Glossary#

This page defines key terms used throughout SilentBolt and this documentation. Terms are listed alphabetically.


Accepted Risk#

A governance status indicating that the organization acknowledges a finding but has chosen not to remediate it at this time. Accepted risk findings require an expiry date — after which the finding should be re-evaluated. The effective severity of an accepted risk finding is reduced.

AI Provider#

The large language model service used for AI-driven features — test type suggestions in Attack Orchestration, template recommendations, and AI Review triage suggestions. SilentBolt supports OpenAI (GPT-4o), Google Gemini, and Anthropic Claude. Users can configure their own API key (BYOK) or use the system default provider.

AI Review#

An analyst-initiated process where AI examines all findings from a completed scan and generates per-finding triage suggestions (e.g., likely false positive, accept risk candidate, resolve candidate). Suggestions must be explicitly approved by an analyst before any governance status change takes effect.

Attack Orchestration#

A feature that extends scan results into AI-driven penetration testing. After a scan completes, users create an orchestration session, receive AI-suggested test types, and execute tool sequences with AI-generated configurations. See Attack Orchestration.

Authorization Status#

The approval state of a domain within SilentBolt. A domain must be authorized (approved) by an admin before scans can be executed against it. This is a safety control separate from verification.

Baseline Scan#

The first scan of a domain. Subsequent scans are compared against the baseline (and the most recent previous scan) to detect drift.

Company#

The top-level tenant in SilentBolt's multi-tenant model. Each company has its own isolated set of users, domains, scans, findings, integrations, and settings. A company maps to a customer organization (or a client workspace for MSSPs).

Confidence#

A numeric value (0.0–1.0) associated with a finding or an AI suggestion, indicating the system's or AI's certainty in the result. Higher confidence means the detection or suggestion is more reliable.

Discovery#

The first phase of a scan pipeline. SilentBolt runs an automated subdomain enumeration engine against the target domain to discover its subdomains. The output is the list of scan targets.

Domain#

A web domain (e.g., example.com) registered in SilentBolt as a scanning target. Domains belong to a company and must be verified and authorized before scanning. Domains can be classified by environment and organized with tags.

Drift#

A change in the security posture between scans. When a scan completes, SilentBolt compares its findings against the baseline scan and the previous scan. Each finding is labeled as one of: new, changed, resolved, or regression.
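The drift comparison described above, as an added example that is not SilentBolt's own code: it matches findings across the baseline, previous and current scans by an assumed stable key and assigns the four drift labels; the exact rule for each label and the "no label when unchanged" case are assumptions, since the glossary only names the labels.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    # Stable identity for matching the same issue across scans
    # (assumed to be something like template id + host + path).
    key: str
    severity: str  # technical severity: critical/high/medium/low/info


def drift_labels(baseline, previous, current):
    """Label every finding seen in the previous or current scan.

    Assumed reading of the glossary's drift rules:
      new        - in current, absent from both baseline and previous
      regression - in current, absent from previous, present in baseline
      changed    - in previous and current with a different severity
      resolved   - in previous but absent from current
    A finding present in both scans with the same severity gets no
    drift label (None); the page lists only the four labels above.
    """
    base = {f.key: f for f in baseline}
    prev = {f.key: f for f in previous}
    curr = {f.key: f for f in current}
    labels = {}
    for key, f in curr.items():
        if key in prev:
            labels[key] = "changed" if prev[key].severity != f.severity else None
        elif key in base:
            labels[key] = "regression"
        else:
            labels[key] = "new"
    for key in prev:
        if key not in curr:
            labels[key] = "resolved"
    return labels


# Constructed sample scans (not real SilentBolt data)
BASELINE = [Finding("tls-weak-cipher@api.example.com", "high"),
            Finding("dir-listing@www.example.com/backup/", "medium")]
PREVIOUS = [Finding("tls-weak-cipher@api.example.com", "high"),
            Finding("missing-hsts@www.example.com", "low")]
CURRENT = [Finding("tls-weak-cipher@api.example.com", "medium"),
           Finding("dir-listing@www.example.com/backup/", "medium"),
           Finding("server-header-leak@www.example.com", "info")]

if __name__ == "__main__":
    for key, label in sorted(drift_labels(BASELINE, PREVIOUS, CURRENT).items()):
        print(f"{label or 'unchanged':10} {key}")
```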

Effective Severity#

The adjusted severity of a finding after accounting for its governance status. For example, a high-severity finding marked as accepted risk will have a lower effective severity. This differs from technical severity, which reflects the raw detection result.

Endpoint#

An HTTP path + method combination discovered on a host during surface mapping. Endpoints carry risk scores and can be flagged as "forgotten" if they were present in a prior scan but absent in the current one.

Environment#

A classification applied to a domain, typically one of: production, staging, or development. Used for organizational and filtering purposes.

Finding#

A discrete security issue discovered during a scan. Findings can originate from template-driven vulnerability detections or heuristic analysis of endpoint patterns. Each finding has severity, scores, a governance lifecycle, and drift labels. See Findings.

Forgotten Endpoint#

An endpoint that was discovered in a previous scan but is no longer reachable in the current scan. Forgotten endpoints may represent decommissioned or hidden assets and carry additional risk.

Governance Status#

The lifecycle state of a finding, managed by analysts. Valid statuses:

Status          Meaning
open            Newly discovered or awaiting triage
in_progress     Being actively investigated or remediated
false_positive  Determined not to be a real vulnerability
accepted_risk   Real issue, but accepted (requires expiry date)
resolved        Remediated and verified
reopened        Previously resolved, but reappeared

See Reference: Finding Governance.

Host#

A hostname:port combination discovered during surface mapping. Hosts carry metadata including IP address, TLS status, HTTP status code, server headers, and reachability.

Integration#

A configured connection to an external service (Microsoft Teams, Telegram, Jira, or GitHub Issues) that receives automated notifications about scan events and critical findings. See Integrations.

Integration Event#

A specific occurrence that triggers an outbound notification to configured integrations. Examples: scan.completed, finding.created, finding.escalated.

Orchestration Session#

A single execution run of AI-driven penetration testing, linked to a completed scan. Sessions progress through the statuses draft, preparing, ready, running, and completed (or failed, canceled). See Attack Orchestration.

Orchestration Step#

An individual tool execution within an orchestration session. Each step runs a specific security tool in a container with AI-generated parameters.

Risk Score#

A numeric value assigned to a finding or endpoint representing its overall risk. Computed from severity, confidence, exposure, and contextual signals. Higher scores indicate greater risk.

Scan#

A single execution run of the security assessment pipeline against a verified and authorized domain. A scan progresses through discovery, WAF detection, surface mapping, vulnerability scanning, and post-processing. See Scans.

Scan Profile#

SilentBolt automatically downgrades the scan profile to stealth if a WAF is detected (see WAF Detection).

Scan Target#

A subdomain or IP address discovered during the Discovery phase. Scan targets are the inputs to the Surface Mapping phase.

Scan Template#

A reusable security playbook that groups tools, test types, and workflow stages. SilentBolt includes 8 built-in system templates (Web App Security, API Security, Cloud Security, etc.). Users can create custom templates or duplicate system templates.

Scheduled Scan#

A recurring scan configured to run automatically based on a cron expression and timezone. The scheduler checks for due scans every 30 seconds and enqueues them for execution.

Severity#

A categorical risk rating assigned to a finding. Standard levels:

Level     Description
critical  Actively exploitable, immediate action required
high      Significant risk, should be addressed urgently
medium    Moderate risk, plan for remediation
low       Minor risk, address when convenient
info      Informational, no immediate risk

Surface Mapping#

The second phase of a scan pipeline. Multiple engines probe scan targets to build a live asset inventory: HTTP probing, port scanning, and web crawling. The output is a set of hosts, endpoints, and service records.

Tag#

A user-defined label applied to a domain for organizational purposes (e.g., "client-a", "critical-tier", "pci-scope").

Technical Severity#

The raw severity level of a finding as determined by the scanning tool or detection template, before any governance adjustments. Compare with effective severity.

Template#

See Scan Template.

Truth Layer#

An intermediate data store where raw tool output is staged before being normalized into the permanent data model. The Truth Layer stores scan targets, scan assets, scan findings, and scan events during pipeline execution.

Verification#

The process of proving ownership or control of a domain before it can be authorized for scanning. SilentBolt supports DNS TXT record verification and email-based verification.

WAF Detection#

An automatic check performed at the start of a scan to determine if the target domain is protected by a Web Application Firewall. If a WAF is detected, the scan profile is automatically switched to stealth to avoid being blocked.
