
🔑 PhantomYerra Help Center

The world's first AI-Agentic Security Assessment Platform. Complete documentation for all scanning surfaces, tools, reports, and configuration options.

v44.32.79 — Current Release · 60+ security tools · AI-Agentic mode · 18 attack surfaces

Quick Start Guide

Get up and running in under 5 minutes. Follow these three steps in order.

  1. Activate License
     Open Settings → License. Enter your license key. PhantomYerra validates against the licensing server and unlocks all modules for your tier.
  2. Create Auth Token
     Go to Settings → Auth Tokens. Click Generate New Token. Copy and store it securely — this token is required before any active scan can run.
  3. Run Your First Scan
     Click New Scan on the home screen. The Mission Control Wizard guides you through target entry, surface selection, and scan mode. Hit Launch.

PhantomYerra requires an active internet connection for license validation. Ensure your firewall allows outbound HTTPS to licensing.dastcloud.com.


🔑 License Activation

PhantomYerra uses server-validated licensing. Each license key is tied to a machine installation code generated from your hardware.

  1. Open the application. The license screen appears on first launch.
  2. Enter your license key in the field provided (format: PY-XXXX-XXXX-XXXX-XXXX).
  3. Click Activate License. The app connects to licensing.dastcloud.com to validate.
  4. On success, you'll see your license tier, expiry date, and module entitlements.
  5. Your AI API key (if bundled with your license) is automatically imported — no manual entry required.

License keys are single-seat. To transfer to a new machine, contact license@phantomyerra.com with your old installation code and new machine details.

🔒 Auth Tokens

Auth tokens are security gates that prevent accidental or unauthorized scanning. Every active scan requires a valid token.

  1. Navigate to Settings → Auth Tokens.
  2. Click Generate New Token.
  3. Optionally name the token (e.g., "Red Team Engagement Q2").
  4. Copy the token and store it in a password manager. It will not be shown again.
  5. When launching a scan, paste the token in the auth field within the Mission Control Wizard.

You can generate multiple tokens for different engagements and revoke them individually from the Settings → Auth Tokens screen.

🔎 Run Your First Scan

  1. Click New Scan (or press Ctrl N).
  2. The Mission Control Wizard opens. Enter the target URL, IP, or CIDR range.
  3. Select your scope: single host, domain + subdomains, IP range, or custom list.
  4. Choose attack surfaces: check the modules you want (Web, Network, Recon, etc.).
  5. Select scan mode: Automated AI (Claude-driven), Semi-Automated (AI-suggested, you approve), or Manual (full control).
  6. Enter your Auth Token and click Launch Scan.
  7. Watch real-time progress in the Scan Dashboard. Findings appear live as they're confirmed.

In Automated AI mode, PhantomYerra plans the attack, selects tools, chains findings, and writes professional PoC narratives — all without manual intervention.

🤖 AI Key Setup

PhantomYerra uses Claude (Anthropic) as its AI brain. Your key may be bundled with your license, or you can add your own.

  1. If your license includes an AI key, it's activated automatically — no action needed.
  2. To add a manual key: go to Settings → AI Configuration.
  3. Select provider (Anthropic Claude is default and preferred).
  4. Paste your API key. It's encrypted with AES-256-GCM and stored locally — never sent in plaintext.
  5. Click Save & Verify. The app validates the key with a minimal test call.

Without an AI key, all 60+ tools remain fully functional. An AI key unlocks AI Pentesting mode, AI-written reports, context-aware payload generation, and agentic orchestration.

For air-gapped environments, enable Air-Gapped Mode in Settings. All AI calls route to local Ollama — zero data leaves the machine.


📚 How-To Guides

Step-by-step instructions for every attack surface. Click any section to expand.

🌐 Web Application Testing (Core)

Full-spectrum web pentesting using Nuclei, ZAP, Nikto, WPScan, parameter discovery, TLS analysis, and fuzzing. Covers OWASP Top 10, API security, and business logic testing.

  1. In the Wizard, select target URL (e.g., https://app.example.com) and check Web Application Testing.
  2. Choose sub-modules: Nuclei templates, ZAP active scan, parameter discovery, TLS scan, fuzzing.
  3. For WordPress sites, WPScan triggers automatically when WordPress is detected via fingerprinting.
  4. Set crawl depth and authentication (cookie/bearer token) if the target requires login.
  5. Launch scan. Findings display in real-time with severity, evidence (raw HTTP), and PoC curl commands.
  6. Click any finding → Exploit tab to run automated exploitation and capture proof.
  7. Export report: Reports → Generate → PDF / DOCX / SARIF.
Pro Tip: For authenticated testing, go to Settings → Auth Profiles and save a cookie/token profile. Apply it per-scan so you don't re-enter credentials each time.

🖥 Network & Infrastructure Scanning (Core)

Port scanning, service fingerprinting, VPN gateway CVE scanning (Pulse Secure / Citrix / Fortinet / Cisco), Active Directory pentesting, and network topology mapping.

  1. Select Network / Infrastructure in the Wizard. Enter target IP or CIDR range.
  2. Choose scan intensity: Stealth, Normal, Aggressive. Stealth uses SYN scan with timing delays.
  3. Enable VPN Gateway Scanner if the target is likely to run enterprise VPN appliances. Automatically probes for Pulse Secure CVE-2019-11510, Citrix CVE-2019-19781, Fortinet CVE-2018-13379, Cisco AnyConnect misconfigs.
  4. Enable Active Directory Pentest for internal network assessments. Runs Kerbruting, AS-REP roasting, BloodHound-compatible graph output.
  5. Topology map auto-generates showing discovered hosts, open ports, and service relationships.
  6. All CVE findings link to NVD entry, EPSS score, and known PoC exploits.
Pro Tip: Use the Network Topology View to visually trace attack paths from public-facing assets through internal pivot points. Right-click any node to scope it for deeper testing.

📡 Recon & OSINT (Core)

Subdomain enumeration, DNS reconnaissance, ASN mapping, URL discovery, and passive OSINT. Expands attack surface before active testing begins.

  1. Select Recon in the Wizard. Enter the root domain (e.g., example.com).
  2. Choose sources: Subfinder (passive), DNS bruteforce, Certificate Transparency (crt.sh), ASN lookup, GAU (historical URLs).
  3. URL discovery mode crawls discovered subdomains with Katana, extracting all endpoints.
  4. ASN mapping identifies all IP ranges registered to the organization — useful for full-scope engagements.
  5. OSINT module queries GitHub, Shodan, and LinkedIn for credential leaks and exposed assets.
  6. All discovered assets appear in the Assets panel. Select any for deeper scanning.
Pro Tip: Run Recon first on every engagement. Pass its output directly into Web, Network, and DAST modules via Import from Recon Results — no re-entry needed.

💻 SAST — Static Application Security Testing (Code)

Multi-language static analysis covering Python, JavaScript/TypeScript, Java, Go, Rust, Ruby, C/C++, .NET, Swift, Kotlin, COBOL, and more. Finds vulnerabilities in source code before deployment.

  1. Select SAST in the Wizard. Choose source: local directory, Git repository URL, or uploaded archive.
  2. Language auto-detection runs first. Review detected languages and confirm.
  3. Select rule sets: OWASP Top 10, CWE Top 25, custom rules, or compliance-specific (PCI-DSS, HIPAA).
  4. AI-enhanced analysis correlates findings — e.g., untrusted input at line 40 flowing into SQL query at line 87.
  5. SARIF report exports to IDE integration (VS Code, IntelliJ) for in-editor finding display.
  6. Each finding includes: file path, line number, data flow trace, severity, CWE mapping, and fix recommendation with corrected code snippet.
Pro Tip: Enable Data Flow Tracing in SAST settings for taint analysis — it tracks untrusted user input from entry point through all transformations to dangerous sinks.

DAST — Dynamic Application Security Testing (Core)

Active runtime testing of deployed applications including out-of-band (OOB) detection for blind vulnerabilities like SSRF, blind SQLi, and XXE.

  1. Select DAST in the Wizard. Provide the running application URL.
  2. Authentication setup: configure session cookies, OAuth tokens, or form-based login for full app coverage.
  3. Enable OOB Testing for out-of-band vulnerability detection. PhantomYerra generates unique OOB callback URLs per payload, capturing blind SSRF, blind SQLi, and XXE interactions.
  4. Set crawl strategy: spider, proxy-capture, or import Burp Suite state file.
  5. Active scan probes each endpoint with attack payloads. Evidence captured: request/response pairs for every finding.
  6. OOB interactions logged in real-time — shows DNS lookup, HTTP callback, or TCP connection confirming the vulnerability.
Pro Tip: Use DAST's Burp Suite Import feature to proxy your manual browsing session first, then hand off the full request map to DAST for automated testing. No blind spots.

😵 Secrets Scanning (High Value)

Detects hardcoded secrets, API keys, passwords, tokens, and credentials using TruffleHog with entropy analysis across code repositories, environment files, and binary blobs.

  1. Select Secrets Scanning in the Wizard.
  2. Choose source: Git repository (scans full commit history, not just HEAD), local directory, or Docker image.
  3. Entropy-based detection finds secrets even without known patterns.
  4. Pattern library covers 750+ known secret formats: AWS keys, GCP service accounts, GitHub tokens, Stripe keys, Twilio SIDs, database DSNs, SSH private keys, JWT secrets, and more.
  5. Each finding shows: file path, line number, secret type, entropy score, and redacted preview.
  6. Verified secrets (e.g., active AWS key validated against AWS STS) are marked VERIFIED ACTIVE — highest priority remediation.
Pro Tip: Run Secrets Scanning on the entire Git history (--since-commit optional), not just the current working tree. Developers often commit secrets and delete them — TruffleHog finds both.

🔌 IoT Firmware Analysis (Embedded)

Binary firmware analysis using Shannon entropy, 14 magic byte type signatures, backdoor/credential extraction, Binwalk integration, and binary diff engine to detect changes between firmware versions.

  1. Select IoT / Firmware Analysis. Upload the firmware binary (.bin, .img, .tar.gz, .zip).
  2. Automatic identification: file system type (SquashFS, JFFS2, YAFFS2, EXT4), architecture (ARM, MIPS, x86), compression.
  3. Shannon entropy analysis flags encrypted/packed sections and potential hidden payloads.
  4. Binwalk extracts file system contents. All extracted files are scanned for hardcoded credentials, default passwords, and SSH keys.
  5. BLE/Zigbee protocol probing available for connected device testing (requires supported USB adapter).
  6. For binary diff: upload two firmware versions. The engine highlights added functions, modified code sections, and newly introduced strings — especially useful for identifying backdoor injection.
Pro Tip: Compare vendor firmware against the same version downloaded directly from the manufacturer. Any delta is a red flag — it could indicate a supply chain compromise or unauthorized modification.
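
The entropy heuristic behind step 3 of both the Secrets Scanning guide (pattern-less secret detection) and the Firmware Analysis guide (flagging packed or encrypted sections) is the same Shannon entropy calculation applied at two granularities. The following is an added Python example written for this help page; it is not PhantomYerra, TruffleHog, or Binwalk code. The window size, thresholds, and sample data are constructed for illustration, and the access key in the sample is the AWS documentation example value, not a live credential.

```python
import math
import re
from collections import Counter


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per symbol: 0.0 for a constant run, 8.0 for 256 equiprobable byte values."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


# --- Firmware side: sliding-window entropy map over a binary image ---

def entropy_map(blob: bytes, window: int = 256) -> list:
    """(offset, entropy) for each fixed-size window of the image."""
    return [(off, shannon_entropy(blob[off:off + window])) for off in range(0, len(blob), window)]


def high_entropy_regions(blob: bytes, window: int = 256, threshold: float = 7.5) -> list:
    """Merge adjacent windows at or above the threshold into (start, end) byte ranges.
    Compressed or encrypted data sits near 8 bits/byte; code and file systems usually sit well below."""
    regions = []
    for off, ent in entropy_map(blob, window):
        if ent < threshold:
            continue
        if regions and regions[-1][1] == off:
            regions[-1] = (regions[-1][0], off + window)   # extend the current region
        else:
            regions.append((off, off + window))
    return regions


# Constructed firmware-like image: 1 KiB of padding, 1 KiB of byte-uniform "packed" data, 512 B of padding.
SAMPLE_FIRMWARE = b"\x00" * 1024 + bytes(range(256)) * 4 + b"\x00" * 512


# --- Secrets side: entropy of candidate tokens found in text ---

# Long runs of key-like characters; '=' is deliberately excluded so KEY=VALUE splits into two tokens.
TOKEN_RE = re.compile(r"[A-Za-z0-9+/_\-]{20,}")


def find_secret_candidates(text: str, threshold: float = 3.5) -> list:
    """Return high-entropy tokens with line number, entropy score and a redacted preview.
    The threshold is a tuning knob of this example, not a value taken from PhantomYerra."""
    hits = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for tok in TOKEN_RE.findall(line):
            ent = shannon_entropy(tok.encode())
            if ent >= threshold:
                hits.append({
                    "line": lineno,
                    "entropy": round(ent, 2),
                    "preview": tok[:4] + "…" + tok[-2:],   # never write the full secret to a report
                })
    return hits


# Constructed .env-style sample (the key is the AWS documentation example value, not a live credential).
SAMPLE_ENV = """# constructed sample, not a real environment file
DB_HOST=localhost
AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE
PLACEHOLDER=xxxxxxxxxxxxxxxxxxxxxxxx
"""


if __name__ == "__main__":
    print("high-entropy firmware regions:", high_entropy_regions(SAMPLE_FIRMWARE))
    print("secret candidates:", find_secret_candidates(SAMPLE_ENV))
```

The firmware map reports the byte-uniform region as a single (1024, 2048) range, and the text scan reports only the access key: the 24-character placeholder of repeated "x" has zero entropy and is ignored, which is the same reason entropy-based detection does not fire on long but repetitive strings.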

🏭 OT / ICS Protocol Scanning (Critical Infra)

Real industrial protocol scanning: DNP3, BACnet/IP, EtherNet/IP CIP, and Siemens S7Comm. Reads PLC firmware versions and vendor IDs unauthenticated. Maps to IEC 62443 and NERC CIP.

  1. Select OT / ICS in the Wizard. Enter target IP or range (typically the OT network segment).
  2. Select protocols: DNP3 (port 20000), BACnet/IP (UDP 47808), EtherNet/IP (port 44818), S7Comm (port 102).
  3. Device discovery phase identifies PLCs, RTUs, HMIs, and engineering workstations.
  4. Each discovered device: vendor, firmware version, hardware revision, and configured function blocks — extracted unauthenticated where protocols allow.
  5. CVE correlation runs automatically against discovered firmware versions (e.g., Siemens S7-300 firmware CVEs).
  6. Compliance mapping to IEC 62443 zones/conduits and NERC CIP critical assets included in report.

Safety Notice: OT/ICS scanning is passive-only by default. Active exploitation is disabled and requires explicit override with written authorization. Never run active probes against production OT systems without a maintenance window.

Pro Tip: Run BACnet discovery first — BACnet's broadcast-based device discovery exposes the full OT topology without any targeted probing, minimizing risk to operational systems.

💊 Medical Device Security (Healthcare)

HL7 MLLP, DICOM, and FHIR R4 protocol scanning with 20+ vendor default credential pairs. Compliance mapping to HIPAA Security Rule, FDA cybersecurity guidance, and AAMI TIR57.

  1. Select Medical Device Security in the Wizard.
  2. Choose protocols: HL7 MLLP (port 2575), DICOM (port 104), FHIR R4 REST API.
  3. Default credential testing against 20+ vendor pairs (GE, Philips, Siemens, Cerner, Epic, etc.).
  4. HL7 scanning tests for unauthenticated message injection and PHI exposure via ADT/ORU message types.
  5. DICOM scanning queries PACS systems for patient study metadata — confirms PHI exposure scope.
  6. FHIR scanning tests for misconfigured OAuth, unauthenticated patient resource access, and bulk data export vulnerabilities.
  7. HIPAA Security Rule control mapping auto-generates in the report.

PASSIVE_ONLY interlock is always active. Medical device scanning will never attempt to write data, send commands, or modify patient records. Read-only probing only.

Pro Tip: Start DICOM scanning with a C-ECHO (ping equivalent) to confirm reachability, then C-FIND for study metadata. This confirms PHI exposure with minimal network impact.

🧠 AI / LLM Security Testing (Emerging)

Discovers Ollama, Gradio, HuggingFace Spaces, and OpenAI-compatible APIs. Fires prompt injection payloads per endpoint. Full OWASP LLM Top 10 coverage.

  1. Select AI / LLM Security in the Wizard. Enter target domain or IP range.
  2. Discovery phase: HTTP fingerprinting finds Ollama (/api/generate), Gradio (/run/predict), HuggingFace (/models/), and OpenAI-compatible (/v1/chat/completions) endpoints.
  3. For each discovered endpoint: 5 prompt injection payloads fire automatically, testing for direct injection, indirect injection via retrieved documents, and jailbreak attempts.
  4. Unauthenticated model access is flagged (LLM01 — Prompt Injection, LLM06 — Sensitive Info Disclosure).
  5. Model metadata extraction: model name, version, and system prompt leakage attempts.
  6. Results map to OWASP LLM Top 10 (v1.1). Each finding includes payload used, response received, and exploitation impact.
Pro Tip: After finding an exposed Ollama instance, use the Manual Exploit tab to craft custom prompts. Unauthenticated Ollama on an internal network can act as an AI-powered lateral movement assistant for attackers.

🚘 Automotive Security Testing (Specialized)

Vehicle security assessment covering ECU communication analysis, telematics interfaces, and over-the-air update validation. Supports physical CAN bus analysis via compatible hardware interfaces.

  1. Select Automotive Security in the Wizard.
  2. For telematics/OTA: provide the backend API endpoint or mobile app binary for analysis.
  3. OTA update security validation: integrity check bypass testing, rollback attack simulation, authentication mechanism review.
  4. For CAN bus analysis: connect a SocketCAN-compatible interface (e.g., PEAK PCAN-USB). PhantomYerra captures and decodes CAN frames.
  5. Diagnostic protocol testing: UDS (ISO 14229), DoIP (ISO 13400) session enumeration and security access level testing.
  6. TARA (Threat Analysis and Risk Assessment) report section generated per ISO/SAE 21434.
Pro Tip: Always test OTA update endpoints for replay attacks. Capture a legitimate update request, replay it with a modified firmware payload, and verify whether the signature check actually blocks it.

📱 Mobile App Security Testing (Core)

iOS and Android application security testing: static analysis, dynamic analysis, API testing, and certificate pinning bypass. OWASP Mobile Top 10 coverage.

  1. Select Mobile Testing. Upload the APK (Android) or IPA (iOS).
  2. Static analysis: decompile with JADX/apktool, extract hardcoded secrets, insecure storage patterns, and exported components.
  3. Manifest/Info.plist analysis: permission overgrant, debuggable flag, backup enabled, exported activities.
  4. Dynamic analysis requires a connected device or emulator. PhantomYerra instruments the app with Frida for runtime analysis.
  5. Certificate pinning bypass: automatic Frida scripts for common pinning implementations (OkHttp, NSURLSession, custom).
  6. API traffic capture and replay: all API calls logged during dynamic session for targeted backend testing.
  7. Report maps to OWASP MASVS and MSTG verification levels (L1, L2, R).
Pro Tip: After extracting API endpoints from the APK, import them directly into the Web Application Testing module for backend API fuzzing — mobile apps often have more permissive API endpoints than the web frontend.

Reverse Engineering (Advanced)

Binary analysis with Ghidra and radare2 integration, AI-assisted decompilation narration, function identification, and vulnerability pattern recognition in compiled code.

  1. Select Reverse Engineering. Upload the binary (ELF, PE, Mach-O, raw blob).
  2. Auto-analysis: architecture detection, import/export table parsing, string extraction, entropy map.
  3. Ghidra headless analysis generates decompiled pseudocode for all functions.
  4. AI narration: Claude reads decompiled functions and describes their purpose, identifies dangerous patterns (e.g., unbounded strcpy, format string vulnerabilities, integer overflows).
  5. Cross-reference analysis: finds all call sites for dangerous functions, traces back to user-controlled input sources.
  6. radare2 integration for shellcode analysis, ROP gadget discovery, and memory layout analysis.
Pro Tip: Use the Function Search feature to quickly find authentication bypass candidates: search for functions containing strcmp, memcmp, or password/auth/login strings in the symbol table.

📄 SBOM — Software Bill of Materials (Compliance)

Generate CycloneDX-compliant SBOM using Syft and Grype. Identify all dependencies, their versions, licenses, and known vulnerabilities across container images, directories, and archives.

  1. Select SBOM Generation. Choose target: Docker image, local directory, archive, or OCI registry.
  2. Syft enumerates all packages: OS packages (APK, DEB, RPM), language packages (npm, pip, Maven, Go modules, Cargo), and binary signatures.
  3. Grype correlates each component against NVD, GitHub Security Advisories, and CISA KEV — flags actively exploited vulnerabilities at the top.
  4. License compliance report: flags GPL/LGPL/AGPL dependencies that may have commercial licensing implications.
  5. Export in CycloneDX 1.4 JSON or XML format (standard for NIST SSDF, EO 14028 compliance).
  6. SBOM diff: compare two SBOMs to see exactly what changed between builds — new dependencies, version bumps, removed packages.
Pro Tip: Embed SBOM generation into CI/CD via PhantomYerra's Scheduled Scans feature. Configure a daily SBOM scan against your container registry — you'll get notified the same day a new CVE affects your dependencies.
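
Steps 3 and 6 above (vulnerability correlation with KEV entries at the top, and the SBOM diff between builds) both operate on the CycloneDX JSON that Syft emits. The following is an added Python example written for this help page, not Syft, Grype, or PhantomYerra code. The two BOMs use fictional package names, the advisory table is constructed to stand in for NVD/GHSA/KEV data, and keying components by name (rather than by purl) is a simplification of this example.

```python
import json

SEVERITY_RANK = {"Critical": 4, "High": 3, "Medium": 2, "Low": 1}


def components(sbom_json: str) -> dict:
    """Map component name -> version from a CycloneDX JSON document.
    Production tooling keys by purl; keying by name keeps this example short."""
    doc = json.loads(sbom_json)
    if doc.get("bomFormat") != "CycloneDX":
        raise ValueError("not a CycloneDX document")
    return {c["name"]: c["version"] for c in doc.get("components", [])}


def sbom_diff(old_json: str, new_json: str) -> dict:
    """What changed between two builds: added, removed and version-bumped components."""
    old, new = components(old_json), components(new_json)
    return {
        "added": {n: v for n, v in new.items() if n not in old},
        "removed": {n: v for n, v in old.items() if n not in new},
        "changed": {n: (old[n], new[n]) for n in old.keys() & new.keys() if old[n] != new[n]},
    }


def vulnerable_components(sbom_json: str, advisories: list) -> list:
    """Match components against an advisory table (exact affected versions) and order the hits
    KEV-listed first, then by severity, so actively exploited issues sit at the top of the report."""
    comps = components(sbom_json)
    hits = [
        {"name": adv["name"], "version": comps[adv["name"]], "advisory": adv["id"],
         "severity": adv["severity"], "kev": adv["kev"]}
        for adv in advisories
        if adv["name"] in comps and comps[adv["name"]] in adv["affected"]
    ]
    return sorted(hits, key=lambda h: (h["kev"], SEVERITY_RANK[h["severity"]]), reverse=True)


def _bom(component_list: list) -> str:
    """Constructed CycloneDX 1.4 document (fictional packages, not Syft output)."""
    return json.dumps({
        "bomFormat": "CycloneDX", "specVersion": "1.4", "version": 1,
        "components": [{"type": "library", "name": n, "version": v, "purl": f"pkg:npm/{n}@{v}"}
                       for n, v in component_list],
    })


SBOM_BUILD_1 = _bom([("acme-http", "1.4.0"), ("acme-json", "2.0.1"), ("acme-pad", "0.9.0")])
SBOM_BUILD_2 = _bom([("acme-http", "1.4.2"), ("acme-json", "2.0.1"), ("acme-tls", "3.1.0")])

# Constructed advisory table; IDs, versions and KEV flags are illustrative only.
CONSTRUCTED_ADVISORIES = [
    {"id": "EXAMPLE-ADV-0001", "name": "acme-json", "affected": ["2.0.0", "2.0.1"], "severity": "Medium", "kev": True},
    {"id": "EXAMPLE-ADV-0002", "name": "acme-http", "affected": ["1.4.0"], "severity": "High", "kev": False},
    {"id": "EXAMPLE-ADV-0003", "name": "acme-tls", "affected": ["3.1.0"], "severity": "Critical", "kev": False},
]


if __name__ == "__main__":
    print("diff:", sbom_diff(SBOM_BUILD_1, SBOM_BUILD_2))
    for hit in vulnerable_components(SBOM_BUILD_2, CONSTRUCTED_ADVISORIES):
        print(hit)
```

Note the ordering in the second build: the Medium-severity KEV-listed hit is reported ahead of the Critical non-KEV hit, which is the "actively exploited first" rule from step 3. The version bump of acme-http between builds also removes it from the affected list, which is exactly the kind of delta a daily scheduled SBOM scan surfaces.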

📅 Scheduled Scans (Automation)

Cron-based scan scheduling with React UI, countdown timers, and morning briefing delivery to Slack and email. Keep continuous visibility on your attack surface.

  1. Navigate to Scheduled Scans in the left sidebar.
  2. Click New Schedule. Configure target, modules, and scan mode as in a normal scan.
  3. Set the cron schedule using the visual picker or manual cron expression (e.g., 0 6 * * 1-5 for weekdays at 6am).
  4. Enable Morning Briefing: a daily digest of new findings, EPSS score changes, and CISA KEV additions delivered to Slack and/or email.
  5. Each scheduled scan shows countdown to next run, last run status, and finding delta (new / resolved since last run).
  6. AI Audit Trail logs every Claude API call made during scheduled scans — timestamps, prompts, and responses captured for compliance.
Pro Tip: Schedule a lightweight recon scan daily and a full scan weekly. Daily scans catch new subdomains and open ports. Weekly scans do the deep exploitation work. Combine both for continuous red team coverage.
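
Step 3 relies on the standard five-field cron syntax (minute, hour, day-of-month, month, day-of-week), and step 5's countdown is simply the distance to the next matching minute. The following is an added Python example written for this help page; it is not PhantomYerra's scheduler. It implements the cron field grammar (`*`, ranges, lists, `/step`) and assumes day-of-month and day-of-week are ANDed, whereas Vixie cron ORs them when both are restricted.

```python
from datetime import datetime, timedelta

# (low, high) bounds for the five fields: minute, hour, day-of-month, month, day-of-week (0 = Sunday)
FIELD_BOUNDS = ((0, 59), (0, 23), (1, 31), (1, 12), (0, 6))


def _expand(field: str, lo: int, hi: int) -> set:
    """Expand one cron field ('*', 'a-b', 'a,b', '*/n', 'a-b/n') into the set of matching values."""
    values = set()
    for part in field.split(","):
        step = 1
        if "/" in part:
            part, step_text = part.split("/", 1)
            step = int(step_text)
        if part == "*":
            start, end = lo, hi
        elif "-" in part:
            start_text, end_text = part.split("-", 1)
            start, end = int(start_text), int(end_text)
        else:
            start = int(part)
            end = hi if step > 1 else start      # '5/10' means every 10 starting at 5
        if step < 1 or not (lo <= start <= end <= hi):
            raise ValueError(f"cron field {field!r} outside {lo}-{hi}")
        values.update(range(start, end + 1, step))
    return values


def parse_cron(expr: str) -> list:
    """Parse a five-field expression into five value sets; raises ValueError on bad input."""
    fields = expr.split()
    if len(fields) != 5:
        raise ValueError("expected 5 fields: minute hour day-of-month month day-of-week")
    return [_expand(f, lo, hi) for f, (lo, hi) in zip(fields, FIELD_BOUNDS)]


def matches(parsed: list, when: datetime) -> bool:
    """True when the given minute is on the schedule (day fields ANDed, see lead-in)."""
    minute, hour, dom, month, dow = parsed
    cron_dow = (when.weekday() + 1) % 7          # Python Monday=0 -> cron Sunday=0
    return (when.minute in minute and when.hour in hour and when.day in dom
            and when.month in month and cron_dow in dow)


def next_run(expr: str, after: datetime) -> datetime:
    """First scheduled minute strictly after `after`, searching at most one year ahead."""
    parsed = parse_cron(expr)
    candidate = after.replace(second=0, microsecond=0) + timedelta(minutes=1)
    for _ in range(366 * 24 * 60):
        if matches(parsed, candidate):
            return candidate
        candidate += timedelta(minutes=1)
    raise ValueError(f"{expr!r} never fires within a year of {after.isoformat()}")


def countdown(expr: str, now: datetime) -> timedelta:
    """What a schedule card's countdown timer would display."""
    return next_run(expr, now) - now


if __name__ == "__main__":
    # Constructed "now": a Friday at 07:00, so the weekday 6am schedule next fires on Monday.
    now = datetime(2024, 3, 1, 7, 0)
    print("next run:", next_run("0 6 * * 1-5", now))
    print("countdown:", countdown("0 6 * * 1-5", now))
```

Validating the expression up front (`parse_cron` raises on out-of-range values) is worth keeping in any scheduler wrapper: a typo such as `0 25 * * *` should be rejected when the schedule is saved, not discovered when the scan never fires.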

🔗 Evidence Chain of Custody (Legal-Grade)

SHA-256 hashing and RFC 3161 DigiCert timestamping on all evidence. Blockchain-style tamper detection with per-finding VERIFIED / TAMPERED status. Legally defensible evidence.

  1. Evidence chain is automatic. Every finding's evidence is SHA-256 hashed at capture time.
  2. RFC 3161 timestamp is requested from DigiCert's TSA immediately after evidence capture. Proves the evidence existed at a specific moment in time, signed by a trusted third party.
  3. The tamper detection log forms a blockchain-style chain: each entry hashes the previous entry's hash. Any modification breaks the chain.
  4. To verify evidence integrity: open any finding → Evidence tab → click Verify Integrity. Status shows VERIFIED (green) or TAMPERED (red) with the exact entry that breaks the chain.
  5. Export chain of custody report for legal proceedings or regulatory submissions: Reports → Export → Chain of Custody PDF.
Pro Tip: For legal proceedings, export the chain of custody PDF immediately after the engagement closes and store it separately from the scan database. The RFC 3161 timestamp proves evidence predates any claim of fabrication.
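
Steps 1, 3 and 4 describe a hash-linked log: each entry carries the SHA-256 of its evidence and the hash of the previous entry, and verification walks the chain and stops at the first link that no longer holds. The following is an added Python example written for this help page; it is not PhantomYerra's evidence store. The entry layout, the all-zero genesis hash and the sample HTTP captures are constructed, and the RFC 3161 request to DigiCert's TSA (which would take the entry hash as its message imprint) is outside this offline example.

```python
import copy
import hashlib
import json

GENESIS_HASH = "0" * 64   # the first entry chains to a fixed all-zero hash


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def _canonical(body: dict) -> bytes:
    """Deterministic serialization so the same body always hashes the same way."""
    return json.dumps(body, sort_keys=True, separators=(",", ":")).encode()


def append_evidence(chain: list, finding_id: str, evidence: bytes, captured_at: str) -> dict:
    """Hash the evidence at capture time and link the new entry to the previous entry's hash.
    entry_hash is the value that would be timestamped by an RFC 3161 TSA."""
    body = {
        "finding_id": finding_id,
        "evidence_sha256": sha256_hex(evidence),
        "captured_at": captured_at,
        "prev_hash": chain[-1]["entry_hash"] if chain else GENESIS_HASH,
    }
    entry = dict(body, entry_hash=sha256_hex(_canonical(body)))
    chain.append(entry)
    return entry


def verify_chain(chain: list, evidence_store: dict) -> tuple:
    """Walk the chain from the genesis hash. Returns ("VERIFIED", None) when every link holds, or
    ("TAMPERED", index) naming the first entry whose link, own hash, or evidence no longer matches."""
    prev = GENESIS_HASH
    for i, entry in enumerate(chain):
        body = {k: v for k, v in entry.items() if k != "entry_hash"}
        if body.get("prev_hash") != prev:                                  # link to previous entry broken
            return "TAMPERED", i
        if sha256_hex(_canonical(body)) != entry.get("entry_hash"):        # entry fields edited after hashing
            return "TAMPERED", i
        evidence = evidence_store.get(entry["finding_id"])
        if evidence is None or sha256_hex(evidence) != body["evidence_sha256"]:   # stored evidence altered
            return "TAMPERED", i
        prev = entry["entry_hash"]
    return "VERIFIED", None


# Constructed raw HTTP captures standing in for the evidence a scan stores per finding.
EVIDENCE = {
    "F-001": b"GET /admin HTTP/1.1\r\nHost: app.example.com\r\n\r\nHTTP/1.1 200 OK\r\n",
    "F-002": b"GET /api/users/1 HTTP/1.1\r\nHost: app.example.com\r\n\r\nHTTP/1.1 200 OK\r\n",
    "F-003": b"GET /robots.txt HTTP/1.1\r\nHost: app.example.com\r\n\r\nHTTP/1.1 200 OK\r\n",
}


def build_sample_chain() -> list:
    chain = []
    for n, fid in enumerate(sorted(EVIDENCE), start=1):
        append_evidence(chain, fid, EVIDENCE[fid], f"2024-01-15T10:0{n}:00Z")
    return chain


def tamper_demo() -> dict:
    """Three scenarios: untouched chain, an altered evidence file, and an entry rewritten with its hash recomputed."""
    chain = build_sample_chain()
    results = {"untouched": verify_chain(chain, EVIDENCE)}

    # Scenario 2: the stored capture for F-003 is edited after the fact.
    edited_store = dict(EVIDENCE, **{"F-003": EVIDENCE["F-003"].replace(b"200 OK", b"404 Not Found")})
    results["evidence_altered"] = verify_chain(chain, edited_store)

    # Scenario 3: entry 0 is backdated and its own hash recomputed; entry 1 still points at the old hash.
    rewritten = copy.deepcopy(chain)
    rewritten[0]["captured_at"] = "2023-12-01T00:00:00Z"
    body = {k: v for k, v in rewritten[0].items() if k != "entry_hash"}
    rewritten[0]["entry_hash"] = sha256_hex(_canonical(body))
    results["entry_rewritten"] = verify_chain(rewritten, EVIDENCE)
    return results


if __name__ == "__main__":
    for scenario, status in tamper_demo().items():
        print(f"{scenario:18} {status}")
```

The third scenario is the one that justifies the chain: recomputing a single entry's hash is easy, but every later entry still embeds the original hash, so the break is reported at the entry immediately after the rewrite. An external RFC 3161 timestamp on each entry hash closes the remaining gap, where an attacker rewrites the entire chain from the tampered entry onward.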

📊 Reports & Exports (Core)

Professional report generation in PDF, DOCX, XLSX, SARIF, and HTML formats. Executive summary, technical findings, evidence appendix, and remediation guidance all included.

  1. Navigate to Reports in the sidebar. Select the completed scan.
  2. Choose report template: Executive Summary, Full Technical Report, Findings-Only, Compliance Mapping, or Developer Remediation Guide.
  3. Select output format: PDF (WeasyPrint), DOCX, XLSX, SARIF 2.1 (for IDE/SIEM integration), or HTML.
  4. In AI mode: click AI-Enhance Report. Claude writes professional narrative for each finding, business impact assessment, and executive summary — all with anonymized target references to protect client confidentiality.
  5. Customize branding: add client logo and your company logo under Settings → Report Branding.
  6. For SARIF export: import directly into VS Code (SARIF Viewer extension), Azure DevOps, or GitHub Advanced Security.
Pro Tip: Use the Compliance Mapping template for regulatory audits. It auto-maps findings to PCI-DSS, HIPAA, SOC 2, ISO 27001, NIST CSF, and CIS Controls — saves hours of manual mapping work.

🤖 Agentic Mode — Autonomous AI Pentesting (AI)

Claude drives the entire engagement autonomously. Plans the attack, selects tools, executes, adapts to results, chains findings into attack paths, and writes the final report.

  1. In the Wizard, select Automated AI Mode.
  2. Enter target, scope, and engagement type (external, internal, web app, API, etc.).
  3. Provide your Auth Token. An AI key is required — either bundled with license or manually configured.
  4. Click Launch Agentic Scan. Claude receives the engagement brief and begins planning.
  5. Watch the Agentic Activity Log in real-time — shows Claude's reasoning, tool calls made, and findings confirmed.
  6. Claude calls all 60+ tools as functions, reads their outputs, and decides next steps dynamically. No pre-programmed flow.
  7. Attack chain graph auto-builds: shows discovery → exploitation → impact → escalation path.
  8. On completion, Claude writes the full report narrative. Review and approve each finding before export.
Pro Tip: Start with Semi-Automated mode to understand PhantomYerra's decision-making before going fully autonomous. Semi-Automated shows you what Claude would do next and asks for approval — great for learning and for engagements requiring human oversight.

📊 Intelligence Features

  • CVE Intelligence: Daily sync from NVD and CISA KEV. 200,000+ CVEs with full metadata, severity, and affected versions.
  • EPSS Scoring: Exploit Prediction Scoring System scores updated daily. Prioritizes by actual exploit likelihood, not just CVSS severity.
  • Threat Actor Attribution: 30+ threat actor groups with TTPs, targeted sectors, and known CVE weaponization history.
  • MITRE ATT&CK Navigator: Export scan findings as an ATT&CK Navigator JSON layer for visual technique coverage mapping.

CVE Intelligence

PhantomYerra syncs CVEs from the NVD (National Vulnerability Database) and the CISA KEV (Known Exploited Vulnerabilities) catalog on first launch and daily thereafter. To trigger a sync manually: Settings → Intelligence → Sync Now.

During scans, discovered software versions are matched against the local CVE database. Matches are enriched with: CVSS v3.1 vector and score, EPSS probability, KEV status, and known public exploit references (Exploit-DB, GitHub, Metasploit).

EPSS Scoring

EPSS (Exploit Prediction Scoring System) assigns a probability (0–1.0) that a CVE will be exploited in the wild within the next 30 days. PhantomYerra downloads daily EPSS scores and applies them to all CVE findings.

Findings are sorted by EPSS by default, not CVSS — because a CVSS 7.5 with EPSS 0.92 is more urgent than a CVSS 9.8 with EPSS 0.001. Enable CISA KEV Auto-Escalation in Intelligence settings to auto-promote any KEV-listed finding to Critical regardless of CVSS score.
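
The ordering rule above (EPSS first, CVSS as tie-breaker) and the KEV auto-escalation rule are small enough to show in full. The following is an added Python example written for this help page, not PhantomYerra's triage code. The CVSS v3.1 qualitative bands are the published ones; the finding list is constructed, reusing the CVSS 7.5 / EPSS 0.92 versus CVSS 9.8 / EPSS 0.001 pair from the text, and the CVE identifiers are placeholders, not real records.

```python
def cvss_severity(score: float) -> str:
    """CVSS v3.1 qualitative rating bands."""
    if score >= 9.0:
        return "Critical"
    if score >= 7.0:
        return "High"
    if score >= 4.0:
        return "Medium"
    if score > 0.0:
        return "Low"
    return "None"


def prioritize(findings: list, kev_auto_escalate: bool = True) -> list:
    """Return a new list ordered by EPSS (descending) with CVSS as tie-breaker.
    With kev_auto_escalate on, any KEV-listed finding is promoted to Critical regardless of CVSS;
    the `escalated` flag records that the label came from KEV rather than the CVSS band."""
    ranked = []
    for f in findings:
        item = dict(f, severity=cvss_severity(f["cvss"]), escalated=False)
        if kev_auto_escalate and f.get("kev", False) and item["severity"] != "Critical":
            item["severity"] = "Critical"
            item["escalated"] = True
        ranked.append(item)
    return sorted(ranked, key=lambda x: (x["epss"], x["cvss"]), reverse=True)


# Constructed findings; scores are illustrative and the CVE IDs are placeholders.
SAMPLE_FINDINGS = [
    {"id": "F-1", "cve": "CVE-0000-00001", "cvss": 9.8, "epss": 0.001, "kev": False},
    {"id": "F-2", "cve": "CVE-0000-00002", "cvss": 7.5, "epss": 0.92, "kev": False},
    {"id": "F-3", "cve": "CVE-0000-00003", "cvss": 6.5, "epss": 0.40, "kev": True},
    {"id": "F-4", "cve": "CVE-0000-00004", "cvss": 5.3, "epss": 0.01, "kev": False},
]


if __name__ == "__main__":
    for f in prioritize(SAMPLE_FINDINGS):
        flag = " (KEV escalated)" if f["escalated"] else ""
        print(f'{f["id"]}  EPSS={f["epss"]:.3f}  CVSS={f["cvss"]}  {f["severity"]}{flag}')
```

In this sample the CVSS 9.8 finding lands last because its EPSS is 0.001, while the Medium-band KEV finding is labelled Critical without moving in the list: escalation changes the severity label, and the list order stays EPSS-driven as the text describes.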

Threat Actor Attribution

PhantomYerra's threat intelligence database covers 30+ APT and criminal threat groups including APT29, Lazarus, FIN7, BlackCat, LockBit, and sector-specific actors. For each discovered vulnerability, the relevant threat actors known to exploit it are listed with campaign history and targeted industries.

Access via: Intelligence → Threat Actors. Filter by sector (Healthcare, Finance, Critical Infrastructure, etc.) to see which groups target your industry.

MITRE ATT&CK Navigator Export

After a scan completes, export findings as an ATT&CK Navigator layer:

  1. Go to Reports → Export → ATT&CK Navigator JSON.
  2. Open ATT&CK Navigator in a browser.
  3. Click Open Existing Layer → Upload from local. Select the exported JSON file.
  4. The navigator highlights all techniques observed during your engagement with color coding by severity.
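
The layer file uploaded in step 3 is plain JSON: a list of `techniqueID` entries, each with a colour, score and comment, plus a small header. The following is an added Python example written for this help page; it is not PhantomYerra's exporter. It collapses findings onto their technique IDs, colours each technique by its worst finding, and lists the contributing finding IDs in the comment. The findings are constructed (the technique IDs themselves are real ATT&CK identifiers), and the ATT&CK, Navigator and layer version numbers in the header are assumptions to be aligned with the Navigator build you open the file in.

```python
import json

SEVERITY_RANK = {"Critical": 4, "High": 3, "Medium": 2, "Low": 1, "Info": 0}
SEVERITY_COLOR = {"Critical": "#8b0000", "High": "#ff4500", "Medium": "#ffa500", "Low": "#ffd966", "Info": "#cccccc"}


def build_navigator_layer(name: str, findings: list, domain: str = "enterprise-attack") -> dict:
    """Collapse findings onto ATT&CK technique IDs; each technique takes the colour of the most
    severe finding that exercised it and a comment listing every contributing finding."""
    per_technique = {}
    for f in findings:
        slot = per_technique.setdefault(f["technique"], {"severity": "Info", "findings": []})
        slot["findings"].append(f["id"])
        if SEVERITY_RANK[f["severity"]] > SEVERITY_RANK[slot["severity"]]:
            slot["severity"] = f["severity"]

    techniques = [
        {
            "techniqueID": tid,
            "score": SEVERITY_RANK[slot["severity"]] * 25,        # 0..100, matching the gradient below
            "color": SEVERITY_COLOR[slot["severity"]],
            "comment": f"{slot['severity']}: " + ", ".join(sorted(slot["findings"])),
            "enabled": True,
            "showSubtechniques": False,
        }
        for tid, slot in sorted(per_technique.items())
    ]
    return {
        "name": name,
        # Version numbers are assumptions of this example; match them to your Navigator build.
        "versions": {"attack": "14", "navigator": "4.9.1", "layer": "4.5"},
        "domain": domain,
        "description": "Techniques observed during the engagement, coloured by worst finding severity.",
        "techniques": techniques,
        "gradient": {"colors": ["#cccccc", "#8b0000"], "minValue": 0, "maxValue": 100},
        "legendItems": [{"label": sev, "color": col} for sev, col in SEVERITY_COLOR.items()],
    }


def export_layer_json(name: str, findings: list) -> str:
    """Serialize the layer exactly as it would be written to the file chosen in step 3."""
    return json.dumps(build_navigator_layer(name, findings), indent=2)


# Constructed findings mapped to real ATT&CK technique IDs.
ATTACK_SAMPLE_FINDINGS = [
    {"id": "F-001", "technique": "T1190", "severity": "High"},        # Exploit Public-Facing Application
    {"id": "F-002", "technique": "T1190", "severity": "Critical"},
    {"id": "F-003", "technique": "T1110.003", "severity": "Medium"},  # Brute Force: Password Spraying
    {"id": "F-004", "technique": "T1552.001", "severity": "High"},    # Unsecured Credentials: Credentials In Files
]


if __name__ == "__main__":
    print(export_layer_json("Constructed engagement layer", ATTACK_SAMPLE_FINDINGS))
```

Two findings against T1190 collapse into one technique entry coloured Critical, with both finding IDs kept in the comment so the Navigator tooltip still traces back to the report.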

Settings & Configuration

AI Key Configuration

Navigate to Settings → AI Configuration.

  • Provider: Select Anthropic (Claude), OpenAI (GPT-4o), Google (Gemini 1.5 Pro), or local Ollama.
  • API Key: Enter and save. Encrypted with AES-256-GCM at rest. Never stored in plaintext.
  • Air-Gapped Mode: Routes all AI calls to local Ollama. Zero external network calls for AI operations.
  • Key Status: Shows credit balance, last validation time, and active/invalid state.

If credits run low, a non-blocking toast notification appears. If credits are exhausted, scanning continues using template-based operations — AI narrative generation and agentic mode are paused until the key is refreshed.

Proxy / Interceptor Setup

PhantomYerra can use a local interception proxy (Burp Suite, ZAP) for web scanning:

  1. Configure your proxy to listen on 127.0.0.1:8080 (or custom port).
  2. In PhantomYerra: Settings → Proxy → Enable Proxy. Enter host and port.
  3. For HTTPS interception: export your proxy's CA certificate and import it under Settings → Proxy → Trust CA Certificate.
  4. All web scan traffic now routes through the proxy — visible in Burp's HTTP history for manual review alongside automated findings.

Notification Configuration

Set up Slack and email alerts for scan completions, critical findings, and morning briefings:

  • Slack: Create an incoming webhook in your Slack workspace. Paste the URL under Settings → Notifications → Slack Webhook. Test with the Send Test button.
  • Email: Configure SMTP under Settings → Notifications → Email. Supports Gmail, Outlook, or custom SMTP with TLS/STARTTLS.
  • Morning Briefing: Toggle under Scheduled Scans → Morning Briefing. Delivers daily: new findings delta, EPSS score changes, and KEV additions affecting your scanned assets.
  • Critical Finding Alerts: Instant notifications when a Critical or High finding is confirmed during any active scan.

Keyboard Shortcuts

Speed up your workflow with these keyboard shortcuts. Press ? anywhere in the app to show this list.

Action                          Shortcut
New Scan                        Ctrl N
Open Settings                   Ctrl ,
Go to Reports                   Ctrl R
Go to Findings                  Ctrl F
Go to Dashboard                 Ctrl D
Go to Intelligence              Ctrl I
Go to Scheduled Scans           Ctrl S
Show Keyboard Shortcuts         ?
Stop Running Scan               Ctrl .
Export Report (current scan)    Ctrl E
Toggle Sidebar                  Ctrl B
Focus Search                    /
Escape / Close Dialog           Esc
Open Help Center                F1
Previous Finding                K
Next Finding                    J
Mark Finding as False Positive  F
Confirm / Exploit Finding       X
Copy Finding as Markdown        Ctrl C

Troubleshooting

Solutions to the most common issues. If your issue isn't listed, email support@phantomyerra.com with your logs from Help → Export Diagnostic Log.

🖥 App won't start / Sidecar shows Offline

The sidecar (Python/FastAPI scan engine) runs as a background process. If it shows "Offline" after 60 seconds, follow these steps:

  1. Check Windows Task Manager for python.exe processes. If none: the sidecar failed to start. Proceed to step 2.
  2. Open Help → Export Diagnostic Log and check for Python errors (look for ImportError, ModuleNotFoundError, or uvicorn startup failures).
  3. Run the app as Administrator (right-click → Run as Administrator). Some installations require elevated privileges to write to AppData.
  4. Reinstall: the installer places Python and all dependencies in %APPDATA%\PhantomYerra\. If that directory is corrupted, reinstall the app to repair it.
  5. Windows Defender or antivirus may be blocking the Python process. See the Windows Defender troubleshooting section below.

🔑 License validation fails / "Cannot connect to license server"

License validation requires an outbound HTTPS connection to licensing.dastcloud.com.

  1. Test connectivity: open a browser and navigate to https://licensing.dastcloud.com/health. You should see a JSON response.
  2. If blocked: check corporate proxy / firewall settings. Add licensing.dastcloud.com to the allowlist.
  3. If the license key is rejected: ensure you're using the exact key from your purchase email, including dashes (format: PY-XXXX-XXXX-XXXX-XXXX).
  4. If your machine's installation code changed (hardware change): contact license@phantomyerra.com to reset the license to your new installation code.
  5. For persistent issues: send your installation code (visible on the license screen) and purchase email to support.

🔧 Security tools not installing / showing as missing

PhantomYerra includes bundled security tools (Nuclei, httpx, subfinder, etc.). If tools show as missing:

  1. Go to Settings → Tools. Click Verify Tools to check which are missing.
  2. Click Download Missing Tools. Tools are downloaded from PhantomYerra's CDN.
  3. If download fails: check internet connectivity and whether your proxy/firewall blocks the CDN (tools.phantomyerra.com).
  4. For Windows Defender blocking tool binaries: see the Defender section below. Go binaries (nuclei, httpx, etc.) are commonly flagged as false positives.
  5. Manual installation: download tools from their official GitHub releases and place them in %APPDATA%\PhantomYerra\tools\.

🛡 Windows Defender quarantines PhantomYerra or its tools

Security tools like Nuclei, Nmap, and SQLMap trigger heuristic antivirus detection because they perform actions that look like malware (port scanning, payload injection). These are false positives.

To add Windows Defender exclusions manually:

  1. Open Windows Security (search in Start menu).
  2. Click Virus & threat protection.
  3. Under Virus & threat protection settings, click Manage settings.
  4. Scroll to Exclusions. Click Add or remove exclusions.
  5. Click Add an exclusion → Folder.
  6. Navigate to and select: %APPDATA%\PhantomYerra\ (paste this path into the address bar).
  7. Click Select Folder. The entire PhantomYerra data directory is now excluded.
  8. Restart PhantomYerra.

Only add exclusions for PhantomYerra's specific directory, not your entire system. These are real security tools — keep them isolated to their data directory.

🔎 Scan stuck, no progress, or returning no findings

If a scan appears stuck or returns zero findings after a long wait:

  1. Check the Scan Activity Log (click the log icon in the scan dashboard) for the last activity message.
  2. Verify the target is reachable: open Terminal (Ctrl+T) and ping the target. If unreachable, the scan will silently time out.
  3. Check scan timeout settings: Settings → Scan Defaults → Per-Tool Timeout. Increase for slow or high-latency targets.
  4. For web scans with no findings: the target may require authentication. Configure an auth profile under Settings → Auth Profiles and re-run.
  5. Try running a single module first (e.g., only Nuclei) to isolate which component is blocking.
  6. Stop the scan (Ctrl .), export the diagnostic log, and restart. Scans have crash recovery — partial results are preserved.