
Runbooks & Attack Trees#

Hive allows you to define reusable scan workflows as runbooks and visual attack paths as attack trees, then execute them via the APHIDS CLI.


Runbooks#

A runbook is a pre-configured set of scan modules stored in Hive. Instead of maintaining options files, you define scan workflows in the Hive UI and execute them by ID.

Execute a Runbook#

aphids-cli -r RUNBOOK_ID --target-url https://example.com

The CLI fetches the runbook configuration from Hive, substitutes your target, and executes all defined modules.

Create Runbooks#

Runbooks are created in the Hive UI under Attack Platform > Runbooks:

  1. Name and describe the runbook
  2. Select modules and configure arguments
  3. Set parameter templates with variable substitution
  4. Save and version the runbook

Runbook Use Cases#

  • Standard external pentest: nmap + whatweb + nuclei + nikto + gobuster
  • Web application assessment: zap + wapiti + sqlmap + dalfox + commix
  • Subdomain recon: amass + subfinder + httpx + katana
  • SAST pipeline: semgrep + bandit + gitleaks + trufflehog + safety
  • WordPress audit: wpscan + nuclei (wp templates) + gobuster

Attack Trees#

Attack trees are visual, conditional scan workflows where each node represents a tool or decision point. Results from one node can influence subsequent nodes.

Execute an Attack Tree#

# Basic execution
aphids-cli -at ATTACK_TREE_ID --target-domain example.com

# With scope restrictions
aphids-cli -at ATTACK_TREE_ID \
  --target-domain example.com \
  --attack-tree-scope "example.com,*.example.com,10.0.0.0/24"

Scope Restrictions#

Attack trees support scope enforcement to prevent out-of-scope scanning:

Format     Example          Description
IP         10.0.0.1         Single IP address
CIDR       10.0.0.0/24      IP range
Domain     example.com      Exact domain
Wildcard   *.example.com    All subdomains

Multiple scope entries are comma-separated:

--attack-tree-scope "example.com,*.example.com,10.0.0.0/24"
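The following is an added example, not part of the aphids-cli or Hive code, showing how a scope string in the format above can be parsed and used to reject out-of-scope hosts before a node runs. The matching rules (an exact domain entry matches only that host, a wildcard entry matches subdomains but not the apex) are assumptions for this example, not documented aphids-cli behaviour.

```python
import ipaddress


def parse_scope(scope: str) -> list:
    """Turn a comma-separated --attack-tree-scope string into typed entries."""
    entries = []
    for raw in scope.split(","):
        item = raw.strip().lower().rstrip(".")
        if not item:
            continue
        if item.startswith("*."):
            entries.append(("wildcard", item[2:]))
            continue
        try:
            # A single IP parses as a /32 network; strict=False tolerates host bits
            entries.append(("network", ipaddress.ip_network(item, strict=False)))
        except ValueError:
            entries.append(("domain", item))
    return entries


def in_scope(target: str, entries: list) -> bool:
    """True if target (an IP address or hostname) matches any scope entry."""
    target = target.strip().lower().rstrip(".")
    try:
        addr = ipaddress.ip_address(target)
    except ValueError:
        addr = None  # not an IP, treat as a hostname
    for kind, value in entries:
        if kind == "network" and addr is not None and addr in value:
            return True
        if kind == "domain" and addr is None and target == value:
            return True
        # Wildcard covers subdomains only; the apex needs its own entry.
        # Suffix match with a leading dot stops example.com.evil.test matching.
        if kind == "wildcard" and addr is None and target.endswith("." + value):
            return True
    return False


def filter_targets(scope: str, targets: list) -> tuple:
    """Split hosts from an enumeration step into (allowed, rejected) lists."""
    entries = parse_scope(scope)
    allowed = [t for t in targets if in_scope(t, entries)]
    rejected = [t for t in targets if not in_scope(t, entries)]
    return allowed, rejected


if __name__ == "__main__":
    # Constructed sample: the page's scope string plus hosts a recon node might return
    scope = "example.com,*.example.com,10.0.0.0/24"
    found = ["example.com", "api.example.com", "example.com.evil.test", "10.0.0.7", "10.0.1.7"]
    print(filter_targets(scope, found))
```

Hosts in the rejected list should be logged rather than silently dropped, so that scope violations found during a scan are visible in the engagement record.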

Build Attack Trees#

Attack trees are built in the Hive UI under Attack Platform > Attack Trees:

  1. Create a visual tree with tool nodes
  2. Define parameter mappings between nodes
  3. Configure conditional logic (e.g., only run SQLMap if forms are found)
  4. Set scope restrictions
  5. Execute from UI or CLI

Example Attack Tree Flow#

Subdomain Enumeration (subfinder)
    ├── HTTP Probing (httpx)
    │       │
    │       ├── Web Fingerprint (whatweb)
    │       │
    │       ├── Vulnerability Scan (nuclei)
    │       │
    │       └── Directory Discovery (gobuster)
    └── Port Scanning (nmap)
            └── Service-specific scans

Scan Executions#

Scan executions are pre-configured scan jobs created in the Hive UI that can be triggered from the CLI:

aphids-cli -se EXECUTION_ID

Executions store the complete scan configuration including target, modules, and parameters. They can be re-executed, tracked, and compared over time.

Create Scan Executions#

  1. Navigate to Attack Platform > Scan Executions in Hive
  2. Select a runbook or attack tree
  3. Configure parameters and targets
  4. Save the execution configuration
  5. Run from UI or CLI with -se

Fileless Execution#

For quick one-off scans without config files, combine runbooks with inline targeting:

# Web scan via runbook
aphids-cli -r RUNBOOK_ID --target-url https://example.com

# Network scan via attack tree
aphids-cli -at TREE_ID --target-host 10.0.0.0/24

# With engagement tracking
aphids-cli -r RUNBOOK_ID \
  --target-url https://example.com \
  -e ENGAGEMENT_ID

No options.yaml or config.yaml needed — just the API key and a runbook/tree ID.