Glossary

The product surface uses precise security terminology because that’s what operators expect. If any of it reads as jargon when you’re evaluating Pilot or onboarding a new teammate, this is your reference.

Pilot-specific terms

Company

The top of the tree. An organisation you’re investigating. Holds one or more seed domains; everything Pilot discovers gets scoped to a company. See Concepts → Companies.

Target

A host, domain, or IP Pilot probes. Each one goes through enrichment (DNS, HTTP, SaaS detection, subdomain enumeration) and can be scanned for vulnerabilities. See Concepts → Targets.

Seed domain

The root domain name Pilot starts from when enumerating a company. A company can have multiple seeds; Pilot stitches each discovered subdomain back to the seed it belongs under.

Enrichment

The automated pipeline that runs on every target — DNS lookup, HTTP probe, technology fingerprint, SaaS detection, identity-asset probe, and (for domain-type targets) subdomain enumeration through seven public sources.

Finding

A specific vulnerability detection on a specific target. Comes from Nuclei templates firing against scanned hosts. Has a severity (critical / high / medium / low / info), an optional CVE id, and the URL or parameter where it matched. See Concepts → Findings & secrets.

Secret

A leaked credential pattern Pilot recovered from crawled pages, JS bundles, or connected repos. Triaged automatically into unverified, probable_fp, public_by_design, or real_secret.

Transform

A single enrichment step you can manually re-run on a target — Resolve DNS, HTTP Probe, Detect SaaS, Enumerate Subdomains. Available from the target row’s kebab menu or right-click context menu.

Posture grade

The A–F letter grade on the home dashboard and company detail page. Computed from verified data: HTTPS adoption, security header coverage, open vulnerability counts by severity, leaked-secret exposure (real-secret count, not raw matches), and identity / SaaS coverage.

Scope

The currently-active filter. Either a specific company (the scope chip shows its name) or GLOBAL (everything in the customer account). The scope chip lives at the top of every page; click to switch.

Hypothetical scenario / chain

A research lead from the SaaS Attack Matrix catalogue or the LLM What-if synthesiser. Always tagged with if true: <severity> to distinguish it from verified findings. Never appears as urgency on the home dashboard.

Ask Pilot

The AI agent. Click the emerald pill bottom-left or use the inline agent panel on any page’s empty state.

Security & infra terminology

Nuclei

The vulnerability scanner Pilot uses to test targets against a large library of templates (CVEs, misconfigurations, exposed admin panels). Open-source, template-driven. See projectdiscovery.io/nuclei.

Subdomain enumeration

The process of discovering hostnames under a known domain. Pilot queries seven public sources: crt.sh (Certificate Transparency logs), HackerTarget, CertSpotter, AlienVault OTX, urlscan.io, subfinder (binary), and SecurityTrails (when API-keyed).

Certificate Transparency (CT) logs

Public, append-only logs of every TLS certificate issued by a participating CA. Querying CT for *.acme.com reveals every hostname under acme.com that appears in a logged certificate (a wildcard certificate only shows the parent name, and names that merely start with acme.com, such as acme.com.example.net, are out of scope). Pilot uses crt.sh and CertSpotter for this.
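The two entries above describe collecting CT-logged names and scoping them to a seed. The following added example (not Pilot's code) parses a constructed crt.sh-style JSON response, normalises the names, drops wildcards and look-alikes, and attributes each hostname to the most specific seed; the sample records and seed names are invented.

```python
import json
import re
from typing import Iterable, Optional, Set

# Constructed sample in the shape of a crt.sh JSON response for ?q=%.acme.com&output=json;
# each record's name_value may hold several newline-separated names. Not real data.
SAMPLE_CRTSH_JSON = """[
  {"common_name": "www.acme.com", "name_value": "www.acme.com\\nacme.com"},
  {"common_name": "*.acme.com", "name_value": "*.acme.com\\nvpn.acme.com"},
  {"common_name": "Staging.ACME.com.", "name_value": "Staging.ACME.com."},
  {"common_name": "acme.com.lookalike.example", "name_value": "acme.com.lookalike.example"}
]"""

# One DNS label per group (alphanumerics and hyphens), at least two labels.
HOSTNAME_RE = re.compile(r"^(?:[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z][a-z0-9-]*$")


def in_scope(name: str, seed: str) -> bool:
    """True when name is the seed itself or sits under it on a label boundary,
    so 'acme.com.lookalike.example' is not mistaken for part of acme.com."""
    return name == seed or name.endswith("." + seed)


def subdomains_from_ct(raw_json: str, seed: str) -> Set[str]:
    """Turn crt.sh-style records into a de-duplicated set of in-scope hostnames."""
    seed = seed.lower().rstrip(".")
    found: Set[str] = set()
    for record in json.loads(raw_json):
        for name in record.get("name_value", "").split("\n"):
            name = name.strip().lower().rstrip(".")  # CT names are case-insensitive
            if name.startswith("*."):
                name = name[2:]  # a wildcard cert only tells us the parent exists
            if HOSTNAME_RE.match(name) and in_scope(name, seed):
                found.add(name)
    return found


def attribute_to_seed(name: str, seeds: Iterable[str]) -> Optional[str]:
    """Stitch a discovered hostname back to the most specific seed it belongs under."""
    clean = [s.lower().rstrip(".") for s in seeds]
    matches = [s for s in clean if in_scope(name.lower().rstrip("."), s)]
    return max(matches, key=len) if matches else None


if __name__ == "__main__":
    for host in sorted(subdomains_from_ct(SAMPLE_CRTSH_JSON, "acme.com")):
        print(host, "->", attribute_to_seed(host, ["acme.com", "eu.acme.com"]))
```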

SaaS detection

Pattern-matching against a catalogue of known SaaS providers using CNAME records, response headers, and request-host signatures. Tells you “this host uses Cloudflare / Auth0 / Snowflake” passively, from public DNS and HTTP responses.

Identity provider (IdP)

The system that authenticates users for downstream applications. Common ones Pilot detects: Okta, Auth0, Azure AD (Entra ID), Google Workspace, OneLogin, JumpCloud, Ping. Detected via OIDC discovery endpoints, SAML metadata, or MX records.

OIDC (OpenID Connect)

An authentication protocol layered on top of OAuth 2.0. The IdP publishes a discovery endpoint at /.well-known/openid-configuration describing how to obtain tokens. Pilot uses this to identify the IdP and its capabilities.
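An added example (not Pilot's code) of reading a discovery document the way the entry describes: it names the IdP from the issuer host, reports PKCE and flow capabilities, and checks that the issuer matches the location the document was served from, which OIDC Discovery requires. The vendor suffix table and the sample document are assumptions constructed for illustration.

```python
import json
from typing import Dict, List
from urllib.parse import urlparse

WELL_KNOWN = "/.well-known/openid-configuration"

# Assumed issuer-host suffixes for the IdPs the glossary lists; illustrative, not Pilot's catalogue.
IDP_ISSUER_SUFFIXES = {
    "Okta": ("okta.com", "oktapreview.com", "okta-emea.com"),
    "Auth0": ("auth0.com",),
    "Azure AD (Entra ID)": ("login.microsoftonline.com",),
    "Google Workspace": ("accounts.google.com",),
    "OneLogin": ("onelogin.com",),
    "JumpCloud": ("jumpcloud.com",),
    "Ping": ("pingone.com", "pingone.eu", "pingidentity.com"),
}

# Constructed discovery document in the shape an Okta-style tenant publishes; not a real tenant.
SAMPLE_DISCOVERY = """{
  "issuer": "https://login.example-tenant.okta.com/oauth2/default",
  "authorization_endpoint": "https://login.example-tenant.okta.com/oauth2/default/v1/authorize",
  "token_endpoint": "https://login.example-tenant.okta.com/oauth2/default/v1/token",
  "jwks_uri": "https://login.example-tenant.okta.com/oauth2/default/v1/keys",
  "response_types_supported": ["code", "id_token", "code id_token"],
  "grant_types_supported": ["authorization_code", "implicit", "refresh_token"],
  "code_challenge_methods_supported": ["S256"]
}"""


def classify_issuer(issuer: str) -> str:
    """Map the issuer's hostname to a vendor by suffix match on a label boundary."""
    host = (urlparse(issuer).hostname or "").lower()
    for vendor, suffixes in IDP_ISSUER_SUFFIXES.items():
        if any(host == s or host.endswith("." + s) for s in suffixes):
            return vendor
    return "unknown/self-hosted"


def profile_discovery(doc_json: str, fetched_from: str) -> Dict[str, object]:
    """Summarise a discovery document; flag an issuer that differs from where it was served."""
    doc = json.loads(doc_json)
    issuer = doc["issuer"].rstrip("/")
    expected = fetched_from[:-len(WELL_KNOWN)] if fetched_from.endswith(WELL_KNOWN) else fetched_from
    response_types: List[str] = doc.get("response_types_supported", [])
    return {
        "idp": classify_issuer(issuer),
        "issuer_matches_location": issuer == expected.rstrip("/"),
        "pkce_s256": "S256" in doc.get("code_challenge_methods_supported", []),
        # Discovery spec default when grant_types_supported is omitted.
        "grant_types": sorted(doc.get("grant_types_supported", ["authorization_code", "implicit"])),
        # Any response type without 'code' is an implicit-flow response type.
        "implicit_flow": any("code" not in rt.split() for rt in response_types),
    }
```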

SAML

An older XML-based SSO protocol. The IdP publishes metadata at a known URL; Pilot reads it to identify the IdP and its signing certificates.

MITRE PRE-ATT&CK

The MITRE framework’s catalogue of techniques an adversary uses before they have a foothold — reconnaissance, resource development, initial access prep. The standalone PRE-ATT&CK matrix has since been folded into Enterprise ATT&CK as its Reconnaissance and Resource Development tactics, so the ids below are Enterprise ATT&CK technique ids. Every edge on the attack graph carries a PRE-ATT&CK technique id (e.g. T1590.002 — DNS).

Attack graph

A BloodHound-style view of how external assets connect. Every node is something an attacker would collect; every edge is a pivot they would make. See Concepts → Attack graph.

Confidence (on graph edges)

How sure Pilot is about an edge:

  • verified — observed directly.
  • inferred — follows necessarily from observed data.
  • speculative — the attacker’s reasonable guess (catalogue hypothesis, naming convention, etc.).

Dork (or “Google dork”)

A targeted search query — usually with site:, inurl:, intext:, etc. — used to find specific kinds of public content. Pilot’s search uses similar operators against your own crawl data.

Passive mode

A company setting that tells Pilot to skip active probes (HTTP fetches, port scans) and rely only on passive sources (DNS, CT logs, third-party SaaS detection feeds). Useful when active probes would be ethically or legally questionable.

Crawl / scrape

Visiting pages on a target in a browser, following links, collecting the HTML / JS / response headers. The “Web Scraper” sidebar entry covers crawl jobs; targets get crawled when you click ▶ Scrape on their row.

vCPU

Virtual CPU — the unit Pilot uses to allocate scan compute. By default the UI shows friendly tier labels (Small / Medium / Large / Extra Large). Operators with Developer mode enabled in Settings see the raw vCPU numbers.

Verified

The data was directly observed. A host RUNS technology edge is verified because Pilot fingerprinted the response.

Inferred

Follows necessarily from what was observed. An idp FEDERATES_WITH saas_service edge is inferred when both endpoints are detected for the same company — federation isn’t confirmed, but it’s the obvious implication.

Speculative

The attacker’s reasonable guess, NOT directly observed. A cloud_asset HOSTS_DATA inferred-bucket edge based on a naming pattern is speculative. SaaS Matrix chain edges are also speculative by design.

Hypothetical

Used specifically for SaaS Matrix and What-if scenarios. Same meaning as speculative but in operator-facing prose. A hypothetical chain is a research lead, not a finding.

Triage verdict (on secrets)

What Pilot’s automated triage decided about a secret pattern match:

  • unverified — not yet triaged.
  • probable_fp — confidently a false positive.
  • public_by_design — a real value intentionally public.
  • real_secret — high-confidence true positive.