considered compromised, including access to the Microsoft Entra tenant, Microsoft 365, and Azure subscriptions.
MicrosoftEntraAccountCompromise
A Microsoft Entra (AzureAD) tenant has been fully compromised. Any application, service, or resource that utilizes the Entra tenant for Identity and Access Management (IAM) should be considered compromised. This includes cloud services such as Microsoft 365 and Azure-hosted resources such as virtual machines or databases.
MicrosoftEntraFullTenantCompromise
DEPRECATED
BrandCompromise
Brand compromise covers ways in which an attacker can harm your company's reputation, such as defacing the company's website, hosting malware on the company's domain, or carrying out phishing attacks that appear to originate from the company.
BusinessEmailCompromise
Business email compromise enables attackers to send and receive emails under the guise of a legitimate user. Attackers commonly leverage email access to conduct business accounting fraud, carry out highly targeted phishing attacks, gain access to sensitive information, and elicit trusting coworkers to perform actions on their behalf.
CloudCompromise
DEPRECATED.
CloudServiceCompromise
DEPRECATED.
CriticalInfrastructureCompromise
Critical infrastructure compromise involves key devices and applications that provide attackers a privileged position in the network from which they can access sensitive data and launch further attacks.
DomainCompromise
Full domain compromise means all hosts, domain user accounts, data, infrastructure, and applications tied to that Active Directory domain should be considered fully compromised. Additionally, any application running on a domain-joined machine or using Active Directory integration for authentication should be considered fully compromised.
DomainUserCompromise
A domain user account has been compromised. Anything that user account has access to should be considered compromised.
HostCompromise
Host compromise can lead to attackers gaining access to sensitive information, maintaining persistence within your network, and performing lateral movement to other systems.
PerimeterBreach
Perimeter breach indicates that an attacker can gain access to your internal network from the public internet.
RansomwareExposure
Ransomware exposure indicates that attackers could obtain access to business-critical data stores, encrypt them with a secret key, and demand a ransom payment before releasing the decryption key. Ransomware attacks can cause severe disruption to business operations, even after the ransom is paid, as data stores must be decrypted and affected services restored.
SensitiveDataExposure
Sensitive data exposure indicates that attackers could obtain user credentials, PII (Personally Identifiable Information), financial account data, and other business-critical information to further exploit or gain profit.
ThirdPartySaaSUserCompromise
A Third Party SaaS user has been compromised. Anything that user has access to should be considered compromised, including private messages, files, and other application-specific items.
KubernetesIdentityCompromise
A Kubernetes identity has been compromised. Anything that identity has access to -- including pods, services, secrets, service accounts, and data -- should be considered compromised.
KubernetesClusterCompromise
A Kubernetes cluster has been fully compromised. All pods, services, secrets, service accounts, and data should be considered compromised.
WebSessionCompromise
Web session compromise allows attackers to hijack authenticated user sessions through vulnerabilities such as cross-site scripting (XSS). Once a session is compromised, attackers can perform actions as the victim user, access sensitive data visible to that user, steal session tokens or credentials, and potentially escalate access to other systems that trust the compromised application.
WebApplicationUserCompromise
A web application user has been compromised. Anything that user account has access to within the application should be considered compromised, including sensitive data, application functionality, and any integrated services that trust the user's session.
Example
"AWSUserRoleCompromise"

Pentesting: Weaknesses

Query discovered vulnerabilities and security weaknesses including CVE details, severity ratings, affected assets, threat actor intelligence, and remediation guidance. Weaknesses represent exploitable security flaws found during pentesting.

weaknesses_page

Description

Returns a paginated list of Weaknesses discovered during the specified pentest.

Each Weakness record represents a specific vulnerability found on a specific asset -- there is one record per unique vuln_id + affected asset combination.

Use the Weakness.uuid field to fetch full details about a specific Weakness via Query.weakness.

Response

Returns a WeaknessesPage!

Arguments
input - OpInput
page_input - PageInput 
query WeaknessesPage($input: OpInput, $page_input: PageInput) {
  weaknesses_page(input: $input, page_input: $page_input) {
    weaknesses {
      ...WeaknessFragment
    }
  }
}

fragment WeaknessFragment on Weakness {
  uuid
  vuln_id
  vuln_name
  vuln_short_name
  vuln_category
  vuln_cisa_kev
  op_id
  ip
  has_proof
  score
  severity
  base_score
  context_score
  time_to_finding_hms
  affected_asset_display_name
  attack_paths_count
  portal_url
  weakness_ref
}

Examples may not include all available fields for a type.

Pentesting: Weaknesses

weaknesses_count

Description

Returns the total count of Weaknesses discovered during the specified pentest. Supports the same filtering options as Query.weaknesses_page via page_input.

Response

Returns an Int!

Arguments
input - OpInput
page_input - PageInput 
query WeaknessesCount($input: OpInput, $page_input: PageInput) {
  weaknesses_count(input: $input, page_input: $page_input)
}

Examples may not include all available fields for a type.

Pentesting: Weaknesses

weakness

Description

Returns a single Weakness by its UUID, including its risk scores, affected asset, vulnerability details, and related AttackPaths.

Response

Returns a Weakness

Arguments
uuid - String! 
query Weakness($uuid: String!) {
  weakness(uuid: $uuid) {
    ...WeaknessFragment
  }
}

fragment WeaknessFragment on Weakness {
  uuid
  vuln_id
  vuln_name
  vuln_short_name
  vuln_category
  vuln_cisa_kev
  op_id
  ip
  has_proof
  score
  severity
  base_score
  context_score
  time_to_finding_hms
  affected_asset_display_name
  attack_paths_count
  portal_url
  weakness_ref
}

Examples may not include all available fields for a type.

Pentesting: Weaknesses

weaknesses_csv_url

Description

Returns a temporary presigned URL to a CSV file containing all Weaknesses discovered during the specified pentest.

Each row in the CSV represents one Weakness (one vulnerability on one asset). The CSV format is documented under WeaknessCSV.

Response

Returns a String

Arguments
input - OpInput! 
query WeaknessesCsvUrl($input: OpInput!) {
  weaknesses_csv_url(input: $input)
}

Examples may not include all available fields for a type.

Pentesting: Weaknesses

Weakness

Description

A Weakness represents a specific vulnerability found on a specific asset by NodeZero during a pentest. One Weakness record is created for each unique combination of vulnerability ID (vuln_id) + affected asset + pentest (op_id).

The vuln_id field identifies the vulnerability type (e.g., a CVE or an H3-defined vulnerability), while the Vuln field provides static catalog information about that vulnerability, including its name, description, recommended mitigations, and CISA KEV status.

Weaknesses have three levels of risk scoring:

  • base_score: The statically assigned risk score for the vulnerability type.
  • context_score: An environment-adjusted score that accounts for downstream impacts this weakness enables.
  • score: The effective risk score (equals context_score if set, otherwise base_score).

Use Query.weaknesses_page to list weaknesses for a pentest, or Query.weakness to fetch a single weakness by UUID.

To track how a weakness evolves across pentests, see WeaknessSeries.

Fields
uuid - String!
Unique identifier for this Weakness instance.
created_at - Datetime!
The UTC timestamp when NodeZero discovered this Weakness during the pentest.
vuln_id - String!
The vulnerability identifier for this Weakness (e.g., a CVE ID or an H3-defined vulnerability ID).
vuln - Vuln!
Static catalog information about the vulnerability, including its name, description, mitigations, and references. See Vuln.
vuln_aliases - [String!]
Well-known aliases for this vulnerability (e.g., alternate CVE IDs or common names).
vuln_category - VulnCategory
The high-level VulnCategory of this vulnerability (e.g., SECURITY_MISCONFIGURATION, VULNERABILITY).
vuln_name - String
The official name of the vulnerability.
vuln_short_name - String
An abbreviated name for the vulnerability, useful for display in compact views.
vuln_cisa_kev - Boolean
true if the vulnerability is listed in the CISA Known Exploited Vulnerabilities (KEV) catalog.
vuln_known_ransomware_campaign_use - Boolean
true if the vulnerability is known to be used in ransomware campaigns, according to CISA.
op_id - String!
The identifier of the pentest (op) in which this Weakness was discovered.
ip - String
The IP address of the asset where this Weakness was observed.
has_proof - Boolean
true if NodeZero captured proof of successful exploitation for this Weakness. See also the proofs field.
proof_failure_code - String
A code indicating why proof was not captured, if applicable. Possible values: exploit_failed, not_configured, no_exploit, timeout.
proof_failure_reason - String
A human-readable explanation of why proof was not captured, if applicable.
score - Float
The effective risk score for this Weakness (0-10). Equals context_score if available, otherwise base_score. Higher values indicate greater risk.
severity - Severity
The Severity level corresponding to the effective score.
base_score - Float
The statically assigned base risk score for the vulnerability type (0-10), before environment-specific context adjustments.
base_severity - Severity
The Severity level corresponding to the base_score.
context_score - Float
The environment-adjusted risk score (0-10), which accounts for the downstream impacts this Weakness enables. May be higher than the base_score when the weakness contributes to significant downstream impacts.
context_severity - Severity
The Severity level corresponding to the context_score.
context_score_description_md - String
A narrative explaining how the context score was determined, including the downstream impacts this Weakness enables. Returned in markdown format.
context_score_description - String
A narrative explaining how the context score was determined, including the downstream impacts this Weakness enables. Returned as plain text.
time_to_finding_hms - String
The elapsed time from the start of the pentest to when this Weakness was discovered. Formatted as HH:MM:SS.
time_to_finding_s - Int
The elapsed time (in seconds) from the start of the pentest to when this Weakness was discovered.
affected_asset_display_name - String
The display name of the asset directly affected by this Weakness.
affected_asset_short_name - String
An abbreviated name for the asset directly affected by this Weakness.
downstream_impact_types - [ImpactType!]
The list of ImpactTypes found downstream of this Weakness (e.g., DomainCompromise, RansomwareExposure).
attack_paths_count - Int!
The number of AttackPaths that include this Weakness. Equivalent to the number of Impacts found downstream of this Weakness.
Arguments
page_input - PageInput
attack_paths_page - AttackPathsPage!
A paginated list of AttackPaths that include this Weakness. Each AttackPath represents an Impact that this Weakness contributed to.
Arguments
page_input - PageInput
proofs - [Proof]
Proof records captured for this Weakness, providing evidence of successful exploitation.
affected_host - Host
The Host on which this Weakness was discovered.
diff_status - DiffStatus

Populated only when performing a diff between pentests, for example via Query.weaknesses_diff_page.

If a weakness was present in the first pentest but not the second, its diff_status will be REMOVED.

If a weakness was present in the second pentest but not the first, its diff_status will be ADDED.

mitre_mappings - [MitreMapping!]
The MITRE ATT&CK techniques associated with the discovery and exploitation of this Weakness.
affected_credentials_count - Int!
The number of Credentials affected by this Weakness. Typically there is only one affected Credential per Weakness, but in some edge cases there can be multiple.
Arguments
page_input - PageInput
affected_credentials_page - CredentialsPage!
A paginated list of Credentials affected by this Weakness. Typically there is only one affected Credential per Weakness, but in some edge cases there can be multiple.
Arguments
page_input - PageInput
affected_service - Service
The Service affected by this Weakness, if applicable.
affected_application - Application
The Application affected by this Weakness, if applicable.
affected_cloud_resource - CloudResource
The CloudResource affected by this Weakness, if applicable.
affected_cloud_role - CloudRole
The CloudRole affected by this Weakness, if applicable.
affected_external_domain - ExternalDomain
The ExternalDomain affected by this Weakness, if applicable.
affected_interesting_resource - InterestingResource
The InterestingResource affected by this Weakness, if applicable.
affected_ldap_domain - LDAPDomain
The LDAPDomain affected by this Weakness, if applicable.
affected_data_store - DataStore
The DataStore affected by this Weakness, if applicable.
portal_url - String
The Portal URL where this Weakness can be viewed in the Horizon3.ai web interface.
weakness_ref - String
A reference string that uniquely identifies this Weakness instance. Formatted as {weakness_uuid},{vuln_short_name},{affected_asset_short_name}. Used for filtering in various APIs, such as Query.attack_paths_page. See also AttackPath.weakness_refs. 
fragment WeaknessFragment on Weakness {
  uuid
  created_at
  vuln_id
  vuln_aliases
  vuln_category
  vuln_name
  vuln_short_name
  vuln_cisa_kev
  vuln_known_ransomware_campaign_use
  op_id
  ip
  has_proof
  proof_failure_code
  proof_failure_reason
  score
  severity
  base_score
  base_severity
  context_score
  context_severity
  context_score_description_md
  context_score_description
  time_to_finding_hms
  time_to_finding_s
  affected_asset_display_name
  affected_asset_short_name
  downstream_impact_types
  attack_paths_count
  diff_status
  affected_credentials_count
  portal_url
  weakness_ref
}

Examples may not include all available fields for a type.

Pentesting: Weaknesses

Severity

Description

Severity levels derived from a finding's cyber risk score (0-10 scale). Used throughout the API to classify the risk level of Weaknesses, AttackPaths, and Nodes.

       score <= 0  : INFO
0   <  score <  4.0: LOW
4.0 <= score <  7.0: MEDIUM
7.0 <= score <  9.0: HIGH
9.0 <= score       : CRITICAL
Values
INFO
Informational finding. Score is 0 or below.
LOW
Low-severity finding. Score is between 0 (exclusive) and 4.0.
MEDIUM
Medium-severity finding. Score is between 4.0 (inclusive) and 7.0.
HIGH
High-severity finding. Score is between 7.0 (inclusive) and 9.0.
CRITICAL
Critical-severity finding. Score is 9.0 or above.
Example
"INFO"
Pentesting: Weaknesses

ThreatActor

Description

Information about a known threat actor group that is associated with specific vulnerabilities. Threat actors are linked to Vulns via the Vuln.threat_actors field, enabling you to assess whether vulnerabilities in your environment are being actively targeted by known adversaries.

Fields
name - String!
The commonly known name of the threat actor group.
short_description - String
A brief summary of the threat actor's known activities and targets.
description - String!
A detailed description of the threat actor, including tactics, techniques, and known campaigns.
origin_country - String!
The country or region where the threat actor is believed to originate.
remediation_urgency - String!
A brief assessment of how urgently vulnerabilities exploited by this threat actor should be remediated.
aliases - [String!]!
Well-known alternative names for this threat actor (e.g., APT group designations used by different vendors).
references - [ThreatActorReference!]!
External references and resources with additional information about this threat actor. See ThreatActorReference. 
fragment ThreatActorFragment on ThreatActor {
  name
  short_description
  description
  origin_country
  remediation_urgency
  aliases
  references {
    display_name
    url
  }
}

Examples may not include all available fields for a type.

Pentesting: Weaknesses

ThreatActorReference

Description

A reference to external documentation or resources related to a ThreatActor.

Fields
display_name - String!
The display name or title of the reference document.
url - String!
The URL of the reference document. 
fragment ThreatActorReferenceFragment on ThreatActorReference {
  display_name
  url
}

Examples may not include all available fields for a type.

Pentesting: Weaknesses

Vuln

Description

Static catalog information about a vulnerability type. Each Weakness references a Vuln via the vuln_id field to provide details about the vulnerability, including its name, description, base risk score, recommended mitigations, CISA KEV status, and associated ThreatActors.

Fields
id - String!
The unique identifier for this Vuln (e.g., a CVE ID like CVE-2021-44228 or an H3-defined ID).
base_score - Float!
The statically assigned base risk score for this Vuln (0-10). Note that the corresponding Weakness may have a different effective score, based on context scoring that considers the weakness's actual impact within the environment.
name - String!
The official name of the Vuln.
short_name - String!
An abbreviated name for the Vuln, suitable for display in compact views.
description - String!
A detailed description of the vulnerability, including how it can be exploited.
impact - String
A description of the potential impact if an attacker successfully exploited this Vuln.
category - VulnCategory!
The high-level VulnCategory for this Vuln (e.g., SECURITY_MISCONFIGURATION, VULNERABILITY).
base_severity - Severity!
The Severity level corresponding to the Vuln's base_score.
aliases - [String]!
Well-known aliases for this Vuln (e.g., alternate CVE IDs or common names).
mitigations - [VulnMitigation]!
Recommended remediation actions to mitigate this Vuln. See VulnMitigation.
references - [VulnReference]!
External references and resources related to this Vuln. See VulnReference.
impact_categories - [VulnImpactCategory]!
Categories describing the potential impact if this Vuln were exploited. See VulnImpactCategory.
one_click_verify - Boolean!
true if this Vuln supports one-click verification, allowing you to quickly re-test whether the vulnerability has been remediated. Most Vulns are one-click verifiable. Vulns that require complex multi-step attack paths may not be one-click verifiable.
cisa_kev - Boolean!
true if this Vuln is listed in the CISA Known Exploited Vulnerabilities (KEV) catalog, indicating active exploitation in the wild.
known_ransomware_campaign_use - Boolean
true if this Vuln is known to be used in ransomware campaigns, according to CISA.
threat_actors - [ThreatActor!]!
ThreatActors that are known to exploit this Vuln. 
fragment VulnFragment on Vuln {
  id
  name
  short_name
  description
  base_score
  base_severity
  category
  impact
  aliases
  mitigations {
    description
  }
  references {
    name
    url
  }
  impact_categories
  one_click_verify
  cisa_kev
  known_ransomware_campaign_use
  threat_actors {
    name
    short_description
  }
}

Examples may not include all available fields for a type.

Pentesting: Weaknesses

VulnCategory

Description

High-level categories for classifying vulnerabilities.

Values
SECURITY_MISCONFIGURATION
The vulnerability stems from a security misconfiguration of an asset (e.g., default settings, open ports, unnecessary services).
VULNERABILITY
A product or asset vulnerability, such as a software bug or known CVE.
SECURITY_CONTROLS
The vulnerability stems from ineffective or insufficient security controls or policies (e.g., missing MFA, weak access controls).
CREDENTIALS
The vulnerability is related to credential management or policies (e.g., weak passwords, default credentials, credential reuse).
Example
"SECURITY_MISCONFIGURATION"
Pentesting: Weaknesses

VulnImpactCategory

Description

Categories describing the potential impact if a vulnerability is exploited.

Values
FILE_UPLOAD
Exploitation may allow unauthorized file uploads to the target system.
DENIAL_OF_SERVICE
Exploitation may result in a Denial-of-Service (DoS) condition, disrupting availability.
REMOTE_CODE_EXECUTION
Exploitation may enable remote code execution on the target system.
INFORMATION_DISCLOSURE
Exploitation may lead to disclosure of sensitive information.
PRIVILEGE_ESCALATION
Exploitation may enable an attacker to escalate privileges beyond their intended level.
DEFACEMENT
Exploitation may enable defacement of a website or web application.
IMPERSONATION
Exploitation may allow an attacker to impersonate a legitimate user.
UNAUTHORIZED_ACCESS
Exploitation may grant unauthorized access to a system or resource.
Example
"FILE_UPLOAD"
Pentesting: Weaknesses

VulnMitigation

Description

A recommended remediation action to mitigate a Vuln.

Fields
description - String!
A description of the recommended mitigation action. 
fragment VulnMitigationFragment on VulnMitigation {
  description
}

Examples may not include all available fields for a type.

Pentesting: Weaknesses

VulnReference

Description

A reference to external documentation or resources related to a Vuln.

Fields
name - String!
The display name or title of the reference document.
url - String
The URL of the reference document. 
fragment VulnReferenceFragment on VulnReference {
  name
  url
}

Examples may not include all available fields for a type.

Pentesting: Weaknesses

WeaknessesPage

Description

A paginated list of Weakness records. Returned by Query.weaknesses_page.

Fields
page_info - PageInfo
Pagination metadata including total count and cursor information.
weaknesses - [Weakness!]!
The list of Weakness records for the current page. 
fragment WeaknessesPageFragment on WeaknessesPage {
  page_info {
    page_num
    page_size
  }
  weaknesses {
    uuid
    vuln_id
    vuln_name
    score
    severity
    ip
    op_id
    portal_url
  }
}

Examples may not include all available fields for a type.

Pentesting: Proofs

Access proof artifacts demonstrating successful exploitation including command outputs, screenshots, and enumeration results. Proof provides forensic evidence validating each finding discovered during pentesting.

Proof

Description

A Proof represents evidence captured by NodeZero during a pentest that demonstrates a specific finding, such as a compromised credential, an exploited weakness, or a discovered resource.

Each Proof is one of three types, as indicated by the proof_type field:

  • ScreenshotProofResource -- A screenshot image. Use the presigned_url field to download it. Presigned URLs are generated on demand and expire after a short period.
  • CommandOutputProofResource -- Output from one or more shell commands executed by NodeZero. Retrieve the data via the command_outputs field, which returns a list of CommandOutput objects.
  • EnumerationProofResource -- Structured enumeration data (e.g., processes, programs, or users discovered on a host). Retrieve the data via the enumeration_outputs field, which returns a list of EnumerationProofOutput objects.

A single Proof may apply to more than one entity (e.g., a Weakness, a Credential, or a web resource). The proven_entity_labels field lists labels for all associated entities.

Fields
uuid - String!
Unique identifier for this Proof.
created_at - Datetime!
When this Proof record was created (UTC). See also collected_at, which indicates when the proof was actually captured during the pentest.
proof_type - String!
The type of proof. One of CommandOutputProofResource, ScreenshotProofResource, or EnumerationProofResource.
collected_at - Datetime
When this Proof was captured by NodeZero during the pentest (UTC). This represents the actual collection time, as opposed to created_at which is the record creation time.
annotation - String
A human-readable caption or annotation that describes what this Proof demonstrates.
url - String
The target URL that was captured in a screenshot. Only populated for screenshot-type proofs.
presigned_url - String
A presigned URL for downloading the screenshot image. Only populated for screenshot-type proofs. Presigned URLs are generated on demand at request time and expire within a short period.
command_outputs - [CommandOutput]
The list of CommandOutput objects containing the shell commands and their output. Only populated for command-output-type proofs.
enumeration_type - String
The type of enumeration performed. Known values include Process, Program, and User. Only populated for enumeration-type proofs.
enumeration_outputs - [EnumerationProofOutput]
The structured enumeration data captured during discovery. Returns a list of EnumerationProofOutput objects. Only populated for enumeration-type proofs.
proven_entity_labels - [String]
A set of human-readable labels identifying the entities this Proof applies to. A single Proof may apply to more than one entity -- for example, a Weakness, a Credential, and/or a web resource.
found_by_module_meta - ModuleMeta
Metadata about the NodeZero module that found this Proof, including associated MITRE ATT&CK tactics and techniques. See ModuleMeta.
op_id - String!
The ID of the Op (pentest) in which this Proof was captured. 
fragment ProofFragment on Proof {
  uuid
  created_at
  proof_type
  collected_at
  annotation
  url
  presigned_url
  command_outputs {
    command
    output
  }
  enumeration_type
  enumeration_outputs {
    name
    metadata
  }
  proven_entity_labels
  found_by_module_meta {
    id
    name
    description
    mitre_mappings {
      mitre_tactic_id
      mitre_technique_id
      mitre_subtechnique_id
    }
  }
  op_id
}

Examples may not include all available fields for a type.

Pentesting: Proofs

CommandOutput

Description

Output from a shell command executed by NodeZero during a pentest. Each CommandOutput contains the command that was run and the resulting output. A single Proof of type CommandOutputProofResource may contain multiple CommandOutput entries.

Fields
command - String
The shell command that was executed by NodeZero.
output - String
The text output produced by the command. 
fragment CommandOutputFragment on CommandOutput {
  command
  output
}

Examples may not include all available fields for a type.

Pentesting: Proofs

EnumerationProofOutput

Description

A structured enumeration item captured during host discovery. Enumeration proofs contain lists of items such as running processes, installed programs, or user accounts found on a compromised host. Each item has a display name and a set of metadata key-value pairs with additional detail.

Fields
name - String!
The primary display name for this enumeration item (e.g., a process name, program name, or username).
metadata - JSONObject!
Additional metadata for this enumeration item, provided as key-value pairs. The available keys vary by enumeration type. 
fragment EnumerationProofOutputFragment on EnumerationProofOutput {
  name
  metadata
}

Examples may not include all available fields for a type.

Pentesting: Credentials

View credentials compromised during pentesting including usernames, password hashes, cloud roles, and their usage in attacks. Track credential exposure across your environment and identify weak password patterns in Active Directory.

credentials_page

Description

Returns a paginated list of Credential records for the given pentest. Anonymous credentials are excluded unless they were used in an AttackPath and have a high risk score.

Response

Returns a CredentialsPage!

Arguments
input - OpInput!
page_input - PageInput 
query CredentialsPage($input: OpInput!, $page_input: PageInput) {
  credentials_page(input: $input, page_input: $page_input) {
    credentials {
      ...CredentialPageFragment
    }
  }
}

fragment CredentialPageFragment on Credential {
  uuid
  created_at
  cred_type
  user_name
  ip
  product
  cleartext
  has_proof
  is_validated
  score
  severity
  weaknesses_count
  attack_paths_count
  display_name
  portal_url
}

Examples may not include all available fields for a type.

Pentesting: Credentials

credentials_count

Description

Returns the total number of Credential records for the given pentest. Anonymous credentials are excluded unless they were used in an AttackPath and have a high risk score. Uses the same filtering logic as Query.credentials_page.

Response

Returns an Int!

Arguments
input - OpInput!
page_input - PageInput 
query CredentialsCount($input: OpInput!, $page_input: PageInput) {
  credentials_count(input: $input, page_input: $page_input)
}

Examples may not include all available fields for a type.

Pentesting: Credentials

credential

Description

Retrieves a single Credential by its unique identifier.

Response

Returns a Credential

Arguments
uuid - String! 
query Credential($uuid: String!) {
  credential(uuid: $uuid) {
    ...CredentialFragment
  }
}

fragment CredentialFragment on Credential {
  uuid
  created_at
  cred_type
  user_name
  ip
  product
  cleartext
  hash
  has_proof
  is_validated
  role
  role_name
  score
  severity
  weaknesses_count
  attack_paths_count
  display_name
  portal_url
}

Examples may not include all available fields for a type.

Pentesting: Credentials

credentials_csv_url

Description

Returns a presigned URL to download all Credential records for the given pentest as a CSV file. The presigned URL is generated on demand and expires after a short period.

The CSV format is documented under CredentialCSV.

Response

Returns a String

Arguments
input - OpInput! 
query CredentialsCsvUrl($input: OpInput!) {
  credentials_csv_url(input: $input)
}

Examples may not include all available fields for a type.

Pentesting: Credentials

activedir_passwords_csv_url

Description

Returns a presigned URL to download Active Directory password audit results as a CSV file. The presigned URL is generated on demand and expires after a short period. The CSV format is documented under ActiveDirPasswordCSV.

Response

Returns a String

Arguments
input - OpInput! 
query ActivedirPasswordsCsvUrl($input: OpInput!) {
  activedir_passwords_csv_url(input: $input)
}

Examples may not include all available fields for a type.

Pentesting: Credentials

Credential

Description

A Credential represents a user account, password, hash, API key, or other secret discovered or validated by NodeZero during a pentest.

Credentials encompass a range of access types, from traditional username/password pairs to cloud IAM roles, SNMP community strings, Kubernetes service accounts, and more. The cred_type field indicates the category of the credential, and the role field indicates the privilege level (e.g., Domain Admin, Local User).

Use Query.credentials_page to list credentials for a pentest, Query.credential to fetch a single credential by UUID, or Query.credentials_csv_url to export credentials as CSV.

Fields
uuid - String!
Unique identifier for this Credential.
created_at - Datetime!
When this Credential was discovered by NodeZero during the pentest (UTC).
cred_type - String
The type of Credential. Common values include STANDARD (username/password), AWS, SNMP_COMMUNITY_STRING, PUBLIC_WEB, SMB_NULL_BIND, LDAP_NULL_BIND, NFS_NULL_BIND, API_ANONYMOUS, and AWS_CROSS_ACCOUNT_USER.
user_name - String
The name of the user or subject associated with this Credential. This resolves to the first non-empty value among the Kubernetes identity name, cloud role name, user name, or API key ID. Defaults to (anonymous) if none are available.
k8s_identity_name - String
The Kubernetes identity name (e.g., service account) associated with this Credential, if applicable.
cloud_role_name - String
The name of the CloudRole (e.g., an AWS IAM role or Azure role) associated with this Credential.
cloud_account_id - String
The ID of the cloud account (e.g., an AWS account ID) where this Credential was found.
ip - String
One of the IPs where this Credential was used. Some Credentials (e.g., Domain User Credentials) may be used across multiple IPs. Use ips for the complete list.
ips - [String]
The complete list of IP addresses where this Credential was used. Some Credentials (e.g., Domain User Credentials) may span multiple IPs.
sockets - [String]
The list of IP:port socket pairs where this Credential was used. Each entry is formatted as {ip}:{port}.
product - String
The product or service name (e.g., ssh, smb, rdp) that this Credential was used to authenticate against.
permissions_list - [String]
The list of permissions (e.g., read, write, delete) associated with this Credential, indicating what access it grants.
api_key_id - String
The API key ID (e.g., an AWS Access Key ID) associated with this Credential.
api_secret_key - String
The API key secret (e.g., an AWS Secret Access Key) associated with this Credential. Values are masked for security.
api_session_token - String
The API key session token (e.g., an AWS Session Token) associated with this Credential. Values are masked for security.
cleartext - String
The cleartext password for this Credential, with most characters masked for security.
hash - String
The password hash for this Credential, with most characters masked for security.
has_proof - Boolean
true if NodeZero obtained Proof demonstrating this Credential. Defaults to false.
proofs - [Proof]
The list of Proof objects demonstrating this Credential.
is_validated - Boolean
true if NodeZero successfully used and validated this Credential during the pentest, confirming it grants access.
hosts - [Host]
The list of Host endpoints accessed by this Credential during the pentest.
is_injected - Boolean
true if this Credential was injected (i.e., provided as an input to the pentest) rather than discovered autonomously by NodeZero.
is_cracked - Boolean
true if NodeZero successfully cracked the password hash for this Credential during the pentest.
is_local_admin - Boolean
true if this Credential has local administrator privileges on a host.
is_domain_admin - Boolean
true if this Credential has Domain Admin privileges in Active Directory.
is_entra_global_admin - Boolean
true if this Credential has Global Admin privileges in Microsoft Entra (formerly Azure AD).
role_name - String
Human-readable display name for the role (e.g., Domain User, Local Admin, AWS Role).
context_score_description - String
A human-readable explanation of how the Credential's risk score was determined, including context about downstream impacts.
score - Float
The risk score for this Credential (0.0 to 10.0). Higher scores indicate greater risk. Factors include the credential's privilege level and downstream impacts.
severity - Severity
The Severity level derived from the score (e.g., CRITICAL, HIGH, MEDIUM, LOW, INFO).
weaknesses_count - Int!
The number of Weakness findings associated with this Credential.
weaknesses_page - WeaknessesPage!
A paginated list of Weakness findings associated with this Credential.
Arguments
page_input - PageInput
services_count - Int!
The number of Service endpoints accessed using this Credential.
data_stores_count - Int!
The number of DataStore resources (e.g., file shares, databases) accessed using this Credential.
data_stores_page - DataStoresPage!
A paginated list of DataStore resources (e.g., file shares, databases) accessed using this Credential.
Arguments
page_input - PageInput
op_id - String!
The ID of the Op (pentest) in which this Credential was found.
op - Op!
The Op (pentest) in which this Credential was found.
downstream_impact_types - [ImpactType!]
The list of ImpactType values representing the business impacts found downstream of this Credential. Equivalent to the impact types in attack_paths_page.
attack_paths_count - Int!
The number of AttackPath records this Credential is included in. This equals the count of business impacts found downstream of this Credential.
Arguments
page_input - PageInput
attack_paths_page - AttackPathsPage!
A paginated list of AttackPath records this Credential is included in, representing the business impacts found downstream.
Arguments
page_input - PageInput
time_to_finding_hms - String
The elapsed time from pentest start until this Credential was found, formatted as hh:mm:ss.
time_to_finding_s - Int
The elapsed time from pentest start until this Credential was found, in seconds.
display_name - String
A computed display name for this Credential. Depending on the credential type, this may be the username, username@ip, or the AWS access key ID.
portal_url - String
A direct URL to view this Credential in the NodeZero Portal. 
fragment CredentialFragment on Credential {
  uuid
  created_at
  cred_type
  user_name
  cloud_role_name
  cloud_account_id
  ip
  ips
  sockets
  product
  permissions_list
  cleartext
  hash
  has_proof
  is_validated
  is_injected
  is_cracked
  is_local_admin
  is_domain_admin
  role
  role_name
  score
  severity
  weaknesses_count
  services_count
  data_stores_count
  attack_paths_count
  time_to_finding_hms
  display_name
  op_id
  portal_url
}

Examples may not include all available fields for a type.

Pentesting: Credentials

CloudRole

Description

Represents a security role in a cloud environment, such as an AWS IAM role, an Azure role, or another cloud provider role. CloudRoles are discovered when NodeZero enumerates cloud infrastructure during a pentest and may be associated with one or more Credential records.

Fields
uuid - String!
Unique identifier for this CloudRole.
created_at - Datetime!
When this CloudRole was discovered during the pentest (UTC).
name - String!
The name of the cloud role (e.g., an AWS IAM role name or Azure role name).
cloud_account_id - String
The ID of the cloud account (e.g., an AWS account ID) where this CloudRole is defined.
cloud_provider_name - String
The name of the cloud provider for this CloudRole (e.g., AWS, Azure).
op_id - String!
The ID of the Op (pentest) in which this CloudRole was discovered. 
fragment CloudRoleFragment on CloudRole {
  uuid
  created_at
  name
  cloud_account_id
  cloud_provider_name
  op_id
}

Examples may not include all available fields for a type.

Pentesting: Credentials

CredentialsPage

Description

A paginated list of Credential records. Returned by Query.credentials_page.

Fields
page_info - PageInfo
Pagination metadata including total count and cursor information.
credentials - [Credential!]!
The list of Credential records for the current page. 
fragment CredentialsPageFragment on CredentialsPage {
  page_info {
    page_num
    page_size
  }
  credentials {
    uuid
    cred_type
    user_name
    ip
    product
    role_name
    score
    severity
    display_name
    op_id
    portal_url
  }
}

Examples may not include all available fields for a type.

Pentesting: Data Stores

Query discovered data stores and databases identified during pentesting including file shares, databases, cloud storage, and sensitive resources. View accessibility, permissions, and interesting files or data discovered.

data_stores_page

Description

Returns a paginated list of DataStores discovered during the specified pentest. Supports filtering (e.g., by data_store_type, severity, downstream_impact_types), sorting, and text search via page_input.

Response

Returns a DataStoresPage!

Arguments
input - OpInput!
page_input - PageInput 
query DataStoresPage($input: OpInput!, $page_input: PageInput) {
  data_stores_page(input: $input, page_input: $page_input) {
    data_stores {
      ...DataStoreFragment
    }
  }
}

fragment DataStoreFragment on DataStore {
  uuid
  data_store_type
  name
  title
  ip
  port
  service_type
  data_resources_count
  data_resources_label
  sensitive_resources_count
  is_authenticated
  score
  severity
}

Examples may not include all available fields for a type.

Pentesting: Data Stores

data_stores_count

Description

Returns the count of DataStores discovered during the specified pentest. Supports filtering via page_input (e.g., by data_store_type, severity, or text search).

Response

Returns an Int!

Arguments
input - OpInput!
page_input - PageInput 
query DataStoresCount($input: OpInput!, $page_input: PageInput) {
  data_stores_count(input: $input, page_input: $page_input)
}

Examples may not include all available fields for a type.

Pentesting: Data Stores

data_store

Description

Returns the DataStore with the given uuid. A DataStore represents a data repository (file share, database, S3 bucket, etc.) discovered during a pentest.

Response

Returns a DataStore

Arguments
uuid - String! 
query DataStore($uuid: String!) {
  data_store(uuid: $uuid) {
    ...DataStoreFragment
  }
}

fragment DataStoreFragment on DataStore {
  uuid
  data_store_type
  created_at
  name
  title
  ip
  port
  host_name
  service_type
  address
  data_resources_count
  data_resources_label
  sensitive_resources_count
  is_authenticated
  permissions_list
  score
  severity
  op_id
  portal_url
}

Examples may not include all available fields for a type.

Pentesting: Data Stores

data_stores_csv_url

Description

Returns a temporary presigned URL to a CSV export of all DataStores discovered during the specified pentest. The URL expires after a short time.

The CSV format is documented under ShareCSV.

Response

Returns a String

Arguments
input - OpInput! 
query DataStoresCSVUrl($input: OpInput!) {
  data_stores_csv_url(input: $input)
}

Examples may not include all available fields for a type.

Pentesting: Data Stores

DataStore

Description

A DataStore represents a data repository discovered by NodeZero during a pentest. DataStores include file shares (SMB, NFS), databases (PostgreSQL, MySQL, DynamoDB), AWS S3 buckets, Azure Storage accounts, Docker registries, Git repositories (GitHub, GitLab), and Microsoft 365 resources (Outlook, OneDrive, SharePoint).

The data_store_type field indicates which category of data store this record represents. Each DataStore is scored based on the sensitivity of the data it contains and the weaknesses that expose it.

Use Query.data_stores_page to list DataStores for a pentest, Query.data_store to fetch a single DataStore by UUID, or Query.data_stores_csv_url to export DataStores as CSV.

Fields
uuid - String!
Unique identifier for this DataStore.
created_at - Datetime!
When this DataStore was first observed during the pentest (UTC).
name - String
The name of this DataStore (e.g., share name, bucket name, repository name).
name_and_account - String
The DataStore name prefixed by the associated account when applicable, formatted as <account_name> : <data_store_name>. For Git repositories, this includes the Git account name.
title - String
A human-readable display title for this DataStore, e.g., File Share ADMIN$ on 123.4.5.6 Port 445.
ip - String
The IP address of the host where this DataStore resides. Falls back to the DNS FQDN if no IP is available.
port - Int
The network port on which this DataStore's service is accessible.
host_name - String
The hostname of the machine where this DataStore resides.
service_type - String

The protocol or service name associated with this DataStore. The value varies by data_store_type:

  • FileShare: The SMB/NFS service name (e.g., SMB, NFS)
  • DockerRegistry: Docker Registry
  • DatabaseRepo: The database engine name (e.g., PostgreSQL, MySQL, AWS DynamoDB)
  • S3Bucket / AzureStorage: The cloud service name
  • GitRepo: The Git hosting provider (e.g., GitHub, GitLab)
  • Microsoft365: Microsoft Outlook, Microsoft OneDrive, or Microsoft SharePoint
account - String

The account or owner associated with this DataStore. The value varies by data_store_type:

  • S3Bucket / AzureStorage / Microsoft365: The cloud account ID
  • GitRepo: The Git account name (e.g., the GitHub or GitLab organization)
  • Other types: null
address - String

The network address or URL used to access this DataStore. The value varies by data_store_type:

  • FileShare / DockerRegistry / DatabaseRepo: The IP address or DNS FQDN of the hosting service
  • S3Bucket: The S3 URI (e.g., s3://bucket-name)
  • GitRepo: The Git clone URL
  • Microsoft365 / AzureStorage: The resource name or URL
data_resources_count - Long

The total number of data resources discovered in this DataStore. The meaning varies by data_store_type:

  • FileShare / S3Bucket: Total file count
  • DockerRegistry: Total image count
  • DatabaseRepo: Total record count
  • GitRepo: Sensitive findings count
  • Microsoft365 (Outlook): Total email count
data_resources_label - String

A human-readable label describing the unit of data_resources_count. Possible values:

  • Files (FileShare, OneDrive, SharePoint)
  • Objects (S3Bucket, AzureStorage)
  • Emails (Outlook)
  • Sensitive Findings (GitRepo)
  • Records (DatabaseRepo)
  • Images (DockerRegistry)
sensitive_resources_count - Int!
The number of sensitive resources found in this DataStore. For FileShares and S3Buckets, this is the count of sensitive files. For GitRepos, this is the count of sensitive findings. Not applicable for DatabaseRepo, DockerRegistry, or Microsoft365 types.
is_authenticated - Boolean
true if the DataStore was accessed using a non-anonymous credential during the pentest.
cloud_resource_arn - String
The Amazon Resource Name (ARN) of the cloud resource that hosts this DataStore, if applicable.
cloud_service_name - String
The name of the cloud service hosting this DataStore (e.g., Amazon S3, Azure Blob Storage). Applies to S3Buckets, AzureStorage, and cloud-hosted resources.
cloud_provider_name - String
The cloud provider name for this DataStore (e.g., Amazon, Google, Microsoft). Applies to S3Buckets, AzureStorage, and cloud-hosted resources.
permissions_list - [String]
Aggregated list of permissions across all credentials that accessed this DataStore. Common values include read, write, and list.
aws_anonymous_user_permissions_list - [String]
Permissions granted to the AWS anonymous user on this S3 bucket. Only populated for DataStores of type S3Bucket.
aws_cross_account_user_permissions_list - [String]
Permissions granted to AWS cross-account users on this S3 bucket. Only populated for DataStores of type S3Bucket.
op_id - String!
The ID of the Op in which this DataStore was discovered.
score - Float
The overall risk score for this DataStore, rounded to one decimal place. Equal to context_score when available, otherwise base_score.
severity - Severity
The Severity level corresponding to score (e.g., CRITICAL, HIGH, MEDIUM, LOW, INFO).
base_score - Float
The base risk score for this DataStore before contextual impact is factored in.
base_severity - Severity
The Severity level corresponding to base_score.
context_score - Float
The context-adjusted risk score that accounts for downstream impacts, such as weaknesses and sensitive data reachable through this DataStore.
context_severity - Severity
The Severity level corresponding to context_score.
sensitive_data_item_count - Int
Total count of sensitive data items found across all InterestingResources in this DataStore. Sensitive data items include PII and PCI data such as social security numbers, credit card numbers, and similar.
sensitive_data_item_types_and_counts - [String!]
List of distinct sensitive data types with their aggregate counts across all InterestingResources in this DataStore. Each element is formatted as SensitiveDataType,count, e.g. ["CREDIT_CARD,2", ...].
sensitive_data_item_titles_and_counts - [String!]
List of distinct sensitive data titles with their aggregate counts across all InterestingResources in this DataStore. Each element is formatted as title,count, e.g. ["Credit Card Number,2", ...].
downstream_impact_types - [ImpactType!]
List of ImpactType values representing the downstream business impacts reachable from this DataStore.
downstream_impact_types_and_counts - [String!]
List of downstream ImpactType values with their associated counts for this DataStore. Each element is formatted as ImpactType,count, e.g. ["RansomwareExposure,2", "SensitiveDataExposure,2"].
impact_paths_count - Int!
The number of impact paths (attack paths) this DataStore is included in. Alias of attack_paths_count.
attack_paths_count - Int!
The number of AttackPaths this DataStore is included in. Alias of impact_paths_count.
weaknesses_count - Int!
The number of Weaknesses affecting this DataStore.
portal_url - String
A direct URL to view this DataStore in the Horizon3.ai Portal. 
fragment DataStoreFragment on DataStore {
  uuid
  data_store_type
  created_at
  name
  name_and_account
  title
  ip
  port
  host_name
  service_type
  account
  address
  data_resources_count
  data_resources_label
  sensitive_resources_count
  is_authenticated
  permissions_list
  score
  severity
  base_score
  context_score
  sensitive_data_item_count
  downstream_impact_types
  attack_paths_count
  weaknesses_count
  op_id
  portal_url
}

Examples may not include all available fields for a type.

Pentesting: Data Stores

DataStoresPage

Description

A paginated list of DataStore records. Returned by Query.data_stores_page.

Fields
page_info - PageInfo
Pagination metadata including total count and cursor information.
data_stores - [DataStore!]!
The list of DataStore records for the current page. 
fragment DataStoresPageFragment on DataStoresPage {
  page_info {
    page_num
    page_size
  }
  data_stores {
    uuid
    data_store_type
    name
    title
    ip
    port
    service_type
    data_resources_count
    sensitive_resources_count
    score
    severity
    op_id
    portal_url
  }
}

Examples may not include all available fields for a type.

Pentesting: Data Stores

InterestingResource

Description

An InterestingResource represents a file or web page flagged by NodeZero as potentially containing sensitive information during a pentest. Examples include configuration files with embedded credentials (AWS keys, SSH keys), exposed admin panels, and files containing PII or PCI data.

InterestingResources are typically found within a DataStore and may have associated Proof records (screenshots or command output) that document the finding.

Fields
uuid - String!
Unique identifier for this InterestingResource.
created_at - Datetime!
When this InterestingResource was discovered during the pentest (UTC).
uri - String
The URI or full file path of this InterestingResource (e.g., a web URL or file system path).
op_id - String!
The ID of the Op in which this InterestingResource was discovered.
service_uuid - String
The UUID of the Service where this InterestingResource was found.
service - Service!
The Service where this InterestingResource was found.
data_store_uuid - String
The UUID of the DataStore where this InterestingResource was found.
data_store - DataStore
The DataStore where this InterestingResource was found.
proofs - [Proof]
Proof records (screenshots or command output) documenting this InterestingResource as captured during the pentest. 
fragment InterestingResourceFragment on InterestingResource {
  uuid
  created_at
  uri
  service_uuid
  data_store_uuid
  op_id
}

Examples may not include all available fields for a type.

Pentesting: Hosts

Access information about discovered hosts including IP addresses, hostnames, operating systems, open ports, and their role in attack paths. Query the complete inventory of systems identified during pentesting.

hosts_page

Description

Returns a paginated list of in-scope Hosts discovered during the specified pentest. Supports filtering, sorting, and text search via page_input.

Response

Returns a HostsPage!

Arguments
input - OpInput!
page_input - PageInput 
query HostsPage($input: OpInput!, $page_input: PageInput) {
  hosts_page(input: $input, page_input: $page_input) {
    hosts {
      ...HostPageFragment
    }
  }
}

fragment HostPageFragment on Host {
  uuid
  ip
  host_name
  is_in_scope
  is_domain_controller
  os_fingerprints
  score
  severity
  subnet
  is_public
  display_name
  weaknesses_count
  credentials_count
  services_count
  portal_url
}

Examples may not include all available fields for a type.

Pentesting: Hosts

hosts_count

Description

Returns the number of in-scope Hosts discovered during the specified pentest. Supports filtering via page_input (e.g., by severity, is_domain_controller, or text search).

Response

Returns an Int!

Arguments
input - OpInput!
page_input - PageInput 
query HostsCount($input: OpInput!, $page_input: PageInput) {
  hosts_count(input: $input, page_input: $page_input)
}

Examples may not include all available fields for a type.

Pentesting: Hosts

host

Description

Returns the Host with the given uuid. A Host represents a unique IP address (network endpoint) discovered during a pentest.

Response

Returns a Host

Arguments
uuid - String! 
query Host($uuid: String!) {
  host(uuid: $uuid) {
    ...HostFragment
  }
}

fragment HostFragment on Host {
  uuid
  created_at
  ip
  mac
  host_name
  host_names
  is_in_scope
  is_domain_controller
  os_fingerprints
  op_id
  score
  severity
  subnet
  cloud_provider
  is_public
  display_name
  weaknesses_count
  credentials_count
  services_count
  attack_paths_count
  portal_url
}

Examples may not include all available fields for a type.

Pentesting: Hosts

hosts_csv_url

Description

Returns a temporary presigned URL to a CSV export of all Hosts discovered during the specified pentest. The URL expires after a short time. The CSV format is documented under HostCSV.

Response

Returns a String

Arguments
input - OpInput! 
query HostsCsvUrl($input: OpInput!) {
  hosts_csv_url(input: $input)
}

Examples may not include all available fields for a type.

Pentesting: Hosts

Host

Description

A Host represents a unique IP address discovered by NodeZero during a pentest. Each Host corresponds to a network endpoint such as a server, workstation, domain controller, cloud instance, printer, or IoT device.

Hosts serve as a central point for understanding the security posture of an individual machine -- including the Services it exposes, the Credentials that can access it, the DataStores it contains, and the Weaknesses that affect it.

Use Query.hosts_page to list Hosts for a pentest, Query.host to fetch a single Host by UUID, or Query.hosts_csv_url to export Hosts as CSV.

Fields
uuid - String!
Unique identifier for this Host.
created_at - Datetime!
When this Host was first discovered during the pentest (UTC).
ip - String
The IP address of this Host. Each Host record is uniquely identified by its IP address within a pentest.
mac - String
The MAC address of this Host, if detected.
cname_chains - [String]
CNAME chains associated with any DNS hostnames for this Host. Each element represents a chain of CNAME records.
host_name - String
The primary hostname for this Host. Resolved from LDAP or DNS hostnames, with preference given to LDAP when it matches a DNS hostname prefix.
host_names - [String]

All hostnames associated with this Host's IP address, aggregated from multiple sources:

  • Internal and external DNS hostnames
  • LDAP hostname
  • Virtual host (VHost) names
is_in_scope - Boolean
true if this Host was included in the configured pentest scope.
is_domain_controller - Boolean
true if this Host is an Active Directory domain controller.
is_database_server - Boolean
true if this Host is a database server.
is_load_balancer - Boolean
true if this Host is a load balancer.
is_mail_server - Boolean
true if this Host is a mail server.
is_vpn - Boolean
true if this Host is a VPN gateway.
is_waf - Boolean
true if this Host is a Web Application Firewall (WAF).
os_fingerprints - [String]
Operating system names and fingerprints detected on this Host (e.g., Windows Server 2019, Ubuntu 22.04).
hardware_fingerprints - [String]
Hardware vendor and model fingerprints detected on this Host.
device_fingerprints - [String]
Device type fingerprints detected on this Host (e.g., printer, router, IoT device).
op_id - String!
The ID of the Op in which this Host was discovered.
data_stores_count - Int!
The number of DataStores (file shares, databases, buckets, etc.) found on this Host.
data_stores_page - DataStoresPage!
Paginated list of DataStores found on this Host.
Arguments
page_input - PageInput
credentials_count - Int!
The number of Credentials that accessed this Host during the pentest.
credentials_page - CredentialsPage!
Paginated list of Credentials that accessed this Host during the pentest.
Arguments
page_input - PageInput
data_resources_count - Long
The number of data resources (files and database records) found on this Host. Excludes web pages -- see web_resources_count for web page counts.
web_resources_count - Long
The number of web pages discovered on this Host.
services_count - Int!
The number of Services (open ports/protocols) found on this Host.
context_score_description - String
A human-readable explanation of the factors contributing to this Host's risk score.
score - Float
The overall risk score for this Host, rounded to one decimal place. Derived from the weaknesses, credentials, and data linked to this Host.
severity - Severity
The Severity level corresponding to score (e.g., CRITICAL, HIGH, MEDIUM, LOW, INFO).
subnet - String
The network subnet containing this Host's IP address (e.g., 192.168.1.0/24).
cloud_provider - String
The cloud provider hosting this Host (e.g., aws, gcp, azure), if applicable.
cloud_region - String
The cloud region where this Host resides (e.g., us-east-1, us-central1), if applicable.
cloud_arns - [String!]
The Amazon Resource Names (ARNs) of any cloud resources associated with this Host.
is_public - Boolean
true if this Host has a publicly routable IP address.
action_logs_count - Int!
The number of ActionLogs (commands and actions run by NodeZero) recorded on this Host during the pentest.
Arguments
page_input - PageInput
action_logs_page - ActionLogsPage!
Paginated list of ActionLogs (commands and actions run by NodeZero) on this Host during the pentest.
Arguments
page_input - PageInput
action_logs_csv_url - String
A temporary presigned URL to a CSV export of all actions/commands run by NodeZero on this Host. The URL expires after a short time.
downstream_impact_types - [ImpactType!]
List of ImpactType values representing the downstream business impacts reachable from this Host.
os_names - [String!]
High-level operating system names detected on this Host (e.g., Windows, Linux, macOS). Derived from os_fingerprints.
attack_paths_count - Int!
The number of AttackPaths this Host is included in. Equivalent to the count of downstream business impacts reachable from this Host.
attack_paths_page - AttackPathsPage!
Paginated list of AttackPaths this Host is included in. Each attack path traces a sequence of exploits leading to a downstream business impact.
Arguments
page_input - PageInput
display_name - String
A human-friendly display name for this Host, typically combining the IP address and hostname.
weaknesses_count - Int!
The number of Weaknesses found on this Host.
Arguments
page_input - PageInput
weaknesses_page - WeaknessesPage!
Paginated list of Weaknesses found on this Host.
Arguments
page_input - PageInput
op - Op!
The Op in which this Host was discovered.
portal_url - String
A direct URL to view this Host in the Horizon3.ai Portal. 
fragment HostFragment on Host {
  uuid
  created_at
  ip
  mac
  cname_chains
  host_name
  host_names
  is_in_scope
  is_domain_controller
  is_database_server
  is_mail_server
  is_vpn
  is_waf
  os_fingerprints
  hardware_fingerprints
  device_fingerprints
  op_id
  data_stores_count
  credentials_count
  data_resources_count
  web_resources_count
  services_count
  context_score_description
  score
  severity
  subnet
  cloud_provider
  cloud_region
  cloud_arns
  is_public
  downstream_impact_types
  os_names
  attack_paths_count
  display_name
  weaknesses_count
  portal_url
}

Examples may not include all available fields for a type.

Pentesting: Hosts

HostsPage

Description

A paginated list of Host records. Returned by Query.hosts_page.

Fields
page_info - PageInfo
Pagination metadata including total count and cursor information.
hosts - [Host!]!
The list of Host records for the current page. 
fragment HostsPageFragment on HostsPage {
  page_info {
    page_num
    page_size
  }
  hosts {
    uuid
    ip
    host_name
    is_in_scope
    is_domain_controller
    os_fingerprints
    score
    severity
    subnet
    is_public
    display_name
    op_id
    portal_url
  }
}

Examples may not include all available fields for a type.

Pentesting: EDR

View EDR (Endpoint Detection and Response) events triggered during pentesting. Track which security controls detected NodeZero's activities to measure detection coverage and response effectiveness.

edr_overview_hosts_csv_presigned_url

Description

Generates a CSV export of hosts with endpoint detection and response (EDR) data from a pentest and returns a temporary presigned URL for downloading the file. Each row includes the host's risk score, IP address, detected EDR vendors, count of unblocked security control events, MITRE ATT&CK tactics observed, downstream impacts, and host classification flags (e.g., domain controller, database server, public-facing).

Use page_input to filter the exported hosts by any supported host field. Each unique filter combination produces a separately cached CSV file. The presigned URL expires after a short time.

The CSV format is documented under EDROverviewHostCSV.

Response

Returns a String

Arguments
input - OpInput!
page_input - PageInput 
query EDROverviewHostsCSVPresignedUrl(
  $input: OpInput!
  $page_input: PageInput
) {
  edr_overview_hosts_csv_presigned_url(
    input: $input
    page_input: $page_input
  )
}

Examples may not include all available fields for a type.

Pentesting: External Domains

Query external domains discovered during pentesting including subdomains, DNS records, and associated IPs and services.

ExternalDomain

Description

Represents a DNS domain name discovered during an external attack surface assessment. Each ExternalDomain is associated with a pentest and captures the domain's DNS resolution data (IP addresses, CNAME records), cloud infrastructure details, certificate information, and relationships to hosts and web resources found during the operation. Domains are organized hierarchically: top-level domains are specified in the pentest configuration, and subdomains are discovered through DNS enumeration.

Fields
uuid - String!
Unique identifier for this ExternalDomain record.
created_at - Datetime!
Timestamp (UTC) when this domain was first discovered during the pentest.
name - String!
The fully qualified domain name (FQDN), such as app.example.com.
cnames - [String]
CNAME DNS records associated with this domain. Returns the full CNAME chain if available, otherwise the direct CNAME list.
ips - [String]
The IP addresses this domain resolves to via DNS.
op_id - String!
The ID of the pentest (Op) during which this domain was discovered. 
fragment ExternalDomainFragment on ExternalDomain {
  uuid
  created_at
  name
  cnames
  ips
  op_id
}

Examples may not include all available fields for a type.

Pentesting: LDAP Domains

Access Active Directory and LDAP domain information discovered during pentesting including domain controllers and configuration details.

LDAPDomain

Description

Represents an Active Directory LDAP domain discovered by NodeZero during a pentest. An LDAPDomain corresponds to a Windows Active Directory domain identified through LDAP enumeration. These domains are central to Active Directory attack paths -- they appear as affected entities on Weaknesses, are associated with Credentials and Users, and provide context for Active Directory password audit results.

LDAPDomains are not queryable directly. They are accessible as related objects on types such as Weakness (affected_ldap_domain) and User (ldap_domain).

Fields
uuid - String!
Unique identifier for this LDAPDomain.
created_at - Datetime!
When this LDAP domain was first discovered during the pentest (UTC).
name - String!
The fully qualified Active Directory domain name (e.g., corp.example.com).
op_id - String!
The ID of the pentest in which this LDAP domain was discovered. 
fragment LDAPDomainFragment on LDAPDomain {
  uuid
  created_at
  name
  op_id
}

Examples may not include all available fields for a type.

Pentesting: Cloud Resources

Query cloud resources discovered during pentesting including AWS, Azure, and GCP assets. View cloud infrastructure, permissions, misconfigurations, and their role in attack paths.

CloudResource

Description

Represents a cloud resource instance discovered by NodeZero during a pentest. A CloudResource is a specific infrastructure component within a cloud account, such as an AWS EC2 instance, an AWS RDS database, an AWS Lambda function, an Azure Virtual Machine, or a Google Cloud Compute Engine instance.

Each CloudResource belongs to a CloudAccount (the owning account) and is associated with a cloud service type (e.g., aws_ec2, aws_rds). CloudResources link to the underlying network Endpoint when an IP address is available, and may have associated data resources such as database records and files tracked via data_resources_count.

CloudResources are not queryable directly. They are accessible as related objects on Host (cloud_resources) and Weakness (affected_cloud_resource).

Fields
uuid - String!
Unique identifier for this CloudResource.
cloud_service_name - String
The cloud service type identifier for this CloudResource (e.g., aws_ec2, aws_lambda, aws_rds). See cloud_service_h3_service_name for the human-readable equivalent.
ip - String
The IP address of this CloudResource, resolved from the associated network endpoint.
arn - String
The provider-assigned unique identifier for this CloudResource. For AWS resources this is the ARN (Amazon Resource Name); for Azure resources this is the Azure Resource ID.
data_resources_count - Long
The number of data resources discovered on this CloudResource. Includes database records and files. Excludes web pages.
op_id - String!
The ID of the pentest in which this CloudResource was discovered.
created_at - Datetime
When this CloudResource was first discovered during the pentest (UTC).
cloud_account_id - String
The cloud provider's account identifier for the account that owns this CloudResource (e.g., an AWS Account ID). Resolved from the associated CloudAccount record.
cloud_provider_name - String
The cloud provider for this CloudResource. Possible values include AWS, AZURE, and GCP. Resolved from the associated CloudAccount record. 
fragment CloudResourceFragment on CloudResource {
  uuid
  cloud_service_name
  ip
  arn
  data_resources_count
  created_at
  cloud_account_id
  cloud_provider_name
  op_id
}

Examples may not include all available fields for a type.

Pentesting: Applications

Access information about applications discovered during pentesting including web applications, services, and software versions. View application vulnerabilities and exposure.

Application

Description

An Application represents a software application discovered by NodeZero running on a Service. Examples include web servers, Active Directory Certificate Services, database management interfaces, and other network-accessible applications.

Each Application is associated with a single Service and inherits the Service's IP address and port. The name field identifies the application type based on fingerprint data collected during the pentest.

Fields
uuid - String!
Unique identifier for this Application.
created_at - Datetime!
When this Application was first discovered during the pentest (UTC).
service_uuid - String!
The unique identifier of the Service this Application is running on.
service - Service!
The Service this Application is running on. Loaded from service_uuid.
ip - String
The IP address of the Service this Application is running on.
port - Int!
The port number of the Service this Application is running on.
name - String!
The name of this Application, derived from fingerprint data collected during the pentest.
op_id - String!
The identifier of the pentest (Op) in which this Application was discovered. 
fragment ApplicationFragment on Application {
  uuid
  created_at
  service_uuid
  ip
  port
  name
  op_id
}

Examples may not include all available fields for a type.

Pentesting: Services

Query network services discovered during pentesting including service types, ports, protocols, banners, and versions. Understand the service landscape of your tested environment.

Service

Description

A Service represents a listening network port discovered on a Host during a pentest. Each Service record corresponds to a unique combination of IP address and port.

Services expose the entry points that NodeZero probes during a pentest. Use the fingerprints field to identify what software is running on the port, and navigate to related Applications, DataStores, Credentials, and Weaknesses to understand the full security posture of each listening port.

Fields
uuid - String!
Unique identifier for this Service.
created_at - Datetime!
When this Service was first discovered during the pentest (UTC).
ip - String!
IP address of the Service. Falls back to the fully qualified domain name if the IP is unavailable.
port - Int!
The port number on which this Service is listening.
protocol - String
Transport protocol of this Service (e.g., tcp, udp).
fingerprints - [String]
Application fingerprints identifying the software running on this Service, derived from banner and probe analysis during the pentest.
iana_service_name - String
The IANA (Internet Assigned Numbers Authority) standard name for the protocol or application running on this port (e.g., http, ssh, ms-sql-s).
host - Host
The Host where this Service is running. Loaded from the underlying endpoint identifier.
data_resources_count - Long
The number of data resources (files and database records) found on this Service. Excludes web pages -- see web_resources_count for web page counts.
web_resources_count - Long
The number of web pages discovered on this Service.
op_id - String!
The identifier of the pentest (Op) in which this Service was discovered.
context_score_description - String
A human-readable explanation of how the context score was determined for this Service.
score - Float
The overall risk score for this Service, combining base and context factors. Rounded to one decimal place.
severity - Severity
The Severity level derived from the score (e.g., CRITICAL, HIGH, MEDIUM, LOW, INFO). 
fragment ServiceFragment on Service {
  uuid
  created_at
  ip
  port
  protocol
  fingerprints
  iana_service_name
  data_resources_count
  web_resources_count
  score
  severity
  context_score_description
  op_id
}

Examples may not include all available fields for a type.

Pentesting: Action Logs

Access detailed logs of every action NodeZero performed during pentesting including MITRE ATT&CK mappings, module execution details, timestamps, and outcomes. Action logs provide complete forensic traceability of all pentest activities.

action_logs_page

Description

Returns a paginated list of ActionLog records for a given pentest.

The action log is the complete record of all commands executed by NodeZero across all hosts during the pentest. Results are sorted by start_time in ascending order by default. Supports filtering by module_id, endpoint_ip, exit_code, start_time, and end_time via the page_input argument.

Response

Returns an ActionLogsPage!

Arguments
input - OpInput!
Pentest to get action logs for.
page_input - PageInput
Pagination of action logs. 
query ActionLogsPage($input: OpInput!, $page_input: PageInput) {
  action_logs_page(input: $input, page_input: $page_input) {
    action_logs {
      ...ActionLogPageFragment
    }
  }
}

fragment ActionLogPageFragment on ActionLog {
  uuid
  start_time
  end_time
  endpoint_ip
  cmd
  module_id
  module_name
  exit_code
  target_h3_names
  op_id
}

Examples may not include all available fields for a type.

Pentesting: Action Logs

action_logs_count

Description

Returns the total number of ActionLog records for a given pentest.

The action log is the complete record of all commands executed by NodeZero across all hosts during the pentest. Use the page_input argument to apply filters (e.g., by module_id, endpoint_ip, or time range) before counting.

Response

Returns an Int!

Arguments
input - OpInput!
Pentest to get action logs for.
page_input - PageInput
Pagination of action logs. 
query ActionLogsCount($input: OpInput!, $page_input: PageInput) {
  action_logs_count(input: $input, page_input: $page_input)
}

Examples may not include all available fields for a type.

Pentesting: Action Logs

action_logs_csv_presigned_url

Description

Returns a temporary, presigned URL for downloading the action log as a CSV file.

The action log is the complete record of all commands executed by NodeZero across all hosts during the pentest. The CSV is generated on demand and stored in S3. The presigned URL expires after a short time.

Response

Returns a String

Arguments
input - OpInput! 
query ActionLogsCsvPresignedUrl($input: OpInput!) {
  action_logs_csv_presigned_url(input: $input)
}

Examples may not include all available fields for a type.

Pentesting: Action Logs

ActionLog

Description

Represents a single action or command executed by NodeZero during a pentest. Each ActionLog entry records a specific command that was run against a target host, including timing information, the attack module that generated the command, and the associated MITRE ATT&CK mappings.

Use action_logs_page to retrieve a paginated list of action logs for a given pentest.

Fields
uuid - String!
Unique identifier for this action log entry.
start_time - Datetime!
Timestamp when the action started, in ISO 8601 format (UTC).
endpoint_uuid - String
Unique identifier of the host targeted by this action.
endpoint_ip - String
IP address of the host targeted by this action.
end_time - Datetime!
Timestamp when the action completed, in ISO 8601 format (UTC).
cmd - String!
The full command string executed by NodeZero on the target host.
module_id - String
Identifier of the attack module that executed this action. Resolves to the module name if available, otherwise falls back to the module ID.
module_name - String
Display name of the attack module that executed this action.
module_description - String
Human-readable description of the attack module that executed this action.
module_meta - ModuleMeta
Detailed metadata for the attack module that executed this action. See ModuleMeta for available fields.
mitre_mappings - [MitreMapping]
The MITRE ATT&CK tactic, technique, and subtechnique mappings associated with this action. See MitreMapping.
target_h3_names - [String]
List of asset and weakness names associated with this action. Includes the IP address, service, application, URL, or data store that was targeted by the command.
exit_code - String!
Exit code returned by the command. A value of 0 typically indicates success; non-zero values indicate an error or alternative outcome.
op_id - String!
Unique identifier of the pentest in which this action was executed. 
fragment ActionLogFragment on ActionLog {
  uuid
  start_time
  end_time
  endpoint_uuid
  endpoint_ip
  cmd
  module_id
  module_name
  module_description
  module_meta {
    id
    name
    description
  }
  mitre_mappings {
    mitre_tactic_id
    mitre_technique_id
    mitre_subtechnique_id
  }
  target_h3_names
  exit_code
  op_id
}

Examples may not include all available fields for a type.

Pentesting: Action Logs

ActionLogsPage

Description

A paginated list of ActionLog records. Returned by action_logs_page.

Fields
page_info - PageInfo
Pagination metadata including total count and cursor information.
action_logs - [ActionLog!]!
The list of ActionLog records for the current page. 
fragment ActionLogsPageFragment on ActionLogsPage {
  page_info {
    page_num
    page_size
  }
  action_logs {
    uuid
    start_time
    end_time
    endpoint_ip
    cmd
    module_id
    module_name
    exit_code
    target_h3_names
    op_id
  }
}

Examples may not include all available fields for a type.

Pentesting: Action Logs

MitreMapping

Description

Represents a specific combination of a MITRE ATT&CK Tactic, Technique, and optionally a Subtechnique. Each MitreMapping links a NodeZero attack module to the adversary behaviors it emulates, as defined by the MITRE ATT&CK framework. MitreMappings are associated with attack modules via ModuleMeta.

Fields
mitre_tactic_id - String!
The MITRE ATT&CK Tactic identifier (e.g., TA0043).
mitre_tactic - MitreTactic
The full MitreTactic object, including name, description, and documentation URL.
mitre_technique_id - String!
The MITRE ATT&CK Technique identifier (e.g., T1595).
mitre_technique - MitreTechnique
The full MitreTechnique object, including name, description, and documentation URL.
mitre_subtechnique_id - String
The MITRE ATT&CK Subtechnique identifier (e.g., T1595.001), if applicable. Null when the mapping is at the technique level only.
mitre_subtechnique - MitreSubtechnique
The full MitreSubtechnique object, if applicable. Null when the mapping is at the technique level only. 
fragment MitreMappingFragment on MitreMapping {
  mitre_tactic_id
  mitre_tactic {
    id
    name
    url
  }
  mitre_technique_id
  mitre_technique {
    id
    name
    url
  }
  mitre_subtechnique_id
  mitre_subtechnique {
    id
    name
    url
  }
}

Examples may not include all available fields for a type.

Pentesting: Action Logs

MitreSubtechnique

Description

Represents a MITRE ATT&CK Subtechnique. Subtechniques provide a more granular description of adversary behavior within a parent MitreTechnique. For example, "Scanning IP Blocks" is a subtechnique of "Active Scanning."

Fields
id - String!
The MITRE ATT&CK Subtechnique identifier.
mitre_technique_id - String
The MITRE ATT&CK Technique identifier of the parent technique for this subtechnique.
name - String
The display name of the MITRE ATT&CK Subtechnique.
description - String
Description of the MITRE ATT&CK Subtechnique explaining the specific adversary behavior.
url - String
URL to the official MITRE ATT&CK documentation page for this Subtechnique. 
fragment MitreSubtechniqueFragment on MitreSubtechnique {
  id
  mitre_technique_id
  name
  description
  url
}

Examples may not include all available fields for a type.

Pentesting: Action Logs

MitreTactic

Description

Represents a MITRE ATT&CK Tactic. Tactics represent the adversary's tactical objective -- the reason for performing an action (e.g., Reconnaissance, Initial Access, Lateral Movement). Tactics are the columns in the MITRE ATT&CK Matrix.

Fields
id - String!
The MITRE ATT&CK Tactic identifier.
name - String
The display name of the MITRE ATT&CK Tactic.
description - String
Description of the MITRE ATT&CK Tactic explaining the adversary's objective.
url - String
URL to the official MITRE ATT&CK documentation page for this Tactic. 
fragment MitreTacticFragment on MitreTactic {
  id
  name
  description
  url
}

Examples may not include all available fields for a type.

Pentesting: Action Logs

MitreTechnique

Description

Represents a MITRE ATT&CK Technique. Techniques describe the specific method an adversary uses to achieve a tactical objective (e.g., Active Scanning, Brute Force). A technique belongs to one or more MitreTactics and may have more granular MitreSubtechniques.

Fields
id - String!
The MITRE ATT&CK Technique identifier.
name - String
The display name of the MITRE ATT&CK Technique.
description - String
Description of the MITRE ATT&CK Technique explaining the adversary method.
url - String
URL to the official MITRE ATT&CK documentation page for this Technique. 
fragment MitreTechniqueFragment on MitreTechnique {
  id
  name
  description
  url
}

Examples may not include all available fields for a type.

Pentesting: Action Logs

ModuleInstance

Description

Represents a specific execution of a NodeZero attack module during a pentest. Each ModuleInstance captures the lifecycle of one module run, including when it started and completed, whether it succeeded, and the commands it executed.

Use ModuleInstance.action_logs to retrieve the individual commands executed by this module instance.

Fields
uuid - String!
Unique identifier for this module instance.
created_at - Datetime!
Timestamp when the module instance was created. Note: this reflects when the module was queued, not when it began execution. See started_at for the actual execution start time.
module_id - String!
Identifier of the attack module. Corresponds to ModuleMeta.id.
options - String
Command-line options passed to this module instance at execution time.
started_at - Datetime!
Timestamp when the module began executing.
ended_at - Datetime!
Timestamp when the module finished executing.
success_flag - Boolean
Indicates whether the module completed execution successfully. true if the module ran to completion without errors.
error_msg - String
Error message describing why the module failed, if applicable. Null when the module succeeded.
op_id - String!
Unique identifier of the pentest in which this module instance executed.
name - String
Display name of the attack module. Equivalent to ModuleMeta.name.
description - String
Human-readable description of the attack module. Equivalent to ModuleMeta.description.
action_logs_count - Int
Total number of ActionLog entries (commands) executed by this module instance.
action_logs - [ActionLog]
List of ActionLog entries representing each command executed by this module instance.
module_meta - ModuleMeta
Detailed metadata for the attack module, including MITRE ATT&CK mappings. See ModuleMeta. 
fragment ModuleInstanceFragment on ModuleInstance {
  uuid
  module_id
  name
  description
  created_at
  started_at
  ended_at
  success_flag
  error_msg
  options
  op_id
  action_logs_count
  module_meta {
    id
    name
    description
  }
}

Examples may not include all available fields for a type.

Pentesting: Action Logs

ModuleMeta

Description

Static metadata describing a NodeZero attack module. Each attack module performs a specific offensive technique (such as host discovery, credential brute-forcing, or privilege escalation) and is mapped to one or more MITRE ATT&CK tactics, techniques, and subtechniques.

ModuleMeta is referenced by ActionLog and ModuleInstance to provide context about which module generated a given action or execution.

Fields
id - String!
Unique identifier for the attack module.
name - String
Display name of the attack module.
description - String
Human-readable description of what the attack module does.
mitre_mappings - [MitreMapping]
List of MITRE ATT&CK tactic, technique, and subtechnique mappings associated with this attack module. See MitreMapping. 
fragment ModuleMetaFragment on ModuleMeta {
  id
  name
  description
  mitre_mappings {
    mitre_tactic_id
    mitre_technique_id
    mitre_subtechnique_id
  }
}

Examples may not include all available fields for a type.

Pentesting: Op Compare

Compare weaknesses between two pentests to identify new, resolved, and persistent vulnerabilities. Track security posture changes over time and measure remediation effectiveness.

weaknesses_diff_page

Description

Returns a paginated list of Weakness records that differ between two pentests.

Only weaknesses that are present in one pentest but not the other are included. Each Weakness record in the result includes a diff_status field set to either ADDED or REMOVED.

A weakness with diff_status: REMOVED was present in the first pentest (OpDiffInput.op_id_1) but not the second. A weakness with diff_status: ADDED was present in the second pentest (OpDiffInput.op_id_2) but not the first.

If the diff data has not yet been computed for the given pair of pentests, it will be generated on demand before returning results.

Response

Returns a WeaknessesDiffPage!

Arguments
op_diff_input - OpDiffInput!
page_input - PageInput 
query WeaknessesDiffPage(
  $op_diff_input: OpDiffInput!,
  $page_input: PageInput
) {
  weaknesses_diff_page(
    op_diff_input: $op_diff_input,
    page_input: $page_input
  ) {
    weaknesses {
      ...WeaknessDiffFragment
    }
  }
}

fragment WeaknessDiffFragment on Weakness {
  uuid
  vuln_id
  vuln_name
  vuln_short_name
  op_id
  ip
  severity
  score
  diff_status
  affected_asset_display_name
  has_proof
  portal_url
}

Examples may not include all available fields for a type.

Pentesting: Op Compare

weaknesses_diff_stats

Description

Returns aggregate statistics summarizing the differences in weaknesses between two pentests, including the count of added, removed, and unchanged weaknesses. See weaknesses_diff_page for the full paginated diff.

If the diff data has not yet been computed for the given pair of pentests, it will be generated on demand before returning results.

Response

Returns a DiffStats!

Arguments
op_diff_input - OpDiffInput!
page_input - PageInput 
query WeaknessesDiffStats(
  $op_diff_input: OpDiffInput!,
  $page_input: PageInput
) {
  weaknesses_diff_stats(
    op_diff_input: $op_diff_input,
    page_input: $page_input
  ) {
    added_count
    removed_count
    unchanged_count
  }
}

Examples may not include all available fields for a type.

Pentesting: Op Compare

weaknesses_diff_csv_url

Description

Returns a temporary, presigned URL for downloading a CSV file containing the diff of weaknesses between two pentests. The CSV is generated on demand and the presigned URL expires after a short time. See weaknesses_diff_page for more details on how the diff is computed.

Response

Returns a String

Arguments
op_diff_input - OpDiffInput! 
query WeaknessesDiffCsvUrl($op_diff_input: OpDiffInput!) {
  weaknesses_diff_csv_url(op_diff_input: $op_diff_input)
}

Examples may not include all available fields for a type.

Pentesting: Op Compare

DiffStats

Description

Aggregate statistics summarizing the differences between two pentests. Returned by weaknesses_diff_stats.

Fields
added_count - Int
The number of weaknesses that were newly discovered in the second pentest (present in op_id_2 but not in op_id_1).
removed_count - Int
The number of weaknesses that were resolved or no longer detected in the second pentest (present in op_id_1 but not in op_id_2).
unchanged_count - Int
The number of weaknesses that are identical between the two pentests being compared. 
fragment DiffStatsFragment on DiffStats {
  added_count
  removed_count
  unchanged_count
}

Examples may not include all available fields for a type.

Pentesting: Op Compare

DiffStatus

Description

Indicates whether a record was added or removed when comparing two pentests. Used in the weaknesses_diff_page results where each Weakness record includes a diff_status field set to one of these values.

Values
ADDED
The weakness was NOT present in the first pentest (op_id_1) but IS present in the second pentest (op_id_2), indicating it is a newly discovered weakness.
REMOVED
The weakness was present in the first pentest (op_id_1) but is NOT present in the second pentest (op_id_2), indicating it has been resolved or is no longer detected.
Example
"ADDED"
Pentesting: Op Compare

OpDiffInput

Description

Input type specifying the two pentests to compare. Used by weaknesses_diff_page, weaknesses_diff_stats, weaknesses_diff_csv_url, and other diff-related APIs.

Fields
op_id_1 - String!
Unique identifier of the first (typically older) pentest in the comparison. Weaknesses present in this pentest but not in the second will have a DiffStatus of REMOVED.
op_id_2 - String!
Unique identifier of the second (typically newer) pentest in the comparison. Weaknesses present in this pentest but not in the first will have a DiffStatus of ADDED. 
# Example 1: Compare weaknesses between two pentests
query WeaknessesDiff($op_diff_input: OpDiffInput! = {
    op_id_1: "1234abcd-1234-abcd-1234-abcd1234abcd",
    op_id_2: "5678abcd-5678-abcd-5678-abcd5678abcd"
}, $page_input: PageInput) {
  weaknesses_diff_page(
    op_diff_input: $op_diff_input,
    page_input: $page_input
  ) {
    weaknesses {
      uuid
      vuln_id
      vuln_name
      diff_status
      severity
      score
    }
  }
}

# Example 2: Get diff stats between two pentests
query WeaknessesDiffStats($op_diff_input: OpDiffInput! = {
    op_id_1: "1234abcd-1234-abcd-1234-abcd1234abcd",
    op_id_2: "5678abcd-5678-abcd-5678-abcd5678abcd"
}) {
  weaknesses_diff_stats(op_diff_input: $op_diff_input) {
    added_count
    removed_count
    unchanged_count
  }
}

Examples may not include all available fields for a type.

Pentesting: Op Compare

WeaknessesDiffPage

Description

A paginated list of Weakness records representing differences between two pentests. Returned by weaknesses_diff_page. Only weaknesses that differ between the two pentests are included; weaknesses common to both are excluded.

Fields
page_info - PageInfo
Pagination metadata including total count and cursor information.
weaknesses - [Weakness!]!
The list of Weakness records for the current page. Each record includes a diff_status field set to ADDED or REMOVED indicating whether the weakness appeared in only the second or first pentest, respectively. 
fragment WeaknessesDiffPageFragment on WeaknessesDiffPage {
  page_info {
    page_num
    page_size
  }
  weaknesses {
    uuid
    vuln_id
    vuln_name
    vuln_short_name
    op_id
    ip
    severity
    score
    diff_status
    affected_asset_display_name
    has_proof
    portal_url
  }
}

Examples may not include all available fields for a type.

Vuln Management Hub

Track vulnerability trends and manage remediation over time. Access weakness series for historical vulnerability data, query assets across your environment, organize findings through custom perspectives, and run focused validation campaigns. The Vuln Management Hub provides a comprehensive view of your security posture evolution.

Vuln Management Hub: Weakness Series

Track vulnerability trends over time with weakness series that aggregate findings across multiple pentests. View historical data, apply annotations and tags for tracking, manage tickets, and analyze remediation progress for persistent vulnerabilities.

weakness_series_page

Description

Returns a paginated list of WeaknessSeries records for the current client account.

A weakness series tracks a single weakness on a single asset across multiple pentests over time, enabling vulnerability management workflows such as tracking remediation progress and identifying regressions.

Use page_input to filter by severity, status, vulnerability type, and other fields. Use as_of_date to view the state of weakness series as of a specific date.

Response

Returns a WeaknessSeriesPage!

Arguments
page_input - PageInput!
as_of_date - Date
Optional date in YYYY-MM-DD format specifying the point-in-time view for the weakness series data. Defaults to today. 
query WeaknessSeriesPage($page_input: PageInput!, $as_of_date: Date) {
  weakness_series_page(
    page_input: $page_input
    as_of_date: $as_of_date
  ) {
    weakness_series {
      ...WeaknessSeriesFragment
    }
  }
}

fragment WeaknessSeriesFragment on WeaknessSeries {
  name
  vuln_id
  vuln_name
  vuln_short_name
  vuln_category
  severity
  status
  score
  annotation_status
  is_one_click_verify
  affected_asset_name
  ip
  first_seen_date
  last_seen_date
  weakness_series_found_count
  attack_paths_count
  total_impacts_count
  business_risks
  last_found_op_types
}

Examples may not include all available fields for a type.

Vuln Management Hub: Weakness Series

weakness_series_count

Description

Returns the total number of WeaknessSeries records matching the given filters for the current client account.

Use page_input to apply filters before counting.

Response

Returns an Int!

Arguments
page_input - PageInput!
as_of_date - Date
Optional date in YYYY-MM-DD format specifying the point-in-time view for the weakness series data. Defaults to today. 
query WeaknessSeriesCount($page_input: PageInput!, $as_of_date: Date) {
  weakness_series_count(
    page_input: $page_input
    as_of_date: $as_of_date
  )
}

Examples may not include all available fields for a type.

Vuln Management Hub: Weakness Series

weakness_series_annotations_page

Description

Returns a paginated list of WeaknessSeriesAnnotations for the current client account. Annotations capture user-applied status updates, notes, and tags on weakness series records.

Response

Returns a WeaknessSeriesAnnotationsPage!

Arguments
page_input - PageInput! 
query WeaknessSeriesAnnotationsPage($page_input: PageInput!) {
  weakness_series_annotations_page(page_input: $page_input) {
    annotations {
      ...WeaknessSeriesAnnotationFragment
    }
  }
}

fragment WeaknessSeriesAnnotationFragment on WeaknessSeriesAnnotation {
  uuid
  row_created_at
  row_updated_at
  weakness_series_uuid
  annotation_uuid
  annotation_status
  annotation_text
  affected_asset_short_name
}

Examples may not include all available fields for a type.

Vuln Management Hub: Weakness Series

weakness_series_annotations_count

Description

Returns the total number of WeaknessSeriesAnnotations for the current client account.

Response

Returns an Int!

Arguments
page_input - PageInput! 
query WeaknessSeriesAnnotationsCount($page_input: PageInput!) {
  weakness_series_annotations_count(page_input: $page_input)
}

Examples may not include all available fields for a type.

Vuln Management Hub: Weakness Series

apply_annotations_to_weakness_series

Description

Applies one or more Annotations to WeaknessSeries records. Each AnnotationInput specifies the target weakness series UUID, status, text, and optional tags.

If an annotation_uuid is provided in the input, the existing annotation is updated; otherwise, a new annotation is created. Each weakness series can have at most one annotation. Returns the count and list of annotations that were applied.

Response

Returns an ApplyAnnotationOutput!

Arguments
inputs - [AnnotationInput!]! 
mutation ApplyAnnotationsToWeaknessSeries(
  $inputs: [AnnotationInput!]!
) {
  apply_annotations_to_weakness_series(inputs: $inputs) {
    annotations_count
    annotations {
      uuid
      target_entity_uuid
      target_entity_type
      text
      status
      risk_accepted
      is_suppressed
    }
  }
}

Examples may not include all available fields for a type.

Vuln Management Hub: Weakness Series

remove_annotations_from_weakness_series

Description

Removes all annotations from the specified WeaknessSeries records. Returns true if at least one annotation was successfully removed, false if no annotations were found for the given UUIDs.

Response

Returns a Boolean!

Arguments
weakness_series_uuids - [String!]! 
mutation RemoveAnnotationsFromWeaknessSeries(
  $weakness_series_uuids: [String!]!
) {
  remove_annotations_from_weakness_series(
    weakness_series_uuids: $weakness_series_uuids
  )
}

Examples may not include all available fields for a type.

Vuln Management Hub: Weakness Series

tickets_csv_presigned_url

Description

Returns a temporary, presigned URL for downloading a CSV file containing all tickets for the current client account across all pentests. The presigned URL expires after a short time.

The CSV format is documented under TicketCSV.

Response

Returns a String

Arguments
page_input - PageInput 
query TicketsCsvPresignedUrl($page_input: PageInput) {
  tickets_csv_presigned_url(page_input: $page_input)
}

Examples may not include all available fields for a type.

Vuln Management Hub: Weakness Series

weakness_series_facets

Description

Returns the available filter facets for WeaknessSeries queries. Each facet provides a list of distinct values and their counts in the current dataset, enabling construction of filtered list UIs.

Response

Returns a WeaknessSeriesFacets!

Arguments
page_input - PageInput
as_of_date - Date
Optional date in YYYY-MM-DD format specifying the point-in-time view for the facet data. Defaults to today. 
query WeaknessSeriesFacets($page_input: PageInput, $as_of_date: Date) {
  weakness_series_facets(
    page_input: $page_input
    as_of_date: $as_of_date
  ) {
    vuln_short_name {
      label
      value
      value_count
    }
    op_template_name {
      label
      value
      value_count
    }
    business_risks {
      label
      value
      value_count
    }
    vuln_threat_actor_names {
      label
      value
      value_count
    }
    downstream_impact_types {
      label
      value
      value_count
    }
  }
}

Examples may not include all available fields for a type.

Vuln Management Hub: Weakness Series

weakness_series_csv_presigned_url

Description

Returns a temporary, presigned URL for downloading the WeaknessSeries data as a CSV file. The CSV is generated on demand and the presigned URL expires after a short time. Use page_input to apply filters to the exported data.

Response

Returns a String

Arguments
page_input - PageInput!
as_of_date - Date
Optional date in YYYY-MM-DD format specifying the point-in-time view for the exported data. Defaults to today. 
query WeaknessSeriesCsvPresignedUrl(
  $page_input: PageInput!
  $as_of_date: Date
) {
  weakness_series_csv_presigned_url(
    page_input: $page_input
    as_of_date: $as_of_date
  )
}

Examples may not include all available fields for a type.

Vuln Management Hub: Weakness Series

weakness_series_downstream_impacts_count

Description

Returns the total number of downstream impacts for a given set of WeaknessSeries UUIDs. Downstream impacts represent the systems and data that could be compromised if this weakness is exploited.

Response

Returns an Int!

Arguments
page_input - PageInput!
weakness_series_uuids - [String!] 
query WeaknessSeriesDownstreamImpactsCount(
  $page_input: PageInput!
  $weakness_series_uuids: [String!]
) {
  weakness_series_downstream_impacts_count(
    page_input: $page_input
    weakness_series_uuids: $weakness_series_uuids
  )
}

Examples may not include all available fields for a type.

Vuln Management Hub: Weakness Series

WeaknessSeries

Description

A WeaknessSeries tracks a single weakness on a single asset across multiple pentests over time.

It aggregates weakness findings across an entire series of pentests (an OpSeries), enabling vulnerability management workflows such as monitoring remediation progress, identifying regressions, and applying Annotations to track status.

Use weakness_series_page to retrieve a paginated list of weakness series records.

Fields
name - String!
Display name for this weakness series, typically derived from the vulnerability name and affected asset.
last_weakness_uuid - String!
Unique identifier of the most recent weakness instance in this series. Can be used to retrieve the latest weakness details.
first_found_at - Date!
Timestamp (date and time) when the weakness was first discovered in this series. Deprecated in favor of first_seen_at. Use first_seen_at.
first_seen_at - Datetime!
Timestamp (date and time, in ISO 8601 format) when the weakness was first discovered in this series.
first_seen_date - Date!
Date (without time, in YYYY-MM-DD format) when the weakness was first discovered in this series.
first_found_op_id - String!
Unique identifier of the pentest in which this weakness was first discovered.
first_found_op_type - String!
The type of pentest (e.g., Internal, External) in which this weakness was first discovered.
last_found_at - Date!
Timestamp (date and time) when the weakness was most recently detected. Deprecated in favor of last_seen_at. Use last_seen_at.
last_seen_at - Datetime!
Timestamp (date and time, in ISO 8601 format) when the weakness was most recently detected in a pentest.
last_seen_date - Date!
Date (without time, in YYYY-MM-DD format) when the weakness was most recently detected.
vuln_id - String
The vulnerability identifier associated with this weakness series (e.g., CVE ID or internal vulnerability ID).
vuln_name - String
The full name of the vulnerability associated with this weakness series.
vuln_short_name - String
The abbreviated name of the vulnerability associated with this weakness series.
vuln_category - String
The category of the vulnerability (e.g., credential, configuration, software) associated with this weakness series.
weakness_series_found_count - Int!
The number of pentests in which this weakness was detected.
status - WeaknessSeriesOpStatus
Current status of this weakness series. See WeaknessSeriesOpStatus for possible values (OPEN, MITIGATED, REGRESSED, NO_LONGER_FOUND).
severity - Severity
The severity level of this weakness series as determined by the most recent pentest (e.g., CRITICAL, HIGH, MEDIUM, LOW, INFO).
is_one_click_verify - Boolean
Indicates whether this weakness series is eligible for one-click verification, which allows running a targeted re-pentest to confirm remediation.
affected_asset_name - String
Full name of the asset directly affected by this weakness series (e.g., IP address with port and service name).
ip - String
IP address of the asset directly affected by this weakness series, if available.
port - Int
Port number of the affected service, if available.
protocol - String
Network protocol of the affected service (e.g., tcp, udp), if available.
last_found_op_id - String!
Unique identifier of the pentest in which this weakness was most recently detected.
last_pentested_op_id - String!
Unique identifier of the most recent pentest that included the affected asset in its scope, regardless of whether the weakness was found.
annotation - Annotation
The user-applied Annotation for this weakness series, if one has been set. Annotations track remediation status, risk acceptance, and notes.
annotation_status - AnnotationStatus
The AnnotationStatus of this weakness series (e.g., FIXED, TO_DO, RISK_ACCEPTED), if an annotation has been applied.
min_time_to_finding_s - Int
The minimum time (in seconds) it took NodeZero to discover this weakness during any pentest in the series.
min_time_to_finding_hms - String
The minimum time to discovery formatted as HH:MM:SS.
attack_paths_count - Int!
The number of distinct attack paths that lead to this weakness.
credentials_count - Int!
The number of compromised credentials associated with this weakness.
impacts_count - Int!
The number of downstream impacts for this weakness series. No longer supported
critical_impacts_count - Int!
The number of critical downstream impacts reachable from this weakness (e.g., ransomware exposure, sensitive data exposure).
critical_impacts_percentage - Float!
The percentage of downstream impacts that are classified as critical.
total_impacts_count - Int!
The total number of downstream impacts reachable from this weakness, including both critical and non-critical impacts.
severity_ranking - Int!
Numeric ranking used for sorting by severity. Lower values indicate higher severity.
status_ranking - Int!
Numeric ranking used for sorting by WeaknessSeriesOpStatus. Lower values indicate higher priority statuses.
annotation_status_ranking - Int
Numeric ranking used for sorting by AnnotationStatus. Null if no annotation has been applied.
score - Float
Composite risk score for this weakness series, incorporating severity and downstream impact. Rounded to one decimal place.
vuln_threat_actor_names - [String!]!
List of known threat actor names associated with the vulnerability, derived from threat intelligence data.
business_risks - [String!]!
List of business risk categories associated with this weakness (e.g., Data Breach, Ransomware).
downstream_impact_types_and_counts - [String!]
List of downstream impact types and their counts reachable from this weakness. Each array element is formatted as ImpactType,count (e.g., ["RansomwareExposure,2", "SensitiveDataExposure,2"]). The downstream impacts and counts are from the most recent pentest containing this weakness.
last_found_op_types - [OpType!]
The pentest types in which this weakness was most recently found. Returns a single value for ungrouped queries or multiple unique values for grouped queries. 
fragment WeaknessSeriesFragment on WeaknessSeries {
  name
  vuln_id
  vuln_name
  vuln_short_name
  vuln_category
  severity
  status
  score
  annotation_status
  is_one_click_verify
  affected_asset_name
  ip
  first_found_at
  last_found_at
  first_seen_date
  last_seen_date
  first_found_op_id
  first_found_op_type
  last_found_op_id
  last_pentested_op_id
  last_weakness_uuid
  weakness_series_found_count
  attack_paths_count
  credentials_count
  total_impacts_count
  critical_impacts_count
  critical_impacts_percentage
  min_time_to_finding_hms
  business_risks
  last_found_op_types
}

Examples may not include all available fields for a type.

Vuln Management Hub: Weakness Series

Annotation

Description

Represents a user-applied annotation on a WeaknessSeries record. Annotations track the remediation lifecycle of a weakness, including status (e.g., FIXED, TO_DO, RISK_ACCEPTED), free-text notes, risk suppression dates, and user-defined Tags.

Use apply_annotations_to_weakness_series to create or update annotations.

Fields
uuid - ID!
Unique identifier of this annotation.
target_entity_uuid - StringNotEmpty!
Unique identifier of the target entity this annotation is applied to (typically a WeaknessSeries UUID).
text - StringNotEmpty
Free-text note providing additional context about the remediation status or risk decision.
status - AnnotationStatus
The current remediation or review status of this annotation. See AnnotationStatus for possible values.
risk_accepted - Boolean!
Indicates whether this annotation marks the associated risk as explicitly accepted.
suppress_until - Date
Date until which risk notifications are suppressed for this weakness. Null if no suppression is active.
is_suppressed - Boolean!
Indicates whether risk notifications are currently suppressed for this weakness based on the suppress_until date.
tags - [Tag!]!
List of user-defined Tags applied to this annotation for categorization and filtering. 
fragment AnnotationFragment on Annotation {
  uuid
  target_entity_uuid
  target_entity_type
  text
  status
  risk_accepted
  suppress_until
  is_suppressed
}

Examples may not include all available fields for a type.

Vuln Management Hub: Weakness Series

AnnotationInput

Fields
annotation_uuid - StringNotEmpty
Unique identifier of an existing annotation to update. If omitted, a new annotation will be created.
target_entity_uuid - StringNotEmpty!
Unique identifier of the WeaknessSeries to annotate.
text - StringNotEmpty
Free-text note to attach to the annotation. Required when status is RISK_ACCEPTED.
status - AnnotationStatus
The remediation or review status to assign. See AnnotationStatus for possible values.
suppress_until_epoch - Float
Unix epoch timestamp (in UTC milliseconds) until which risk notifications should be suppressed. Set to suppress alerts for a defined period.
remove_suppression - Boolean
Set to true to clear any existing risk suppression on this annotation.
tag_uuids - [StringNotEmpty]
List of Tag UUIDs to associate with this annotation for categorization. 
# Example 1: Create a new annotation
mutation CreateAnnotation($inputs: [AnnotationInput!]! = [
    {
        target_entity_uuid: "1234abcd-1234-abcd-1234-abcd1234abcd",
        target_entity_type: "WeaknessSeries",
        text: "Patched in maintenance window",
        status: "FIXED"
    }
]) {
  apply_annotations_to_weakness_series(inputs: $inputs) {
    annotations_count
    annotations {
      uuid
      target_entity_uuid
      target_entity_type
      text
      status
      risk_accepted
      is_suppressed
    }
  }
}

# Example 2: Suppress a weakness series with tags
mutation SuppressWithTags($inputs: [AnnotationInput!]! = [
    {
        target_entity_uuid: "1234abcd-1234-abcd-1234-abcd1234abcd",
        target_entity_type: "WeaknessSeries",
        status: "RISK_ACCEPTED",
        tag_uuids: ["b2c3d4e5-b2c3-d4e5-b2c3-d4e5b2c3d4e5"]
    }
]) {
  apply_annotations_to_weakness_series(inputs: $inputs) {
    annotations_count
    annotations {
      uuid
      status
      risk_accepted
      is_suppressed
    }
  }
}

Examples may not include all available fields for a type.

Vuln Management Hub: Weakness Series

AnnotationStatus

Description

Represents the user-assigned remediation or review status for a WeaknessSeries. Used to track the lifecycle of weakness management from discovery through resolution.

Values
FIXED
The weakness has been remediated and the underlying issue is no longer present.
POTENTIAL_FALSE_POSITIVE
The weakness may not be valid; an investigation is underway to determine whether the issue actually exists.
TO_DO
The weakness has been acknowledged and remediation is planned, but action has not yet been taken.
RISK_ACCEPTED
The weakness has been reviewed and the associated risk has been explicitly accepted without remediation.
COMPENSATING_CONTROL
The weakness has been addressed through alternative security controls rather than fixing the underlying issue directly.
VERIFY_COMPENSATING_CONTROL
The weakness is awaiting verification that alternative security controls have sufficiently mitigated the risk.
MUTE
The weakness has been hidden from active views without resolving or accepting the risk.
CLOSED
The weakness has been removed from the active remediation queue.
Example
"FIXED"
Vuln Management Hub: Weakness Series

ApplyAnnotationOutput

Description

Output returned by apply_annotations_to_weakness_series.

Fields
annotations_count - Int!
The total number of Annotations that were created or updated.
annotations - [Annotation!]
The list of Annotation records that were created or updated. 
fragment ApplyAnnotationOutputFragment on ApplyAnnotationOutput {
  annotations_count
  annotations {
    uuid
    target_entity_uuid
    target_entity_type
    text
    status
    risk_accepted
    is_suppressed
  }
}

Examples may not include all available fields for a type.

Vuln Management Hub: Weakness Series

Tag

Description

A user-defined or system-defined label that can be applied to Annotations for categorization and filtering. Tags support a hierarchical structure through the parent_tag relationship.

Fields
uuid - ID!
Unique identifier of this tag.
text - String!
The display text of the tag (e.g., Network, Critical Infrastructure).
parent_tag_uuid - String
Unique identifier of the parent tag, if this tag is part of a hierarchy. Null for top-level tags.
parent_tag - Tag
The parent Tag in the hierarchy, if applicable. Null for top-level tags.
client_account_uuid - String
Unique identifier of the client account that created this tag. Null if the tag was created by the platform (system-defined). 
fragment TagFragment on Tag {
  uuid
  text
  parent_tag_uuid
  client_account_uuid
}

Examples may not include all available fields for a type.

Vuln Management Hub: Weakness Series

WeaknessSeriesAnnotation

Description

Represents the association between an Annotation and a WeaknessSeries. This bridge record links user-applied annotations (status, notes, tags) to their corresponding weakness series records. Returned by weakness_series_annotations_page.

Fields
uuid - String!
Unique identifier for this weakness series annotation record.
row_created_at - Datetime!
Timestamp when this annotation record was created, in ISO 8601 format (UTC).
row_updated_at - Datetime
Timestamp when this annotation record was last updated, in ISO 8601 format (UTC). Null if never updated after creation.
weakness_series_uuid - String!
Unique identifier of the WeaknessSeries this annotation is associated with.
annotation_uuid - String!
Unique identifier of the underlying Annotation record containing the status, text, and tags.
annotation_status - AnnotationStatus!
The current AnnotationStatus of this annotation (e.g., FIXED, TO_DO, RISK_ACCEPTED).
annotation_text - String
Free-text note associated with this annotation, providing additional context about the remediation status or risk decision.
affected_asset_short_name - String!
Abbreviated name of the asset affected by this weakness series (e.g., IP address with port). 
fragment WeaknessSeriesAnnotationFragment on WeaknessSeriesAnnotation {
  uuid
  row_created_at
  row_updated_at
  weakness_series_uuid
  annotation_uuid
  annotation_status
  annotation_text
  affected_asset_short_name
}

Examples may not include all available fields for a type.

Vuln Management Hub: Weakness Series

WeaknessSeriesAnnotationsPage

Description

A paginated list of WeaknessSeriesAnnotation records. Returned by weakness_series_annotations_page.

Fields
page_info - PageInfo
Pagination metadata including total count and cursor information.
annotations - [WeaknessSeriesAnnotation!]!
The list of WeaknessSeriesAnnotation records for the current page. 
fragment WeaknessSeriesAnnotationsPageFragment on WeaknessSeriesAnnotationsPage {
  annotations {
    uuid
    row_created_at
    row_updated_at
    weakness_series_uuid
    annotation_uuid
    annotation_status
    annotation_text
    affected_asset_short_name
  }
}

Examples may not include all available fields for a type.

Vuln Management Hub: Weakness Series

WeaknessSeriesFacets

Description

Available filter facets for WeaknessSeries queries. Each facet provides a list of unique values and their counts in the current dataset, enabling construction of filtered list UIs. Returned by weakness_series_facets.

Fields
page_info - PageInfo
Pagination metadata for the facet query.
vuln_short_name - [FacetValue]
Distinct vulnerability short names present in the current dataset, with counts. Useful for filtering weakness series by vulnerability type.
op_template_name - [FacetValue]
Distinct pentest template names present in the current dataset, with counts. Useful for filtering weakness series by the pentest configuration that discovered them.
business_risks - [FacetValue]
Distinct business risk categories present in the current dataset, with counts. Useful for filtering weakness series by business impact category.
vuln_threat_actor_names - [FacetValue]
Distinct threat actor names associated with vulnerabilities in the current dataset, with counts. Useful for filtering weakness series by known threat actors.
downstream_impact_types - [FacetValue]
Distinct downstream impact types present in the current dataset, with counts. Useful for filtering weakness series by the type of downstream impact (e.g., ransomware exposure). 
fragment WeaknessSeriesFacetsFragment on WeaknessSeriesFacets {
  vuln_short_name {
    label
    value
    value_count
  }
  op_template_name {
    label
    value
    value_count
  }
  business_risks {
    label
    value
    value_count
  }
  vuln_threat_actor_names {
    label
    value
    value_count
  }
  downstream_impact_types {
    label
    value
    value_count
  }
}

Examples may not include all available fields for a type.

Vuln Management Hub: Weakness Series

WeaknessSeriesOpStatus

Description

Represents the lifecycle status of a WeaknessSeries as determined by pentest results over time.

Values
OPEN
The weakness is actively exploitable and was detected in the most recent pentest.
MITIGATED
The weakness was previously detected but a subsequent one-click verify pentest confirmed it has been remediated.
REGRESSED
The weakness was previously marked as MITIGATED but has reappeared in a more recent pentest, indicating the remediation was incomplete or has been undone.
NO_LONGER_FOUND
The affected asset was scanned in the most recent pentest but the weakness was not detected, suggesting it may have been resolved.
Example
"OPEN"
Vuln Management Hub: Weakness Series

WeaknessSeriesPage

Description

A paginated list of WeaknessSeries records. Returned by weakness_series_page.

Fields
page_info - PageInfo
Pagination metadata including total count and cursor information.
weakness_series - [WeaknessSeries!]!
The list of WeaknessSeries records for the current page. 
fragment WeaknessSeriesPageFragment on WeaknessSeriesPage {
  weakness_series {
    name
    vuln_id
    vuln_name
    vuln_short_name
    severity
    status
    score
    annotation_status
    is_one_click_verify
    affected_asset_name
    ip
    first_seen_date
    last_seen_date
    weakness_series_found_count
    attack_paths_count
    total_impacts_count
    business_risks
    last_found_op_types
  }
}

Examples may not include all available fields for a type.

Vuln Management Hub: Assets

Query your complete asset inventory across all pentests. An asset is a host discovered during pentesting and tracked over time, often identified by its domain name, IP address, cloud resource ID, and other attributes.

assets_page

Description

Returns a paginated list of unique Asset records discovered across all operations for the current client account. Assets are deduplicated across ops using a proprietary identification algorithm. Supports sorting by fields such as name, last_seen_at, first_seen_at, ops_count, and op_series_type. Supports filtering and text search across asset name, IPs, hostnames, OS names, cloud ARNs, and tags. For MSSP accounts, use client_account_uuid to query a subclient's assets.

Response

Returns an AssetsPage!

Arguments
client_account_uuid - String
Optional subclient UUID for MSSP accounts. When omitted, defaults to the authenticated user's client account.
page_input - PageInput 
query AssetsPage($page_input: PageInput) {
  assets_page(page_input: $page_input) {
    assets {
      ...AssetPageFragment
    }
  }
}

fragment AssetPageFragment on Asset {
  uuid
  name
  op_series_type
  first_seen_at
  last_seen_at
  ops_count
  last_op_id
  first_op_scheduled_at
  last_op_scheduled_at
  finding_series_uuid
}

Examples may not include all available fields for a type.

Vuln Management Hub: Assets

assets_count

Description

Returns the total number of unique Asset records discovered across all operations for the current client account. Accepts the same filtering and text search parameters as assets_page. For MSSP accounts, use client_account_uuid to count a subclient's assets.

Response

Returns an Int!

Arguments
client_account_uuid - String
Optional subclient UUID for MSSP accounts. When omitted, defaults to the authenticated user's client account.
page_input - PageInput 
query AssetsCount($page_input: PageInput) {
  assets_count(page_input: $page_input)
}

Examples may not include all available fields for a type.

Vuln Management Hub: Assets

assets_csv_url

Description

Returns a temporary presigned URL to download the full asset inventory as a CSV file. The CSV is pre-generated and stored in S3; this query returns a time-limited download link. Raises an error if no CSV has been generated for the account yet.

Response

Returns a String

Arguments
client_account_uuid - String
Optional subclient UUID for MSSP accounts. When omitted, defaults to the authenticated user's client account. 
query AssetsCsvUrl {
  assets_csv_url
}

Examples may not include all available fields for a type.

Vuln Management Hub: Assets

Asset

Description

Represents a unique asset tracked across multiple penetration testing operations (e.g., a Host).

Assets are identified using a proprietary algorithm that correlates observed attributes such as IP addresses, hostnames, operating systems, and cloud resource ARNs. This cross-operation tracking enables you to see how an asset has been observed over time, including which operations discovered it and when it was first and last seen. Due to the inherent challenges of scan-based asset tracking in dynamic environments, 100% accuracy in asset identification cannot be guaranteed.

Fields
uuid - String!
Unique identifier for this asset.
finding_series_uuid - String!
The finding series identifier that links this asset to its underlying cross-operation observation records.
host_tabs_count - Int!
Returns the total number of Host observations of this asset across operations.
Arguments
page_input - PageInput
last_op_id - String!
The operation identifier of the most recent op in which this asset was observed.
last_op - OpTab!
The most recent operation in which this asset was observed.
name - String!
The display name of the asset, typically derived from its primary hostname or IP address.
first_seen_at - Datetime!
Timestamp of when this asset was first observed across all operations.
last_seen_at - Datetime!
Timestamp of when this asset was most recently observed across all operations.
ops_count - Int!
The total number of operations in which this asset has been observed.
first_op_scheduled_at - Datetime!
The scheduled start time of the first operation in which this asset was observed.
last_op_scheduled_at - Datetime!
The scheduled start time of the most recent operation in which this asset was observed. 
fragment AssetFragment on Asset {
  uuid
  finding_series_uuid
  name
  op_series_type
  first_seen_at
  last_seen_at
  ops_count
  last_op_id
  first_op_scheduled_at
  last_op_scheduled_at
  host_tabs_count
}

Examples may not include all available fields for a type.

Vuln Management Hub: Assets

AssetsPage

Description

A paginated list of Asset records. Returned by assets_page.

Fields
page_info - PageInfo
Pagination metadata for the current result set. See PageInfo.
assets - [Asset!]!
The list of Asset records in the current page. 
fragment AssetsPageFragment on AssetsPage {
  page_info {
    page_num
    page_size
  }
  assets {
    uuid
    name
    op_series_type
    first_seen_at
    last_seen_at
    ops_count
    last_op_id
    first_op_scheduled_at
    last_op_scheduled_at
  }
}

Examples may not include all available fields for a type.

Vuln Management Hub: Perspectives

Create custom attacker perspectives and conduct continuous pentesting of specific segments of your network. Inject credentials to simulate insider threats and compromised accounts. Use perspectives to focus remediation efforts and continuously defend against real-world threat scenarios.

perspectives_page

Description

Returns a paginated list of Perspective records in the client's account. Only active (non-deleted) targeted perspectives are returned. Supports sorting by fields such as name, last_exposure_score, and last_op_scheduled_at. Supports filtering by last_exposure_severity, op_type, and scheduled status, as well as text search by perspective name and UUID. For MSSP accounts, use client_account_uuid to query a subclient's perspectives.

Response

Returns a PerspectivesPage!

Arguments
page_input - PageInput
client_account_uuid - String
Optional subclient UUID for MSSP accounts. When omitted, defaults to the authenticated user's client account. 
query PerspectivesPage($page_input: PageInput = {
  page_num: 1,
  page_size: 5
}) {
  perspectives_page(page_input: $page_input) {
    perspectives {
      ...PerspectiveFragment
    }
  }
}

fragment PerspectiveFragment on Perspective {
  uuid
  name
  op_template {
    uuid
    name
  }
  schedule {
    uuid
    name
  }
  ops_count
}

Examples may not include all available fields for a type.

Vuln Management Hub: Perspectives

perspectives_count

Description

Returns the total number of Perspective records in the client's account. Only active (non-deleted) targeted perspectives are counted. Accepts the same filtering parameters as perspectives_page. For MSSP accounts, use client_account_uuid to count a subclient's perspectives.

Response

Returns an Int!

Arguments
page_input - PageInput
client_account_uuid - String
Optional subclient UUID for MSSP accounts. When omitted, defaults to the authenticated user's client account. 
query PerspectivesCount($page_input: PageInput) {
  perspectives_count(page_input: $page_input)
}

Examples may not include all available fields for a type.

Vuln Management Hub: Perspectives

perspective

Description

Returns a single Perspective by its unique identifier. Returns null if the perspective does not exist or has been deleted.

Response

Returns a Perspective

Arguments
uuid - String! 
query Perspective($uuid: String!) {
  perspective(uuid: $uuid) {
    uuid
    name
    op_template {
      uuid
      name
    }
    schedule {
      uuid
      name
    }
    ops_count
  }
}

Examples may not include all available fields for a type.

Vuln Management Hub: Perspectives

org_perspective

Description

Returns the account-wide Org Perspective for the current client account.

The Org Perspective automatically aggregates data from all targeted perspectives in the account, covering operations from the past 12 months. This provides a holistic view of your organization's security posture trends without requiring manual perspective selection.

Response

Returns a Perspective

Arguments
client_account_uuid - String
Optional subclient UUID for MSSP accounts. When omitted, defaults to the authenticated user's client account. 
query OrgPerspective {
  org_perspective {
    uuid
    name
    op_template {
      uuid
      name
    }
    schedule {
      uuid
      name
    }
    ops_count
  }
}

Examples may not include all available fields for a type.

Vuln Management Hub: Perspectives

perspectives_up_next

Description

Returns Perspective records ordered by their next scheduled execution time (soonest first). Only perspectives with an active schedule are included. Defaults to returning 3 perspectives. Also includes scheduled operations that are not yet associated with a Perspective.

Response

Returns a PerspectivesPage!

Arguments
count - Int
client_account_uuid - String
Optional subclient UUID for MSSP accounts. When omitted, defaults to the authenticated user's client account. 
query PerspectivesUpNext($count: Int = 3) {
  perspectives_up_next(count: $count) {
    perspectives {
      ...PerspectiveFragment
    }
  }
}

fragment PerspectiveFragment on Perspective {
  uuid
  name
  op_template {
    uuid
    name
  }
  schedule {
    uuid
    name
  }
  ops_count
}

Examples may not include all available fields for a type.

Vuln Management Hub: Perspectives

Perspective

Description

Represents a recurring pentesting configuration, also referred to as an attacker's perspective.

A Perspective groups together the key components of a repeatable pentest:

  1. An asset scope and attack profile defined by an OpTemplate.
  2. Optionally, injected credentials to simulate specific attack scenarios.
  3. A consistent NodeZero Docker host (runner) for executing the pentest.
  4. A Schedule for automated recurring execution.

By running multiple pentests under the same Perspective, you can track trends over time and measure the effectiveness of remediation efforts.

Fields
uuid - String!
Unique identifier for this Perspective.
name - String!
The user-defined name for this Perspective.
op_template - OpTemplate
The OpTemplate that defines the asset scope and attack profile used when launching new pentests under this Perspective.
schedule - Schedule
The Schedule that controls automated pentest execution for this Perspective. Null if no schedule is configured.
ops_count - Int!
Returns the total number of pentesting operations associated with this Perspective's underlying op series.
Arguments
page_input - PageInput

Pagination and filtering options. See PageInput.

ops_page - OpsPage!
Returns a paginated list of pentesting operations associated with this Perspective's underlying op series. See OpsPage.
Arguments
page_input - PageInput

Pagination and filtering options. See PageInput.

fragment PerspectiveFragment on Perspective {
  uuid
  name
  op_template {
    uuid
    name
  }
  schedule {
    uuid
    name
  }
  ops_count
}

Examples may not include all available fields for a type.

Vuln Management Hub: Perspectives

PerspectivesPage

Description

A paginated list of Perspective records. Returned by queries such as perspectives_page and perspectives_up_next.

Fields
page_info - PageInfo
Pagination metadata for the current result set. See PageInfo.
perspectives - [Perspective!]!
The list of Perspective records in the current page. 
fragment PerspectivesPageFragment on PerspectivesPage {
  perspectives {
    uuid
    name
    op_template {
      uuid
      name
    }
    schedule {
      uuid
      name
    }
    ops_count
  }
  page_info {
    page_num
    page_size
  }
}

Examples may not include all available fields for a type.

Vuln Management Hub: Campaigns

Create and manage focused cybersecurity campaigns across a set of perspectives. Use campaigns to coordinate large-scale pentesting efforts and track remediation progress across your network.

campaigns

Description

Returns all active (non-deleted) Campaigns for the authenticated user's client account. Results are ordered with the ORG-scoped default campaign first, followed by TARGETED campaigns sorted alphabetically by name.

Response

Returns [Campaign!]! 

query Campaigns {
  campaigns {
    ...CampaignFragment
  }
}

fragment CampaignFragment on Campaign {
  uuid
  name
  description
  scope
  client_account_uuid
  is_deleted
  deleted_at
  row_created_at
  row_updated_at
  perspective_uuids
}

Examples may not include all available fields for a type.

Vuln Management Hub: Campaigns

campaign

Description

Retrieves a single Campaign by its UUID. Returns null if the campaign does not exist or has been soft-deleted. Only returns campaigns belonging to the authenticated user's client account.

Response

Returns a Campaign

Arguments
uuid - String! 
query Campaign($uuid: String!) {
  campaign(uuid: $uuid) {
    ...CampaignFragment
  }
}

fragment CampaignFragment on Campaign {
  uuid
  name
  description
  scope
  client_account_uuid
  is_deleted
  deleted_at
  row_created_at
  row_updated_at
  perspective_uuids
}

Examples may not include all available fields for a type.

Vuln Management Hub: Campaigns

create_campaign

Description

Creates a new Campaign for the authenticated user's client account. Campaign names must be unique within a client account. Only one ORG-scoped campaign may exist per client account. Returns the newly created campaign, including system-generated fields such as uuid and row_created_at.

Response

Returns a Campaign!

Arguments
input - CreateCampaignInput! 
mutation CreateCampaign($input: CreateCampaignInput!) {
  create_campaign(input: $input) {
    ...CampaignFragment
  }
}

fragment CampaignFragment on Campaign {
  uuid
  name
  description
  scope
  client_account_uuid
  is_deleted
  row_created_at
  row_updated_at
  perspective_uuids
}

Examples may not include all available fields for a type.

Vuln Management Hub: Campaigns

update_campaign

Description

Updates an existing Campaign. Only provided fields in the UpdateCampaignInput are modified. Perspective associations cannot be modified on ORG-scoped campaigns. Returns the updated campaign with all current field values.

Response

Returns a Campaign!

Arguments
input - UpdateCampaignInput! 
mutation UpdateCampaign($input: UpdateCampaignInput!) {
  update_campaign(input: $input) {
    ...CampaignFragment
  }
}

fragment CampaignFragment on Campaign {
  uuid
  name
  description
  scope
  client_account_uuid
  is_deleted
  row_created_at
  row_updated_at
  perspective_uuids
}

Examples may not include all available fields for a type.

Vuln Management Hub: Campaigns

delete_campaign

Description

Soft-deletes a Campaign by UUID. The default ORG-scoped campaign cannot be deleted. Returns true on success.

Response

Returns a Boolean!

Arguments
uuid - String! 
mutation DeleteCampaign($uuid: String!) {
  delete_campaign(uuid: $uuid)
}

Examples may not include all available fields for a type.

Vuln Management Hub: Campaigns

campaign_available_perspectives_page

Description

Returns a paginated list of Perspectives that are available to be added to a campaign. When a campaign_uuid is provided, perspectives already associated with that campaign are excluded from the results.

Response

Returns a PerspectivesPage!

Arguments
page_input - PageInput
campaign_uuid - String
When provided, excludes perspectives that are already associated with the specified campaign.
client_account_uuid - String
Subclient UUID for MSSP accounts. When omitted, defaults to the authenticated user's client account. 
query CampaignAvailablePerspectivesPage(
  $page_input: PageInput = { page_num: 1, page_size: 5 },
  $campaign_uuid: String
) {
  campaign_available_perspectives_page(
    page_input: $page_input
    campaign_uuid: $campaign_uuid
  ) {
    perspectives {
      ...PerspectiveFragment
    }
  }
}

fragment PerspectiveFragment on Perspective {
  uuid
  name
  op_template {
    uuid
    name
  }
  schedule {
    uuid
    name
  }
  ops_count
}

Examples may not include all available fields for a type.

Vuln Management Hub: Campaigns

campaign_available_perspectives_count

Description

Returns the total count of Perspectives available to be added to a campaign. When a campaign_uuid is provided, perspectives already associated with that campaign are excluded from the count.

Response

Returns an Int!

Arguments
page_input - PageInput
campaign_uuid - String
When provided, excludes perspectives that are already associated with the specified campaign.
client_account_uuid - String
Subclient UUID for MSSP accounts. When omitted, defaults to the authenticated user's client account. 
query CampaignAvailablePerspectivesCount(
  $campaign_uuid: String
) {
  campaign_available_perspectives_count(
    campaign_uuid: $campaign_uuid
  )
}

Examples may not include all available fields for a type.

Vuln Management Hub: Campaigns

Campaign

Description

A Campaign is an organizational grouping of Perspectives that allows users to track and manage related pentesting configurations together. Each client account has one system-generated ORG-scoped campaign that automatically includes all perspectives, plus any number of user-created TARGETED campaigns containing curated subsets. Campaign names must be unique within a client account. Campaigns support soft deletion -- the default ORG campaign cannot be deleted.

Fields
uuid - String!
Unique identifier for the campaign.
name - String!
Display name of the campaign. Unique within the client account.
description - String!
User-provided description of the campaign's purpose.
scope - CampaignScope!
Scope of the campaign. See CampaignScope for details.
client_account_uuid - String!
UUID of the client account that owns this campaign.
is_deleted - Boolean!
Indicates whether the campaign has been soft-deleted. Soft-deleted campaigns are excluded from list queries.
deleted_at - String
Timestamp when the campaign was soft-deleted, or null if the campaign is active.
row_created_at - String!
Timestamp when the campaign was created.
row_updated_at - String
Timestamp when the campaign was last updated, or null if the campaign has never been modified.
perspective_uuids - [String!]
List of perspective UUIDs associated with this campaign. For ORG campaigns, this includes all perspectives in the client account.
perspectives_page - PerspectivesPage!
Returns a paginated list of Perspectives included in this campaign. Accepts standard pagination, filtering, and sorting via page_input.
Arguments
page_input - PageInput
perspectives_count - Int!
Returns the total number of Perspectives included in this campaign. Accepts filtering via page_input.
Arguments
page_input - PageInput
up_next - PerspectivesPage!
Returns the next upcoming scheduled pentests for perspectives in this campaign, ordered by next execution time. Defaults to 3 results. For ORG campaigns, this also includes standalone schedules not attached to any perspective.
Arguments
count - Int
recommended_perspectives - [RecommendedPerspective!]!
Returns a list of RecommendedPerspective records summarizing perspective coverage by operation type for this campaign, sorted so that uncovered operation types appear first. 
fragment CampaignFragment on Campaign {
  uuid
  name
  description
  scope
  client_account_uuid
  is_deleted
  deleted_at
  row_created_at
  row_updated_at
  perspective_uuids
}

Examples may not include all available fields for a type.

Vuln Management Hub: Campaigns

CampaignScope

Description

Defines the scope of a Campaign, distinguishing between the system-managed organization-wide default campaign and user-created targeted campaigns.

Values
ORG
Organization-wide default campaign that automatically includes all perspectives for the client account. Each client account has exactly one ORG campaign, which cannot be deleted.
TARGETED
User-created campaign containing a curated subset of perspectives. TARGETED campaigns can be created, updated, and deleted by authorized users.
Example
"ORG"
Vuln Management Hub: Campaigns

CreateCampaignInput

Description

Input for the create_campaign mutation. Defines the attributes of the new Campaign to create.

Fields
name - String!
Name for the campaign. Required, must be unique within the client account, and cannot exceed 128 characters.
description - String!
Description for the campaign. Required and cannot exceed 256 characters.
scope - CampaignScope
Scope of the campaign. Defaults to TARGETED if not specified. Only one ORG-scoped campaign may exist per client account. See CampaignScope for details.
perspective_uuids - [String!]
List of perspective UUIDs to associate with the campaign at creation time. Only applicable for TARGETED campaigns; ORG campaigns automatically include all perspectives. 
mutation CreateCampaignExample(
  $input: CreateCampaignInput = {
    name: "Q1 Security Campaign"
    description: "Quarterly security assessment campaign"
    scope: TARGETED
    perspective_uuids: [
      "1234abcd-1234-abcd-1234-abcd1234abcd"
    ]
  }
) {
  create_campaign(input: $input) {
    uuid
    name
    description
    scope
  }
}

Examples may not include all available fields for a type.

Vuln Management Hub: Campaigns

RecommendedPerspective

Description

Represents a recommended operation type for a Campaign, along with counts of how many perspectives of that type are currently included. Results are sorted so that operation types with no perspectives appear first, making it easy to identify coverage gaps. The recommended operation types are: NodeZero, ExternalAttack, ADPasswordAudit, K8sPentest, Phishing, InsiderThreatAttack, AWSPentest, and AzurePentest.

Fields
id - String!
Unique identifier for the recommendation. Currently matches the op_type value.
op_type - OpType!
The operation type this recommendation covers (e.g., NodeZero, ExternalAttack, ADPasswordAudit).
total_count - Int!
Total number of perspectives of this operation type currently included in the campaign.
scheduled_count - Int!
Number of perspectives of this operation type that have an active schedule configured. 
fragment RecommendedPerspectiveFragment on RecommendedPerspective {
  id
  op_type
  total_count
  scheduled_count
}

Examples may not include all available fields for a type.

Vuln Management Hub: Campaigns

UpdateCampaignInput

Description

Input for the update_campaign mutation. All fields except uuid are optional; only provided fields will be modified. Perspective associations cannot be modified on ORG-scoped campaigns.

Fields
uuid - String!
UUID of the Campaign to update. Required.
name - String
Updated campaign name. Must be unique within the client account and cannot exceed 128 characters.
description - String
Updated campaign description. Cannot exceed 256 characters.
add_perspective_uuids - [String!]
List of perspective UUIDs to add to the campaign. Not applicable for ORG-scoped campaigns.
delete_perspective_uuids - [String!]
List of perspective UUIDs to remove from the campaign. Not applicable for ORG-scoped campaigns. 
mutation UpdateCampaignExample(
  $input: UpdateCampaignInput = {
    uuid: "1234abcd-1234-abcd-1234-abcd1234abcd"
    name: "Updated Campaign Name"
    description: "Updated campaign description"
    add_perspective_uuids: [
      "5678abcd-5678-abcd-5678-abcd5678abcd"
    ]
    delete_perspective_uuids: [
      "9999aaaa-9999-aaaa-9999-aaaa9999aaaa"
    ]
  }
) {
  update_campaign(input: $input) {
    uuid
    name
    description
  }
}

Examples may not include all available fields for a type.

Platform Features

Advanced platform capabilities to enhance your security testing. Leverage Rapid Response for immediate threat validation, deploy Tripwires for breach detection and monitoring, and integrate vulnerability scanner data with Vuln Risk Intelligence to prioritize findings based on NodeZero's exploitation validation.

Platform Features: Rapid Response

Be notified of emerging threats and zero-day vulnerabilities and launch targeted tests to assess if your environment is vulnerable to newly disclosed CVEs or attack techniques.

notifications_page

Description

Returns a paginated list of Notifications for the authenticated user. Includes notifications from both Rapid Response and Tripwire activity. Use the unread parameter to filter for unread notifications only.

Response

Returns a NotificationsPage!

Arguments
unread - Boolean
page_input - PageInput 
query NotificationsPage($unread: Boolean, $page_input: PageInput) {
  notifications_page(unread: $unread, page_input: $page_input) {
    notifications {
      type
      data {
        tripwire {
          uuid
          external_id
          type
          state
        }
        trip {
          tripped_at
          detected_at
          is_test
        }
      }
    }
  }
}

Examples may not include all available fields for a type.

Platform Features: Rapid Response

notifications_count

Description

Returns the total count of Notifications for the authenticated user. Use the unread parameter to count only unread notifications.

Response

Returns an Int!

Arguments
unread - Boolean
page_input - PageInput 
query NotificationsCount($unread: Boolean) {
  notifications_count(unread: $unread)
}

Examples may not include all available fields for a type.

Platform Features: Rapid Response

notification

Description

Retrieves a single Notification by its UUID. Returns null if the notification does not exist or does not belong to the authenticated user. For TripwireTripped notifications, accessing this query also records a view event.

Response

Returns a Notification

Arguments
notification_uuid - String! 
query GetNotification($notification_uuid: String!) {
  notification(notification_uuid: $notification_uuid) {
    type
    data {
      tripwire {
        uuid
        external_id
        type
        state
      }
      trip {
        tripped_at
        detected_at
        is_test
      }
    }
  }
}

Examples may not include all available fields for a type.

Platform Features: Rapid Response

Notification

Description

Represents an alert generated by Rapid Response exploit testing or Tripwire activity detection. Notifications are scoped to a specific user (by email) within a client account and can be queried via notifications_page.

Fields
data - NotificationData!
Detailed payload of the notification. The populated fields vary based on the notification type. See NotificationData.
type - NotificationType!
Category of the notification, indicating whether it relates to a Rapid Response finding or tripwire activity. See NotificationType. 
fragment NotificationFragment on Notification {
  type
  data {
    tripwire {
      uuid
      external_id
      type
      state
    }
    trip {
      tripped_at
      detected_at
      is_test
    }
  }
}

Examples may not include all available fields for a type.

Platform Features: Rapid Response

NotificationData

Description

Contains the detailed payload of a Notification. The populated fields vary depending on the NotificationType: Rapid Response notifications include vulnerability context and affected entities, while Tripwire notifications include the associated tripwire and trip activity records.

Fields
tripwire - Tripwire
The Tripwire associated with this notification. Present when the notification type is TripwireTripped.
trip - Trip
The Trip activity record associated with this notification. Present when the notification type is TripwireTripped, containing details about the detected activity. 
fragment NotificationDataFragment on NotificationData {
  tripwire {
    uuid
    external_id
    type
    state
    deployment_asset_name
  }
  trip {
    tripped_at
    detected_at
    is_test
  }
}

Examples may not include all available fields for a type.

Platform Features: Rapid Response

NotificationType

Description

Classifies the type of a Notification, indicating the event category that triggered the alert. Public values cover confirmed Rapid Response findings and tripwire activity detections.

Values
EvidenceOfWeakness
Indicates that confirmed evidence of a breaking vulnerability was found during Rapid Response exploit testing. Recipients should take immediate action to assess whether the vulnerability is still present, such as by running a targeted Rapid Response test if one is available.
PossibleEvidenceOfWeakness
Possible Evidence of Weakness Found, but not confirmable
NoEvidenceOfWeakness
No Evidence of Weakness Found
TripwireTripped
Indicates that activity was detected on an active Tripwire deployed in the recipient's environment. Recipients should urgently review the associated Trip details and take appropriate remedial action, such as quarantining the affected asset or deactivating the alerting tripwire if warranted.
Example
"EvidenceOfWeakness"
Platform Features: Rapid Response

NotificationsPage

Description

Contains a page of Notification records returned by notifications_page.

Fields
page_info - PageInfo
Pagination metadata for the current page of results.
notifications - [Notification!]!
The list of Notification records in the current page. 
fragment NotificationsPageFragment on NotificationsPage {
  page_info {
    page_num
    page_size
  }
  notifications {
    type
    data {
      tripwire {
        uuid
        external_id
        type
        state
      }
      trip {
        tripped_at
        detected_at
        is_test
      }
    }
  }
}

Examples may not include all available fields for a type.

Platform Features: Tripwires

Deploy honeypot credentials and deception assets (tripwires) to detect unauthorized access in your environment. Monitor tripwire triggers to identify active attackers and insider threats.

tripwires_page

Description

Returns a paginated list of Tripwires deployed for the authenticated user's client account. Includes tripwires in all lifecycle states (ACTIVE, PENDING, INACTIVE, ERROR). Supports standard pagination, filtering, and sorting via page_input.

Response

Returns a TripwiresPage!

Arguments
page_input - PageInput 
query TripwiresPage($page_input: PageInput) {
  tripwires_page(page_input: $page_input) {
    tripwires {
      ...TripwireFragment
    }
  }
}

fragment TripwireFragment on Tripwire {
  uuid
  external_id
  type
  op_id
  deployment_asset_name
  file_attributes {
    name
    path
    sha1
  }
  processes
  state
  active_at
  inactive_at
  last_tested_at
}

Examples may not include all available fields for a type.

Platform Features: Tripwires

tripwires_count

Description

Returns the total count of Tripwires for the authenticated user's client account. Supports filtering via page_input to match the criteria used with tripwires_page.

Response

Returns an Int!

Arguments
page_input - PageInput 
query TripwiresCount($page_input: PageInput) {
  tripwires_count(page_input: $page_input)
}

Examples may not include all available fields for a type.

Platform Features: Tripwires

tripwire_jobs_page

Description

Returns a paginated list of tripwire jobs (TripwireInternal operations) for the authenticated user's client account. Each job represents an operation that deployed one or more Tripwires. Results are returned as OpTab records. Supports standard pagination, filtering, and sorting via page_input.

Response

Returns an OpTabsPage!

Arguments
page_input - PageInput 
query TripwireJobsPage($page_input: PageInput) {
  tripwire_jobs_page(page_input: $page_input) {
    op_tabs {
      uuid
      op_id
      op_name
      op_state
      portal_op_state
      op_type
      scheduled_at
      launched_at
      completed_at
      duration_hms
      tripwires_count
    }
  }
}

Examples may not include all available fields for a type.

Platform Features: Tripwires

tripwire_jobs_count

Description

Returns the total count of tripwire jobs (TripwireInternal operations) for the authenticated user's client account. Supports filtering via page_input to match the criteria used with tripwire_jobs_page.

Response

Returns an Int!

Arguments
page_input - PageInput 
query TripwireJobsCount($page_input: PageInput) {
  tripwire_jobs_count(page_input: $page_input)
}

Examples may not include all available fields for a type.

Platform Features: Tripwires

test_tripwire

Description

Triggers an on-demand test of the specified Tripwire to verify that its detection mechanism is operational. The resulting Trip event will have is_test set to true. Returns the tested tripwire with updated state.

Response

Returns a Tripwire

Arguments
uuid - String! 
mutation TestTripwire($uuid: String!) {
  test_tripwire(uuid: $uuid) {
    uuid
    external_id
    type
    state
    deployment_asset_name
    last_tested_at
  }
}

Examples may not include all available fields for a type.

Platform Features: Tripwires

Tripwire

Description

A persistent detection mechanism deployed during a pentest or tripwire job to detect unauthorized access or lateral movement within the target environment. Tripwires are placed on hosts, data stores, or within Active Directory and generate Trip events when triggered. Each tripwire has a type that determines the detection channel (e.g., cloud credential monitoring, DNS callbacks, or Windows security events) and a lifecycle state tracking its operational status. Tripwires can be tested on demand via test_tripwire.

Fields
uuid - ID!
Unique identifier for the tripwire.
external_id - String!
External identifier for the tripwire, typically used as the display name. The format varies by tripwire type: for AWS_ACCESS_KEY tripwires this is the AWS access key ID; for WINDOWS_SUSPICIOUS_PROCESS and MYSQL_DUMP tripwires this is the DNS subdomain embedded within the tripwire; and for Active Directory tripwires (KERBEROAST, AS_REP_ROAST, EXPOSED_PASSWORD) this is the fully qualified user name of the tripwire account.
op_id - String
Op ID of the pentest or tripwire job during which this tripwire was deployed, if applicable.
op - OpTab
Operation details for the pentest or tripwire job during which this tripwire was deployed, if applicable. See OpTab.
deployment_asset_name - String!
Human-readable name describing the host and/or data store where the tripwire was deployed, as determined at deployment time.
file_attributes - [FileAttributes!]
List of FileAttributes for each file deployed as part of the tripwire, including the file name, file system path, and SHA1 hash.
processes - [String!]
List of process names monitored by the tripwire. Only populated for WINDOWS_SUSPICIOUS_PROCESS tripwires.
active_at - Date
Timestamp when the tripwire transitioned to the ACTIVE state, or null if not yet activated.
inactive_at - Date
Timestamp when the tripwire transitioned to the INACTIVE state, or null if still active.
last_tested_at - Date
Timestamp when the tripwire was last tested via test_tripwire, or null if never tested.
data_store - DataStore
The DataStore in which the tripwire was deployed, if applicable. Contains details collected during the deploying operation. 
fragment TripwireFragment on Tripwire {
  uuid
  external_id
  type
  op_id
  deployment_asset_name
  file_attributes {
    name
    path
    sha1
  }
  processes
  state
  active_at
  inactive_at
  last_tested_at
}

Examples may not include all available fields for a type.

Platform Features: Tripwires

FileAttributes

Description

Metadata about a file deployed as part of a Tripwire. Each entry describes one file placed on the target system during tripwire deployment, including its location and integrity hash.

Fields
name - String!
Name of the deployed file.
path - String!
Full file system path where the file was deployed.
sha1 - String
SHA1 hash of the file contents, used for integrity verification. 
fragment FileAttributesFragment on FileAttributes {
  name
  path
  sha1
}

Examples may not include all available fields for a type.

Platform Features: Tripwires

Trip

Description

Represents a single activity detection event recorded by a Tripwire. Each Trip captures when unauthorized or suspicious activity triggered the tripwire, when the event was detected, and detailed forensic attributes about the source of the activity.

Fields
tripped_at - Date!
Timestamp when the trip event occurred (i.e., when the unauthorized or suspicious activity took place).
detected_at - Date!
Timestamp when the trip event was detected by the monitoring system.
is_test - Boolean!
Indicates whether this trip event was caused by an on-demand test of the tripwire (via test_tripwire) rather than real activity.
attributes - TripAttributes!
Detailed forensic attributes of the trip event. The populated fields vary by tripwire type. See TripAttributes. 
fragment TripFragment on Trip {
  tripped_at
  detected_at
  is_test
  attributes {
    trip_time
    geoip
    source_hostname
    source_ip_address
    source_edns_client_subnet
    source_process_name
    source_username
    event_id
    source_ip_port
    dc_hostname
  }
}

Examples may not include all available fields for a type.

Platform Features: Tripwires

TripAttributes

Description

Detailed forensic attributes of a Trip event. The populated fields vary depending on the TripwireType: DNS callback-based tripwires (WINDOWS_SUSPICIOUS_PROCESS, MYSQL_DUMP) populate DNS and subnet fields; AWS_ACCESS_KEY tripwires populate CloudTrail-derived fields; and Active Directory tripwires (KERBEROAST, AS_REP_ROAST, EXPOSED_PASSWORD) populate Windows security event fields.

Fields
trip_time - String
Timestamp when the trip event occurred.
geoip - JSONObject
Geographic location information derived from the source IP address of the trip event, returned as a JSON object.
source_hostname - String
The hostname of the source machine where the triggering activity occurred. For WINDOWS_SUSPICIOUS_PROCESS tripwires, this is the computer where the process was run. For MYSQL_DUMP tripwires, this is the machine where the dump file was loaded. For Active Directory tripwires, this is the machine that generated the security event.
source_ip_address - String
Source IP address from which the trip event originated.
source_edns_client_subnet - String
EDNS Client Subnet (ECS) from the DNS query that triggered the trip event. Applicable to DNS callback-based tripwires (WINDOWS_SUSPICIOUS_PROCESS, MYSQL_DUMP). Often more accurate than source_ip_address for identifying the originating network.
source_process_name - String
Name of the process that triggered the trip event. Applicable to WINDOWS_SUSPICIOUS_PROCESS tripwires.
source_username - String
Username of the account that ran the process triggering the trip event. Applicable to WINDOWS_SUSPICIOUS_PROCESS tripwires.
event_id - Int
Windows Security Event ID associated with the trip event. Applicable to Active Directory tripwires (KERBEROAST, AS_REP_ROAST, EXPOSED_PASSWORD).
source_ip_port - String
Source IP port from which the authentication attempt originated. Applicable to Active Directory tripwires.
dc_hostname - String
Hostname of the domain controller that logged the security event. Applicable to Active Directory tripwires. 
fragment TripAttributesFragment on TripAttributes {
  trip_time
  geoip
  source_hostname
  source_ip_address
  source_edns_client_subnet
  source_process_name
  source_username
  event_id
  source_ip_port
  dc_hostname
}

Examples may not include all available fields for a type.

Platform Features: Tripwires

TripwiresPage

Description

Contains a page of Tripwire records returned by tripwires_page.

Fields
page_info - PageInfo
Pagination metadata for the current page of results.
tripwires - [Tripwire!]!
The list of Tripwire records in the current page. 
fragment TripwiresPageFragment on TripwiresPage {
  tripwires {
    uuid
    external_id
    type
    state
    deployment_asset_name
    op_id
    active_at
    inactive_at
    last_tested_at
    file_attributes {
      name
      path
      sha1
    }
    processes
  }
  page_info {
    page_num
    page_size
  }
}

Examples may not include all available fields for a type.

Platform Features: Vuln Risk Intelligence

Import vulnerability scan data from third-party scanners and enrich findings with NodeZero's exploit validation and risk intelligence. Prioritize scanner findings based on actual exploitability demonstrated by autonomous pentesting.

scanner_files_page

Description

Returns a paginated list of ScannerFile records for the current user's client account. Use PageInput to control pagination, sorting, and filtering.

Response

Returns a ScannerFilesPage!

Arguments
page_input - PageInput 
query ScannerFilesPage($page_input: PageInput) {
  scanner_files_page(page_input: $page_input) {
    scanner_files {
      ...ScannerFileFragment
    }
  }
}

fragment ScannerFileFragment on ScannerFile {
  uuid
  vendor
  file_name
  file_size_bytes
  file_size_formatted
  format
  status
  status_message
  status_progress
  uploading_started_at
  uploading_ended_at
  processing_started_at
  processing_ended_at
  expires_at
}

Examples may not include all available fields for a type.

Platform Features: Vuln Risk Intelligence

scanner_files_count

Description

Returns the total count of vulnerability scanner files for the current user's client account. Accepts an optional PageInput to apply filters before counting.

Response

Returns an Int!

Arguments
page_input - PageInput 
query ScannerFilesCount($page_input: PageInput) {
  scanner_files_count(page_input: $page_input)
}

Examples may not include all available fields for a type.

Platform Features: Vuln Risk Intelligence

scanner_file

Description

Returns a single ScannerFile by its unique identifier. The file must belong to the current user's client account.

Response

Returns a ScannerFile

Arguments
uuid - String! 
query ScannerFile($uuid: String!) {
  scanner_file(uuid: $uuid) {
    ...ScannerFileFragment
  }
}

fragment ScannerFileFragment on ScannerFile {
  uuid
  vendor
  file_name
  file_size_bytes
  file_size_formatted
  format
  status
  status_message
  status_progress
  uploading_started_at
  uploading_ended_at
  processing_started_at
  processing_ended_at
  expires_at
}

Examples may not include all available fields for a type.

Platform Features: Vuln Risk Intelligence

scanner_classifications_csv_presigned_url

Description

Generates or retrieves a CSV export of scanner classifications for the specified scanner file and returns a presigned URL to download it. The CSV contains risk intelligence data produced by correlating scanner findings with NodeZero pentest results. If a pre-generated CSV exists from the ETL pipeline, its URL is returned directly; otherwise the CSV is generated on demand.

Response

Returns a String

Arguments
scanner_file_uuid - String!
page_input - PageInput 
query ScannerClassificationsCsvPresignedUrl($scanner_file_uuid: String!) {
  scanner_classifications_csv_presigned_url(scanner_file_uuid: $scanner_file_uuid)
}

Examples may not include all available fields for a type.

Platform Features: Vuln Risk Intelligence

upload_scanner_file

Description

Initiates the upload of a vulnerability scanner file. Returns a UploadScannerFileOutput containing a presigned URL. Use the presigned URL with an HTTP PUT request to upload the file content. After upload completes, call process_scanner_file to begin risk intelligence analysis.

Response

Returns an UploadScannerFileOutput!

Arguments
input - UploadScannerFileInput! 
mutation UploadScannerFile($input: UploadScannerFileInput!) {
  upload_scanner_file(input: $input) {
    scanner_file_uuid
    upload_url
  }
}

Examples may not include all available fields for a type.

Platform Features: Vuln Risk Intelligence

delete_scanner_files

Description

Permanently deletes one or more vulnerability scanner files and their associated data from both storage and the database. Returns the count of files successfully deleted.

Response

Returns a DeleteScannerFilesOutput!

Arguments
input - DeleteScannerFilesInput! 
mutation DeleteScannerFiles($input: DeleteScannerFilesInput!) {
  delete_scanner_files(input: $input) {
    deleted_count
  }
}

Examples may not include all available fields for a type.

Platform Features: Vuln Risk Intelligence

process_scanner_file

Description

Triggers risk intelligence processing for a vulnerability scanner file. Processing imports the scanner data and cross-references it with your NodeZero pentest results to produce ScannerClassification records. The file must be in PENDING or FAILED status, or in COMPLETED status with the force flag set to true for reprocessing. Returns an error if the file is currently being processed or has expired.

Response

Returns a ProcessScannerFileOutput!

Arguments
input - ProcessScannerFileInput! 
mutation ProcessScannerFile($input: ProcessScannerFileInput!) {
  process_scanner_file(input: $input) {
    success
  }
}

Examples may not include all available fields for a type.

Platform Features: Vuln Risk Intelligence

update_scanner_file

Description

Updates the metadata of a vulnerability scanner file, such as its display name. Returns the updated ScannerFile.

Response

Returns an UpdateScannerFileOutput!

Arguments
input - UpdateScannerFileInput! 
mutation UpdateScannerFile($input: UpdateScannerFileInput!) {
  update_scanner_file(input: $input) {
    success
    scanner_file {
      ...ScannerFileFragment
    }
  }
}

fragment ScannerFileFragment on ScannerFile {
  uuid
  vendor
  file_name
  file_size_bytes
  file_size_formatted
  format
  status
  status_message
  uploading_started_at
  processing_started_at
  processing_ended_at
  expires_at
}

Examples may not include all available fields for a type.

Platform Features: Vuln Risk Intelligence

DeleteScannerFilesInput

Description

Input for the delete_scanner_files mutation.

Fields
scanner_file_uuids - [String!]!
List of scanner file UUIDs to delete. Files that are currently processing or belong to another client account are skipped. 
mutation DeleteScannerFilesExample(
  $input: DeleteScannerFilesInput = {
    scanner_file_uuids: [
      "1234abcd-1234-abcd-1234-abcd1234abcd"
      "5678abcd-5678-abcd-5678-abcd5678abcd"
    ]
  }
) {
  delete_scanner_files(input: $input) {
    deleted_count
  }
}

Examples may not include all available fields for a type.

Platform Features: Vuln Risk Intelligence

DeleteScannerFilesOutput

Description

Output from the delete_scanner_files mutation.

Fields
deleted_count - Int!
The number of scanner files that were successfully deleted. 
fragment DeleteScannerFilesOutputFragment on DeleteScannerFilesOutput {
  deleted_count
}

Examples may not include all available fields for a type.

Platform Features: Vuln Risk Intelligence

ProcessScannerFileInput

Description

Input for the process_scanner_file mutation.

Fields
scanner_file_uuid - String!
UUID of the scanner file to process.
force - Boolean
Set to true to reprocess a file that has already completed processing. Required when the file status is COMPLETED. 
mutation ProcessScannerFileExample(
  $input: ProcessScannerFileInput = {
    scanner_file_uuid: "1234abcd-1234-abcd-1234-abcd1234abcd"
    force: false
  }
) {
  process_scanner_file(input: $input) {
    success
  }
}

Examples may not include all available fields for a type.

Platform Features: Vuln Risk Intelligence

ProcessScannerFileOutput

Description

Output from the process_scanner_file mutation.

Fields
success - Boolean!
True if the processing request was successfully submitted. The file transitions to PROCESSING status while risk intelligence analysis runs asynchronously. 
fragment ProcessScannerFileOutputFragment on ProcessScannerFileOutput {
  success
}

Examples may not include all available fields for a type.

Platform Features: Vuln Risk Intelligence

ScannerCategory

Description

Raw classification categories assigned to vulnerability scanner findings. A single classification may have multiple categories. See ScannerDisplayCategory for the prioritized display version used in UI presentation.

Values
CONFIRMED_EXPLOITABLE
NodeZero confirmed exploitation of this vulnerability during a pentest.
CONTEXTUALLY_EXPLOITABLE
NodeZero did not directly exploit this vulnerability, but achieved remote code execution on the target asset. Informational-severity vulnerabilities are excluded.
DETECTED_ON_HIGH_VALUE_TARGET
The vulnerability was detected on a high-value target asset (e.g. domain controller, database server).
THREAT_ACTOR_DETECTED
The vulnerability is associated with known threat actors.
VULNERABLE_NOT_EXPLOITED
The scanner reported this vulnerability but NodeZero did not exploit it during pentesting.
ASSET_NOT_DISCOVERED
The scanner found this vulnerability on an asset that NodeZero did not discover.
MITIGATED
The vulnerability was previously exploited by NodeZero but was found to be remediated in a subsequent pentest.
Example
"CONFIRMED_EXPLOITABLE"
Platform Features: Vuln Risk Intelligence

ScannerCategoryBreakdown

Description

Aggregate classification counts grouped by composite risk categories. These categories combine multiple ScannerDisplayCategory values for higher-level analysis.

Fields
exploitable - Int!
Total classifications that are confirmed or contextually exploitable.
not_exploitable - Int!
Total classifications that are not confirmed or contextually exploitable.
hvt_or_threat_actor_not_exploitable - Int!
Classifications on high-value targets or with threat actor association that are not exploitable (NOT_EXPLOITED_ON_HVT or NOT_EXPLOITED_THREAT_ACTOR).
scanner_confirmed_exploitable - Int!
Classifications confirmed exploitable that were also reported by the scanner. Excludes vulnerabilities found only by NodeZero.
priority - Int!
Total priority classifications: exploitable, on a high-value target, or associated with a threat actor. 
fragment ScannerCategoryBreakdownFragment on ScannerCategoryBreakdown {
  exploitable
  not_exploitable
  hvt_or_threat_actor_not_exploitable
  scanner_confirmed_exploitable
  priority
}

Examples may not include all available fields for a type.

Platform Features: Vuln Risk Intelligence

ScannerCategoryCount

Description

The number of classifications assigned to a specific ScannerCategory. Since classifications may belong to multiple categories, these counts may not sum to the total.

Fields
category - ScannerCategory!
The raw category being counted.
count - Int!
Number of classifications that include this category. 
fragment ScannerCategoryCountFragment on ScannerCategoryCount {
  category
  count
}

Examples may not include all available fields for a type.

Platform Features: Vuln Risk Intelligence

ScannerClassification

Description

Represents a single vulnerability classification produced by cross-referencing a third-party scanner finding with NodeZero pentest results. Each classification captures the correlation between what the scanner reported and what NodeZero discovered, enabling prioritized remediation based on confirmed exploitability, high-value target exposure, and threat actor association.

Fields
uuid - ID!
Unique identifier for this classification.
vuln_scanner_file_uuid - ID!
UUID of the ScannerFile this classification belongs to.
vuln_scanner_file_data_uuid - ID
UUID of the underlying scanner file data record. Null if this vulnerability was only found by NodeZero.
vuln_scanner_asset_uuid - ID
UUID of the scanner-reported asset. Null if this vulnerability was only found by NodeZero.
finding_evidence_edge_tab_uuid - ID
UUID of the matched NodeZero finding. Null if not found by NodeZero.
categories - [ScannerCategory!]!
All applicable ScannerCategory values for this classification. A classification may belong to multiple categories.
display_category - ScannerDisplayCategory!
The single highest-priority ScannerDisplayCategory for this classification, suitable for UI display.
weakness_name - String
Name of the vulnerability, sourced from NodeZero findings when available, otherwise from the scanner data.
weakness_id - String
Vulnerability identifier such as a CVE ID, NodeZero vulnerability ID, or vendor-specific ID.
risk_score - Float
Risk score on a 0-10 scale. Uses the NodeZero context score when available; falls back to the scanner-reported CVSS score.
risk_severity - String
Severity label derived from the risk_score: CRITICAL, HIGH, MEDIUM, LOW, or INFO.
is_reported_by_scanner - Boolean!
True if the third-party vulnerability scanner reported this finding.
is_reported_by_nodezero - Boolean!
True if NodeZero discovered this vulnerability during a pentest.
weakness_series_uuid - ID
UUID of the associated weakness series for cross-operation tracking. Null if not matched to a NodeZero finding.
host_tab_uuid - ID
UUID of the host where this vulnerability was identified.
asset_uuid - ID
UUID of the asset for cross-operation tracking.
scanned_ip - String!
IP address of the asset as reported by the vulnerability scanner.
scanned_host - String
Hostname of the asset as reported by the vulnerability scanner.
is_high_value_target - Boolean!
True if this vulnerability was detected on a high-value target asset (e.g. domain controller, database server).
threat_actor_ids - [String!]
IDs of threat actors known to exploit this vulnerability.
threat_actors - [ThreatActor!]
Threat actor records associated with this vulnerability.
downstream_impact_types - [String!]
Types of downstream impacts that could result from this vulnerability (e.g. data exfiltration, lateral movement).
downstream_impact_types_and_counts - [String!]
Downstream impact types with associated counts, formatted as Type: N.
business_risks - [String!]
Business risk categories associated with this vulnerability.
nodezero_asset - Asset
The NodeZero asset (tracked across operations) matched to this scanner-reported asset.
weakness_series - WeaknessSeries
The NodeZero weakness series this classification was correlated with, or that was found only by NodeZero on the scanned asset. 
fragment ScannerClassificationFragment on ScannerClassification {
  uuid
  vuln_scanner_file_uuid
  categories
  display_category
  weakness_name
  weakness_id
  risk_score
  risk_severity
  is_reported_by_scanner
  is_reported_by_nodezero
  scanned_ip
  scanned_host
  is_high_value_target
  host_tab_uuid
  asset_uuid
  weakness_series_uuid
  downstream_impact_types
  business_risks
}

Examples may not include all available fields for a type.

Platform Features: Vuln Risk Intelligence

ScannerClassificationFacets

Description

Faceted filter values for scanner classifications. Each facet provides the distinct values present in the current (optionally filtered) dataset along with counts, enabling dynamic filter UIs. See FacetValue.

Fields
page_info - PageInfo
Pagination metadata reflecting any filters applied to the facet query. See PageInfo.
threat_actor_names - [FacetValue]
Distinct threat actor names present in the current dataset, with counts. Each FacetValue includes a prebuilt filter for direct use with PageInput.
business_risk_names - [FacetValue]
Distinct business risk names present in the current dataset, with counts. Each FacetValue includes a prebuilt filter for direct use with PageInput. 
fragment ScannerClassificationFacetsFragment on ScannerClassificationFacets {
  threat_actor_names {
    label
    value
    value_count
  }
  business_risk_names {
    label
    value
    value_count
  }
}

Examples may not include all available fields for a type.

Platform Features: Vuln Risk Intelligence

ScannerClassificationPage

Description

Paginated response containing ScannerClassification records.

Fields
classifications - [ScannerClassification!]!
The list of scanner classification records for the current page.
page_info - PageInfo!
Pagination metadata for the current page. See PageInfo. 
fragment ScannerClassificationPageFragment on ScannerClassificationPage {
  classifications {
    uuid
    display_category
    weakness_name
    weakness_id
    risk_score
    risk_severity
    is_reported_by_scanner
    is_reported_by_nodezero
    scanned_ip
    scanned_host
    is_high_value_target
  }
}

Examples may not include all available fields for a type.

Platform Features: Vuln Risk Intelligence

ScannerClassificationsSummary

Description

Aggregate statistics and breakdowns for scanner classifications within a ScannerFile. Provides multiple views into the data for building dashboards and summary reports.

Fields
counts_by_display_category - [ScannerDisplayCategoryCount!]!
Classification counts grouped by ScannerDisplayCategory. These counts are mutually exclusive and sum to the total.
counts_by_category - [ScannerCategoryCount!]!
Classification counts grouped by raw ScannerCategory. Since a classification can have multiple categories, these counts may exceed the total.
counts_by_severity - [ScannerSeverityCount!]!
Classification counts grouped by ScannerSeverity. These counts are mutually exclusive and sum to the total.
source_breakdown - ScannerSourceBreakdown!
Breakdown showing overlap between scanner and NodeZero findings. See ScannerSourceBreakdown.
category_breakdown - ScannerCategoryBreakdown!
Breakdown by composite risk categories (exploitable, priority, etc.). See ScannerCategoryBreakdown.
counts_by_downstream_impact - [ScannerDownstreamImpactCount!]!
Classification counts grouped by downstream impact type. 
fragment ScannerClassificationsSummaryFragment on ScannerClassificationsSummary {
  counts_by_display_category {
    display_category
    count
  }
  counts_by_severity {
    severity
    count
  }
  source_breakdown {
    found_by_scanner
    found_by_nodezero
    found_by_both
    found_by_scanner_only
    found_by_nodezero_only
  }
  category_breakdown {
    exploitable
    not_exploitable
    priority
  }
  counts_by_downstream_impact {
    impact_type
    count
  }
}

Examples may not include all available fields for a type.

Platform Features: Vuln Risk Intelligence

ScannerDisplayCategory

Description

Priority-ordered display category for scanner classifications. Each classification is assigned exactly one display category (the highest-priority one that applies), making this suitable for mutually exclusive UI presentation. Ordered from highest to lowest severity.

Values
CONFIRMED_EXPLOITABLE
NodeZero confirmed exploitation of this vulnerability during a pentest.
CONTEXTUALLY_EXPLOITABLE
NodeZero achieved remote code execution on the target asset without directly exploiting this vulnerability. Informational-severity vulnerabilities are excluded.
NOT_EXPLOITED_ON_HVT
Not exploited by NodeZero, but detected on a high-value target asset.
NOT_EXPLOITED_THREAT_ACTOR
Not exploited by NodeZero, but associated with known threat actor activity.
ASSET_NOT_DISCOVERED
The scanner found this vulnerability on an asset that NodeZero did not discover.
VULNERABLE_NOT_EXPLOITED
The scanner reported this vulnerability but NodeZero did not exploit it.
MITIGATED
The vulnerability was previously exploited by NodeZero but was found to be remediated in a subsequent pentest.
Example
"CONFIRMED_EXPLOITABLE"
Platform Features: Vuln Risk Intelligence

ScannerDisplayCategoryCount

Description

The number of classifications assigned to a specific ScannerDisplayCategory.

Fields
display_category - ScannerDisplayCategory!
The display category being counted.
count - Int!
Number of classifications in this display category. 
fragment ScannerDisplayCategoryCountFragment on ScannerDisplayCategoryCount {
  display_category
  count
}

Examples may not include all available fields for a type.

Platform Features: Vuln Risk Intelligence

ScannerDownstreamImpactCount

Description

The number of distinct classifications associated with a specific downstream impact type (e.g. data exfiltration, lateral movement).

Fields
impact_type - String!
The downstream impact type name.
count - Int!
Number of distinct classifications associated with this downstream impact type. 
fragment ScannerDownstreamImpactCountFragment on ScannerDownstreamImpactCount {
  impact_type
  count
}

Examples may not include all available fields for a type.

Platform Features: Vuln Risk Intelligence

ScannerFile

Description

Represents an uploaded vulnerability scanner file from a third-party vendor (Qualys, Tenable, or Rapid7). After upload and processing, the file's scanner findings are cross-referenced with NodeZero pentest results to produce ScannerClassification records for risk intelligence analysis.

Fields
uuid - String!
Unique identifier for this scanner file.
vendor - String!
The vulnerability scanner vendor that produced this file (e.g. Qualys, Tenable, Rapid7). See ScannerFileVendor.
file_name - String!
The display name of the scanner file. Defaults to a generated name based on vendor and upload timestamp if not specified during upload.
file_size_bytes - Float
The raw file size in bytes.
file_size_formatted - String
Human-readable file size (e.g. 2.4 MB).
format - ScannerFileFormat
The detected file format. See ScannerFileFormat.
status - ScannerFileStatus!
Current processing status of the scanner file. See ScannerFileStatus.
status_message - String
A detailed message providing additional context about the current status, such as error details for FAILED files.
status_progress - Float
Processing progress indicator from 0 to 100. Only populated when the file is in PROCESSING status.
uploading_started_at - Datetime!
Timestamp when the file upload was initiated.
uploading_ended_at - Datetime
Timestamp when the file upload completed.
processing_started_at - Datetime
Timestamp when risk intelligence processing began.
processing_ended_at - Datetime
Timestamp when risk intelligence processing completed.
expires_at - Datetime
Timestamp when this scanner file expires and can no longer be processed.
classifications_count - Int!
Total count of ScannerClassification records for this file. Accepts an optional PageInput to apply filters before counting.
Arguments
page_input - PageInput
classifications_page - ScannerClassificationPage!
Paginated list of ScannerClassification records for this file.
Arguments
page_input - PageInput
classifications_summary - ScannerClassificationsSummary!
Aggregate statistics and breakdowns for the classifications in this file. See ScannerClassificationsSummary.
Arguments
page_input - PageInput
classifications_facets - ScannerClassificationFacets!
Available filter values with counts for classification faceted navigation. See ScannerClassificationFacets.
Arguments
page_input - PageInput 
fragment ScannerFileFragment on ScannerFile {
  uuid
  vendor
  file_name
  file_size_bytes
  file_size_formatted
  format
  status
  status_message
  status_progress
  uploading_started_at
  uploading_ended_at
  processing_started_at
  processing_ended_at
  expires_at
  classifications_count
}

Examples may not include all available fields for a type.

Platform Features: Vuln Risk Intelligence

ScannerFileFormat

Description

Supported file formats for uploaded vulnerability scanner files.

Values
CSV
Comma-separated values format.
XML
Extensible Markup Language format.
Example
"CSV"
Platform Features: Vuln Risk Intelligence

ScannerFileStatus

Description

Lifecycle status of a vulnerability scanner file as it progresses through upload and risk intelligence processing.

Values
PENDING
The file has been uploaded but risk intelligence processing has not yet been initiated. Call process_scanner_file to begin.
PROCESSING
Risk intelligence processing is currently in progress.
FAILED
Risk intelligence processing encountered an error. The file can be reprocessed.
COMPLETED
Risk intelligence processing completed successfully. Classifications are available.
EXPIRED
The file has passed its expiration date and can no longer be processed.
DUPLICATE
The file was identified as a duplicate of an existing upload.
Example
"PENDING"
Platform Features: Vuln Risk Intelligence

ScannerFileVendor

Description

Supported third-party vulnerability scanner vendors for BYO Scanner file uploads.

Values
Qualys
Qualys vulnerability scanner.
Tenable
Tenable vulnerability scanner.
Rapid7
Rapid7 vulnerability scanner.
Example
"Qualys"
Platform Features: Vuln Risk Intelligence

ScannerFilesPage

Description

Paginated response containing ScannerFile records.

Fields
page_info - PageInfo
Pagination metadata for the current page. See PageInfo.
scanner_files - [ScannerFile!]!
The list of scanner files for the current page. 
fragment ScannerFilesPageFragment on ScannerFilesPage {
  scanner_files {
    uuid
    vendor
    file_name
    file_size_formatted
    format
    status
    status_message
    uploading_started_at
    processing_ended_at
    expires_at
  }
}

Examples may not include all available fields for a type.

Platform Features: Vuln Risk Intelligence

ScannerSeverity

Description

Severity levels for scanner classification risk scores, based on standard CVSS score ranges.

Values
CRITICAL
Critical severity. Risk score is 9.0 or higher.
HIGH
High severity. Risk score is between 7.0 and 8.9.
MEDIUM
Medium severity. Risk score is between 4.0 and 6.9.
LOW
Low severity. Risk score is between 0.1 and 3.9.
INFO
Informational. Risk score is 0 or below.
UNKNOWN
Unknown severity. No risk score is available.
Example
"CRITICAL"
Platform Features: Vuln Risk Intelligence

ScannerSeverityCount

Description

The number of classifications at a specific ScannerSeverity level.

Fields
severity - ScannerSeverity!
The severity level being counted.
count - Int!
Number of classifications at this severity level. 
fragment ScannerSeverityCountFragment on ScannerSeverityCount {
  severity
  count
}

Examples may not include all available fields for a type.

Platform Features: Vuln Risk Intelligence

ScannerSourceBreakdown

Description

Breakdown of classification counts by detection source, showing the overlap between the third-party vulnerability scanner and NodeZero pentest findings.

Fields
found_by_scanner - Int!
Total classifications found by the scanner, including those also found by NodeZero.
found_by_nodezero - Int!
Total classifications found by NodeZero, including those also found by the scanner.
found_by_both - Int!
Classifications found by both the scanner and NodeZero.
found_by_scanner_only - Int!
Classifications found exclusively by the scanner and not by NodeZero.
found_by_nodezero_only - Int!
Classifications found exclusively by NodeZero and not by the scanner. 
fragment ScannerSourceBreakdownFragment on ScannerSourceBreakdown {
  found_by_scanner
  found_by_nodezero
  found_by_both
  found_by_scanner_only
  found_by_nodezero_only
}

Examples may not include all available fields for a type.

Platform Features: Vuln Risk Intelligence

UpdateScannerFileInput

Description

Input for the update_scanner_file mutation.

Fields
scanner_file_uuid - String!
UUID of the scanner file to update.
file_name - String
New display name to assign to the scanner file. 
mutation UpdateScannerFileExample(
  $input: UpdateScannerFileInput = {
    scanner_file_uuid: "1234abcd-1234-abcd-1234-abcd1234abcd"
    file_name: "qualys-scan-2024-01-renamed.csv"
  }
) {
  update_scanner_file(input: $input) {
    success
    scanner_file {
      uuid
      file_name
    }
  }
}

Examples may not include all available fields for a type.

Platform Features: Vuln Risk Intelligence

UpdateScannerFileOutput

Description

Output from the update_scanner_file mutation.

Fields
success - Boolean!
True if the scanner file was successfully updated.
scanner_file - ScannerFile!
The updated ScannerFile with the new metadata applied. 
fragment UpdateScannerFileOutputFragment on UpdateScannerFileOutput {
  success
  scanner_file {
    uuid
    vendor
    file_name
    status
  }
}

Examples may not include all available fields for a type.

Platform Features: Vuln Risk Intelligence

UploadScannerFileInput

Description

Input for the upload_scanner_file mutation.

Fields
vendor - ScannerFileVendor!
The vendor that produced the scanner file. See ScannerFileVendor.
file_name - String
Optional display name for the file. If omitted, a name is generated from the vendor and upload timestamp.
file_size_in_bytes - Float
The file size in bytes. Used for display purposes. 
mutation UploadScannerFileExample(
  $input: UploadScannerFileInput = {
    vendor: Qualys
    file_name: "qualys-scan-2024-01.csv"
    file_size_in_bytes: 2048576
  }
) {
  upload_scanner_file(input: $input) {
    scanner_file_uuid
    upload_url
  }
}

Examples may not include all available fields for a type.

Platform Features: Vuln Risk Intelligence

UploadScannerFileOutput

Description

Output from the upload_scanner_file mutation.

Fields
scanner_file_uuid - String!
Unique identifier assigned to the newly created scanner file record.
upload_url - String!
Presigned URL for uploading the file content. Issue an HTTP PUT request to this URL with the file data in the request body. 
fragment UploadScannerFileOutputFragment on UploadScannerFileOutput {
  scanner_file_uuid
  upload_url
}

Examples may not include all available fields for a type.

Platform Features: CSV Format

These types document the format of CSV exports available from various queries in the API.

ActionLogCSV

Description

String scalar type representing a ActionLogCSV row with columns:

  • IP: String
  • ModuleName: String
  • Cmd: String
  • StartTime: String
  • EndTime: String
  • Targets: String
  • MitreTactics: String
  • OpID: String
Example
ActionLogCSV
Platform Features: CSV Format

ActiveDirPasswordCSV

Description

String scalar type representing a ActiveDirPasswordCSV row with columns:

  • Score: Float
  • Severity: String
  • Username: String
  • UserStatus: String
  • HashMasked: String
  • CleartextMasked: String
  • PasswordLength: String
  • Cracked: Boolean
  • CrackMethod: String
  • CrackMethodLabel: String
  • PasswordRank: String
  • PasswordRankLabel: String
  • UsersWithSimilarPassword: String
  • NumSimilarPassword: Int
  • PwdLastSet: String
  • LDAPDomainName: String
  • Hostname: String
  • IP: String
  • OpID: String
Example
ActiveDirPasswordCSV
Platform Features: CSV Format

CertificateCSV

Description

String scalar type representing a CertificateCSV row with columns:

  • FirstSeen: Datetime
  • Vhost: String
  • IP: String
  • Port: Int
  • Expiration: String
  • Issuer: String
  • CommonName: String
  • AltNames: String
  • AltNamesList: String
  • Signed: String
  • OpID: String
Example
CertificateCSV
Platform Features: CSV Format

CredentialCSV

Description

String scalar type representing a CredentialCSV row with columns:

  • FirstSeen: Datetime
  • CredType: String
  • CredSource: String
  • UserName: String
  • Cleartext: String
  • Role: String
  • Confirmed: Boolean
  • Hostname: String
  • VhostName: String
  • IP: String
  • Port: Int
  • Protocol: String
  • IPAddresses: String
  • ServiceType: String
  • Service: String
  • LDAPDomain: String
  • AzureDomain: String
  • UserGroups: String
  • UserCloudRoles: String
  • LoginFormUrl: String
  • OS: String
  • Hardware: String
  • Device: String
  • Product: String
  • Permissions: String
  • Injected: String
  • Cracked: Boolean
  • Anon: Boolean
  • Hash: String
  • HashType: String
  • RiskScore: Float
  • RiskScoreDescription: String
  • OpID: String
  • ProvenEntityEid: String
  • BusinessRisks: String
Example
CredentialCSV
Platform Features: CSV Format

DatabaseRepoCSV

Description

String scalar type representing a DatabaseRepoCSV row with columns:

  • UUID: String
  • EntityType: String
  • FirstSeen: Datetime
  • Name: String
  • Service: String
  • ServiceType: String
  • Product: String
  • IP: String
  • Uri: String
  • Hostname: String
  • ProtocolPort: String
  • NumDataResources: Int
  • PermissionsList: String
  • Permissions: String
  • Authenticated: Boolean
  • Score: Float
  • Severity: String
  • ContextScoreDescription: String
  • OpID: String
Example
DatabaseRepoCSV
Platform Features: CSV Format

DockerRegistryCSV

Description

String scalar type representing a DockerRegistryCSV row with columns:

  • UUID: String
  • EntityType: String
  • FirstSeen: Datetime
  • Name: String
  • Service: String
  • ServiceType: String
  • Product: String
  • IP: String
  • Hostname: String
  • ProtocolPort: String
  • NumDataResources: Int
  • PermissionsList: String
  • Permissions: String
  • Authenticated: Boolean
  • Score: Float
  • Severity: String
  • ContextScoreDescription: String
  • OpID: String
Example
DockerRegistryCSV
Platform Features: CSV Format

EDROverviewHostCSV

Description

String scalar type representing a EDROverviewHostCSV row with columns:

  • UUID: String
  • Score: Float
  • Severity: String
  • IP: String
  • HostNames: String
  • EDRVendors: String
  • UnblockedEvents: Int
  • MitreAttackTactics: String
  • DownstreamImpacts: String
  • IsDomainController: Boolean
  • IsPublic: Boolean
  • IsDatabaseServer: Boolean
  • IsLoadBalancer: Boolean
  • IsMailServer: Boolean
  • IsVPN: Boolean
  • IsWAF: Boolean
  • IsK8sNode: Boolean
  • IsK8sService: Boolean
  • IsK8sPod: Boolean
Example
EDROverviewHostCSV
Platform Features: CSV Format

ExternalDomainCSV

Description

String scalar type representing a ExternalDomainCSV row with columns:

  • Name: String
  • TldName: String
  • Reachable: Boolean
  • InScope: String
  • CNAMEs: String
  • CnamesList: String
  • Ips: String
  • IpsList: String
  • CloudProviders: String
  • CloudProvidersList: String
  • CloudServices: String
  • CloudServicesList: String
  • CloudRegions: String
  • CloudRegionsList: String
  • Organizations: String
  • OrganizationsList: String
  • Isps: String
  • IspsList: String
  • Asns: String
  • AsnsList: String
  • Countries: String
  • CountriesList: String
  • DNSHostnames: String
  • DNSHostnamesList: String
  • CertificateIssuers: String
  • CertificateIssuersList: String
  • OpID: String
Example
ExternalDomainCSV
Platform Features: CSV Format

ExternalDomainXopCSV

Description

String scalar type representing a ExternalDomainXopCSV row with columns:

  • Name: String
  • IP: String
  • Status: String
  • IpType: String
  • Reachable: Boolean
  • Isp: String
  • Organization: String
  • LastSeen: String
  • FirstSeen: String
  • AssetType: String
  • Aliases: String
  • Ips: String
  • TldInScope: Boolean
Example
ExternalDomainXopCSV
Platform Features: CSV Format

FileShareCSV

Description

String scalar type representing a FileShareCSV row with columns:

  • UUID: String
  • EntityType: String
  • FirstSeen: Datetime
  • Name: String
  • Service: String
  • ServiceType: String
  • Product: String
  • IP: String
  • Hostname: String
  • ProtocolPort: String
  • NumDataResources: Int
  • PermissionsList: String
  • Permissions: String
  • Authenticated: Boolean
  • Score: Float
  • Severity: String
  • ContextScoreDescription: String
  • OpID: String
Example
FileShareCSV
Platform Features: CSV Format

GitRepoCSV

Description

String scalar type representing a GitRepoCSV row with columns:

  • UUID: String
  • EntityType: String
  • Name: String
  • GitAccountName: String
  • GitAccountType: String
  • GitAccountSource: String
  • NumGitRepoSensitiveFindings: Int
  • Score: Float
  • Severity: String
  • OpID: String
Example
GitRepoCSV
Platform Features: CSV Format

HostCSV

Description

String scalar type representing a HostCSV row with columns:

  • FirstSeen: Datetime
  • Subnet: String
  • SubnetSource: String
  • IP: String
  • Hostname: String
  • DNSHostnames: String
  • LDAPHostname: String
  • InScope: Boolean
  • OS: String
  • Hardware: String
  • Device: String
  • NumWeaknesses: Int
  • NumConfirmedWeaknesses: Int
  • NumDataResources: Int
  • NumCredentials: Int
  • NumConfirmedCredentials: Int
  • NumServices: Int
  • NumWebShares: Int
  • RiskScore: Float
  • RiskScoreDescription: String
  • OpID: String
  • BusinessRisks: String
Example
HostCSV
Platform Features: CSV Format

HostXopCSV

Description

String scalar type representing a HostXopCSV row with columns:

  • IP: String
  • Status: String
  • Domains: String
  • ThirdPartyAliases: String
  • AssetType: String
  • Isp: String
  • Organization: String
  • LastSeen: Datetime
  • FirstSeen: String
  • Asn: String
  • OpID: String
Example
HostXopCSV
Platform Features: CSV Format

ImpactCSV

Description

String scalar type representing a ImpactCSV row with columns:

  • Score: Float
  • Severity: String
  • ImpactType: String
  • Name: String
  • AffectedAsset: String
  • IP: String
  • Hostname: String
  • TimeToCompromise: String
  • BusinessRisks: String
Example
ImpactCSV
Platform Features: CSV Format

S3BucketCSV

Description

String scalar type representing a S3BucketCSV row with columns:

  • UUID: String
  • EntityType: String
  • Name: String
  • AwsAccountID: String
  • CloudServiceName: String
  • CloudProviderName: String
  • ServiceType: String
  • NumDataResources: Int
  • PermissionsList: String
  • AwsAnonymousUserPermissionsList: String
  • AwsCrossAccountUserPermissionsList: String
  • Score: Float
  • Severity: String
  • OpID: String
Example
S3BucketCSV
Platform Features: CSV Format

ScannerClassificationCSV

Description

String scalar type representing a ScannerClassificationCSV row with columns:

  • UUID: String
  • WeaknessName: String
  • WeaknessID: String
  • RiskScore: Float
  • RiskSeverity: String
  • Categories: String
  • IP: String
  • Host: String
  • Status: String
  • MarkedAs: String
  • DownstreamImpactTypes: String
  • BusinessRisks: String
  • AttackPath: Int
  • ThreatActors: String
  • Mitigations: String
  • References: String
Example
ScannerClassificationCSV
Platform Features: CSV Format

ServiceCSV

Description

String scalar type representing a ServiceCSV row with columns:

  • FirstSeen: Datetime
  • Hostname: String
  • IP: String
  • Port: Int
  • Protocol: String
  • Service: String
  • ServiceType: String
  • Product: String
  • OS: String
  • Hardware: String
  • Device: String
  • LDAPHostname: String
  • VhostNames: String
  • NumWeaknesses: Int
  • NumCredentials: Int
  • NumDataResources: Int
  • RiskScore: Float
  • RiskScoreDescription: String
  • NonStandardPort: Boolean
  • Enumerated: Boolean
  • DNSServer: Boolean
  • DomainController: Boolean
  • MailServer: Boolean
  • OpID: String
Example
ServiceCSV
Platform Features: CSV Format

ShareCSV

Description

String scalar type representing a ShareCSV row with columns:

  • Score: Float
  • Severity: String
  • DataStoreType: String
  • ServiceType: String
  • Address: String
  • Account: String
  • IP: String
  • Port: Int
  • Protocol: String
  • Hostname: String
  • DNSAddress: String
  • ARN: String
  • Permissions: String
  • NumDataResources: Int
  • NumSensitiveResources: Int
  • NumSensitiveDataItem: Int
  • SensitiveDataItemTypes: String
  • Authenticated: Boolean
  • CreatedAt: Datetime
  • OpID: String
  • BusinessRisks: String
Example
ShareCSV
Platform Features: CSV Format

TicketCSV

Description

String scalar type representing a TicketCSV row with columns:

  • UUID: String
  • AssignedBy: String
  • Status: String
  • Severity: String
  • TicketName: String
  • WeaknessID: String
  • WeaknessName: String
  • AssetCount: Int
  • CreatedAt: Datetime
  • LastUpdated: Datetime
  • SyncSystem: String
  • SyncDate: Datetime
  • ExternalID: String
Example
TicketCSV
Platform Features: CSV Format

UserCSV

Description

String scalar type representing a UserCSV row with columns:

  • Name: String
  • Compromised: Boolean
  • Source: String
  • Hostname: String
  • VhostName: String
  • IP: String
  • Role: String
  • LocalAdmin: Boolean
  • DomainAdmin: Boolean
  • LDAPDomainName: String
  • AzureDomainName: String
  • GroupNames: String
  • CloudRoleNames: String
  • OpID: String
Example
UserCSV
Platform Features: CSV Format

WeaknessCSV

Description

String scalar type representing a WeaknessCSV row with columns:

  • WeaknessID: String
  • FirstSeen: Datetime
  • Name: String
  • RootCause: String
  • Severity: String
  • ContextScore: Float
  • ContextScoreDescription: String
  • Confirmed: Boolean
  • Hostname: String
  • CNAME: String
  • OS: String
  • IP: String
  • Port: Int
  • Protocol: String
  • ProtocolPort: String
  • Service: String
  • ServiceType: String
  • Product: String
  • OpID: String
  • Description: String
  • AssetID: String
  • AllHostnames: String
  • Repo: String
  • Vhost: String
  • ResourceUri: String
  • UserName: String
  • UserDomainName: String
  • ProvenEntityEid: String
  • Impact: String
  • Mitigations: String
  • References: String
  • ThreatActors: String
  • BusinessRisks: String
Example
WeaknessCSV
Platform Features: CSV Format

WeaknessSeriesCSV

Description

String scalar type representing a WeaknessSeriesCSV row with columns:

  • UUID: String
  • WeaknessName: String
  • WeaknessID: String
  • AffectedAsset: String
  • WeaknessCategory: String
  • Status: String
  • NoteStatus: String
  • NoteText: String
  • Severity: String
  • Verifiable: Boolean
  • LatestOpID: String
  • IP: String
  • FirstSeen: Datetime
  • LastSeen: String
Example
WeaknessSeriesCSV
Platform Features: CSV Format

WebShareCSV

Description

String scalar type representing a WebShareCSV row with columns:

  • FirstSeen: Datetime
  • Vhost: String
  • IP: String
  • Port: Int
  • Protocol: String
  • Hostname: String
  • OS: String
  • Service: String
  • ServiceType: String
  • Product: String
  • NumDataResources: Int
  • OpID: String
Example
WebShareCSV

Admin

Administrative APIs for your Horizon3.ai account. View your account settings and the client accounts you have access to. For Managed Service Providers (MSPs), view aggregated data across your subclient accounts.

Admin: Account Management

View account settings and organizational configuration.

session_user_account

Description

Returns the UserAccount for the currently authenticated user, including their profile information and role within the current ClientAccount.

Response

Returns a UserAccount 

query SessionUserAccount {
  session_user_account {
    ...UserAccountFragment
  }
}

fragment UserAccountFragment on UserAccount {
  uuid
  email
  name
  user_role_id
  sign_in_type
  last_signed_in_at
  has_tripwires_access
  has_rapid_response_access
  has_unread_notifications_by_type
}

Examples may not include all available fields for a type.

Admin: Account Management

client_accounts_count

Description

Returns the number of ClientAccount records accessible by the currently authenticated user. Supports filtering via page_input.

Response

Returns an Int!

Arguments
page_input - PageInput 
query ClientAccountsCount($page_input: PageInput) {
  client_accounts_count(page_input: $page_input)
}

Examples may not include all available fields for a type.

Admin: Account Management

client_accounts_page

Description

Returns a paginated list of ClientAccount records that the currently authenticated user has access to. Use exclude_user_roles to omit accounts where the user holds a specific role (e.g., exclude accounts where the user is READONLY).

Response

Returns a ClientAccountsPage!

Arguments
page_input - PageInput
exclude_user_roles - [AuthzRole] 
query ClientAccountsPage($page_input: PageInput) {
  client_accounts_page(page_input: $page_input) {
    client_accounts {
      ...ClientAccountFragment
    }
  }
}

fragment ClientAccountFragment on ClientAccount {
  uuid
  company_name
  company_short_name
  session_user_role_id
  company_logo_url
  tripwires_enabled
  assets_count
  internal_assets_count
  external_assets_count
  row_created_at
}

Examples may not include all available fields for a type.

Admin: Account Management

ClientAccount

Description

Represents an organization (tenant) on the platform. Each client account has an isolated database for security data. Accounts may be organized in parent-child hierarchies for MSP and Consulting+ (C_PLUS) deployments, where a parent account manages multiple subclient accounts.

Fields
uuid - String!
Unique identifier of the client account.
parent_uuid - String
Unique identifier of the parent client account, if this is a subclient account. Returns null for top-level accounts.
child_client_accounts - [ClientAccount!]!
List of subclient accounts managed by this parent account. Requires multi-tenancy to be enabled; returns an empty list otherwise. Only subclient accounts the current user has access to are included.
child_client_accounts_page - ClientAccountsPage!
Paginated list of subclient accounts managed by this parent account. Requires multi-tenancy to be enabled. Returns a ClientAccountsPage.
Arguments
page_input - PageInput
child_client_accounts_count - Int!
Number of subclient accounts managed by this parent account. Requires multi-tenancy to be enabled; returns 0 otherwise.
Arguments
page_input - PageInput
company_name - String!
Full legal name of the company associated with this client account.
company_short_name - String!
Abbreviated name of the company, typically used in reports and dashboard labels.
company_logo_url - String
Pre-signed URL for the company's primary logo image. The URL expires after one hour.
secondary_company_logo_url - String
Pre-signed URL for the company's secondary logo image. The URL expires after one hour.
company_colors - [BrandColor!]
The white-label BrandColor scheme for this account, containing primary and secondary brand colors used in co-branded reports.
white_label_reports_enabled - Boolean
Whether co-branded (white-label) reports are enabled for this client account.
white_label_reports_cascade - Boolean
Whether the co-branded report settings from this account are cascaded to its subclient accounts.
row_created_at - Datetime
Timestamp when the client account was created, in ISO 8601 format (UTC).
session_user_role_id - AuthzRole
The AuthzRole of the currently authenticated user in this client account. Returns null if the user does not have access to this specific account.
tripwires_enabled - Boolean!
Whether NodeZero Tripwires is enabled for this client account. When enabled, the account can deploy and monitor tripwires to detect attacker activity.
assets_count - Int
Total number of tracked assets for this client account. Does not include assets from subclient accounts.
internal_assets_count - Int
Number of internal (on-premises / LAN) assets tracked for this client account. Does not include assets from subclient accounts.
external_assets_count - Int
Number of external (internet-facing) assets tracked for this client account. Does not include assets from subclient accounts. 
fragment ClientAccountFragment on ClientAccount {
  uuid
  parent_uuid
  company_name
  company_short_name
  company_logo_url
  secondary_company_logo_url
  company_colors {
    type
    color
  }
  white_label_reports_enabled
  white_label_reports_cascade
  session_user_role_id
  tripwires_enabled
  assets_count
  internal_assets_count
  external_assets_count
  row_created_at
}

Examples may not include all available fields for a type.

Admin: Account Management

UserAccount

Description

A user's identity and profile on the platform. Users are identified by their email address and may have access to multiple ClientAccounts with different AuthzRoles in each. A user may also have multiple SignInTypes configured (e.g., BASIC, GOOGLE, SSO).

Fields
uuid - String
Unique identifier of the user account.
email - EmailAddress
The user's email address, which serves as their unique login identifier across the platform.
name - String
Full name of the user.
user_role_id - AuthzRole
The AuthzRole assigned to this user within the calling user's ClientAccount.
sign_in_type - SignInType
The SignInType (authentication method) used by this specific user account, such as BASIC, GOOGLE, MICROSOFT, or SSO.
last_signed_in_at - Datetime
Timestamp of the most recent sign-in by this user within the calling user's ClientAccount, in ISO 8601 format (UTC).
has_unread_notifications_by_type - [NotificationType]!
Returns the list of notification types that have unread notifications for this user in their current client account. An empty list indicates all notifications have been read.
has_tripwires_access - Boolean!
Whether this user has access to the Tripwires product in their current ClientAccount. Users with Tripwires access can query tripwire data and receive notifications when tripwires detect activity.
has_rapid_response_access - Boolean!
Whether this user is authorized to receive Rapid Response notifications about evidence of breaking vulnerabilities in their current ClientAccount. 
fragment UserAccountFragment on UserAccount {
  uuid
  email
  name
  user_role_id
  sign_in_type
  last_signed_in_at
  has_tripwires_access
  has_rapid_response_access
  has_unread_notifications_by_type
}

Examples may not include all available fields for a type.

Admin: Account Management

APIKey

Description

An API key used for programmatic access to the GraphQL API. API keys are associated with a specific ClientAccount and UserAccount, and carry the permissions of the assigned role.

Fields
uuid - String!
Unique identifier for the API key.
api_key - String
The full API key value (base64-encoded). This field is only populated in the response when the API key is first created. It cannot be retrieved again after creation.
h3_cli_install_command - String

A shell command that installs the h3-cli and configures it to use this API key. Only populated when the API key is first created.

starts_with - String!
The leading characters of the API key, useful for identifying a specific key without exposing the full value.
created_at - Datetime!
Timestamp when the API key was created, in ISO 8601 format (UTC).
last_accessed_at - Datetime
Timestamp of the most recent API request made with this key, in ISO 8601 format (UTC). Returns null if the key has never been used. 
fragment APIKeyFragment on APIKey {
  uuid
  api_key
  h3_cli_install_command
  starts_with
  created_at
  last_accessed_at
}

Examples may not include all available fields for a type.

Admin: Account Management

AccessLevel

Description

The access level of a ClientAccount, which determines the tier of features and capabilities available to the organization.

Values
FREE_TRIAL
Free trial access. New accounts start at this level, which provides limited access for 30 days before transitioning to READONLY.
READONLY
Read-only access. The account can view existing data but cannot initiate new pentests or modify configurations.
FULL
Full access with all standard platform features enabled.
POV
Proof-of-value access. Similar to FULL but intended for managed clients evaluating the product. Transitions to READONLY after 30 days.
C_PLUS
Consulting+ access. Includes full platform features with licensing limits and support for subclient account hierarchies.
MSP
Managed Service Provider access. Designed for MSPs managing multiple subclient accounts, with asset-based billing and no limit on concurrent pentests.
FLEX
Flexible access with asset-based billing. Supports on-demand pentests with cumulative asset counting across operations.
Example
"FREE_TRIAL"
Admin: Account Management

AuthzRole

Description

The authorization role assigned to a user within a specific ClientAccount. A user's role determines their permissions and may differ across client accounts they have access to.

Values
USER
Standard user role with permissions to run pentests, view results, and manage configurations within the client account. Cannot manage other users or account settings.
READONLY
Read-only user role. Can view pentest results and account data but cannot initiate pentests, modify configurations, or manage users.
ORG_ADMIN
Organizational administrator role with full permissions within the client account, including user management, account configuration, and subclient management for MSP accounts.
NODEZERO_RUNNER
Role used by the h3-cli to configure and manage an automated Runner for NodeZero. Grants permissions to register runners and execute pentest deployments.
NODEZERO_OPERATOR
Role used by the NodeZero Kubernetes Operator to access the API when provisioning Runners or pentests within a Kubernetes cluster.
PHISHER
Role used for pentests that include phishing scenarios, enabling the submission of phished credentials to the platform.
Example
"USER"
Admin: Account Management

BrandColor

Description

A brand color in a ClientAccount's white-label color scheme. Used for co-branded reports and portal customization.

Fields
type - BrandColorType!
Whether this is the primary or secondary brand color.
color - HexColor!
The color value in hexadecimal notation. 
fragment BrandColorFragment on BrandColor {
  type
  color
}

Examples may not include all available fields for a type.

Admin: Account Management

BrandColorType

Description

Identifies a brand color as either the primary or secondary color in a ClientAccount's white-label color scheme.

Values
primary
The primary brand color, used as the main accent color in co-branded reports and portal elements.
secondary
The secondary brand color, used as a complementary color in co-branded reports and portal elements.
Example
"primary"
Admin: Account Management

ClientAccountsPage

Description

A paginated list of ClientAccount records. Returned by client_accounts_page.

Fields
page_info - PageInfo
Pagination metadata including total count and cursor information.
client_accounts - [ClientAccount!]!
The list of ClientAccount records for the current page. 
fragment ClientAccountsPageFragment on ClientAccountsPage {
  page_info {
    page_num
    page_size
  }
  client_accounts {
    uuid
    company_name
    company_short_name
    session_user_role_id
    row_created_at
  }
}

Examples may not include all available fields for a type.

Admin: Account Management

HexColor

Description

A string representing a color in hexadecimal notation (e.g., #def or #bb032d). Used for white-label BrandColor customization.

Example
"#bb032d"
Admin: Account Management

SignInType

Description

The authentication method used by a UserAccount to sign in to the platform. A single user (identified by email) may have multiple sign-in types available.

Values
BASIC
Standard authentication using a username (email) and password managed by the platform.
GOOGLE
Federated authentication via Google identity provider.
LINKED_IN
Federated authentication via LinkedIn identity provider.
MICROSOFT
Federated authentication via Microsoft identity provider.
SSO
Single Sign-On authentication through a customer-configured identity provider (e.g., Okta, Azure AD).
Example
"BASIC"

Admin: MSP

For Managed Service Providers (MSPs), view aggregated data across your subclient accounts.

subclient_account_summaries

Description

Returns a list of SubclientAccountSummary records containing all-time usage metrics (ops count, sign-in counts, user counts, etc.) for each subclient under the current user's parent account. Set include_parent to true to include the parent account's own metrics. Requires multi-tenancy to be enabled; returns an empty list otherwise.

Response

Returns [SubclientAccountSummary!]!

Arguments
include_parent - Boolean
page_input - PageInput 
query SubclientAccountSummaries($include_parent: Boolean, $page_input: PageInput) {
  subclient_account_summaries(include_parent: $include_parent, page_input: $page_input) {
    ...SubclientAccountSummaryFragment
  }
}

fragment SubclientAccountSummaryFragment on SubclientAccountSummary {
  client_account_uuid
  company_name
  enrolled_date
  ops_count
  successfully_launched_ops_count
  first_op_date
  last_op_date
  uniq_ips_count
  users_count
  user_sign_ins_count
  first_sign_in_date
  last_sign_in_date
}

Examples may not include all available fields for a type.

Admin: MSP

user_summaries_for_subclient_accounts

Description

Returns a list of ClientAccountUserSummary records showing per-user sign-in activity for each subclient account. Set include_parent to true to include users from the parent account. Requires multi-tenancy to be enabled; returns an empty list otherwise.

Response

Returns [ClientAccountUserSummary!]!

Arguments
include_parent - Boolean
page_input - PageInput 
query UserSummariesForSubclientAccounts($include_parent: Boolean, $page_input: PageInput) {
  user_summaries_for_subclient_accounts(include_parent: $include_parent, page_input: $page_input) {
    ...ClientAccountUserSummaryFragment
  }
}

fragment ClientAccountUserSummaryFragment on ClientAccountUserSummary {
  company_name
  user_email
  company_linkedin_url
  sign_in_count
  first_sign_in_date
  last_sign_in_date
}

Examples may not include all available fields for a type.

Admin: MSP

impact_summaries_for_subclient_accounts

Description

Returns a list of ClientAccountImpactSummary records aggregating attack path impacts by type for each subclient account. Each record shows how many pentests observed the impact and the total count of attack paths. Set include_parent to true to include the parent account. Requires multi-tenancy to be enabled; returns an empty list otherwise.

Response

Returns [ClientAccountImpactSummary!]!

Arguments
include_parent - Boolean
page_input - PageInput 
query ImpactSummariesForSubclientAccounts($include_parent: Boolean, $page_input: PageInput) {
  impact_summaries_for_subclient_accounts(include_parent: $include_parent, page_input: $page_input) {
    ...ClientAccountImpactSummaryFragment
  }
}

fragment ClientAccountImpactSummaryFragment on ClientAccountImpactSummary {
  client_account_uuid
  impact_type
  first_seen_date
  last_seen_date
  ops_count
  impact_paths_count
}

Examples may not include all available fields for a type.

Admin: MSP

weakness_summaries_for_subclient_accounts

Description

Returns a list of ClientAccountWeaknessSummary records aggregating weakness occurrences by vulnerability ID for each subclient account. Set include_parent to true to include the parent account. Requires multi-tenancy to be enabled; returns an empty list otherwise.

Response

Returns [ClientAccountWeaknessSummary!]!

Arguments
include_parent - Boolean
page_input - PageInput 
query WeaknessSummariesForSubclientAccounts($include_parent: Boolean, $page_input: PageInput) {
  weakness_summaries_for_subclient_accounts(include_parent: $include_parent, page_input: $page_input) {
    ...ClientAccountWeaknessSummaryFragment
  }
}

fragment ClientAccountWeaknessSummaryFragment on ClientAccountWeaknessSummary {
  company_name
  vuln_id
  first_seen_date
  last_seen_date
  first_op_id
  last_op_id
  ops_count
  weaknesses_count
}

Examples may not include all available fields for a type.

Admin: MSP

cpe_strings_for_subclient_accounts

Description

Returns a list of ClientAccountCPEString records containing Common Platform Enumeration (CPE) data for each endpoint discovered across subclient accounts. CPE strings provide standardized identification of hardware, operating systems, and software on network endpoints. Set include_parent to true to include the parent account. Requires multi-tenancy to be enabled; returns an empty list otherwise.

Response

Returns [ClientAccountCPEString!]!

Arguments
include_parent - Boolean
page_input - PageInput 
query CPEStringsForSubclientAccounts($include_parent: Boolean, $page_input: PageInput) {
  cpe_strings_for_subclient_accounts(include_parent: $include_parent, page_input: $page_input) {
    ...ClientAccountCPEStringFragment
  }
}

fragment ClientAccountCPEStringFragment on ClientAccountCPEString {
  client_account_company_name
  op_id
  endpoint_created_at_date
  ip
  cpe
  os_vendors
  os_products
  os_versions
}

Examples may not include all available fields for a type.

Admin: MSP

overall_summary_for_subclient_accounts

Description

Returns an OverallSummarySubclientAccounts record with high-level aggregated metrics (total ops, weaknesses, attack paths, etc.) across all subclient accounts. Set include_parent to true to include the parent account's own metrics. Requires multi-tenancy to be enabled; returns an empty list otherwise.

Response

Returns an OverallSummarySubclientAccounts

Arguments
include_parent - Boolean 
query OverallSummaryForSubclientAccounts($include_parent: Boolean) {
  overall_summary_for_subclient_accounts(include_parent: $include_parent) {
    ...OverallSummarySubclientAccountsFragment
  }
}

fragment OverallSummarySubclientAccountsFragment on OverallSummarySubclientAccounts {
  enrolled_clients_count
  non_empty_ops_count
  ops_count
  hosts_or_unique_ips_scanned_count
  impact_paths_count
  weaknesses_count
  weaknesses_mitigated_count
  total_duration_of_ops_seconds
}

Examples may not include all available fields for a type.

Admin: MSP

ClientAccountCPEString

Description

Common Platform Enumeration (CPE) data for an endpoint discovered in a subclient account's pentest. CPE is a standardized naming scheme for identifying hardware and software. Returned by cpe_strings_for_subclient_accounts.

Fields
client_account_company_name - String
Company name of the subclient account where this endpoint was discovered.
op_id - String
Identifier of the pentest (op) in which this endpoint was observed.
endpoint_created_at_date - Date
Date when this endpoint record was created.
ip - String
IP address of the endpoint.
cpe - String
Full CPE string identifying the endpoint's software or hardware stack.
hw_vendors - [String]
Hardware vendor names extracted from the CPE.
hw_products - [String]
Hardware product names extracted from the CPE.
hw_devices - [String]
Hardware device types extracted from the CPE.
hw_versions - [String]
Hardware version strings extracted from the CPE.
hw_models - [String]
Hardware model identifiers extracted from the CPE.
hw_families - [String]
Hardware family classifications extracted from the CPE.
hw_cpes - [String]
Full hardware CPE strings for this endpoint.
os_vendors - [String]
Operating system vendor names extracted from the CPE.
os_architectures - [String]
Operating system CPU architectures extracted from the CPE (e.g., x86_64, ARM).
os_products - [String]
Operating system product names extracted from the CPE.
os_versions - [String]
Operating system version strings extracted from the CPE.
os_editions - [String]
Operating system edition identifiers extracted from the CPE.
os_builds - [String]
Operating system build numbers extracted from the CPE.
os_families - [String]
Operating system family classifications extracted from the CPE (e.g., Linux, Windows).
os_devices - [String]
Operating system device types extracted from the CPE.
os_languages - [String]
Operating system language identifiers extracted from the CPE.
os_cpes - [String]
Full operating system CPE strings for this endpoint. 
fragment ClientAccountCPEStringFragment on ClientAccountCPEString {
  client_account_company_name
  op_id
  endpoint_created_at_date
  ip
  cpe
  os_vendors
  os_products
  os_versions
}

Examples may not include all available fields for a type.

Admin: MSP

ClientAccountImpactSummary

Description

Aggregated summary of attack path impacts for a subclient account, grouped by impact type. Each record represents a unique combination of subclient and impact type. Returned by impact_summaries_for_subclient_accounts.

Fields
client_account_uuid - String
Unique identifier of the subclient ClientAccount.
impact_type - String
The category of impact observed (e.g., data exfiltration, lateral movement).
first_seen_date - Date
Date when this impact type was first observed in a pentest for the subclient.
last_seen_date - Date
Date when this impact type was most recently observed in a pentest for the subclient.
ops_count - Int
Number of pentests in which this impact type was observed.
impact_paths_count - Int
Total number of attack paths associated with this impact type across all pentests. 
fragment ClientAccountImpactSummaryFragment on ClientAccountImpactSummary {
  client_account_uuid
  impact_type
  first_seen_date
  last_seen_date
  ops_count
  impact_paths_count
}

Examples may not include all available fields for a type.

Admin: MSP

ClientAccountUserSummary

Description

Per-user activity summary for a subclient account, showing sign-in frequency and recency. Each record represents a unique user within a specific subclient. Returned by user_summaries_for_subclient_accounts.

Fields
company_name - String!
Company name of the subclient account this user belongs to.
user_email - String
Email address of the user.
company_linkedin_url - String
LinkedIn URL of the subclient's company.
sign_in_count - Int
Total number of times this user has signed in to the subclient account, all-time.
first_sign_in_date - Datetime
Timestamp of this user's first sign-in to the subclient account, in ISO 8601 format (UTC).
last_sign_in_date - Datetime
Timestamp of this user's most recent sign-in to the subclient account, in ISO 8601 format (UTC). 
fragment ClientAccountUserSummaryFragment on ClientAccountUserSummary {
  company_name
  user_email
  company_linkedin_url
  sign_in_count
  first_sign_in_date
  last_sign_in_date
}

Examples may not include all available fields for a type.

Admin: MSP

ClientAccountWeaknessSummary

Description

Aggregated summary of weakness occurrences for a subclient account, grouped by vulnerability identifier. Each record represents a unique combination of subclient and vulnerability. Returned by weakness_summaries_for_subclient_accounts.

Fields
company_name - String
Company name of the subclient account where this weakness was observed.
vuln_id - String
Vulnerability identifier (e.g., a CVE ID such as CVE-2021-44228) for this weakness.
first_seen_date - Date
Date when this weakness was first discovered in a pentest for the subclient.
last_seen_date - Date
Date when this weakness was most recently observed in a pentest for the subclient.
first_op_id - String
Identifier of the pentest where this weakness was first observed.
last_op_id - String
Identifier of the pentest where this weakness was most recently observed.
ops_count - Int
Number of distinct pentests in which this weakness was detected.
weaknesses_count - Int
Total number of times this weakness was observed across all pentests (may exceed ops_count if the weakness appears multiple times within a single pentest). 
fragment ClientAccountWeaknessSummaryFragment on ClientAccountWeaknessSummary {
  company_name
  vuln_id
  first_seen_date
  last_seen_date
  first_op_id
  last_op_id
  ops_count
  weaknesses_count
}

Examples may not include all available fields for a type.

Admin: MSP

OverallSummarySubclientAccounts

Description

High-level aggregated metrics across all subclient accounts under a parent MSP account. Provides a single-row summary of total activity and findings. Returned by overall_summary_for_subclient_accounts.

Fields
enrolled_clients_count - Int
Total number of subclient accounts enrolled under the parent account.
non_empty_ops_count - Int
Number of pentests that discovered at least one endpoint (non-empty results).
ops_count - Int
Total number of pentests and ops executed across all subclient accounts.
hosts_or_unique_ips_scanned_count - Int
Total number of unique hosts or IP addresses scanned across all subclient pentests.
impact_paths_count - Int
Total number of attack paths identified across all subclient pentests.
weaknesses_count - Int
Total number of weaknesses discovered across all subclient pentests.
weaknesses_mitigated_count - Int
Total number of weaknesses that have been remediated or mitigated across all subclients.
total_duration_of_ops_seconds - Long
Cumulative duration of all pentests across all subclients, measured in seconds. 
fragment OverallSummarySubclientAccountsFragment on OverallSummarySubclientAccounts {
  enrolled_clients_count
  non_empty_ops_count
  ops_count
  hosts_or_unique_ips_scanned_count
  impact_paths_count
  weaknesses_count
  weaknesses_mitigated_count
  total_duration_of_ops_seconds
}

Examples may not include all available fields for a type.

Admin: MSP

SubclientAccountSummary

Description

All-time summary metrics for a subclient account, including pentest counts, user activity, and enrollment status. Returned by subclient_account_summaries. Requires multi-tenancy to be enabled on the parent account; returns an empty list otherwise.

Fields
client_account_uuid - String!
Unique identifier of the subclient ClientAccount.
company_name - String!
Company name of the subclient account.
enrolled_date - Date
Date when the subclient account was enrolled (created) on the platform.
ops_count - Int
Total number of pentests and other ops run by the subclient, all-time.
successfully_launched_ops_count - Int
Number of ops that were successfully launched and executed.
failed_or_autocanceled_ops_count - Int
Number of ops that were initiated but either failed to launch or were automatically canceled.
auto_canceled_ops_count - Int
Number of ops that were initiated but automatically canceled before launch.
failed_ops_count - Int
Number of ops that failed to provision or launch due to platform errors.
empty_ops_count - Int
Number of ops that completed but discovered no endpoints in scope.
first_op_date - Date
Date when the subclient ran their first op.
last_op_date - Date
Date of the most recent op run by the subclient.
uniq_ips_count - Int
Number of unique IP addresses observed across all pentests for this subclient.
users_count - Int
Number of active users with access to the subclient account.
user_sign_ins_count - Int
Total number of user sign-ins across all users, all-time.
first_sign_in_date - Date
Date of the first user sign-in for this subclient account.
last_sign_in_date - Date
Date of the most recent user sign-in for this subclient account. 
fragment SubclientAccountSummaryFragment on SubclientAccountSummary {
  client_account_uuid
  company_name
  enrolled_date
  ops_count
  successfully_launched_ops_count
  first_op_date
  last_op_date
  uniq_ips_count
  users_count
  user_sign_ins_count
  first_sign_in_date
  last_sign_in_date
}

Examples may not include all available fields for a type.

Boolean

Description

The Boolean scalar type represents true or false.

Types

Date

Description

String scalar type with date ISO format serialization, eg. 2021-07-22.

Example
"2021-07-22"
Types

Datetime

Description

String scalar type with datetime ISO format serialization, eg. 2021-07-22T05:02:40.294996 .

Example
"2021-07-22T05:02:40.294996"
Types

EmailAddress

Description

String scalar type with email address format required.

Example
"user@example.com"
Types

Float

Description

The Float scalar type represents signed double-precision fractional values as specified by IEEE 754.

Example
123.45
Types

ID

Description

The ID scalar type represents a unique identifier, often used to refetch an object or as key for a cache. The ID type appears in a JSON response as a String; however, it is not intended to be human-readable. When expected as an input type, any string (such as "4") or integer (such as 4) input value will be accepted as an ID.

Example
4
Types

Int

Description

The Int scalar type represents non-fractional signed whole numeric values. Int can represent values between -(2^31) and 2^31 - 1.

Example
123
Types

JSONObject

Description

String scalar type with JSON serialization.

Example
"{\"hello\": \"world\"}"
Types

Long

Description

Int scalar type alias.

Example
5234
Types

String

Description

The String scalar type represents textual data, represented as UTF-8 character sequences. The String type is most often used by GraphQL to represent free-form human-readable text.

Example
"xyz789"
Types

StringNoWhitespace

Description

String scalar type that cannot be an empty string or contain whitespace.

Example
"non-empty-string"
Types

StringNotEmpty

Description

String scalar type that cannot be an empty string.

Example
"non empty string"