Skip to content
Pilot Docs

Targets & enrichment

A target is one thing Pilot probes — a domain, a subdomain, or sometimes a bare IP. Each target goes through an enrichment pipeline that fans out and collects everything the platform can know about it without authenticating.

What enrichment does

When a target lands in Pilot (either because you added it directly or because subdomain enumeration discovered it), the pipeline runs:

  1. DNS lookup — A, AAAA, NS, MX, CNAME records. Identifies mail provider, nameserver provider, federation hints.
  2. HTTP probe — fetches / over HTTPS (and HTTP for visibility), captures status, redirect chain, response headers, server banner.
  3. Technology fingerprint — what’s running on the host (frameworks, CMS, JS libraries, CDN, WAF) derived from the HTTP response.
  4. SaaS detection — matches the host against a catalogue of known SaaS services (Auth0, Okta, Snowflake, Stripe, Cloudflare, etc.) using CNAME, response header, and request-host signals.
  5. Identity-asset probe — looks for OIDC discovery endpoints, SAML metadata, MX providers that imply an IdP.
  6. Subdomain enumeration (domain-type targets only) — queries seven public sources for child hosts.

Each step writes its data to the target row, the attack graph, and (where relevant) ClickHouse for full-text search.

Status lifecycle

Each target has a status field surfaced as a coloured dot:

  • gray (idle) — created but not yet enriched.
  • blue, pulsing (enriching) — pipeline running.
  • green (ready) — finished successfully.
  • yellow (ready, unreachable) — DNS resolved but HTTP failed.
  • red (error) — enrichment failed and was tried; click the row to see the error and retry.

Actions on a target row

Every target row ends in an actions cell:

  • ▶ Scrape (domain targets) — start a web crawl of the site. Opens a small modal so you can also include known subdomains in the crawl.
  • ↺ Refresh — re-run enrichment (useful when DNS or hosting changes).
  • (kebab) — opens the full menu: Transforms (Resolve DNS, HTTP Probe, Detect SaaS, Enumerate Subdomains — re-run a single step), Exclude from scope, Copy URL, Delete.

Right-click on the row works too — same menu — for keyboard-driven operators.

Scope and exclusion

A target can be marked excluded from scope. Pilot still keeps the record but won’t run further enrichment or scans against it. Use this for hosts you know are out of scope (parked domains, third-party infra, a staging host you don’t own).

The ontology view

The default table view is great for sorting and bulk actions. Toggle the ▤ / ◈ buttons next to the search bar for the tree view — which renders targets in their parent-child hierarchy (root domain → subdomain → sub-subdomain). Useful for “what does this company actually own” questions.

Manually adding subdomains

If automated enumeration missed a subdomain you know about, add it manually. The form is on the Targets page (+ button). Pilot detects that the host is a child of a tracked domain and links it automatically, tagging the source as manual.

Where the data lives

  • Most-recent enrichment state is on the target row itself in Postgres.
  • Crawled page bodies and headers live in ClickHouse (crawl_pages).
  • Nuclei findings live in ClickHouse (nuclei_findings).
  • The attack graph is rebuilt on demand from those sources — never stored as a separate cache.

That last point matters: if you re-enrich a target, the graph updates the moment you next open it.