GraphQL API Reference

Welcome to the Horizon3.ai GraphQL API reference! This reference includes the complete set of GraphQL types, queries, mutations, and their parameters available to users of Horizon3.ai products.

First, learn how to authenticate with the API. If you are new to GraphQL, see the Getting Started guide.

API Endpoints
https://api.horizon3ai.com/v1/graphql
Headers
Authorization: Bearer <YOUR_TOKEN_HERE>

Queries

action_logs_count

Description

Number of action log records for a given pentest.

The action log is the set of all commands executed by NodeZero across all hosts during the pentest.

Response

Returns an Int!

Arguments
Name Description
input - OpInput! Pentest to get action logs for.
page_input - PageInput Pagination of action logs.

Example

Query
query action_logs_count(
  $input: OpInput!,
  $page_input: PageInput
) {
  action_logs_count(
    input: $input,
    page_input: $page_input
  )
}
Variables
{
  "input": OpInput,
  "page_input": PageInput
}
Response
{"data": {"action_logs_count": 123}}

action_logs_csv_presigned_url

Description

Generates a temporary AWS presigned URL for downloading the action log as a CSV.

The action log is the set of all commands executed by NodeZero across all hosts during the pentest.

Response

Returns a String

Arguments
Name Description
input - OpInput!

Example

Query
query action_logs_csv_presigned_url($input: OpInput!) {
  action_logs_csv_presigned_url(input: $input)
}
Variables
{"input": OpInput}
Response
{
  "data": {
    "action_logs_csv_presigned_url": "xyz789"
  }
}

action_logs_page

Description

Paginated list of action log records for a given pentest.

The action log is the set of all commands executed by NodeZero across all hosts during the pentest.

Response

Returns an ActionLogsPage!

Arguments
Name Description
input - OpInput! Pentest to get action logs for.
page_input - PageInput Pagination of action logs.

Example

Query
query action_logs_page(
  $input: OpInput!,
  $page_input: PageInput
) {
  action_logs_page(
    input: $input,
    page_input: $page_input
  ) {
    page_info {
      ...PageInfoFragment
    }
    action_logs {
      ...ActionLogFragment
    }
  }
}
Variables
{
  "input": OpInput,
  "page_input": PageInput
}
Response
{
  "data": {
    "action_logs_page": {
      "page_info": PageInfo,
      "action_logs": [ActionLog]
    }
  }
}

activedir_passwords_csv_url

Description

List of Active Directory passwords found during an AD Password Audit. Returns a presigned URL to the CSV file. The presigned URL expires after a short time. The CSV format is documented under ActiveDirPasswordCSV.

Response

Returns a String

Arguments
Name Description
input - OpInput!

Example

Query
query activedir_passwords_csv_url($input: OpInput!) {
  activedir_passwords_csv_url(input: $input)
}
Variables
{"input": OpInput}
Response
{
  "data": {
    "activedir_passwords_csv_url": "xyz789"
  }
}

agent

Description

Fetch the agent aka NodeZero Runner with the given uuid or name in the current user's ClientAccount

Response

Returns an Agent

Arguments
Name Description
uuid - String The uuid of the NodeZero Runner to fetch. Either uuid or name must be provided.
name - String The name of the NodeZero Runner to fetch. Either uuid or name must be provided.

Example

Query
query agent(
  $uuid: String,
  $name: String
) {
  agent(
    uuid: $uuid,
    name: $name
  ) {
    uuid
    name
    api_key_uuid
    api_key {
      ...APIKeyFragment
    }
    uname
    log_file
    last_heartbeat_at
    last_heartbeat_time_ago
    last_command {
      ...AgentCommandFragment
    }
    commands {
      ...AgentCommandFragment
    }
    created_at
    h3_cli_version
    is_kubernetes
    kubernetes_namespace
  }
}
Variables
{
  "uuid": "xyz789",
  "name": "abc123"
}
Response
{
  "data": {
    "agent": {
      "uuid": "12341234-1234-1234-1234-123412341234",
      "name": "xyz789",
      "api_key_uuid": "12341234-1234-1234-1234-123412341234",
      "api_key": APIKey,
      "uname": "xyz789",
      "log_file": "xyz789",
      "last_heartbeat_at": "2021-07-22T05:02:40.294996",
      "last_heartbeat_time_ago": "xyz789",
      "last_command": AgentCommand,
      "commands": [AgentCommand],
      "created_at": "2021-07-22T05:02:40.294996",
      "h3_cli_version": "abc123",
      "is_kubernetes": true,
      "kubernetes_namespace": "xyz789"
    }
  }
}

agents

Description

The list of h3-cli agents aka NodeZero Runners in the current user's ClientAccount

Response

Returns [Agent]

Example

Query
query agents {
  agents {
    uuid
    name
    api_key_uuid
    api_key {
      ...APIKeyFragment
    }
    uname
    log_file
    last_heartbeat_at
    last_heartbeat_time_ago
    last_command {
      ...AgentCommandFragment
    }
    commands {
      ...AgentCommandFragment
    }
    created_at
    h3_cli_version
    is_kubernetes
    kubernetes_namespace
  }
}
Response
{
  "data": {
    "agents": [
      {
        "uuid": "12341234-1234-1234-1234-123412341234",
        "name": "abc123",
        "api_key_uuid": "12341234-1234-1234-1234-123412341234",
        "api_key": APIKey,
        "uname": "xyz789",
        "log_file": "abc123",
        "last_heartbeat_at": "2021-07-22T05:02:40.294996",
        "last_heartbeat_time_ago": "xyz789",
        "last_command": AgentCommand,
        "commands": [AgentCommand],
        "created_at": "2021-07-22T05:02:40.294996",
        "h3_cli_version": "xyz789",
        "is_kubernetes": true,
        "kubernetes_namespace": "abc123"
      }
    ]
  }
}

agents_count

Description

The count of h3-cli agents aka NodeZero Runners in the current user's ClientAccount

Response

Returns an Int!

Arguments
Name Description
page_input - PageInput
include_sub_client_agents - Boolean

Example

Query
query agents_count(
  $page_input: PageInput,
  $include_sub_client_agents: Boolean
) {
  agents_count(
    page_input: $page_input,
    include_sub_client_agents: $include_sub_client_agents
  )
}
Variables
{
  "page_input": PageInput,
  "include_sub_client_agents": true
}
Response
{"data": {"agents_count": 987}}

asset_group

Description

Fetch a specific asset group from this account.

Response

Returns an AssetGroup

Arguments
Name Description
uuid - String!

Example

Query
query asset_group($uuid: String!) {
  asset_group(uuid: $uuid) {
    uuid
    name
    op_template_uuid
    op_template {
      ...OpTemplateFragment
    }
    user_account_uuid
    user_account_name
    client_account_uuid
    client_account_company_name
    last_ead_etl_completed_at
    created_at
    updated_at
    op_series_uuid
    assets_count
    authorized_assets_count
    external_domain_xops_count
    authorized_external_domain_xops_count
    in_scope_host_tab_xops_count
    authorized_host_tab_xops_count
  }
}
Variables
{"uuid": "xyz789"}
Response
{
  "data": {
    "asset_group": {
      "uuid": "12341234-1234-1234-1234-123412341234",
      "name": "xyz789",
      "op_template_uuid": "12341234-1234-1234-1234-123412341234",
      "op_template": OpTemplate,
      "user_account_uuid": "12341234-1234-1234-1234-123412341234",
      "user_account_name": "abc123",
      "client_account_uuid": "12341234-1234-1234-1234-123412341234",
      "client_account_company_name": "xyz789",
      "last_ead_etl_completed_at": "2021-07-22T05:02:40.294996",
      "created_at": "2021-07-22T05:02:40.294996",
      "updated_at": "2021-07-22T05:02:40.294996",
      "op_series_uuid": "12341234-1234-1234-1234-123412341234",
      "assets_count": 123,
      "authorized_assets_count": 987,
      "external_domain_xops_count": 987,
      "authorized_external_domain_xops_count": 123,
      "in_scope_host_tab_xops_count": 987,
      "authorized_host_tab_xops_count": 123
    }
  }
}

asset_groups_count

Description

The number of asset groups in this account.

Response

Returns an Int!

Arguments
Name Description
page_input - PageInput

Example

Query
query asset_groups_count($page_input: PageInput) {
  asset_groups_count(page_input: $page_input)
}
Variables
{"page_input": PageInput}
Response
{"data": {"asset_groups_count": 123}}

asset_groups_page

Description

Paginated list of asset groups in this account.

The AssetGroup.uuid field can be used to fetch more details about a specific AssetGroup using Query.asset_group.

Response

Returns an AssetGroupsPage!

Arguments
Name Description
page_input - PageInput

Example

Query
query asset_groups_page($page_input: PageInput) {
  asset_groups_page(page_input: $page_input) {
    page_info {
      ...PageInfoFragment
    }
    asset_groups {
      ...AssetGroupFragment
    }
  }
}
Variables
{"page_input": PageInput}
Response
{
  "data": {
    "asset_groups_page": {
      "page_info": PageInfo,
      "asset_groups": [AssetGroup]
    }
  }
}

attack_path

Description

The AttackPath with the given uuid. An AttackPath represents the steps NodeZero took to achieve an Impact.

Response

Returns an AttackPath

Arguments
Name Description
uuid - String!

Example

Query
query attack_path($uuid: String!) {
  attack_path(uuid: $uuid) {
    uuid
    impact_type
    impact_title
    impact_description
    name
    attack_path_title
    score
    severity
    context_score_description_md
    context_score_description
    attack_vector {
      ...AttackVectorFragment
    }
    op_id
    weakness_refs
    credential_refs
    host_refs
    time_to_finding_hms
    time_to_finding_s
    created_at
    target_entity_text
    target_entity_short_text
    affected_asset_text
    affected_asset_short_text
    ip
    host_name
    host_text
    affected_host {
      ...HostFragment
    }
    proofs_count
    proofs {
      ...ProofFragment
    }
  }
}
Variables
{"uuid": "xyz789"}
Response
{
  "data": {
    "attack_path": {
      "uuid": "12341234-1234-1234-1234-123412341234",
      "impact_type": "AWSUserRoleCompromise",
      "impact_title": "xyz789",
      "impact_description": "xyz789",
      "name": "xyz789",
      "attack_path_title": "abc123",
      "score": 123.45,
      "severity": "INFO",
      "context_score_description_md": "abc123",
      "context_score_description": "xyz789",
      "attack_vector": AttackVector,
      "op_id": "12341234-1234-1234-1234-123412341234",
      "weakness_refs": ["xyz789"],
      "credential_refs": ["xyz789"],
      "host_refs": ["abc123"],
      "time_to_finding_hms": "22:05:31",
      "time_to_finding_s": 987,
      "created_at": "2021-07-22T05:02:40.294996",
      "target_entity_text": "abc123",
      "target_entity_short_text": "abc123",
      "affected_asset_text": "xyz789",
      "affected_asset_short_text": "abc123",
      "ip": "123.45.67.89",
      "host_name": "xyz789",
      "host_text": "xyz789",
      "affected_host": Host,
      "proofs_count": 987,
      "proofs": [Proof]
    }
  }
}

attack_paths_count

Description

The count of AttackPaths discovered during the given op. An AttackPath represents the steps NodeZero took to achieve an Impact.

Response

Returns an Int!

Arguments
Name Description
input - OpInput!
page_input - PageInput

Example

Query
query attack_paths_count(
  $input: OpInput!,
  $page_input: PageInput
) {
  attack_paths_count(
    input: $input,
    page_input: $page_input
  )
}
Variables
{
  "input": OpInput,
  "page_input": PageInput
}
Response
{"data": {"attack_paths_count": 987}}

attack_paths_csv_url

Description

The set of AttackPaths discovered during the given op. An AttackPath represents the steps NodeZero took to achieve an Impact.

Returned as a temporary presigned URL to a CSV file.

The CSV format is documented under ImpactCSV.

Response

Returns a String

Arguments
Name Description
input - OpInput!

Example

Query
query attack_paths_csv_url($input: OpInput!) {
  attack_paths_csv_url(input: $input)
}
Variables
{"input": OpInput}
Response
{"data": {"attack_paths_csv_url": "abc123"}}

attack_paths_page

Description

The set of AttackPaths discovered during the given op. An AttackPath represents the steps NodeZero took to achieve an Impact.

The AttackPath.uuid field can be used to fetch more details about a specific AttackPath via Query.attack_path.

Response

Returns an AttackPathsPage!

Arguments
Name Description
input - OpInput!
page_input - PageInput

Example

Query
query attack_paths_page(
  $input: OpInput!,
  $page_input: PageInput
) {
  attack_paths_page(
    input: $input,
    page_input: $page_input
  ) {
    page_info {
      ...PageInfoFragment
    }
    attack_paths {
      ...AttackPathFragment
    }
  }
}
Variables
{
  "input": OpInput,
  "page_input": PageInput
}
Response
{
  "data": {
    "attack_paths_page": {
      "page_info": PageInfo,
      "attack_paths": [AttackPath]
    }
  }
}

campaign

Description

Get a campaign by UUID

Response

Returns a Campaign

Arguments
Name Description
uuid - String!

Example

Query
query campaign($uuid: String!) {
  campaign(uuid: $uuid) {
    uuid
    name
    description
    client_account_uuid
    is_deleted
    deleted_at
    row_created_at
    row_updated_at
    perspective_uuids
    perspectives_count
  }
}
Variables
{"uuid": "abc123"}
Response
{
  "data": {
    "campaign": {
      "uuid": "12341234-1234-1234-1234-123412341234",
      "name": "xyz789",
      "description": "xyz789",
      "client_account_uuid": "12341234-1234-1234-1234-123412341234",
      "is_deleted": false,
      "deleted_at": "2021-07-22T05:02:40.294996",
      "row_created_at": "2021-07-22T05:02:40.294996",
      "row_updated_at": "2021-07-22T05:02:40.294996",
      "perspective_uuids": ["abc123"],
      "perspectives_count": 987
    }
  }
}

campaign_available_perspectives_count

Description

Returns count of available perspectives that can be added to a campaign

Response

Returns an Int!

Arguments
Name Description
page_input - PageInput
campaign_uuid - String Optional campaign UUID to exclude already associated perspectives
client_account_uuid - String Optional subclient uuid (for MSSPs). Defaults to current client account.

Example

Query
query campaign_available_perspectives_count(
  $page_input: PageInput,
  $campaign_uuid: String,
  $client_account_uuid: String
) {
  campaign_available_perspectives_count(
    page_input: $page_input,
    campaign_uuid: $campaign_uuid,
    client_account_uuid: $client_account_uuid
  )
}
Variables
{
  "page_input": PageInput,
  "campaign_uuid": "xyz789",
  "client_account_uuid": "abc123"
}
Response
{"data": {"campaign_available_perspectives_count": 987}}

campaigns

Description

List campaigns for the current client account

Response

Returns [Campaign!]!

Example

Query
query campaigns {
  campaigns {
    uuid
    name
    description
    client_account_uuid
    is_deleted
    deleted_at
    row_created_at
    row_updated_at
    perspective_uuids
    perspectives_count
  }
}
Response
{
  "data": {
    "campaigns": [
      {
        "uuid": "12341234-1234-1234-1234-123412341234",
        "name": "xyz789",
        "description": "xyz789",
        "client_account_uuid": "12341234-1234-1234-1234-123412341234",
        "is_deleted": false,
        "deleted_at": "2021-07-22T05:02:40.294996",
        "row_created_at": "2021-07-22T05:02:40.294996",
        "row_updated_at": "2021-07-22T05:02:40.294996",
        "perspective_uuids": ["abc123"],
        "perspectives_count": 987
      }
    ]
  }
}

client_accounts_count

Description

Number of client accounts accessible by the current user.

Response

Returns an Int!

Arguments
Name Description
page_input - PageInput

Example

Query
query client_accounts_count($page_input: PageInput) {
  client_accounts_count(page_input: $page_input)
}
Variables
{"page_input": PageInput}
Response
{"data": {"client_accounts_count": 987}}

client_accounts_page

Description

Client accounts accessible by the current user.

Response

Returns a ClientAccountsPage!

Arguments
Name Description
page_input - PageInput
exclude_user_roles - [AuthzRole]

Example

Query
query client_accounts_page(
  $page_input: PageInput,
  $exclude_user_roles: [AuthzRole]
) {
  client_accounts_page(
    page_input: $page_input,
    exclude_user_roles: $exclude_user_roles
  ) {
    page_info {
      ...PageInfoFragment
    }
    client_accounts {
      ...ClientAccountFragment
    }
  }
}
Variables
{"page_input": PageInput, "exclude_user_roles": ["USER"]}
Response
{
  "data": {
    "client_accounts_page": {
      "page_info": PageInfo,
      "client_accounts": [ClientAccount]
    }
  }
}

credential

Description

Fetch the Credential with the given uuid.

Response

Returns a Credential

Arguments
Name Description
uuid - String!

Example

Query
query credential($uuid: String!) {
  credential(uuid: $uuid) {
    uuid
    created_at
    cred_type
    user_name
    k8s_identity_name
    cloud_role_name
    cloud_account_id
    ip
    ips
    sockets
    product
    permissions_list
    api_key_id
    api_secret_key
    api_session_token
    cleartext
    hash
    has_proof
    proofs {
      ...ProofFragment
    }
    is_validated
    hosts {
      ...HostFragment
    }
    is_injected
    is_cracked
    is_local_admin
    is_domain_admin
    is_entra_global_admin
    role_name
    context_score_description
    score
    severity
    weaknesses_count
    weaknesses_page {
      ...WeaknessesPageFragment
    }
    services_count
    data_stores_count
    op_id
    op {
      ...OpFragment
    }
    downstream_impact_types
    attack_paths_count
    attack_paths_page {
      ...AttackPathsPageFragment
    }
    time_to_finding_hms
    time_to_finding_s
    display_name
  }
}
Variables
{"uuid": "abc123"}
Response
{
  "data": {
    "credential": {
      "uuid": "12341234-1234-1234-1234-123412341234",
      "created_at": "2021-07-22T05:02:40.294996",
      "cred_type": "abc123",
      "user_name": "xyz789",
      "k8s_identity_name": "abc123",
      "cloud_role_name": "xyz789",
      "cloud_account_id": "abc123",
      "ip": "123.45.67.89",
      "ips": ["abc123"],
      "sockets": ["abc123"],
      "product": "abc123",
      "permissions_list": ["xyz789"],
      "api_key_id": "xyz789",
      "api_secret_key": "xyz789",
      "api_session_token": "abc123",
      "cleartext": "abc123",
      "hash": "abc123",
      "has_proof": false,
      "proofs": [Proof],
      "is_validated": true,
      "hosts": [Host],
      "is_injected": true,
      "is_cracked": false,
      "is_local_admin": true,
      "is_domain_admin": true,
      "is_entra_global_admin": true,
      "role_name": "abc123",
      "context_score_description": "xyz789",
      "score": 123.45,
      "severity": "INFO",
      "weaknesses_count": 987,
      "weaknesses_page": WeaknessesPage,
      "services_count": 987,
      "data_stores_count": 987,
      "op_id": "12341234-1234-1234-1234-123412341234",
      "op": Op,
      "downstream_impact_types": ["AWSUserRoleCompromise"],
      "attack_paths_count": 123,
      "attack_paths_page": AttackPathsPage,
      "time_to_finding_hms": "22:05:31",
      "time_to_finding_s": 987,
      "display_name": "abc123"
    }
  }
}

credentials_count

Description

The number of Credentials associated with the given Op. Filters out anonymous creds UNLESS they were used in an AttackPath and have a high risk score.

Response

Returns an Int!

Arguments
Name Description
input - OpInput!
page_input - PageInput

Example

Query
query credentials_count(
  $input: OpInput!,
  $page_input: PageInput
) {
  credentials_count(
    input: $input,
    page_input: $page_input
  )
}
Variables
{
  "input": OpInput,
  "page_input": PageInput
}
Response
{"data": {"credentials_count": 123}}

credentials_csv_url

Description

The list of Credentials found during the given Op. Returns a presigned URL to the CSV file. The presigned URL expires after a short time. The CSV format is documented under CredentialCSV.

Response

Returns a String

Arguments
Name Description
input - OpInput!

Example

Query
query credentials_csv_url($input: OpInput!) {
  credentials_csv_url(input: $input)
}
Variables
{"input": OpInput}
Response
{"data": {"credentials_csv_url": "abc123"}}

credentials_page

Description

The list of Credentials associated with the given Op. Filters out anonymous creds UNLESS they were used in an AttackPath and have a high risk score.

Response

Returns a CredentialsPage!

Arguments
Name Description
input - OpInput!
page_input - PageInput

Example

Query
query credentials_page(
  $input: OpInput!,
  $page_input: PageInput
) {
  credentials_page(
    input: $input,
    page_input: $page_input
  ) {
    page_info {
      ...PageInfoFragment
    }
    credentials {
      ...CredentialFragment
    }
  }
}
Variables
{
  "input": OpInput,
  "page_input": PageInput
}
Response
{
  "data": {
    "credentials_page": {
      "page_info": PageInfo,
      "credentials": [Credential]
    }
  }
}

data_store

Description

The DataStore with the given uuid.

Response

Returns a DataStore

Arguments
Name Description
uuid - String!

Example

Query
query data_store($uuid: String!) {
  data_store(uuid: $uuid) {
    uuid
    created_at
    name
    name_and_account
    title
    ip
    port
    host_name
    service_type
    account
    address
    data_resources_count
    data_resources_label
    sensitive_resources_count
    is_authenticated
    cloud_resource_arn
    cloud_service_name
    cloud_provider_name
    permissions_list
    aws_anonymous_user_permissions_list
    aws_cross_account_user_permissions_list
    op_id
    score
    severity
    base_score
    base_severity
    context_score
    context_severity
    sensitive_data_item_count
    sensitive_data_item_types_and_counts
    sensitive_data_item_titles_and_counts
    downstream_impact_types
    downstream_impact_types_and_counts
    impact_paths_count
    attack_paths_count
    weaknesses_count
  }
}
Variables
{"uuid": "xyz789"}
Response
{
  "data": {
    "data_store": {
      "uuid": "12341234-1234-1234-1234-123412341234",
      "created_at": "2021-07-22T05:02:40.294996",
      "name": "abc123",
      "name_and_account": "abc123",
      "title": "abc123",
      "ip": "123.45.67.89",
      "port": 123,
      "host_name": "xyz789",
      "service_type": "xyz789",
      "account": "xyz789",
      "address": "xyz789",
      "data_resources_count": Long,
      "data_resources_label": "abc123",
      "sensitive_resources_count": 987,
      "is_authenticated": true,
      "cloud_resource_arn": "abc123",
      "cloud_service_name": "xyz789",
      "cloud_provider_name": "xyz789",
      "permissions_list": ["xyz789"],
      "aws_anonymous_user_permissions_list": [
        "abc123"
      ],
      "aws_cross_account_user_permissions_list": [
        "xyz789"
      ],
      "op_id": "12341234-1234-1234-1234-123412341234",
      "score": 123.45,
      "severity": "INFO",
      "base_score": 987.65,
      "base_severity": "INFO",
      "context_score": 123.45,
      "context_severity": "INFO",
      "sensitive_data_item_count": 987,
      "sensitive_data_item_types_and_counts": [
        "xyz789"
      ],
      "sensitive_data_item_titles_and_counts": [
        "xyz789"
      ],
      "downstream_impact_types": ["AWSUserRoleCompromise"],
      "downstream_impact_types_and_counts": [
        "abc123"
      ],
      "impact_paths_count": 987,
      "attack_paths_count": 123,
      "weaknesses_count": 987
    }
  }
}

data_stores_count

Description

The count of DataStores observed during the given op.

Response

Returns an Int!

Arguments
Name Description
input - OpInput!
page_input - PageInput

Example

Query
query data_stores_count(
  $input: OpInput!,
  $page_input: PageInput
) {
  data_stores_count(
    input: $input,
    page_input: $page_input
  )
}
Variables
{
  "input": OpInput,
  "page_input": PageInput
}
Response
{"data": {"data_stores_count": 123}}

data_stores_csv_url

Description

The set of DataStores observed during the given op, as a set of CSV records.

Returns a temporary presigned URL to a CSV file.

The CSV format is documented under ShareCSV.

Response

Returns a String

Arguments
Name Description
input - OpInput!

Example

Query
query data_stores_csv_url($input: OpInput!) {
  data_stores_csv_url(input: $input)
}
Variables
{"input": OpInput}
Response
{"data": {"data_stores_csv_url": "abc123"}}

edr_overview_hosts_csv_presigned_url

Description

List of hosts with EDR-specific data found during a pentest. Returns a presigned URL to the CSV file. The presigned URL expires after a short time. The CSV includes security control events, agent detection data, and host classification fields.

Response

Returns a String

Arguments
Name Description
input - OpInput!
page_input - PageInput

Example

Query
query edr_overview_hosts_csv_presigned_url(
  $input: OpInput!,
  $page_input: PageInput
) {
  edr_overview_hosts_csv_presigned_url(
    input: $input,
    page_input: $page_input
  )
}
Variables
{
  "input": OpInput,
  "page_input": PageInput
}
Response
{
  "data": {
    "edr_overview_hosts_csv_presigned_url": "xyz789"
  }
}

external_domain_xop

Description

Returns the ExternalDomainXop with the given uuid.

Response

Returns an ExternalDomainXop

Arguments
Name Description
uuid - String!

Example

Query
query external_domain_xop($uuid: String!) {
  external_domain_xop(uuid: $uuid) {
    uuid
    op_series_uuid
    xop_id
    last_external_domain {
      ...ExternalDomainFragment
    }
    last_external_domains {
      ...ExternalDomainFragment
    }
    last_op_id
    current_op_id
    is_authorized
    pentestable_rules {
      ...PentestableRulesFragment
    }
    is_dynamic_ip
    excluded_domain_from_last_pentest {
      ...ExcludedDomainFragment
    }
    third_party_aliases
    third_party_certificate_subject_cns
  }
}
Variables
{"uuid": "abc123"}
Response
{
  "data": {
    "external_domain_xop": {
      "uuid": "12341234-1234-1234-1234-123412341234",
      "op_series_uuid": "12341234-1234-1234-1234-123412341234",
      "xop_id": "xyz789",
      "last_external_domain": ExternalDomain,
      "last_external_domains": [ExternalDomain],
      "last_op_id": "xyz789",
      "current_op_id": "xyz789",
      "is_authorized": true,
      "pentestable_rules": PentestableRules,
      "is_dynamic_ip": "123.45.67.89",
      "excluded_domain_from_last_pentest": ExcludedDomain,
      "third_party_aliases": ["xyz789"],
      "third_party_certificate_subject_cns": [
        "xyz789"
      ]
    }
  }
}

external_domain_xops_count

Description

Count of domains in the given AssetGroup.op_series_uuid

Response

Returns an Int!

Arguments
Name Description
op_series_uuid - String!
page_input - PageInput

Example

Query
query external_domain_xops_count(
  $op_series_uuid: String!,
  $page_input: PageInput
) {
  external_domain_xops_count(
    op_series_uuid: $op_series_uuid,
    page_input: $page_input
  )
}
Variables
{
  "op_series_uuid": "xyz789",
  "page_input": PageInput
}
Response
{"data": {"external_domain_xops_count": 987}}

graphql_def

Description

Returns the schema definition of a single schema element in the GraphQL API. The schema element is identified by the given id. The id can be one of:

  • a type name, eg. Query, Mutation, Weakness, etc.
  • a field name, eg. Query.pentests_page, Mutation.run_pentest, etc.
  • an enum name, eg. AuthzRole, PortalOpState, etc.
  • an enum value, eg. AuthzRole.ORG_ADMIN, PortalOpState.running, etc.
Response

Returns an GraphQLDef!

Arguments
Name Description
id - String!

Example

Query
query graphql_def($id: String!) {
  graphql_def(id: $id) {
    id
    description
    declaration
    name
    type
    type_name
    parent_id
    default_value
    related_type_ids
    related_types {
      ...GraphQLDefFragment
    }
    args
    fields {
      ...GraphQLDefFragment
    }
  }
}
Variables
{"id": "xyz789"}
Response
{
  "data": {
    "graphql_def": {
      "id": "abc123",
      "description": "xyz789",
      "declaration": "abc123",
      "name": "abc123",
      "type": "xyz789",
      "type_name": "abc123",
      "parent_id": "xyz789",
      "default_value": "abc123",
      "related_type_ids": ["abc123"],
      "related_types": [GraphQLDef],
      "args": [JSONObject],
      "fields": [GraphQLDef]
    }
  }
}

hello

Description

Hello world example.

Response

Returns a String!

Example

Query
query hello {
  hello
}
Response
{"data": {"hello": "abc123"}}

host

Description

The Host with the given uuid.

Response

Returns a Host

Arguments
Name Description
uuid - String!

Example

Query
query host($uuid: String!) {
  host(uuid: $uuid) {
    uuid
    created_at
    ip
    mac
    cname_chains
    host_name
    host_names
    is_in_scope
    is_domain_controller
    is_database_server
    is_load_balancer
    is_mail_server
    is_vpn
    is_waf
    os_fingerprints
    hardware_fingerprints
    device_fingerprints
    op_id
    data_stores_count
    credentials_count
    credentials_page {
      ...CredentialsPageFragment
    }
    data_resources_count
    web_resources_count
    services_count
    context_score_description
    score
    severity
    subnet
    cloud_provider
    cloud_region
    cloud_arns
    is_public
    action_logs_count
    action_logs_page {
      ...ActionLogsPageFragment
    }
    action_logs_csv_url
    downstream_impact_types
    os_names
    attack_paths_count
    attack_paths_page {
      ...AttackPathsPageFragment
    }
    display_name
    weaknesses_count
    weaknesses_page {
      ...WeaknessesPageFragment
    }
    op {
      ...OpFragment
    }
  }
}
Variables
{"uuid": "xyz789"}
Response
{
  "data": {
    "host": {
      "uuid": "12341234-1234-1234-1234-123412341234",
      "created_at": "2021-07-22T05:02:40.294996",
      "ip": "123.45.67.89",
      "mac": "abc123",
      "cname_chains": ["abc123"],
      "host_name": "abc123",
      "host_names": ["xyz789"],
      "is_in_scope": false,
      "is_domain_controller": false,
      "is_database_server": true,
      "is_load_balancer": false,
      "is_mail_server": true,
      "is_vpn": false,
      "is_waf": true,
      "os_fingerprints": ["xyz789"],
      "hardware_fingerprints": ["xyz789"],
      "device_fingerprints": ["abc123"],
      "op_id": "12341234-1234-1234-1234-123412341234",
      "data_stores_count": 987,
      "credentials_count": 987,
      "credentials_page": CredentialsPage,
      "data_resources_count": Long,
      "web_resources_count": Long,
      "services_count": 987,
      "context_score_description": "abc123",
      "score": 987.65,
      "severity": "INFO",
      "subnet": "abc123",
      "cloud_provider": "abc123",
      "cloud_region": "xyz789",
      "cloud_arns": ["abc123"],
      "is_public": false,
      "action_logs_count": 123,
      "action_logs_page": ActionLogsPage,
      "action_logs_csv_url": "https://example.com/example",
      "downstream_impact_types": ["AWSUserRoleCompromise"],
      "os_names": ["xyz789"],
      "attack_paths_count": 987,
      "attack_paths_page": AttackPathsPage,
      "display_name": "xyz789",
      "weaknesses_count": 987,
      "weaknesses_page": WeaknessesPage,
      "op": Op
    }
  }
}

host_tab_xop

Description

Returns the HostTabXop with the given uuid.

Response

Returns a HostTabXop

Arguments
Name Description
uuid - String!

Example

Query
query host_tab_xop($uuid: String!) {
  host_tab_xop(uuid: $uuid) {
    uuid
    op_series_uuid
    xop_id
    ip
    last_op_id
    current_op_id
    is_authorized
    excluded_ip_from_last_pentest {
      ...ExcludedIPFragment
    }
    pentestable_rules {
      ...PentestableRulesFragment
    }
    third_party_aliases
    third_party_certificate_subject_cns
  }
}
Variables
{"uuid": "xyz789"}
Response
{
  "data": {
    "host_tab_xop": {
      "uuid": "12341234-1234-1234-1234-123412341234",
      "op_series_uuid": "12341234-1234-1234-1234-123412341234",
      "xop_id": "abc123",
      "ip": "123.45.67.89",
      "last_op_id": "abc123",
      "current_op_id": "xyz789",
      "is_authorized": false,
      "excluded_ip_from_last_pentest": ExcludedIP,
      "pentestable_rules": PentestableRules,
      "third_party_aliases": ["xyz789"],
      "third_party_certificate_subject_cns": [
        "xyz789"
      ]
    }
  }
}

host_tab_xops_count

Description

Count of IPs in the given AssetGroup.op_series_uuid

Response

Returns an Int!

Arguments
Name Description
op_series_uuid - String!
page_input - PageInput

Example

Query
query host_tab_xops_count(
  $op_series_uuid: String!,
  $page_input: PageInput
) {
  host_tab_xops_count(
    op_series_uuid: $op_series_uuid,
    page_input: $page_input
  )
}
Variables
{
  "op_series_uuid": "xyz789",
  "page_input": PageInput
}
Response
{"data": {"host_tab_xops_count": 987}}

hosts_count

Description

The number of in-scope Hosts for during the given Op.

Response

Returns an Int!

Arguments
Name Description
input - OpInput!
page_input - PageInput

Example

Query
query hosts_count(
  $input: OpInput!,
  $page_input: PageInput
) {
  hosts_count(
    input: $input,
    page_input: $page_input
  )
}
Variables
{
  "input": OpInput,
  "page_input": PageInput
}
Response
{"data": {"hosts_count": 123}}

hosts_csv

use Query.hosts_csv_url
Description

List of hosts found during a pentest. Returned as an array of comma-separated values, with each element in the array representing a row. Each element in array represents a single host, with the first element containing the column names.

Response

Returns [HostCSV]

Arguments
Name Description
input - OpInput! Pentest to get hosts data for.

Example

Query
query hosts_csv($input: OpInput!) {
  hosts_csv(input: $input)
}
Variables
{"input": OpInput}
Response
{"data": {"hosts_csv": [HostCSV]}}

hosts_csv_url

Description

List of hosts found during a pentest. Returns a presigned URL to the CSV file. The presigned URL expires after a short time. The CSV format is documented under HostCSV.

Response

Returns a String

Arguments
Name Description
input - OpInput!

Example

Query
query hosts_csv_url($input: OpInput!) {
  hosts_csv_url(input: $input)
}
Variables
{"input": OpInput}
Response
{"data": {"hosts_csv_url": "xyz789"}}

hosts_page

Description

The list of in-scope Hosts found during the given Op.

Response

Returns a HostsPage!

Arguments
Name Description
input - OpInput!
page_input - PageInput

Example

Query
query hosts_page(
  $input: OpInput!,
  $page_input: PageInput
) {
  hosts_page(
    input: $input,
    page_input: $page_input
  ) {
    page_info {
      ...PageInfoFragment
    }
    hosts {
      ...HostFragment
    }
  }
}
Variables
{
  "input": OpInput,
  "page_input": PageInput
}
Response
{
  "data": {
    "hosts_page": {
      "page_info": PageInfo,
      "hosts": [Host]
    }
  }
}

notifications_count

Description

Returns the number of Notifications for users with access to the Rapid Response and/or Tripwires products.

Response

Returns an Int!

Arguments
Name Description
unread - Boolean
page_input - PageInput

Example

Query
query notifications_count(
  $unread: Boolean,
  $page_input: PageInput
) {
  notifications_count(
    unread: $unread,
    page_input: $page_input
  )
}
Variables
{"unread": false, "page_input": PageInput}
Response
{"data": {"notifications_count": 987}}

op

Description

Get pentest data.

Response

Returns an Op

Arguments
Name Description
op_id - String! ID of pentest.

Example

Query
query op($op_id: String!) {
  op(op_id: $op_id) {
    op_id
    op_type
    op_state
    portal_op_state
    op_name
    op_param_min_scope
    op_param_max_scope
    op_param_blacklist
    scheduled_timestamp
    scheduled_timestamp_iso
    scheduled_at
    scheduled_at_date
    created_at
    completed_timestamp_iso
    completed_at
    canceled_at
    launched_timestamp_iso
    launched_at
    etl_completed_at
    duration_s
    confirmed_credentials_count
    weaknesses_count
    weaknesses_page {
      ...WeaknessesPageFragment
    }
    in_scope_hosts_count
    feature_flags {
      ...FeatureFlagFragment
    }
    nodezero_script_url
    duration_hms
    duration_humanize
    op_template_uuid
    op_template_name
    impact_paths_count
    attack_paths_count
    attack_paths_page {
      ...AttackPathsPageFragment
    }
    phished_impact_paths_count
    phished_attack_paths_count
    runner_uuid
    runner_name
    schedule_uuid
    schedule_name
    schedule {
      ...ScheduleFragment
    }
    schedule_op_form {
      ...ScheduleOpFormFragment
    }
    asset_group_uuid
    asset_group {
      ...AssetGroupFragment
    }
  }
}
Variables
{"op_id": "abc123"}
Response
{
  "data": {
    "op": {
      "op_id": "12341234-1234-1234-1234-123412341234",
      "op_type": "NodeZero",
      "op_state": "running",
      "portal_op_state": "done",
      "op_name": "your op name",
      "op_param_min_scope": ["123.45.67.89, 12.3.4.56"],
      "op_param_max_scope": ["123.45.67.89, 12.3.4.56"],
      "op_param_blacklist": "123.45.67.89, 12.3.4.56",
      "scheduled_timestamp": "1600793100.0",
      "scheduled_timestamp_iso": "2021-07-22T05:02:40.294996",
      "scheduled_at": "2021-07-22T05:02:40.294996",
      "scheduled_at_date": "2025-04-03T15:50:42.673Z",
      "created_at": "2021-07-22T05:02:40.294996",
      "completed_timestamp_iso": "2021-07-22T05:02:40.294996",
      "completed_at": "2021-07-22T05:02:40.294996",
      "canceled_at": "2021-07-22T05:02:40.294996",
      "launched_timestamp_iso": "2021-07-22T05:02:40.294996",
      "launched_at": "2021-07-22T05:02:40.294996",
      "etl_completed_at": "2021-07-22T05:02:40.294996",
      "duration_s": 987,
      "confirmed_credentials_count": 987,
      "weaknesses_count": 987,
      "weaknesses_page": WeaknessesPage,
      "in_scope_hosts_count": 123,
      "feature_flags": [FeatureFlag],
      "nodezero_script_url": "https://example.com/example",
      "duration_hms": "22:05:21",
      "duration_humanize": "2 hours, 23 minutes",
      "op_template_uuid": "12341234-1234-1234-1234-123412341234",
      "op_template_name": "xyz789",
      "impact_paths_count": 123,
      "attack_paths_count": 987,
      "attack_paths_page": AttackPathsPage,
      "phished_impact_paths_count": 123,
      "phished_attack_paths_count": 123,
      "runner_uuid": "12341234-1234-1234-1234-123412341234",
      "runner_name": "abc123",
      "schedule_uuid": "12341234-1234-1234-1234-123412341234",
      "schedule_name": "abc123",
      "schedule": Schedule,
      "schedule_op_form": ScheduleOpForm,
      "asset_group_uuid": "12341234-1234-1234-1234-123412341234",
      "asset_group": AssetGroup
    }
  }
}

op_tabs_page

Description

Get a list of pentests for client accounts accessible by the current user.

Response

Returns an OpTabsPage!

Arguments
Name Description
page_input - PageInput Pagination of pentests.
exclude_sample_ops - Boolean Exclude sample pentests from the result.

Example

Query
query op_tabs_page(
  $page_input: PageInput,
  $exclude_sample_ops: Boolean
) {
  op_tabs_page(
    page_input: $page_input,
    exclude_sample_ops: $exclude_sample_ops
  ) {
    page_info {
      ...PageInfoFragment
    }
    op_tabs {
      ...OpTabFragment
    }
  }
}
Variables
{"page_input": PageInput, "exclude_sample_ops": false}
Response
{
  "data": {
    "op_tabs_page": {
      "page_info": PageInfo,
      "op_tabs": [OpTab]
    }
  }
}

op_template

Description

Fetch the op template for the given op_template_uuid or op_template_name.

Response

Returns an OpTemplate

Arguments
Name Description
op_template_uuid - String The uuid of the op template to fetch. Either op_template_uuid or op_template_name must be provided.
op_template_name - String The name of the op template to fetch. Either op_template_uuid or op_template_name must be provided.

Example

Query
query op_template(
  $op_template_uuid: String,
  $op_template_name: String
) {
  op_template(
    op_template_uuid: $op_template_uuid,
    op_template_name: $op_template_name
  ) {
    uuid
    user_account_uuid
    client_account_uuid
    client_account {
      ...ClientAccountFragment
    }
    op_template_name
    name
    op_type
    schedule_op_form {
      ...ScheduleOpFormFragment
    }
    schedules {
      ...ScheduleFragment
    }
    row_created_at
    row_updated_at
  }
}
Variables
{
  "op_template_uuid": "abc123",
  "op_template_name": "xyz789"
}
Response
{
  "data": {
    "op_template": {
      "uuid": "12341234-1234-1234-1234-123412341234",
      "user_account_uuid": "12341234-1234-1234-1234-123412341234",
      "client_account_uuid": "12341234-1234-1234-1234-123412341234",
      "client_account": ClientAccount,
      "op_template_name": "abc123",
      "name": "xyz789",
      "op_type": "NodeZero",
      "schedule_op_form": ScheduleOpForm,
      "schedules": [Schedule],
      "row_created_at": "2021-07-22T05:02:40.294996",
      "row_updated_at": "2021-07-22T05:02:40.294996"
    }
  }
}

op_templates

Description

List of op templates, of a specified op type, for the current client account. Includes default templates provided by Horizon3.ai.

Response

Returns [OpTemplate]

Arguments
Name Description
op_type - String Optional. Must be either "NodeZero" (for internal pentests) or "ExternalAttack" (for external pentests). Defaults to "NodeZero".

Example

Query
query op_templates($op_type: String) {
  op_templates(op_type: $op_type) {
    uuid
    user_account_uuid
    client_account_uuid
    client_account {
      ...ClientAccountFragment
    }
    op_template_name
    name
    op_type
    schedule_op_form {
      ...ScheduleOpFormFragment
    }
    schedules {
      ...ScheduleFragment
    }
    row_created_at
    row_updated_at
  }
}
Variables
{"op_type": "abc123"}
Response
{
  "data": {
    "op_templates": [
      {
        "uuid": "12341234-1234-1234-1234-123412341234",
        "user_account_uuid": "12341234-1234-1234-1234-123412341234",
        "client_account_uuid": "12341234-1234-1234-1234-123412341234",
        "client_account": ClientAccount,
        "op_template_name": "xyz789",
        "name": "abc123",
        "op_type": "NodeZero",
        "schedule_op_form": ScheduleOpForm,
        "schedules": [Schedule],
        "row_created_at": "2021-07-22T05:02:40.294996",
        "row_updated_at": "2021-07-22T05:02:40.294996"
      }
    ]
  }
}

op_templates_count

Description

Count of op templates for the current client account. Does not include default templates provided by Horizon3.ai.

Response

Returns an Int!

Arguments
Name Description
page_input - PageInput

Example

Query
query op_templates_count($page_input: PageInput) {
  op_templates_count(page_input: $page_input)
}
Variables
{"page_input": PageInput}
Response
{"data": {"op_templates_count": 987}}

op_templates_page

Description

List of op templates for the current client account. Does not include default templates provided by Horizon3.ai.

The OpTemplate.uuid or OpTemplate.op_template_name fields can be used to fetch more details about a specific OpTemplate via Query.op_template.

Response

Returns an OpTemplatesPage!

Arguments
Name Description
page_input - PageInput

Example

Query
query op_templates_page($page_input: PageInput) {
  op_templates_page(page_input: $page_input) {
    page_info {
      ...PageInfoFragment
    }
    op_templates {
      ...OpTemplateFragment
    }
  }
}
Variables
{"page_input": PageInput}
Response
{
  "data": {
    "op_templates_page": {
      "page_info": PageInfo,
      "op_templates": [OpTemplate]
    }
  }
}

operators_count

Description

The count of NodeZero Operators in the current user's ClientAccount

Response

Returns an Int!

Arguments
Name Description
page_input - PageInput
include_sub_client_operators - Boolean

Example

Query
query operators_count(
  $page_input: PageInput,
  $include_sub_client_operators: Boolean
) {
  operators_count(
    page_input: $page_input,
    include_sub_client_operators: $include_sub_client_operators
  )
}
Variables
{
  "page_input": PageInput,
  "include_sub_client_operators": true
}
Response
{"data": {"operators_count": 987}}

ops_count

Description

Get the number of ops run by the client. Includes all op types, including non-pentest types like ExternalAssetDiscovery. Includes archived ops.

Response

Returns an Int!

Arguments
Name Description
client_account_uuid - String Optional subclient uuid (for MSSPs). Defaults to current client account.
page_input - PageInput

Example

Query
query ops_count(
  $client_account_uuid: String,
  $page_input: PageInput
) {
  ops_count(
    client_account_uuid: $client_account_uuid,
    page_input: $page_input
  )
}
Variables
{
  "client_account_uuid": "abc123",
  "page_input": PageInput
}
Response
{"data": {"ops_count": 123}}

ops_page

Description

Get a list of ops for the current client account. Includes all op types.

Response

Returns an OpsPage!

Arguments
Name Description
page_input - PageInput

Example

Query
query ops_page($page_input: PageInput) {
  ops_page(page_input: $page_input) {
    ops {
      ...OpFragment
    }
  }
}
Variables
{"page_input": PageInput}
Response
{"data": {"ops_page": {"ops": [Op]}}}

pentest

Description

Get pentest data.

Response

Returns a Pentest

Arguments
Name Description
op_id - String! ID of pentest.

Example

Query
query pentest($op_id: String!) {
  pentest(op_id: $op_id) {
    op_id
    op_type
    name
    state
    user_name
    client_name
    min_scope
    max_scope
    exclude_scope
    git_accounts {
      ...GitAccountFragment
    }
    aws_account_ids
    feature_flags {
      ...FeatureFlagFragment
    }
    scheduled_at
    launched_at
    completed_at
    canceled_at
    etl_completed_at
    duration_s
    impacts_count
    impact_paths_count
    attack_paths_count
    attack_paths_page {
      ...AttackPathsPageFragment
    }
    phished_impact_paths_count
    phished_attack_paths_count
    weakness_types_count
    weaknesses_count
    weaknesses_page {
      ...WeaknessesPageFragment
    }
    hosts_count
    out_of_scope_hosts_count
    external_domains_count
    services_count
    credentials_count
    users_count
    cred_access_count
    data_stores_count
    websites_count
    data_resources_count
    nodezero_script_url
    nodezero_ip
    schedule {
      ...ScheduleFragment
    }
  }
}
Variables
{"op_id": "abc123"}
Response
{
  "data": {
    "pentest": {
      "op_id": "12341234-1234-1234-1234-123412341234",
      "op_type": "NodeZero",
      "name": "xyz789",
      "state": "done",
      "user_name": "xyz789",
      "client_name": "xyz789",
      "min_scope": ["xyz789"],
      "max_scope": ["xyz789"],
      "exclude_scope": ["xyz789"],
      "git_accounts": [GitAccount],
      "aws_account_ids": [AWSAccountId],
      "feature_flags": [FeatureFlag],
      "scheduled_at": "2021-07-22T05:02:40.294996",
      "launched_at": "2021-07-22T05:02:40.294996",
      "completed_at": "2021-07-22T05:02:40.294996",
      "canceled_at": "2021-07-22T05:02:40.294996",
      "etl_completed_at": "2021-07-22T05:02:40.294996",
      "duration_s": 987,
      "impacts_count": 987,
      "impact_paths_count": 987,
      "attack_paths_count": 123,
      "attack_paths_page": AttackPathsPage,
      "phished_impact_paths_count": 987,
      "phished_attack_paths_count": 987,
      "weakness_types_count": 123,
      "weaknesses_count": 987,
      "weaknesses_page": WeaknessesPage,
      "hosts_count": 987,
      "out_of_scope_hosts_count": 987,
      "external_domains_count": 123,
      "services_count": 123,
      "credentials_count": 123,
      "users_count": 987,
      "cred_access_count": 987,
      "data_stores_count": 123,
      "websites_count": 123,
      "data_resources_count": Long,
      "nodezero_script_url": "https://example.com/example",
      "nodezero_ip": "123.45.67.89",
      "schedule": Schedule
    }
  }
}

pentest_reports_zip_url

Description

Returns a URL to a zip file containing all CSVs and PDFs for the given op_id.

The CSVs along with their schema types are listed below:

Note: for pentests prior to Sep 2022, the zip file is generated "lazily"; ie. on demand, when the user first request it. The first request will receive a response saying the zip file is being generated. An email will be sent to the requesting user with a link to the zip file when it is ready. Subsequent requests will download the already-built zip file.

Response

Returns a String

Arguments
Name Description
input - OpInput!

Example

Query
query pentest_reports_zip_url($input: OpInput!) {
  pentest_reports_zip_url(input: $input)
}
Variables
{"input": OpInput}
Response
{
  "data": {
    "pentest_reports_zip_url": "xyz789"
  }
}

pentests_count

Description

Counts the number of pentests in the current client account, after applying any filters in page_input. By default archived pentests are excluded.

Response

Returns an Int!

Arguments
Name Description
page_input - PageInput Pagination of pentests.

Example

Query
query pentests_count($page_input: PageInput) {
  pentests_count(page_input: $page_input)
}
Variables
{"page_input": PageInput}
Response
{"data": {"pentests_count": 123}}

pentests_page

Description

Paginated list of pentests in the current client account. By default archived pentests are excluded.

The Pentest.op_id field can be used to fetch more details about a specific pentest using Query.pentest.

Response

Returns a PentestsPage!

Arguments
Name Description
page_input - PageInput Pagination of pentests.

Example

Query
query pentests_page($page_input: PageInput) {
  pentests_page(page_input: $page_input) {
    page_info {
      ...PageInfoFragment
    }
    pentests {
      ...PentestFragment
    }
  }
}
Variables
{"page_input": PageInput}
Response
{
  "data": {
    "pentests_page": {
      "page_info": PageInfo,
      "pentests": [Pentest]
    }
  }
}

perspectives_count

Description

Returns the number of perspectives in the client's account

Response

Returns an Int!

Arguments
Name Description
page_input - PageInput
client_account_uuid - String Optional subclient uuid (for MSSPs). Defaults to current client account.

Example

Query
query perspectives_count(
  $page_input: PageInput,
  $client_account_uuid: String
) {
  perspectives_count(
    page_input: $page_input,
    client_account_uuid: $client_account_uuid
  )
}
Variables
{
  "page_input": PageInput,
  "client_account_uuid": "xyz789"
}
Response
{"data": {"perspectives_count": 123}}

sample_op_tabs

Description

Get a list of sample pentests for the current client account.

Response

Returns [OpTab!]

Example

Query
query sample_op_tabs {
  sample_op_tabs {
    uuid
    op_id
    op_state
    portal_op_state
    op_name
    scheduled_timestamp
    scheduled_at
    scheduled_at_date
    scheduled_timestamp_iso
    create_timestamp
    create_timestamp_iso
    launched_timestamp
    launched_timestamp_iso
    launched_at
    completed_at
    completed_timestamp
    completed_timestamp_iso
    canceled_at
    canceled_timestamp
    canceled_timestamp_iso
    duration_hms
    duration_humanize
    op_type
    weakness_types_count
    weaknesses_count
    host_tabs_count
    domain_controllers_count
    credentials_count
    proven_credentials_count
    confirmed_credentials_count
    unproven_credentials_count
    activedir_passwords_count
    enabled_activedir_passwords_count
    disabled_activedir_passwords_count
    feature_flags {
      ...FeatureFlagFragment
    }
    impacts_headline_count
    impact_paths_count
    attack_paths_count
    phished_impact_paths_count
    phished_attack_paths_count
    nodezero_script_url
    nodezero_ip
    etl_completed_at
    start_paused
    minimum_run_time
    maximum_run_time
    paused_at
    paused_by_user_account_uuid
    paused_by_user_account {
      ...UserAccountFragment
    }
    op_template_uuid
    op_template_name
    excluded_ips {
      ...ExcludedIPFragment
    }
    excluded_domains {
      ...ExcludedDomainFragment
    }
    runner_uuid
    runner_name
    schedule_uuid
    schedule_name
    schedule {
      ...ScheduleFragment
    }
    auto_injected_credential_uuids
    tripwires_count
  }
}
Response
{
  "data": {
    "sample_op_tabs": [
      {
        "uuid": "12341234-1234-1234-1234-123412341234",
        "op_id": "12341234-1234-1234-1234-123412341234",
        "op_state": "running",
        "portal_op_state": "done",
        "op_name": "your op name",
        "scheduled_timestamp": "1600793100.0",
        "scheduled_at": "2021-07-22T05:02:40.294996",
        "scheduled_at_date": "2025-04-03T15:50:42.673Z",
        "scheduled_timestamp_iso": "2021-07-22T05:02:40.294996",
        "create_timestamp": "1600793100.0",
        "create_timestamp_iso": "2021-07-22T05:02:40.294996",
        "launched_timestamp": "1600793100.0",
        "launched_timestamp_iso": "2021-07-22T05:02:40.294996",
        "launched_at": "2021-07-22T05:02:40.294996",
        "completed_at": "2021-07-22T05:02:40.294996",
        "completed_timestamp": "1600793100.0",
        "completed_timestamp_iso": "2021-07-22T05:02:40.294996",
        "canceled_at": "2021-07-22T05:02:40.294996",
        "canceled_timestamp": "1600793100.0",
        "canceled_timestamp_iso": "2021-07-22T05:02:40.294996",
        "duration_hms": "22:35:09",
        "duration_humanize": "2 hours, 23 minutes",
        "op_type": "NodeZero",
        "weakness_types_count": 123,
        "weaknesses_count": 987,
        "host_tabs_count": 987,
        "domain_controllers_count": 987,
        "credentials_count": 987,
        "proven_credentials_count": 987,
        "confirmed_credentials_count": 123,
        "unproven_credentials_count": 987,
        "activedir_passwords_count": 987,
        "enabled_activedir_passwords_count": 987,
        "disabled_activedir_passwords_count": 123,
        "feature_flags": [FeatureFlag],
        "impacts_headline_count": 123,
        "impact_paths_count": 123,
        "attack_paths_count": 987,
        "phished_impact_paths_count": 987,
        "phished_attack_paths_count": 987,
        "nodezero_script_url": "https://example.com/example",
        "nodezero_ip": "123.45.67.89",
        "etl_completed_at": "2021-07-22T05:02:40.294996",
        "start_paused": false,
        "minimum_run_time": 123,
        "maximum_run_time": 123,
        "paused_at": "2021-07-22T05:02:40.294996",
        "paused_by_user_account_uuid": "12341234-1234-1234-1234-123412341234",
        "paused_by_user_account": UserAccount,
        "op_template_uuid": "12341234-1234-1234-1234-123412341234",
        "op_template_name": "xyz789",
        "excluded_ips": [ExcludedIP],
        "excluded_domains": [ExcludedDomain],
        "runner_uuid": "12341234-1234-1234-1234-123412341234",
        "runner_name": "abc123",
        "schedule_uuid": "12341234-1234-1234-1234-123412341234",
        "schedule_name": "abc123",
        "schedule": Schedule,
        "auto_injected_credential_uuids": [
          "xyz789"
        ],
        "tripwires_count": 123
      }
    ]
  }
}

schedule

Description

Get the Schedule with the given uuid or name.

Response

Returns a Schedule

Arguments
Name Description
uuid - String The uuid of the Schedule to fetch.
name - String The name of the Schedule to fetch.

Example

Query
query schedule(
  $uuid: String,
  $name: String
) {
  schedule(
    uuid: $uuid,
    name: $name
  ) {
    uuid
    name
    actions {
      ...ScheduledActionFragment
    }
    created_at
    last_updated_at
    is_disabled
    state
    ops_count
    ops_page {
      ...OpsPageFragment
    }
    run_pentest_action {
      ...ScheduledActionFragment
    }
    last_op {
      ...OpFragment
    }
    total_triggers
  }
}
Variables
{
  "uuid": "abc123",
  "name": "abc123"
}
Response
{
  "data": {
    "schedule": {
      "uuid": "12341234-1234-1234-1234-123412341234",
      "name": "abc123",
      "actions": [ScheduledAction],
      "created_at": "2021-07-22T05:02:40.294996",
      "last_updated_at": "2021-07-22T05:02:40.294996",
      "is_disabled": false,
      "state": "abc123",
      "ops_count": 987,
      "ops_page": OpsPage,
      "run_pentest_action": ScheduledAction,
      "last_op": Op,
      "total_triggers": 987
    }
  }
}

schedules_count

Description

Count of Schedules in the current account.

Response

Returns an Int!

Arguments
Name Description
page_input - PageInput

Example

Query
query schedules_count($page_input: PageInput) {
  schedules_count(page_input: $page_input)
}
Variables
{"page_input": PageInput}
Response
{"data": {"schedules_count": 987}}

schedules_page

Description

List of Schedules and ScheduledActions in the current account.

The Schedule.uuid field can be used to fetch more details about a specific Schedule via Query.schedule.

Response

Returns a SchedulesPage!

Arguments
Name Description
page_input - PageInput

Example

Query
query schedules_page($page_input: PageInput) {
  schedules_page(page_input: $page_input) {
    page_info {
      ...PageInfoFragment
    }
    schedules {
      ...ScheduleFragment
    }
  }
}
Variables
{"page_input": PageInput}
Response
{
  "data": {
    "schedules_page": {
      "page_info": PageInfo,
      "schedules": [Schedule]
    }
  }
}

session_user_account

Description

Current user account.

Response

Returns a UserAccount

Example

Query
query session_user_account {
  session_user_account {
    uuid
    email
    name
    user_role_id
    sign_in_type
    last_signed_in_at
    has_unread_notifications_by_type
    has_tripwires_access
    has_rapid_response_access
  }
}
Response
{
  "data": {
    "session_user_account": {
      "uuid": "12341234-1234-1234-1234-123412341234",
      "email": "john.smith@example.com",
      "name": "John Smith",
      "user_role_id": "USER",
      "sign_in_type": "BASIC",
      "last_signed_in_at": "2021-07-22T05:02:40.294996",
      "has_unread_notifications_by_type": ["EvidenceOfWeakness"],
      "has_tripwires_access": true,
      "has_rapid_response_access": true
    }
  }
}

tickets_csv

Description

List of tickets found across all pentests for the current client account. Returns the ticket data as an array of CSV records.

The CSV format is documented under TicketCSV.

Response

Returns [TicketCSV]

Arguments
Name Description
page_input - PageInput

Example

Query
query tickets_csv($page_input: PageInput) {
  tickets_csv(page_input: $page_input)
}
Variables
{"page_input": PageInput}
Response
{"data": {"tickets_csv": [TicketCSV]}}

tickets_csv_presigned_url

Description

List of tickets found across all pentests for the current client account. Returns a presigned URL to the CSV file. The presigned URL expires after a short time.

The CSV format is documented under TicketCSV.

Response

Returns a String

Arguments
Name Description
page_input - PageInput

Example

Query
query tickets_csv_presigned_url($page_input: PageInput) {
  tickets_csv_presigned_url(page_input: $page_input)
}
Variables
{"page_input": PageInput}
Response
{
  "data": {
    "tickets_csv_presigned_url": "abc123"
  }
}

tripwire_jobs_count

Description

Returns the number of tripwire jobs (i.e. TripwireInternal ops) for the current client account.

Response

Returns an Int!

Arguments
Name Description
page_input - PageInput

Example

Query
query tripwire_jobs_count($page_input: PageInput) {
  tripwire_jobs_count(page_input: $page_input)
}
Variables
{"page_input": PageInput}
Response
{"data": {"tripwire_jobs_count": 123}}

tripwire_jobs_page

Description

Retrieves a paginated list of tripwire jobs (i.e. TripwireInternal ops) for the current client account.

Response

Returns an OpTabsPage!

Arguments
Name Description
page_input - PageInput

Example

Query
query tripwire_jobs_page($page_input: PageInput) {
  tripwire_jobs_page(page_input: $page_input) {
    page_info {
      ...PageInfoFragment
    }
    op_tabs {
      ...OpTabFragment
    }
  }
}
Variables
{"page_input": PageInput}
Response
{
  "data": {
    "tripwire_jobs_page": {
      "page_info": PageInfo,
      "op_tabs": [OpTab]
    }
  }
}

tripwires_count

Description

Returns a total count of Tripwires for the current client account that may be accessed via the tripwire_page query

Response

Returns an Int!

Arguments
Name Description
page_input - PageInput

Example

Query
query tripwires_count($page_input: PageInput) {
  tripwires_count(page_input: $page_input)
}
Variables
{"page_input": PageInput}
Response
{"data": {"tripwires_count": 123}}

weakness

Description

The Weakness with the given uuid.

Response

Returns a Weakness

Arguments
Name Description
uuid - String!

Example

Query
query weakness($uuid: String!) {
  weakness(uuid: $uuid) {
    uuid
    created_at
    vuln_id
    vuln {
      ...VulnFragment
    }
    vuln_aliases
    vuln_category
    vuln_name
    vuln_short_name
    vuln_cisa_kev
    vuln_known_ransomware_campaign_use
    op_id
    ip
    has_proof
    proof_failure_code
    proof_failure_reason
    score
    severity
    base_score
    base_severity
    context_score
    context_severity
    context_score_description_md
    context_score_description
    time_to_finding_hms
    time_to_finding_s
    affected_asset_display_name
    affected_asset_short_name
    downstream_impact_types
    attack_paths_count
    attack_paths_page {
      ...AttackPathsPageFragment
    }
    proofs {
      ...ProofFragment
    }
    affected_host {
      ...HostFragment
    }
    diff_status
    mitre_mappings {
      ...MitreMappingFragment
    }
    affected_credentials_count
    affected_credentials_page {
      ...CredentialsPageFragment
    }
    affected_service {
      ...ServiceFragment
    }
    affected_application {
      ...ApplicationFragment
    }
    affected_cloud_resource {
      ...CloudResourceFragment
    }
    affected_cloud_role {
      ...CloudRoleFragment
    }
    affected_external_domain {
      ...ExternalDomainFragment
    }
    affected_interesting_resource {
      ...InterestingResourceFragment
    }
    affected_ldap_domain {
      ...LDAPDomainFragment
    }
    affected_data_store {
      ...DataStoreFragment
    }
  }
}
Variables
{"uuid": "abc123"}
Response
{
  "data": {
    "weakness": {
      "uuid": "12341234-1234-1234-1234-123412341234",
      "created_at": "2021-07-22T05:02:40.294996",
      "vuln_id": "xyz789",
      "vuln": Vuln,
      "vuln_aliases": ["xyz789"],
      "vuln_category": "SECURITY_MISCONFIGURATION",
      "vuln_name": "abc123",
      "vuln_short_name": "xyz789",
      "vuln_cisa_kev": true,
      "vuln_known_ransomware_campaign_use": false,
      "op_id": "12341234-1234-1234-1234-123412341234",
      "ip": "123.45.67.89",
      "has_proof": true,
      "proof_failure_code": "abc123",
      "proof_failure_reason": "xyz789",
      "score": 987.65,
      "severity": "INFO",
      "base_score": 987.65,
      "base_severity": "INFO",
      "context_score": 123.45,
      "context_severity": "INFO",
      "context_score_description_md": "abc123",
      "context_score_description": "xyz789",
      "time_to_finding_hms": "22:05:31",
      "time_to_finding_s": 123,
      "affected_asset_display_name": "xyz789",
      "affected_asset_short_name": "xyz789",
      "downstream_impact_types": ["AWSUserRoleCompromise"],
      "attack_paths_count": 987,
      "attack_paths_page": AttackPathsPage,
      "proofs": [Proof],
      "affected_host": Host,
      "diff_status": "ADDED",
      "mitre_mappings": [MitreMapping],
      "affected_credentials_count": 123,
      "affected_credentials_page": CredentialsPage,
      "affected_service": Service,
      "affected_application": Application,
      "affected_cloud_resource": CloudResource,
      "affected_cloud_role": CloudRole,
      "affected_external_domain": ExternalDomain,
      "affected_interesting_resource": InterestingResource,
      "affected_ldap_domain": LDAPDomain,
      "affected_data_store": DataStore
    }
  }
}

weaknesses_count

Description

The count of Weaknesses observed during the given op.

A Weakness record represents an observed vulnerability on an affected asset; ie. there is one Weakness record per unique vuln_id + affected asset combination.

Response

Returns an Int!

Arguments
Name Description
input - OpInput!
page_input - PageInput

Example

Query
query weaknesses_count(
  $input: OpInput!,
  $page_input: PageInput
) {
  weaknesses_count(
    input: $input,
    page_input: $page_input
  )
}
Variables
{
  "input": OpInput,
  "page_input": PageInput
}
Response
{"data": {"weaknesses_count": 987}}

weaknesses_csv

Use Query.weaknesses_csv_url
Description

The set of Weaknesses observed during the given op, as a set of CSV records.

A Weakness record represents an observed vulnerability on an affected asset; ie. there is one Weakness record per unique vuln_id + affected asset combination.

Returned as an array of strings, with each string being a single record of comma-separated values. Eah string is equivalent to a line in a CSV file.

The CSV format is documented under WeaknessCSV.

The first string contains the header line, with the list of column names.

DEPRECATED: this API will eventually be removed, in favor of Query.weaknesses_csv_url.

Response

Returns [WeaknessCSV]

Arguments
Name Description
input - OpInput! Pentest to get weakness data for.

Example

Query
query weaknesses_csv($input: OpInput!) {
  weaknesses_csv(input: $input)
}
Variables
{"input": OpInput}
Response
{"data": {"weaknesses_csv": [WeaknessCSV]}}

weaknesses_csv_url

Description

The set of Weaknesses observed during the given op, as a set of CSV records.

A Weakness record represents an observed vulnerability on an affected asset; ie. there is one Weakness record per unique vuln_id + affected asset combination.

Returned as a temporary presigned URL to a CSV file.

The CSV format is documented under WeaknessCSV.

Response

Returns a String

Arguments
Name Description
input - OpInput!

Example

Query
query weaknesses_csv_url($input: OpInput!) {
  weaknesses_csv_url(input: $input)
}
Variables
{"input": OpInput}
Response
{"data": {"weaknesses_csv_url": "xyz789"}}

weaknesses_diff_csv_url

Description

Returns a temporary, presigned URL to a CSV for a diff of weaknesses between two pentests. See Query.weaknesses_diff_page for more info.

Response

Returns a String

Arguments
Name Description
op_diff_input - OpDiffInput!

Example

Query
query weaknesses_diff_csv_url($op_diff_input: OpDiffInput!) {
  weaknesses_diff_csv_url(op_diff_input: $op_diff_input)
}
Variables
{"op_diff_input": OpDiffInput}
Response
{
  "data": {
    "weaknesses_diff_csv_url": "xyz789"
  }
}

weaknesses_diff_page

Description

Returns a "diff" of weaknesses between two pentests.

The diff contains only those weaknesses that are different between the two pentests. A weakness is "different" if it is present in one pentest but not the other.

The field Weakness.diff_status will be set to either ADDED or REMOVED in each record.

If a weakness was present in the first op (op_diff_input.op_id_1), but not the second op (op_diff_input.op_id_2), its diff_status will be set to REMOVED.

If a weakness was present in the second op, but not the first op, its diff_status will be set to ADDED.

Response

Returns a WeaknessesDiffPage!

Arguments
Name Description
op_diff_input - OpDiffInput!
page_input - PageInput

Example

Query
query weaknesses_diff_page(
  $op_diff_input: OpDiffInput!,
  $page_input: PageInput
) {
  weaknesses_diff_page(
    op_diff_input: $op_diff_input,
    page_input: $page_input
  ) {
    page_info {
      ...PageInfoFragment
    }
    weaknesses {
      ...WeaknessFragment
    }
  }
}
Variables
{
  "op_diff_input": OpDiffInput,
  "page_input": PageInput
}
Response
{
  "data": {
    "weaknesses_diff_page": {
      "page_info": PageInfo,
      "weaknesses": [Weakness]
    }
  }
}

weaknesses_diff_stats

Description

Returns aggregate stats related to a diff of weaknesses between two pentests. See Query.weaknesses_diff_page for more info.

Response

Returns a DiffStats!

Arguments
Name Description
op_diff_input - OpDiffInput!
page_input - PageInput

Example

Query
query weaknesses_diff_stats(
  $op_diff_input: OpDiffInput!,
  $page_input: PageInput
) {
  weaknesses_diff_stats(
    op_diff_input: $op_diff_input,
    page_input: $page_input
  ) {
    added_count
    removed_count
    unchanged_count
  }
}
Variables
{
  "op_diff_input": OpDiffInput,
  "page_input": PageInput
}
Response
{
  "data": {
    "weaknesses_diff_stats": {
      "added_count": 123,
      "removed_count": 123,
      "unchanged_count": 123
    }
  }
}

weaknesses_page

Description

The set of Weaknesses observed during the given op.

A Weakness record represents an observed vulnerability on an affected asset; ie. there is one Weakness record per unique vuln_id + affected asset combination.

The Weakness.uuid field can be used to fetch more details about a specific Weakness via Query.weakness.

Response

Returns a WeaknessesPage!

Arguments
Name Description
input - OpInput!
page_input - PageInput

Example

Query
query weaknesses_page(
  $input: OpInput!,
  $page_input: PageInput
) {
  weaknesses_page(
    input: $input,
    page_input: $page_input
  ) {
    page_info {
      ...PageInfoFragment
    }
    weaknesses {
      ...WeaknessFragment
    }
  }
}
Variables
{
  "input": OpInput,
  "page_input": PageInput
}
Response
{
  "data": {
    "weaknesses_page": {
      "page_info": PageInfo,
      "weaknesses": [Weakness]
    }
  }
}

Mutations

add_domains_to_asset_group

Description

Update an asset group with additional domains.

Response

Returns an AssetGroupOutput!

Arguments
Name Description
asset_group_uuid - String! ID of asset group to update.
domains - [StringNotEmpty]! List of domains to add to the asset group's scope.

Example

Query
mutation add_domains_to_asset_group(
  $asset_group_uuid: String!,
  $domains: [StringNotEmpty]!
) {
  add_domains_to_asset_group(
    asset_group_uuid: $asset_group_uuid,
    domains: $domains
  ) {
    asset_group {
      ...AssetGroupFragment
    }
  }
}
Variables
{
  "asset_group_uuid": "xyz789",
  "domains": [StringNotEmpty]
}
Response
{
  "data": {
    "add_domains_to_asset_group": {
      "asset_group": AssetGroup
    }
  }
}

authorize_domains

Description

Authorize the given AssetGroup domains for external pentesting.

Response

Returns a PentestableEntitiesOutput!

Arguments
Name Description
external_domain_xop_uuids - [String!]!

Example

Query
mutation authorize_domains($external_domain_xop_uuids: [String!]!) {
  authorize_domains(external_domain_xop_uuids: $external_domain_xop_uuids) {
    pentestable_entities {
      ...PentestableEntityFragment
    }
    blocked_pentestable_entities {
      ...BlockedPentestableEntityFragment
    }
  }
}
Variables
{"external_domain_xop_uuids": ["xyz789"]}
Response
{
  "data": {
    "authorize_domains": {
      "pentestable_entities": [PentestableEntity],
      "blocked_pentestable_entities": [
        BlockedPentestableEntity
      ]
    }
  }
}

authorize_ips

Description

Authorize the given AssetGroup IPs for external pentesting.

Response

Returns a PentestableEntitiesOutput!

Arguments
Name Description
host_tab_xop_uuids - [String!]!

Example

Query
mutation authorize_ips($host_tab_xop_uuids: [String!]!) {
  authorize_ips(host_tab_xop_uuids: $host_tab_xop_uuids) {
    pentestable_entities {
      ...PentestableEntityFragment
    }
    blocked_pentestable_entities {
      ...BlockedPentestableEntityFragment
    }
  }
}
Variables
{"host_tab_xop_uuids": ["abc123"]}
Response
{
  "data": {
    "authorize_ips": {
      "pentestable_entities": [PentestableEntity],
      "blocked_pentestable_entities": [
        BlockedPentestableEntity
      ]
    }
  }
}

bulk_authorize_domains

Description

Bulk authorize AssetGroup domains for external pentesting.

Response

Returns a PentestableEntitiesBulkOutput!

Arguments
Name Description
op_series_uuid - String! ID of op series.
configured_domains_only - Boolean If true, only domains configured in the AssetGroup's scope will be authorized. Default is false.
page_input - PageInput If filters are provided, only domains that match the filters will be authorized.

Example

Query
mutation bulk_authorize_domains(
  $op_series_uuid: String!,
  $configured_domains_only: Boolean,
  $page_input: PageInput
) {
  bulk_authorize_domains(
    op_series_uuid: $op_series_uuid,
    configured_domains_only: $configured_domains_only,
    page_input: $page_input
  ) {
    pentestable_entities_count
  }
}
Variables
{
  "op_series_uuid": "xyz789",
  "configured_domains_only": false,
  "page_input": PageInput
}
Response
{"data": {"bulk_authorize_domains": {"pentestable_entities_count": 987}}}

bulk_authorize_ips

Description

Bulk authorize AssetGroup IPs for external pentesting.

Response

Returns a PentestableEntitiesBulkOutput!

Arguments
Name Description
op_series_uuid - String! ID of op series.
page_input - PageInput If filters are provided, only IPs that match the filters will be authorized.

Example

Query
mutation bulk_authorize_ips(
  $op_series_uuid: String!,
  $page_input: PageInput
) {
  bulk_authorize_ips(
    op_series_uuid: $op_series_uuid,
    page_input: $page_input
  ) {
    pentestable_entities_count
  }
}
Variables
{
  "op_series_uuid": "xyz789",
  "page_input": PageInput
}
Response
{"data": {"bulk_authorize_ips": {"pentestable_entities_count": 123}}}

bulk_deauthorize_domains

Description

Bulk DE-authorize AssetGroup domains for external pentesting.

Response

Returns a PentestableEntitiesBulkOutput!

Arguments
Name Description
op_series_uuid - String! ID of op series.
page_input - PageInput If filters are provided, only domains that match the filters will be de-authorized.

Example

Query
mutation bulk_deauthorize_domains(
  $op_series_uuid: String!,
  $page_input: PageInput
) {
  bulk_deauthorize_domains(
    op_series_uuid: $op_series_uuid,
    page_input: $page_input
  ) {
    pentestable_entities_count
  }
}
Variables
{
  "op_series_uuid": "xyz789",
  "page_input": PageInput
}
Response
{"data": {"bulk_deauthorize_domains": {"pentestable_entities_count": 123}}}

bulk_deauthorize_ips

Description

Bulk DE-authorize AssetGroup IPs for external pentesting.

Response

Returns a PentestableEntitiesBulkOutput!

Arguments
Name Description
op_series_uuid - String! ID of op series.
page_input - PageInput If filters are provided, only IPs that match the filters will be de-authorized.

Example

Query
mutation bulk_deauthorize_ips(
  $op_series_uuid: String!,
  $page_input: PageInput
) {
  bulk_deauthorize_ips(
    op_series_uuid: $op_series_uuid,
    page_input: $page_input
  ) {
    pentestable_entities_count
  }
}
Variables
{
  "op_series_uuid": "abc123",
  "page_input": PageInput
}
Response
{"data": {"bulk_deauthorize_ips": {"pentestable_entities_count": 123}}}

cancel_op

Description

Cancel a pentest, if its current state allows it.

Response

Returns an OpTab!

Arguments
Name Description
op_id - String!

Example

Query
mutation cancel_op($op_id: String!) {
  cancel_op(op_id: $op_id) {
    uuid
    op_id
    op_state
    portal_op_state
    op_name
    scheduled_timestamp
    scheduled_at
    scheduled_at_date
    scheduled_timestamp_iso
    create_timestamp
    create_timestamp_iso
    launched_timestamp
    launched_timestamp_iso
    launched_at
    completed_at
    completed_timestamp
    completed_timestamp_iso
    canceled_at
    canceled_timestamp
    canceled_timestamp_iso
    duration_hms
    duration_humanize
    op_type
    weakness_types_count
    weaknesses_count
    host_tabs_count
    domain_controllers_count
    credentials_count
    proven_credentials_count
    confirmed_credentials_count
    unproven_credentials_count
    activedir_passwords_count
    enabled_activedir_passwords_count
    disabled_activedir_passwords_count
    feature_flags {
      ...FeatureFlagFragment
    }
    impacts_headline_count
    impact_paths_count
    attack_paths_count
    phished_impact_paths_count
    phished_attack_paths_count
    nodezero_script_url
    nodezero_ip
    etl_completed_at
    start_paused
    minimum_run_time
    maximum_run_time
    paused_at
    paused_by_user_account_uuid
    paused_by_user_account {
      ...UserAccountFragment
    }
    op_template_uuid
    op_template_name
    excluded_ips {
      ...ExcludedIPFragment
    }
    excluded_domains {
      ...ExcludedDomainFragment
    }
    runner_uuid
    runner_name
    schedule_uuid
    schedule_name
    schedule {
      ...ScheduleFragment
    }
    auto_injected_credential_uuids
    tripwires_count
  }
}
Variables
{"op_id": "abc123"}
Response
{
  "data": {
    "cancel_op": {
      "uuid": "12341234-1234-1234-1234-123412341234",
      "op_id": "12341234-1234-1234-1234-123412341234",
      "op_state": "running",
      "portal_op_state": "done",
      "op_name": "your op name",
      "scheduled_timestamp": "1600793100.0",
      "scheduled_at": "2021-07-22T05:02:40.294996",
      "scheduled_at_date": "2025-10-03T15:50:42.673Z",
      "scheduled_timestamp_iso": "2021-07-22T05:02:40.294996",
      "create_timestamp": "1600793100.0",
      "create_timestamp_iso": "2021-07-22T05:02:40.294996",
      "launched_timestamp": "1600793100.0",
      "launched_timestamp_iso": "2021-07-22T05:02:40.294996",
      "launched_at": "2021-07-22T05:02:40.294996",
      "completed_at": "2021-07-22T05:02:40.294996",
      "completed_timestamp": "1600793100.0",
      "completed_timestamp_iso": "2021-07-22T05:02:40.294996",
      "canceled_at": "2021-07-22T05:02:40.294996",
      "canceled_timestamp": "1600793100.0",
      "canceled_timestamp_iso": "2021-07-22T05:02:40.294996",
      "duration_hms": "22:35:09",
      "duration_humanize": "2 hours, 23 minutes",
      "op_type": "NodeZero",
      "weakness_types_count": 123,
      "weaknesses_count": 123,
      "host_tabs_count": 123,
      "domain_controllers_count": 123,
      "credentials_count": 123,
      "proven_credentials_count": 123,
      "confirmed_credentials_count": 123,
      "unproven_credentials_count": 123,
      "activedir_passwords_count": 123,
      "enabled_activedir_passwords_count": 123,
      "disabled_activedir_passwords_count": 123,
      "feature_flags": [FeatureFlag],
      "impacts_headline_count": 987,
      "impact_paths_count": 123,
      "attack_paths_count": 123,
      "phished_impact_paths_count": 987,
      "phished_attack_paths_count": 123,
      "nodezero_script_url": "https://example.com/example",
      "nodezero_ip": "123.45.67.89",
      "etl_completed_at": "2021-07-22T05:02:40.294996",
      "start_paused": true,
      "minimum_run_time": 123,
      "maximum_run_time": 987,
      "paused_at": "2021-07-22T05:02:40.294996",
      "paused_by_user_account_uuid": "12341234-1234-1234-1234-123412341234",
      "paused_by_user_account": UserAccount,
      "op_template_uuid": "12341234-1234-1234-1234-123412341234",
      "op_template_name": "abc123",
      "excluded_ips": [ExcludedIP],
      "excluded_domains": [ExcludedDomain],
      "runner_uuid": "12341234-1234-1234-1234-123412341234",
      "runner_name": "xyz789",
      "schedule_uuid": "12341234-1234-1234-1234-123412341234",
      "schedule_name": "xyz789",
      "schedule": Schedule,
      "auto_injected_credential_uuids": [
        "xyz789"
      ],
      "tripwires_count": 123
    }
  }
}

create_asset_group

Description

Create an asset group. The asset group uses the scope configured in the given schedule_op_form to discover assets. The name of the asset group can be set via schedule_op_form.op_name.

Response

Returns an AssetGroupOutput!

Arguments
Name Description
schedule_op_form - ScheduleOpFormInput! Scope for discovering assets.

Example

Query
mutation create_asset_group($schedule_op_form: ScheduleOpFormInput!) {
  create_asset_group(schedule_op_form: $schedule_op_form) {
    asset_group {
      ...AssetGroupFragment
    }
  }
}
Variables
{"schedule_op_form": ScheduleOpFormInput}
Response
{
  "data": {
    "create_asset_group": {"asset_group": AssetGroup}
  }
}

create_campaign

Description

Create a new campaign

Response

Returns a Campaign!

Arguments
Name Description
input - CreateCampaignInput!

Example

Query
mutation create_campaign($input: CreateCampaignInput!) {
  create_campaign(input: $input) {
    uuid
    name
    description
    client_account_uuid
    is_deleted
    deleted_at
    row_created_at
    row_updated_at
    perspective_uuids
    perspectives_count
  }
}
Variables
{"input": CreateCampaignInput}
Response
{
  "data": {
    "create_campaign": {
      "uuid": "12341234-1234-1234-1234-123412341234",
      "name": "xyz789",
      "description": "xyz789",
      "client_account_uuid": "12341234-1234-1234-1234-123412341234",
      "is_deleted": true,
      "deleted_at": "2021-07-22T05:02:40.294996",
      "row_created_at": "2021-07-22T05:02:40.294996",
      "row_updated_at": "2021-07-22T05:02:40.294996",
      "perspective_uuids": ["xyz789"],
      "perspectives_count": 987
    }
  }
}

create_client_account

Description

Create a client account and grant the current user access.

Response

Returns a ClientAccountOutput!

Arguments
Name Description
client_account_input - ClientAccountInput!

Example

Query
mutation create_client_account($client_account_input: ClientAccountInput!) {
  create_client_account(client_account_input: $client_account_input) {
    client_account {
      ...ClientAccountFragment
    }
  }
}
Variables
{"client_account_input": ClientAccountInput}
Response
{
  "data": {
    "create_client_account": {
      "client_account": ClientAccount
    }
  }
}

create_op

Description

Create an Op, aka "operation". An op is an cybersecurity assessment conducted autonomously by NodeZero.

You must specify an op type. There are several op types, including "NodeZero", which performs an internal pentest. To see the full list of op types and their configuration requirements, see OpType.

Before creating an op for the first time, you can optionally save the op configuration in an op template. This makes it easier to run ops in the future using the same configuration every time. See OpTemplate for more details.

You can override the configuration from the op template using the schedule_op_form parameter.

This mutation creates a single pentest, for execution immediately. Use create_scheduled_action for running recurring pentests on a schedule, eg. weekly or monthly.

Response

Returns a CreateOpOutput!

Arguments
Name Description
op_template_uuid - String

OpTemplate.uuid of the op template to use for this op.

If not specified, it uses the default op template for the op type specified in schedule_op_form.op_type. If schedule_op_form.op_type is not defined, the default op type is NodeZero.

schedule_op_form - ScheduleOpFormInput schedule_op_form contains optional parameters that, if defined, override the corresponding parameters defined in OpTemplate.schedule_op_form.

Example

Query
mutation create_op(
  $op_template_uuid: String,
  $schedule_op_form: ScheduleOpFormInput
) {
  create_op(
    op_template_uuid: $op_template_uuid,
    schedule_op_form: $schedule_op_form
  ) {
    op {
      ...OpFragment
    }
  }
}
Variables
{
  "op_template_uuid": "xyz789",
  "schedule_op_form": ScheduleOpFormInput
}
Response
{"data": {"create_op": {"op": Op}}}

create_op_template

Description

Create a pentest (aka "op") template.

Response

Returns a SaveOpTemplateOutput!

Arguments
Name Description
op_template_name - String! Name of pentest template. The name uniquely identifies the template in the client account.
schedule_op_form - ScheduleOpFormInput! Input data for scheduling pentest.

Example

Query
mutation create_op_template(
  $op_template_name: String!,
  $schedule_op_form: ScheduleOpFormInput!
) {
  create_op_template(
    op_template_name: $op_template_name,
    schedule_op_form: $schedule_op_form
  ) {
    op_template {
      ...OpTemplateFragment
    }
    asset_group {
      ...AssetGroupFragment
    }
  }
}
Variables
{
  "op_template_name": "abc123",
  "schedule_op_form": ScheduleOpFormInput
}
Response
{
  "data": {
    "create_op_template": {
      "op_template": OpTemplate,
      "asset_group": AssetGroup
    }
  }
}

create_scheduled_action

Description

Create or update a ScheduledAction.

ScheduledActions are actions within a Schedule that run at a specific time, similar to a cron job.

A ScheduledAction can be used to run a pentest on a recurring basis, eg. weekly or monthly.

You can also use ScheduledActions to pause, resume, and cancel a pentest at specific times, for example to pause a pentest during a maintenance window. See CreateScheduledActionInput.action for more details.

Response

Returns a ScheduledActionOutput!

Arguments
Name Description
input - CreateScheduledActionInput!

Example

Query
mutation create_scheduled_action($input: CreateScheduledActionInput!) {
  create_scheduled_action(input: $input) {
    scheduled_action {
      ...ScheduledActionFragment
    }
  }
}
Variables
{"input": CreateScheduledActionInput}
Response
{
  "data": {
    "create_scheduled_action": {
      "scheduled_action": ScheduledAction
    }
  }
}

create_user_account

Description

Add a user to a given client account. The user will receive an invitation email along with temporary login credentials, if needed.

Response

Returns a UserAccount

Arguments
Name Description
input - CreateUserAccountInput! Input data for creating user.

Example

Query
mutation create_user_account($input: CreateUserAccountInput!) {
  create_user_account(input: $input) {
    uuid
    email
    name
    user_role_id
    sign_in_type
    last_signed_in_at
    has_unread_notifications_by_type
    has_tripwires_access
    has_rapid_response_access
  }
}
Variables
{"input": CreateUserAccountInput}
Response
{
  "data": {
    "create_user_account": {
      "uuid": "12341234-1234-1234-1234-123412341234",
      "email": "john.smith@example.com",
      "name": "John Smith",
      "user_role_id": "USER",
      "sign_in_type": "BASIC",
      "last_signed_in_at": "2021-07-22T05:02:40.294996",
      "has_unread_notifications_by_type": ["EvidenceOfWeakness"],
      "has_tripwires_access": false,
      "has_rapid_response_access": true
    }
  }
}

deauthorize_domains

Description

DE-authorize the given AssetGroup domains for external pentesting.

Response

Returns a PentestableEntitiesOutput!

Arguments
Name Description
external_domain_xop_uuids - [String!]!

Example

Query
mutation deauthorize_domains($external_domain_xop_uuids: [String!]!) {
  deauthorize_domains(external_domain_xop_uuids: $external_domain_xop_uuids) {
    pentestable_entities {
      ...PentestableEntityFragment
    }
    blocked_pentestable_entities {
      ...BlockedPentestableEntityFragment
    }
  }
}
Variables
{"external_domain_xop_uuids": ["abc123"]}
Response
{
  "data": {
    "deauthorize_domains": {
      "pentestable_entities": [PentestableEntity],
      "blocked_pentestable_entities": [
        BlockedPentestableEntity
      ]
    }
  }
}

deauthorize_ips

Description

DE-authorize the given AssetGroup IPs for external pentesting.

Response

Returns a PentestableEntitiesOutput!

Arguments
Name Description
host_tab_xop_uuids - [String!]!

Example

Query
mutation deauthorize_ips($host_tab_xop_uuids: [String!]!) {
  deauthorize_ips(host_tab_xop_uuids: $host_tab_xop_uuids) {
    pentestable_entities {
      ...PentestableEntityFragment
    }
    blocked_pentestable_entities {
      ...BlockedPentestableEntityFragment
    }
  }
}
Variables
{"host_tab_xop_uuids": ["xyz789"]}
Response
{
  "data": {
    "deauthorize_ips": {
      "pentestable_entities": [PentestableEntity],
      "blocked_pentestable_entities": [
        BlockedPentestableEntity
      ]
    }
  }
}

delete_campaign

Description

Delete a campaign (soft delete)

Response

Returns a Boolean!

Arguments
Name Description
uuid - String!

Example

Query
mutation delete_campaign($uuid: String!) {
  delete_campaign(uuid: $uuid)
}
Variables
{"uuid": "abc123"}
Response
{"data": {"delete_campaign": false}}

delete_client_account

Description

Delete a client account.

Response

Returns a Deleted!

Arguments
Name Description
client_account_uuid - String! Client account to delete.

Example

Query
mutation delete_client_account($client_account_uuid: String!) {
  delete_client_account(client_account_uuid: $client_account_uuid) {
    success
  }
}
Variables
{"client_account_uuid": "xyz789"}
Response
{"data": {"delete_client_account": {"success": true}}}

delete_op_template

Description

Delete a pentest (aka "op") template by name.

Response

Returns a DeleteOpTemplateOutput!

Arguments
Name Description
op_template_name - String! Name of pentest template.
op_type - String Type of pentest, see OpType for options.
also_delete_schedules - Boolean Also delete any schedules assigned to the template.

Example

Query
mutation delete_op_template(
  $op_template_name: String!,
  $op_type: String,
  $also_delete_schedules: Boolean
) {
  delete_op_template(
    op_template_name: $op_template_name,
    op_type: $op_type,
    also_delete_schedules: $also_delete_schedules
  ) {
    op_template {
      ...OpTemplateFragment
    }
  }
}
Variables
{
  "op_template_name": "abc123",
  "op_type": "abc123",
  "also_delete_schedules": true
}
Response
{
  "data": {
    "delete_op_template": {"op_template": OpTemplate}
  }
}

delete_op_template_by_uuid

Description

Delete a pentest (aka "op") template by uuid.

Response

Returns a DeleteOpTemplateOutput!

Arguments
Name Description
uuid - String! ID of pentest template.
also_delete_schedules - Boolean Also delete any schedules assigned to the template.

Example

Query
mutation delete_op_template_by_uuid(
  $uuid: String!,
  $also_delete_schedules: Boolean
) {
  delete_op_template_by_uuid(
    uuid: $uuid,
    also_delete_schedules: $also_delete_schedules
  ) {
    op_template {
      ...OpTemplateFragment
    }
  }
}
Variables
{
  "uuid": "abc123",
  "also_delete_schedules": false
}
Response
{
  "data": {
    "delete_op_template_by_uuid": {
      "op_template": OpTemplate
    }
  }
}

delete_operator

Description

This mutation deletes the given Operator.

Response

Returns an Operator

Arguments
Name Description
operator_uuid - String!

Example

Query
mutation delete_operator($operator_uuid: String!) {
  delete_operator(operator_uuid: $operator_uuid) {
    uuid
    name
  }
}
Variables
{"operator_uuid": "xyz789"}
Response
{
  "data": {
    "delete_operator": {
      "uuid": "12341234-1234-1234-1234-123412341234",
      "name": "xyz789"
    }
  }
}

delete_scheduled_action

Description

Delete a ScheduledAction. To fully delete a Schedule, delete all ScheduledActions within it.

Response

Returns a ScheduledActionOutput!

Arguments
Name Description
input - DeleteScheduledActionInput!

Example

Query
mutation delete_scheduled_action($input: DeleteScheduledActionInput!) {
  delete_scheduled_action(input: $input) {
    scheduled_action {
      ...ScheduledActionFragment
    }
  }
}
Variables
{"input": DeleteScheduledActionInput}
Response
{
  "data": {
    "delete_scheduled_action": {
      "scheduled_action": ScheduledAction
    }
  }
}

delete_user_account

Description

Delete a user from a given client account.

Response

Returns a UserAccount

Arguments
Name Description
email - EmailAddress! Email address of user to delete.
client_account_uuid - String ID of client account to delete the user from. Defaults to the caller's client account.
also_delete_api_keys - Boolean Option to also delete user's API keys. Defaults to False

Example

Query
mutation delete_user_account(
  $email: EmailAddress!,
  $client_account_uuid: String,
  $also_delete_api_keys: Boolean
) {
  delete_user_account(
    email: $email,
    client_account_uuid: $client_account_uuid,
    also_delete_api_keys: $also_delete_api_keys
  ) {
    uuid
    email
    name
    user_role_id
    sign_in_type
    last_signed_in_at
    has_unread_notifications_by_type
    has_tripwires_access
    has_rapid_response_access
  }
}
Variables
{
  "email": EmailAddress,
  "client_account_uuid": "abc123",
  "also_delete_api_keys": false
}
Response
{
  "data": {
    "delete_user_account": {
      "uuid": "12341234-1234-1234-1234-123412341234",
      "email": "john.smith@example.com",
      "name": "John Smith",
      "user_role_id": "USER",
      "sign_in_type": "BASIC",
      "last_signed_in_at": "2021-07-22T05:02:40.294996",
      "has_unread_notifications_by_type": ["EvidenceOfWeakness"],
      "has_tripwires_access": false,
      "has_rapid_response_access": true
    }
  }
}

install_agent

Description

This mutation returns a convenient curl command that can be run on your NodeZero Host to install a NodeZero Runner on the host.

NodeZero Runners simplify the process of running ops. They are lightweight agents that can automatically launch NodeZero on the host when a pentest or op is created and configured to use the Runner. You can also configure an OpTemplate to use the Runner for all ops created from that template.

The curl command downloads and runs an install script that installs and runs the NodeZero Runner on the NodeZero host.

The mutation also creates an API key with AuthzRole.NODEZERO_RUNNER permissions. This API key is used by the Runner to connect to the API. The API key is embedded in the installation command and is stored on the NodeZero host.

A reference to the Runner is returned in the InstallAgentOutput object. This reference can be used to assign the Runner to an Op or OpTemplate.

Note that a NodeZero Runners are also known as "Agents" in the Horizon3 API.

Response

Returns an InstallAgentOutput!

Arguments
Name Description
agent_name - String DEPRECATED - use name instead.
name - String The name of the NodeZero Runner. This is used to identify the Runner in the API.
The name is required and must not be empty. The name must not contain spaces and must conform to RFC 1123 DNS subdomain naming conventions.
is_kubernetes - Boolean Flag to indicate if the Runner is being deployed in a Kubernetes environment. Defaults to false.
kubernetes_namespace - String The Kubernetes namespace to deploy the Runner in. This is only required if is_kubernetes is true.

Example

Query
mutation install_agent(
  $agent_name: String,
  $name: String,
  $is_kubernetes: Boolean,
  $kubernetes_namespace: String
) {
  install_agent(
    agent_name: $agent_name,
    name: $name,
    is_kubernetes: $is_kubernetes,
    kubernetes_namespace: $kubernetes_namespace
  ) {
    command
    kubernetes_install_command
  }
}
Variables
{
  "agent_name": "xyz789",
  "name": "abc123",
  "is_kubernetes": true,
  "kubernetes_namespace": "abc123"
}
Response
{
  "data": {
    "install_agent": {
      "command": "abc123",
      "kubernetes_install_command": "abc123"
    }
  }
}

pause_op

Description

Pause a pentest, if its current state allows it.

Response

Returns an OpTab!

Arguments
Name Description
op_id - String!

Example

Query
mutation pause_op($op_id: String!) {
  pause_op(op_id: $op_id) {
    uuid
    op_id
    op_state
    portal_op_state
    op_name
    scheduled_timestamp
    scheduled_at
    scheduled_at_date
    scheduled_timestamp_iso
    create_timestamp
    create_timestamp_iso
    launched_timestamp
    launched_timestamp_iso
    launched_at
    completed_at
    completed_timestamp
    completed_timestamp_iso
    canceled_at
    canceled_timestamp
    canceled_timestamp_iso
    duration_hms
    duration_humanize
    op_type
    weakness_types_count
    weaknesses_count
    host_tabs_count
    domain_controllers_count
    credentials_count
    proven_credentials_count
    confirmed_credentials_count
    unproven_credentials_count
    activedir_passwords_count
    enabled_activedir_passwords_count
    disabled_activedir_passwords_count
    feature_flags {
      ...FeatureFlagFragment
    }
    impacts_headline_count
    impact_paths_count
    attack_paths_count
    phished_impact_paths_count
    phished_attack_paths_count
    nodezero_script_url
    nodezero_ip
    etl_completed_at
    start_paused
    minimum_run_time
    maximum_run_time
    paused_at
    paused_by_user_account_uuid
    paused_by_user_account {
      ...UserAccountFragment
    }
    op_template_uuid
    op_template_name
    excluded_ips {
      ...ExcludedIPFragment
    }
    excluded_domains {
      ...ExcludedDomainFragment
    }
    runner_uuid
    runner_name
    schedule_uuid
    schedule_name
    schedule {
      ...ScheduleFragment
    }
    auto_injected_credential_uuids
    tripwires_count
  }
}
Variables
{"op_id": "abc123"}
Response
{
  "data": {
    "pause_op": {
      "uuid": "12341234-1234-1234-1234-123412341234",
      "op_id": "12341234-1234-1234-1234-123412341234",
      "op_state": "running",
      "portal_op_state": "done",
      "op_name": "your op name",
      "scheduled_timestamp": "1600793100.0",
      "scheduled_at": "2021-07-22T05:02:40.294996",
      "scheduled_at_date": "2025-10-03T15:50:42.673Z",
      "scheduled_timestamp_iso": "2021-07-22T05:02:40.294996",
      "create_timestamp": "1600793100.0",
      "create_timestamp_iso": "2021-07-22T05:02:40.294996",
      "launched_timestamp": "1600793100.0",
      "launched_timestamp_iso": "2021-07-22T05:02:40.294996",
      "launched_at": "2021-07-22T05:02:40.294996",
      "completed_at": "2021-07-22T05:02:40.294996",
      "completed_timestamp": "1600793100.0",
      "completed_timestamp_iso": "2021-07-22T05:02:40.294996",
      "canceled_at": "2021-07-22T05:02:40.294996",
      "canceled_timestamp": "1600793100.0",
      "canceled_timestamp_iso": "2021-07-22T05:02:40.294996",
      "duration_hms": "22:35:09",
      "duration_humanize": "2 hours, 23 minutes",
      "op_type": "NodeZero",
      "weakness_types_count": 987,
      "weaknesses_count": 123,
      "host_tabs_count": 123,
      "domain_controllers_count": 123,
      "credentials_count": 987,
      "proven_credentials_count": 987,
      "confirmed_credentials_count": 123,
      "unproven_credentials_count": 987,
      "activedir_passwords_count": 123,
      "enabled_activedir_passwords_count": 987,
      "disabled_activedir_passwords_count": 987,
      "feature_flags": [FeatureFlag],
      "impacts_headline_count": 123,
      "impact_paths_count": 987,
      "attack_paths_count": 987,
      "phished_impact_paths_count": 123,
      "phished_attack_paths_count": 123,
      "nodezero_script_url": "https://example.com/example",
      "nodezero_ip": "123.45.67.89",
      "etl_completed_at": "2021-07-22T05:02:40.294996",
      "start_paused": true,
      "minimum_run_time": 123,
      "maximum_run_time": 123,
      "paused_at": "2021-07-22T05:02:40.294996",
      "paused_by_user_account_uuid": "12341234-1234-1234-1234-123412341234",
      "paused_by_user_account": UserAccount,
      "op_template_uuid": "12341234-1234-1234-1234-123412341234",
      "op_template_name": "abc123",
      "excluded_ips": [ExcludedIP],
      "excluded_domains": [ExcludedDomain],
      "runner_uuid": "12341234-1234-1234-1234-123412341234",
      "runner_name": "xyz789",
      "schedule_uuid": "12341234-1234-1234-1234-123412341234",
      "schedule_name": "abc123",
      "schedule": Schedule,
      "auto_injected_credential_uuids": [
        "xyz789"
      ],
      "tripwires_count": 987
    }
  }
}

remove_domains_from_asset_group

Description

Remove domains from an asset group.

Response

Returns an AssetGroupOutput!

Arguments
Name Description
asset_group_uuid - String! ID of asset group to update.
domains - [StringNotEmpty]! List of domains to remove from the asset group's scope.

Example

Query
mutation remove_domains_from_asset_group(
  $asset_group_uuid: String!,
  $domains: [StringNotEmpty]!
) {
  remove_domains_from_asset_group(
    asset_group_uuid: $asset_group_uuid,
    domains: $domains
  ) {
    asset_group {
      ...AssetGroupFragment
    }
  }
}
Variables
{
  "asset_group_uuid": "abc123",
  "domains": [StringNotEmpty]
}
Response
{
  "data": {
    "remove_domains_from_asset_group": {
      "asset_group": AssetGroup
    }
  }
}

rerun_op

Description

Create a pentest using the same configuration as the pentest with the given op_id.

Response

Returns a ScheduleOpOutput!

Arguments
Name Description
op_id - String! The op_id of the pentest to use for the base configuration.
op_name - String Optionally override the name of the pentest.
schedule_op_form - ScheduleOpFormInput Optional parameters that, if set, override the corresponding parameters in the base configuration.
agent_name - String Optionally override the h3-cli agent in the base configuration.
runner_uuid - String Optionally override the h3-cli runner in the base configuration.

Example

Query
mutation rerun_op(
  $op_id: String!,
  $op_name: String,
  $schedule_op_form: ScheduleOpFormInput,
  $agent_name: String,
  $runner_uuid: String
) {
  rerun_op(
    op_id: $op_id,
    op_name: $op_name,
    schedule_op_form: $schedule_op_form,
    agent_name: $agent_name,
    runner_uuid: $runner_uuid
  ) {
    op {
      ...OpFragment
    }
  }
}
Variables
{
  "op_id": "abc123",
  "op_name": "abc123",
  "schedule_op_form": ScheduleOpFormInput,
  "agent_name": "abc123",
  "runner_uuid": "abc123"
}
Response
{"data": {"rerun_op": {"op": Op}}}

resume_op

Description

Resume a pentest, if its current state allows it.

Response

Returns an OpTab!

Arguments
Name Description
op_id - String!

Example

Query
mutation resume_op($op_id: String!) {
  resume_op(op_id: $op_id) {
    uuid
    op_id
    op_state
    portal_op_state
    op_name
    scheduled_timestamp
    scheduled_at
    scheduled_at_date
    scheduled_timestamp_iso
    create_timestamp
    create_timestamp_iso
    launched_timestamp
    launched_timestamp_iso
    launched_at
    completed_at
    completed_timestamp
    completed_timestamp_iso
    canceled_at
    canceled_timestamp
    canceled_timestamp_iso
    duration_hms
    duration_humanize
    op_type
    weakness_types_count
    weaknesses_count
    host_tabs_count
    domain_controllers_count
    credentials_count
    proven_credentials_count
    confirmed_credentials_count
    unproven_credentials_count
    activedir_passwords_count
    enabled_activedir_passwords_count
    disabled_activedir_passwords_count
    feature_flags {
      ...FeatureFlagFragment
    }
    impacts_headline_count
    impact_paths_count
    attack_paths_count
    phished_impact_paths_count
    phished_attack_paths_count
    nodezero_script_url
    nodezero_ip
    etl_completed_at
    start_paused
    minimum_run_time
    maximum_run_time
    paused_at
    paused_by_user_account_uuid
    paused_by_user_account {
      ...UserAccountFragment
    }
    op_template_uuid
    op_template_name
    excluded_ips {
      ...ExcludedIPFragment
    }
    excluded_domains {
      ...ExcludedDomainFragment
    }
    runner_uuid
    runner_name
    schedule_uuid
    schedule_name
    schedule {
      ...ScheduleFragment
    }
    auto_injected_credential_uuids
    tripwires_count
  }
}
Variables
{"op_id": "xyz789"}
Response
{
  "data": {
    "resume_op": {
      "uuid": "12341234-1234-1234-1234-123412341234",
      "op_id": "12341234-1234-1234-1234-123412341234",
      "op_state": "running",
      "portal_op_state": "done",
      "op_name": "your op name",
      "scheduled_timestamp": "1600793100.0",
      "scheduled_at": "2021-07-22T05:02:40.294996",
      "scheduled_at_date": "2025-04-03T15:50:42.673Z",
      "scheduled_timestamp_iso": "2021-07-22T05:02:40.294996",
      "create_timestamp": "1600793100.0",
      "create_timestamp_iso": "2021-07-22T05:02:40.294996",
      "launched_timestamp": "1600793100.0",
      "launched_timestamp_iso": "2021-07-22T05:02:40.294996",
      "launched_at": "2021-07-22T05:02:40.294996",
      "completed_at": "2021-07-22T05:02:40.294996",
      "completed_timestamp": "1600793100.0",
      "completed_timestamp_iso": "2021-07-22T05:02:40.294996",
      "canceled_at": "2021-07-22T05:02:40.294996",
      "canceled_timestamp": "1600793100.0",
      "canceled_timestamp_iso": "2021-07-22T05:02:40.294996",
      "duration_hms": "22:35:09",
      "duration_humanize": "2 hours, 23 minutes",
      "op_type": "NodeZero",
      "weakness_types_count": 987,
      "weaknesses_count": 123,
      "host_tabs_count": 987,
      "domain_controllers_count": 987,
      "credentials_count": 123,
      "proven_credentials_count": 123,
      "confirmed_credentials_count": 987,
      "unproven_credentials_count": 987,
      "activedir_passwords_count": 123,
      "enabled_activedir_passwords_count": 123,
      "disabled_activedir_passwords_count": 987,
      "feature_flags": [FeatureFlag],
      "impacts_headline_count": 987,
      "impact_paths_count": 123,
      "attack_paths_count": 987,
      "phished_impact_paths_count": 123,
      "phished_attack_paths_count": 123,
      "nodezero_script_url": "https://example.com/example",
      "nodezero_ip": "123.45.67.89",
      "etl_completed_at": "2021-07-22T05:02:40.294996",
      "start_paused": true,
      "minimum_run_time": 987,
      "maximum_run_time": 123,
      "paused_at": "2021-07-22T05:02:40.294996",
      "paused_by_user_account_uuid": "12341234-1234-1234-1234-123412341234",
      "paused_by_user_account": UserAccount,
      "op_template_uuid": "12341234-1234-1234-1234-123412341234",
      "op_template_name": "xyz789",
      "excluded_ips": [ExcludedIP],
      "excluded_domains": [ExcludedDomain],
      "runner_uuid": "12341234-1234-1234-1234-123412341234",
      "runner_name": "xyz789",
      "schedule_uuid": "12341234-1234-1234-1234-123412341234",
      "schedule_name": "xyz789",
      "schedule": Schedule,
      "auto_injected_credential_uuids": [
        "xyz789"
      ],
      "tripwires_count": 987
    }
  }
}

save_op_template

Use create_op_template and update_op_template instead.
Description

Create or update a pentest (aka "op") template.

Response

Returns a SaveOpTemplateOutput!

Arguments
Name Description
op_template_name - String! Name of pentest template. The name uniquely identifies the template in the client account.
schedule_op_form - ScheduleOpFormInput! Input data for scheduling pentest. Note that partial/patch updates are NOT supported by this mutation. The entire schedule_op_form must be provided. Use update_op_template for partial/patch updates.

Example

Query
mutation save_op_template(
  $op_template_name: String!,
  $schedule_op_form: ScheduleOpFormInput!
) {
  save_op_template(
    op_template_name: $op_template_name,
    schedule_op_form: $schedule_op_form
  ) {
    op_template {
      ...OpTemplateFragment
    }
    asset_group {
      ...AssetGroupFragment
    }
  }
}
Variables
{
  "op_template_name": "xyz789",
  "schedule_op_form": ScheduleOpFormInput
}
Response
{
  "data": {
    "save_op_template": {
      "op_template": OpTemplate,
      "asset_group": AssetGroup
    }
  }
}

schedule_op_template

Use create_op instead.
Description

Create an op from an op template. DEPRECATED - use create_op instead.

See Mutation.create_op for details.

Notes:

  • Despite its name, this mutation does NOT create a schedule for recurring pentests.
    It only creates a single pentest, for execution immediately. Use create_scheduled_action for running recurring pentests on a schedule.

Response

Returns a ScheduleOpOutput!

Arguments
Name Description
op_template_name - String @deprecated - use op_template_uuid instead. Name of pentest template. If not specified, defaults to the default template for the op_type specified in schedule_op_form.op_type, which in turn defaults to NodeZero.
op_template_uuid - String ID of pentest template. If not specified, defaults to the default template for the op_type specified in schedule_op_form.op_type, which in turn defaults to NodeZero.
op_name - String Name of the pentest, defaults to the name in pentest template.
schedule_op_form - ScheduleOpFormInput Optional parameters that, if set, override the corresponding parameters in the pentest template.
agent_name - String Assign an h3-cli agent to automatically launch NodeZero for this pentest.
runner_uuid - String Assign an h3-cli runner to automatically launch NodeZero for this pentest.
schedule_name - String The automated schedule to which this pentest is assigned. This is used internally by automated scheduling.

Example

Query
mutation schedule_op_template(
  $op_template_name: String,
  $op_template_uuid: String,
  $op_name: String,
  $schedule_op_form: ScheduleOpFormInput,
  $agent_name: String,
  $runner_uuid: String,
  $schedule_name: String
) {
  schedule_op_template(
    op_template_name: $op_template_name,
    op_template_uuid: $op_template_uuid,
    op_name: $op_name,
    schedule_op_form: $schedule_op_form,
    agent_name: $agent_name,
    runner_uuid: $runner_uuid,
    schedule_name: $schedule_name
  ) {
    op {
      ...OpFragment
    }
  }
}
Variables
{
  "op_template_name": "xyz789",
  "op_template_uuid": "xyz789",
  "op_name": "abc123",
  "schedule_op_form": ScheduleOpFormInput,
  "agent_name": "xyz789",
  "runner_uuid": "abc123",
  "schedule_name": "xyz789"
}
Response
{"data": {"schedule_op_template": {"op": Op}}}

test_tripwire

Description

Triggers a test of the specified Tripwire.

Response

Returns a Tripwire

Arguments
Name Description
uuid - String!

Example

Query
mutation test_tripwire($uuid: String!) {
  test_tripwire(uuid: $uuid) {
    uuid
    external_id
    op_id
    op {
      ...OpTabFragment
    }
    deployment_asset_name
    file_attributes {
      ...FileAttributesFragment
    }
    processes
    active_at
    inactive_at
    last_tested_at
    data_store {
      ...DataStoreFragment
    }
  }
}
Variables
{"uuid": "xyz789"}
Response
{
  "data": {
    "test_tripwire": {
      "uuid": "12341234-1234-1234-1234-123412341234",
      "external_id": "xyz789",
      "op_id": "12341234-1234-1234-1234-123412341234",
      "op": OpTab,
      "deployment_asset_name": "xyz789",
      "file_attributes": [FileAttributes],
      "processes": ["xyz789"],
      "active_at": "2021-07-22T05:02:40.294996",
      "inactive_at": "2021-07-22T05:02:40.294996",
      "last_tested_at": "2021-07-22T05:02:40.294996",
      "data_store": DataStore
    }
  }
}

trigger_scheduled_action

Description

Trigger a ScheduledAction to run now.

This mutation can be used to verify a ScheduledAction's configuration and ensure it behaves as expected. It can also be used as a convenient way to run a pentest immediately, without waiting for the next scheduled time.

Response

Returns a ScheduledActionOutput!

Arguments
Name Description
input - TriggerScheduledActionInput!

Example

Query
mutation trigger_scheduled_action($input: TriggerScheduledActionInput!) {
  trigger_scheduled_action(input: $input) {
    scheduled_action {
      ...ScheduledActionFragment
    }
  }
}
Variables
{"input": TriggerScheduledActionInput}
Response
{
  "data": {
    "trigger_scheduled_action": {
      "scheduled_action": ScheduledAction
    }
  }
}

update_asset_group_template

Description

Update an asset group's configuration. The name of the asset group can be updated via schedule_op_form.op_name.

Response

Returns a SaveOpTemplateOutput!

Arguments
Name Description
asset_group_uuid - String! ID of asset group.
schedule_op_form - ScheduleOpFormInput! Scope for discovering assets.

Example

Query
mutation update_asset_group_template(
  $asset_group_uuid: String!,
  $schedule_op_form: ScheduleOpFormInput!
) {
  update_asset_group_template(
    asset_group_uuid: $asset_group_uuid,
    schedule_op_form: $schedule_op_form
  ) {
    op_template {
      ...OpTemplateFragment
    }
    asset_group {
      ...AssetGroupFragment
    }
  }
}
Variables
{
  "asset_group_uuid": "abc123",
  "schedule_op_form": ScheduleOpFormInput
}
Response
{
  "data": {
    "update_asset_group_template": {
      "op_template": OpTemplate,
      "asset_group": AssetGroup
    }
  }
}

update_campaign

Description

Update an existing campaign

Response

Returns a Campaign!

Arguments
Name Description
input - UpdateCampaignInput!

Example

Query
mutation update_campaign($input: UpdateCampaignInput!) {
  update_campaign(input: $input) {
    uuid
    name
    description
    client_account_uuid
    is_deleted
    deleted_at
    row_created_at
    row_updated_at
    perspective_uuids
    perspectives_count
  }
}
Variables
{"input": UpdateCampaignInput}
Response
{
  "data": {
    "update_campaign": {
      "uuid": "12341234-1234-1234-1234-123412341234",
      "name": "abc123",
      "description": "xyz789",
      "client_account_uuid": "12341234-1234-1234-1234-123412341234",
      "is_deleted": true,
      "deleted_at": "2021-07-22T05:02:40.294996",
      "row_created_at": "2021-07-22T05:02:40.294996",
      "row_updated_at": "2021-07-22T05:02:40.294996",
      "perspective_uuids": ["abc123"],
      "perspectives_count": 123
    }
  }
}

update_client_account

Description

Update a client account.

Response

Returns a ClientAccount!

Arguments
Name Description
client_account_input - ClientAccountUpdateInput!

Example

Query
mutation update_client_account($client_account_input: ClientAccountUpdateInput!) {
  update_client_account(client_account_input: $client_account_input) {
    uuid
    parent_uuid
    child_client_accounts {
      ...ClientAccountFragment
    }
    child_client_accounts_page {
      ...ClientAccountsPageFragment
    }
    child_client_accounts_count
    company_name
    company_short_name
    company_logo_url
    secondary_company_logo_url
    company_colors {
      ...BrandColorFragment
    }
    white_label_reports_enabled
    white_label_reports_cascade
    row_created_at
    session_user_role_id
    tripwires_enabled
    assets_count
    internal_assets_count
    external_assets_count
  }
}
Variables
{"client_account_input": ClientAccountUpdateInput}
Response
{
  "data": {
    "update_client_account": {
      "uuid": "12341234-1234-1234-1234-123412341234",
      "parent_uuid": "12341234-1234-1234-1234-123412341234",
      "child_client_accounts": [ClientAccount],
      "child_client_accounts_page": ClientAccountsPage,
      "child_client_accounts_count": 123,
      "company_name": "Horizon3 AI, Inc",
      "company_short_name": "H3",
      "company_logo_url": "https://example.com/example",
      "secondary_company_logo_url": "https://example.com/example",
      "company_colors": [BrandColor],
      "white_label_reports_enabled": true,
      "white_label_reports_cascade": false,
      "row_created_at": "2021-07-22T05:02:40.294996",
      "session_user_role_id": "USER",
      "tripwires_enabled": true,
      "assets_count": 987,
      "internal_assets_count": 987,
      "external_assets_count": 987
    }
  }
}

update_op

Description

Update an existing pentest.

Response

Returns an UpdateOpOutput

Arguments
Name Description
op_id - String!
update_op_input - UpdateOpInput!

Example

Query
mutation update_op(
  $op_id: String!,
  $update_op_input: UpdateOpInput!
) {
  update_op(
    op_id: $op_id,
    update_op_input: $update_op_input
  ) {
    op {
      ...OpFragment
    }
  }
}
Variables
{
  "op_id": "abc123",
  "update_op_input": UpdateOpInput
}
Response
{"data": {"update_op": {"op": Op}}}

update_op_template

Description

Update a pentest (aka "op") template by uuid. Allows for template renaming.
Allows for partial/patch updates of OpTemplate.schedule_op_form.

Response

Returns an UpdateOpTemplateOutput!

Arguments
Name Description
input - UpdateOpTemplateInput! Input data for updating pentest template.

Example

Query
mutation update_op_template($input: UpdateOpTemplateInput!) {
  update_op_template(input: $input) {
    op_template {
      ...OpTemplateFragment
    }
  }
}
Variables
{"input": UpdateOpTemplateInput}
Response
{
  "data": {
    "update_op_template": {"op_template": OpTemplate}
  }
}

update_scheduled_action

Description

Update a ScheduledAction.

Response

Returns a ScheduledActionOutput!

Arguments
Name Description
input - UpdateScheduledActionInput!

Example

Query
mutation update_scheduled_action($input: UpdateScheduledActionInput!) {
  update_scheduled_action(input: $input) {
    scheduled_action {
      ...ScheduledActionFragment
    }
  }
}
Variables
{"input": UpdateScheduledActionInput}
Response
{
  "data": {
    "update_scheduled_action": {
      "scheduled_action": ScheduledAction
    }
  }
}

update_user_account

Description

Update a user and their role for a given client account.

Response

Returns a UserAccount!

Arguments
Name Description
input - UpdateUserAccountInput! Input data for updating user.

Example

Query
mutation update_user_account($input: UpdateUserAccountInput!) {
  update_user_account(input: $input) {
    uuid
    email
    name
    user_role_id
    sign_in_type
    last_signed_in_at
    has_unread_notifications_by_type
    has_tripwires_access
    has_rapid_response_access
  }
}
Variables
{"input": UpdateUserAccountInput}
Response
{
  "data": {
    "update_user_account": {
      "uuid": "12341234-1234-1234-1234-123412341234",
      "email": "john.smith@example.com",
      "name": "John Smith",
      "user_role_id": "USER",
      "sign_in_type": "BASIC",
      "last_signed_in_at": "2021-07-22T05:02:40.294996",
      "has_unread_notifications_by_type": ["EvidenceOfWeakness"],
      "has_tripwires_access": false,
      "has_rapid_response_access": false
    }
  }
}

Types

APIKey

Description

API key data.

Fields
Field Name Description
uuid - String! ID of API key.
api_key - String The API key. This field is only populated when the API key is first created.
h3_cli_install_command - String The command to run that will install h3-cli and configure it to use this API key. Only available when the API key is created.
starts_with - String! Starting characters of API key. This is useful for referencing a key.
created_at - Datetime! Date and time of API key creation.
last_accessed_at - Datetime Date and time of the last time the API key was used.
Example
{
  "uuid": "12341234-1234-1234-1234-123412341234",
  "api_key": "abc123",
  "h3_cli_install_command": "xyz789",
  "starts_with": "xyz789",
  "created_at": "2021-07-22T05:02:40.294996",
  "last_accessed_at": "2021-07-22T05:02:40.294996"
}

AWSAccountId

Description

String scalar type with AWS Account ID format required (a 12-digit number).

Example
AWSAccountId

AccessLevel

Description

Client account access level.

Values
Enum Value Description

FREE_TRIAL

Free trial access with certain limitations.

READONLY

Read-only access.

FULL

Full access.

POV

Proof-of-value access

C_PLUS

Consulting+ access.

MSP

Managed Service Provider

FLEX

Flexible access.
Example
"FREE_TRIAL"

ActionLog

Description

An action/command executed by NodeZero during an op.

Fields
Field Name Description
uuid - String! ID of action log.
start_time - Datetime! Timestamp at the start of action, in ISO format (UTC).
endpoint_uuid - String ID of host targeted by action.
endpoint_ip - String IP address of host targeted by action.
end_time - Datetime! Timestamp at the end of action, in ISO format (UTC).
cmd - String! The command executed by NodeZero.
module_id - String Name of attack module used in action.
module_name - String Title name of attack module used in action.
module_description - String Description of attack module used in action.
module_meta - ModuleMeta Metadata for the attack module used in action.
mitre_mappings - [MitreMapping] The MITRE tactic/technique/subtechnique(s) employed by this action/command.
target_h3_names - [String] List of assets and weaknesses associated with action. Assets include the IP, service, application, URL, or data store being targeted.
exit_code - String! Exit code from attack command run in action.
op_id - String! ID of pentest associated with action.
Example
{
  "uuid": "12341234-1234-1234-1234-123412341234",
  "start_time": Datetime,
  "endpoint_uuid": "12341234-1234-1234-1234-123412341234",
  "endpoint_ip": "123.45.67.89",
  "end_time": Datetime,
  "cmd": "abc123",
  "module_id": "xyz789",
  "module_name": "xyz789",
  "module_description": "xyz789",
  "module_meta": ModuleMeta,
  "mitre_mappings": [MitreMapping],
  "target_h3_names": ["abc123"],
  "exit_code": "xyz789",
  "op_id": "12341234-1234-1234-1234-123412341234"
}

ActionLogsPage

Description

Paginated data of action logs.

Fields
Field Name Description
page_info - PageInfo Pagination of response.
action_logs - [ActionLog!]! List of action logs.
Example
{
  "page_info": PageInfo,
  "action_logs": [ActionLog]
}

Agent

Description

Represents a NodeZero Runner. Note that Runners are also known as Agents in the API.

Fields
Field Name Description
uuid - String! Unique identifier
name - String! The name of the agent. The name is used when assigning scheduled ops to an agent.
api_key_uuid - String! The ID of the API key that (last) started the agent
api_key - APIKey! The API key that (last) started the agent
uname - String The output of uname on the agent machine
log_file - String The file the agent is logging to on the local machine
last_heartbeat_at - Datetime The last time the agent made contact with H3 (via GQL)
last_heartbeat_time_ago - String last_heartbeat_at as a human-friendly "time ago" statement, eg. "3 minutes ago"
last_command - AgentCommand The last (or next) command for the agent.
commands - [AgentCommand] The last n command for the agent.
Arguments
last_n - Int
created_at - Datetime! When the agent was first created
h3_cli_version - String The h3-cli version the agent is running.
is_kubernetes - Boolean! Whether the agent is a Kubernetes agent.
kubernetes_namespace - String The Kubernetes namespace the agent is running in.
Example
{
  "uuid": "12341234-1234-1234-1234-123412341234",
  "name": "abc123",
  "api_key_uuid": "12341234-1234-1234-1234-123412341234",
  "api_key": APIKey,
  "uname": "xyz789",
  "log_file": "xyz789",
  "last_heartbeat_at": "2021-07-22T05:02:40.294996",
  "last_heartbeat_time_ago": "abc123",
  "last_command": AgentCommand,
  "commands": [AgentCommand],
  "created_at": "2021-07-22T05:02:40.294996",
  "h3_cli_version": "abc123",
  "is_kubernetes": true,
  "kubernetes_namespace": "xyz789"
}

AgentCommand

Description

Represents a command run by an Agent aka NodeZero Runner (see Agent).

Fields
Field Name Description
uuid - String! Unique identifier
agent_uuid - String! The agent to run the command.
command - String! The command to run
received_at - Datetime When the agent received the command.
completed_at - Datetime When the agent completed the command.
exit_status - String The exit status/return code from the command process.
log - String The stdout+stderr log from the command process.
created_at - Datetime! When the command was created
Example
{
  "uuid": "12341234-1234-1234-1234-123412341234",
  "agent_uuid": "12341234-1234-1234-1234-123412341234",
  "command": "xyz789",
  "received_at": "2021-07-22T05:02:40.294996",
  "completed_at": "2021-07-22T05:02:40.294996",
  "exit_status": "abc123",
  "log": "xyz789",
  "created_at": "2021-07-22T05:02:40.294996"
}

Application

Description

Represents an Application running on a Service.

Fields
Field Name Description
uuid - String! The unique ID for the Application.
created_at - Datetime! Time when the Application was found during the Op (UTC).
service_uuid - String! The ID of the Service this Application is running on.
service - Service! The Service this Application is running on.
ip - String The IP of the Service the Application is running on.
port - Int! Port number of the Service the Application is running on.
name - String! The Application name.
op_id - String! The ID of the Op this Application was found in.
Example
{
  "uuid": "12341234-1234-1234-1234-123412341234",
  "created_at": "2021-07-22T05:02:40.294996",
  "service_uuid": "12341234-1234-1234-1234-123412341234",
  "service": Service,
  "ip": "123.45.67.89",
  "port": 987,
  "name": "xyz789",
  "op_id": "12341234-1234-1234-1234-123412341234"
}

AssetGroup

Description

An AssetGroup represents a set of assets in a pentest environment. Assets are discovered by scanning the environment using the scope defined in the associated op template.

Fields
Field Name Description
uuid - String! ID of asset group
name - String! Name of asset group.
op_template_uuid - String! ID of pentest template for asset group.
op_template - OpTemplate! Data of pentest template for asset group.
user_account_uuid - String! ID of user that created the asset group.
user_account_name - String! Name of user account that created the asset group.
client_account_uuid - String! ID of client account that created the asset group.
client_account_company_name - String! Company name on the client account that created the asset group.
last_ead_etl_completed_at - Datetime Timestamp when the last asset discovery completed for this asset group.
created_at - Datetime! Timestamp when the asset group was created.
updated_at - Datetime Timestamp when the asset group was last updated.
op_series_uuid - String! ID of the ExternalAssetDiscovery op series associated with the asset group.
assets_count - Int! The number of domain and IP assets in this asset group.
authorized_assets_count - Int! The number of authorized domain and IP assets in this asset group.
external_domain_xops_count - Int! The number of discovered domains in this asset group.
authorized_external_domain_xops_count - Int! The number of authorized domains in this asset group.
in_scope_host_tab_xops_count - Int! The number of in-scope IPs in this asset group.
authorized_host_tab_xops_count - Int! The number of authorized IPs in this asset group.
Example
{
  "uuid": "12341234-1234-1234-1234-123412341234",
  "name": "abc123",
  "op_template_uuid": "12341234-1234-1234-1234-123412341234",
  "op_template": OpTemplate,
  "user_account_uuid": "12341234-1234-1234-1234-123412341234",
  "user_account_name": "xyz789",
  "client_account_uuid": "12341234-1234-1234-1234-123412341234",
  "client_account_company_name": "abc123",
  "last_ead_etl_completed_at": "2021-07-22T05:02:40.294996",
  "created_at": "2021-07-22T05:02:40.294996",
  "updated_at": "2021-07-22T05:02:40.294996",
  "op_series_uuid": "12341234-1234-1234-1234-123412341234",
  "assets_count": 123,
  "authorized_assets_count": 123,
  "external_domain_xops_count": 987,
  "authorized_external_domain_xops_count": 123,
  "in_scope_host_tab_xops_count": 987,
  "authorized_host_tab_xops_count": 987
}

AssetGroupOutput

Description

Asset group return type.

Fields
Field Name Description
asset_group - AssetGroup! The asset group.
Example
{"asset_group": AssetGroup}

AssetGroupsPage

Fields
Field Name Description
page_info - PageInfo Pagination of response.
asset_groups - [AssetGroup!]! List of asset groups.
Example
{
  "page_info": PageInfo,
  "asset_groups": [AssetGroup]
}

AttackConfigValue

Description

Represents the user-provided value for a FeatureFlag.

Fields
Field Name Description
bool_value - Boolean Boolean value for boolean-type flags.
int_value - Int Integer value for integer-type flags.
float_value - Float Floating-point value for float-type flags.
string_value - String String value for string-type flags.
Example
{
  "bool_value": true,
  "int_value": 987,
  "float_value": 987.65,
  "string_value": "abc123"
}

AttackConfigValueInput

Description

Represents the valid value types a user can provide for a FeatureFlag, varying based on option data_type.

Fields
Input Field Description
bool_value - Boolean Boolean value for boolean-type flags.
int_value - Int Integer value for integer-type flags.
float_value - Float Floating-point value for float-type flags.
string_value - String String value for string-type flags.
Example
{
  "bool_value": true,
  "int_value": 123,
  "float_value": 987.65,
  "string_value": "abc123"
}

AttackGraph

Description

An AttackGraph comprises the set of nodes and edges for an AttackVector.

The AttackGraph is a directed acyclic graph (DAG).

The nodes represent the hosts, services, weaknesses, credentials, and other entities that NodeZero discovered and exploited as part of the attack path.

The edges are all of type PATH and define the sequence of steps from one node to the next that NodeZero took along the path.

The attack path can be organized into layers. The layers represent the distinct time steps in the attack path. Each node is associated with a layer via Node.layer_label. All nodes in the same layer were discovered or exploited at the same time. The layers can be used to render the graph in a way that shows the progression of the attack path over time.

Fields
Field Name Description
nodes - [Node] The nodes of the graph. The nodes represent the hosts, services, weaknesses, credentials, and other entities that NodeZero discovered and exploited as part of the attack path.
edges - [Edge] The edges of the graph. The edges are all of type PATH and define the sequence of steps from one node to the next that NodeZero took along the path.
Example
{"nodes": [Node], "edges": [Edge]}

AttackPath

Description

An AttackPath represents the steps NodeZero took to reach the target Impact at the end of the AttackPath.
The path includes exploited weaknesses, compromised credentials, and other findings that led to the Impact.

Fields
Field Name Description
uuid - String! Unique ID for this AttackPath.
impact_type - ImpactType! The ImpactType of the target Impact.
impact_title - String! The ImpactType title for the target Impact.
impact_description - String! The ImpactType description for the target Impact.
name - String! The AttackPath's name/title.
attack_path_title - String! The AttackPath's name/title.
score - Float The target Impact's risk score.
severity - Severity The target Impact's severity.
context_score_description_md - String A description of the AttackPath, including the target Impact along with the Weaknesses, Credentials, and Hosts involved in the AttackPath. In markdown format.
context_score_description - String A description of the AttackPath, including the target Impact along with the Weaknesses, Credentials, and Hosts involved in the AttackPath.
attack_vector - AttackVector The AttackVector for this AttackPath.
The AttackVector details the step-by-step actions NodeZero took to reach the target Impact.
Arguments
op_id - String! The op.
weakness_refs - [String] The Weaknesses that appear in the AttackPath. Refs are formatted as {weakness_uuid},{weakness-id},{asset-name}
credential_refs - [String] The Credentials that appear in the AttackPath. Refs are formatted as {credential_uuid},{user_or_role_name},{asset-name}
host_refs - [String] The Hosts that appear in the AttackPath. Refs are formatted as {host_uuid},{ip}
time_to_finding_hms - String The time it took to reach the target Impact. Formatted as hours:minutes:seconds (hh:mm:ss).
time_to_finding_s - Int The time it took (in seconds) to reach the target Impact.
created_at - Datetime Timestamp when the target Impact was achieved.
target_entity_text - String The display name of the entity that is the direct cause of the target Impact.
target_entity_short_text - String The short-name of the entity that is the direct cause of the target Impact
affected_asset_text - String The display name of the asset affected by the target Impact.
affected_asset_short_text - String The short-name of the asset affected by the target Impact.
ip - String The IP of the Host affected by the target Impact.
host_name - String The host_name of the Host affected by the target Impact.
host_text - String The display name of the Host affected by the target Impact.
affected_host - Host The Host affected by the target Impact.
proofs_count - Int The number of Proofs that appear in the AttackPath.
proofs - [Proof] The list of Proofs that appear in the AttackPath.
Example
{
  "uuid": "12341234-1234-1234-1234-123412341234",
  "impact_type": "AWSUserRoleCompromise",
  "impact_title": "xyz789",
  "impact_description": "abc123",
  "name": "abc123",
  "attack_path_title": "abc123",
  "score": 123.45,
  "severity": "INFO",
  "context_score_description_md": "xyz789",
  "context_score_description": "abc123",
  "attack_vector": AttackVector,
  "op_id": "12341234-1234-1234-1234-123412341234",
  "weakness_refs": ["xyz789"],
  "credential_refs": ["xyz789"],
  "host_refs": ["abc123"],
  "time_to_finding_hms": "22:05:31",
  "time_to_finding_s": 987,
  "created_at": "2021-07-22T05:02:40.294996",
  "target_entity_text": "abc123",
  "target_entity_short_text": "xyz789",
  "affected_asset_text": "xyz789",
  "affected_asset_short_text": "xyz789",
  "ip": "123.45.67.89",
  "host_name": "abc123",
  "host_text": "xyz789",
  "affected_host": Host,
  "proofs_count": 123,
  "proofs": [Proof]
}

AttackPathsPage

Description

Contains a page of AttackPath records, as fetched via Query.attack_paths_page.

Fields
Field Name Description
page_info - PageInfo Pagination of response.
attack_paths - [AttackPath!]! List of attack paths.
Example
{
  "page_info": PageInfo,
  "attack_paths": [AttackPath]
}

AttackVector

Description

An AttackVector is a graph of nodes and edges that represent the step-by-step attack path that NodeZero took to reach a target node.

The graph is a directed acyclic graph (DAG) of nodes and edges. It can be retrieved via the attack_graph field.

We track attack vectors for certain entit types:

  • impacts
  • weaknesses
  • credentials
  • data stores
  • relay events (cyanide)
  • privilege escalation events (sudo)

Each node in the attack graph has a found_by_module_instance field, which is a reference to the ModuleInstance used by NodeZero during that step of the attack path. The ModuleInstance can be used to retrieve further details about that step of the attack path, including:

  • information about the module that was used (ModuleInstance.module_meta)
  • how the module maps to the MITRE framework (ModuleInstance.module_meta.mitre_mappings)
  • the commands it ran during the pentest (ModuleInstance.action_logs)

When summarizing an AttackVector, it can be useful to break it down by:

  • the hosts involved (AttackVector.host_nodes)
  • the credentials used (AttackVector.credential_nodes)
  • the weaknesses exploited (AttackVector.weakness_nodes)

The complexity of the attack path is related to the length of the path (ie. the number of nodes) and the types of nodes involved. The more credentials and weaknesses involved, the more complex the attack path is. The attack path complexity is relevant in assessing the likelihood that a real-world attacker would be able to replicate the attack path.

Fields
Field Name Description
uuid - String! A unique identifier for this AttackVector
target_node - Node! The target node of the attack vector.
algorithm - AttackVectorAlgorithm! The algorithm used to generate this AttackVector.
total_score - Float The total sum of risk scores of all nodes in the attack vector.
max_score - Float The max risk score of all nodes in the attack vector.
attack_graph - AttackGraph The directed acyclic graph of nodes and edges that comprise the attack path.
op_id - String! The op_id for this AttackVector.
nodes_count - Int Number of nodes in the attack vector
credentials_count - Int Number of credential_tabs in the attack vector, ie. credentials or unverified potential credentials
credential_nodes - [Node] The subset of nodes from the graph that refer to credential_tabs, ie. credentials or unverified potential credentials.
weaknesses_count - Int Number of weaknesses in the attack vector
weakness_nodes - [Node] The subset of nodes from the graph that refer to weaknesses.
hosts_count - Int Number of weaknesses in the attack vector
host_nodes - [Node] The subset of nodes from the graph that refer to hosts.
narrative - [Node] The subset of nodes from the graph that are most relevant for telling a step-by-step narrative of the attack path.
has_phished_cred - Boolean Flag indicating if the attack vector includes phished credentials.
has_injected_cred - Boolean Flag indicating if the attack vector includes injected credentials.
Example
{
  "uuid": "12341234-1234-1234-1234-123412341234",
  "target_node": Node,
  "algorithm": "POC",
  "total_score": 123.45,
  "max_score": 987.65,
  "attack_graph": AttackGraph,
  "op_id": "12341234-1234-1234-1234-123412341234",
  "nodes_count": 987,
  "credentials_count": 123,
  "credential_nodes": [Node],
  "weaknesses_count": 123,
  "weakness_nodes": [Node],
  "hosts_count": 123,
  "host_nodes": [Node],
  "narrative": [Node],
  "has_phished_cred": true,
  "has_injected_cred": true
}

AttackVectorAlgorithm

Description

The set of AttackVector algorithms

Values
Enum Value Description

POC

aka v1. This is the base algorithm. It is the most verbose; it does not prune anything out, like the others do.

v2

This algorithm is no longer used.

v3

This algorithm takes a v1 graph and applies the following changes:

  • Removes impact and proof nodes. These are now surfaced as labels on the nodes they connect to.
  • Removes AWS Connection nodes.
  • Structures the graph chronologically by timesteps aka "layers". All nodes that were created at the same time are grouped together in the same layer. The first node is kept in the attack graph; all the other nodes are stored as sub_nodes of the first node. The sub_nodes are technically un-stitched from the attack graph, by re-routing their edges to the first node. This structure facilitates rendering the graph on a timeline, as it is in the Portal.

v4

This algorithm is a more consolidated version of a v3 graph.
Example
"POC"

AttackVectorAlgorithmInput

Description

The set of AttackVector algorithms, as an Input type

Values
Enum Value Description

POC

aka v1. This is the base algorithm. It is the most verbose; it does not prune anything out, like the others do.

v2

This algorithm is no longer used.

v3

This algorithm takes a v1 graph and applies the following changes:

  • Removes impact and proof nodes. These are now surfaced as labels on the nodes they connect to.
  • Removes AWS Connection nodes.
  • Structures the graph chronologically by "layers". All nodes that were created at the same time are grouped together in the same layer. The first node is kept in the attack graph; all the other nodes are stored as sub_nodes of the first node. The sub_nodes are technically un-stitched from the attack graph, by re-routing their edges to the first node. This structure facilitates rendering the graph on a timeline, as it is in the Portal.

v4

This algorithm is a more consolidated version of a v3 graph.
Example
"POC"

AuthzRole

Description

Authorization role of a user within a client account. A user's role may change with the client account.

Values
Enum Value Description

USER

User has non-admin access in the client account.

READONLY

User has read-only access in the client account.

ORG_ADMIN

User has organizational admin access in the client account.

NODEZERO_RUNNER

This role is used with the h3-cli for configuring an automated runner for NodeZero.

NODEZERO_OPERATOR

This role is used by the NodeZero Kubernetes Operator for accessing the API when provisioning Runners or Pentests.

PHISHER

This role is used for pentests in which phishing is conducted, enable POSTing of phished credentials.
Example
"USER"

BlockedPentestableEntity

Description

A BlockedPentestableEntity links an external domain or IP asset (the PentestableEntity) with its PentestableRules.
The PentestableRules determine whether or not we allow external pentesting of the asset. Assets are blocked if we determine they are owned by providers that do not permit pentesting.

Fields
Field Name Description
pentestable_entity - PentestableEntity The pentestable entity that was blocked.
pentestable_rules - PentestableRules Then rules that determined why we blocked the asset from external pentesting.
Example
{
  "pentestable_entity": PentestableEntity,
  "pentestable_rules": PentestableRules
}

Boolean

Description

The Boolean scalar type represents true or false.

Example
true

BrandColor

Fields
Field Name Description
type - BrandColorType! Primary or Secondary.
color - HexColor! The color in hex notation.
Example
{"type": "primary", "color": "#bb032d"}

BrandColorInput

Fields
Input Field Description
type - BrandColorType! Primary or Secondary.
color - HexColor! The color in hex notation.
Example
{"type": "primary", "color": "#bb032d"}

BrandColorType

Values
Enum Value Description

primary

Primary color.

secondary

Secondary color.
Example
"primary"

Campaign

Description

Campaign entity for organizing perspectives.

Fields
Field Name Description
uuid - String! Campaign UUID
name - String! Campaign name
description - String! Campaign description
client_account_uuid - String! Client account UUID
is_deleted - Boolean! Whether the campaign is soft-deleted
deleted_at - String When the campaign was soft-deleted
row_created_at - String! When the campaign was created
row_updated_at - String When the campaign was last updated
perspective_uuids - [String!] List of perspective UUIDs associated with this campaign
perspectives_count - Int! Returns count of perspectives that are included in this campaign
Arguments
page_input - PageInput
Example
{
  "uuid": "12341234-1234-1234-1234-123412341234",
  "name": "xyz789",
  "description": "xyz789",
  "client_account_uuid": "12341234-1234-1234-1234-123412341234",
  "is_deleted": true,
  "deleted_at": "2021-07-22T05:02:40.294996",
  "row_created_at": "2021-07-22T05:02:40.294996",
  "row_updated_at": "2021-07-22T05:02:40.294996",
  "perspective_uuids": ["xyz789"],
  "perspectives_count": 987
}

ClientAccount

Description

Represents a client account.

Fields
Field Name Description
uuid - String! ID of client account.
parent_uuid - String ID of parent client account.
child_client_accounts - [ClientAccount!]! List of child client accounts, also known as sub-client accounts.
child_client_accounts_page - ClientAccountsPage! List of child client accounts, also known as sub-client accounts. Paginated.
Arguments
page_input - PageInput
child_client_accounts_count - Int! Count of child client accounts, also known as sub-client accounts.
Arguments
page_input - PageInput
company_name - String! Full company name.
company_short_name - String! Short name of company.
company_logo_url - String Company logo URL.
secondary_company_logo_url - String Secondary company logo URL.
company_colors - [BrandColor!] Company color scheme.
white_label_reports_enabled - Boolean Flag to enable co-branded reports.
white_label_reports_cascade - Boolean Flag to cascade co-branded reports to child accounts, if applicable.
row_created_at - Datetime Timestamp when the account was created, in ISO format (UTC).
session_user_role_id - AuthzRole Role of the current user in this client account.
tripwires_enabled - Boolean! Flag to indicate whether NodeZero Tripwires is enabled for the client account.
assets_count - Int Count of assets for this client. Does not include assets from child accounts.
internal_assets_count - Int Count of internal assets for this client. Does not include assets from child accounts.
external_assets_count - Int Count of external assets for this client. Does not include assets from child accounts.
Example
{
  "uuid": "12341234-1234-1234-1234-123412341234",
  "parent_uuid": "12341234-1234-1234-1234-123412341234",
  "child_client_accounts": [ClientAccount],
  "child_client_accounts_page": ClientAccountsPage,
  "child_client_accounts_count": 123,
  "company_name": "Horizon3 AI, Inc",
  "company_short_name": "H3",
  "company_logo_url": "https://example.com/example",
  "secondary_company_logo_url": "https://example.com/example",
  "company_colors": [BrandColor],
  "white_label_reports_enabled": true,
  "white_label_reports_cascade": true,
  "row_created_at": "2021-07-22T05:02:40.294996",
  "session_user_role_id": "USER",
  "tripwires_enabled": true,
  "assets_count": 123,
  "internal_assets_count": 987,
  "external_assets_count": 987
}

ClientAccountInput

Description

Arguments to create client account.

Fields
Input Field Description
CompanyName - StringNotEmpty! Full company name.
company_short_name - StringNotEmpty Short company name.
access_level - AccessLevel! Access level of client account.
parent_uuid - String ID of client account to assign as parent.
Example
{
  "CompanyName": StringNotEmpty,
  "company_short_name": StringNotEmpty,
  "access_level": "FREE_TRIAL",
  "parent_uuid": "12341234-1234-1234-1234-123412341234"
}

ClientAccountOutput

Description

Client account data wrapper.

Fields
Field Name Description
client_account - ClientAccount The client account.
Example
{"client_account": ClientAccount}

ClientAccountUpdateInput

Description

Arguments to update client account.

Fields
Input Field Description
uuid - String! Client account to update.
CompanyName - StringNotEmpty Full company name.
company_short_name - StringNotEmpty Short company name.
company_colors - [BrandColorInput!] Company color scheme.
white_label_reports_enabled - Boolean Flag to enable co-branded reports.
white_label_reports_cascade - Boolean Flag to cascade co-branded reports to child accounts, if applicable.
Example
{
  "uuid": "12341234-1234-1234-1234-123412341234",
  "CompanyName": StringNotEmpty,
  "company_short_name": StringNotEmpty,
  "company_colors": [BrandColorInput],
  "white_label_reports_enabled": true,
  "white_label_reports_cascade": true
}

ClientAccountsPage

Fields
Field Name Description
page_info - PageInfo Pagination of response.
client_accounts - [ClientAccount!]! List of client accounts.
Example
{
  "page_info": PageInfo,
  "client_accounts": [ClientAccount]
}

CloudResource

Description

Represents a resource in a CloudAccount, eg. an AWS EC2 instance, an AWS Lambda, an Azure Viritual Machine, etc.

Fields
Field Name Description
uuid - String! The unique ID of the CloudResource.
cloud_service_name - String The CloudService that hosts this CloudResource, eg. aws_ec2.
ip - String The IP address of the CloudResource.
arn - String The unique ID of the CloudResource, as assigned by the cloud provider. Eg. the AWS ARN, the Azure Resource ID, etc.
data_resources_count - Long The number of data resources found on this CloudResource. Includes all files and DB records. Excludes web pages.
op_id - String! The ID of the Op this CloudResource was found in.
created_at - Datetime Time when the CloudResource was found during the Op (UTC).
cloud_account_id - String The cloud account ID that owns this CloudResource.
cloud_provider_name - String The cloud provider of this CloudResource, eg. AWS, AZURE
Example
{
  "uuid": "12341234-1234-1234-1234-123412341234",
  "cloud_service_name": "xyz789",
  "ip": "123.45.67.89",
  "arn": "xyz789",
  "data_resources_count": Long,
  "op_id": "12341234-1234-1234-1234-123412341234",
  "created_at": "2021-07-22T05:02:40.294996",
  "cloud_account_id": "xyz789",
  "cloud_provider_name": "abc123"
}

CloudRole

Description

Represents a security role in a cloud account.

Fields
Field Name Description
uuid - String! The unique ID of the CloudRole.
created_at - Datetime! The time when the CloudRole was found during the Op (UTC).
name - String! The role name.
cloud_account_id - String The cloud account where this CloudRole is defined.
cloud_provider_name - String The cloud provider of this CloudRole.
op_id - String! The ID of the Op this CloudRole was found in.
Example
{
  "uuid": "12341234-1234-1234-1234-123412341234",
  "created_at": "2021-07-22T05:02:40.294996",
  "name": "xyz789",
  "cloud_account_id": "abc123",
  "cloud_provider_name": "xyz789",
  "op_id": "12341234-1234-1234-1234-123412341234"
}

CommandOutput

Description

Output from a shell command executed by NodeZero during a pentest.

Fields
Field Name Description
command - String The command executed.
output - String The output from the command.
Example
{
  "command": "xyz789",
  "output": "abc123"
}

CreateCampaignInput

Description

Input for creating a new campaign.

Fields
Input Field Description
name - String! Campaign name (required, max 128 characters)
description - String! Campaign description (required, max 256 characters)
perspective_uuids - [String!] Optional list of perspective UUIDs to associate with the campaign
Example
{
  "name": "xyz789",
  "description": "abc123",
  "perspective_uuids": ["xyz789"]
}

CreateOpOutput

Description

The output from Mutation.create_op.

Fields
Field Name Description
op - Op! The created op.
Example
{"op": Op}

CreateScheduledActionInput

Description

Input type for Mutation.create_scheduled_action

Fields
Input Field Description
schedule_name - String! The name of the Schedule that the ScheduledAction belongs to. A Schedule is a collection of ScheduledActions.
action - String!

The action to execute. Supported actions are:

  • run-pentest: Run a pentest using the OpTemplate configured in the ScheduledAction.
  • pause-pentest: Pause a pentest that is currently running.
  • resume-pentest: Resume a paused pentest.
  • cancel-pentest: Cancel a pentest that is currently running.
cron_expression - String!

A cron expression that defines when the action is executed.

A cron expression is a string consisting of 5 fields separated by spaces. The 5 fields represent the following:

  • minute (0–59) - this field must always be set to '*' or '0'.
  • hour (0–23) - note this is in UTC time.
  • day of the month (1–31)
  • month (1–12)
  • day of the week (0–6) (Sunday to Saturday)

Notes:

  • ScheduledActions only support hourly resolution. The minutes field must always be set to '*' or '0'.
  • The cron expression is configured in UTC time. If you want to run the action at a specific time in another timezone, you will need to convert that time to UTC.
op_template_uuid - String This field is used with the run-pentest action. This is the OpTemplate that will be used to run the pentest when the ScheduledAction is triggered.
Example
{
  "schedule_name": "xyz789",
  "action": "xyz789",
  "cron_expression": "abc123",
  "op_template_uuid": "12341234-1234-1234-1234-123412341234"
}

CreateUserAccountInput

Description

Arguments to create user account.

Fields
Input Field Description
name - String! Name of user.
email - EmailAddress! Email of user.
client_account_uuid - String ID of client account to add the user to. Defaults to the current user client account.
user_role_id - AuthzRole! Role of user in the given client account.
is_sso - Boolean If set, a BASIC auth username/password account will not be created for the user.
Example
{
  "name": "John Smith",
  "email": "john.smith@example.com",
  "client_account_uuid": "12341234-1234-1234-1234-123412341234",
  "user_role_id": "USER",
  "is_sso": true
}

Credential

Description

A Credential represents a user + password/hash/secret pair found by NodeZero during a pentest.

Fields
Field Name Description
uuid - String! Unique ID for this Credential.
created_at - Datetime! When the Credential was found by NodeZero.
cred_type - String The type of Credential, eg. STANDARD.
user_name - String The name of the user or subject associated with this Credential.
k8s_identity_name - String The name of the Kubernetes identity associated with this Credential.
cloud_role_name - String The name of the CloudRole, eg. an AWS IAM role, associated with this Credential.
cloud_account_id - String The ID of the CloudAccount, eg. an AWS account, where this Credential was found.
ip - String The IP where this Credential was used. Note that some Credentials might be used on multiple IPs, eg. Domain User Credentials. See ips.
ips - [String] The IP(s) where this Credential was used. Note that some Credentials might be used on multiple IPs, eg. Domain User Credentials.
sockets - [String] The IP(s) and port(s) where this Credential was used. A socket is the concatenation of {ip}:{port}
product - String The product or service this Credential was used for.
permissions_list - [String] The list of permissions associated with this Credential.
api_key_id - String The API key ID, eg. an AWS Access Key ID.
api_secret_key - String The API key secret.
api_session_token - String The API key session token.
cleartext - String The (masked-out) cleartext password for this Credential.
hash - String The (masked-out) encrypted hash for this Credential.
has_proof - Boolean true if NodeZero obtained Proof of this Credential.
proofs - [Proof] Proofs for this Credential.
is_validated - Boolean true if the Credential was used and validated during the Op.
hosts - [Host] The list of Hosts accessed by this Credential during the Op.
is_injected - Boolean true if the Credential was injected into the pentest.
is_cracked - Boolean true if the Credential was cracked during the pentest.
is_local_admin - Boolean true if the Credential has Local Admin privileges on a host.
is_domain_admin - Boolean true if the Credential has Domain Admin privileges.
is_entra_global_admin - Boolean true if the Credential has Global Admin privileges in Entra.
role_name - String Pretty printed format of role, e.g. Domain User, Local Admin, etc.
context_score_description - String A human-friendly description for the Credential's risk score.
score - Float The risk score for this Credential.
severity - Severity The Severity level associated with the score.
weaknesses_count - Int! The number of Weaknesses associated with this Credential.
weaknesses_page - WeaknessesPage! The list of Weaknesses associated with this Credential.
Arguments
page_input - PageInput
services_count - Int! The number of Services accessed by this Credential.
data_stores_count - Int! The number of DataStores accessed by this Credential.
op_id - String! The Op the Credential was found in.
op - Op! The Op the Credential was found in.
downstream_impact_types - [ImpactType!] List of ImpactTypes found downstream of this Credential during the Op. This is equivalent to attack_paths.
attack_paths_count - Int! The number of AttackPaths the Credential is included in. This is equivalent to the number of Impacts found downstream of this Credential.
Arguments
page_input - PageInput
attack_paths_page - AttackPathsPage! The list of AttackPaths the Credential is included in. This is equivalent to the list of Impacts found downstream of this Credential.
Arguments
page_input - PageInput
time_to_finding_hms - String The time it took to find the Credential. Formatted as hours:minutes:seconds (hh:mm:ss).
time_to_finding_s - Int The time it took (in seconds) to find the Credential.
display_name - String Display name for this Credential. This is either the username, username@ip, or aws_access_key_id, depending on the type of credential.
Example
{
  "uuid": "12341234-1234-1234-1234-123412341234",
  "created_at": "2021-07-22T05:02:40.294996",
  "cred_type": "abc123",
  "user_name": "abc123",
  "k8s_identity_name": "xyz789",
  "cloud_role_name": "abc123",
  "cloud_account_id": "abc123",
  "ip": "123.45.67.89",
  "ips": ["xyz789"],
  "sockets": ["abc123"],
  "product": "xyz789",
  "permissions_list": ["xyz789"],
  "api_key_id": "xyz789",
  "api_secret_key": "abc123",
  "api_session_token": "xyz789",
  "cleartext": "xyz789",
  "hash": "abc123",
  "has_proof": true,
  "proofs": [Proof],
  "is_validated": false,
  "hosts": [Host],
  "is_injected": false,
  "is_cracked": false,
  "is_local_admin": true,
  "is_domain_admin": true,
  "is_entra_global_admin": true,
  "role_name": "xyz789",
  "context_score_description": "abc123",
  "score": 987.65,
  "severity": "INFO",
  "weaknesses_count": 987,
  "weaknesses_page": WeaknessesPage,
  "services_count": 987,
  "data_stores_count": 123,
  "op_id": "12341234-1234-1234-1234-123412341234",
  "op": Op,
  "downstream_impact_types": ["AWSUserRoleCompromise"],
  "attack_paths_count": 123,
  "attack_paths_page": AttackPathsPage,
  "time_to_finding_hms": "22:05:31",
  "time_to_finding_s": 123,
  "display_name": "abc123"
}

CredentialsPage

Description

Contains a page of Credential records.

Fields
Field Name Description
page_info - PageInfo Information about the current page.
credentials - [Credential!]! List of Credentials for the current page.
Example
{
  "page_info": PageInfo,
  "credentials": [Credential]
}

DataStore

Description

A DataStore represents a digital repository that stores and manages data. For example a file share, database, FTP service, S3 bucket, Docker Registry, etc.

The type of data store is indicated by the data_store_type field.

Fields
Field Name Description
uuid - String! Unique ID for this DataStore.
created_at - Datetime! When the DataStore was observed
name - String The DataStore name
name_and_account - String The DataStore name, prefixed by the account when applicable, e.g. :
title - String eg. File Share ADMIN$ on 123.4.5.6 Port 345
ip - String The IP address of the DataStore.
port - Int The port of the DataStore.
host_name - String The hostname of the DataStore.
service_type - String FileShare: SMB / NFS / h3_service_name DockerRegistry: Docker Registry (or Docker Image?) DatabaseRepo: PostgreSQL, - prettify db name (iana_service_name) - ref_exp.node_label_line1 ? S3Bucket: S3 GitRepo: GitLab / GitHub / git_account.source AzureOutlook: Azure Mailbox
account - String S3Bucket: cloud_account.id GitRepo: git_account.name AzureOutlook: cloud_account.id
address - String FileShare: service.ip | service.dns_address_fqdn DockerRegistry: service.ip | service.dns_address_fqdn DatabaseRepo: service.ip | service.dns_address_fqdn S3Bucket: s3://{repo.name} GitRepo: repo.git_clone_url AzureOutlook: repo.name (the mailbox url)
data_resources_count - Long FileShare: total file count DockerRegistry: total image count DatabaseRepo: total recourd count S3Bucket: total file count GitRepo: sensitive findings count (TODO: total file count?) AzureOutlook: total email count
data_resources_label - String FileShare: FILES S3Bucket: OBJECTS AzureOutlook: EMAILS GitRepo: SENSITIVE FINDINGS DatabaseRepo: RECORDS DockerRegistry: IMAGES
sensitive_resources_count - Int! For FileShares/S3Buckets, the count of sensitive files. For GitRepos, the count of sensitive findings. For DatabaseRepo, DockerRegistry, AzureOutlook: n/a
is_authenticated - Boolean True if the DataStore was accessed by a non-anonymous credential.
cloud_resource_arn - String ARN of the CloudResource that hosts this share
cloud_service_name - String Applies to S3Buckets and CloudResources
cloud_provider_name - String Applies to S3Buckets and CloudResources
permissions_list - [String] Aggregated permissions across all credentials with access to this share. read, write, list.
aws_anonymous_user_permissions_list - [String] Applies to S3Buckets
aws_cross_account_user_permissions_list - [String] Applies to S3Buckets
op_id - String! The Op in which this DataStore was observed.
score - Float The risk score for this DataStore (equal to context_score if set, otherwise base_score).
severity - Severity Severity level associated with the score.
base_score - Float Base risk score associated with the DataStore.
base_severity - Severity Severity level associated with the base risk score.
context_score - Float Risk score based on the total impact derived from exploiting the weaknesses and data found on this DataStore.
context_severity - Severity Severity level associated with the context score.
sensitive_data_item_count - Int Sum of sensitive data items found across all InterestingResources on the ShareTab. Sensitive data may be include PII or PCI, such as social security numbers, credit card numbers, etc.
sensitive_data_item_types_and_counts - [String!] List of unique sensitive data types and their aggregate counts found across all InterestingResources on the ShareTab. Each array element is formatted as SensitiveDataType,count, e.g. ["CREDIT_CARD,2", ...]
sensitive_data_item_titles_and_counts - [String!] List of unique sensitive data titles and their aggregate counts found across all InterestingResources on the ShareTab. Each array element is formatted as title,count, e.g. ["Credit Card Number,2", ...]
downstream_impact_types - [ImpactType!] List of ImpactTypes found downstream of this ShareTab, equivalent to related impacts.
downstream_impact_types_and_counts - [String!] List of ImpactTypes and associated counts found downstream of this ShareTab, equivalent to related impacts. Each array element is formatted as ImpactType,count, e.g. ["RansomwareExposure,2", "SensitiveDataExposure,2"]
impact_paths_count - Int! The number of Impact paths the DataStore is included in. Alias of attack_paths_count.
attack_paths_count - Int! The number of attack paths the DataStore is included in. Alias of impact_paths_count.
weaknesses_count - Int! Number of weaknesses affecting this DataStore.
Example
{
  "uuid": "12341234-1234-1234-1234-123412341234",
  "created_at": "2021-07-22T05:02:40.294996",
  "name": "xyz789",
  "name_and_account": "xyz789",
  "title": "abc123",
  "ip": "123.45.67.89",
  "port": 123,
  "host_name": "abc123",
  "service_type": "xyz789",
  "account": "abc123",
  "address": "abc123",
  "data_resources_count": Long,
  "data_resources_label": "xyz789",
  "sensitive_resources_count": 123,
  "is_authenticated": false,
  "cloud_resource_arn": "xyz789",
  "cloud_service_name": "abc123",
  "cloud_provider_name": "xyz789",
  "permissions_list": ["abc123"],
  "aws_anonymous_user_permissions_list": [
    "abc123"
  ],
  "aws_cross_account_user_permissions_list": [
    "xyz789"
  ],
  "op_id": "12341234-1234-1234-1234-123412341234",
  "score": 987.65,
  "severity": "INFO",
  "base_score": 987.65,
  "base_severity": "INFO",
  "context_score": 123.45,
  "context_severity": "INFO",
  "sensitive_data_item_count": 123,
  "sensitive_data_item_types_and_counts": [
    "abc123"
  ],
  "sensitive_data_item_titles_and_counts": [
    "xyz789"
  ],
  "downstream_impact_types": ["AWSUserRoleCompromise"],
  "downstream_impact_types_and_counts": [
    "xyz789"
  ],
  "impact_paths_count": 123,
  "attack_paths_count": 987,
  "weaknesses_count": 987
}

Date

Description

String scalar type with date ISO format serialization, eg. 2021-07-22.

Example
"2025-10-03T15:50:42.673Z"

Datetime

Description

String scalar type with datetime ISO format serialization, eg. 2021-07-22T05:02:40.294996.

Example
Datetime

DeleteOpTemplateOutput

Fields
Field Name Description
op_template - OpTemplate The deleted op template
Example
{"op_template": OpTemplate}

DeleteScheduledActionInput

Description

Input type for Mutation.delete_scheduled_action

Fields
Input Field Description
schedule_name - String! The Schedule name
action - String! The action to delete. Supported actions: run-pentest, pause-pentest, resume-pentest, cancel-pentest
Example
{
  "schedule_name": "xyz789",
  "action": "xyz789"
}

Deleted

Fields
Field Name Description
success - Boolean! The result of the operation.
Example
{"success": false}

DiffStats

Description

Aggregate stats used with diff-related APIs, for example Query.weaknesses_diff_stats.

Fields
Field Name Description
added_count - Int The number of records with diff_status: ADDED.
removed_count - Int The number of records with diff_status: REMOVED.
unchanged_count - Int The number of records that are the same between the two sets being compared.
Example
{"added_count": 123, "removed_count": 987, "unchanged_count": 123}

DiffStatus

Description

Used with diff-related APIs, for example Query.weaknesses_diff_page.

Values
Enum Value Description

ADDED

Indicates the record is NOT present in the first set, but is present in the second set.

REMOVED

Indicates the record is present in the first set, but is NOT present in the second set.
Example
"ADDED"

Edge

Description

An edge in an AttackVector. Connects two nodes in the AttackVector DAG: the source/from node and the target/to node.

Fields
Field Name Description
from_uuid - String! The uuid of the source node. Aka the "from" node of an edge that goes from one node to another node.
to_uuid - String! The uuid of the target node. Aka the "to" node of an edge that goes from one node to another node.
Example
{
  "from_uuid": "12341234-1234-1234-1234-123412341234",
  "to_uuid": "12341234-1234-1234-1234-123412341234"
}

EmailAddress

Description

String scalar type with email address format required.

Example
EmailAddress

EnumerationProofOutput

Description

A structured enumeration item from Discovery proof data.

Fields
Field Name Description
name - String! The primary display name for this enumeration item.
metadata - JSONObject! Additional metadata for this enumeration item.
Example
{
  "name": "abc123",
  "metadata": JSONObject
}

ExcludedDomain

Description

Represents an external domain that was excluded from a pentest due to the given reason.

Fields
Field Name Description
op_id - String! The op that excluded the domain.
domain - String! The external domain that was excluded.
Example
{
  "op_id": "12341234-1234-1234-1234-123412341234",
  "domain": "abc123"
}

ExcludedIP

Description

Represents an IP address that was excluded from a pentest due to the given reason.

Fields
Field Name Description
op_id - String! The op that excluded the IP.
ip - String! The IP that was excluded.
Example
{"op_id": "12341234-1234-1234-1234-123412341234", "ip": "123.45.67.89"}

ExternalDomain

Description

Represents a publicly resolvable DNS domain name.

Fields
Field Name Description
uuid - String! The unique ID for this ExternalDomain.
created_at - Datetime! The time when the ExternalDomain was found during the Op (UTC).
name - String! The domain name.
cnames - [String] CNAMEs linked to this domain name.
ips - [String] The IPs this ExternalDomain resolves to.
op_id - String! The ID of the Op this ExternalDomain was found in.
Example
{
  "uuid": "12341234-1234-1234-1234-123412341234",
  "created_at": "2021-07-22T05:02:40.294996",
  "name": "abc123",
  "cnames": ["abc123"],
  "ips": ["xyz789"],
  "op_id": "12341234-1234-1234-1234-123412341234"
}

ExternalDomainXop

Description

This type is an abstraction over the ExternalDomain type representing a uniquely identified ExternalDomain asset across an OpSeries of ops. The asset is id'ed via the xop_id field. The xop_id field is set to the domain name.

Fields
Field Name Description
uuid - String! {op_series_uuid}/{xop_id}
op_series_uuid - String! This ExternalDomainXop type represents an asset being tracked across this OpSeries.
xop_id - String! The durable xop identity. Always derived from the data itself (ie. not an arbitrary uuid) For ExternalDomainXop, the xop_id is the domain name.
last_external_domain - ExternalDomain! The underlying ExternalDomain record from the last op where this domain name appeared
last_external_domains - [ExternalDomain]! The underlying ExternalDomain records from the last op where this domain name appeared
last_op_id - String The last op this domain name appeared in.
current_op_id - String The most recently run op in the OpSeries.
is_authorized - Boolean Indicates whether or not the domain has been marked "authorized for pentesting" by the user.
pentestable_rules - PentestableRules Apply rules to determine whether we allow the user to authorizie this ExternalDomain for pentesting.
is_dynamic_ip - Boolean Indicates whether the xop has been marked as "uses dynamic IPs" by the user
excluded_domain_from_last_pentest - ExcludedDomain The ExcludedDomain record from the LAST ExternalAttack pentest against this AssetGroup/OpSeries. This will be non-null if the asset was authorized for pentesting, but was excluded (moved out of scope) in the last ExternalAttack pentest, due to drift or unreachability.
third_party_aliases - [String] Full list of 3rd-party aliases. Includes all subdomains NOT covered by a TLD in the AssetGroup config. Aliases include CNAMEs (ExternalDomain.cname_chain) and DNS Reverse-Lookup Names (ExternalDomain.endpoint_dns_hostnames).
third_party_certificate_subject_cns - [String] 3rd-party certificate subject CNs. Includes all CNs NOT covered by a TLD in the AssetGroup config.
Example
{
  "uuid": "12341234-1234-1234-1234-123412341234",
  "op_series_uuid": "12341234-1234-1234-1234-123412341234",
  "xop_id": "abc123",
  "last_external_domain": ExternalDomain,
  "last_external_domains": [ExternalDomain],
  "last_op_id": "xyz789",
  "current_op_id": "xyz789",
  "is_authorized": true,
  "pentestable_rules": PentestableRules,
  "is_dynamic_ip": "123.45.67.89",
  "excluded_domain_from_last_pentest": ExcludedDomain,
  "third_party_aliases": ["abc123"],
  "third_party_certificate_subject_cns": [
    "abc123"
  ]
}

FeatureFlag

Description

Represents Advanced Configuration settings.

Fields
Field Name Description
name - String! The name of the advanced configuration option.
value - Boolean Indicates whether the option is enabled or disabled.
config_value - AttackConfigValue The value declared by the user for the feature flag. See 'AttackConfigValue' for more details.
property_name - String Human-friendly name for this advanced configuration option.
property_description - String Description for this advanced configuration option.
category_name - String Category of this advanced configuration option.
category_description - String Category description.
risk - FeatureFlagRiskType The disruption risk associated with this advanced configuration option.
enables_min_runtime - Boolean Indicates whether this advanced configuration option should be used in conjunction with ScheduleOpFormInput.minimum_run_time.
enables_password_spray - Boolean Indicates whether this advanced configuration option should be used in conjunction with ScheduleOpFormInput.passwords_to_spray.
is_new - Boolean! Indicates the FeatureFlag was introduced after the last time the containing OpTemplate was saved. This helps alert the user about new Attack Config options available in their OpTemplate.
Once the OpTemplate is re-saved with the new options, the is_new field is reset.
Example
{
  "name": "xyz789",
  "value": false,
  "config_value": AttackConfigValue,
  "property_name": "xyz789",
  "property_description": "xyz789",
  "category_name": "abc123",
  "category_description": "xyz789",
  "risk": "none",
  "enables_min_runtime": false,
  "enables_password_spray": true,
  "is_new": false
}

FeatureFlagInput

Description

Represents Advanced Configuration input.

Fields
Input Field Description
name - String! The name of the advanced configuration option.
value - Boolean Indicates whether the option is enabled or disabled (Used for bool type ONLY options)
config_value - AttackConfigValueInput This field represents the configuration value for the feature flag. It should match the type specified by the data_type attribute. (See AttackConfigValueInput for more details).
Example
{
  "name": "abc123",
  "value": false,
  "config_value": AttackConfigValueInput
}

FeatureFlagRiskType

Values
Enum Value Description

none

The feature has no risk of disruption to your environment.

low

The feature has low risk of disruption to your environment.

moderate

The feature has moderate risk of disruption to your environment.

high

The feature has high risk of disruption to your environment.
Example
"none"

FileAttributes

Fields
Field Name Description
name - String! Name of the file
path - String! Path to the file in the file system
sha1 - String SHA1 hash of the file.
Example
{
  "name": "xyz789",
  "path": "xyz789",
  "sha1": "abc123"
}

FilterBy

Description

Filtering of response data. Corresponding type for FilterByInput.

Fields
Field Name Description
field_name - StringNoWhitespace! Name of parameter being filtered by.
values - [String] Values to filter for. See FilterByInput.
not_values - [String] Values to filter out. See FilterByInput.
less_than - String The field value is strictly less than this value. See FilterByInput.
less_than_or_equal - String The field value is less than OR equal to this value. See FilterByInput.
greater_than - String The field value is strictly greater than this value. See FilterByInput.
greater_than_or_equal - String The field value is strictly greater than this value. See FilterByInput.
Example
{
  "field_name": StringNoWhitespace,
  "values": ["abc123"],
  "not_values": ["abc123"],
  "less_than": "xyz789",
  "less_than_or_equal": "abc123",
  "greater_than": "abc123",
  "greater_than_or_equal": "abc123"
}

FilterByInput

Description

Filter by parameter, e.g. fetch results where field_name in values.

Fields
Input Field Description
field_name - StringNoWhitespace! Name of parameter to filter by.
values - [String] Values to filter for. Cannot be combined with not_values input. Can be combined with greater_than* or less_than* inputs. Combined inputs are AND'ed together.
not_values - [String] Values to filter out. Cannot be combined with values input. Can be combined with greater_than* or less_than* inputs. Combined inputs are AND'ed together.
greater_than - String The field value is strictly greater than this value. Cannot be combined with greater_than_or_equal input. Can be combined with less_than* inputs and values, not_values inputs. Combined inputs are AND'ed together.
greater_than_or_equal - String The field value is strictly greater than this value. Cannot be combined with greater_than input. Can be combined with less_than* inputs and values, not_values inputs. Combined inputs are AND'ed together.
less_than - String The field value is strictly less than this value. Cannot be combined with less_than_or_equal input. Can be combined with greater_than* inputs and values, not_values inputs. Combined inputs are AND'ed together.
less_than_or_equal - String The field value is less than OR equal to this value. Cannot be combined with less_than input. Can be combined with greater_than* inputs and values, not_values inputs. Combined inputs are AND'ed together.
filter_by_input_mode - FilterByInputMode Determines the logical operator to use, AND or OR, when applying multiple filters to a query. Defaults to AND
is_null - Boolean The field value IS NULL or IS NOT NULL. If true, checks the field value for IS NULL. If false, checks the field value for IS NOT NULL. If null, does not check for either IS NULL or IS NOT NULL. Combined inputs are AND'ed together.
Example
{
  "field_name": StringNoWhitespace,
  "values": ["xyz789"],
  "not_values": ["xyz789"],
  "greater_than": "xyz789",
  "greater_than_or_equal": "xyz789",
  "less_than": "abc123",
  "less_than_or_equal": "xyz789",
  "filter_by_input_mode": "AND",
  "is_null": false
}

FilterByInputMode

Description

Logical operator to use when applying multiple filters to a query.

Values
Enum Value Description

AND

AND operator. The query results must satisfy all filters. This is the default.

OR

OR operator. The query results must satisfy at least one of the filters.
Example
"AND"

Float

Description

The Float scalar type represents signed double-precision fractional values as specified by IEEE 754.

Example
987.65

GitAccount

Description

Corresponding (non-input) GitAccount type.

Note that GitAccount objects are also created by the op as they are discovered.

Fields
Field Name Description
name - String! Name of the git account.
source - GitAccountSource! The git service associated with this git account.
Example
{"name": "xyz789", "source": "GitLab"}

GitAccountInput

Description

GitAccount input type.

Fields
Input Field Description
name - StringNoWhitespace! Name of the git account.
source - GitAccountSource! The git service associated with this git account.
Example
{"name": StringNoWhitespace, "source": "GitLab"}

GitAccountSource

Description

The git service for a GitAccount.

Values
Enum Value Description

GitLab

The git account is associated with GitLab

GitHub

The git account is associated with GitHub

Bitbucket

The git account is associated with BitBucket.
Example
"GitLab"

GraphQLDef

Description

A GraphQLDef represents the schema definition of a single schema element in the GraphQL API. The schema element can be one of:

  • a GraphQL Type (eg. Query, Mutation, WeaknessesPage, Weakness, etc)
  • a GraphQL Field within a type (eg. Query.weaknesses_page, Weakness.op_id, etc)
  • a GraphQL Enum (eg. AuthzRole, PortalOpState, etc)
  • a GraphQL Enum Value (eg. AuthzRole.ORG_ADMIN, PortalOpState.running, etc)
Fields
Field Name Description
id - String!

Uniq id of the schema element in the GraphQL API.

  • for a Type, it's the type name (eg. Query, WeaknessesPage)
  • for a Field, it's the type name + field name (eg. Query.weaknesses_page)
  • for an Enum, it's the enum name (eg. AuthzRole)
  • for an Enum Value, it's the enum name + enum value (eg. AuthzRole.ORG_ADMIN)
description - String The description of the schema element (sourced from its docstring)
declaration - String How the GraphQL schema element would be declared in a GraphQL schema. eg. "weaknesses_page(input: OpInput!, page_input: PageInput): WeaknessesPage!"
name - String!

The name of the GraphQL schema element.

  • for a Type, it's the type name (eg. Query, WeaknessesPage)
  • for a Field, it's the field name (eg. weaknesses_page)
  • for an Enum, it's the enum name (eg. AuthzRole)
  • for an Enum Value, it's the enum value (eg. ORG_ADMIN)
type - String! The type of the field. May include modifiers like ! and []
type_name - String! The type name of the field. This excludes modifiers like ! and []
parent_id - String The parent type. this applies only to fields and enums
default_value - String Default value for an inputField or arg.
related_type_ids - [String!] All types that are related to this GraphQL schema element. This applies only to fields w/ args.
It includes the type of the field and the types of all args.
related_types - [GraphQLDef!] All types that are related to this GraphQL schema element. This applies only to fields w/ args.
It includes the type of the field and the types of all args.
args - [JSONObject!] List of args that look something like this. args only apply to fields that take parameters. { "declaration": "page_input: PageInput", "defaultValue": null, "description": null, "name": "page_input", "type": "PageInput", "type_name": "PageInput" }
fields - [GraphQLDef!] The list of fields for this type.
Example
{
  "id": "abc123",
  "description": "abc123",
  "declaration": "xyz789",
  "name": "xyz789",
  "type": "xyz789",
  "type_name": "abc123",
  "parent_id": "abc123",
  "default_value": "xyz789",
  "related_type_ids": ["abc123"],
  "related_types": [GraphQLDef],
  "args": [JSONObject],
  "fields": [GraphQLDef]
}

HexColor

Description

Hex color string, eg. #def or #bb032b.

Example
HexColor

Host

Description

A Host represents a unique IP address found by NodeZero during an Op.

Fields
Field Name Description
uuid - String! Unique ID for the Host.
created_at - Datetime! When the Host was found during the Op (UTC).
ip - String The IP address of this Host. A Host record is uniquely identified by the IP address.
mac - String The MAC address of this Host.
cname_chains - [String] The CNAMEs linked to any DNS hostnames associated with this Host.
host_name - String The hostname for this Host. May be an LDAP hostname or DNS hostname.
host_names - [String]

All hostnames found for this Host/IP. This includes:

  • Internal/External DNS hostnames
  • LDAP hostname
  • VHost names
is_in_scope - Boolean true if the Host was included in the configured scope.
is_domain_controller - Boolean true if the Host is a domain controller.
is_database_server - Boolean true if the Host is a database server.
is_load_balancer - Boolean true if the Host is a load balancer.
is_mail_server - Boolean true if the Host is a mail server.
is_vpn - Boolean true if the Host is a VPN.
is_waf - Boolean true if the Host is a WAF.
os_fingerprints - [String] Set of OS names/fingerprints for the Host.
hardware_fingerprints - [String] Set of hardware names/fingerprints for the Host.
device_fingerprints - [String] Set of device names/fingerprints for the Host.
op_id - String! ID of the Op in which this Host was found
data_stores_count - Int! The number of DataStores found on this Host.
credentials_count - Int! The number of Credentials that accessed this Host during the Op.
credentials_page - CredentialsPage! The list of Credentials that accessed this Host during the Op.
Arguments
page_input - PageInput
data_resources_count - Long The number of data resources found on this Host. Includes all files and DB records. Excludes web pages. See web_resources_count.
web_resources_count - Long The number of web pages found on this Host.
services_count - Int! The number of Services found on this Host.
context_score_description - String A human-friendly description for the Host's risk score.
score - Float The risk score for this Host.
severity - Severity The Severity level associated with the score.
subnet - String Subnet containing this Host's IP address.
cloud_provider - String The cloud provider of this Host, eg. aws, gcp, azure, etc.
cloud_region - String The cloud region where this Host was found, eg. us-east-1, us-central1, etc.
cloud_arns - [String!] The ARNs of the CloudResources associated with this Host.
is_public - Boolean True if this is a public IP address.
action_logs_count - Int! The number of actions/commands run by NodeZero on this Host during the Op.
Arguments
page_input - PageInput
action_logs_page - ActionLogsPage! The list of actions/commands run by NodeZero on this Host during the Op.
Arguments
page_input - PageInput
action_logs_csv_url - String Link to CSV of all actions/commands run by NodeZero on this Host during the Op.
downstream_impact_types - [ImpactType!] List of ImpactTypes found downstream of this Host during the Op.
os_names - [String!] List of operating system(s) running on the Host.
attack_paths_count - Int! The number of AttackPaths the Host is included in. This is equivalent to the number of Impacts found downstream of this Host.
attack_paths_page - AttackPathsPage! The list of AttackPaths the Host is included in. This is equivalent to the list of Impacts found downstream of this Host.
Arguments
page_input - PageInput
display_name - String Human-friendly display name for this Host.
weaknesses_count - Int! The number of Weaknesses found on this Host
Arguments
page_input - PageInput
weaknesses_page - WeaknessesPage! The list of Weaknesses found on this Host
Arguments
page_input - PageInput
op - Op! The Op the Host was found in.
Example
{
  "uuid": "12341234-1234-1234-1234-123412341234",
  "created_at": "2021-07-22T05:02:40.294996",
  "ip": "123.45.67.89",
  "mac": "xyz789",
  "cname_chains": ["xyz789"],
  "host_name": "xyz789",
  "host_names": ["abc123"],
  "is_in_scope": true,
  "is_domain_controller": false,
  "is_database_server": false,
  "is_load_balancer": false,
  "is_mail_server": false,
  "is_vpn": true,
  "is_waf": true,
  "os_fingerprints": ["xyz789"],
  "hardware_fingerprints": ["abc123"],
  "device_fingerprints": ["xyz789"],
  "op_id": "12341234-1234-1234-1234-123412341234",
  "data_stores_count": 123,
  "credentials_count": 123,
  "credentials_page": CredentialsPage,
  "data_resources_count": Long,
  "web_resources_count": Long,
  "services_count": 123,
  "context_score_description": "abc123",
  "score": 123.45,
  "severity": "INFO",
  "subnet": "xyz789",
  "cloud_provider": "xyz789",
  "cloud_region": "abc123",
  "cloud_arns": ["xyz789"],
  "is_public": false,
  "action_logs_count": 987,
  "action_logs_page": ActionLogsPage,
  "action_logs_csv_url": "https://example.com/example",
  "downstream_impact_types": ["AWSUserRoleCompromise"],
  "os_names": ["xyz789"],
  "attack_paths_count": 987,
  "attack_paths_page": AttackPathsPage,
  "display_name": "xyz789",
  "weaknesses_count": 987,
  "weaknesses_page": WeaknessesPage,
  "op": Op
}

HostCSV

Description

String scalar type representing a HostCSV row with columns:

  • FirstSeen: Datetime
  • Subnet: String
  • SubnetSource: String
  • IP: String
  • Hostname: String
  • DNSHostnames: String
  • LDAPHostname: String
  • InScope: Boolean
  • OS: String
  • Hardware: String
  • Device: String
  • NumWeaknesses: Int
  • NumConfirmedWeaknesses: Int
  • NumDataResources: Int
  • NumCredentials: Int
  • NumConfirmedCredentials: Int
  • NumServices: Int
  • NumWebShares: Int
  • RiskScore: Float
  • RiskScoreDescription: String
  • OpID: String
  • BusinessRisks: String
Example
HostCSV

HostTabXop

Description

This type is an abstraction over the HostTab type representing a uniquely identified HostTab asset across an OpSeries of ops. The asset is ID'ed via the xop_id field. A HostTab's xop_id is set to its ip.

Fields
Field Name Description
uuid - String! {op_series_uuid}/{xop_id}
op_series_uuid - String! This HostTabXop type represents an asset being tracked across this OpSeries.
xop_id - String! The durable xop identity. Always derived from the data itself (ie. not an arbitrary uuid). For HostTabXops that represent AssetGroup IPs, the xop_id is the IP.
ip - String! The ip of this host.
last_op_id - String The last op this IP appeared in.
current_op_id - String The most recently run op in the OpSeries.
is_authorized - Boolean
Indicates whether or not this IP has been marked "authorized for pentest" by the user.
excluded_ip_from_last_pentest - ExcludedIP The ExcludedIP record from the LAST ExternalAttack pentest against this AssetGroup/OpSeries. This will be non-null if the asset was authorized for pentesting, but was excluded (moved out of scope) in the last ExternalAttack pentest, due to drift or unreachability.
pentestable_rules - PentestableRules Apply rules to determine whether we allow the user to authorize this IP for pentesting.
third_party_aliases - [String] Full list of 3rd-party aliases. Includes all subdomains NOT covered by a TLD in the AssetGroup config. Aliases include CNAMEs (ExternalDomain.cname_chain) and DNS Reverse-Lookup Names (ExternalDomain.endpoint_dns_hostnames).
third_party_certificate_subject_cns - [String] 3rd-party certificate subject CNs. Includes all CNs NOT covered by a TLD in the AssetGroup config.
Example
{
  "uuid": "12341234-1234-1234-1234-123412341234",
  "op_series_uuid": "12341234-1234-1234-1234-123412341234",
  "xop_id": "abc123",
  "ip": "123.45.67.89",
  "last_op_id": "xyz789",
  "current_op_id": "xyz789",
  "is_authorized": true,
  "excluded_ip_from_last_pentest": ExcludedIP,
  "pentestable_rules": PentestableRules,
  "third_party_aliases": ["abc123"],
  "third_party_certificate_subject_cns": [
    "abc123"
  ]
}

HostsPage

Description

Contains a page of Host records, as fetched via Query.hosts_page.

Fields
Field Name Description
page_info - PageInfo Information about the current page.
hosts - [Host!]! List of hosts for the current page.
Example
{
  "page_info": PageInfo,
  "hosts": [Host]
}

ID

Description

The ID scalar type represents a unique identifier, often used to refetch an object or as key for a cache. The ID type appears in a JSON response as a String; however, it is not intended to be human-readable. When expected as an input type, any string (such as "4") or integer (such as 4) input value will be accepted as an ID.

Example
"4"

ImpactType

Description

Impact types.

Values
Enum Value Description

AWSUserRoleCompromise

Once an AWS user or role is compromised, anything that user or role has access to including cloud resources, cloud services, and data should be considered compromised.

AWSAccountCompromise

Once an AWS account is fully compromised, all cloud resources, cloud services, and data that exists in that AWS account should be considered fully compromised.

AzureADUserCompromise

DEPRECATED.

MicrosoftEntraUserCompromise

Once a Microsoft Entra user is compromised, anything that user has access to should be considered compromised. This could include access to the Microsoft Entra tenant, Microsoft 365, and even access to Azure subscriptions.

MicrosoftEntraAccountCompromise

Once an Entra (AzureAD) tenant is fully compromised, any application, service, or resource that utilizes the Entra Entra tenant for Identity and Access Management (IAM) should be considered compromised. This includes cloud services such as Microsoft 365 and Azure-hosted resources such as virtual machines or databases.

MicrosoftEntraFullTenantCompromise

DEPRECATED

BrandCompromise

Brand compromise covers ways in which an attacker can harm your company's reputation by, for instance, defacing the company's website, hosting malware off the company's domain, or carrying out phishing attacks that appear to originate from the company.

BusinessEmailCompromise

Business email compromise allows attackers to send and receive emails under the guise of that user. Attackers commonly leverage email access to conduct business accounting fraud, conduct highly targeted phishing attacks, gain access to sensitive information, and elicit trusting coworkers to perform actions on their behalf.

CloudCompromise

DEPRECATED.

CloudServiceCompromise

DEPRECATED.

CriticalInfrastructureCompromise

Critical infrastructure consists of key devices and applications that provide attackers a privileged position in the network from which they can access a wealth of sensitive data and launch further attacks.

DomainCompromise

Once a domain is fully compromised, all hosts, domain user accounts, data, infrastructure and applications tied to that domain should be considered fully compromised. Additionally, applications running on a domain-joined machine or any application that uses Active Directory integration to authenticate users should be considered fully compromised.

DomainUserCompromise

Once a domain user is compromised, anything that user account has access to should be considered compromised.

HostCompromise

Host compromise can lead to attackers gaining access to sensitive information, maintaining persistence within your network, and obtaining lateral movement within your networks.

PerimeterBreach

Perimeter breach can lead to attackers gaining access to your internal network from the public internet.

RansomwareExposure

Ransomware exposures can be used by attackers to obtain access to business-critical data stores, encrypt them with a secret key, and demand a ransom payment from your company before releasing the decryption key. Ransomware attacks can cause severe disruption to your business operations, even after the ransom is paid, as data stores must be decrypted and affected services restored.

SensitiveDataExposure

Sensitive data exposures can be used by attackers to obtain user credentials, PII (Personally identifiable information), financial account data, and other business-critical information to further exploit or gain profit.

ThirdPartySaaSUserCompromise

Once a Third Party SaaS user is compromised, anything that user has access to should be considered compromised. This could include access to private messages, files, and other application specific items.

KubernetesIdentityCompromise

Once a Kubernetes Identity is compromised, anything that identity has access to including pods, services, secrets, service accounts, and data should be considered compromised.

KubernetesClusterCompromise

Once a Kubernetes Cluster is fully compromised, all pods, services, secrets, service accounts, and data should be considered compromised.
Example
"AWSUserRoleCompromise"

InstallAgentOutput

Description

Output type for Mutation.install_agent.

The output includes the shell command to install and start the Runner on the NodeZero Host.

Fields
Field Name Description
command - String

The shell command for installing the NodeZero Runner. The command must be run on the NodeZero Docker Host. It will install and start the Runner.

This field is populated only if you set is_kubernetes: false in Mutation.install_agent. If you are deploying the Runner in a Kubernetes environment, use the kubernetes_install_command field instead.

kubernetes_install_command - String

The kubectl shell command for installing the NodeZero Runner in a Kubernetes environment.
The command must be run against the Kubernetes cluster where you want to deploy the Runner.

This field is populated only if you set is_kubernetes: true in Mutation.install_agent. If you are deploying the Runner in a non-Kubernetes environment, use the command field instead.

Example
{
  "command": "abc123",
  "kubernetes_install_command": "abc123"
}

Int

Description

The Int scalar type represents non-fractional signed whole numeric values. Int can represent values between -(2^31) and 2^31 - 1.

Example
987

InterestingResource

Description

An InterestingResource flags a file or web page that may have potentially sensitive info in it.

Fields
Field Name Description
uuid - String! The unique ID of the InterestingResource
created_at - Datetime! The time when the InterestingResource was found during the Op (UTC).
uri - String The URI or full path name of the InterestingResource.
op_id - String! The Op in which the InterestingResource was found.
service_uuid - String The Service where this InterestingResource was found.
service - Service! The Service where this InterestingResource was found.
data_store_uuid - String The DataStore where this InterestingResource was found.
data_store - DataStore The DataStore where this InterestingResource was found.
proofs - [Proof] Proof of this InterestingResource captured during the Op.
Example
{
  "uuid": "12341234-1234-1234-1234-123412341234",
  "created_at": "2021-07-22T05:02:40.294996",
  "uri": "abc123",
  "op_id": "12341234-1234-1234-1234-123412341234",
  "service_uuid": "12341234-1234-1234-1234-123412341234",
  "service": Service,
  "data_store_uuid": "12341234-1234-1234-1234-123412341234",
  "data_store": DataStore,
  "proofs": [Proof]
}

JSONObject

Description

String scalar type with JSON serialization.

Example
JSONObject

LDAPDomain

Description

Represents an AD LDAP Domain.

Fields
Field Name Description
uuid - String! The unique ID of the LDAPDomain.
created_at - Datetime! The time when the LDAPDomain was found during the Op (UTC).
name - String! The LDAPDomain name.
op_id - String! The Op in which the LDAPDomain was found.
Example
{
  "uuid": "12341234-1234-1234-1234-123412341234",
  "created_at": "2021-07-22T05:02:40.294996",
  "name": "xyz789",
  "op_id": "12341234-1234-1234-1234-123412341234"
}

Long

Description

Int scalar type alias.

Example
Long

MitreMapping

Description

A MitreMapping consists of a specific combination of a MITRE Tactic, Technique, and optionally a Subtechnique. MitreMappings are associated with attack modules via ModuleMeta.

Fields
Field Name Description
mitre_tactic_id - String! The MITRE Tactic ID
mitre_tactic - MitreTactic The MITRE Tactic
mitre_technique_id - String! The MITRE Technique ID
mitre_technique - MitreTechnique The MITRE Technique
mitre_subtechnique_id - String The MITRE Subtechnique ID
mitre_subtechnique - MitreSubtechnique The MITRE Subtechnique
Example
{
  "mitre_tactic_id": "TA0043",
  "mitre_tactic": MitreTactic,
  "mitre_technique_id": "T1595",
  "mitre_technique": MitreTechnique,
  "mitre_subtechnique_id": "T1595.002",
  "mitre_subtechnique": MitreSubtechnique
}

MitreSubtechnique

Description

Represents a MITRE Subtechnique

Fields
Field Name Description
id - String! The MITRE Subtechnique ID
mitre_technique_id - String The MITRE Technique ID that is the parent of this Subtechnique
name - String The MITRE Subtechnique name
description - String The MITRE Subtechnique description
url - String The documentation URL for the MITRE Subtechnique
Example
{
  "id": "T1595.001",
  "mitre_technique_id": "T1595",
  "name": "Scanning IP Blocks",
  "description": "Adversaries may scan victim IP blocks...",
  "url": "https://attack.mitre.org/techniques/T1595/001/"
}

MitreTactic

Description

Represents a MITRE Tactic

Fields
Field Name Description
id - String! The MITRE Tactic ID
name - String The MITRE Tactic name
description - String The MITRE Tactic description
url - String The documentation URL for the MITRE Tactic
Example
{
  "id": "TA0043",
  "name": "Reconnaissance",
  "description": "The adversary is trying to gather information...",
  "url": "https://attack.mitre.org/tactics/TA0043/"
}

MitreTechnique

Description

Represents a MITRE Technique

Fields
Field Name Description
id - String! The MITRE Technique ID
name - String The MITRE Technique name
description - String The MITRE Technique description
url - String The documentation URL for the MITRE Technique
Example
{
  "id": "T1595",
  "name": "Active Scanning",
  "description": "Adversaries may execute active reconnaissance scans...",
  "url": "https://attack.mitre.org/techniques/T1595/"
}

ModuleInstance

Description

An instance of NodeZero attack module that executed during an op.

Use ModuleInstance.action_logs to see the commands executed by this module.

Fields
Field Name Description
uuid - String! Unique identifier for this ModuleInstance
created_at - Datetime! The time the module was created. Note this is different than when the model started execution. See started_at
module_id - String! The attack module id. Matches up with ModuleMeta.id
options - String Command options used by this module.
started_at - Datetime! The time the module started execution.
ended_at - Datetime! The time the module completed execution.
success_flag - Boolean True if the module completed successfully.
error_msg - String An error message if the module failed.
op_id - String! The op that this module ran under.
name - String The module name. Alias of ModuleMeta.name
description - String The module description. Alias of ModuleMeta.description
action_logs_count - Int The number of actions/commands executed by this NodeZero attack module.
action_logs - [ActionLog] The actions/commands executed by this NodeZero attack module.
module_meta - ModuleMeta Metadata for this NodeZero attack module.
Example
{
  "uuid": "12341234-1234-1234-1234-123412341234",
  "created_at": "2021-07-22T05:02:40.294996",
  "module_id": "abc123",
  "options": "abc123",
  "started_at": "2021-07-22T05:02:40.294996",
  "ended_at": "2021-07-22T05:02:40.294996",
  "success_flag": true,
  "error_msg": "xyz789",
  "op_id": "12341234-1234-1234-1234-123412341234",
  "name": "xyz789",
  "description": "abc123",
  "action_logs_count": 987,
  "action_logs": [ActionLog],
  "module_meta": ModuleMeta
}

ModuleMeta

Description

Attack module metadata.

Fields
Field Name Description
id - String! ID of attack module.
name - String Name of attack module.
description - String Description of attack module.
mitre_mappings - [MitreMapping] MITRE Tactics, Techniques, and Subtechniques associated with this attack module
Example
{
  "id": "host_discovery",
  "name": "Host Discovery",
  "description": "The Host Discovery module finds assets on the network...",
  "mitre_mappings": [MitreMapping]
}

Node

Description

A node in an AttackVector.

A Node wraps attack-vector context around a target entity.

The icon_label, label_line1, label_line2, and label_line3 fields are useful for rendering the node.

Fields
Field Name Description
uuid - String! The uuid of this node in the attack graph. Referenced by graph edges via Edge.from_uuid and Edge.to_uuid.
attack_vector_node_uuid - String! The uuid of the AVNode record, for fetching this specific node.
found_by_module_meta - ModuleMeta ModuleMeta for the Module that found this node.
found_by_module_instance - ModuleInstance The Module that found this node.
score - Float The cyber risk score of this node, as a number from 0 - 10. The higher the number, the greater the risk.
severity - Severity The cyber risk severity of this node, as a Severity label.
proofs - [Proof] Proofs attached to this node
time_to_finding - String The time it took for NodeZero to find this node, in the format of HH:MM:SS
label_line1 - String The first line of the node label (for v3 and v4 attack vectors)
label_line2 - String The second line of the node label (for v3 and v4 attack vectors)
label_line3 - String The third line of the node label (for v3 and v4 attack vectors)
icon_label - String The label for the icon used to render this type of node. eg. Found Host, Exploited Weakness
description - String A human-readable description of the action NodeZero took on this node.
subflow_nodes - [Node] These are downstream nodes in the attack path that occurred at the same time as this node. These nodes are rendered in the same timestamp aka "layer" in the attack graph timeline.
weakness - Weakness The corresponding Weakness object for this Node, if it refers to a weakness.
Example
{
  "uuid": "12341234-1234-1234-1234-123412341234",
  "attack_vector_node_uuid": "12341234-1234-1234-1234-123412341234",
  "found_by_module_meta": ModuleMeta,
  "found_by_module_instance": ModuleInstance,
  "score": 123.45,
  "severity": "INFO",
  "proofs": [Proof],
  "time_to_finding": "xyz789",
  "label_line1": "xyz789",
  "label_line2": "abc123",
  "label_line3": "abc123",
  "icon_label": "xyz789",
  "description": "abc123",
  "subflow_nodes": [Node],
  "weakness": Weakness
}

NotificationType

Values
Enum Value Description

EvidenceOfWeakness

Notification type indicating that evidence of a breaking vulnerability was found during Rapid Response exploit testing.

Notification recipients should take immediate action to confirm whether the vulnerability still exists, such as by running a Rapid Response test if available.

PossibleEvidenceOfWeakness

Possible Evidence of Weakness Found, but not confirmable

NoEvidenceOfWeakness

No Evidence of Weakness Found

TripwireTripped

Notification type indicating that activity was detected on an active tripwire in the recipients' environment.

Notification recipients should urgently review activity details and take appropriate remedial action, such as quarantining the affected asset and/or removing the alerting tripwire if appropriate.

Example
"EvidenceOfWeakness"

Op

Description

Op data. An Op represents a cypersecurity operation conducted by NodeZero.
A Pentest is the most common type of Op. Other types include Asset Discovery, Network Enumeration, Password Audit, cloud-specific operations for AWS and Azure, and more.

Fields
Field Name Description
op_id - String Unique ID for the op.
op_type - OpType Indicates the type of Op. See OpType for descriptions of the various op types.
op_state - String!

The current state of the Op.

  • scheduled
  • provisioning
  • ready
  • running
  • complete
  • post-processing
  • done
  • cancelling
  • canceled
  • paused
  • error

portal_op_state - PortalOpState! The current state of the Op. See PortalOpState for more details.
op_name - String! Name of the op. The name is used for display purposes and in op reports.
op_param_min_scope - [String] The "minimum" scope is used in combination with "auto-expand scope" to specify the set of IPs and CIDR ranges that specifically should be scanned, in addition to whatever other IPs are discovered during the op (up to and including the op_param_max_scope, if defined).
op_param_max_scope - [String] The "maximum" scope specifies the full range of IPs and CIDR ranges that are allowed to be discovered and scanned during the op.
op_param_blacklist - String IPs and CIDR ranges that are excluded from the op , as comma-separated list.
scheduled_timestamp - Float! Timestamp of pentest scheduling, in epoch seconds.
scheduled_timestamp_iso - String! Timestamp when the op was created, in ISO format (UTC). use scheduled_at instead
scheduled_at - Datetime! Timestamp when the op was created. Alias of created_at
scheduled_at_date - Date! Date when the op was created.
created_at - Datetime! Timestamp when the op was created.
completed_timestamp_iso - String Timestamp when the op completed its scan, in ISO format (UTC). use completed_at instead
completed_at - Datetime Timestamp when the op completed its scan. This does not include post-processing time. Use etl_completed_at to include post-processing time.
canceled_at - Datetime Timestamp when the op was canceled.
launched_timestamp_iso - String Timestamp when the op launched, in ISO format (UTC). use launched_at instead
launched_at - Datetime Timestamp when the op launched. This is when the op begins actively scanning the network.
etl_completed_at - Datetime Timestamp when the op completed post-processing. This is when the op results are made available in Portal.
duration_s - Int Op duration in seconds. The duration is calculated as the difference between created_at and completed_at.
confirmed_credentials_count - Int Number of confirmed credentials found.
weaknesses_count - Int Number of weaknesses found (weakness INSTANCEs, not unique weakness IDs).
weaknesses_page - WeaknessesPage! Returns the list of weaknesses found in this op.
Arguments
page_input - PageInput
in_scope_hosts_count - Int Number of hosts found in scope.
feature_flags - [FeatureFlag] Advanced configuration settings for this pentest.
nodezero_script_url - String URL of the script that downloads and launches NodeZero.
duration_hms - String Op duration in HH:MM:SS format. The duration is calculated as the difference between created_at and completed_at.
duration_humanize - String Op duration in "humanized" format. The duration is calculated as the difference between created_at and completed_at. .
op_template_uuid - String ID of OpTemplate used for this pentest.
op_template_name - String Name of OpTemplate used for this pentest.
impact_paths_count - Int Number of impact paths in the pentest. Alias of attack_paths_count.
attack_paths_count - Int Number of attack paths in the pentest. Alias of impact_paths_count.
attack_paths_page - AttackPathsPage! Returns the list of attack paths for this op.
Arguments
page_input - PageInput
phished_impact_paths_count - Int! Number of impact paths downstream of phished credentials in the pentest. Alias of phished_attack_paths_count
phished_attack_paths_count - Int! Number of attack paths downstream of phished credentials in the pentest. Alias of phished_impact_paths_count.
runner_uuid - String ID of NodeZero Runner the op is assigned to.
runner_name - String Name of NodeZero Runner the op is assigned to.
schedule_uuid - String ID of schedule the op is associated with.
schedule_name - String Name of schedule the op is associated with.
schedule - Schedule The schedule the op is associated with.
schedule_op_form - ScheduleOpForm! The ScheduleOpForm that contains the full configuration that was used to run this op.
asset_group_uuid - String The ID of the AssetGroup the op is associated with. This field is set for ExternalAssetDiscovery and ExternalAttack op types.
asset_group - AssetGroup The AssetGroup the op is associated with. This field is set for ExternalAssetDiscovery and ExternalAttack op types.
Example
{
  "op_id": "12341234-1234-1234-1234-123412341234",
  "op_type": "NodeZero",
  "op_state": "running",
  "portal_op_state": "done",
  "op_name": "your op name",
  "op_param_min_scope": ["123.45.67.89, 12.3.4.56"],
  "op_param_max_scope": ["123.45.67.89, 12.3.4.56"],
  "op_param_blacklist": "123.45.67.89, 12.3.4.56",
  "scheduled_timestamp": "1600793100.0",
  "scheduled_timestamp_iso": "2021-07-22T05:02:40.294996",
  "scheduled_at": "2021-07-22T05:02:40.294996",
  "scheduled_at_date": "2025-04-03T15:50:42.673Z",
  "created_at": "2021-07-22T05:02:40.294996",
  "completed_timestamp_iso": "2021-07-22T05:02:40.294996",
  "completed_at": "2021-07-22T05:02:40.294996",
  "canceled_at": "2021-07-22T05:02:40.294996",
  "launched_timestamp_iso": "2021-07-22T05:02:40.294996",
  "launched_at": "2021-07-22T05:02:40.294996",
  "etl_completed_at": "2021-07-22T05:02:40.294996",
  "duration_s": 987,
  "confirmed_credentials_count": 123,
  "weaknesses_count": 123,
  "weaknesses_page": WeaknessesPage,
  "in_scope_hosts_count": 123,
  "feature_flags": [FeatureFlag],
  "nodezero_script_url": "https://example.com/example",
  "duration_hms": "22:05:21",
  "duration_humanize": "2 hours, 23 minutes",
  "op_template_uuid": "12341234-1234-1234-1234-123412341234",
  "op_template_name": "xyz789",
  "impact_paths_count": 987,
  "attack_paths_count": 123,
  "attack_paths_page": AttackPathsPage,
  "phished_impact_paths_count": 987,
  "phished_attack_paths_count": 123,
  "runner_uuid": "12341234-1234-1234-1234-123412341234",
  "runner_name": "abc123",
  "schedule_uuid": "12341234-1234-1234-1234-123412341234",
  "schedule_name": "abc123",
  "schedule": Schedule,
  "schedule_op_form": ScheduleOpForm,
  "asset_group_uuid": "12341234-1234-1234-1234-123412341234",
  "asset_group": AssetGroup
}

OpDiffInput

Description

Input for Query.weaknesses_diff_page and other diff-related APIs.

Fields
Input Field Description
op_id_1 - String! The first op of the diff. This is normally the older op.
op_id_2 - String! The second op of the diff. This is normally the newer op.
Example
{
  "op_id_1": "xyz789",
  "op_id_2": "xyz789"
}

OpInput

Description

Pentest input arguments.

Fields
Input Field Description
op_id - String! ID of pentest.
Example
{"op_id": "12341234-1234-1234-1234-123412341234"}

OpTab

Description

Pentest data.

Fields
Field Name Description
uuid - String ID of pentest.
op_id - String ID of pentest. Same as uuid.
op_state - String!

State of pentest:

  • scheduled
  • provisioning
  • ready
  • running
  • complete
  • post-processing
  • done
  • cancelling
  • canceled
  • paused
  • error
portal_op_state - PortalOpState! Op State surfaced in portal
op_name - String! Name of pentest.
scheduled_timestamp - Float! Timestamp of pentest scheduling, in epoch seconds.
scheduled_at - Datetime! Timestamp of pentest scheduling
scheduled_at_date - Date! Date of pentest scheduling
scheduled_timestamp_iso - String! Timestamp of pentest scheduling, in ISO format (UTC).
create_timestamp - Int! Timestamp of pentest creation, in epoch seconds.
create_timestamp_iso - String! Timestamp of pentest creation, in ISO format (UTC).
launched_timestamp - Int Timestamp of pentest launching, in epoch seconds.
launched_timestamp_iso - String Timestamp of pentest launching, in ISO format (UTC).
launched_at - Datetime Timestamp of pentest launching
completed_at - Datetime Timestamp of pentest completion.
completed_timestamp - Float Timestamp of pentest completion, in epoch seconds.
completed_timestamp_iso - String Timestamp of pentest completion, in ISO format (UTC).
canceled_at - Datetime Timestamp of pentest cancellation.
canceled_timestamp - Int Timestamp of pentest cancellation, in epoch seconds.
canceled_timestamp_iso - String Timestamp of pentest cancellation, in ISO format (UTC).
duration_hms - String Pentest duration in HH:MM:SS format .
duration_humanize - String Pentest duration in "humanized" format .
op_type - OpType Type of pentest.
weakness_types_count - Int Number of unique weakness IDs found.
weaknesses_count - Int Number of weaknesses found (weakness INSTANCEs, not unique weakness IDs).
host_tabs_count - Int Number of hosts found in scope. Same as in_scope_endpoints_count.
domain_controllers_count - Int Number of domain controllers found in scope.
credentials_count - Int Number of credentials and potential credentials found.
proven_credentials_count - Int Number of credentials and potential credentials found with proof.
confirmed_credentials_count - Int Number of credentials with proof. Alias of proven_credentials_count.
unproven_credentials_count - Int Number of credentials without proof.
activedir_passwords_count - Int Number of credentials found in Active Directory Password Audit(s).
enabled_activedir_passwords_count - Int Number of enabled credentials found in Active Directory Password Audit(s).
disabled_activedir_passwords_count - Int Number of disabled credentials found in Active Directory Password Audit(s).
feature_flags - [FeatureFlag] Advanced configuration settings for this pentest.
impacts_headline_count - Int Number of impacts in the pentest, which generally refers to the number of assets affected by an impact.
impact_paths_count - Int Number of impact paths in the pentest. Alias of attack_paths_count.
attack_paths_count - Int Number of attack paths in the pentest. Alias of impact_paths_count.
phished_impact_paths_count - Int! Number of impact paths downstream of phished credentials in the pentest. Alias of phished_attack_paths_count
phished_attack_paths_count - Int! Number of attack paths downstream of phished credentials in the pentest. Alias of phished_impact_paths_count.
nodezero_script_url - String URL of the script that downloads and launches NodeZero.
nodezero_ip - String The IP address where NodeZero was launched.
etl_completed_at - Datetime Timestamp of pentest post-processing completion, in ISO format (UTC).
start_paused - Boolean Start paused.
minimum_run_time - Int Op minimum run-time, in minutes.
maximum_run_time - Int Op maximum run-time, in minutes.
paused_at - Datetime Time when the pentest was most recently paused.
paused_by_user_account_uuid - String ID of the user that most recently paused the pentest.
paused_by_user_account - UserAccount Data of user account that most recently paused the pentest.
op_template_uuid - String ID of OpTemplate used for this pentest.
op_template_name - String Name of OpTemplate used for this pentest.
excluded_ips - [ExcludedIP] IPs that were excluded from the pentest scope. Applies to external pentests only.
excluded_domains - [ExcludedDomain] Domains that were excluded from the pentest scope. Applies to external pentests only.
runner_uuid - String ID of NodeZero Runner the op is assigned to.
runner_name - String Name of NodeZero Runner the op is assigned to.
schedule_uuid - String ID of schedule the op is associated with.
schedule_name - String Name of schedule the op is associated with.
schedule - Schedule The schedule the op is associated with.
auto_injected_credential_uuids - [String] The set of credentials to be auto-injected (by a NodeZero Runner) into the op.
tripwires_count - Int The number of Tripwires dropped during the op
Example
{
  "uuid": "12341234-1234-1234-1234-123412341234",
  "op_id": "12341234-1234-1234-1234-123412341234",
  "op_state": "running",
  "portal_op_state": "done",
  "op_name": "your op name",
  "scheduled_timestamp": "1600793100.0",
  "scheduled_at": "2021-07-22T05:02:40.294996",
  "scheduled_at_date": "2025-04-03T15:50:42.673Z",
  "scheduled_timestamp_iso": "2021-07-22T05:02:40.294996",
  "create_timestamp": "1600793100.0",
  "create_timestamp_iso": "2021-07-22T05:02:40.294996",
  "launched_timestamp": "1600793100.0",
  "launched_timestamp_iso": "2021-07-22T05:02:40.294996",
  "launched_at": "2021-07-22T05:02:40.294996",
  "completed_at": "2021-07-22T05:02:40.294996",
  "completed_timestamp": "1600793100.0",
  "completed_timestamp_iso": "2021-07-22T05:02:40.294996",
  "canceled_at": "2021-07-22T05:02:40.294996",
  "canceled_timestamp": "1600793100.0",
  "canceled_timestamp_iso": "2021-07-22T05:02:40.294996",
  "duration_hms": "22:35:09",
  "duration_humanize": "2 hours, 23 minutes",
  "op_type": "NodeZero",
  "weakness_types_count": 123,
  "weaknesses_count": 123,
  "host_tabs_count": 987,
  "domain_controllers_count": 123,
  "credentials_count": 987,
  "proven_credentials_count": 123,
  "confirmed_credentials_count": 987,
  "unproven_credentials_count": 987,
  "activedir_passwords_count": 987,
  "enabled_activedir_passwords_count": 123,
  "disabled_activedir_passwords_count": 123,
  "feature_flags": [FeatureFlag],
  "impacts_headline_count": 123,
  "impact_paths_count": 123,
  "attack_paths_count": 987,
  "phished_impact_paths_count": 123,
  "phished_attack_paths_count": 123,
  "nodezero_script_url": "https://example.com/example",
  "nodezero_ip": "123.45.67.89",
  "etl_completed_at": "2021-07-22T05:02:40.294996",
  "start_paused": true,
  "minimum_run_time": 123,
  "maximum_run_time": 123,
  "paused_at": "2021-07-22T05:02:40.294996",
  "paused_by_user_account_uuid": "12341234-1234-1234-1234-123412341234",
  "paused_by_user_account": UserAccount,
  "op_template_uuid": "12341234-1234-1234-1234-123412341234",
  "op_template_name": "xyz789",
  "excluded_ips": [ExcludedIP],
  "excluded_domains": [ExcludedDomain],
  "runner_uuid": "12341234-1234-1234-1234-123412341234",
  "runner_name": "xyz789",
  "schedule_uuid": "12341234-1234-1234-1234-123412341234",
  "schedule_name": "xyz789",
  "schedule": Schedule,
  "auto_injected_credential_uuids": [
    "abc123"
  ],
  "tripwires_count": 123
}

OpTabsPage

Description

Paginated data of pentests.

Fields
Field Name Description
page_info - PageInfo Pagination of response.
op_tabs - [OpTab!]! List of pentests.
Example
{
  "page_info": PageInfo,
  "op_tabs": [OpTab]
}

OpTemplate

Description

An OpTemplate is a reusable template for running pentests and other op types.

An OpTemplate can be linked to a Schedule in order to run the op on a recurring basis.

Fields
Field Name Description
uuid - String! ID of template.
user_account_uuid - String! ID of the user account that created the template.
client_account_uuid - String! ID of the client account that created the template.
client_account - ClientAccount! Client account that created the template.
op_template_name - String! The template's name.
name - String! The template's name.
op_type - OpType! Type of op this template applies to. See OpType for details.
schedule_op_form - ScheduleOpForm! Template data for configuring ops.
schedules - [Schedule!]! Schedules that use this template.
row_created_at - Datetime! Timestamp when the template was created.
row_updated_at - Datetime Timestamp when the template was last updated.
Example
{
  "uuid": "12341234-1234-1234-1234-123412341234",
  "user_account_uuid": "12341234-1234-1234-1234-123412341234",
  "client_account_uuid": "12341234-1234-1234-1234-123412341234",
  "client_account": ClientAccount,
  "op_template_name": "xyz789",
  "name": "xyz789",
  "op_type": "NodeZero",
  "schedule_op_form": ScheduleOpForm,
  "schedules": [Schedule],
  "row_created_at": "2021-07-22T05:02:40.294996",
  "row_updated_at": "2021-07-22T05:02:40.294996"
}

OpTemplatesPage

Fields
Field Name Description
page_info - PageInfo Information about the page.
op_templates - [OpTemplate!]! List of pentest templates.
Example
{
  "page_info": PageInfo,
  "op_templates": [OpTemplate]
}

OpType

Description

Whenever you create an operation or an op template, you must specify an op type. NodeZero can run several types of operations. The op types are described by this enum.

Values
Enum Value Description

NodeZero

An Internal Pentest op, for pentesting your internal network.

There are many configuration options, but the minimum to get started are: 1. a network scope to pentest, specified in CIDR notation 2. a Docker Host within the network, on which to launch NodeZero

ExternalAssetDiscovery

An External Asset Discovery op, for discovering public-facing domains and IPs in an AssetGroup.

This op is usually run in advance of running an external pentest. It does initial discovery of your external attack surface. You may then select one or more of the discovered domains and IPs to authorize for external pentesting.

To run an ExternalAssetDiscovery op for an AssetGroup, use Mutation.create_op and pass the AssetGroup.uuid via schedule_op_form.asset_group_uuid. Alternatively, you can pass the AssetGroup.op_template_uuid via the op_template_uuid parameter.

This is an external operation and therefore NodeZero is launched from the H3 cloud. It does not require a Docker Host within the network.

ExternalAttack

An External Pentest op, for pentesting public-facing domains and IPs in an AssetGroup.

In many cases users will run an ExternalAssetDiscovery op first, to discover their external attack surface, then authorize NodeZero to pentest one or more of the discovered domains and IPs. This workflow involves several steps:: 1. create an AssetGroup 2. run an ExternalAssetDiscovery op, to discover public domains and IPs 3. authorize discovered domains and IPs for external pentesting 4. run an ExternalAttack op against the authorized assets

However, this workflow is no longer strictly required. As of April 2025, you may now configure and run an external pentest directly, without first running an ExternalAssetDiscovery op.
NodeZero will auto-discover your attack surface during the pentest, and it will auto-authorize and pentest any discovered domain that doesn't have a CNAME record from a third-party service.

After the external pentest completes, all discovered domains and IPs are included in the results in Portal. You may then authorize additional domains and IPs for further pentesting.

To run an ExternalAttack op for an AssetGroup use Mutation.create_op and pass the AssetGroup.uuid via schedule_op_form.asset_group_uuid. Alternatively you can create an OpTemplate for the ExternalAttack op and set the AssetGroup.uuid in OpTemplate.schedule_op_form.asset_group_uuid.

This is an external operation and therefore NodeZero is launched from the H3 cloud. It does not require a Docker Host within the network.

NetworkEnumeration

Network Enumeration, for enumerating assets in an internal network.

Hosts, services, applications, and data stores are enumerated, but no pentesting is performed.

This is an internal operation and therefore requires that you launch NodeZero on a Docker Host within the network.

ADPasswordAudit

An Active Directory Password Audit op, for auditing the user passwords in your Active Directory. Requires privileged access, by providing a domain admin or dcsync credential in the op configuration.

This is an internal operation and therefore requires that you launch NodeZero on a Docker Host within the network.

Phishing

A Phishing op, for running an internal pentest that makes uses of credentials harvested from a phishing campaign.

This is an internal operation and therefore requires that you launch NodeZero on a Docker Host within the network.

AWSPentest

An AWS Pentest op, for assessing the security of your AWS cloud configuration.

To run an AWS Pentest, you must first configure one or more AWSConnection objects, one for each AWS account you want to pentest. NodeZero uses the AWSConnection to connect to your AWS account.
The AWSConnection objects are specified using schedule_op_form.aws_connection_uuids.

This is an external operation and therefore NodeZero is launched from the H3 cloud. It does not require a Docker Host within the network.

K8sPentest

A K8s Pentest op, for pentesting Kubernetes clusters.

This operation requires that NodeZero is launched from within a Kubernetes cluster. This can be done using a NodeZero Runner for Kubernetes. See Mutation.install_agent for how to install a Runner in Kubernetes.

Scope configuration options to consider for a K8sPentest include:

  • k8s_deployment (this should be set to true)
  • k8s_namespace
  • k8s_service_account_name
  • k8s_node

AzurePentest

An Azure Pentest op, for pentesting your Azure AD.

InsiderThreatAttack

An Insider Threat Attack op, for simulating the fallout from an insider-turned-attacker.

This is essentially an internal pentest with additional configuration for injecting the user credentials of an insider-threat attacker, eg. the credentials of an employee. The pentest results help you understand the degree to which that employee -- or an attacker who has compromised that employee's credentials -- can attack your network.

This is an internal operation and therefore requires that you launch NodeZero on a Docker Host within the network.

TripwiresInternal

A "Drop Tripwires" op, for dropping tripwires on designated targets in your internal network. An injected credential should be included for each target included in the scope of the op.

This is an internal operation and therefore requires that you launch NodeZero on a Docker Host within the network.

WebApp

A Web App Pentest op, for pentesting your web app.
Example
"NodeZero"

Operator

Fields
Field Name Description
uuid - ID! Unique identifier
name - String! The name of the agent. The name is used when assigning scheduled ops to an agent.
Example
{
  "uuid": "12341234-1234-1234-1234-123412341234",
  "name": "abc123"
}

OpsPage

Description

A page of ops data.

Fields
Field Name Description
ops - [Op!]! List of ops.
Example
{"ops": [Op]}

PageInfo

Description

Pagination of response data.

Fields
Field Name Description
page_num - Int Page number returned by query.
page_size - Int Maximum number of items in page.
text_search - String Text searched across all text columns in the target table.
filter_by_inputs - [FilterBy] List of filters used with AND condition.
Example
{
  "page_num": 1,
  "page_size": 20,
  "text_search": "xyz789",
  "filter_by_inputs": [FilterBy]
}

PageInput

Description

Pagination inputs.

Fields
Input Field Description
page_num - Int Page number to query. Page numbers start at 1.
page_size - Int Number of items to fetch per page. Maximum page_size is 100.
order_by - String Name of the field to order the results by. If you want to order by multiple fields, use sort_inputs.
sort_order - SortOrder Method to order by, ASC or DESC. Used in conjunction with the order_by parameter.
sort_inputs - [SortInput] List of fields to sort by.
filter_by_inputs - [FilterByInput] List of fields to filter the results by. Multiple filters are combined together with AND clauses.
filter_by_input_mode - FilterByInputMode Determines the logical operator to use, AND or OR, when applying multiple filters to a query.
text_search - String Simple free-text search across the text-based fields of the target type.
Example
{
  "page_num": 1,
  "page_size": 10,
  "order_by": "name",
  "sort_order": "ASC",
  "sort_inputs": [SortInput],
  "filter_by_inputs": [FilterByInput],
  "filter_by_input_mode": "AND",
  "text_search": "xyz789"
}

Pentest

Description

Pentest data.

Fields
Field Name Description
op_id - String! ID of pentest.
op_type - OpType Type of pentest.
name - String! Name assigned to the pentest.
state - PortalOpState! op state used exclusively in portal
user_name - String! The user who scheduled the pentest.
client_name - String! The client account that owns the pentest.
min_scope - [String] The "minimum" scope is used in combination with "auto-expand scope" to specify the set of IPs and CIDR ranges that positively should be scanned, in addition to whatever other IPs are discovered during the pentest (up to and including the max_scope, if defined).
max_scope - [String] The "maximum" scope specifies the full range of IPs and CIDR ranges that are allowed to be discovered and scanned during the pentest.
exclude_scope - [String] IPs and CIDR ranges that are excluded from the pentest.
git_accounts - [GitAccount] List of Git accounts to include in pentest.
aws_account_ids - [AWSAccountId] List of AWS accounts to include in pentest.
feature_flags - [FeatureFlag] Advanced configuration options.
scheduled_at - Datetime! Timestamp of pentest scheduling.
launched_at - Datetime Timestamp of pentest launching.
completed_at - Datetime Timestamp of pentest completion.
canceled_at - Datetime Timestamp of pentest cancellation.
etl_completed_at - Datetime Timestamp of pentest ETL completion.
duration_s - Int Pentest duration in seconds.
impacts_count - Int Number of impacts found. Technically counts up the number of unique impact type + affected asset combinations.
impact_paths_count - Int Number of impact paths found. Alias of `attack_paths_count.
attack_paths_count - Int Number of attack paths found. Alias of `impact_paths_count.
attack_paths_page - AttackPathsPage!

Returns the list of attack paths for this op.

The AttackPath.uuid field can be used to fetch more details about a specific AttackPath via Query.attack_path.

Arguments
page_input - PageInput
phished_impact_paths_count - Int! Number of impact paths found downstream of phished credentials. Alias of phished_attack_paths_count
phished_attack_paths_count - Int! Number of attack paths found downstream of phished credentials. Alias of phished_impact_paths_count.
weakness_types_count - Int Number of unique weakness IDs found.
weaknesses_count - Int Number of weaknesses found.
weaknesses_page - WeaknessesPage!

Returns the list of weaknesses for this op.

The Weakness.uuid field can be used to fetch more details about a specific Weakness via Query.weakness.

Arguments
page_input - PageInput
hosts_count - Int Number of in-scope hosts (IPs) scanned during the pentest
out_of_scope_hosts_count - Int Number of out-of-scope hosts (IPs) found during the pentest.
external_domains_count - Int Number of domains found.
services_count - Int Number of services found.
credentials_count - Int Number of credentials found, both discovered and confirmed.
users_count - Int Number of users found.
cred_access_count - Int Counts the number of unique combinations of credential + accessed asset.
data_stores_count - Int Number of data stores found, eg FileShares, DatabaseRepos, S3Buckets, GitRepos, etc. Excludes websites.
websites_count - Int Number of websites found.
data_resources_count - Long Count of all data resources (files, DB records, etc) across all data stores.
nodezero_script_url - String URL of the script that downloads and launches NodeZero.
nodezero_ip - String IP address of NodeZero.
schedule - Schedule The schedule the op is associated with.
Example
{
  "op_id": "12341234-1234-1234-1234-123412341234",
  "op_type": "NodeZero",
  "name": "abc123",
  "state": "done",
  "user_name": "abc123",
  "client_name": "abc123",
  "min_scope": ["xyz789"],
  "max_scope": ["xyz789"],
  "exclude_scope": ["abc123"],
  "git_accounts": [GitAccount],
  "aws_account_ids": [AWSAccountId],
  "feature_flags": [FeatureFlag],
  "scheduled_at": "2021-07-22T05:02:40.294996",
  "launched_at": "2021-07-22T05:02:40.294996",
  "completed_at": "2021-07-22T05:02:40.294996",
  "canceled_at": "2021-07-22T05:02:40.294996",
  "etl_completed_at": "2021-07-22T05:02:40.294996",
  "duration_s": 987,
  "impacts_count": 987,
  "impact_paths_count": 987,
  "attack_paths_count": 987,
  "attack_paths_page": AttackPathsPage,
  "phished_impact_paths_count": 123,
  "phished_attack_paths_count": 987,
  "weakness_types_count": 987,
  "weaknesses_count": 987,
  "weaknesses_page": WeaknessesPage,
  "hosts_count": 987,
  "out_of_scope_hosts_count": 123,
  "external_domains_count": 123,
  "services_count": 987,
  "credentials_count": 123,
  "users_count": 987,
  "cred_access_count": 123,
  "data_stores_count": 123,
  "websites_count": 123,
  "data_resources_count": Long,
  "nodezero_script_url": "https://example.com/example",
  "nodezero_ip": "123.45.67.89",
  "schedule": Schedule
}

PentestableEntitiesBulkOutput

Description

Output type for several Mutations that authorize assets for external pentesting.

Fields
Field Name Description
pentestable_entities_count - Int! Number of domain and IP assets that were updated by this request.
Example
{"pentestable_entities_count": 987}

PentestableEntitiesOutput

Description

Output type for several Mutations that authorize assets for external pentesting.

Fields
Field Name Description
pentestable_entities - [PentestableEntity] List of domain and IP assets, along with their authorization status, that were modified by this request.
blocked_pentestable_entities - [BlockedPentestableEntity] List of domain and IP assets that were BLOCKED from authorization.
Assets are blocked if we determine they are owned by providers that do not permit pentesting. See BlockedPentestableEntity.pentestable_rules.authz_warning for more details.
Example
{
  "pentestable_entities": [PentestableEntity],
  "blocked_pentestable_entities": [
    BlockedPentestableEntity
  ]
}

PentestableEntity

Description

A PentestableEntity links a domain (ExternalDomainXop) or IP (HostTabXop) to its authorization status for external pentesting.

Fields
Field Name Description
uuid - String! ID of pentestable entity.
is_authorized - Boolean! Flag to indicate if entity is pentestable.
Example
{"uuid": "12341234-1234-1234-1234-123412341234", "is_authorized": false}

PentestableRules

Description

The result of applying the rules for allowing ExternalDomains/HostTabs to be pentested via ExternalAttack.

Fields
Field Name Description
action_tooltip - String Tooltip text explaining why an asset was BLOCKED.
authz_warning - String Tooltip text warning the user about authorizing this asset and extra vetting of asset ownership that may be required.
authz_warning_label - String Label for auth_warning
is_allowed - Boolean! The final, ultimate result of applying the authz rules.
Example
{
  "action_tooltip": "abc123",
  "authz_warning": "abc123",
  "authz_warning_label": "xyz789",
  "is_allowed": false
}

PentestsPage

Fields
Field Name Description
page_info - PageInfo Pagination of response.
pentests - [Pentest!]! List of pentests.
Example
{
  "page_info": PageInfo,
  "pentests": [Pentest]
}

PortalOpState

Description

Op states used in portal

Values
Enum Value Description

done

The pentest is fully complete and results are available in Portal.

ended

The pentest was ended early by the user. Results are available in Portal.

error

The pentest suffered an error. The H3 team is working on it!

installation_needed

The pentest is waiting for NodeZero to be launched.

awaiting_runner

The pentest is waiting for NodeZero Runner.

start_paused

The pentest was configured to start in a paused state.

user_paused

The pentest is paused by a user.

paused

The pentest is paused, possibly due to connectivity issues with NodeZero.

pausing

The pentest is in the process of pausing.

preparing

Resources are being provisioned for the pentest.

preparing_start_paused

Resources are being provisioned for the pentest. Once provisioning is complete, the pentest will start in a paused state.

processing

The pentest results are being processed.

resuming

The pentest is resuming from a paused state.

running

The pentest is live and running.

scheduled

The pentest has been queued up and will begin provisioning resources shortly.

queued

The pentest has been queued up and will begin provisioning resources shortly.

unknown

The pentest is in an unknown state.
Example
"done"

Proof

Description

Each Proof object represents a single Proof captured by NodeZero during a pentest. A Proof can be either (1) a screenshot, or (2) the output from a shell command.

Screenshots are image files that can be retrieved via the presigned_url field. The presigned URL is generated on-demand at request time and expires after a short time period.

Command output can be retrieved via the command_outputs field.

Fields
Field Name Description
uuid - String! A unique identifier.
created_at - Datetime! When this Proof object was created. See also collected_at.
proof_type - String! Either CommandOutputProofResource, ScreenshotProofResource, or EnumerationProofResource
collected_at - Datetime When this Proof was captured.
annotation - String An annotation/caption describing the Proof.
url - String The URL that was captured in a screenshot.
presigned_url - String A presigned URL that can be used to download the screenshot image. Presigned urls are generated at request time and expire within a short period of time.
command_outputs - [CommandOutput] A presigned URL that can be used to download the screenshot image.
enumeration_type - String The type of enumeration performed (Process, Program, User).
enumeration_outputs - [EnumerationProofOutput] The structured enumeration data captured.
proven_entity_labels - [String] A set of labels for the entities this Proof applies to. A Proof may apply to more than one entity, for example a weakness, credential, and/or a web resource.
found_by_module_meta - ModuleMeta Metadata including MITRE tactics and techniques associated with the NodeZero module that found this Proof.
op_id - String! The Op/Pentest in which this Proof was captured.
Example
{
  "uuid": "12341234-1234-1234-1234-123412341234",
  "created_at": "2021-07-22T05:02:40.294996",
  "proof_type": "xyz789",
  "collected_at": "2021-07-22T05:02:40.294996",
  "annotation": "abc123",
  "url": "xyz789",
  "presigned_url": "https://example.com/example",
  "command_outputs": [CommandOutput],
  "enumeration_type": "abc123",
  "enumeration_outputs": [EnumerationProofOutput],
  "proven_entity_labels": ["xyz789"],
  "found_by_module_meta": ModuleMeta,
  "op_id": "12341234-1234-1234-1234-123412341234"
}

SaveOpTemplateOutput

Fields
Field Name Description
op_template - OpTemplate! The saved op template
asset_group - AssetGroup The op template's asset group, if applicable.
Example
{
  "op_template": OpTemplate,
  "asset_group": AssetGroup
}

Schedule

Description

A Schedule is a set of ScheduledActions that can be used together to control the execution of a pentest on a recurring basis.

Typically a Schedule has only one ScheduledAction with its action set to run-pentest. This is used to run a pentest at a specific date and time on a recurring basis.

A Schedule may further control the execution of the pentests it runs by using additional ScheduledActions with actions set to pause-pentest, resume-pentest, and/or cancel-pentest, for pausing, resuming, and canceling/ending the pentest respectively.

Fields
Field Name Description
uuid - String! Unique ID of the Schedule.
name - String! The Schedule name.
actions - [ScheduledAction] The ScheduledActions associated with this Schedule.
created_at - Datetime! When the Schedule was created.
last_updated_at - Datetime When the Schedule was last updated.
is_disabled - Boolean True if all ScheduledActions are disabled.
state - String ENABLED vs DISABLED label corresponding with the is_disabled field.
ops_count - Int! The number of operations run under this Schedule.
Arguments
page_input - PageInput
ops_page - OpsPage! The list of operations run under this Schedule.
Arguments
page_input - PageInput
run_pentest_action - ScheduledAction The run-pentest ScheduledAction for this Schedule.
last_op - Op The last (or current) op that ran under this Schedule.
total_triggers - Int Number of times the schedule has run.
Example
{
  "uuid": "12341234-1234-1234-1234-123412341234",
  "name": "abc123",
  "actions": [ScheduledAction],
  "created_at": "2021-07-22T05:02:40.294996",
  "last_updated_at": "2021-07-22T05:02:40.294996",
  "is_disabled": true,
  "state": "xyz789",
  "ops_count": 987,
  "ops_page": OpsPage,
  "run_pentest_action": ScheduledAction,
  "last_op": Op,
  "total_triggers": 123
}

ScheduleOpForm

Description

Configuration for creating a pentest or any other type of operation.

The main parts of the ScheduleOpForm are:

Fields
Field Name Description
op_name - String

The name of the operation.

The name can be anything. It is used in reports and the UI to label the operation.

op_type - OpType

The type of op.

Defaults to OpType.NodeZero (an internal pentest).

See OpType for a list of supported op types and their configuration requirements.

op_param_blacklist - String

This scope is EXCLUDED from the pentest.

Hosts and subnets that fall within this scope will NOT be pentested.

The scope is defined as comma-separated values. Accepts CIDR ranges and/or individual IP addresses.

op_param_min_scope - String

op_param_min_scope and op_param_max_scope are mutually exclusive ways to define the scope of an op. You can define one or the other, but not both at the same time.

If op_param_min_scope is defined, then the Auto-Expand Scope feature is enabled. This means NodeZero will scan not only the hosts defined in op_param_min_scope, but it will dynamically expand the scope during the operation to include any additional hosts it discovers organically.

Use op_param_min_scope if you're not sure of your full scope, and you want NodeZero to dynamically discover and scan additional hosts and scope, beyond the scope you defined in op_param_min_scope.

op_param_min_scope is typically configured as a set of individual host IPs, not large CIDR ranges or subnets. NodeZero will specifically search for and scan the defined IPs, in addition to any other hosts and subnets it discovers during the op.

Use op_param_max_scope if you know exactly the scope of hosts and subnets you want to scan, and you do NOT want NodeZero to scan any hosts or subnets beyond that scope. This is the more commonly used option, as it gives you the most control over which hosts and subnets are included in the scan.

If neither op_param_min_scope nor op_param_max_scope are defined, then NodeZero defaults to using Intelligent Scope. Intelligent Scope starts with the IP of the host that NodeZero is deployed on. From there, NodeZero enumerates and scans the /16 subnet that the host belongs to. NodeZero then expands into adjacent /23 subnets, continuously identifying and testing nearby assets. The cycle repeats until no additional devices are detected. The ultimate scope of the test depends on the level of privilege and access NodeZero has, either through captured or granted permissions.

The scope is specified as a list of comma-separated IPs and/or CIDR ranges.

op_param_max_scope - String

op_param_min_scope and op_param_max_scope are mutually exclusive ways to define the scope of an op. You can define one or the other, but not both at the same time.

If op_param_max_scope is defined, then the Auto-Expand Scope feature is disabled. This means NodeZero will only scanthe hosts and subnets defined in op_param_max_scope. NodeZero will NOT try to dynamically expand the scope during the operation to include any additional hosts it discovers organically. Only the hosts and subnets that fall within the scope defined in op_param_max_scope will be scanned.

Use op_param_max_scope if you know exactly the scope of hosts and subnets you want to scan, and you do NOT want NodeZero to scan any hosts or subnets beyond that scope. This is the more commonly used option, as it gives you the most control over which hosts and subnets are included in the scan.

Use op_param_min_scope if you're not sure of your full scope, and you want NodeZero to dynamically discover and scan additional hosts and scope.

If neither op_param_min_scope nor op_param_max_scope are defined, then NodeZero defaults to using Intelligent Scope. Intelligent Scope starts with the IP of the host that NodeZero is deployed on. From there, NodeZero enumerates and scans the /16 subnet that the host belongs to. NodeZero then expands into adjacent /23 subnets, continuously identifying and testing nearby assets. The cycle repeats until no additional devices are detected. The ultimate scope of the test depends on the level of privilege and access NodeZero has, either through captured or granted permissions.

The scope is specified as a list of comma-separated IPs and/or CIDR ranges.

feature_flags - [FeatureFlag] Advanced configuration settings that control the types of attacks conducted during the pentest.
osint_domains - [String] List of public-facing domains that will be scanned for OSINT (open-source intelligence).
osint_company_names - [String] List of company names that will be used for discovering OSINT (open-source intelligence).
passwords_to_spray - [String] A set of passwords to use for password spraying.
git_accounts - [GitAccount] List of Git accounts to scan during the pentest.
aws_account_ids - [AWSAccountId] List of AWS accounts to scan during the pentest.
asset_group_uuid - String ID of asset group containing authorized assets that will be pentested. Applies to external pentests only (op_type=ExternalAttack).
start_paused - Boolean Start the pentest in paused state. This option is useful for external pentests when NodeZero's IP address must first be known in order to open up firewalls.
minimum_run_time - Int The minimum number of minutes the op will run for, even if it has fully completed its scan of the environment and scope. This option is useful to give extra time for password spraying and/or man-in-the-middle relay attacks.
maximum_run_time - Int The maximum number of minutes the op will run for, even if it has not yet completed its scan of the environment and scope.
runner_uuid - String ID of the NodeZero Runner that will launch the op.
auto_injected_credential_uuids - [String!] The set of credentials to be auto-injected (by a NodeZero Runner) into the op.
targeted_test_id - String ID of the targeted test to use for the pentest.
k8s_deployment - Boolean Set this to true if you intend to deploy NodeZero in a Kubernetes cluster. This should be true for the K8sPentest op type.
k8s_node - String The Kubernetes node to use for the op. This is used by the K8sPentest op type.
k8s_namespace - String The Kubernetes namespace to use for the op.
This is used by the K8sPentest op type.
k8s_service_account_name - String The Kubernetes service account to use for the op. This is used by the K8sPentest op type.
Example
{
  "op_name": "your op name",
  "op_type": "NodeZero",
  "op_param_blacklist": "123.45.67.89, 12.3.4.56",
  "op_param_min_scope": "123.45.67.89, 12.3.4.56",
  "op_param_max_scope": "123.45.67.89, 12.3.4.56",
  "feature_flags": [FeatureFlag],
  "osint_domains": ["www.horizon3.ai"],
  "osint_company_names": ["Horizon3"],
  "passwords_to_spray": ["passw0rd!"],
  "git_accounts": [GitAccount],
  "aws_account_ids": [AWSAccountId],
  "asset_group_uuid": "12341234-1234-1234-1234-123412341234",
  "start_paused": true,
  "minimum_run_time": 123,
  "maximum_run_time": 123,
  "runner_uuid": "12341234-1234-1234-1234-123412341234",
  "auto_injected_credential_uuids": [
    "xyz789"
  ],
  "targeted_test_id": "xyz789",
  "k8s_deployment": true,
  "k8s_node": "abc123",
  "k8s_namespace": "abc123",
  "k8s_service_account_name": "abc123"
}

ScheduleOpFormInput

Description

Configuration for creating an operation.

Partial/patch updates of an op template's schedule_op_form are supported via update_op_template.

Fields
Input Field Description
op_name - String

The name of the operation.

The name can be anything. It is used in reports and the UI to label the operation.

This also sets AssetGroup.name when used with create_asset_group and update_asset_group_template.

op_type - OpType

The type of op.

Defaults to OpType.NodeZero (an internal pentest).

See OpType for a list of supported op types and their configuration requirements.

op_param_blacklist - String

This scope is EXCLUDED from the pentest.

Hosts and subnets that fall within this scope will NOT be pentested.

The scope is defined as comma-separated values. Accepts CIDR ranges and/or individual IP addresses.

op_param_min_scope - String

op_param_min_scope and op_param_max_scope are mutually exclusive ways to define the scope of an op. You can define one or the other, but not both at the same time.

If op_param_min_scope is defined, then the Auto-Expand Scope feature is enabled. This means NodeZero will scan not only the hosts defined in op_param_min_scope, but it will dynamically expand the scope during the operation to include any additional hosts it discovers organically.

Use op_param_min_scope if you're not sure of your full scope, and you want NodeZero to dynamically discover and scan additional hosts and scope, beyond the scope you defined in op_param_min_scope.

op_param_min_scope is typically configured as a set of individual host IPs, not large CIDR ranges or subnets. NodeZero will specifically search for and scan the defined IPs, in addition to any other hosts and subnets it discovers during the op.

Use op_param_max_scope if you know exactly the scope of hosts and subnets you want to scan, and you do NOT want NodeZero to scan any hosts or subnets beyond that scope. This is the more commonly used option, as it gives you the most control over which hosts and subnets are included in the scan.

If neither op_param_min_scope nor op_param_max_scope are defined, then NodeZero defaults to using Intelligent Scope. Intelligent Scope starts with the IP of the host that NodeZero is deployed on. From there, NodeZero enumerates and scans the /16 subnet that the host belongs to. NodeZero then expands into adjacent /23 subnets, continuously identifying and testing nearby assets. The cycle repeats until no additional devices are detected. The ultimate scope of the test depends on the level of privilege and access NodeZero has, either through captured or granted permissions.

The scope is specified as a list of comma-separated IPs and/or CIDR ranges.

op_param_max_scope - String

op_param_min_scope and op_param_max_scope are mutually exclusive ways to define the scope of an op. You can define one or the other, but not both at the same time.

If op_param_max_scope is defined, then the Auto-Expand Scope feature is disabled. This means NodeZero will only scanthe hosts and subnets defined in op_param_max_scope. NodeZero will NOT try to dynamically expand the scope during the operation to include any additional hosts it discovers organically. Only the hosts and subnets that fall within the scope defined in op_param_max_scope will be scanned.

Use op_param_max_scope if you know exactly the scope of hosts and subnets you want to scan, and you do NOT want NodeZero to scan any hosts or subnets beyond that scope. This is the more commonly used option, as it gives you the most control over which hosts and subnets are included in the scan.

Use op_param_min_scope if you're not sure of your full scope, and you want NodeZero to dynamically discover and scan additional hosts and scope.

If neither op_param_min_scope nor op_param_max_scope are defined, then NodeZero defaults to using Intelligent Scope. Intelligent Scope starts with the IP of the host that NodeZero is deployed on. From there, NodeZero enumerates and scans the /16 subnet that the host belongs to. NodeZero then expands into adjacent /23 subnets, continuously identifying and testing nearby assets. The cycle repeats until no additional devices are detected. The ultimate scope of the test depends on the level of privilege and access NodeZero has, either through captured or granted permissions.

The scope is specified as a list of comma-separated IPs and/or CIDR ranges.

feature_flags - [FeatureFlagInput] Advanced configuration settings that control the types of attacks conducted during the pentest. Partial/patch updates are supported (via update_op_template). Only flags defined in the input will be updated.
osint_domains - [String] List of public-facing domains that will be scanned for OSINT (open-source intelligence).
osint_company_names - [String] List of company names that will be used for discovering OSINT (open-source intelligence).
passwords_to_spray - [String] A set of passwords to use for password spraying.
git_accounts - [GitAccountInput] List of Git accounts to scan during the pentest.
aws_account_ids - [AWSAccountId] List of AWS accounts to scan during the pentest.
asset_group_uuid - String ID of asset group containing authorized assets that will be pentested. Applies to external pentests only (op_type=ExternalAttack).
start_paused - Boolean Start the pentest in paused state. This option is useful for external pentests when NodeZero's IP address must first be known in order to open up firewalls.
minimum_run_time - Int The minimum number of minutes the op will run for, even if it has fully completed its scan of the environment and scope. This option is useful to give extra time for password spraying and/or man-in-the-middle relay attacks.
maximum_run_time - Int The maximum number of minutes the op will run for, even if it has not yet completed its scan of the environment and scope.
runner_uuid - String ID of the NodeZero Runner that will launch the op.
auto_injected_credential_uuids - [String!] The set of credentials to be auto-injected (by a NodeZero Runner) into the op.
targeted_test_id - String ID of the targeted test to use for the pentest.
k8s_deployment - Boolean Set this to true if you intend to deploy NodeZero in a Kubernetes cluster. This should be true for the K8sPentest op type.
k8s_node - String The Kubernetes node to use for the op. This is used by the K8sPentest op type.
k8s_namespace - String The Kubernetes namespace to use for the op.
This is used by the K8sPentest op type.
k8s_service_account_name - String The Kubernetes service account to use for the op. This is used by the K8sPentest op type.
enable_tripwires - Boolean Enables dropping tripwires during the op if the client account is enabled for tripwires. To drop tripwires, the types of tripwires to drop must also be specified via the feature_flags field.
Example
{
  "op_name": "your op name",
  "op_type": "NodeZero",
  "op_param_blacklist": "123.45.67.89, 12.3.4.56",
  "op_param_min_scope": "123.45.67.89, 12.3.4.56",
  "op_param_max_scope": "123.45.67.89, 12.3.4.56",
  "feature_flags": [FeatureFlagInput],
  "osint_domains": ["www.horizon3.ai"],
  "osint_company_names": ["Horizon3"],
  "passwords_to_spray": ["passw0rd!"],
  "git_accounts": [GitAccountInput],
  "aws_account_ids": [AWSAccountId],
  "asset_group_uuid": "12341234-1234-1234-1234-123412341234",
  "start_paused": true,
  "minimum_run_time": 123,
  "maximum_run_time": 987,
  "runner_uuid": "12341234-1234-1234-1234-123412341234",
  "auto_injected_credential_uuids": [
    "abc123"
  ],
  "targeted_test_id": "abc123",
  "k8s_deployment": false,
  "k8s_node": "abc123",
  "k8s_namespace": "abc123",
  "k8s_service_account_name": "abc123",
  "enable_tripwires": false
}

ScheduleOpOutput

Description

The output from a range of mutations that create ops.

Fields
Field Name Description
op - Op! Data for a pentest.
Example
{"op": Op}

ScheduledAction

Description

An action to run at a specific time on a recurring schedule, like a cron job. ScheduledActions are useful for running pentests on a recurring basis, such as weekly or monthly.

There are four types of actions:

  • run-pentest: Run a pentest using the OpTemplate configured in the ScheduledAction.
  • pause-pentest: Pause a pentest that is currently running.
  • resume-pentest: Resume a paused pentest.
  • cancel-pentest: Cancel a pentest that is currently running.
Fields
Field Name Description
uuid - String! Unique ID of the ScheduledAction.
schedule_name - String! The name of the Schedule that the ScheduledAction belongs to. A Schedule is a collection of ScheduledActions.
schedule_uuid - String! ID of the Schedule that the ScheduledAction belongs to. A Schedule is a collection of ScheduledActions.
action - String!

The action to execute. Supported actions are:

  • run-pentest: Run a pentest using the OpTemplate configured in the ScheduledAction.
  • pause-pentest: Pause a pentest that is currently running.
  • resume-pentest: Resume a paused pentest.
  • cancel-pentest: Cancel a pentest that is currently running.
cron_expression - String!

A cron expression that defines when the action is executed.

A cron expression is a string consisting of 5 fields separated by spaces. The 5 fields represent the following:

  • minute (0–59) - this field must always be set to '*' or '0'.
  • hour (0–23) - note this is in UTC time.
  • day of the month (1–31)
  • month (1–12)
  • day of the week (0–6) (Sunday to Saturday)

Notes:

  • ScheduledActions only support hourly resolution. The minutes field must always be set to '*' or '0'.
  • The cron expression is configured in UTC time. If you want to run the action at a specific time in another timezone, you will need to convert that time to UTC.
cron_description - String Friendly description of the cron schedule.
op_template_uuid - String This field is used with the run-pentest action. This is the uuid of the OpTemplate that will be used to run the pentest when the ScheduledAction is triggered.
op_template - OpTemplate This field is used with the run-pentest action. This is the OpTemplate that will be used to run the pentest when the ScheduledAction is triggered.
last_triggered_at - Datetime The last time the action was triggered.
last_triggered_time_ago - String last_triggered_at as a human-friendly "time ago" statement, eg. "3 minutes ago"
last_triggered_error - String The error message, if an error occurred the last time the action was triggered.
next_triggered_at - Datetime The next time the action will be triggered.
next_triggered_time_in - String next_triggered_at as a human-friendly statement, eg. "3 minutes from now"
next_triggered_ats - [Datetime] The next time(s) the action will be triggered.
Arguments
next_n - Int
cadence - String The cadence text (Daily/Weekly/Monthly/Quarterly/Custom) of the schedule.
is_disabled - Boolean Enabled vs disabled
total_triggers - Int Number of times the schedule has run.
Example
{
  "uuid": "12341234-1234-1234-1234-123412341234",
  "schedule_name": "xyz789",
  "schedule_uuid": "12341234-1234-1234-1234-123412341234",
  "action": "xyz789",
  "cron_expression": "abc123",
  "cron_description": "xyz789",
  "op_template_uuid": "12341234-1234-1234-1234-123412341234",
  "op_template": OpTemplate,
  "last_triggered_at": "2021-07-22T05:02:40.294996",
  "last_triggered_time_ago": "xyz789",
  "last_triggered_error": "xyz789",
  "next_triggered_at": "2021-07-22T05:02:40.294996",
  "next_triggered_time_in": "xyz789",
  "next_triggered_ats": [Datetime],
  "cadence": "abc123",
  "is_disabled": true,
  "total_triggers": 123
}

ScheduledActionOutput

Description

Output type for Mutation.create_scheduled_action and other mutations.

Fields
Field Name Description
scheduled_action - ScheduledAction The created ScheduledAction
Example
{"scheduled_action": ScheduledAction}

SchedulesPage

Fields
Field Name Description
page_info - PageInfo Pagination of response.
schedules - [Schedule!]! List of Schedules.
Example
{
  "page_info": PageInfo,
  "schedules": [Schedule]
}

Service

Description

A Service represents an open port on a Host.

Fields
Field Name Description
uuid - String! Unique ID of the Service.
created_at - Datetime! Time when the Service was found during the Op (UTC).
ip - String! IP address of the Service.
port - Int! Port number of this Service.
protocol - String Transport protocol of the Service, eg. tcp, udp.
fingerprints - [String] Set of fingerprints that identify the type of applications running on the Service.
iana_service_name - String The IANA (Internet Assigned Numbers Authority) name of the Service.
host - Host The Host where the Service runs.
data_resources_count - Long The number of data resources found on this Service. Includes all files and DB records. Excludes web pages. See web_resources_count.
web_resources_count - Long The number of web pages found on this Service.
op_id - String! The ID of the Op in which the Service was found.
context_score_description - String Description of context score.
score - Float The risk score for the Service.
severity - Severity The Severity level associated with the score.
Example
{
  "uuid": "12341234-1234-1234-1234-123412341234",
  "created_at": "2021-07-22T05:02:40.294996",
  "ip": "123.45.67.89",
  "port": 123,
  "protocol": "xyz789",
  "fingerprints": ["xyz789"],
  "iana_service_name": "abc123",
  "host": Host,
  "data_resources_count": Long,
  "web_resources_count": Long,
  "op_id": "12341234-1234-1234-1234-123412341234",
  "context_score_description": "abc123",
  "score": 987.65,
  "severity": "INFO"
}

Severity

Description

Severity levels associated with a finding's cyber risk score.

       score <= 0  : INFO
0   <  score <  4.0: LOW
4.0 <= score <  7.0: MEDIUM
7.0 <= score <  9.0: HIGH
9.0 <= score       : CRITICAL
Values
Enum Value Description

INFO

score <= 0

LOW

0 < score < 4.0

MEDIUM

4.0 <= score < 7.0

HIGH

7.0 <= score < 9.0

CRITICAL

9.0 <= score
Example
"INFO"

SignInType

Values
Enum Value Description

BASIC

Basic authentiation using username and password.

GOOGLE

Federated authentication via Google.

LINKED_IN

Federated authentication via LinkedIn.

MICROSOFT

Federated authentication via Microsoft.

SSO

Private SSO.
Example
"BASIC"

SortInput

Description

Parameter to sort by.

Fields
Input Field Description
order_by - StringNoWhitespace! Name of parameter to order by.
sort_order - SortOrder Method to order by.
nulls_first - Boolean Flag to control if nulls are ordered first or last.
Example
{"order_by": "name", "sort_order": "ASC", "nulls_first": true}

SortOrder

Description

Method to order by.

Values
Enum Value Description

ASC

Ascending order.

DESC

Descending order.
Example
"ASC"

String

Description

The String scalar type represents textual data, represented as UTF-8 character sequences. The String type is most often used by GraphQL to represent free-form human-readable text.

Example
"abc123"

StringNoWhitespace

Description

String scalar type that cannot be an empty string or contain whitespace.

Example
StringNoWhitespace

StringNotEmpty

Description

String scalar type that cannot be an empty string.

Example
StringNotEmpty

ThreatActor

Description

Information about known Threat Actors.

Fields
Field Name Description
name - String! The Threat Actor's name.
short_description - String A short description of the Threat Actor.
description - String! A detailed description of the Threat Actor.
origin_country - String! The country where the Threat Actor is believed to originate.
remediation_urgency - String! A brief assessment of remediating urgency, based on known behavior of this Threat Actor.
aliases - [String!]! Well-known aliases for this Threat Actor.
references - [ThreatActorReference!]! Additional resources related to this Threat Actor.
Example
{
  "name": "xyz789",
  "short_description": "xyz789",
  "description": "xyz789",
  "origin_country": "xyz789",
  "remediation_urgency": "xyz789",
  "aliases": ["xyz789"],
  "references": [ThreatActorReference]
}

ThreatActorReference

Description

A reference to additional resources related to a Threat Actor.

Fields
Field Name Description
display_name - String! The reference document's name/title.
url - String! The reference document's URL.
Example
{
  "display_name": "abc123",
  "url": "abc123"
}

TicketCSV

Description

String scalar type representing a TicketCSV row with columns:

  • UUID: String
  • AssignedBy: String
  • Status: String
  • Severity: String
  • TicketName: String
  • WeaknessID: String
  • WeaknessName: String
  • AssetCount: Int
  • CreatedAt: Datetime
  • LastUpdated: Datetime
  • SyncSystem: String
  • SyncDate: Datetime
  • ExternalID: String
Example
TicketCSV

TriggerScheduledActionInput

Description

Input type for Mutation.trigger_scheduled_action

Fields
Input Field Description
schedule_name - String! The Schedule name
action - String! The action to trigger. Supported actions: run-pentest, pause-pentest, resume-pentest, cancel-pentest
Example
{
  "schedule_name": "abc123",
  "action": "xyz789"
}

Tripwire

Fields
Field Name Description
uuid - ID! UUID of the Tripwire
external_id - String! External ID of the Tripwire, often used as the display name. For AWS Access Key tripwires this represents the access key ID, for Windows Suspicious Process and MySQL dump tripwires this represents the DNS subdomain embedded within the tripwire, and for Active Directory tripwires this represents the fully qualified user name of the tripwire account.
op_id - String Op ID for pentest or tripwire job in which Tripwire was dropped, if applicable.
op - OpTab Op details for pentest or tripwire job in which Tripwire was dropped, if applicable.
deployment_asset_name - String! Name describing the host and/or data store in which the Tripwire was deployed, as determined during deployment.
file_attributes - [FileAttributes!] List of file attributes including the name of the file, the path, and the SHA1 hash for each file deployed as part of the Tripwire.
processes - [String!] Processes monitored by the Tripwire. Only applicable for Windows Suspicious Process Tripwires.
active_at - Date Date and time when the Tripwire became active.
inactive_at - Date Date and time when the Tripwire became inactive.
last_tested_at - Date Date and time when the Tripwire was last tested.
data_store - DataStore Details about the data store in which the Tripwire was dropped, collected during the op in which the Tripwire was dropped.
Example
{
  "uuid": "12341234-1234-1234-1234-123412341234",
  "external_id": "xyz789",
  "op_id": "12341234-1234-1234-1234-123412341234",
  "op": OpTab,
  "deployment_asset_name": "xyz789",
  "file_attributes": [FileAttributes],
  "processes": ["xyz789"],
  "active_at": "2021-07-22T05:02:40.294996",
  "inactive_at": "2021-07-22T05:02:40.294996",
  "last_tested_at": "2021-07-22T05:02:40.294996",
  "data_store": DataStore
}

UpdateCampaignInput

Description

Input for updating an existing campaign.

Fields
Input Field Description
uuid - String! Campaign UUID (required)
name - String Campaign name (optional, max 128 characters)
description - String Campaign description (optional, max 256 characters)
add_perspective_uuids - [String!] Optional list of perspective UUIDs to add to the campaign
delete_perspective_uuids - [String!] Optional list of perspective UUIDs to remove from the campaign
Example
{
  "uuid": "12341234-1234-1234-1234-123412341234",
  "name": "xyz789",
  "description": "xyz789",
  "add_perspective_uuids": ["xyz789"],
  "delete_perspective_uuids": ["xyz789"]
}

UpdateOpInput

Fields
Input Field Description
op_name - StringNotEmpty Update the op_name.
is_deleted - Boolean Delete the op. Deleted ops are removed from the main views and (most) aggregations, and they are no longer retrievable in the Portal or via the API.
is_archived - Boolean Archive the op. Archived ops are removed from the main views and (most) aggregations, but they are still retrievable in Portal and via the API.
Example
{"op_name": "your op name", "is_deleted": true, "is_archived": false}

UpdateOpOutput

Fields
Field Name Description
op - Op The updated Op.
Example
{"op": Op}

UpdateOpTemplateInput

Fields
Input Field Description
uuid - String! ID of pentest template.
op_template_name - String Name of pentest template. The name uniquely identifies the template in the client account.
schedule_op_form - ScheduleOpFormInput Input data for scheduling pentest. Partial/patch updates are supported. Only fields defined in the input will be updated.
Example
{
  "uuid": "12341234-1234-1234-1234-123412341234",
  "op_template_name": "xyz789",
  "schedule_op_form": ScheduleOpFormInput
}

UpdateOpTemplateOutput

Fields
Field Name Description
op_template - OpTemplate! The updated op template
Example
{"op_template": OpTemplate}

UpdateScheduledActionInput

Description

Input type for Mutation.update_scheduled_action

Fields
Input Field Description
uuid - String! ID of ScheduledAction to update.
cron_expression - String

A cron expression that defines when the action is executed.

A cron expression is a string consisting of 5 fields separated by spaces. The 5 fields represent the following:

  • minute (0–59) - this field must always be set to '*' or '0'.
  • hour (0–23) - note this is in UTC time.
  • day of the month (1–31)
  • month (1–12)
  • day of the week (0–6) (Sunday to Saturday)

Notes:

  • ScheduledActions only support hourly resolution. The minutes field must always be set to '*' or '0'.
  • The cron expression is configured in UTC time. If you want to run the action at a specific time in another timezone, you will need to convert that time to UTC.
op_template_uuid - String This field is used with the run-pentest action. This is the OpTemplate that will be used to run the pentest when the ScheduledAction is triggered.
Example
{
  "uuid": "12341234-1234-1234-1234-123412341234",
  "cron_expression": "xyz789",
  "op_template_uuid": "12341234-1234-1234-1234-123412341234"
}

UpdateUserAccountInput

Description

Arguments to update user account.

Fields
Input Field Description
email - EmailAddress! Email of user to update.
client_account_uuid - String ID of client account to update the user for, when applicable. Defaults to the current user client account.
user_role_id - AuthzRole! Role of user in the given client account.
name - String! Name of user.
Example
{
  "email": "john.smith@example.com",
  "client_account_uuid": "12341234-1234-1234-1234-123412341234",
  "user_role_id": "USER",
  "name": "John Smith"
}

UserAccount

Description

User account data.

Fields
Field Name Description
uuid - String ID of user account.
email - EmailAddress User email address.
name - String User name.
user_role_id - AuthzRole Role of this user in the calling user's ClientAccount.
sign_in_type - SignInType Indicates the type of sign-in credentials used by this specific UserAccount
last_signed_in_at - Datetime Timestamp of last time this user signed in under the current user's ClientAccount.
has_unread_notifications_by_type - [NotificationType]! Returns notification types with unread notifications for the user's current client account.
has_tripwires_access - Boolean!

Indicates whether the user is authorized to the Tripwires product in the user's current client account.

Users with access to Tripwires will be able query tripwire data and receive notifications about activity on active tripwires.

has_rapid_response_access - Boolean! Indicates whether the user is authorized to Rapid Response notifications regarding evidence of breaking vulnerabilities in user's current client account.
Example
{
  "uuid": "12341234-1234-1234-1234-123412341234",
  "email": "john.smith@example.com",
  "name": "John Smith",
  "user_role_id": "USER",
  "sign_in_type": "BASIC",
  "last_signed_in_at": "2021-07-22T05:02:40.294996",
  "has_unread_notifications_by_type": ["EvidenceOfWeakness"],
  "has_tripwires_access": true,
  "has_rapid_response_access": true
}

Vuln

Description

Static information about a Weakness.

Fields
Field Name Description
id - String! The unique ID of the Vuln.
base_score - Float! The statically assigned base score for the Vuln. Note that the corresponding Weakness may have a different score, based on its context scoring and impact within the environment.
name - String! The Vuln name.
short_name - String! A short name for the Vuln.
description - String! The Vuln description.
impact - String The potential impact if an attacker exploited the Vuln.
category - VulnCategory! High-level categorization of the Vuln.
base_severity - Severity! Severity level associated with the Vuln's base_score.
aliases - [String]! Well-known aliases for the Vuln.
mitigations - [VulnMitigation]! Recommended ways to mitigate the Vuln.
references - [VulnReference]! Additional resources related to the Vuln.
impact_categories - [VulnImpactCategory]! Categories related to the potential impact if an attacker exploited the Vuln.
one_click_verify - Boolean! If true, then the Vuln can be verified via one-click verify. Most Vulns are one-click verifiable. Vulns that require complex multi-step attack paths may not be one-click verifiable.
cisa_kev - Boolean! If true, then the Vuln is a Known Exploited Vulnerability, according to CISA.
known_ransomware_campaign_use - Boolean If true, then the Vuln is known to be used in ransomware campaigns.
threat_actors - [ThreatActor!]! Threat actors that are known to exploit this Vuln.
Example
{
  "id": "abc123",
  "base_score": 987.65,
  "name": "xyz789",
  "short_name": "xyz789",
  "description": "xyz789",
  "impact": "abc123",
  "category": "SECURITY_MISCONFIGURATION",
  "base_severity": "INFO",
  "aliases": ["xyz789"],
  "mitigations": [VulnMitigation],
  "references": [VulnReference],
  "impact_categories": ["FILE_UPLOAD"],
  "one_click_verify": true,
  "cisa_kev": false,
  "known_ransomware_campaign_use": true,
  "threat_actors": [ThreatActor]
}

VulnCategory

Description

Vuln categories.

Values
Enum Value Description

SECURITY_MISCONFIGURATION

The Vuln is related to a security misconfiguration of an asset.

VULNERABILITY

A product/asset vulnerability.

SECURITY_CONTROLS

The Vuln is related to ineffective or insufficient security controls or policies.

CREDENTIALS

The Vuln is related to credential management or policies.
Example
"SECURITY_MISCONFIGURATION"

VulnImpactCategory

Description

Categories related to the potential impact of an exploited Vuln.

Values
Enum Value Description

FILE_UPLOAD

The Vuln may lead to unauthorized file uploads.

DENIAL_OF_SERVICE

The Vuln may result in a Denial-of-Service (DOS) attack.

REMOTE_CODE_EXECUTION

The Vuln may enable remote code execution.

INFORMATION_DISCLOSURE

The Vuln may expose sensitive information.

PRIVILEGE_ESCALATION

The Vuln may enable an attacker to escalate privileges.

DEFACEMENT

The Vuln may lead to defacement of a website.

IMPERSONATION

The Vuln may enable impersonation of a user.

UNAUTHORIZED_ACCESS

The Vuln may allow unauthorized access to a system.
Example
"FILE_UPLOAD"

VulnMitigation

Description

Recommended ways to mitigate a Vuln.

Fields
Field Name Description
description - String! Description of the mitigation.
Example
{"description": "abc123"}

VulnReference

Description

Additional resources related to a Vuln.

Fields
Field Name Description
name - String! The reference document's name/title.
url - String The reference document's URL.
Example
{
  "name": "xyz789",
  "url": "xyz789"
}

Weakness

Description

A Weakness represents a vulnerability on an affected asset, found by NodeZero during a pentest. A Weakness record is created for each unique combination of vuln_id + affected_asset + op_id.

To track Weaknesses across pentests, use WeaknessSeries.

Fields
Field Name Description
uuid - String! Unique ID for this Weakness instance.
created_at - Datetime! When this Weakness was found during the Op (UTC).
vuln_id - String! The Weakness's vuln ID.
vuln - Vuln! Static information about the Vuln ID.
vuln_aliases - [String!] Well-known aliases for this vuln.
vuln_category - VulnCategory The vuln's category
vuln_name - String The vuln's official name.
vuln_short_name - String A convenient short name for the vuln.
vuln_cisa_kev - Boolean True if the vuln is a CISA Known Exploited Vulnerability
vuln_known_ransomware_campaign_use - Boolean True if the vuln is a CISA Known to be Used in Ransomware Campaigns.
op_id - String! The op_id for the Op in which this Weakness was observed.
ip - String The IP address where this Weakness was observed.
has_proof - Boolean Indicates whether or not we captured proof of the Weakness.
proof_failure_code - String The reason why we failed to capture proof, if applicable. One of: exploit_failed, not_configured, no_exploit, timeout.
proof_failure_reason - String The reason why we failed to capture proof, if applicable.
score - Float The risk score for this Weakness (equal to context_score if set, otherwise base_score).
severity - Severity Severity level associated with the score.
base_score - Float Base risk score associated with the vuln ID.
base_severity - Severity Severity level associated with the base risk score.
context_score - Float Risk score based on the weakness's total impact on the environment.
context_severity - Severity Severity level associated with the context score.
context_score_description_md - String Description explaining the context score/downstream impact for this weakness (in markdown format).
context_score_description - String Description explaining the context score/downstream impact for this weakness.
time_to_finding_hms - String The time it took to find the Weakness. Formatted as hours:minutes:seconds (hh:mm:ss).
time_to_finding_s - Int The time it took (in seconds) to find the Weakness.
affected_asset_display_name - String The display name of the asset directly affected by this weakness.
affected_asset_short_name - String The short name of the asset directly affected by this weakness.
downstream_impact_types - [ImpactType!] List of ImpactTypes found downstream of this Weakness.
attack_paths_count - Int! The number of AttackPaths the Weakness is included in. This is equivalent to the number of Impacts found downstream of this Weakness.
Arguments
page_input - PageInput
attack_paths_page - AttackPathsPage! The list of AttackPaths the Weakness is included in. This is equivalent to the list of Impacts found downstream of this Weakness.
Arguments
page_input - PageInput
proofs - [Proof] Proof(s) for this Weakness.
affected_host - Host The Host that this Weakness was found on.
diff_status - DiffStatus

This field is only used when performing a diff between ops, for example via Query.weaknesses_diff_page.

If a weakness was present in the first op, but not the second op, its diff_status will be set to REMOVED.

If a weakness was present in the second op, but not the first op, its diff_status will be set to ADDED.

mitre_mappings - [MitreMapping!] The set of MITRE techniques associated with the discovery of this weakness.
affected_credentials_count - Int! The number of Credentials affected by this Weakness. Typically there's only 1 affected Credential per Weakness, but in some edge cases there can be multiple.
Arguments
page_input - PageInput
affected_credentials_page - CredentialsPage! The list of Credentials affected by this Weakness. Typically there's only 1 affected Credential per Weakness, but in some edge cases there can be multiple.
Arguments
page_input - PageInput
affected_service - Service The Service affected by this Weakness.
affected_application - Application The Application affected by this Weakness.
affected_cloud_resource - CloudResource The CloudResource affected by this Weakness.
affected_cloud_role - CloudRole The CloudRole affected by this Weakness.
affected_external_domain - ExternalDomain The ExternalDomain affected by this Weakness.
affected_interesting_resource - InterestingResource The InterestingResource affected by this Weakness.
affected_ldap_domain - LDAPDomain The LDAPDomain affected by this Weakness.
affected_data_store - DataStore The DataStore affected by this Weakness.
Example
{
  "uuid": "12341234-1234-1234-1234-123412341234",
  "created_at": "2021-07-22T05:02:40.294996",
  "vuln_id": "abc123",
  "vuln": Vuln,
  "vuln_aliases": ["abc123"],
  "vuln_category": "SECURITY_MISCONFIGURATION",
  "vuln_name": "abc123",
  "vuln_short_name": "xyz789",
  "vuln_cisa_kev": true,
  "vuln_known_ransomware_campaign_use": false,
  "op_id": "12341234-1234-1234-1234-123412341234",
  "ip": "123.45.67.89",
  "has_proof": true,
  "proof_failure_code": "abc123",
  "proof_failure_reason": "xyz789",
  "score": 987.65,
  "severity": "INFO",
  "base_score": 123.45,
  "base_severity": "INFO",
  "context_score": 123.45,
  "context_severity": "INFO",
  "context_score_description_md": "abc123",
  "context_score_description": "xyz789",
  "time_to_finding_hms": "22:05:31",
  "time_to_finding_s": 987,
  "affected_asset_display_name": "abc123",
  "affected_asset_short_name": "abc123",
  "downstream_impact_types": ["AWSUserRoleCompromise"],
  "attack_paths_count": 987,
  "attack_paths_page": AttackPathsPage,
  "proofs": [Proof],
  "affected_host": Host,
  "diff_status": "ADDED",
  "mitre_mappings": [MitreMapping],
  "affected_credentials_count": 123,
  "affected_credentials_page": CredentialsPage,
  "affected_service": Service,
  "affected_application": Application,
  "affected_cloud_resource": CloudResource,
  "affected_cloud_role": CloudRole,
  "affected_external_domain": ExternalDomain,
  "affected_interesting_resource": InterestingResource,
  "affected_ldap_domain": LDAPDomain,
  "affected_data_store": DataStore
}

WeaknessCSV

Description

String scalar type representing a WeaknessCSV row with columns:

  • WeaknessID: String
  • FirstSeen: Datetime
  • Name: String
  • RootCause: String
  • Severity: String
  • ContextScore: Float
  • ContextScoreDescription: String
  • Confirmed: Boolean
  • Hostname: String
  • CNAME: String
  • OS: String
  • IP: String
  • Port: Int
  • Protocol: String
  • ProtocolPort: String
  • Service: String
  • ServiceType: String
  • Product: String
  • OpID: String
  • Description: String
  • AssetID: String
  • AllHostnames: String
  • Repo: String
  • Vhost: String
  • ResourceUri: String
  • UserName: String
  • UserDomainName: String
  • ProvenEntityEid: String
  • Impact: String
  • Mitigations: String
  • References: String
  • ThreatActors: String
  • BusinessRisks: String
Example
WeaknessCSV

WeaknessesDiffPage

Description

Contains a page of Weakness records, as fetched via Query.weaknesses_diff_page.

Fields
Field Name Description
page_info - PageInfo Information about the current page.
weaknesses - [Weakness!]! List of weaknesses for the current page.
Example
{
  "page_info": PageInfo,
  "weaknesses": [Weakness]
}

WeaknessesPage

Description

Contains a page of Weakness records, as fetched via Query.weaknesses_page.

Fields
Field Name Description
page_info - PageInfo Information about the current page.
weaknesses - [Weakness!]! List of weaknesses for the current page.
Example
{
  "page_info": PageInfo,
  "weaknesses": [Weakness]
}