Built on CAVET

The Ethical Hackers' Notebook

Stop forcing checklists onto targets. Nimbus is a deterministic reasoning engine that maps components, tracks behaviors, and surfaces attack paths based on confirmed context.

01

Map The Context

Build a structured inventory of every target.

02

Encode Your Knowledge

Turn techniques into reusable playbooks.

03

Execute The Logic

Surface what applies and exactly why.

The methodology gap is real.
Nimbus closes it.

Most hunters approach targets with a checklist in their head, trying to force vulnerabilities onto an app. The smarter move is to map the target's context first—its technologies, functionalities, behaviors—and let that context dictate the attacks.

This is CAVET (Component Analysis & Vulnerability Enumeration Technique). Nimbus Vault operationalizes this into a working tool. It's not an AI that guesses; it's a deterministic engine that reasons.

  • Technologies & Functionalities: Define the possibility space.
  • Vectors & Gadgets: The paths and primitives for exploitation.
  • Quirks: The observable behaviors that determine actual exploitability.

[Diagram: Component: Technology; Component: Functionality; Observation: Quirk Identified (No State Param); Nexus Engine: Surfaces Playbook: OAuth CSRF]

The Workflow

Three movements.
One cycle.

Map what exists, encode what you know, and let the engine surface what applies — every session, every target.

01

Map the context

Break down every target into the five CAVET components. Technologies, functionalities, vectors, gadgets, and quirks — each one is a structured data point, not a folder label. The quality of your mapping determines the quality of every suggestion you get back.

  • Technologies — frameworks, languages, platforms
  • Functionalities — features like File Upload, OAuth
  • Gadgets, Vectors & Quirks — primitives, paths & behaviors
02

Encode your knowledge

Turn techniques, write-ups, and confirmed exploits into playbooks. Each playbook declares what components it needs and what it produces. Write it once — it activates against every matching target in your workspace, including ones you mapped months ago and forgot about.

  • Deterministic trigger conditions, not AI guesses
  • Category, tag, and combo assignments
  • Knowledge compounds across your entire workspace
03

Execute the logic

The Nexus Engine cross-references every component you've ever mapped against every playbook you've ever encoded. Confidence-scored suggestions, proactive guidance for what you haven't checked yet, and full transparency into why something was surfaced.

  • Real-time confidence scoring with full traceability
  • Proactive checklist for missing observations
  • Deterministic — every suggestion has a chain of evidence

Beyond the core

Capabilities that compound.

The workflow handles the cycle. These features handle everything around it — discovery, coverage, collaboration, and speed.

Get guided into discovering exploitable conditions on your target.

The Nexus Engine constantly analyzes your observations. When it recognizes you're close to confirming a viable attack path — it surfaces exactly what to check next, ranked by what gives you the most new ground. Instead of wondering where to go, you get a live feed of what's worth investigating.

Proactive Checklist

Start free. Scale when it clicks.

The free tier is enough to run the methodology on a real target and feel whether it works for you.

Free

$0

10 assets and 50 playbooks. Enough to validate the methodology on a real target.

10 assets, 50 playbooks

Starter Playbook & Component Library

1 workspace

Exports

Program logs

Co-Op

$50/mo

Everything in Pro plus unlimited workspaces and seat-based pricing for your organization.

Everything in Pro

Unlimited workspaces

15 seats included

$1/seat beyond 15

Invite free users into workspace

Every technique you've learned is a playbook waiting to be written.


FAQ

Frequently asked questions.

No. The Nexus Engine is deterministic — it matches your asset observations against your playbook conditions using explicit rules, not a language model. Every suggestion comes with a confidence score and a clear reason. You always know why a playbook was surfaced.
Bug bounty hunters, pentesters, and security researchers who want their accumulated knowledge to work systematically on every target — not just when they happen to remember it. Solo hunters and teams both benefit, but in different ways.
No. Nimbus surfaces what your knowledge says is worth testing on a given target. Whether a bug exists and how to confirm it is still on you. The engine reduces what you miss — it doesn't replace the work of exploitation.
Yes. You build your own playbook library from scratch — every write-up you've studied, every technique you've confirmed, encoded on your terms. The quality of what the engine surfaces is directly proportional to the quality of what you put in.
Component Analysis and Vulnerability Enumeration Technique. It's the taxonomy Nimbus uses to describe both targets and techniques in the same language — five component types: Technology, Functionality, Vector, Gadget, and Quirk. When a target and a playbook share components, the engine produces a match.
Yes, but the honest answer is that you get out what you put in. A new hunter with a small playbook library will get limited suggestions. The value compounds as your knowledge base grows — or if you have access to a workspace that someone else has already built out.