SaintScan — Active Validation
SaintScan is BleedWatch's attack validation module. It goes beyond passive scanning by actively testing whether discovered exposures are genuinely exploitable, producing proof-of-concept evidence and penetration test reports.
What Is Active Validation?
Traditional security scanners report potential vulnerabilities. SaintScan confirms them. When you run a SaintScan scan, AI agents attempt to exploit discovered weaknesses against your target — then an independent validator agent re-executes every confirmed finding to eliminate false positives.
Only validated findings appear in your final report. This means every finding you see has been confirmed exploitable at least twice.
Passive scanning tells you "this might be vulnerable." Active validation tells you "this is exploitable — here's the proof."
How a Scan Works
Every SaintScan scan progresses through seven phases:
| Phase | What Happens |
|---|---|
| 1. Recon | Discovers your target's technology stack, subdomains, open ports, and endpoints |
| 2. API Discovery | Maps REST endpoints, GraphQL schemas, WebSocket endpoints, and undocumented routes |
| 3. Analysis | AI agents analyze for SQL injection, XSS, IDOR, SSRF, command injection, and prompt injection |
| 4. Exploitation | Attempts to confirm vulnerabilities with test payloads and captures evidence |
| 5. Validation | An independent agent re-executes every finding's reproduction steps — failures are dropped |
| 6. Correlation | Cross-references with CVE databases, EASM exposures, and CI/CD findings to build kill chains |
| 7. Reporting | Generates the final penetration test report with remediation priorities |
You can monitor each phase in real time from the scan progress page, including live findings as they are discovered.
Running a Scan
Step 1: Configure the Scan
Navigate to SaintScan in the dashboard sidebar and click New Scan. Configure:
- Target URL — The primary URL to scan
- Scope Mode — Choose how the scan determines what to test:
  - Manual — Scans only the specified target URL
  - EASM — Automatically includes assets discovered by BleedWatch's surface monitoring
  - Delta — Scans only changed endpoints (useful for CI/CD-triggered scans)
- Budget Limit — A hard cost cap in USD (default $50, typical scan costs $8–15)
- Authentication — Optional credentials for authenticated scanning (Bearer token, Cookie, or Basic Auth). Use a dedicated test account scoped to the target: the scan actively exploits whatever those credentials can reach.
- Scope Restrictions — Include or exclude URL patterns (e.g., `/api/*` to include, `!/api/admin/*` to exclude)
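The include/exclude syntax above, worked through as an added example (not SaintScan's own code): a scope filter that decides which discovered endpoints the active phases may attack. The matching rules it assumes are not spelled out on this page: patterns are shell-style globs over the URL path, a leading `!` excludes, an exclusion beats any include that also matches, an empty include list means the whole target host, and any other host is out of scope regardless of patterns. The target and endpoint list are constructed.

```python
"""Scope filter for an active scan using include / "!"-exclude URL patterns.

Added example, not SaintScan's own code. Assumed semantics (the page only gives
the "/api/*" and "!/api/admin/*" shorthand): patterns are shell-style globs over
the URL path, a leading "!" marks an exclusion, exclusions win over inclusions,
no include patterns means "everything on the target host", and any host other
than the target is never in scope.
"""
from fnmatch import fnmatchcase
from urllib.parse import urlparse


def parse_scope(patterns):
    """Split ["/api/*", "!/api/admin/*"] into (includes, excludes)."""
    includes, excludes = [], []
    for raw in patterns:
        pat = raw.strip()
        if not pat:
            continue
        if pat.startswith("!"):
            excludes.append(pat[1:])
        else:
            includes.append(pat)
    return includes, excludes


def in_scope(url, patterns, target_url):
    """True if `url` may be actively tested under the given restrictions."""
    target_host = (urlparse(target_url).hostname or "").lower()
    parsed = urlparse(url)
    # Never touch a host other than the authorised target, whatever the patterns
    # say: "app.example.com" does not cover "staging.example.com".
    if parsed.hostname is None or parsed.hostname.lower() != target_host:
        return False
    path = parsed.path or "/"
    includes, excludes = parse_scope(patterns)
    # An exclusion takes precedence over any include that also matches.
    if any(fnmatchcase(path, pat) for pat in excludes):
        return False
    # With no include patterns, the whole target host is in scope.
    if not includes:
        return True
    return any(fnmatchcase(path, pat) for pat in includes)


def filter_endpoints(urls, patterns, target_url):
    """Keep only the discovered endpoints the exploitation phase may attack."""
    return [u for u in urls if in_scope(u, patterns, target_url)]


# Constructed sample: a target and endpoints as API discovery might return them.
TARGET = "https://app.example.com"
SCOPE = ["/api/*", "!/api/admin/*"]
DISCOVERED = [
    "https://app.example.com/api/users/42",
    "https://app.example.com/api/admin/users",
    "https://app.example.com/login",
    "https://app.example.com/api/",
    "https://staging.example.com/api/users/42",
]

if __name__ == "__main__":
    for u in filter_endpoints(DISCOVERED, SCOPE, TARGET):
        print("in scope:", u)
```

Running a check like this before launching is a cheap way to confirm that an exclusion such as `!/api/admin/*` really keeps test payloads off the paths you meant to protect, and that other hosts are not pulled in by accident (widening to discovered subdomains is what EASM scope mode is for).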
Step 2: Monitor Progress
After launching, the scan progress page shows:
- A 7-phase progress bar with the active phase highlighted
- Running cost vs. your budget cap
- Live findings as they are discovered
- Filterable agent logs
Step 3: Review Results
Once complete, navigate to the Findings tab or open the full Pentest Report.
Interpreting Results
Finding Severities
| Severity | Meaning |
|---|---|
| Critical | Immediately exploitable with severe impact |
| High | Exploitable with significant impact |
| Medium | Exploitable under certain conditions |
| Low | Minor security concern |
| Info | Informational, no direct exploit |
Finding Statuses
| Status | Meaning |
|---|---|
| Open | Confirmed and unaddressed |
| Fixed | Verified as remediated |
| Accepted | Acknowledged risk, no fix planned |
| False Positive | Marked as not a real vulnerability |
Validation Status
- Validated — The independent validator successfully reproduced the exploit. Only validated findings appear in the final report.
- Unverified — Not yet validated (for example, because the budget cap was reached before the Validation phase).
Findings that fail validation are automatically dropped and do not appear in the report.
Kill Chains
SaintScan's correlation engine links related findings into kill chains — narrative attack paths showing how multiple vulnerabilities combine to create compound risk.
For example: an exposed database credential in a Docker image, an open database port, and an SQL injection endpoint. On their own the first two are findings of moderate interest; together they are a working login to the database, and the injection endpoint is a second, independent route to the same data, so the correlation engine reports them as one compound path to database compromise rather than three isolated findings.
Each kill chain includes:
- A narrative description of the attack scenario
- An impact score (0–10)
- Cross-references to EASM, CI/CD, and pentest findings
- A visual attack graph showing how findings connect
Pentest Report
Each completed scan produces a full penetration test report with seven sections:
- Executive Summary — Overall risk level, urgency, and timeline recommendation
- Risk Dashboard — Findings by severity, top kill chains, compliance gaps
- Kill Chain Analysis — Detailed narratives with cross-references
- Detailed Findings — Each finding with evidence, reproduction steps, remediation, and compliance mapping
- Remediation Priority Matrix — Ranked by exploitability, business impact, EASM exposure, and estimated fix effort
- Compliance Mapping — Tables for ISO 27001, SOC 2, PCI DSS 4.0, and OWASP Top 10
- SBOM Summary — Dependency inventory with known CVEs and exploitability status
Budget Management
SaintScan tracks AI token usage and cost in real time:
- Default budget cap is $50 per scan (configurable from $5 to $500)
- Typical scans cost $8–15
- If the budget is exceeded, the pipeline skips the remaining phases and proceeds directly to reporting with whatever findings exist so far; findings that had not yet reached the Validation phase are reported as Unverified rather than validated
- The scan progress page shows running cost vs. cap in real time
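The validation gate and the budget rule described above, modelled as an added example (not SaintScan's code) against a constructed in-memory target. The phase costs, the two candidate findings and the `toy_target` function are all made up. What the example shows is why an independent re-execution matters: the second finding reproduced for the exploitation agent only because that agent had logged in earlier and never recorded the step, so a validator starting from a fresh session cannot reproduce it and drops it. It also assumes the cap is checked between phases rather than mid-phase.

```python
"""Independent validation gate and budget cap for an active-scan pipeline.

Added example, not SaintScan's code. It models the rules the page describes
against a constructed in-memory target: a finding is kept only if its recorded
reproduction steps succeed again in a fresh session (the validator shares no
state with the agent that found it), and once spend exceeds the budget cap the
remaining phases are skipped and the run goes straight to reporting, leaving
findings that never reached Validation marked "unverified".
"""
from dataclasses import dataclass, field, replace

PHASES = ["recon", "api_discovery", "analysis", "exploitation",
          "validation", "correlation", "reporting"]


def toy_target(path, params, session):
    """Constructed stand-in for the target application (not a real service)."""
    if path == "/api/login":
        session["user"] = params.get("user")
        return "welcome"
    if path == "/api/search":
        # Deliberately broken demo endpoint: a quote in the query leaks a DB error.
        return "syntax error near \"'\"" if "'" in params.get("q", "") else "ok"
    if path == "/api/export":
        # Only reveals data to a session that has logged in.
        return "CONFIDENTIAL" if session.get("user") else "forbidden"
    return "not found"


@dataclass
class Finding:
    title: str
    severity: str
    steps: list                 # [(path, params, expected_substring), ...]
    validation: str = "unverified"


def reproduce(finding, target, session):
    """Replay the recorded steps in the given session; every step must match."""
    for path, params, expected in finding.steps:
        if expected not in target(path, params, session):
            return False
    return True


def validate(findings, target):
    """Independent validator: a fresh session per finding; failures are dropped."""
    kept = []
    for f in findings:
        if reproduce(f, target, session={}):
            f.validation = "validated"
            kept.append(f)
    return kept


@dataclass
class ScanRun:
    budget_cap: float
    spent: float = 0.0
    findings: list = field(default_factory=list)
    phases_run: list = field(default_factory=list)
    phases_skipped: list = field(default_factory=list)


def run_scan(target, candidate_findings, phase_costs, budget_cap):
    """Run the phases in order; the cap is enforced before each non-reporting phase."""
    run = ScanRun(budget_cap=budget_cap)
    for phase in PHASES:
        if phase != "reporting" and run.spent > run.budget_cap:
            run.phases_skipped.append(phase)
            continue
        run.spent += phase_costs[phase]
        run.phases_run.append(phase)
        if phase == "exploitation":
            # Fresh copies so one run's validation status never leaks into another.
            run.findings = [replace(f) for f in candidate_findings]
        elif phase == "validation":
            run.findings = validate(run.findings, target)
    return run


# Constructed candidate findings as an exploitation agent might record them.
# The second "worked" for the agent only because it had called /api/login
# earlier and never recorded that step, so an independent replay cannot repeat it.
CANDIDATES = [
    Finding("SQL error disclosure in /api/search", "medium",
            [("/api/search", {"q": "'"}, "syntax error")]),
    Finding("Unauthenticated data export", "high",
            [("/api/export", {}, "CONFIDENTIAL")]),
]
# Constructed per-phase costs in USD.
COSTS = {"recon": 1.0, "api_discovery": 1.5, "analysis": 3.0, "exploitation": 4.0,
         "validation": 2.0, "correlation": 0.5, "reporting": 0.5}


def demo(budget_cap):
    """Run the modelled pipeline with the constructed target and findings."""
    return run_scan(toy_target, CANDIDATES, COSTS, budget_cap)


if __name__ == "__main__":
    for cap in (50.0, 8.0):
        r = demo(cap)
        print(f"cap ${cap}: spent ${r.spent}, skipped {r.phases_skipped}, "
              f"findings {[(f.title, f.validation) for f in r.findings]}")
```

With a $50 cap the export finding is dropped at Validation and only the reproducible one reaches the report; with an $8 cap the run overshoots during Exploitation, skips Validation and Correlation, and both findings reach the report as Unverified, which is exactly the case the troubleshooting section below tells you to check for.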
Troubleshooting
Scan Stuck in a Phase
If a scan appears stuck, check the agent logs on the scan progress page. Common causes:
- Target is rate-limiting requests — The scan will slow down but should complete. Consider increasing the budget to allow more time.
- Authentication expired — If using authenticated scanning, verify your credentials are still valid.
Budget Exhausted Early
If scans consistently exhaust the budget before completing all phases, increase the budget cap or narrow the scope using URL restrictions.
No Findings
A scan with zero findings means no exploitable vulnerability was confirmed within the scope, authentication, and budget you configured. That is a good result, but before treating it as a clean pass, check the scan progress page: a run that hit its budget cap before the Exploitation or Validation phase, or whose credentials expired mid-scan, has not fully tested your attack surface.