GraphQL API Reference

Welcome to the Horizon3.ai GraphQL API reference! This reference includes the complete set of GraphQL types, queries, mutations, and their parameters available to users of Horizon3.ai products.

First, learn how to authenticate with the API. If you are new to GraphQL, see the Getting Started guide.

API Endpoints
https://api.horizon3ai.com/v1/graphql
Headers
Authorization: Bearer <YOUR_TOKEN_HERE>

Queries

action_logs_count

Description

Number of action log records for a given pentest.

The action log is the set of all commands executed by NodeZero across all hosts during the pentest.

Response

Returns an Int!

Arguments
Name Description
input - OpInput! Pentest to get action logs for.
page_input - PageInput Pagination of action logs.

Example

Query
query action_logs_count(
  $input: OpInput!,
  $page_input: PageInput
) {
  action_logs_count(
    input: $input,
    page_input: $page_input
  )
}
Variables
{
  "input": OpInput,
  "page_input": PageInput
}
Response
{"data": {"action_logs_count": 123}}

action_logs_csv_presigned_url

Description

Generates a temporary AWS presigned URL for downloading the action log as a CSV.

The action log is the set of all commands executed by NodeZero across all hosts during the pentest.

Response

Returns a String

Arguments
Name Description
input - OpInput!

Example

Query
query action_logs_csv_presigned_url($input: OpInput!) {
  action_logs_csv_presigned_url(input: $input)
}
Variables
{"input": OpInput}
Response
{
  "data": {
    "action_logs_csv_presigned_url": "abc123"
  }
}

action_logs_page

Description

Paginated list of action log records for a given pentest.

The action log is the set of all commands executed by NodeZero across all hosts during the pentest.

Response

Returns an ActionLogsPage!

Arguments
Name Description
input - OpInput! Pentest to get action logs for.
page_input - PageInput Pagination of action logs.

Example

Query
query action_logs_page(
  $input: OpInput!,
  $page_input: PageInput
) {
  action_logs_page(
    input: $input,
    page_input: $page_input
  ) {
    page_info {
      ...PageInfoFragment
    }
    action_logs {
      ...ActionLogFragment
    }
  }
}
Variables
{
  "input": OpInput,
  "page_input": PageInput
}
Response
{
  "data": {
    "action_logs_page": {
      "page_info": PageInfo,
      "action_logs": [ActionLog]
    }
  }
}

activedir_passwords_csv_url

Description

List of Active Direction passwords found during an AD Password Audit. Returns a presigned URL to the CSV file. The presigned URL expires after a short time. The CSV format is documented under ActiveDirPasswordCSV.

Response

Returns a String

Arguments
Name Description
input - OpInput!

Example

Query
query activedir_passwords_csv_url($input: OpInput!) {
  activedir_passwords_csv_url(input: $input)
}
Variables
{"input": OpInput}
Response
{
  "data": {
    "activedir_passwords_csv_url": "xyz789"
  }
}

agent

Description

Fetch the agent aka NodeZero Runner with the given uuid or name in the current user's ClientAccount

Response

Returns an Agent

Arguments
Name Description
uuid - String
name - String

Example

Query
query agent(
  $uuid: String,
  $name: String
) {
  agent(
    uuid: $uuid,
    name: $name
  ) {
    uuid
    name
    uname
    log_file
    last_heartbeat_at
    last_heartbeat_time_ago
    last_command {
      ...AgentCommandFragment
    }
    commands {
      ...AgentCommandFragment
    }
    created_at
  }
}
Variables
{
  "uuid": "xyz789",
  "name": "abc123"
}
Response
{
  "data": {
    "agent": {
      "uuid": "12341234-1234-1234-1234-123412341234",
      "name": "abc123",
      "uname": "xyz789",
      "log_file": "xyz789",
      "last_heartbeat_at": "2021-07-22T05:02:40.294996",
      "last_heartbeat_time_ago": "xyz789",
      "last_command": AgentCommand,
      "commands": [AgentCommand],
      "created_at": "2021-07-22T05:02:40.294996"
    }
  }
}

agents

Description

The list of h3-cli agents aka NodeZero Runners in the current user's ClientAccount

Response

Returns [Agent]

Example

Query
query agents {
  agents {
    uuid
    name
    uname
    log_file
    last_heartbeat_at
    last_heartbeat_time_ago
    last_command {
      ...AgentCommandFragment
    }
    commands {
      ...AgentCommandFragment
    }
    created_at
  }
}
Response
{
  "data": {
    "agents": [
      {
        "uuid": "12341234-1234-1234-1234-123412341234",
        "name": "abc123",
        "uname": "xyz789",
        "log_file": "xyz789",
        "last_heartbeat_at": "2021-07-22T05:02:40.294996",
        "last_heartbeat_time_ago": "abc123",
        "last_command": AgentCommand,
        "commands": [AgentCommand],
        "created_at": "2021-07-22T05:02:40.294996"
      }
    ]
  }
}

agents_count

Description

The count of h3-cli agents aka NodeZero Runners in the current user's ClientAccount

Response

Returns an Int!

Arguments
Name Description
page_input - PageInput

Example

Query
query agents_count($page_input: PageInput) {
  agents_count(page_input: $page_input)
}
Variables
{"page_input": PageInput}
Response
{"data": {"agents_count": 123}}

asset_group

Description

Fetch a specific asset group from this account.

Response

Returns an AssetGroup

Arguments
Name Description
uuid - String!

Example

Query
query asset_group($uuid: String!) {
  asset_group(uuid: $uuid) {
    uuid
    name
    op_template_uuid
    op_template {
      ...OpTemplateFragment
    }
    user_account_uuid
    user_account_name
    client_account_uuid
    client_account_company_name
    last_ead_etl_completed_at
    created_at
    updated_at
    op_series_uuid
    assets_count
    authorized_assets_count
    external_domain_xops_count
    authorized_external_domain_xops_count
    in_scope_host_tab_xops_count
    authorized_host_tab_xops_count
  }
}
Variables
{"uuid": "abc123"}
Response
{
  "data": {
    "asset_group": {
      "uuid": "12341234-1234-1234-1234-123412341234",
      "name": "abc123",
      "op_template_uuid": "12341234-1234-1234-1234-123412341234",
      "op_template": OpTemplate,
      "user_account_uuid": "12341234-1234-1234-1234-123412341234",
      "user_account_name": "xyz789",
      "client_account_uuid": "12341234-1234-1234-1234-123412341234",
      "client_account_company_name": "abc123",
      "last_ead_etl_completed_at": "2021-07-22T05:02:40.294996",
      "created_at": "2021-07-22T05:02:40.294996",
      "updated_at": "2021-07-22T05:02:40.294996",
      "op_series_uuid": "12341234-1234-1234-1234-123412341234",
      "assets_count": 123,
      "authorized_assets_count": 123,
      "external_domain_xops_count": 123,
      "authorized_external_domain_xops_count": 987,
      "in_scope_host_tab_xops_count": 987,
      "authorized_host_tab_xops_count": 987
    }
  }
}

asset_groups_count

Description

The number of asset groups in this account.

Response

Returns an Int!

Arguments
Name Description
page_input - PageInput

Example

Query
query asset_groups_count($page_input: PageInput) {
  asset_groups_count(page_input: $page_input)
}
Variables
{"page_input": PageInput}
Response
{"data": {"asset_groups_count": 123}}

asset_groups_page

Description

Paginated list of asset groups in this account.

Response

Returns an AssetGroupsPage!

Arguments
Name Description
page_input - PageInput

Example

Query
query asset_groups_page($page_input: PageInput) {
  asset_groups_page(page_input: $page_input) {
    page_info {
      ...PageInfoFragment
    }
    asset_groups {
      ...AssetGroupFragment
    }
  }
}
Variables
{"page_input": PageInput}
Response
{
  "data": {
    "asset_groups_page": {
      "page_info": PageInfo,
      "asset_groups": [AssetGroup]
    }
  }
}

attack_path

Description

The AttackPath with the given uuid. An AttackPath represents the steps NodeZero took to achieve an Impact.

Response

Returns an AttackPath

Arguments
Name Description
uuid - String!

Example

Query
query attack_path($uuid: String!) {
  attack_path(uuid: $uuid) {
    uuid
    impact_type
    impact_title
    impact_description
    name
    attack_path_title
    base_score
    score
    severity
    context_score_description_md
    context_score_description
    op_id
    weakness_refs
    credential_refs
    host_refs
    time_to_finding_hms
    time_to_finding_s
    created_at
    target_entity_text
    target_entity_short_text
    affected_asset_text
    affected_asset_short_text
    ip
    host_name
    host_text
  }
}
Variables
{"uuid": "abc123"}
Response
{
  "data": {
    "attack_path": {
      "uuid": "12341234-1234-1234-1234-123412341234",
      "impact_type": "AWSUserRoleCompromise",
      "impact_title": "abc123",
      "impact_description": "abc123",
      "name": "xyz789",
      "attack_path_title": "xyz789",
      "base_score": 123.45,
      "score": 987.65,
      "severity": "INFO",
      "context_score_description_md": "xyz789",
      "context_score_description": "abc123",
      "op_id": "12341234-1234-1234-1234-123412341234",
      "weakness_refs": ["abc123"],
      "credential_refs": ["abc123"],
      "host_refs": ["xyz789"],
      "time_to_finding_hms": "22:05:31",
      "time_to_finding_s": 987,
      "created_at": "2021-07-22T05:02:40.294996",
      "target_entity_text": "xyz789",
      "target_entity_short_text": "xyz789",
      "affected_asset_text": "xyz789",
      "affected_asset_short_text": "xyz789",
      "ip": "123.45.67.89",
      "host_name": "abc123",
      "host_text": "abc123"
    }
  }
}

attack_paths_count

Description

The count of AttackPaths discovered during the given op. An AttackPath represents the steps NodeZero took to achieve an Impact.

Response

Returns an Int!

Arguments
Name Description
input - OpInput!
page_input - PageInput

Example

Query
query attack_paths_count(
  $input: OpInput!,
  $page_input: PageInput
) {
  attack_paths_count(
    input: $input,
    page_input: $page_input
  )
}
Variables
{
  "input": OpInput,
  "page_input": PageInput
}
Response
{"data": {"attack_paths_count": 123}}

attack_paths_csv_url

Description

The set of AttackPaths discovered during the given op. An AttackPath represents the steps NodeZero took to achieve an Impact.

Returned as a temporary presigned URL to a CSV file.

The CSV format is documented under ImpactCSV.

Response

Returns a String

Arguments
Name Description
input - OpInput!

Example

Query
query attack_paths_csv_url($input: OpInput!) {
  attack_paths_csv_url(input: $input)
}
Variables
{"input": OpInput}
Response
{"data": {"attack_paths_csv_url": "abc123"}}

attack_paths_page

Description

The set of AttackPaths discovered during the given op. An AttackPath represents the steps NodeZero took to achieve an Impact.

Response

Returns an AttackPathsPage!

Arguments
Name Description
input - OpInput!
page_input - PageInput

Example

Query
query attack_paths_page(
  $input: OpInput!,
  $page_input: PageInput
) {
  attack_paths_page(
    input: $input,
    page_input: $page_input
  ) {
    page_info {
      ...PageInfoFragment
    }
    attack_paths {
      ...AttackPathFragment
    }
  }
}
Variables
{
  "input": OpInput,
  "page_input": PageInput
}
Response
{
  "data": {
    "attack_paths_page": {
      "page_info": PageInfo,
      "attack_paths": [AttackPath]
    }
  }
}

client_accounts_count

Description

Number of client accounts accessible by the current user.

Response

Returns an Int!

Arguments
Name Description
page_input - PageInput

Example

Query
query client_accounts_count($page_input: PageInput) {
  client_accounts_count(page_input: $page_input)
}
Variables
{"page_input": PageInput}
Response
{"data": {"client_accounts_count": 123}}

client_accounts_page

Description

Client accounts accessible by the current user.

Response

Returns a ClientAccountsPage!

Arguments
Name Description
page_input - PageInput

Example

Query
query client_accounts_page($page_input: PageInput) {
  client_accounts_page(page_input: $page_input) {
    page_info {
      ...PageInfoFragment
    }
    client_accounts {
      ...ClientAccountFragment
    }
  }
}
Variables
{"page_input": PageInput}
Response
{
  "data": {
    "client_accounts_page": {
      "page_info": PageInfo,
      "client_accounts": [ClientAccount]
    }
  }
}

external_domain_xop

Description

Returns the ExternalDomainXop with the given uuid.

Response

Returns an ExternalDomainXop

Arguments
Name Description
uuid - String!

Example

Query
query external_domain_xop($uuid: String!) {
  external_domain_xop(uuid: $uuid) {
    uuid
    op_series_uuid
    xop_id
    last_op_id
    current_op_id
    is_authorized
    pentestable_rules {
      ...PentestableRulesFragment
    }
    is_dynamic_ip
    excluded_domain_from_last_pentest {
      ...ExcludedDomainFragment
    }
    third_party_aliases
    third_party_certificate_subject_cns
  }
}
Variables
{"uuid": "xyz789"}
Response
{
  "data": {
    "external_domain_xop": {
      "uuid": "12341234-1234-1234-1234-123412341234",
      "op_series_uuid": "12341234-1234-1234-1234-123412341234",
      "xop_id": "xyz789",
      "last_op_id": "xyz789",
      "current_op_id": "xyz789",
      "is_authorized": true,
      "pentestable_rules": PentestableRules,
      "is_dynamic_ip": "123.45.67.89",
      "excluded_domain_from_last_pentest": ExcludedDomain,
      "third_party_aliases": ["xyz789"],
      "third_party_certificate_subject_cns": [
        "abc123"
      ]
    }
  }
}

external_domain_xops_count

Description

Count of domains in the given AssetGroup.op_series_uuid

Response

Returns an Int!

Arguments
Name Description
op_series_uuid - String!
page_input - PageInput

Example

Query
query external_domain_xops_count(
  $op_series_uuid: String!,
  $page_input: PageInput
) {
  external_domain_xops_count(
    op_series_uuid: $op_series_uuid,
    page_input: $page_input
  )
}
Variables
{
  "op_series_uuid": "abc123",
  "page_input": PageInput
}
Response
{"data": {"external_domain_xops_count": 123}}

hello

Description

Hello world example.

Response

Returns a String!

Example

Query
query hello {
  hello
}
Response
{"data": {"hello": "xyz789"}}

host_tab_xop

Description

Returns the HostTabXop with the given uuid.

Response

Returns a HostTabXop

Arguments
Name Description
uuid - String!

Example

Query
query host_tab_xop($uuid: String!) {
  host_tab_xop(uuid: $uuid) {
    uuid
    op_series_uuid
    xop_id
    ip
    last_op_id
    current_op_id
    is_authorized
    excluded_ip_from_last_pentest {
      ...ExcludedIPFragment
    }
    pentestable_rules {
      ...PentestableRulesFragment
    }
    third_party_aliases
    third_party_certificate_subject_cns
  }
}
Variables
{"uuid": "abc123"}
Response
{
  "data": {
    "host_tab_xop": {
      "uuid": "12341234-1234-1234-1234-123412341234",
      "op_series_uuid": "12341234-1234-1234-1234-123412341234",
      "xop_id": "abc123",
      "ip": "123.45.67.89",
      "last_op_id": "xyz789",
      "current_op_id": "abc123",
      "is_authorized": false,
      "excluded_ip_from_last_pentest": ExcludedIP,
      "pentestable_rules": PentestableRules,
      "third_party_aliases": ["abc123"],
      "third_party_certificate_subject_cns": [
        "xyz789"
      ]
    }
  }
}

host_tab_xops_count

Description

Count of IPs in the given AssetGroup.op_series_uuid

Response

Returns an Int!

Arguments
Name Description
op_series_uuid - String!
page_input - PageInput

Example

Query
query host_tab_xops_count(
  $op_series_uuid: String!,
  $page_input: PageInput
) {
  host_tab_xops_count(
    op_series_uuid: $op_series_uuid,
    page_input: $page_input
  )
}
Variables
{
  "op_series_uuid": "xyz789",
  "page_input": PageInput
}
Response
{"data": {"host_tab_xops_count": 123}}

hosts_csv

use Query.hosts_csv_url
Description

List of hosts found during a pentest. Returned as an array of comma-separated values, with each element in the array representing a row. Each element in array represents a single host, with the first element containing the column names.

Response

Returns [HostCSV]

Arguments
Name Description
input - OpInput! Pentest to get hosts data for.

Example

Query
query hosts_csv($input: OpInput!) {
  hosts_csv(input: $input)
}
Variables
{"input": OpInput}
Response
{"data": {"hosts_csv": [HostCSV]}}

hosts_csv_url

Description

List of hosts found during a pentest. Returns a presigned URL to the CSV file. The presigned URL expires after a short time. The CSV format is documented under HostCSV.

Response

Returns a String

Arguments
Name Description
input - OpInput!

Example

Query
query hosts_csv_url($input: OpInput!) {
  hosts_csv_url(input: $input)
}
Variables
{"input": OpInput}
Response
{"data": {"hosts_csv_url": "xyz789"}}

op

Description

Get pentest data.

Response

Returns an Op

Arguments
Name Description
op_id - String! ID of pentest.

Example

Query
query op($op_id: String!) {
  op(op_id: $op_id) {
    op_id
    op_type
    op_state
    op_name
    scheduled_timestamp_iso
    scheduled_at
    scheduled_at_date
    completed_timestamp_iso
    launched_timestamp_iso
    confirmed_credentials_count
    weaknesses_count
    weaknesses_page {
      ...WeaknessesPageFragment
    }
    in_scope_hosts_count
    feature_flags {
      ...FeatureFlagFragment
    }
    nodezero_script_url
    duration_hms
    duration_humanize
    op_template_uuid
    op_template_name
    impact_paths_count
    attack_paths_count
    attack_paths_page {
      ...AttackPathsPageFragment
    }
    phished_impact_paths_count
    phished_attack_paths_count
    runner_name
    runner {
      ...AgentFragment
    }
    schedule_uuid
    schedule_name
  }
}
Variables
{"op_id": "xyz789"}
Response
{
  "data": {
    "op": {
      "op_id": "12341234-1234-1234-1234-123412341234",
      "op_type": "NodeZero",
      "op_state": "running",
      "op_name": "your op name",
      "scheduled_timestamp_iso": "2021-07-22T05:02:40.294996",
      "scheduled_at": "2021-07-22T05:02:40.294996",
      "scheduled_at_date": "2024-07-29T23:01:03.432Z",
      "completed_timestamp_iso": "2021-07-22T05:02:40.294996",
      "launched_timestamp_iso": "2021-07-22T05:02:40.294996",
      "confirmed_credentials_count": 123,
      "weaknesses_count": 123,
      "weaknesses_page": WeaknessesPage,
      "in_scope_hosts_count": 987,
      "feature_flags": [FeatureFlag],
      "nodezero_script_url": "https://example.com/example",
      "duration_hms": "22:05:21",
      "duration_humanize": "2 hours, 23 minutes",
      "op_template_uuid": "12341234-1234-1234-1234-123412341234",
      "op_template_name": "xyz789",
      "impact_paths_count": 123,
      "attack_paths_count": 987,
      "attack_paths_page": AttackPathsPage,
      "phished_impact_paths_count": 987,
      "phished_attack_paths_count": 987,
      "runner_name": "xyz789",
      "runner": Agent,
      "schedule_uuid": "12341234-1234-1234-1234-123412341234",
      "schedule_name": "abc123"
    }
  }
}

op_tabs_page

Description

Get a list of pentests for client accounts accessible by the current user.

Response

Returns an OpTabsPage!

Arguments
Name Description
page_input - PageInput Pagination of pentests.
exclude_sample_ops - Boolean Exclude sample pentests from the result.

Example

Query
query op_tabs_page(
  $page_input: PageInput,
  $exclude_sample_ops: Boolean
) {
  op_tabs_page(
    page_input: $page_input,
    exclude_sample_ops: $exclude_sample_ops
  ) {
    page_info {
      ...PageInfoFragment
    }
    op_tabs {
      ...OpTabFragment
    }
  }
}
Variables
{"page_input": PageInput, "exclude_sample_ops": true}
Response
{
  "data": {
    "op_tabs_page": {
      "page_info": PageInfo,
      "op_tabs": [OpTab]
    }
  }
}

op_template

Description

Get an op template.

Response

Returns an OpTemplate

Arguments
Name Description
op_template_uuid - String! The uuid of the op template

Example

Query
query op_template($op_template_uuid: String!) {
  op_template(op_template_uuid: $op_template_uuid) {
    uuid
    user_account_uuid
    client_account_uuid
    op_template_name
    op_type
    schedule_op_form {
      ...ScheduleOpFormFragment
    }
    row_created_at
    row_updated_at
  }
}
Variables
{"op_template_uuid": "xyz789"}
Response
{
  "data": {
    "op_template": {
      "uuid": "12341234-1234-1234-1234-123412341234",
      "user_account_uuid": "12341234-1234-1234-1234-123412341234",
      "client_account_uuid": "12341234-1234-1234-1234-123412341234",
      "op_template_name": "abc123",
      "op_type": "NodeZero",
      "schedule_op_form": ScheduleOpForm,
      "row_created_at": "2021-07-22T05:02:40.294996",
      "row_updated_at": "2021-07-22T05:02:40.294996"
    }
  }
}

op_templates

Description

List of op templates, of a specified op type, for the current client account. Includes default templates provided by Horizon3.ai.

Response

Returns [OpTemplate]

Arguments
Name Description
op_type - String Optional. Must be either "NodeZero" (for internal pentests) or "ExternalAttack" (for external pentests). Defaults to "NodeZero".

Example

Query
query op_templates($op_type: String) {
  op_templates(op_type: $op_type) {
    uuid
    user_account_uuid
    client_account_uuid
    op_template_name
    op_type
    schedule_op_form {
      ...ScheduleOpFormFragment
    }
    row_created_at
    row_updated_at
  }
}
Variables
{"op_type": "abc123"}
Response
{
  "data": {
    "op_templates": [
      {
        "uuid": "12341234-1234-1234-1234-123412341234",
        "user_account_uuid": "12341234-1234-1234-1234-123412341234",
        "client_account_uuid": "12341234-1234-1234-1234-123412341234",
        "op_template_name": "xyz789",
        "op_type": "NodeZero",
        "schedule_op_form": ScheduleOpForm,
        "row_created_at": "2021-07-22T05:02:40.294996",
        "row_updated_at": "2021-07-22T05:02:40.294996"
      }
    ]
  }
}

op_templates_count

Description

Count of op templates for the current client account. Does not include default templates provided by Horizon3.ai.

Response

Returns an Int!

Arguments
Name Description
page_input - PageInput

Example

Query
query op_templates_count($page_input: PageInput) {
  op_templates_count(page_input: $page_input)
}
Variables
{"page_input": PageInput}
Response
{"data": {"op_templates_count": 123}}

op_templates_page

Description

List of op templates for the current client account. Does not include default templates provided by Horizon3.ai.

Response

Returns an OpTemplatesPage!

Arguments
Name Description
page_input - PageInput

Example

Query
query op_templates_page($page_input: PageInput) {
  op_templates_page(page_input: $page_input) {
    page_info {
      ...PageInfoFragment
    }
    op_templates {
      ...OpTemplateFragment
    }
  }
}
Variables
{"page_input": PageInput}
Response
{
  "data": {
    "op_templates_page": {
      "page_info": PageInfo,
      "op_templates": [OpTemplate]
    }
  }
}

op_templates_page_count

use Query.op_templates_count
Description

Count of op templates for the current client account. Does not include default templates provided by Horizon3.ai.

Response

Returns an Int!

Arguments
Name Description
page_input - PageInput

Example

Query
query op_templates_page_count($page_input: PageInput) {
  op_templates_page_count(page_input: $page_input)
}
Variables
{"page_input": PageInput}
Response
{"data": {"op_templates_page_count": 123}}

pentest

Description

Get pentest data.

Response

Returns a Pentest

Arguments
Name Description
op_id - String! ID of pentest.

Example

Query
query pentest($op_id: String!) {
  pentest(op_id: $op_id) {
    op_id
    op_type
    name
    state
    user_name
    client_name
    min_scope
    max_scope
    exclude_scope
    git_accounts {
      ...GitAccountFragment
    }
    aws_account_ids
    feature_flags {
      ...FeatureFlagFragment
    }
    scheduled_at
    launched_at
    completed_at
    canceled_at
    etl_completed_at
    duration_s
    impacts_count
    impact_paths_count
    attack_paths_count
    attack_paths_page {
      ...AttackPathsPageFragment
    }
    phished_impact_paths_count
    phished_attack_paths_count
    weakness_types_count
    weaknesses_count
    weaknesses_page {
      ...WeaknessesPageFragment
    }
    hosts_count
    out_of_scope_hosts_count
    external_domains_count
    services_count
    credentials_count
    users_count
    cred_access_count
    data_stores_count
    websites_count
    data_resources_count
    nodezero_script_url
    nodezero_ip
    runner {
      ...AgentFragment
    }
  }
}
Variables
{"op_id": "abc123"}
Response
{
  "data": {
    "pentest": {
      "op_id": "12341234-1234-1234-1234-123412341234",
      "op_type": "NodeZero",
      "name": "xyz789",
      "state": "done",
      "user_name": "xyz789",
      "client_name": "abc123",
      "min_scope": ["xyz789"],
      "max_scope": ["xyz789"],
      "exclude_scope": ["xyz789"],
      "git_accounts": [GitAccount],
      "aws_account_ids": [AWSAccountId],
      "feature_flags": [FeatureFlag],
      "scheduled_at": "2021-07-22T05:02:40.294996",
      "launched_at": "2021-07-22T05:02:40.294996",
      "completed_at": "2021-07-22T05:02:40.294996",
      "canceled_at": "2021-07-22T05:02:40.294996",
      "etl_completed_at": "2021-07-22T05:02:40.294996",
      "duration_s": 123,
      "impacts_count": 123,
      "impact_paths_count": 123,
      "attack_paths_count": 123,
      "attack_paths_page": AttackPathsPage,
      "phished_impact_paths_count": 123,
      "phished_attack_paths_count": 987,
      "weakness_types_count": 123,
      "weaknesses_count": 123,
      "weaknesses_page": WeaknessesPage,
      "hosts_count": 987,
      "out_of_scope_hosts_count": 123,
      "external_domains_count": 987,
      "services_count": 987,
      "credentials_count": 123,
      "users_count": 987,
      "cred_access_count": 123,
      "data_stores_count": 123,
      "websites_count": 123,
      "data_resources_count": Long,
      "nodezero_script_url": "https://example.com/example",
      "nodezero_ip": "123.45.67.89",
      "runner": Agent
    }
  }
}

pentest_reports_zip_url

Description

Returns a URL to a zip file containing all CSVs and PDFs for the given op_id.

The CSVs along with their schema types are listed below:

Note: for pentests prior to Sep 2022, the zip file is generated "lazily"; ie. on demand, when the user first request it. The first request will receive a response saying the zip file is being generated. An email will be sent to the requesting user with a link to the zip file when it is ready. Subsequent requests will download the already-built zip file.

Response

Returns a String

Arguments
Name Description
input - OpInput!

Example

Query
query pentest_reports_zip_url($input: OpInput!) {
  pentest_reports_zip_url(input: $input)
}
Variables
{"input": OpInput}
Response
{
  "data": {
    "pentest_reports_zip_url": "xyz789"
  }
}

pentests_count

Description

Counts the number of pentests in the current client account, after applying any filters in page_input. By default archived pentests are excluded.

Response

Returns an Int!

Arguments
Name Description
page_input - PageInput Pagination of pentests.

Example

Query
query pentests_count($page_input: PageInput) {
  pentests_count(page_input: $page_input)
}
Variables
{"page_input": PageInput}
Response
{"data": {"pentests_count": 123}}

pentests_page

Description

Paginated list of pentests in the current client account. By default archived pentests are excluded.

Response

Returns a PentestsPage!

Arguments
Name Description
page_input - PageInput Pagination of pentests.

Example

Query
query pentests_page($page_input: PageInput) {
  pentests_page(page_input: $page_input) {
    page_info {
      ...PageInfoFragment
    }
    pentests {
      ...PentestFragment
    }
  }
}
Variables
{"page_input": PageInput}
Response
{
  "data": {
    "pentests_page": {
      "page_info": PageInfo,
      "pentests": [Pentest]
    }
  }
}

sample_op_tabs

Description

Get a list of sample pentests for the current client account.

Response

Returns [OpTab!]

Example

Query
query sample_op_tabs {
  sample_op_tabs {
    uuid
    op_id
    op_state
    op_name
    scheduled_timestamp
    scheduled_at
    scheduled_at_date
    scheduled_timestamp_iso
    create_timestamp
    create_timestamp_iso
    launched_timestamp
    launched_timestamp_iso
    launched_at
    completed_at
    completed_timestamp
    completed_timestamp_iso
    canceled_at
    canceled_timestamp
    canceled_timestamp_iso
    duration_hms
    duration_humanize
    op_type
    weakness_types_count
    weaknesses_count
    host_tabs_count
    domain_controllers_count
    credentials_count
    proven_credentials_count
    confirmed_credentials_count
    unproven_credentials_count
    activedir_passwords_count
    enabled_activedir_passwords_count
    disabled_activedir_passwords_count
    feature_flags {
      ...FeatureFlagFragment
    }
    impacts_headline_count
    impact_paths_count
    attack_paths_count
    phished_impact_paths_count
    phished_attack_paths_count
    nodezero_script_url
    nodezero_ip
    etl_completed_at
    start_paused
    minimum_run_time
    maximum_run_time
    paused_at
    paused_by_user_account_uuid
    paused_by_user_account {
      ...UserAccountFragment
    }
    op_template_uuid
    op_template_name
    excluded_ips {
      ...ExcludedIPFragment
    }
    excluded_domains {
      ...ExcludedDomainFragment
    }
    runner_name
    runner {
      ...AgentFragment
    }
    run_nodezero_command {
      ...AgentCommandFragment
    }
    schedule_uuid
    schedule_name
    auto_injected_credential_uuids
  }
}
Response
{
  "data": {
    "sample_op_tabs": [
      {
        "uuid": "12341234-1234-1234-1234-123412341234",
        "op_id": "12341234-1234-1234-1234-123412341234",
        "op_state": "running",
        "op_name": "your op name",
        "scheduled_timestamp": "1600793100.0",
        "scheduled_at": "2021-07-22T05:02:40.294996",
        "scheduled_at_date": "2024-07-29T23:01:03.432Z",
        "scheduled_timestamp_iso": "2021-07-22T05:02:40.294996",
        "create_timestamp": "1600793100.0",
        "create_timestamp_iso": "2021-07-22T05:02:40.294996",
        "launched_timestamp": "1600793100.0",
        "launched_timestamp_iso": "2021-07-22T05:02:40.294996",
        "launched_at": "2021-07-22T05:02:40.294996",
        "completed_at": "2021-07-22T05:02:40.294996",
        "completed_timestamp": "1600793100.0",
        "completed_timestamp_iso": "2021-07-22T05:02:40.294996",
        "canceled_at": "2021-07-22T05:02:40.294996",
        "canceled_timestamp": "1600793100.0",
        "canceled_timestamp_iso": "2021-07-22T05:02:40.294996",
        "duration_hms": "22:35:09",
        "duration_humanize": "2 hours, 23 minutes",
        "op_type": "NodeZero",
        "weakness_types_count": 123,
        "weaknesses_count": 123,
        "host_tabs_count": 987,
        "domain_controllers_count": 987,
        "credentials_count": 123,
        "proven_credentials_count": 123,
        "confirmed_credentials_count": 987,
        "unproven_credentials_count": 987,
        "activedir_passwords_count": 123,
        "enabled_activedir_passwords_count": 987,
        "disabled_activedir_passwords_count": 123,
        "feature_flags": [FeatureFlag],
        "impacts_headline_count": 987,
        "impact_paths_count": 987,
        "attack_paths_count": 123,
        "phished_impact_paths_count": 987,
        "phished_attack_paths_count": 123,
        "nodezero_script_url": "https://example.com/example",
        "nodezero_ip": "123.45.67.89",
        "etl_completed_at": "2021-07-22T05:02:40.294996",
        "start_paused": true,
        "minimum_run_time": 987,
        "maximum_run_time": 987,
        "paused_at": "2021-07-22T05:02:40.294996",
        "paused_by_user_account_uuid": "12341234-1234-1234-1234-123412341234",
        "paused_by_user_account": UserAccount,
        "op_template_uuid": "12341234-1234-1234-1234-123412341234",
        "op_template_name": "xyz789",
        "excluded_ips": [ExcludedIP],
        "excluded_domains": [ExcludedDomain],
        "runner_name": "abc123",
        "runner": Agent,
        "run_nodezero_command": AgentCommand,
        "schedule_uuid": "12341234-1234-1234-1234-123412341234",
        "schedule_name": "xyz789",
        "auto_injected_credential_uuids": [
          "abc123"
        ]
      }
    ]
  }
}

session_user_account

Description

Current user account.

Response

Returns a UserAccount

Example

Query
query session_user_account {
  session_user_account {
    uuid
    email
    name
    user_role_id
    sign_in_type
    last_signed_in_at
  }
}
Response
{
  "data": {
    "session_user_account": {
      "uuid": "12341234-1234-1234-1234-123412341234",
      "email": "john.smith@example.com",
      "name": "John Smith",
      "user_role_id": "USER",
      "sign_in_type": "BASIC",
      "last_signed_in_at": "2021-07-22T05:02:40.294996"
    }
  }
}

weakness

Description

The Weakness with the given uuid.

Response

Returns a Weakness

Arguments
Name Description
uuid - String!

Example

Query
query weakness($uuid: String!) {
  weakness(uuid: $uuid) {
    uuid
    created_at
    vuln_id
    vuln_aliases
    vuln_category
    vuln_name
    vuln_short_name
    vuln_cisa_kev
    vuln_known_ransomware_campaign_use
    op_id
    ip
    has_proof
    proof_failure_code
    proof_failure_reason
    score
    severity
    base_score
    base_severity
    context_score
    context_severity
    context_score_description_md
    context_score_description
    time_to_finding_hms
    time_to_finding_s
    affected_asset_text
    affected_asset_short_text
    downstream_impact_types
    downstream_impact_types_and_counts
    impact_paths_count
    attack_paths_count
    diff_status
  }
}
Variables
{"uuid": "xyz789"}
Response
{
  "data": {
    "weakness": {
      "uuid": "12341234-1234-1234-1234-123412341234",
      "created_at": "2021-07-22T05:02:40.294996",
      "vuln_id": "abc123",
      "vuln_aliases": ["abc123"],
      "vuln_category": "SECURITY_MISCONFIGURATION",
      "vuln_name": "xyz789",
      "vuln_short_name": "abc123",
      "vuln_cisa_kev": false,
      "vuln_known_ransomware_campaign_use": true,
      "op_id": "12341234-1234-1234-1234-123412341234",
      "ip": "123.45.67.89",
      "has_proof": false,
      "proof_failure_code": "abc123",
      "proof_failure_reason": "abc123",
      "score": 987.65,
      "severity": "INFO",
      "base_score": 123.45,
      "base_severity": "INFO",
      "context_score": 123.45,
      "context_severity": "INFO",
      "context_score_description_md": "abc123",
      "context_score_description": "xyz789",
      "time_to_finding_hms": "22:05:31",
      "time_to_finding_s": 987,
      "affected_asset_text": "xyz789",
      "affected_asset_short_text": "abc123",
      "downstream_impact_types": ["AWSUserRoleCompromise"],
      "downstream_impact_types_and_counts": [
        "abc123"
      ],
      "impact_paths_count": 123,
      "attack_paths_count": 123,
      "diff_status": "ADDED"
    }
  }
}

weaknesses_count

Description

The count of Weaknesses observed during the given op.

A Weakness record represents an observed vulnerability on an affected asset; ie. there is one Weakness record per unique vuln_id + affected asset combination.

Response

Returns an Int!

Arguments
Name Description
input - OpInput!
page_input - PageInput

Example

Query
query weaknesses_count(
  $input: OpInput!,
  $page_input: PageInput
) {
  weaknesses_count(
    input: $input,
    page_input: $page_input
  )
}
Variables
{
  "input": OpInput,
  "page_input": PageInput
}
Response
{"data": {"weaknesses_count": 123}}

weaknesses_csv

Use Query.weaknesses_csv_url
Description

The set of Weaknesses observed during the given op, as a set of CSV records.

A Weakness record represents an observed vulnerability on an affected asset; ie. there is one Weakness record per unique vuln_id + affected asset combination.

Returned as an array of strings, with each string being a single record of comma-separated values. Eah string is equivalent to a line in a CSV file.

The CSV format is documented under WeaknessCSV.

The first string contains the header line, with the list of column names.

DEPRECATED: this API will eventually be removed, in favor of Query.weaknesses_csv_url.

Response

Returns [WeaknessCSV]

Arguments
Name Description
input - OpInput! Pentest to get weakness data for.

Example

Query
query weaknesses_csv($input: OpInput!) {
  weaknesses_csv(input: $input)
}
Variables
{"input": OpInput}
Response
{"data": {"weaknesses_csv": [WeaknessCSV]}}

weaknesses_csv_url

Description

The set of Weaknesses observed during the given op, as a set of CSV records.

A Weakness record represents an observed vulnerability on an affected asset; ie. there is one Weakness record per unique vuln_id + affected asset combination.

Returned as a temporary presigned URL to a CSV file.

The CSV format is documented under WeaknessCSV.

Response

Returns a String

Arguments
Name Description
input - OpInput!

Example

Query
query weaknesses_csv_url($input: OpInput!) {
  weaknesses_csv_url(input: $input)
}
Variables
{"input": OpInput}
Response
{"data": {"weaknesses_csv_url": "abc123"}}

weaknesses_diff_csv_url

Description

Returns a temporary, presigned URL to a CSV for a diff of weaknesses between two pentests. See Query.weaknesses_diff_page for more info.

Response

Returns a String

Arguments
Name Description
op_diff_input - OpDiffInput!

Example

Query
query weaknesses_diff_csv_url($op_diff_input: OpDiffInput!) {
  weaknesses_diff_csv_url(op_diff_input: $op_diff_input)
}
Variables
{"op_diff_input": OpDiffInput}
Response
{
  "data": {
    "weaknesses_diff_csv_url": "xyz789"
  }
}

weaknesses_diff_page

Description

Returns a "diff" of weaknesses between two pentests.

The diff contains only those weaknesses that are different between the two pentests. A weakness is "different" if it is present in one pentest but not the other.

The field Weakness.diff_status will be set to either ADDED or REMOVED in each record.

If a weakness was present in the first op (op_diff_input.op_id_1), but not the second op (op_diff_input.op_id_2), its diff_status will be set to REMOVED.

If a weakness was present in the second op, but not the first op, its diff_status will be set to ADDED.

Response

Returns a WeaknessesDiffPage!

Arguments
Name Description
op_diff_input - OpDiffInput!
page_input - PageInput

Example

Query
query weaknesses_diff_page(
  $op_diff_input: OpDiffInput!,
  $page_input: PageInput
) {
  weaknesses_diff_page(
    op_diff_input: $op_diff_input,
    page_input: $page_input
  ) {
    page_info {
      ...PageInfoFragment
    }
    weaknesses {
      ...WeaknessFragment
    }
  }
}
Variables
{
  "op_diff_input": OpDiffInput,
  "page_input": PageInput
}
Response
{
  "data": {
    "weaknesses_diff_page": {
      "page_info": PageInfo,
      "weaknesses": [Weakness]
    }
  }
}

weaknesses_diff_stats

Description

Returns aggregate stats related to a diff of weaknesses between two pentests. See Query.weaknesses_diff_page for more info.

Response

Returns a DiffStats!

Arguments
Name Description
op_diff_input - OpDiffInput!
page_input - PageInput

Example

Query
query weaknesses_diff_stats(
  $op_diff_input: OpDiffInput!,
  $page_input: PageInput
) {
  weaknesses_diff_stats(
    op_diff_input: $op_diff_input,
    page_input: $page_input
  ) {
    added_count
    removed_count
    unchanged_count
  }
}
Variables
{
  "op_diff_input": OpDiffInput,
  "page_input": PageInput
}
Response
{
  "data": {
    "weaknesses_diff_stats": {
      "added_count": 123,
      "removed_count": 123,
      "unchanged_count": 987
    }
  }
}

weaknesses_page

Description

The set of Weaknesses observed during the given op.

A Weakness record represents an observed vulnerability on an affected asset; ie. there is one Weakness record per unique vuln_id + affected asset combination.

Response

Returns a WeaknessesPage!

Arguments
Name Description
input - OpInput!
page_input - PageInput

Example

Query
query weaknesses_page(
  $input: OpInput!,
  $page_input: PageInput
) {
  weaknesses_page(
    input: $input,
    page_input: $page_input
  ) {
    page_info {
      ...PageInfoFragment
    }
    weaknesses {
      ...WeaknessFragment
    }
  }
}
Variables
{
  "input": OpInput,
  "page_input": PageInput
}
Response
{
  "data": {
    "weaknesses_page": {
      "page_info": PageInfo,
      "weaknesses": [Weakness]
    }
  }
}

Mutations

add_domains_to_asset_group

Description

Update an asset group with additional domains.

Response

Returns an AssetGroupOutput!

Arguments
Name Description
asset_group_uuid - String! ID of asset group to update.
domains - [StringNotEmpty]! List of domains to add to the asset group's scope.

Example

Query
mutation add_domains_to_asset_group(
  $asset_group_uuid: String!,
  $domains: [StringNotEmpty]!
) {
  add_domains_to_asset_group(
    asset_group_uuid: $asset_group_uuid,
    domains: $domains
  ) {
    asset_group {
      ...AssetGroupFragment
    }
  }
}
Variables
{
  "asset_group_uuid": "abc123",
  "domains": [StringNotEmpty]
}
Response
{
  "data": {
    "add_domains_to_asset_group": {
      "asset_group": AssetGroup
    }
  }
}

authorize_domains

Description

Authorize the given AssetGroup domains for external pentesting.

Response

Returns a PentestableEntitiesOutput!

Arguments
Name Description
external_domain_xop_uuids - [String!]!

Example

Query
mutation authorize_domains($external_domain_xop_uuids: [String!]!) {
  authorize_domains(external_domain_xop_uuids: $external_domain_xop_uuids) {
    pentestable_entities {
      ...PentestableEntityFragment
    }
    blocked_pentestable_entities {
      ...BlockedPentestableEntityFragment
    }
  }
}
Variables
{"external_domain_xop_uuids": ["xyz789"]}
Response
{
  "data": {
    "authorize_domains": {
      "pentestable_entities": [PentestableEntity],
      "blocked_pentestable_entities": [
        BlockedPentestableEntity
      ]
    }
  }
}

authorize_ips

Description

Authorize the given AssetGroup IPs for external pentesting.

Response

Returns a PentestableEntitiesOutput!

Arguments
Name Description
host_tab_xop_uuids - [String!]!

Example

Query
mutation authorize_ips($host_tab_xop_uuids: [String!]!) {
  authorize_ips(host_tab_xop_uuids: $host_tab_xop_uuids) {
    pentestable_entities {
      ...PentestableEntityFragment
    }
    blocked_pentestable_entities {
      ...BlockedPentestableEntityFragment
    }
  }
}
Variables
{"host_tab_xop_uuids": ["abc123"]}
Response
{
  "data": {
    "authorize_ips": {
      "pentestable_entities": [PentestableEntity],
      "blocked_pentestable_entities": [
        BlockedPentestableEntity
      ]
    }
  }
}

bulk_authorize_domains

Description

Bulk authorize AssetGroup domains for external pentesting.

Response

Returns a PentestableEntitiesBulkOutput!

Arguments
Name Description
op_series_uuid - String! ID of op series.
configured_domains_only - Boolean If true, only domains configured in the AssetGroup's scope will be authorized. Default is false.
page_input - PageInput If filters are provided, only domains that match the filters will be authorized.

Example

Query
mutation bulk_authorize_domains(
  $op_series_uuid: String!,
  $configured_domains_only: Boolean,
  $page_input: PageInput
) {
  bulk_authorize_domains(
    op_series_uuid: $op_series_uuid,
    configured_domains_only: $configured_domains_only,
    page_input: $page_input
  ) {
    pentestable_entities_count
  }
}
Variables
{
  "op_series_uuid": "xyz789",
  "configured_domains_only": false,
  "page_input": PageInput
}
Response
{"data": {"bulk_authorize_domains": {"pentestable_entities_count": 123}}}

bulk_authorize_ips

Description

Bulk authorize AssetGroup IPs for external pentesting.

Response

Returns a PentestableEntitiesBulkOutput!

Arguments
Name Description
op_series_uuid - String! ID of op series.
page_input - PageInput If filters are provided, only IPs that match the filters will be authorized.

Example

Query
mutation bulk_authorize_ips(
  $op_series_uuid: String!,
  $page_input: PageInput
) {
  bulk_authorize_ips(
    op_series_uuid: $op_series_uuid,
    page_input: $page_input
  ) {
    pentestable_entities_count
  }
}
Variables
{
  "op_series_uuid": "abc123",
  "page_input": PageInput
}
Response
{"data": {"bulk_authorize_ips": {"pentestable_entities_count": 123}}}

bulk_deauthorize_domains

Description

Bulk DE-authorize AssetGroup domains for external pentesting.

Response

Returns a PentestableEntitiesBulkOutput!

Arguments
Name Description
op_series_uuid - String! ID of op series.
page_input - PageInput If filters are provided, only domains that match the filters will be de-authorized.

Example

Query
mutation bulk_deauthorize_domains(
  $op_series_uuid: String!,
  $page_input: PageInput
) {
  bulk_deauthorize_domains(
    op_series_uuid: $op_series_uuid,
    page_input: $page_input
  ) {
    pentestable_entities_count
  }
}
Variables
{
  "op_series_uuid": "abc123",
  "page_input": PageInput
}
Response
{"data": {"bulk_deauthorize_domains": {"pentestable_entities_count": 123}}}

bulk_deauthorize_ips

Description

Bulk DE-authorize AssetGroup IPs for external pentesting.

Response

Returns a PentestableEntitiesBulkOutput!

Arguments
Name Description
op_series_uuid - String! ID of op series.
page_input - PageInput If filters are provided, only IPs that match the filters will be de-authorized.

Example

Query
mutation bulk_deauthorize_ips(
  $op_series_uuid: String!,
  $page_input: PageInput
) {
  bulk_deauthorize_ips(
    op_series_uuid: $op_series_uuid,
    page_input: $page_input
  ) {
    pentestable_entities_count
  }
}
Variables
{
  "op_series_uuid": "xyz789",
  "page_input": PageInput
}
Response
{"data": {"bulk_deauthorize_ips": {"pentestable_entities_count": 123}}}

cancel_op

Description

Cancel a pentest, if its current state allows it.

Response

Returns an OpTab!

Arguments
Name Description
op_id - String!

Example

Query
mutation cancel_op($op_id: String!) {
  cancel_op(op_id: $op_id) {
    uuid
    op_id
    op_state
    op_name
    scheduled_timestamp
    scheduled_at
    scheduled_at_date
    scheduled_timestamp_iso
    create_timestamp
    create_timestamp_iso
    launched_timestamp
    launched_timestamp_iso
    launched_at
    completed_at
    completed_timestamp
    completed_timestamp_iso
    canceled_at
    canceled_timestamp
    canceled_timestamp_iso
    duration_hms
    duration_humanize
    op_type
    weakness_types_count
    weaknesses_count
    host_tabs_count
    domain_controllers_count
    credentials_count
    proven_credentials_count
    confirmed_credentials_count
    unproven_credentials_count
    activedir_passwords_count
    enabled_activedir_passwords_count
    disabled_activedir_passwords_count
    feature_flags {
      ...FeatureFlagFragment
    }
    impacts_headline_count
    impact_paths_count
    attack_paths_count
    phished_impact_paths_count
    phished_attack_paths_count
    nodezero_script_url
    nodezero_ip
    etl_completed_at
    start_paused
    minimum_run_time
    maximum_run_time
    paused_at
    paused_by_user_account_uuid
    paused_by_user_account {
      ...UserAccountFragment
    }
    op_template_uuid
    op_template_name
    excluded_ips {
      ...ExcludedIPFragment
    }
    excluded_domains {
      ...ExcludedDomainFragment
    }
    runner_name
    runner {
      ...AgentFragment
    }
    run_nodezero_command {
      ...AgentCommandFragment
    }
    schedule_uuid
    schedule_name
    auto_injected_credential_uuids
  }
}
Variables
{"op_id": "xyz789"}
Response
{
  "data": {
    "cancel_op": {
      "uuid": "12341234-1234-1234-1234-123412341234",
      "op_id": "12341234-1234-1234-1234-123412341234",
      "op_state": "running",
      "op_name": "your op name",
      "scheduled_timestamp": "1600793100.0",
      "scheduled_at": "2021-07-22T05:02:40.294996",
      "scheduled_at_date": "2024-07-29T23:01:03.432Z",
      "scheduled_timestamp_iso": "2021-07-22T05:02:40.294996",
      "create_timestamp": "1600793100.0",
      "create_timestamp_iso": "2021-07-22T05:02:40.294996",
      "launched_timestamp": "1600793100.0",
      "launched_timestamp_iso": "2021-07-22T05:02:40.294996",
      "launched_at": "2021-07-22T05:02:40.294996",
      "completed_at": "2021-07-22T05:02:40.294996",
      "completed_timestamp": "1600793100.0",
      "completed_timestamp_iso": "2021-07-22T05:02:40.294996",
      "canceled_at": "2021-07-22T05:02:40.294996",
      "canceled_timestamp": "1600793100.0",
      "canceled_timestamp_iso": "2021-07-22T05:02:40.294996",
      "duration_hms": "22:35:09",
      "duration_humanize": "2 hours, 23 minutes",
      "op_type": "NodeZero",
      "weakness_types_count": 123,
      "weaknesses_count": 123,
      "host_tabs_count": 987,
      "domain_controllers_count": 123,
      "credentials_count": 123,
      "proven_credentials_count": 987,
      "confirmed_credentials_count": 987,
      "unproven_credentials_count": 123,
      "activedir_passwords_count": 987,
      "enabled_activedir_passwords_count": 987,
      "disabled_activedir_passwords_count": 987,
      "feature_flags": [FeatureFlag],
      "impacts_headline_count": 123,
      "impact_paths_count": 123,
      "attack_paths_count": 987,
      "phished_impact_paths_count": 123,
      "phished_attack_paths_count": 123,
      "nodezero_script_url": "https://example.com/example",
      "nodezero_ip": "123.45.67.89",
      "etl_completed_at": "2021-07-22T05:02:40.294996",
      "start_paused": false,
      "minimum_run_time": 987,
      "maximum_run_time": 123,
      "paused_at": "2021-07-22T05:02:40.294996",
      "paused_by_user_account_uuid": "12341234-1234-1234-1234-123412341234",
      "paused_by_user_account": UserAccount,
      "op_template_uuid": "12341234-1234-1234-1234-123412341234",
      "op_template_name": "abc123",
      "excluded_ips": [ExcludedIP],
      "excluded_domains": [ExcludedDomain],
      "runner_name": "abc123",
      "runner": Agent,
      "run_nodezero_command": AgentCommand,
      "schedule_uuid": "12341234-1234-1234-1234-123412341234",
      "schedule_name": "xyz789",
      "auto_injected_credential_uuids": [
        "abc123"
      ]
    }
  }
}

create_asset_group

Description

Create an asset group.
The asset group uses the scope configured in the given schedule_op_form to discover assets.

Response

Returns an AssetGroupOutput!

Arguments
Name Description
schedule_op_form - ScheduleOpFormInput! Scope for discovering assets.

Example

Query
mutation create_asset_group($schedule_op_form: ScheduleOpFormInput!) {
  create_asset_group(schedule_op_form: $schedule_op_form) {
    asset_group {
      ...AssetGroupFragment
    }
  }
}
Variables
{"schedule_op_form": ScheduleOpFormInput}
Response
{
  "data": {
    "create_asset_group": {"asset_group": AssetGroup}
  }
}

create_client_account

Description

Create a client account and grant the current user access.

Response

Returns a ClientAccountOutput!

Arguments
Name Description
client_account_input - ClientAccountInput!

Example

Query
mutation create_client_account($client_account_input: ClientAccountInput!) {
  create_client_account(client_account_input: $client_account_input) {
    client_account {
      ...ClientAccountFragment
    }
  }
}
Variables
{"client_account_input": ClientAccountInput}
Response
{
  "data": {
    "create_client_account": {
      "client_account": ClientAccount
    }
  }
}

create_op_template

Description

Create a pentest (aka "op") template.

Response

Returns a SaveOpTemplateOutput!

Arguments
Name Description
op_template_name - String! Name of pentest template. The name uniquely identifies the template in the client account.
schedule_op_form - ScheduleOpFormInput! Input data for scheduling pentest.

Example

Query
mutation create_op_template(
  $op_template_name: String!,
  $schedule_op_form: ScheduleOpFormInput!
) {
  create_op_template(
    op_template_name: $op_template_name,
    schedule_op_form: $schedule_op_form
  ) {
    op_template {
      ...OpTemplateFragment
    }
  }
}
Variables
{
  "op_template_name": "xyz789",
  "schedule_op_form": ScheduleOpFormInput
}
Response
{
  "data": {
    "create_op_template": {"op_template": OpTemplate}
  }
}

create_user_account

Description

Add a user to a given client account. The user will receive an invitation email along with temporary login credentials, if needed.

Response

Returns a UserAccount

Arguments
Name Description
input - CreateUserAccountInput! Input data for creating user.

Example

Query
mutation create_user_account($input: CreateUserAccountInput!) {
  create_user_account(input: $input) {
    uuid
    email
    name
    user_role_id
    sign_in_type
    last_signed_in_at
  }
}
Variables
{"input": CreateUserAccountInput}
Response
{
  "data": {
    "create_user_account": {
      "uuid": "12341234-1234-1234-1234-123412341234",
      "email": "john.smith@example.com",
      "name": "John Smith",
      "user_role_id": "USER",
      "sign_in_type": "BASIC",
      "last_signed_in_at": "2021-07-22T05:02:40.294996"
    }
  }
}

deauthorize_domains

Description

DE-authorize the given AssetGroup domains for external pentesting.

Response

Returns a PentestableEntitiesOutput!

Arguments
Name Description
external_domain_xop_uuids - [String!]!

Example

Query
mutation deauthorize_domains($external_domain_xop_uuids: [String!]!) {
  deauthorize_domains(external_domain_xop_uuids: $external_domain_xop_uuids) {
    pentestable_entities {
      ...PentestableEntityFragment
    }
    blocked_pentestable_entities {
      ...BlockedPentestableEntityFragment
    }
  }
}
Variables
{"external_domain_xop_uuids": ["abc123"]}
Response
{
  "data": {
    "deauthorize_domains": {
      "pentestable_entities": [PentestableEntity],
      "blocked_pentestable_entities": [
        BlockedPentestableEntity
      ]
    }
  }
}

deauthorize_ips

Description

DE-authorize the given AssetGroup IPs for external pentesting.

Response

Returns a PentestableEntitiesOutput!

Arguments
Name Description
host_tab_xop_uuids - [String!]!

Example

Query
mutation deauthorize_ips($host_tab_xop_uuids: [String!]!) {
  deauthorize_ips(host_tab_xop_uuids: $host_tab_xop_uuids) {
    pentestable_entities {
      ...PentestableEntityFragment
    }
    blocked_pentestable_entities {
      ...BlockedPentestableEntityFragment
    }
  }
}
Variables
{"host_tab_xop_uuids": ["xyz789"]}
Response
{
  "data": {
    "deauthorize_ips": {
      "pentestable_entities": [PentestableEntity],
      "blocked_pentestable_entities": [
        BlockedPentestableEntity
      ]
    }
  }
}

delete_client_account

Description

Delete a client account.

Response

Returns a Deleted!

Arguments
Name Description
client_account_uuid - String! Client account to delete.

Example

Query
mutation delete_client_account($client_account_uuid: String!) {
  delete_client_account(client_account_uuid: $client_account_uuid) {
    success
  }
}
Variables
{"client_account_uuid": "xyz789"}
Response
{"data": {"delete_client_account": {"success": false}}}

delete_op_template

Description

Delete a pentest (aka "op") template by name.

Response

Returns a DeleteOpTemplateOutput!

Arguments
Name Description
op_template_name - String! Name of pentest template.
op_type - String Type of pentest, see OpType for options.
also_delete_schedules - Boolean Also delete any schedules assigned to the template.

Example

Query
mutation delete_op_template(
  $op_template_name: String!,
  $op_type: String,
  $also_delete_schedules: Boolean
) {
  delete_op_template(
    op_template_name: $op_template_name,
    op_type: $op_type,
    also_delete_schedules: $also_delete_schedules
  ) {
    op_template {
      ...OpTemplateFragment
    }
  }
}
Variables
{
  "op_template_name": "xyz789",
  "op_type": "abc123",
  "also_delete_schedules": true
}
Response
{
  "data": {
    "delete_op_template": {"op_template": OpTemplate}
  }
}

delete_op_template_by_uuid

Description

Delete a pentest (aka "op") template by uuid.

Response

Returns a DeleteOpTemplateOutput!

Arguments
Name Description
uuid - String! ID of pentest template.
also_delete_schedules - Boolean Also delete any schedules assigned to the template.

Example

Query
mutation delete_op_template_by_uuid(
  $uuid: String!,
  $also_delete_schedules: Boolean
) {
  delete_op_template_by_uuid(
    uuid: $uuid,
    also_delete_schedules: $also_delete_schedules
  ) {
    op_template {
      ...OpTemplateFragment
    }
  }
}
Variables
{
  "uuid": "abc123",
  "also_delete_schedules": true
}
Response
{
  "data": {
    "delete_op_template_by_uuid": {
      "op_template": OpTemplate
    }
  }
}

delete_user_account

Description

Delete a user from a given client account.

Response

Returns a UserAccount

Arguments
Name Description
email - EmailAddress! Email address of user to delete.
client_account_uuid - String ID of client account to delete the user from. Defaults to the caller's client account.

Example

Query
mutation delete_user_account(
  $email: EmailAddress!,
  $client_account_uuid: String
) {
  delete_user_account(
    email: $email,
    client_account_uuid: $client_account_uuid
  ) {
    uuid
    email
    name
    user_role_id
    sign_in_type
    last_signed_in_at
  }
}
Variables
{
  "email": EmailAddress,
  "client_account_uuid": "xyz789"
}
Response
{
  "data": {
    "delete_user_account": {
      "uuid": "12341234-1234-1234-1234-123412341234",
      "email": "john.smith@example.com",
      "name": "John Smith",
      "user_role_id": "USER",
      "sign_in_type": "BASIC",
      "last_signed_in_at": "2021-07-22T05:02:40.294996"
    }
  }
}

pause_op

Description

Pause a pentest, if its current state allows it.

Response

Returns an OpTab!

Arguments
Name Description
op_id - String!

Example

Query
mutation pause_op($op_id: String!) {
  pause_op(op_id: $op_id) {
    uuid
    op_id
    op_state
    op_name
    scheduled_timestamp
    scheduled_at
    scheduled_at_date
    scheduled_timestamp_iso
    create_timestamp
    create_timestamp_iso
    launched_timestamp
    launched_timestamp_iso
    launched_at
    completed_at
    completed_timestamp
    completed_timestamp_iso
    canceled_at
    canceled_timestamp
    canceled_timestamp_iso
    duration_hms
    duration_humanize
    op_type
    weakness_types_count
    weaknesses_count
    host_tabs_count
    domain_controllers_count
    credentials_count
    proven_credentials_count
    confirmed_credentials_count
    unproven_credentials_count
    activedir_passwords_count
    enabled_activedir_passwords_count
    disabled_activedir_passwords_count
    feature_flags {
      ...FeatureFlagFragment
    }
    impacts_headline_count
    impact_paths_count
    attack_paths_count
    phished_impact_paths_count
    phished_attack_paths_count
    nodezero_script_url
    nodezero_ip
    etl_completed_at
    start_paused
    minimum_run_time
    maximum_run_time
    paused_at
    paused_by_user_account_uuid
    paused_by_user_account {
      ...UserAccountFragment
    }
    op_template_uuid
    op_template_name
    excluded_ips {
      ...ExcludedIPFragment
    }
    excluded_domains {
      ...ExcludedDomainFragment
    }
    runner_name
    runner {
      ...AgentFragment
    }
    run_nodezero_command {
      ...AgentCommandFragment
    }
    schedule_uuid
    schedule_name
    auto_injected_credential_uuids
  }
}
Variables
{"op_id": "abc123"}
Response
{
  "data": {
    "pause_op": {
      "uuid": "12341234-1234-1234-1234-123412341234",
      "op_id": "12341234-1234-1234-1234-123412341234",
      "op_state": "running",
      "op_name": "your op name",
      "scheduled_timestamp": "1600793100.0",
      "scheduled_at": "2021-07-22T05:02:40.294996",
      "scheduled_at_date": "2024-01-30T00:01:03.432Z",
      "scheduled_timestamp_iso": "2021-07-22T05:02:40.294996",
      "create_timestamp": "1600793100.0",
      "create_timestamp_iso": "2021-07-22T05:02:40.294996",
      "launched_timestamp": "1600793100.0",
      "launched_timestamp_iso": "2021-07-22T05:02:40.294996",
      "launched_at": "2021-07-22T05:02:40.294996",
      "completed_at": "2021-07-22T05:02:40.294996",
      "completed_timestamp": "1600793100.0",
      "completed_timestamp_iso": "2021-07-22T05:02:40.294996",
      "canceled_at": "2021-07-22T05:02:40.294996",
      "canceled_timestamp": "1600793100.0",
      "canceled_timestamp_iso": "2021-07-22T05:02:40.294996",
      "duration_hms": "22:35:09",
      "duration_humanize": "2 hours, 23 minutes",
      "op_type": "NodeZero",
      "weakness_types_count": 987,
      "weaknesses_count": 987,
      "host_tabs_count": 987,
      "domain_controllers_count": 987,
      "credentials_count": 123,
      "proven_credentials_count": 123,
      "confirmed_credentials_count": 123,
      "unproven_credentials_count": 123,
      "activedir_passwords_count": 123,
      "enabled_activedir_passwords_count": 123,
      "disabled_activedir_passwords_count": 987,
      "feature_flags": [FeatureFlag],
      "impacts_headline_count": 987,
      "impact_paths_count": 987,
      "attack_paths_count": 123,
      "phished_impact_paths_count": 123,
      "phished_attack_paths_count": 987,
      "nodezero_script_url": "https://example.com/example",
      "nodezero_ip": "123.45.67.89",
      "etl_completed_at": "2021-07-22T05:02:40.294996",
      "start_paused": false,
      "minimum_run_time": 987,
      "maximum_run_time": 987,
      "paused_at": "2021-07-22T05:02:40.294996",
      "paused_by_user_account_uuid": "12341234-1234-1234-1234-123412341234",
      "paused_by_user_account": UserAccount,
      "op_template_uuid": "12341234-1234-1234-1234-123412341234",
      "op_template_name": "abc123",
      "excluded_ips": [ExcludedIP],
      "excluded_domains": [ExcludedDomain],
      "runner_name": "abc123",
      "runner": Agent,
      "run_nodezero_command": AgentCommand,
      "schedule_uuid": "12341234-1234-1234-1234-123412341234",
      "schedule_name": "abc123",
      "auto_injected_credential_uuids": [
        "abc123"
      ]
    }
  }
}

remove_domains_from_asset_group

Description

Remove domains from an asset group.

Response

Returns an AssetGroupOutput!

Arguments
Name Description
asset_group_uuid - String! ID of asset group to update.
domains - [StringNotEmpty]! List of domains to remove from the asset group's scope.

Example

Query
mutation remove_domains_from_asset_group(
  $asset_group_uuid: String!,
  $domains: [StringNotEmpty]!
) {
  remove_domains_from_asset_group(
    asset_group_uuid: $asset_group_uuid,
    domains: $domains
  ) {
    asset_group {
      ...AssetGroupFragment
    }
  }
}
Variables
{
  "asset_group_uuid": "xyz789",
  "domains": [StringNotEmpty]
}
Response
{
  "data": {
    "remove_domains_from_asset_group": {
      "asset_group": AssetGroup
    }
  }
}

resume_op

Description

Resume a pentest, if its current state allows it.

Response

Returns an OpTab!

Arguments
Name Description
op_id - String!

Example

Query
mutation resume_op($op_id: String!) {
  resume_op(op_id: $op_id) {
    uuid
    op_id
    op_state
    op_name
    scheduled_timestamp
    scheduled_at
    scheduled_at_date
    scheduled_timestamp_iso
    create_timestamp
    create_timestamp_iso
    launched_timestamp
    launched_timestamp_iso
    launched_at
    completed_at
    completed_timestamp
    completed_timestamp_iso
    canceled_at
    canceled_timestamp
    canceled_timestamp_iso
    duration_hms
    duration_humanize
    op_type
    weakness_types_count
    weaknesses_count
    host_tabs_count
    domain_controllers_count
    credentials_count
    proven_credentials_count
    confirmed_credentials_count
    unproven_credentials_count
    activedir_passwords_count
    enabled_activedir_passwords_count
    disabled_activedir_passwords_count
    feature_flags {
      ...FeatureFlagFragment
    }
    impacts_headline_count
    impact_paths_count
    attack_paths_count
    phished_impact_paths_count
    phished_attack_paths_count
    nodezero_script_url
    nodezero_ip
    etl_completed_at
    start_paused
    minimum_run_time
    maximum_run_time
    paused_at
    paused_by_user_account_uuid
    paused_by_user_account {
      ...UserAccountFragment
    }
    op_template_uuid
    op_template_name
    excluded_ips {
      ...ExcludedIPFragment
    }
    excluded_domains {
      ...ExcludedDomainFragment
    }
    runner_name
    runner {
      ...AgentFragment
    }
    run_nodezero_command {
      ...AgentCommandFragment
    }
    schedule_uuid
    schedule_name
    auto_injected_credential_uuids
  }
}
Variables
{"op_id": "abc123"}
Response
{
  "data": {
    "resume_op": {
      "uuid": "12341234-1234-1234-1234-123412341234",
      "op_id": "12341234-1234-1234-1234-123412341234",
      "op_state": "running",
      "op_name": "your op name",
      "scheduled_timestamp": "1600793100.0",
      "scheduled_at": "2021-07-22T05:02:40.294996",
      "scheduled_at_date": "2024-01-30T00:01:03.432Z",
      "scheduled_timestamp_iso": "2021-07-22T05:02:40.294996",
      "create_timestamp": "1600793100.0",
      "create_timestamp_iso": "2021-07-22T05:02:40.294996",
      "launched_timestamp": "1600793100.0",
      "launched_timestamp_iso": "2021-07-22T05:02:40.294996",
      "launched_at": "2021-07-22T05:02:40.294996",
      "completed_at": "2021-07-22T05:02:40.294996",
      "completed_timestamp": "1600793100.0",
      "completed_timestamp_iso": "2021-07-22T05:02:40.294996",
      "canceled_at": "2021-07-22T05:02:40.294996",
      "canceled_timestamp": "1600793100.0",
      "canceled_timestamp_iso": "2021-07-22T05:02:40.294996",
      "duration_hms": "22:35:09",
      "duration_humanize": "2 hours, 23 minutes",
      "op_type": "NodeZero",
      "weakness_types_count": 987,
      "weaknesses_count": 123,
      "host_tabs_count": 987,
      "domain_controllers_count": 123,
      "credentials_count": 123,
      "proven_credentials_count": 123,
      "confirmed_credentials_count": 123,
      "unproven_credentials_count": 123,
      "activedir_passwords_count": 123,
      "enabled_activedir_passwords_count": 987,
      "disabled_activedir_passwords_count": 987,
      "feature_flags": [FeatureFlag],
      "impacts_headline_count": 123,
      "impact_paths_count": 987,
      "attack_paths_count": 123,
      "phished_impact_paths_count": 123,
      "phished_attack_paths_count": 987,
      "nodezero_script_url": "https://example.com/example",
      "nodezero_ip": "123.45.67.89",
      "etl_completed_at": "2021-07-22T05:02:40.294996",
      "start_paused": true,
      "minimum_run_time": 987,
      "maximum_run_time": 123,
      "paused_at": "2021-07-22T05:02:40.294996",
      "paused_by_user_account_uuid": "12341234-1234-1234-1234-123412341234",
      "paused_by_user_account": UserAccount,
      "op_template_uuid": "12341234-1234-1234-1234-123412341234",
      "op_template_name": "xyz789",
      "excluded_ips": [ExcludedIP],
      "excluded_domains": [ExcludedDomain],
      "runner_name": "xyz789",
      "runner": Agent,
      "run_nodezero_command": AgentCommand,
      "schedule_uuid": "12341234-1234-1234-1234-123412341234",
      "schedule_name": "xyz789",
      "auto_injected_credential_uuids": [
        "xyz789"
      ]
    }
  }
}

save_op_template

Use create_op_template and update_op_template instead.
Description

Create or update a pentest (aka "op") template.

Response

Returns a SaveOpTemplateOutput!

Arguments
Name Description
op_template_name - String! Name of pentest template. The name uniquely identifies the template in the client account.
schedule_op_form - ScheduleOpFormInput! Input data for scheduling pentest.

Example

Query
mutation save_op_template(
  $op_template_name: String!,
  $schedule_op_form: ScheduleOpFormInput!
) {
  save_op_template(
    op_template_name: $op_template_name,
    schedule_op_form: $schedule_op_form
  ) {
    op_template {
      ...OpTemplateFragment
    }
  }
}
Variables
{
  "op_template_name": "abc123",
  "schedule_op_form": ScheduleOpFormInput
}
Response
{
  "data": {
    "save_op_template": {"op_template": OpTemplate}
  }
}

schedule_op_template

Description

Schedule a pentest from a template.

Response

Returns a ScheduleOpOutput!

Arguments
Name Description
op_template_name - String @deprecated - use op_template_uuid instead. Name of pentest template. If not specified, defaults to the default template for the op_type specified in schedule_op_form.op_type, which in turn defaults to NodeZero.
op_template_uuid - String ID of pentest template. If not specified, defaults to the default template for the op_type specified in schedule_op_form.op_type, which in turn defaults to NodeZero.
op_name - String Name of the pentest, defaults to the name in pentest template.
schedule_op_form - ScheduleOpFormInput Optional parameters that, if set, override the corresponding parameters in the pentest template.
agent_name - String Assign an h3-cli agent to automatically launch NodeZero for this pentest
schedule_name - String The automated schedule to which this pentest is assigned. This is used internally by automated scheduling.

Example

Query
mutation schedule_op_template(
  $op_template_name: String,
  $op_template_uuid: String,
  $op_name: String,
  $schedule_op_form: ScheduleOpFormInput,
  $agent_name: String,
  $schedule_name: String
) {
  schedule_op_template(
    op_template_name: $op_template_name,
    op_template_uuid: $op_template_uuid,
    op_name: $op_name,
    schedule_op_form: $schedule_op_form,
    agent_name: $agent_name,
    schedule_name: $schedule_name
  ) {
    op {
      ...OpFragment
    }
  }
}
Variables
{
  "op_template_name": "abc123",
  "op_template_uuid": "xyz789",
  "op_name": "xyz789",
  "schedule_op_form": ScheduleOpFormInput,
  "agent_name": "abc123",
  "schedule_name": "abc123"
}
Response
{"data": {"schedule_op_template": {"op": Op}}}

update_asset_group_template

Description

Update an asset group's configuration.

Response

Returns a SaveOpTemplateOutput!

Arguments
Name Description
asset_group_uuid - String! ID of asset group.
schedule_op_form - ScheduleOpFormInput! Scope for discovering assets.

Example

Query
mutation update_asset_group_template(
  $asset_group_uuid: String!,
  $schedule_op_form: ScheduleOpFormInput!
) {
  update_asset_group_template(
    asset_group_uuid: $asset_group_uuid,
    schedule_op_form: $schedule_op_form
  ) {
    op_template {
      ...OpTemplateFragment
    }
  }
}
Variables
{
  "asset_group_uuid": "xyz789",
  "schedule_op_form": ScheduleOpFormInput
}
Response
{
  "data": {
    "update_asset_group_template": {
      "op_template": OpTemplate
    }
  }
}

update_client_account

Description

Update a client account.

Response

Returns a ClientAccount!

Arguments
Name Description
client_account_input - ClientAccountUpdateInput!

Example

Query
mutation update_client_account($client_account_input: ClientAccountUpdateInput!) {
  update_client_account(client_account_input: $client_account_input) {
    uuid
    parent_uuid
    child_client_accounts {
      ...ClientAccountFragment
    }
    company_name
    company_short_name
    company_logo_url
    secondary_company_logo_url
    company_colors {
      ...BrandColorFragment
    }
    white_label_reports_enabled
    white_label_reports_cascade
    row_created_at
    session_user_role_id
  }
}
Variables
{"client_account_input": ClientAccountUpdateInput}
Response
{
  "data": {
    "update_client_account": {
      "uuid": "12341234-1234-1234-1234-123412341234",
      "parent_uuid": "12341234-1234-1234-1234-123412341234",
      "child_client_accounts": [ClientAccount],
      "company_name": "Horizon3 AI, Inc",
      "company_short_name": "H3",
      "company_logo_url": "https://example.com/example",
      "secondary_company_logo_url": "https://example.com/example",
      "company_colors": [BrandColor],
      "white_label_reports_enabled": true,
      "white_label_reports_cascade": false,
      "row_created_at": "2021-07-22T05:02:40.294996",
      "session_user_role_id": "USER"
    }
  }
}

update_op_template

Description

Update a pentest (aka "op") template by uuid. Allows for template renaming.

Response

Returns an UpdateOpTemplateOutput!

Example

Query
mutation update_op_template {
  update_op_template {
    op_template {
      ...OpTemplateFragment
    }
  }
}
Response
{
  "data": {
    "update_op_template": {"op_template": OpTemplate}
  }
}

update_user_account

Description

Update a user and their role for a given client account.

Response

Returns a UserAccount!

Arguments
Name Description
input - UpdateUserAccountInput! Input data for updating user.

Example

Query
mutation update_user_account($input: UpdateUserAccountInput!) {
  update_user_account(input: $input) {
    uuid
    email
    name
    user_role_id
    sign_in_type
    last_signed_in_at
  }
}
Variables
{"input": UpdateUserAccountInput}
Response
{
  "data": {
    "update_user_account": {
      "uuid": "12341234-1234-1234-1234-123412341234",
      "email": "john.smith@example.com",
      "name": "John Smith",
      "user_role_id": "USER",
      "sign_in_type": "BASIC",
      "last_signed_in_at": "2021-07-22T05:02:40.294996"
    }
  }
}

Types

AWSAccountId

Description

String scalar type with AWS Account ID format required (a 12-digit number).

Example
AWSAccountId

AccessLevel

Description

Client account access level.

Values
Enum Value Description

FREE_TRIAL

Free trial access with certain limitations.

READONLY

Read-only access.

FULL

Full access.

POV

Proof-of-value access

C_PLUS

Consulting+ access.

MSP

Managed Service Provider
Example
"FREE_TRIAL"

ActionLog

Description

Action log data that represents an entry in the pentest audit log. Each log entry represents an action taken against a host during a pentest.

Fields
Field Name Description
uuid - String! ID of action log.
start_time - Datetime! Timestamp at the start of action, in ISO format (UTC).
endpoint_uuid - String ID of host targeted by action.
endpoint_ip - String IP address of host targeted by action.
end_time - Datetime! Timestamp at the end of action, in ISO format (UTC).
cmd - String! Attack command run in action.
module_id - String Name of attack module used in action.
module_name - String Title name of attack module used in action.
module_description - String Description of attack module used in action.
module_meta - ModuleMeta Metadata for the attack module used in action.
target_h3_names - [String] List of assets and weaknesses associated with action. Assets include the IP, service, application, URL, or data store being targeted.
exit_code - String! Exit code from attack command run in action.
op_id - String! ID of pentest associated with action.
op_snapshot_id - String! ID of pentest snapshot associated with action.
Example
{
  "uuid": "12341234-1234-1234-1234-123412341234",
  "start_time": Datetime,
  "endpoint_uuid": "12341234-1234-1234-1234-123412341234",
  "endpoint_ip": "123.45.67.89",
  "end_time": Datetime,
  "cmd": "xyz789",
  "module_id": "xyz789",
  "module_name": "xyz789",
  "module_description": "xyz789",
  "module_meta": ModuleMeta,
  "target_h3_names": ["abc123"],
  "exit_code": "abc123",
  "op_id": "12341234-1234-1234-1234-123412341234",
  "op_snapshot_id": "abc123"
}

ActionLogsPage

Description

Paginated data of action logs.

Fields
Field Name Description
page_info - PageInfo Pagination of response.
action_logs - [ActionLog!]! List of action logs.
Example
{
  "page_info": PageInfo,
  "action_logs": [ActionLog]
}

Agent

Description

Represents an Agent aka NodeZero Runner.

Fields
Field Name Description
uuid - String! Unique identifier
name - String! The name of the agent. The name is used when assigning scheduled ops to an agent.
uname - String The output of uname on the agent machine
log_file - String The file the agent is logging to on the local machine
last_heartbeat_at - Datetime! The last time the agent made contact with H3 (via GQL)
last_heartbeat_time_ago - String! last_heartbeat_at as a human-friendly "time ago" statement, eg. "3 minutes ago"
last_command - AgentCommand The last (or next) command for the agent.
commands - [AgentCommand] The last n command for the agent.
Arguments
last_n - Int
created_at - Datetime! When the agent was first created
Example
{
  "uuid": "12341234-1234-1234-1234-123412341234",
  "name": "xyz789",
  "uname": "xyz789",
  "log_file": "abc123",
  "last_heartbeat_at": "2021-07-22T05:02:40.294996",
  "last_heartbeat_time_ago": "abc123",
  "last_command": AgentCommand,
  "commands": [AgentCommand],
  "created_at": "2021-07-22T05:02:40.294996"
}

AgentCommand

Description

Represents a command run by an Agent aka NodeZero Runner (see Agent).

Fields
Field Name Description
uuid - String! Unique identifier
agent_uuid - String! The agent to run the command.
command - String! The command to run
received_at - Datetime When the agent received the command.
completed_at - Datetime When the agent completed the command.
exit_status - String The exit status/return code from the command process.
log - String The stdout+stderr log from the command process.
created_at - Datetime! When the command was created
Example
{
  "uuid": "12341234-1234-1234-1234-123412341234",
  "agent_uuid": "12341234-1234-1234-1234-123412341234",
  "command": "xyz789",
  "received_at": "2021-07-22T05:02:40.294996",
  "completed_at": "2021-07-22T05:02:40.294996",
  "exit_status": "abc123",
  "log": "xyz789",
  "created_at": "2021-07-22T05:02:40.294996"
}

AssetGroup

Description

An AssetGroup represents a set of assets in a pentest environment. Assets are discovered by scanning the environment using the scope defined in the associated op template.

Fields
Field Name Description
uuid - String! ID of asset group
name - String! Name of asset group.
op_template_uuid - String! ID of pentest template for asset group.
op_template - OpTemplate! Data of pentest template for asset group.
user_account_uuid - String! ID of user that created the asset group.
user_account_name - String! Name of user account that created the asset group.
client_account_uuid - String! ID of client account that created the asset group.
client_account_company_name - String! Company name on the client account that created the asset group.
last_ead_etl_completed_at - Datetime Timestamp when the last asset discovery completed for this asset group.
created_at - Datetime! Timestamp when the asset group was created.
updated_at - Datetime Timestamp when the asset group was last updated.
op_series_uuid - String! ID of the ExternalAssetDiscovery op series associated with the asset group.
assets_count - Int! The number of domain and IP assets in this asset group.
authorized_assets_count - Int! The number of authorized domain and IP assets in this asset group.
external_domain_xops_count - Int! The number of domains in this asset group.
authorized_external_domain_xops_count - Int! The number of authorized domains in this asset group.
in_scope_host_tab_xops_count - Int! The number of in-scope IPs in this asset group.
authorized_host_tab_xops_count - Int! The number of authorized IPs in this asset group.
Example
{
  "uuid": "12341234-1234-1234-1234-123412341234",
  "name": "abc123",
  "op_template_uuid": "12341234-1234-1234-1234-123412341234",
  "op_template": OpTemplate,
  "user_account_uuid": "12341234-1234-1234-1234-123412341234",
  "user_account_name": "xyz789",
  "client_account_uuid": "12341234-1234-1234-1234-123412341234",
  "client_account_company_name": "abc123",
  "last_ead_etl_completed_at": "2021-07-22T05:02:40.294996",
  "created_at": "2021-07-22T05:02:40.294996",
  "updated_at": "2021-07-22T05:02:40.294996",
  "op_series_uuid": "12341234-1234-1234-1234-123412341234",
  "assets_count": 123,
  "authorized_assets_count": 987,
  "external_domain_xops_count": 123,
  "authorized_external_domain_xops_count": 987,
  "in_scope_host_tab_xops_count": 987,
  "authorized_host_tab_xops_count": 123
}

AssetGroupOutput

Description

Asset group return type.

Fields
Field Name Description
asset_group - AssetGroup! The asset group.
Example
{"asset_group": AssetGroup}

AssetGroupsPage

Fields
Field Name Description
page_info - PageInfo Pagination of response.
asset_groups - [AssetGroup!]! List of asset groups.
Example
{
  "page_info": PageInfo,
  "asset_groups": [AssetGroup]
}

AttackPath

Description

An AttackPath represents the steps NodeZero took to achieve an Impact.
The path includes exploited weaknesses, compromised credentials, and other findings that led to the Impact.

Fields
Field Name Description
uuid - String! Unique ID for this AttackPath.
impact_type - ImpactType! The type of impact.
impact_title - String! The impact type's title.
impact_description - String! The impact type's description.
name - String! The attack path's name/title.
attack_path_title - String! The attack path's name/title.
base_score - Float The impact type's base score.
score - Float The impact severity score. An impact's score is primarily dependent on its type.
severity - Severity The impact severity.
context_score_description_md - String Description of the impact, spelling out overall impact along with the weaknesses, credentials, and hosts involved in its attack path. In markdown format.
context_score_description - String Description of the impact, spelling out overall impact along with the weaknesses, credentials, and hosts involved in its attack path.
op_id - String! The op.
weakness_refs - [String] The weaknesses that appear in this attack path. Refs are formatted as {weakness_uuid},{weakness-id},{asset-name}
credential_refs - [String] The credentials that appear in this attack path. Refs are formatted as {credential_tab_uuid},{user_or_role_name},{asset-name}
host_refs - [String] The hosts that appear in this attack path. Refs are formatted as {host_tab_uuid},{ip}
time_to_finding_hms - String Time-to-finding in hh:mm:ss format
time_to_finding_s - Int Time-to-finding in seconds
created_at - Datetime When the impact occurred (ie. when the target_entity was found)
target_entity_text - String The name of the target entity that is the direct cause of this impact
target_entity_short_text - String The short-name of the target entity that is the direct cause of this impact
affected_asset_text - String The name of the asset affected by this impact.
affected_asset_short_text - String The short-name of the asset affected by this impact.
ip - String The host IP where this impact occurred.
host_name - String The host host_name where this impact occurred.
host_text - String The name of the host affected by this impact.
Example
{
  "uuid": "12341234-1234-1234-1234-123412341234",
  "impact_type": "AWSUserRoleCompromise",
  "impact_title": "abc123",
  "impact_description": "xyz789",
  "name": "xyz789",
  "attack_path_title": "xyz789",
  "base_score": 123.45,
  "score": 123.45,
  "severity": "INFO",
  "context_score_description_md": "xyz789",
  "context_score_description": "xyz789",
  "op_id": "12341234-1234-1234-1234-123412341234",
  "weakness_refs": ["xyz789"],
  "credential_refs": ["abc123"],
  "host_refs": ["xyz789"],
  "time_to_finding_hms": "22:05:31",
  "time_to_finding_s": 987,
  "created_at": "2021-07-22T05:02:40.294996",
  "target_entity_text": "xyz789",
  "target_entity_short_text": "xyz789",
  "affected_asset_text": "abc123",
  "affected_asset_short_text": "abc123",
  "ip": "123.45.67.89",
  "host_name": "xyz789",
  "host_text": "abc123"
}

AttackPathsPage

Description

Contains a page of AttackPath records, as fetched via Query.attack_paths_page.

Fields
Field Name Description
page_info - PageInfo Pagination of response.
attack_paths - [AttackPath!]! List of attack paths.
Example
{
  "page_info": PageInfo,
  "attack_paths": [AttackPath]
}

AuthzRole

Description

Authorization role of a user within a client account. A user's role may change with the client account.

Values
Enum Value Description

USER

User has non-admin access in the client account.

READONLY

User has read-only access in the client account.

ORG_ADMIN

User has organizational admin access in the client account.

NODEZERO_RUNNER

This role is used with the h3-cli for configuring an automated runner for NodeZero.

PHISHER

This role is used for pentests in which phishing is conducted, enable POSTing of phished credentials.
Example
"USER"

BlockedPentestableEntity

Description

A BlockedPentestableEntity links an external domain or IP asset (the PentestableEntity) with its PentestableRules.
The PentestableRules determine whether or not we allow external pentesting of the asset. Assets are blocked if we determine they are owned by providers that do not permit pentesting.

Fields
Field Name Description
pentestable_entity - PentestableEntity The pentestable entity that was blocked.
pentestable_rules - PentestableRules Then rules that determined why we blocked the asset from external pentesting.
Example
{
  "pentestable_entity": PentestableEntity,
  "pentestable_rules": PentestableRules
}

Boolean

Description

The Boolean scalar type represents true or false.

BrandColor

Fields
Field Name Description
type - BrandColorType! Primary or Secondary.
color - HexColor! The color in hex notation.
Example
{"type": "primary", "color": "#bb032d"}

BrandColorInput

Fields
Input Field Description
type - BrandColorType! Primary or Secondary.
color - HexColor! The color in hex notation.
Example
{"type": "primary", "color": "#bb032d"}

BrandColorType

Values
Enum Value Description

primary

Primary color.

secondary

Secondary color.
Example
"primary"

ClientAccount

Description

Represents a client account.

Fields
Field Name Description
uuid - String! ID of client account.
parent_uuid - String ID of parent client account.
child_client_accounts - [ClientAccount!]! List of child client accounts, also known as sub-client accounts.
company_name - String! Full company name.
company_short_name - String! Short name of company.
company_logo_url - String Company logo URL.
secondary_company_logo_url - String Secondary company logo URL.
company_colors - [BrandColor!] Company color scheme.
white_label_reports_enabled - Boolean Flag to enable co-branded reports.
white_label_reports_cascade - Boolean Flag to cascade co-branded reports to child accounts, if applicable.
row_created_at - Datetime Timestamp when the account was created, in ISO format (UTC).
session_user_role_id - AuthzRole Role of the current user in this client account.
Example
{
  "uuid": "12341234-1234-1234-1234-123412341234",
  "parent_uuid": "12341234-1234-1234-1234-123412341234",
  "child_client_accounts": [ClientAccount],
  "company_name": "Horizon3 AI, Inc",
  "company_short_name": "H3",
  "company_logo_url": "https://example.com/example",
  "secondary_company_logo_url": "https://example.com/example",
  "company_colors": [BrandColor],
  "white_label_reports_enabled": false,
  "white_label_reports_cascade": true,
  "row_created_at": "2021-07-22T05:02:40.294996",
  "session_user_role_id": "USER"
}

ClientAccountInput

Description

Arguments to create client account.

Fields
Input Field Description
CompanyName - StringNotEmpty! Full company name.
company_short_name - StringNotEmpty Short company name.
access_level - AccessLevel! Access level of client account.
parent_uuid - String ID of client account to assign as parent.
Example
{
  "CompanyName": StringNotEmpty,
  "company_short_name": StringNotEmpty,
  "access_level": "FREE_TRIAL",
  "parent_uuid": "12341234-1234-1234-1234-123412341234"
}

ClientAccountOutput

Description

Client account data wrapper.

Fields
Field Name Description
client_account - ClientAccount The client account.
Example
{"client_account": ClientAccount}

ClientAccountUpdateInput

Description

Arguments to update client account.

Fields
Input Field Description
uuid - String! Client account to update.
CompanyName - StringNotEmpty Full company name.
company_short_name - StringNotEmpty Short company name.
company_colors - [BrandColorInput!] Company color scheme.
white_label_reports_enabled - Boolean Flag to enable co-branded reports.
white_label_reports_cascade - Boolean Flag to cascade co-branded reports to child accounts, if applicable.
Example
{
  "uuid": "12341234-1234-1234-1234-123412341234",
  "CompanyName": StringNotEmpty,
  "company_short_name": StringNotEmpty,
  "company_colors": [BrandColorInput],
  "white_label_reports_enabled": true,
  "white_label_reports_cascade": false
}

ClientAccountsPage

Fields
Field Name Description
page_info - PageInfo Pagination of response.
client_accounts - [ClientAccount!]! List of client accounts.
Example
{
  "page_info": PageInfo,
  "client_accounts": [ClientAccount]
}

CreateUserAccountInput

Description

Arguments to create user account.

Fields
Input Field Description
name - String! Name of user.
email - EmailAddress! Email of user.
client_account_uuid - String ID of client account to add the user to. Defaults to the current user client account.
user_role_id - AuthzRole! Role of user in the given client account.
is_sso - Boolean If set, a BASIC auth username/password account will not be created for the user.
Example
{
  "name": "John Smith",
  "email": "john.smith@example.com",
  "client_account_uuid": "12341234-1234-1234-1234-123412341234",
  "user_role_id": "USER",
  "is_sso": true
}

Date

Description

String scalar type with date ISO format serialization, eg. 2021-07-22.

Example
"2024-07-29T23:01:03.432Z"

Datetime

Description

String scalar type with datetime ISO format serialization, eg. 2021-07-22T05:02:40.294996.

Example
Datetime

DeleteOpTemplateOutput

Fields
Field Name Description
op_template - OpTemplate The deleted op template
Example
{"op_template": OpTemplate}

Deleted

Fields
Field Name Description
success - Boolean! The result of the operation.
Example
{"success": true}

DiffStats

Description

Aggregate stats used with diff-related APIs, for example Query.weaknesses_diff_stats.

Fields
Field Name Description
added_count - Int The number of records with diff_status: ADDED.
removed_count - Int The number of records with diff_status: REMOVED.
unchanged_count - Int The number of records that are the same between the two sets being compared.
Example
{"added_count": 987, "removed_count": 123, "unchanged_count": 987}

DiffStatus

Description

Used with diff-related APIs, for example Query.weaknesses_diff_page.

Values
Enum Value Description

ADDED

Indicates the record is NOT present in the first set, but is present in the second set.

REMOVED

Indicates the record is present in the first set, but is NOT present in the second set.
Example
"ADDED"

EmailAddress

Description

String scalar type with email address format required.

Example
EmailAddress

ExcludedDomain

Description

Represents an external domain that was excluded from a pentest due to the given reason.

Fields
Field Name Description
op_id - String! The op that excluded the domain.
domain - String! The external domain that was excluded.
Example
{
  "op_id": "12341234-1234-1234-1234-123412341234",
  "domain": "abc123"
}

ExcludedIP

Description

Represents an IP address that was excluded from a pentest due to the given reason.

Fields
Field Name Description
op_id - String! The op that excluded the IP.
ip - String! The IP that was excluded.
Example
{"op_id": "12341234-1234-1234-1234-123412341234", "ip": "123.45.67.89"}

ExternalDomainXop

Description

This type is an abstraction over the ExternalDomain type representing a uniquely identified ExternalDomain asset across an OpSeries of ops. The asset is id'ed via the xop_id field. The xop_id field is set to the domain name.

Fields
Field Name Description
uuid - String! {op_series_uuid}/{xop_id}
op_series_uuid - String! This ExternalDomainXop type represents an asset being tracked across this OpSeries.
xop_id - String! The durable xop identity. Always derived from the data itself (ie. not an arbitrary uuid) For ExternalDomainXop, the xop_id is the domain name.
last_op_id - String The last op this domain name appeared in.
current_op_id - String The most recently run op in the OpSeries.
is_authorized - Boolean Indicates whether or not the domain has been marked "authorized for pentesting" by the user.
pentestable_rules - PentestableRules Apply rules to determine whether we allow the user to authorizie this ExternalDomain for pentesting.
is_dynamic_ip - Boolean Indicates whether the xop has been marked as "uses dynamic IPs" by the user
excluded_domain_from_last_pentest - ExcludedDomain The ExcludedDomain record from the LAST ExternalAttack pentest against this AssetGroup/OpSeries. This will be non-null if the asset was authorized for pentesting, but was excluded (moved out of scope) in the last ExternalAttack pentest, due to drift or unreachability.
third_party_aliases - [String] Full list of 3rd-party aliases. Includes all subdomains NOT covered by a TLD in the AssetGroup config. Aliases include CNAMEs (ExternalDomain.cname_chain) and DNS Reverse-Lookup Names (ExternalDomain.endpoint_dns_hostnames).
third_party_certificate_subject_cns - [String] 3rd-party certificate subject CNs. Includes all CNs NOT covered by a TLD in the AssetGroup config.
Example
{
  "uuid": "12341234-1234-1234-1234-123412341234",
  "op_series_uuid": "12341234-1234-1234-1234-123412341234",
  "xop_id": "xyz789",
  "last_op_id": "xyz789",
  "current_op_id": "xyz789",
  "is_authorized": true,
  "pentestable_rules": PentestableRules,
  "is_dynamic_ip": "123.45.67.89",
  "excluded_domain_from_last_pentest": ExcludedDomain,
  "third_party_aliases": ["xyz789"],
  "third_party_certificate_subject_cns": [
    "xyz789"
  ]
}

FeatureFlag

Description

Represents Advanced Configuration settings.

Fields
Field Name Description
name - String! The name of the advanced configuration option.
value - Boolean! Indicates whether the option is enabled or disabled.
property_name - String Human-friendly name for this advanced configuration option.
property_description - String Description for this advanced configuration option.
category_name - String Category of this advanced configuration option.
category_description - String Category description.
risk - FeatureFlagRiskType The disruption risk associated with this advanced configuration option.
enables_min_runtime - Boolean Indicates whether this advanced configuration option should be used in conjunction with ScheduleOpFormInput.minimum_run_time.
enables_password_spray - Boolean Indicates whether this advanced configuration option should be used in conjunction with ScheduleOpFormInput.passwords_to_spray.
is_new - Boolean! Indicates the FeatureFlag was introduced after the last time the containing OpTemplate was saved. This helps alert the user about new Attack Config options available in their OpTemplate.
Once the OpTemplate is re-saved with the new options, the is_new field is reset.
Example
{
  "name": "abc123",
  "value": false,
  "property_name": "xyz789",
  "property_description": "xyz789",
  "category_name": "abc123",
  "category_description": "xyz789",
  "risk": "none",
  "enables_min_runtime": false,
  "enables_password_spray": false,
  "is_new": false
}

FeatureFlagInput

Description

Represents Advanced Configuration input.

Fields
Input Field Description
name - String! The name of the advanced configuration option.
value - Boolean! Indicates whether the option is enabled or disabled.
Example
{"name": "abc123", "value": false}

FeatureFlagRiskType

Values
Enum Value Description

none

The feature has no risk of disruption to your environment.

low

The feature has low risk of disruption to your environment.

moderate

The feature has moderate risk of disruption to your environment.

high

The feature has high risk of disruption to your environment.
Example
"none"

FilterBy

Description

Filtering of response data. Corresponding type for FilterByInput.

Fields
Field Name Description
field_name - StringNoWhitespace! Name of parameter being filtered by.
values - [String] Values to filter for. See FilterByInput.
not_values - [String] Values to filter out. See FilterByInput.
less_than - String The field value is strictly less than this value. See FilterByInput.
less_than_or_equal - String The field value is less than OR equal to this value. See FilterByInput.
greater_than - String The field value is strictly greater than this value. See FilterByInput.
greater_than_or_equal - String The field value is strictly greater than this value. See FilterByInput.
Example
{
  "field_name": StringNoWhitespace,
  "values": ["abc123"],
  "not_values": ["abc123"],
  "less_than": "xyz789",
  "less_than_or_equal": "abc123",
  "greater_than": "xyz789",
  "greater_than_or_equal": "xyz789"
}

FilterByInput

Description

Filter by parameter, e.g. fetch results where field_name in values.

Fields
Input Field Description
field_name - StringNoWhitespace! Name of parameter to filter by.
values - [String] Values to filter for. Cannot be combined with not_values input.
Can be combined with greater_than* or less_than* inputs. Combined inputs are AND'ed together.
not_values - [String] Values to filter out.
Cannot be combined with values input.
Can be combined with greater_than* or less_than* inputs. Combined inputs are AND'ed together.
greater_than - String The field value is strictly greater than this value.
Cannot be combined with greater_than_or_equal input.
Can be combined with less_than* inputs and values, not_values inputs. Combined inputs are AND'ed together.
greater_than_or_equal - String The field value is strictly greater than this value.
Cannot be combined with greater_than input.
Can be combined with less_than* inputs and values, not_values inputs. Combined inputs are AND'ed together.
less_than - String The field value is strictly less than this value.
Cannot be combined with less_than_or_equal input.
Can be combined with greater_than* inputs and values, not_values inputs. Combined inputs are AND'ed together.
less_than_or_equal - String The field value is less than OR equal to this value.
Cannot be combined with less_than input.
Can be combined with greater_than* inputs and values, not_values inputs. Combined inputs are AND'ed together.
Example
{
  "field_name": StringNoWhitespace,
  "values": ["abc123"],
  "not_values": ["xyz789"],
  "greater_than": "xyz789",
  "greater_than_or_equal": "xyz789",
  "less_than": "xyz789",
  "less_than_or_equal": "xyz789"
}

Float

Description

The Float scalar type represents signed double-precision fractional values as specified by IEEE 754.

Example
987.65

GitAccount

Description

Corresponding (non-input) type. Note that GitAccounts are also created by the op.

Fields
Field Name Description
name - String! Name of the git account.
source - GitAccountSource! The git service associated with this git account.
Example
{"name": "abc123", "source": "GitLab"}

GitAccountInput

Description

git input type

Fields
Input Field Description
name - StringNoWhitespace! Name of the git account.
source - GitAccountSource! The git service associated with this git account.
Example
{"name": StringNoWhitespace, "source": "GitLab"}

GitAccountSource

Values
Enum Value Description

GitLab

The git account is associated with GitLab

GitHub

The git account is associated with GitHub

Bitbucket

The git account is associated with BitBucket.
Example
"GitLab"

HexColor

Description

Hex color string, eg. #def or #bb032b.

Example
HexColor

HostCSV

Description

String scalar type representing a HostCSV row with columns:

  • FirstSeen: Datetime
  • Subnet: String
  • SubnetSource: String
  • IP: String
  • Hostname: String
  • DNSHostnames: String
  • LDAPHostname: String
  • InScope: Boolean
  • OS: String
  • Hardware: String
  • Device: String
  • NumWeaknesses: Int
  • NumConfirmedWeaknesses: Int
  • NumDataResources: Int
  • NumCredentials: Int
  • NumConfirmedCredentials: Int
  • NumServices: Int
  • NumWebShares: Int
  • RiskScore: Float
  • RiskScoreDescription: String
  • OpID: String
Example
HostCSV

HostTabXop

Description

This type is an abstraction over the HostTab type representing a uniquely identified HostTab asset across an OpSeries of ops. The asset is ID'ed via the xop_id field. A HostTab's xop_id is set to its ip.

Fields
Field Name Description
uuid - String! {op_series_uuid}/{xop_id}
op_series_uuid - String! This HostTabXop type represents an asset being tracked across this OpSeries.
xop_id - String! The durable xop identity. Always derived from the data itself (ie. not an arbitrary uuid). For HostTabXops that represent AssetGroup IPs, the xop_id is the IP.
ip - String! The ip of this host.
last_op_id - String The last op this IP appeared in.
current_op_id - String The most recently run op in the OpSeries.
is_authorized - Boolean
Indicates whether or not this IP has been marked "authorized for pentest" by the user.
excluded_ip_from_last_pentest - ExcludedIP The ExcludedIP record from the LAST ExternalAttack pentest against this AssetGroup/OpSeries. This will be non-null if the asset was authorized for pentesting, but was excluded (moved out of scope) in the last ExternalAttack pentest, due to drift or unreachability.
pentestable_rules - PentestableRules Apply rules to determine whether we allow the user to authorize this IP for pentesting.
third_party_aliases - [String] Full list of 3rd-party aliases. Includes all subdomains NOT covered by a TLD in the AssetGroup config. Aliases include CNAMEs (ExternalDomain.cname_chain) and DNS Reverse-Lookup Names (ExternalDomain.endpoint_dns_hostnames).
third_party_certificate_subject_cns - [String] 3rd-party certificate subject CNs. Includes all CNs NOT covered by a TLD in the AssetGroup config.
Example
{
  "uuid": "12341234-1234-1234-1234-123412341234",
  "op_series_uuid": "12341234-1234-1234-1234-123412341234",
  "xop_id": "xyz789",
  "ip": "123.45.67.89",
  "last_op_id": "xyz789",
  "current_op_id": "abc123",
  "is_authorized": true,
  "excluded_ip_from_last_pentest": ExcludedIP,
  "pentestable_rules": PentestableRules,
  "third_party_aliases": ["xyz789"],
  "third_party_certificate_subject_cns": [
    "abc123"
  ]
}

ImpactType

Description

Impact types.

Values
Enum Value Description

AWSUserRoleCompromise

Once an AWS user or role is compromised, anything that user or role has access to including cloud resources, cloud services, and data should be considered compromised.

AWSAccountCompromise

Once an AWS account is fully compromised, all cloud resources, cloud services, and data that exists in that AWS account should be considered fully compromised.

AzureADUserCompromise

DEPRECATED.

MicrosoftEntraUserCompromise

Once a Microsoft Entra user is compromised, anything that user has access to should be considered compromised. This could include access to the Microsoft Entra tenant, Microsoft 365, and even access to Azure subscriptions.

MicrosoftEntraAccountCompromise

Once an Entra (AzureAD) tenant is fully compromised, any application, service, or resource that utilizes the Entra Entra tenant for Identity and Access Management (IAM) should be considered compromised. This includes cloud services such as Microsoft 365 and Azure-hosted resources such as virtual machines or databases.

MicrosoftEntraFullTenantCompromise

DEPRECATED

BrandCompromise

Brand compromise covers ways in which an attacker can harm your company's reputation by, for instance, defacing the company's website, hosting malware off the company's domain, or carrying out phishing attacks that appear to originate from the company.

BusinessEmailCompromise

Business email compromise allows attackers to send and receive emails under the guise of that user. Attackers commonly leverage email access to conduct business accounting fraud, conduct highly targeted phishing attacks, gain access to sensitive information, and elicit trusting coworkers to perform actions on their behalf.

CloudCompromise

DEPRECATED.

CloudServiceCompromise

DEPRECATED.

CriticalInfrastructureCompromise

Critical infrastructure consists of key devices and applications that provide attackers a privileged position in the network from which they can access a wealth of sensitive data and launch further attacks.

DomainCompromise

Once a domain is fully compromised, all hosts, domain user accounts, data, infrastructure and applications tied to that domain should be considered fully compromised. Additionally, applications running on a domain-joined machine or any application that uses Active Directory integration to authenticate users should be considered fully compromised.

DomainUserCompromise

Once a domain user is compromised, anything that user account has access to should be considered compromised.

HostCompromise

Host compromise can lead to attackers gaining access to sensitive information, maintaining persistence within your network, and obtaining lateral movement within your networks.

PerimeterBreach

Perimeter breach can lead to attackers gaining access to your internal network from the public internet.

RansomwareExposure

Ransomware exposures can be used by attackers to obtain access to business-critical data stores, encrypt them with a secret key, and demand a ransom payment from your company before releasing the decryption key. Ransomware attacks can cause severe disruption to your business operations, even after the ransom is paid, as data stores must be decrypted and affected services restored.

SensitiveDataExposure

Sensitive data exposures can be used by attackers to obtain user credentials, PII (Personally identifiable information), financial account data, and other business-critical information to further exploit or gain profit.
Example
"AWSUserRoleCompromise"

Int

Description

The Int scalar type represents non-fractional signed whole numeric values. Int can represent values between -(2^31) and 2^31 - 1.

Example
987

Long

Description

Int scalar type alias.

Example
Long

MitreMapping

Description

A MitreMapping consists of a specific combination of a MITRE Tactic, Technique, and optionally a Subtechnique. MitreMappings are associated with attack modules via ModuleMeta.

Fields
Field Name Description
mitre_tactic_id - String! The MITRE Tactic ID
mitre_tactic - MitreTactic The MITRE Tactic
mitre_technique_id - String! The MITRE Technique ID
mitre_technique - MitreTechnique The MITRE Technique
mitre_subtechnique_id - String The MITRE Subtechnique ID
mitre_subtechnique - MitreSubtechnique The MITRE Subtechnique
Example
{
  "mitre_tactic_id": "TA0043",
  "mitre_tactic": MitreTactic,
  "mitre_technique_id": "T1595",
  "mitre_technique": MitreTechnique,
  "mitre_subtechnique_id": "T1595.002",
  "mitre_subtechnique": MitreSubtechnique
}

MitreSubtechnique

Description

Represents a MITRE Subtechnique

Fields
Field Name Description
id - String! The MITRE Subtechnique ID
mitre_technique_id - String The MITRE Technique ID that is the parent of this Subtechnique
name - String The MITRE Subtechnique name
description - String The MITRE Subtechnique description
url - String The documentation URL for the MITRE Subtechnique
Example
{
  "id": "T1595.001",
  "mitre_technique_id": "T1595",
  "name": "Scanning IP Blocks",
  "description": "Adversaries may scan victim IP blocks...",
  "url": "https://attack.mitre.org/techniques/T1595/001/"
}

MitreTactic

Description

Represents a MITRE Tactic

Fields
Field Name Description
id - String! The MITRE Tactic ID
name - String The MITRE Tactic name
description - String The MITRE Tactic description
url - String The documentation URL for the MITRE Tactic
Example
{
  "id": "TA0043",
  "name": "Reconnaissance",
  "description": "The adversary is trying to gather information...",
  "url": "https://attack.mitre.org/tactics/TA0043/"
}

MitreTechnique

Description

Represents a MITRE Technique

Fields
Field Name Description
id - String! The MITRE Technique ID
name - String The MITRE Technique name
description - String The MITRE Technique description
url - String The documentation URL for the MITRE Technique
Example
{
  "id": "T1595",
  "name": "Active Scanning",
  "description": "Adversaries may execute active reconnaissance scans...",
  "url": "https://attack.mitre.org/techniques/T1595/"
}

ModuleMeta

Description

Attack module metadata.

Fields
Field Name Description
id - String! ID of attack module.
name - String Name of attack module.
description - String Description of attack module.
mitre_mappings - [MitreMapping] MITRE Tactics, Techniques, and Subtechniques associated with this attack module
Example
{
  "id": "host_discovery",
  "name": "Host Discovery",
  "description": "The Host Discovery module finds assets on the network...",
  "mitre_mappings": [MitreMapping]
}

Op

Description

Pentest data.

Fields
Field Name Description
op_id - String ID of pentest.
op_type - OpType Type of pentest.
op_state - String! State of pentest.
op_name - String! Name of pentest.
scheduled_timestamp_iso - String! Timestamp of pentest scheduling, in ISO format (UTC).
scheduled_at - Datetime! Timestamp of pentest scheduling
scheduled_at_date - Date! Date of pentest scheduling
completed_timestamp_iso - String Timestamp of pentest completion, in ISO format (UTC).
launched_timestamp_iso - String Timestamp of pentest launch, in ISO format (UTC).
confirmed_credentials_count - Int Number of confirmed credentials found.
weaknesses_count - Int Number of weaknesses found (weakness INSTANCEs, not unique weakness IDs).
weaknesses_page - WeaknessesPage! Returns the list of weaknesses found in this op.
Arguments
page_input - PageInput
in_scope_hosts_count - Int Number of hosts found in scope.
feature_flags - [FeatureFlag] Advanced configuration settings for this pentest.
nodezero_script_url - String URL of the script that downloads and launches NodeZero.
duration_hms - String Pentest duration in HH:MM:SS format.
duration_humanize - String Pentest duration in "humanized" format .
op_template_uuid - String ID of OpTemplate used for this pentest.
op_template_name - String Name of OpTemplate used for this pentest.
impact_paths_count - Int Number of impact paths in the pentest. Alias of attack_paths_count.
attack_paths_count - Int Number of attack paths in the pentest. Alias of impact_paths_count.
attack_paths_page - AttackPathsPage! Returns the list of attack paths for this op.
Arguments
page_input - PageInput
phished_impact_paths_count - Int! Number of impact paths downstream of phished credentials in the pentest. Alias of phished_attack_paths_count
phished_attack_paths_count - Int! Number of attack paths downstream of phished credentials in the pentest. Alias of phished_impact_paths_count.
runner_name - String The NodeZero Runner the op is assigned to.
runner - Agent The NodeZero Runner the op is assigned to.
schedule_uuid - String ID of schedule the op is associated with.
schedule_name - String Name of schedule the op is associated with.
Example
{
  "op_id": "12341234-1234-1234-1234-123412341234",
  "op_type": "NodeZero",
  "op_state": "running",
  "op_name": "your op name",
  "scheduled_timestamp_iso": "2021-07-22T05:02:40.294996",
  "scheduled_at": "2021-07-22T05:02:40.294996",
  "scheduled_at_date": "2024-01-30T00:01:03.432Z",
  "completed_timestamp_iso": "2021-07-22T05:02:40.294996",
  "launched_timestamp_iso": "2021-07-22T05:02:40.294996",
  "confirmed_credentials_count": 123,
  "weaknesses_count": 987,
  "weaknesses_page": WeaknessesPage,
  "in_scope_hosts_count": 123,
  "feature_flags": [FeatureFlag],
  "nodezero_script_url": "https://example.com/example",
  "duration_hms": "22:05:21",
  "duration_humanize": "2 hours, 23 minutes",
  "op_template_uuid": "12341234-1234-1234-1234-123412341234",
  "op_template_name": "abc123",
  "impact_paths_count": 123,
  "attack_paths_count": 987,
  "attack_paths_page": AttackPathsPage,
  "phished_impact_paths_count": 123,
  "phished_attack_paths_count": 123,
  "runner_name": "xyz789",
  "runner": Agent,
  "schedule_uuid": "12341234-1234-1234-1234-123412341234",
  "schedule_name": "abc123"
}

OpDiffInput

Description

Input for Query.weaknesses_diff_page and other diff-related APIs.

Fields
Input Field Description
op_id_1 - String! The first op of the diff. This is normally the older op.
op_id_2 - String! The second op of the diff. This is normally the newer op.
Example
{
  "op_id_1": "abc123",
  "op_id_2": "abc123"
}

OpInput

Description

Pentest input arguments.

Fields
Input Field Description
op_id - String! ID of pentest.
Example
{"op_id": "12341234-1234-1234-1234-123412341234"}

OpTab

Description

Pentest data.

Fields
Field Name Description
uuid - String ID of pentest.
op_id - String ID of pentest. Same as uuid.
op_state - String!

State of pentest:

  • scheduled
  • provisioning
  • ready
  • running
  • complete
  • post-processing
  • done
  • cancelling
  • canceled
  • paused
  • error
op_name - String! Name of pentest.
scheduled_timestamp - Float! Timestamp of pentest scheduling, in epoch seconds.
scheduled_at - Datetime! Timestamp of pentest scheduling
scheduled_at_date - Date! Date of pentest scheduling
scheduled_timestamp_iso - String! Timestamp of pentest scheduling, in ISO format (UTC).
create_timestamp - Int! Timestamp of pentest creation, in epoch seconds.
create_timestamp_iso - String! Timestamp of pentest creation, in ISO format (UTC).
launched_timestamp - Int Timestamp of pentest launching, in epoch seconds.
launched_timestamp_iso - String Timestamp of pentest launching, in ISO format (UTC).
launched_at - Datetime Timestamp of pentest launching
completed_at - Datetime Timestamp of pentest completion.
completed_timestamp - Float Timestamp of pentest completion, in epoch seconds.
completed_timestamp_iso - String Timestamp of pentest completion, in ISO format (UTC).
canceled_at - Datetime Timestamp of pentest cancellation.
canceled_timestamp - Int Timestamp of pentest cancellation, in epoch seconds.
canceled_timestamp_iso - String Timestamp of pentest cancellation, in ISO format (UTC).
duration_hms - String Pentest duration in HH:MM:SS format .
duration_humanize - String Pentest duration in "humanized" format .
op_type - OpType Type of pentest.
weakness_types_count - Int Number of unique weakness IDs found.
weaknesses_count - Int Number of weaknesses found (weakness INSTANCEs, not unique weakness IDs).
host_tabs_count - Int Number of hosts found in scope. Same as in_scope_endpoints_count.
domain_controllers_count - Int Number of domain controllers found in scope.
credentials_count - Int Number of credentials and potential credentials found.
proven_credentials_count - Int Number of credentials and potential credentials found with proof.
confirmed_credentials_count - Int Number of credentials with proof. Alias of proven_credentials_count.
unproven_credentials_count - Int Number of credentials without proof.
activedir_passwords_count - Int Number of credentials found in Active Directory Password Audit(s).
enabled_activedir_passwords_count - Int Number of enabled credentials found in Active Directory Password Audit(s).
disabled_activedir_passwords_count - Int Number of disabled credentials found in Active Directory Password Audit(s).
feature_flags - [FeatureFlag] Advanced configuration settings for this pentest.
impacts_headline_count - Int Number of impacts in the pentest, which generally refers to the number of assets affected by an impact.
impact_paths_count - Int Number of impact paths in the pentest. Alias of attack_paths_count.
attack_paths_count - Int Number of attack paths in the pentest. Alias of impact_paths_count.
phished_impact_paths_count - Int! Number of impact paths downstream of phished credentials in the pentest. Alias of phished_attack_paths_count
phished_attack_paths_count - Int! Number of attack paths downstream of phished credentials in the pentest. Alias of phished_impact_paths_count.
nodezero_script_url - String URL of the script that downloads and launches NodeZero.
nodezero_ip - String The IP address where NodeZero was launched.
etl_completed_at - Datetime Timestamp of pentest post-processing completion, in ISO format (UTC).
start_paused - Boolean Start paused.
minimum_run_time - Int Op minimum run-time, in minutes.
maximum_run_time - Int Op maximum run-time, in minutes.
paused_at - Datetime Time when the pentest was most recently paused.
paused_by_user_account_uuid - String ID of the user that most recently paused the pentest.
paused_by_user_account - UserAccount Data of user account that most recently paused the pentest.
op_template_uuid - String ID of OpTemplate used for this pentest.
op_template_name - String Name of OpTemplate used for this pentest.
excluded_ips - [ExcludedIP] IPs that were excluded from the pentest scope. Applies to external pentests only.
excluded_domains - [ExcludedDomain] Domains that were excluded from the pentest scope. Applies to external pentests only.
runner_name - String The NodeZero Runner the op is assigned to.
runner - Agent The NodeZero Runner the op is assigned to.
run_nodezero_command - AgentCommand The run-nodezero command sent to the NodeZero Runner. This field can be used to track status.
schedule_uuid - String ID of schedule the op is associated with.
schedule_name - String Name of schedule the op is associated with.
auto_injected_credential_uuids - [String] The set of credentials to be auto-injected (by a NodeZero Runner) into the op.
Example
{
  "uuid": "12341234-1234-1234-1234-123412341234",
  "op_id": "12341234-1234-1234-1234-123412341234",
  "op_state": "running",
  "op_name": "your op name",
  "scheduled_timestamp": "1600793100.0",
  "scheduled_at": "2021-07-22T05:02:40.294996",
  "scheduled_at_date": "2024-07-29T23:01:03.432Z",
  "scheduled_timestamp_iso": "2021-07-22T05:02:40.294996",
  "create_timestamp": "1600793100.0",
  "create_timestamp_iso": "2021-07-22T05:02:40.294996",
  "launched_timestamp": "1600793100.0",
  "launched_timestamp_iso": "2021-07-22T05:02:40.294996",
  "launched_at": "2021-07-22T05:02:40.294996",
  "completed_at": "2021-07-22T05:02:40.294996",
  "completed_timestamp": "1600793100.0",
  "completed_timestamp_iso": "2021-07-22T05:02:40.294996",
  "canceled_at": "2021-07-22T05:02:40.294996",
  "canceled_timestamp": "1600793100.0",
  "canceled_timestamp_iso": "2021-07-22T05:02:40.294996",
  "duration_hms": "22:35:09",
  "duration_humanize": "2 hours, 23 minutes",
  "op_type": "NodeZero",
  "weakness_types_count": 123,
  "weaknesses_count": 123,
  "host_tabs_count": 987,
  "domain_controllers_count": 123,
  "credentials_count": 123,
  "proven_credentials_count": 123,
  "confirmed_credentials_count": 987,
  "unproven_credentials_count": 987,
  "activedir_passwords_count": 987,
  "enabled_activedir_passwords_count": 123,
  "disabled_activedir_passwords_count": 987,
  "feature_flags": [FeatureFlag],
  "impacts_headline_count": 123,
  "impact_paths_count": 123,
  "attack_paths_count": 123,
  "phished_impact_paths_count": 987,
  "phished_attack_paths_count": 987,
  "nodezero_script_url": "https://example.com/example",
  "nodezero_ip": "123.45.67.89",
  "etl_completed_at": "2021-07-22T05:02:40.294996",
  "start_paused": true,
  "minimum_run_time": 987,
  "maximum_run_time": 987,
  "paused_at": "2021-07-22T05:02:40.294996",
  "paused_by_user_account_uuid": "12341234-1234-1234-1234-123412341234",
  "paused_by_user_account": UserAccount,
  "op_template_uuid": "12341234-1234-1234-1234-123412341234",
  "op_template_name": "xyz789",
  "excluded_ips": [ExcludedIP],
  "excluded_domains": [ExcludedDomain],
  "runner_name": "abc123",
  "runner": Agent,
  "run_nodezero_command": AgentCommand,
  "schedule_uuid": "12341234-1234-1234-1234-123412341234",
  "schedule_name": "abc123",
  "auto_injected_credential_uuids": [
    "abc123"
  ]
}

OpTabsPage

Description

Paginated data of pentests.

Fields
Field Name Description
page_info - PageInfo Pagination of response.
op_tabs - [OpTab!]! List of pentests.
Example
{
  "page_info": PageInfo,
  "op_tabs": [OpTab]
}

OpTemplate

Description

Pentest (aka "Op") template information.

Fields
Field Name Description
uuid - String! ID of pentest template.
user_account_uuid - String! ID of user account that created the pentest template.
client_account_uuid - String! ID of client account that created pentest template.
op_template_name - String! Name of template.
op_type - OpType! Type of pentest this template applies to. "NodeZero" for internal pentests; "ExternalAttack" for external pentests.
schedule_op_form - ScheduleOpForm! Template data for scheduling pentests.
row_created_at - Datetime! Timestamp when the template was created.
row_updated_at - Datetime Timestamp when the template was last updated.
Example
{
  "uuid": "12341234-1234-1234-1234-123412341234",
  "user_account_uuid": "12341234-1234-1234-1234-123412341234",
  "client_account_uuid": "12341234-1234-1234-1234-123412341234",
  "op_template_name": "abc123",
  "op_type": "NodeZero",
  "schedule_op_form": ScheduleOpForm,
  "row_created_at": "2021-07-22T05:02:40.294996",
  "row_updated_at": "2021-07-22T05:02:40.294996"
}

OpTemplatesPage

Fields
Field Name Description
page_info - PageInfo Information about the page.
op_templates - [OpTemplate!]! List of pentest templates.
Example
{
  "page_info": PageInfo,
  "op_templates": [OpTemplate]
}

OpType

Description

Operation type.

Values
Enum Value Description

NodeZero

Internal pentest.

ExternalAssetDiscovery

External asset discovery.

ExternalAttack

External pentest.

NetworkEnumeration

Network Enumeration.

ADPasswordAudit

AD Password Audit.

Phishing

Phishing.
Example
"NodeZero"

PageInfo

Description

Pagination of response data.

Fields
Field Name Description
page_num - Int Page number returned by query.
page_size - Int Maximum number of items in page.
text_search - String Text searched across all text columns in the target table.
filter_by_inputs - [FilterBy] List of filters used with AND condition.
Example
{
  "page_num": 1,
  "page_size": 20,
  "text_search": "abc123",
  "filter_by_inputs": [FilterBy]
}

PageInput

Description

Pagination inputs.

Fields
Input Field Description
page_num - Int Page number to query.
page_size - Int Maximum number of items per page.
order_by - String Name of parameter to order by.
sort_order - SortOrder Method to order by.
sort_inputs - [SortInput] List of parameters to sort by.
filter_by_inputs - [FilterByInput] List of filters to use with AND condition.
text_search - String Searches across all text columns in the target table.
Example
{
  "page_num": 1,
  "page_size": 10,
  "order_by": "name",
  "sort_order": "ASC",
  "sort_inputs": [SortInput],
  "filter_by_inputs": [FilterByInput],
  "text_search": "abc123"
}

Pentest

Description

Pentest data.

Fields
Field Name Description
op_id - String! ID of pentest.
op_type - OpType Type of pentest.
name - String! Name assigned to the pentest.
state - PortalOpState! op state used exclusively in portal
user_name - String! The user who scheduled the pentest.
client_name - String! The client account that owns the pentest.
min_scope - [String] The "minimum" scope is used in combination with "auto-expand scope" to specify the set of IPs and CIDR ranges that positively should be scanned, in addition to whatever other IPs are discovered during the pentest (up to and including the max_scope, if defined).
max_scope - [String] The "maximum" scope specifies the full range of IPs and CIDR ranges that are allowed to be discovered and scanned during the pentest.
exclude_scope - [String] IPs and CIDR ranges that are excluded from the pentest.
git_accounts - [GitAccount] List of Git accounts to include in pentest.
aws_account_ids - [AWSAccountId] List of AWS accounts to include in pentest.
feature_flags - [FeatureFlag] Advanced configuration options.
scheduled_at - Datetime! Timestamp of pentest scheduling.
launched_at - Datetime Timestamp of pentest launching.
completed_at - Datetime Timestamp of pentest completion.
canceled_at - Datetime Timestamp of pentest cancellation.
etl_completed_at - Datetime Timestamp of pentest ETL completion.
duration_s - Int Pentest duration in seconds.
impacts_count - Int Number of impacts found. Technically counts up the number of unique impact type + affected asset combinations.
impact_paths_count - Int Number of impact paths found. Alias of `attack_paths_count.
attack_paths_count - Int Number of attack paths found. Alias of `impact_paths_count.
attack_paths_page - AttackPathsPage! Returns the list of attack paths for this op.
Arguments
page_input - PageInput
phished_impact_paths_count - Int! Number of impact paths found downstream of phished credentials. Alias of phished_attack_paths_count
phished_attack_paths_count - Int! Number of attack paths found downstream of phished credentials. Alias of phished_impact_paths_count.
weakness_types_count - Int Number of unique weakness IDs found.
weaknesses_count - Int Number of weaknesses found.
weaknesses_page - WeaknessesPage! Returns the list of weaknesses for this op.
Arguments
page_input - PageInput
hosts_count - Int Number of in-scope hosts (IPs) scanned during the pentest
out_of_scope_hosts_count - Int Number of out-of-scope hosts (IPs) found during the pentest.
external_domains_count - Int Number of domains found.
services_count - Int Number of services found.
credentials_count - Int Number of credentials found, both discovered and confirmed.
users_count - Int Number of users found.
cred_access_count - Int Counts the number of unique combinations of credential + accessed asset.
data_stores_count - Int Number of data stores found, eg FileShares, DatabaseRepos, S3Buckets, GitRepos, etc. Excludes websites.
websites_count - Int Number of websites found.
data_resources_count - Long Count of all data resources (files, DB records, etc) across all data stores.
nodezero_script_url - String URL of the script that downloads and launches NodeZero.
nodezero_ip - String IP address of NodeZero.
runner - Agent The NodeZero Runner the op is assigned to.
Example
{
  "op_id": "12341234-1234-1234-1234-123412341234",
  "op_type": "NodeZero",
  "name": "abc123",
  "state": "done",
  "user_name": "xyz789",
  "client_name": "abc123",
  "min_scope": ["xyz789"],
  "max_scope": ["xyz789"],
  "exclude_scope": ["abc123"],
  "git_accounts": [GitAccount],
  "aws_account_ids": [AWSAccountId],
  "feature_flags": [FeatureFlag],
  "scheduled_at": "2021-07-22T05:02:40.294996",
  "launched_at": "2021-07-22T05:02:40.294996",
  "completed_at": "2021-07-22T05:02:40.294996",
  "canceled_at": "2021-07-22T05:02:40.294996",
  "etl_completed_at": "2021-07-22T05:02:40.294996",
  "duration_s": 123,
  "impacts_count": 123,
  "impact_paths_count": 987,
  "attack_paths_count": 123,
  "attack_paths_page": AttackPathsPage,
  "phished_impact_paths_count": 987,
  "phished_attack_paths_count": 123,
  "weakness_types_count": 987,
  "weaknesses_count": 123,
  "weaknesses_page": WeaknessesPage,
  "hosts_count": 123,
  "out_of_scope_hosts_count": 987,
  "external_domains_count": 123,
  "services_count": 123,
  "credentials_count": 987,
  "users_count": 123,
  "cred_access_count": 987,
  "data_stores_count": 987,
  "websites_count": 123,
  "data_resources_count": Long,
  "nodezero_script_url": "https://example.com/example",
  "nodezero_ip": "123.45.67.89",
  "runner": Agent
}

PentestableEntitiesBulkOutput

Description

Output type for several Mutations that authorize assets for external pentesting.

Fields
Field Name Description
pentestable_entities_count - Int! Number of domain and IP assets that were updated by this request.
Example
{"pentestable_entities_count": 123}

PentestableEntitiesOutput

Description

Output type for several Mutations that authorize assets for external pentesting.

Fields
Field Name Description
pentestable_entities - [PentestableEntity] List of domain and IP assets, along with their authorization status, that were modified by this request.
blocked_pentestable_entities - [BlockedPentestableEntity] List of domain and IP assets that were BLOCKED from authorization.
Assets are blocked if we determine they are owned by providers that do not permit pentesting. See BlockedPentestableEntity.pentestable_rules.authz_warning for more details.
Example
{
  "pentestable_entities": [PentestableEntity],
  "blocked_pentestable_entities": [
    BlockedPentestableEntity
  ]
}

PentestableEntity

Description

A PentestableEntity links a domain (ExternalDomainXop) or IP (HostTabXop) to its authorization status for external pentesting.

Fields
Field Name Description
uuid - String! ID of pentestable entity.
is_authorized - Boolean! Flag to indicate if entity is pentestable.
Example
{"uuid": "12341234-1234-1234-1234-123412341234", "is_authorized": false}

PentestableRules

Description

The result of applying the rules for allowing ExternalDomains/HostTabs to be pentested via ExternalAttack.

Fields
Field Name Description
action_tooltip - String Tooltip text explaining why an asset was BLOCKED.
authz_warning - String Tooltip text warning the user about authorizing this asset and extra vetting of asset ownership that may be required.
authz_warning_label - String Label for auth_warning
is_allowed - Boolean! The final, ultimate result of applying the authz rules.
Example
{
  "action_tooltip": "abc123",
  "authz_warning": "abc123",
  "authz_warning_label": "xyz789",
  "is_allowed": false
}

PentestsPage

Fields
Field Name Description
page_info - PageInfo Pagination of response.
pentests - [Pentest!]! List of asset groups.
Example
{
  "page_info": PageInfo,
  "pentests": [Pentest]
}

PortalOpState

Description

Op states used in portal

Values
Enum Value Description

done

The pentest is fully complete and results are available in Portal.

ended

The pentest was ended early by the user. Results are available in Portal.

error

The pentest suffered an error. The H3 team is working on it!

installation_needed

The pentest is waiting for NodeZero to be launched.

start_paused

The pentest was configured to start in a paused state.

user_paused

The pentest is paused by a user.

paused

The pentest is paused, possibly due to connectivity issues with NodeZero.

pausing

The pentest is in the process of pausing.

preparing

Resources are being provisioned for the pentest.

preparing_start_paused

Resources are being provisioned for the pentest. Once provisioning is complete, the pentest will start in a paused state.

processing

The pentest results are being processed.

resuming

The pentest is resuming from a paused state.

running

The pentest is live and running.

scheduled

The pentest has been queued up and will begin provisioning resources shortly.

queued

The pentest has been queued up and will begin provisioning resources shortly.

unknown

The pentest is in an unknown state.
Example
"done"

SaveOpTemplateOutput

Fields
Field Name Description
op_template - OpTemplate! The saved op template
Example
{"op_template": OpTemplate}

ScheduleOpForm

Description

Data to schedule pentest.

Fields
Field Name Description
op_name - String! Name of pentest.
op_type - OpType Type of pentest. Defaults to NodeZero.
op_param_blacklist - String This scope is EXCLUDED from the pentest. Hosts and subnets that fall within this scope will NOT be pentested. Scope is defined as comma-separated values. Accepts CIDR ranges or plain IP addresses.
op_param_min_scope - String Minimum scope is used in combination with Intelligent Scope and Auto-Expand Scope. It specifies the scope that will be explicitly pentested, in addition to any other hosts and subnets that are organically discovered by NodeZero during the pentest. Scope is specified as comma-separated values. Accepts CIDR ranges or plain IP addresses.
op_param_max_scope - String Maximum scope of pentest. This represents the upper limits of the pentest scope. Only hosts and subnets that fall within the maximum scope will be pentested. If not defined, the pentest will default to Intelligent Scope. Scope is specified as comma-separated values. Accepts CIDR ranges or plain IP addresses.
feature_flags - [FeatureFlag] Advanced configuration settings that control the types of attacks conducted during the pentest.
osint_domains - [String] List of company domains that will be scanned for OSINT (open-source intelligence).
osint_company_names - [String] List of company names that will be used for discovering OSINT (open-source intelligence).
passwords_to_spray - [String] A set of passwords to use for password spraying.
git_accounts - [GitAccount] List of Git accounts to scan during the pentest.
aws_account_ids - [AWSAccountId] List of AWS accounts to scan during the pentest.
asset_group_uuid - String ID of asset group containing authorized assets that will be pentested. Applies to external pentests only (op_type=ExternalAttack).
start_paused - Boolean Start the pentest in paused state. This option is useful for external pentests when NodeZero's IP address must first be known in order to open up firewalls.
minimum_run_time - Int Op minimum run-time, in minutes. This option is useful to give extra time for password spraying and/or man-in-the-middle relay attacks.
maximum_run_time - Int Op maximum run-time, in minutes.
runner_name - String The NodeZero Runner that will launch the op.
auto_injected_credential_uuids - [String!] The set of credentials to be auto-injected (by a NodeZero Runner) into the op.
targeted_test_id - String ID of the targeted test to use for the pentest.
Example
{
  "op_name": "your op name",
  "op_type": "NodeZero",
  "op_param_blacklist": "123.45.67.89, 12.3.4.56",
  "op_param_min_scope": "123.45.67.89, 12.3.4.56",
  "op_param_max_scope": "123.45.67.89, 12.3.4.56",
  "feature_flags": [FeatureFlag],
  "osint_domains": ["example.com"],
  "osint_company_names": ["Horizon3"],
  "passwords_to_spray": ["passw0rd!"],
  "git_accounts": [GitAccount],
  "aws_account_ids": [AWSAccountId],
  "asset_group_uuid": "12341234-1234-1234-1234-123412341234",
  "start_paused": true,
  "minimum_run_time": 987,
  "maximum_run_time": 987,
  "runner_name": "xyz789",
  "auto_injected_credential_uuids": [
    "xyz789"
  ],
  "targeted_test_id": "xyz789"
}

ScheduleOpFormInput

Description

Inputs to schedule pentest.

Fields
Input Field Description
op_name - String Name of pentest.
op_type - OpType Type of pentest. Defaults to NodeZero.
op_param_blacklist - String This scope is EXCLUDED from the pentest. Hosts and subnets that fall within this scope will NOT be pentested. Scope is defined as comma-separated values. Accepts CIDR ranges or plain IP addresses.
op_param_min_scope - String Minimum scope is used in combination with Intelligent Scope and Auto-Expand Scope. It specifies the scope that will be explicitly pentested, in addition to any other hosts and subnets that are organically discovered by NodeZero during the pentest. Scope is specified as comma-separated values. Accepts CIDR ranges or plain IP addresses.
op_param_max_scope - String Maximum scope of pentest. This represents the upper limits of the pentest scope. Only hosts and subnets that fall within the maximum scope will be pentested. If not defined, the pentest will default to Intelligent Scope. Scope is specified as comma-separated values. Accepts CIDR ranges or plain IP addresses.
feature_flags - [FeatureFlagInput] Advanced configuration settings that control the types of attacks conducted during the pentest.
osint_domains - [String] List of company domains that will be scanned for OSINT (open-source intelligence).
osint_company_names - [String] List of company names that will be used for discovering OSINT (open-source intelligence).
passwords_to_spray - [String] A set of passwords to use for password spraying.
git_accounts - [GitAccountInput] List of Git accounts to scan during the pentest.
aws_account_ids - [AWSAccountId] List of AWS accounts to scan during the pentest.
asset_group_uuid - String ID of asset group containing authorized assets that will be pentested. Applies to external pentests only (op_type=ExternalAttack).
start_paused - Boolean Start the pentest in paused state. This option is useful for external pentests when NodeZero's IP address must first be known in order to open up firewalls.
minimum_run_time - Int Op minimum run-time, in minutes. This option is useful to give extra time for password spraying and/or man-in-the-middle relay attacks.
maximum_run_time - Int Op maximum run-time, in minutes.
runner_name - String The NodeZero Runner that will launch the op.
auto_injected_credential_uuids - [String!] The set of credentials to be auto-injected (by a NodeZero Runner) into the op.
targeted_test_id - String ID of the targeted test to use for the pentest.
Example
{
  "op_name": "your op name",
  "op_type": "NodeZero",
  "op_param_blacklist": "123.45.67.89, 12.3.4.56",
  "op_param_min_scope": "123.45.67.89, 12.3.4.56",
  "op_param_max_scope": "123.45.67.89, 12.3.4.56",
  "feature_flags": [FeatureFlagInput],
  "osint_domains": ["example.com"],
  "osint_company_names": ["xyz789"],
  "passwords_to_spray": ["abc123"],
  "git_accounts": [GitAccountInput],
  "aws_account_ids": [AWSAccountId],
  "asset_group_uuid": "12341234-1234-1234-1234-123412341234",
  "start_paused": false,
  "minimum_run_time": 987,
  "maximum_run_time": 987,
  "runner_name": "xyz789",
  "auto_injected_credential_uuids": [
    "abc123"
  ],
  "targeted_test_id": "xyz789"
}

ScheduleOpOutput

Description

Scheduled pentest data.

Fields
Field Name Description
op - Op! Data for a pentest.
Example
{"op": Op}

Severity

Description

Severity levels associated with a finding's risk score.

       score <= 0  : INFO
0   <  score <  4.0: LOW
4.0 <= score <  7.0: MEDIUM
7.0 <= score <  9.0: HIGH
9.0 <= score       : CRITICAL
Values
Enum Value Description

INFO

score <= 0

LOW

0 < score < 4.0

MEDIUM

4.0 <= score < 7.0

HIGH

7.0 <= score < 9.0

CRITICAL

9.0 <= score
Example
"INFO"

SignInType

Values
Enum Value Description

BASIC

Basic authentiation using username and password.

GOOGLE

Federated authentication via Google.

LINKED_IN

Federated authentication via LinkedIn.

MICROSOFT

Federated authentication via Microsoft.

SSO

Private SSO.
Example
"BASIC"

SortInput

Description

Parameter to sort by.

Fields
Input Field Description
order_by - StringNoWhitespace! Name of parameter to order by.
sort_order - SortOrder Method to order by.
nulls_first - Boolean Flag to control if nulls are ordered first or last.
Example
{"order_by": "name", "sort_order": "ASC", "nulls_first": false}

SortOrder

Description

Method to order by.

Values
Enum Value Description

ASC

Ascending order.

DESC

Descending order.
Example
"ASC"

String

Description

The String scalar type represents textual data, represented as UTF-8 character sequences. The String type is most often used by GraphQL to represent free-form human-readable text.

Example
"abc123"

StringNoWhitespace

Description

String scalar type that cannot be an empty string or contain whitespace.

Example
StringNoWhitespace

StringNotEmpty

Description

String scalar type that cannot be an empty string.

Example
StringNotEmpty

UpdateOpTemplateOutput

Fields
Field Name Description
op_template - OpTemplate! The updated op template
Example
{"op_template": OpTemplate}

UpdateUserAccountInput

Description

Arguments to update user account.

Fields
Input Field Description
email - EmailAddress! Email of user to update.
client_account_uuid - String ID of client account to update the user for, when applicable. Defaults to the current user client account.
user_role_id - AuthzRole! Role of user in the given client account.
name - String! Name of user.
Example
{
  "email": "john.smith@example.com",
  "client_account_uuid": "12341234-1234-1234-1234-123412341234",
  "user_role_id": "USER",
  "name": "John Smith"
}

UserAccount

Description

User account data.

Fields
Field Name Description
uuid - String ID of user account.
email - EmailAddress User email address.
name - String User name.
user_role_id - AuthzRole Role of this user in the calling user's ClientAccount.
sign_in_type - SignInType Indicates the type of sign-in credentials used by this specific UserAccount
last_signed_in_at - Datetime Timestamp of last time this user signed in under the current user's ClientAccount.
Example
{
  "uuid": "12341234-1234-1234-1234-123412341234",
  "email": "john.smith@example.com",
  "name": "John Smith",
  "user_role_id": "USER",
  "sign_in_type": "BASIC",
  "last_signed_in_at": "2021-07-22T05:02:40.294996"
}

VulnCategory

Description

Vuln categories.

Values
Enum Value Description

SECURITY_MISCONFIGURATION

The vuln is related to a security misconfiguration of an asset.

VULNERABILITY

A product/asset vulnerability.

POLICY

The vuln is related to ineffective or insufficient security policies.

SECURITY_CONTROLS

The vuln is related to ineffective or insufficient security controls or policies.

CREDENTIALS

The vuln is related to credential management or policies.
Example
"SECURITY_MISCONFIGURATION"

Weakness

Description

A Weakness record represents an observed vulnerability on an affected asset; ie. there is one Weakness record per unique vuln_id + affected asset combination.

Fields
Field Name Description
uuid - String! Unique ID for this Weakness instance.
created_at - Datetime! When this Weakness was observed.
vuln_id - String! The Weakness's vuln ID.
vuln_aliases - [String!] Well-known aliases for this vuln.
vuln_category - VulnCategory The vuln's category
vuln_name - String The vuln's official name.
vuln_short_name - String A convenient short name for the vuln.
vuln_cisa_kev - Boolean True if the vuln is a CISA Known Exploited Vulnerability
vuln_known_ransomware_campaign_use - Boolean True if the vuln is a CISA Known to be Used in Ransomware Campaigns.
op_id - String! The op_id for the Op in which this Weakness was observed.
ip - String The IP address where this Weakness was observed.
has_proof - Boolean Indicates whether or not we captured proof of the Weakness.
proof_failure_code - String The reason why we failed to capture proof, if applicable. One of: exploit_failed, not_configured, no_exploit, timeout.
proof_failure_reason - String The reason why we failed to capture proof, if applicable.
score - Float The risk score for this Weakness (equal to context_score if set, otherwise base_score).
severity - Severity Severity level associated with the score.
base_score - Float Base risk score associated with the vuln ID.
base_severity - Severity Severity level associated with the base risk score.
context_score - Float Risk score based on the weakness's total impact on the environment.
context_severity - Severity Severity level associated with the context score.
context_score_description_md - String Description explaining the context score/downstream impact for this weakness (in markdown format).
context_score_description - String Description explaining the context score/downstream impact for this weakness.
time_to_finding_hms - String Time-to-finding in hh:mm:ss format
time_to_finding_s - Int Time-to-finding in seconds
affected_asset_text - String The display name of the asset directly affected by this weakness.
affected_asset_short_text - String The short name of the asset directly affected by this weakness.
downstream_impact_types - [ImpactType!] List of ImpactTypes found downstream of this weakness, equivalent to related impacts.
downstream_impact_types_and_counts - [String!] List of ImpactTypes and associated counts found downstream of this weakness, equivalent to related impacts. Each array element is formatted as ImpactType,count, e.g. ["RansomwareExposure,2", "SensitiveDataExposure,2"]
impact_paths_count - Int! The number of Impact paths the weakness is included in. This should sum up to downstream_impact_types_and_counts. Alias of attack_paths_count.
attack_paths_count - Int! The number of attack paths the weakness is included in. This should sum up to downstream_impact_types_and_counts. Alias of impact_paths_count.
diff_status - DiffStatus

This field is only used when performing a diff between ops, for example via Query.weaknesses_diff_page.

If a weakness was present in the first op, but not the second op, its diff_status will be set to REMOVED.

If a weakness was present in the second op, but not the first op, its diff_status will be set to ADDED.

Example
{
  "uuid": "12341234-1234-1234-1234-123412341234",
  "created_at": "2021-07-22T05:02:40.294996",
  "vuln_id": "abc123",
  "vuln_aliases": ["abc123"],
  "vuln_category": "SECURITY_MISCONFIGURATION",
  "vuln_name": "abc123",
  "vuln_short_name": "abc123",
  "vuln_cisa_kev": false,
  "vuln_known_ransomware_campaign_use": true,
  "op_id": "12341234-1234-1234-1234-123412341234",
  "ip": "123.45.67.89",
  "has_proof": true,
  "proof_failure_code": "xyz789",
  "proof_failure_reason": "xyz789",
  "score": 123.45,
  "severity": "INFO",
  "base_score": 123.45,
  "base_severity": "INFO",
  "context_score": 123.45,
  "context_severity": "INFO",
  "context_score_description_md": "abc123",
  "context_score_description": "abc123",
  "time_to_finding_hms": "22:05:31",
  "time_to_finding_s": 987,
  "affected_asset_text": "abc123",
  "affected_asset_short_text": "abc123",
  "downstream_impact_types": ["AWSUserRoleCompromise"],
  "downstream_impact_types_and_counts": [
    "abc123"
  ],
  "impact_paths_count": 987,
  "attack_paths_count": 987,
  "diff_status": "ADDED"
}

WeaknessCSV

Description

String scalar type representing a WeaknessCSV row with columns:

  • WeaknessID: String
  • FirstSeen: Datetime
  • Name: String
  • RootCause: String
  • Severity: String
  • ContextScore: Float
  • ContextScoreDescription: String
  • Confirmed: Boolean
  • Hostname: String
  • CNAME: String
  • OS: String
  • IP: String
  • Port: Int
  • Protocol: String
  • ProtocolPort: String
  • Service: String
  • ServiceType: String
  • Product: String
  • OpID: String
  • Description: String
  • AssetID: String
  • AllHostnames: String
  • Repo: String
  • Vhost: String
  • ResourceUri: String
  • UserName: String
  • UserDomainName: String
  • ProvenEntityEid: String
Example
WeaknessCSV

WeaknessesDiffPage

Description

Contains a page of Weakness records, as fetched via Query.weaknesses_diff_page.

Fields
Field Name Description
page_info - PageInfo Information about the current page.
weaknesses - [Weakness!]! List of weaknesses for the current page.
Example
{
  "page_info": PageInfo,
  "weaknesses": [Weakness]
}

WeaknessesPage

Description

Contains a page of Weakness records, as fetched via Query.weaknesses_page.

Fields
Field Name Description
page_info - PageInfo Information about the current page.
weaknesses - [Weakness!]! List of weaknesses for the current page.
Example
{
  "page_info": PageInfo,
  "weaknesses": [Weakness]
}