Built on CAVET

The Knowledge Infrastructure For Ethical Hackers

Build a structured inventory of your targets. Encode attack patterns into playbooks & let the Nexus Engine match what you observe to what you know and surface exactly what applies.

01

Map The Context

Build a structured inventory of every target.

02

Encode Your Knowledge

Turn techniques into reusable playbooks.

03

Execute The Logic

Surface what applies and exactly why.

Your knowledge is only as useful as your ability to apply it at the right moment.

Four failure modes

The gap between knowing and doing.

Sometimes it is a knowledge gap. More often it is a connection gap. Either way, these are the four ways it costs you bugs.

The problem

A technique you learned months ago fits this target perfectly, but it never crosses your mind. You move on. The bug stays there.

How Nimbus fixes it

Surfacing every relevant playbook from your library in real time, including ones you have not consciously thought about since the day you learned them.

The Nimbus Core

Not a set of features
An operating system.

Four integrated layers that turn raw observation into structured, actionable intelligence. Plus a browser extension that brings it all to any page.

See everything at once

Platforms, programs, assets, playbooks — all in one view. Track your attack coverage, surface blind spots across targets, and see engine activity over time. Every metric is live from your workspace.

  • Platform & program overview
  • Attack coverage and blind spots
  • Engine activity sparkline and trends

The Taxonomy

CAVET: one language
for targets and attacks.

When both a target and a technique speak the same language, pattern recognition gets automated.

Technology

What it is built on

Frameworks, databases, servers, libraries. Defines the possibility space: which vulnerability classes can exist and which cannot. Examples: Node.js, MySQL, AWS S3, Cloudflare.

Functionality

What users can do

Discrete features the application exposes. Trust boundaries where input is accepted and promises are made. Examples: File Upload, Password Reset, OAuth Login, Search.

Vector

How input flows in

The transport mechanisms through which data moves through the application. Different vectors carry different levels of implicit trust. Examples: URL Params, HTTP Headers, WebSocket, Cookies.

Gadget

What makes it land

An existing primitive that makes an attack viable. What turns "this might be a bug" into "this is definitely exploitable". Examples: innerHTML sink, postMessage, open redirect.

Quirk

How it actually behaves

Observable behaviors confirmed through testing. What decides whether an attack is exploitable in this specific context. Examples: Input Reflection, CSRF Token, MIME check.

You do not need to know a technique exists
to benefit from it being known.

Team

Division of labor. Multiplication of results.

Nimbus decouples the three core activities of bug hunting, making genuine role specialisation possible. Each role makes the others more effective.

The Architect

Advanced

Builds and maintains the knowledge base. Researches techniques, studies write-ups, and encodes everything into structured playbooks. May never touch a live target—their output is the intellectual infrastructure the whole team operates on.

The Recon Specialist

Beginner — Advanced

Maps the attack surface. Documents every asset using CAVET components and builds rich, structured target profiles. The quality of what the engine surfaces is directly proportional to the quality of their observations.

The Hunter

Intermediate — Advanced

Executes. Receives high-confidence playbook matches against mapped assets and turns them into confirmed vulnerabilities. The feedback layer that closes the loop, relaying new intelligence back to the Architect.


Start free. Scale when it clicks.

The free tier is enough to run the methodology on a real target and feel whether it works for you.

Free

$0/mo

10 assets and 50 playbooks. Enough to validate the methodology on a real target.

10 assets, 50 playbooks

Full CAVET component library

1 workspace

Exports

Program logs

Team

$30/mo

Everything in Pro plus unlimited workspaces and seat-based pricing for your organization.

Everything in Pro

Unlimited workspaces

15 seats included

$1/seat beyond 15

Invite free users into workspace

Every bug you've found is a playbook waiting to be written.


FAQ

Frequently asked questions.

No. The Nexus Engine is deterministic — it matches your asset observations against your playbook conditions using explicit rules, not a language model. Every suggestion comes with a confidence score and a clear reason. You always know why a playbook was surfaced.
Bug bounty hunters, pentesters, and security researchers who want their accumulated knowledge to work systematically on every target — not just when they happen to remember it. Solo hunters and teams both benefit, but in different ways.
No. Nimbus surfaces what your knowledge says is worth testing on a given target. Whether a bug exists and how to confirm it is still on you. The engine reduces what you miss — it doesn't replace the work of exploitation.
Yes. You build your own playbook library from scratch — every write-up you've studied, every technique you've confirmed, encoded on your terms. The quality of what the engine surfaces is directly proportional to the quality of what you put in.
Component Analysis and Vulnerability Enumeration Technique. It's the taxonomy Nimbus uses to describe both targets and techniques in the same language — five component types: Technology, Functionality, Vector, Gadget, and Quirk. When a target and a playbook share components, the engine produces a match.
Yes, but the honest answer is that you get out what you put in. A new hunter with a small playbook library will get limited suggestions. The value compounds as your knowledge base grows — or if you have access to a workspace that someone else has already built out.