Overview
Vigolium’s agent mode uses AI to drive vulnerability scanning. There are three execution modes with increasing autonomy: Query for single-shot analysis, Swarm for AI-planned targeted scanning, and Autopilot for fully autonomous multi-class assessments. A fourth command, Pipeline, is a convenience alias for `swarm --discover`.
Prerequisites
Agent mode requires an AI backend. The default backend is Claude (via the Agent SDK). Verify it’s available before running any agent command. Other backends are selected with `--agent <name>` (e.g., `--agent gemini`, `--agent opencode`).
Query: Single-Shot Analysis
Query runs a single AI prompt and returns structured output. No network scanning — useful for code review, endpoint discovery, and secret detection.
With a Built-in Template
With an Inline Prompt
With Specific Files
Saving Output
Swarm: AI-Planned Targeted Scanning
Swarm is the primary agentic scan mode. A master AI agent analyzes your input, selects scanner modules, generates custom JavaScript extensions, and executes the scan.
Scanning a Specific Request
Pass a target request via `--input` (accepts URLs, curl commands, raw HTTP, Burp XML, or base64):
Full-Scope Scanning with Discovery
Add `--discover` to run content discovery and spidering before the AI planning phase:
Or use the equivalent `pipeline` command:
Source-Aware Scanning
Provide application source code for deeper analysis. The AI agent analyzes routes and auth flows, and generates targeted extensions:
Focusing on a Vulnerability Type
Enabling Triage
By default, swarm outputs raw findings. Add `--triage` for AI-powered true/false positive classification with automatic rescan:
Swarm Phases
The swarm pipeline runs these phases in order:

| Phase | Type | Description |
|---|---|---|
| native-normalize | Native | Parse and normalize input |
| source-analysis | AI | Route extraction from source code (if `--source`) |
| code-audit | AI | Deep security code audit (if `--code-audit`) |
| native-sast | Native | Static analysis (if `--source`) |
| sast-review | AI | Validate SAST findings |
| native-discover | Native | Discovery + spidering (if `--discover`) |
| plan | AI | Master agent plans the attack |
| native-extension | Native | Write generated JS extensions |
| native-scan | Native | Execute the planned scan |
| triage | AI | Classify findings (if `--triage`) |
| native-rescan | Native | Targeted rescan on follow-ups |
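The `native-normalize` phase has to turn every `--input` form listed above (URL, curl command, raw HTTP, Burp XML, base64) into one request structure before any AI phase sees it. The following is an added, hypothetical normalizer written for this page, not Vigolium's own code; the output dict shape, the curl subset it honours (`-X`, `-H`, `-d` only) and the sample request are assumptions.

```python
import argparse
import base64
import shlex
import xml.etree.ElementTree as ET
# Constructed sample (no real target): a raw request as --input would receive it.
SAMPLE_RAW = "POST /login HTTP/1.1\r\nHost: app.example\r\n\r\nuser=a&pass=b"

def _from_raw_http(raw, scheme="http"):
    # Request line, headers, blank line, body; the Host header rebuilds the URL.
    head, _, body = raw.replace("\r\n", "\n").partition("\n\n")
    request_line, *header_lines = head.split("\n")
    method, path, _version = request_line.split(" ", 2)
    headers = dict(map(str.strip, h.partition(":")[::2]) for h in header_lines)
    url = f"{scheme}://{headers.get('Host', '')}{path}"
    return {"method": method, "url": url, "headers": headers, "body": body}

def _from_curl(cmd):
    parser = argparse.ArgumentParser(add_help=False)  # stands in for curl's parser
    parser.add_argument("url")
    parser.add_argument("-X", "--request")
    parser.add_argument("-H", "--header", action="append", default=[])
    parser.add_argument("-d", "--data", "--data-raw")  # only -X/-H/-d honoured (assumption)
    opts, _unknown = parser.parse_known_args(shlex.split(cmd)[1:])
    headers = dict(map(str.strip, h.partition(":")[::2]) for h in opts.header)
    method = opts.request or ("POST" if opts.data else "GET")
    return {"method": method, "url": opts.url, "headers": headers, "body": opts.data or ""}

def _from_burp_xml(text):
    # Burp "Save items" export: <items><item><request base64="true">...</request>.
    item = ET.fromstring(text).find("item")
    req = item.find("request")
    raw = base64.b64decode(req.text).decode() if req.get("base64") == "true" else req.text
    return _from_raw_http(raw, item.findtext("protocol") or "http")

def normalize_input(value):
    """Hypothetical helper (not Vigolium's code): detect the --input form, return a dict."""
    text = value.strip()
    if text.startswith("<"):
        return _from_burp_xml(text)
    if text.startswith("curl "):
        return _from_curl(text)
    if text.startswith(("http://", "https://")):
        return {"method": "GET", "url": text, "headers": {}, "body": ""}
    if " HTTP/" in text.partition("\n")[0]:
        return _from_raw_http(text)
    try:  # last resort: base64-wrapped input, decoded and normalized again
        decoded = base64.b64decode(text, validate=True).decode()
    except (ValueError, UnicodeDecodeError):
        raise ValueError("unrecognised --input format") from None
    return normalize_input(decoded)
```

Whatever form the operator pastes, the later phases receive the same `{method, url, headers, body}` dict, and an unrecognised blob fails loudly instead of being scanned as an empty request.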
Pipeline: Full-Scope Alias
Pipeline is a backward-compatible alias for `swarm --discover`. Use it when you want a full-scope agentic scan:
Autopilot: Autonomous Multi-Class Assessment
Autopilot runs a 5-phase specialist pipeline that autonomously scans for multiple vulnerability classes in parallel:
Phases
- Recon - map the attack surface (endpoints, tech stack, auth flows)
- Vulnerability Analysis - parallel specialists identify potential vulns per class
- Native Scan - execute targeted scans based on analysis
- Exploit Verification - confirm findings with proof-of-concept attempts
- Report - generate a structured security report
Selecting Specialists
By default, autopilot runs all specialists. To focus on specific vulnerability classes, select from: injection, xss, auth, ssrf, authz.
With Source Code
With a Focus Area
Resuming a Session
Autopilot supports checkpointing. If interrupted, resume from where it left off:
Timeout and Limits
Session Management
All agent runs create session directories under `~/.vigolium/agent-sessions/`. Browse past sessions:
Custom Instructions
Append custom guidance to any agent prompt:
Dry Run and Prompt Inspection
Preview the rendered prompt without executing:
Choosing the Right Mode
| Mode | AI Calls | Best For |
|---|---|---|
| Query | 1 | Code review, endpoint discovery, CI checks |
| Swarm | 2-4+ | Targeted request scanning, focused testing |
| Pipeline | 5-6+ | Full-scope structured scanning |
| Autopilot | Many (parallel) | Deep autonomous assessment, multi-class testing |
