Tools
Deflectra agents operate through a rich set of built-in tools that provide fine-grained capabilities for file inspection, network interaction, encoding, vulnerability reporting, and more. These tools are invoked autonomously by agents during a scan and can also be composed into complex, multi-step attack chains.
File System
Tools for reading and exploring the project's source files.
| Tool | Description |
|---|---|
| List Files | Lists the contents of a project directory |
| Read File | Reads a full file with line numbers |
| Read File Segment | Reads a specific line range from a file |
| Find Files | Recursively searches files by name or glob pattern |
| Grep Search | Searches text within file contents |
HTTP
Tools for performing network requests against the target application.
| Tool | Description |
|---|---|
| HTTP Request | Performs a standard HTTP request (GET, POST, etc.) |
| Batch HTTP Request | Executes multiple requests in batch, in series or parallel |
| Brute Force Request | Iterates automatic payloads against an endpoint with success criteria |
| Raw HTTP Request | Sends raw bytes over TCP/TLS for full protocol control |
Encoding
Tools for encoding and decoding data in various formats.
| Tool | Description |
|---|---|
| Encode Text | Encodes text in base64, hex, URL, AES, RSA, JSFuck, PHP Filter Chain, etc. |
| Decode Text | Decodes text from base64, hex, URL, AES, RSA, etc. |
Serialization
Tools for generating insecure deserialization payloads.
| Tool | Description |
|---|---|
| Serialize Object | Generates insecure deserialization payloads in Java, PHP, Phar or Python/Pickle |
Semgrep
Tools for AI-assisted static analysis using Semgrep rules.
| Tool | Description |
|---|---|
| Semgrep Rule Generator | Generates a Semgrep rule with AI and runs it against the project |
Endpoints
Tools for discovering and registering API endpoints.
| Tool | Description |
|---|---|
| Add Endpoint | Registers a discovered API endpoint in the database |
| Add Multiple Endpoints | Registers multiple endpoints in batch efficiently |
| Semgrep Endpoint Rule | Detects endpoints with Semgrep and verifies them with AI before saving |
Vulnerabilities
Tools for reporting and correlating discovered vulnerabilities.
| Tool | Description |
|---|---|
| Report Vulnerability | Reports a vulnerability and starts the deduplication & verification pipeline |
| Search Related Vulnerabilities | Searches the database or the code for related vulnerabilities to support chained exploits |
Sub-Agents
Tools for delegating complex tasks to specialised sub-agents.
| Tool | Description |
|---|---|
| Dynamic Vulnerability Verifier | Launches a sub-agent that verifies the vulnerability by executing real attacks |
| Delegate HTTP Task | Delegates a complex HTTP task to a specialised HTTP agent |
| Delegate Code Analysis | Delegates a code question to a static analysis specialist agent |
Dynamic Placeholders
Deflectra's backend processes dynamic placeholders within tool parameters (such as URLs, headers, or HTTP request bodies). These placeholders allow agents to perform on-the-fly data transformations during a scan without needing separate tool calls.
Encryption and Encoding
Use these placeholders to encode or decode data within any text field.
Syntax: {{encode:type:text[:parameters]}} or {{decode:type:text[:parameters]}}
| Type | Description | Supported Parameters |
|---|---|---|
| base64 | Standard Base64 encoding. | - |
| jsfuck | JavaScript encoding using only 6 characters. | eval=true/false, parent=true/false |
| hex | Hexadecimal representation. | - |
| url | URL encoding (percent-encoding). | - |
| html | HTML entity encoding. | - |
| aes | AES Encryption/Decryption (128, 192, 256 bits). | key, iv, padding=true/false, iv_in_payload=true/false, key_encoding, iv_encoding |
| rsa | RSA Encryption/Decryption. | public_key, private_key |
| php_filter_chain | PHP Filter Chain generation for LFI/RCE. | prefix, suffix, resource |
| unicode | Unicode character escape (\uXXXX). | - |
| binary | Binary representation (0s and 1s). | - |
| Others | octal, decimal, ascii, utf8, unicode-binary | - |
Example: {{encode:base64:admin:admin}} → YWRtaW46YWRtaW4=
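As an added illustration (not Deflectra's own code), the following Python re-implements the parameter-free part of this placeholder syntax for base64, hex, url, html and unicode. It also makes explicit the point the example above relies on: everything after the type is treated as the text, so a literal colon such as the one in admin:admin is preserved rather than parsed as a parameter separator. The exact escape format for the unicode type and the behaviour on unknown types are assumptions of this example, not documented behaviour.

```python
import base64
import html
import re
import urllib.parse

# Matches {{encode:type:text}} and {{decode:type:text}}; the text group is
# non-greedy up to the closing braces and may itself contain colons
# (assumed from the page's own example {{encode:base64:admin:admin}}).
PLACEHOLDER = re.compile(r"\{\{(encode|decode):([a-z0-9_-]+):(.*?)\}\}")

ENCODERS = {
    "base64": lambda s: base64.b64encode(s.encode()).decode(),
    "hex": lambda s: s.encode().hex(),
    "url": lambda s: urllib.parse.quote(s, safe=""),      # percent-encode everything
    "html": lambda s: html.escape(s, quote=True),          # HTML entity encoding
    # \uXXXX per character; the exact format is an assumption of this example
    "unicode": lambda s: "".join(f"\\u{ord(c):04x}" for c in s),
}

DECODERS = {
    "base64": lambda s: base64.b64decode(s).decode(),
    "hex": lambda s: bytes.fromhex(s).decode(),
    "url": lambda s: urllib.parse.unquote(s),
    "html": lambda s: html.unescape(s),
    "unicode": lambda s: re.sub(
        r"\\u([0-9a-fA-F]{4})", lambda m: chr(int(m.group(1), 16)), s
    ),
}


def expand_placeholders(value: str) -> str:
    """Replace every encode/decode placeholder inside a tool parameter value."""

    def replace(match: re.Match) -> str:
        direction, enc_type, text = match.groups()
        table = ENCODERS if direction == "encode" else DECODERS
        if enc_type not in table:
            # Unknown type: leave the placeholder visible instead of silently
            # sending a half-transformed value (assumed behaviour).
            return match.group(0)
        return table[enc_type](text)

    return PLACEHOLDER.sub(replace, value)


if __name__ == "__main__":
    # Constructed header value using the page's own example
    print(expand_placeholders("Authorization: Basic {{encode:base64:admin:admin}}"))
```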
Object Serialization
Used to generate payloads for insecure deserialization exploitation.
Syntax: {{serialize:type:json_config}}
| Type | Description |
|---|---|
| java | Java Object Serialization payload. |
| python | Python pickle payload. |
| phar | PHP Phar archive payload. |
| php-string | PHP serialized string literal. |
Usage: The configuration is a JSON object defining the class and the data to serialize. Deflectra automatically calculates the lengths and formats required by each language's serialization protocol.