Getting started

Pilot’s whole experience is built around one motion:

  1. Tell it about an organisation (a company).
  2. Watch it enumerate the surface (enrichment runs automatically).
  3. Scan that surface for vulnerabilities and leaked credentials.
  4. Review and triage the findings, or walk the attack graph for blast-radius questions.
  5. Ask Pilot when you don’t know where to look.

You’ll do all five from one login.

Step 1 — Add a company

From the sidebar, click Companies → + Create your first company.

Give it a name (Acme) and at least one seed domain (acme.com). Pilot will treat that domain as the root of your investigation; you can add more seeds later if the organisation owns multiple domains (acme.io, acmesecurity.com, etc.).

The moment you save, Pilot:

  • Creates a target for the seed domain.
  • Kicks off enrichment: DNS lookup, HTTP fingerprint, SaaS detection, subdomain enumeration. Most companies have first results within 60–90 seconds.
  • Auto-links any subdomains it discovers under the parent domain.

Step 2 — Watch the surface populate

Open the company you just created (or sit on the Targets page). You’ll see targets appear with status pills:

  • enriching (blue, pulsing) — running.
  • ready (green) — has DNS + HTTP data.
  • error (red) — something timed out; click to retry.

Open any target row to see its panel: resolved IPs, HTTP response, detected technologies, subdomains, identity assets, and the SaaS the host serves to its visitors.

No findings yet. Enrichment maps the surface — it doesn’t scan for vulnerabilities. That’s the next step.

Step 3 — Run your first scan

Go to Vulnerabilities in the sidebar. Alternatively, click a row’s ▶ Scrape button on the Targets page to start a crawl, or open the Active sub-tab on Vulnerabilities to run a Nuclei vulnerability scan.

Pick the targets you want to scan, choose Scan power (Small / Medium / Large — Small is fine for first scans), and click Start Scan. Pilot queues the job and runs it in the background. You can keep working — toasts pop when the scan finishes.

Step 4 — Review what Pilot found

When the scan completes:

  • Vulnerabilities tab lists CVEs and template matches with severity pills.
  • Vulnerabilities → Secrets tab lists any credentials Pilot recovered from your crawled content or repos. Pilot also runs an automated triage pass — most “secret matches” are false positives (build artefacts, third-party JS minification noise) and are tagged as probable_fp so you only triage real ones.
  • The Home dashboard rolls everything up into a posture grade and a next-step recommendation.

Step 5 — Ask Pilot when you’re stuck

The emerald pill bottom-left (“Ask Pilot”) opens the AI agent. Type questions in plain English:

  • “What does Acme actually run their site on?”
  • “Are there any leaked credentials that reach our SaaS data?”
  • “What are the riskiest attack paths I should investigate today?”
  • “What if our identity provider leaked?” (this triggers the hypothetical / blast-radius mode — opt-in).

Pilot picks the right read-only tool, runs it against your data, and shows you the actual rows it used. Every claim it makes carries a [N] citation pointing to the step that produced it.

Where to next