Skip to main content
Esprit provides three scan modes optimized for different use cases: quick, standard, and deep. Each mode balances speed, thoroughness, and resource usage.

Overview

Scan modes control the testing strategy, agent parallelization, and time investment. From esprit/llm/config.py:14, modes are configured at scan initialization.

Quick

Surface-level scan (~5 min)High-impact vulns only

Standard

Balanced coverage (~15 min)Systematic methodology

Deep

Comprehensive (~30+ min)Exhaustive analysis

Setting Scan Mode

Specify the mode with the --scan-mode or -m flag: 
esprit scan https://example.com --scan-mode quick
esprit scan https://example.com -m quick
Default mode is deep - if no mode is specified, Esprit runs a comprehensive deep scan.

Quick Mode

Time-boxed rapid assessment targeting high-impact vulnerabilities. Based on esprit/skills/scan_modes/quick.md.

When to Use Quick Mode

  • CI/CD Pipeline - Fast security checks on every commit
  • Bug Bounty Recon - Initial triage of multiple targets
  • Time-Constrained - Limited time for testing
  • High-Priority Only - Focus on critical issues

Testing Strategy

Whitebox (source available)
  • Focus on recent changes (git diffs, new commits)
  • Identify security-sensitive patterns in changed code
  • Trace user input through modified code paths
  • Check if security controls were modified
Blackbox (no source)
  • Map authentication and critical user flows
  • Identify exposed endpoints and entry points
  • Skip deep content discovery

Agent Parallelization

Quick mode creates 2-3 parallel subagents after orientation: 
# From esprit/skills/scan_modes/quick.md:60-62
# Spawn agents for:
# (1) auth bypass + access control
# (2) injection (SQLi/RCE)
# (3) SSRF + secrets
Quick mode philosophy: Running 3 agents for 5 min each > running 1 agent for 15 min sequentially. Always prefer parallel execution.

Resource Usage

From esprit/llm/cost_estimator.py:14-18: 
"quick": {
    "input_tokens_per_target": 100_000,
    "output_tokens_per_target": 30_000,
    "cached_ratio": 0.3,
}
Estimated cost: ~0.100.10 - 0.50 per target (model-dependent)

Standard Mode

Balanced security assessment with systematic methodology and full attack surface coverage. Based on esprit/skills/scan_modes/standard.md.

When to Use Standard Mode

  • Production Pre-Release - Thorough testing before deployment
  • Quarterly Audits - Regular security assessments
  • Third-Party Apps - Vendor security evaluation
  • Bug Bounty Hunting - Comprehensive coverage without exhaustive depth

Testing Strategy

Whitebox
  • Map codebase structure: modules, entry points, routing
  • Identify architecture pattern (MVC, microservices, monolith)
  • Trace input vectors: forms, APIs, file uploads, headers
  • Review authentication and authorization flows
  • Analyze database interactions and ORM usage
  • Check dependencies for known CVEs
Blackbox
  • Crawl application thoroughly
  • Enumerate endpoints, parameters, and functionality
  • Fingerprint technology stack
  • Map user roles and access levels
  • Capture traffic with proxy

Agent Parallelization

MANDATORY PARALLELIZATION - Standard mode creates 3-5 parallel subagents: 
# From esprit/skills/scan_modes/standard.md:48-55
# Create at least 3-5 parallel subagents immediately after Phase 1-2:
# • One for injection testing (SQLi, command injection, SSTI)
# • One for access control (IDOR, privilege escalation, broken auth)
# • One for client-side (XSS, CSRF, open redirects)
# • One for server-side (SSRF, XXE, deserialization)
# • One for business logic (race conditions, workflow bypass)
Do NOT serialize testing that can be parallelized. Multiple agents running concurrently is always preferred.

Resource Usage

From esprit/llm/cost_estimator.py:19-23: 
"standard": {
    "input_tokens_per_target": 400_000,
    "output_tokens_per_target": 120_000,
    "cached_ratio": 0.4,
}
Estimated cost: ~0.400.40 - 2.00 per target (model-dependent)

Deep Mode

Exhaustive security assessment with maximum coverage, depth, and vulnerability chaining. Based on esprit/skills/scan_modes/deep.md.

When to Use Deep Mode

  • Critical Applications - Banking, healthcare, infrastructure
  • Pre-IPO Security Audit - Comprehensive due diligence
  • Advanced Persistent Testing - Finding what others miss
  • Red Team Engagement - Maximum depth and creativity

Testing Strategy

Whitebox
  • Map every file, module, and code path
  • Trace all entry points from HTTP handlers to database queries
  • Document all authentication mechanisms
  • Map authorization checks and access control model
  • Identify all external service integrations
  • Analyze configuration for secrets and misconfigurations
  • Review database schemas and data relationships
  • Map background jobs, cron tasks, async processing
  • Identify all serialization/deserialization points
  • Review file handling: upload, download, processing
  • Check all dependency versions against CVE databases
Blackbox
  • Exhaustive subdomain enumeration with multiple sources
  • Full port scanning across all services
  • Complete content discovery with multiple wordlists
  • Technology fingerprinting on all assets
  • API discovery via docs, JavaScript analysis, fuzzing
  • Identify all parameters including hidden ones
  • Map all user roles with different account types
  • Document rate limiting, WAF rules, security controls

Agent Parallelization

Deep mode decomposes the application hierarchically: 
# From esprit/skills/scan_modes/deep.md:142-151
# 1. Component level - Auth System, Payment Gateway, User Profile
# 2. Feature level - Login Form, Registration API, Password Reset
# 3. Vulnerability level - SQLi Agent, XSS Agent, Auth Bypass Agent
#
# Spawn specialized agents at each level. Scale horizontally:
# - Do NOT overload a single agent with multiple vulnerability types
# - Each agent focuses on one specific area or vulnerability type
# - Creates a massive parallel swarm covering every angle
Deep mode philosophy: Relentless. Creative. Patient. Thorough. Persistent. This is about finding what others miss.

Resource Usage

From esprit/llm/cost_estimator.py:24-28: 
"deep": {
    "input_tokens_per_target": 1_200_000,
    "output_tokens_per_target": 350_000,
    "cached_ratio": 0.45,
}
Estimated cost: ~1.201.20 - 6.00 per target (model-dependent)

Reasoning Effort

From esprit/llm/llm.py:184-187, scan modes also affect the LLM reasoning effort: 
if config.scan_mode == "quick":
    self._reasoning_effort = "medium"
else:
    self._reasoning_effort = "high"
Quick mode uses medium reasoning for faster responses. Standard and Deep modes use high reasoning for better quality analysis.

Mode Comparison

FeatureQuickStandardDeep
Duration~5 min~15 min~30+ min
Agent Count2-33-510+
CoverageHigh-impact onlyFull attack surfaceExhaustive
DepthSurface-levelSystematicComprehensive
ChainingSingle pivotMulti-step pathsComplex chains
ReasoningMediumHighHigh
Input Tokens~100K~400K~1.2M
Output Tokens~30K~120K~350K
Cost Range0.100.10-0.500.400.40-2.001.201.20-6.00
Best ForCI/CD, TriageProduction testingCritical systems

Terminal Output

Scan mode is displayed in the startup panel: 
┌─────────────────────────────────────────────────────────────┐
│ ESPRIT                                                      │
├─────────────────────────────────────────────────────────────┤
│                                                             │
│  Penetration test initiated                                 │
│                                                             │
│  Target  https://example.com                                │
│  Mode    Deep                                               │
│  Output  esprit_runs/example-com_a3f2                       │
│                                                             │
└─────────────────────────────────────────────────────────────┘

Best Practices

  • Quick for fast feedback loops (CI/CD, bug bounty recon)
  • Standard for regular security testing (pre-release, audits)
  • Deep for critical applications (banking, healthcare, infrastructure)
  • Start with quick mode to identify low-hanging fruit
  • Use standard mode for production environments
  • Reserve deep mode for critical systems
  • Monitor token usage with real-time stats
  • Whitebox (repository/local code): Deep mode provides maximum value
  • Blackbox (web URLs): Standard mode often sufficient
  • Mixed targets: Use different modes per target
  • Use --instruction to focus deep mode on specific areas
  • Override default priorities with custom guidance
  • Example: “Focus on authentication and authorization only”

Next Steps

Custom Instructions

Guide scans with custom testing instructions

Non-Interactive Mode

Integrate Esprit into CI/CD pipelines

Build docs developers (and LLMs) love

Get started for freeTalk to us