Pythorix Docs.

Get from sign-up to first verified threat in two minutes — and master the full Autonomous Security Control Plane from there.

01 · GETTING STARTED

Getting Started

Sign up, verify, and reach the Command Center in under 60 seconds.

1. Create your account

Visit pythorix.com/signup and either continue with Google (one-click) or enter your email and password. Email signup requires verifying a 6-digit OTP delivered to your inbox — the code expires in 5 minutes.

2. Default workspace + Free plan

Pythorix auto-creates a Workspace under your account on first sign-in and assigns the Free plan: 10 intelligence operations per month and 1 asset. You become its Owner.

3. Add your first asset

From the Command Center, click Add Asset or paste a URL into the top-right Run Intelligence Op input. Pythorix supports websites, APIs, domains, cloud accounts, mobile apps, repositories, and AI agents.

Tip: for production assets, click Verify to confirm ownership via a /.well-known/mythos-<token>.txt file. Verified assets unlock continuous monitoring schedules.

02 · FIRST SCAN

Running Your First Scan

Pick a template

  • Quick (~30s) — posture, TLS, DNS, headers. Right for drift checks.
  • Standard (~2 min) — all in-band checks including injection, SSRF, smuggling, file upload, edge appliances. The default for new assets.
  • Deep (~5 min) — adds port scan, full Certificate Transparency pull, cloud bucket enumeration, domain typosquats. Right for initial assessment.

Watch progress live

The Command Center subscribes to a WebSocket event stream. As the engine runs each phase, you'll see findings appear progressively. No waiting, no polling.

Read the result

Posture grade (A–F) and score (0–100) appear at the top. Verified threats are sorted by severity, with attack paths chained underneath. The most important finding for most assets is the Top Risks card — top-3 attack scenarios with full attacker chain.

03 · REPORTS

Understanding Reports

Every Intelligence Operation generates a Verified Threat Intelligence Report in HTML / PDF / Markdown / CSV / JSON. The HTML format is presentation-grade with these sections:

  • Cover — host, posture grade tile, scan reference, scope statement
  • Executive Summary — auto-generated narrative
  • Top Risks — top-3 attack scenarios with What an attacker can do / What data is at risk
  • Recommended Actions — sequenced Now / 30 days / 90 days / Ongoing
  • Risk Posture by Domain — coverage status grid
  • All Breach Scenarios — full attacker chain + executive view
  • Detailed Findings — engineering follow-up
  • External Footprint — subdomains, technology, scan history
  • Compliance mapping — PCI / SOC 2 / ISO 27001 / GDPR / NIST CSF / OWASP
  • Out of Scope — what an external scanner cannot see (authenticated DAST, internal AD, CSPM, etc.)

04 · SECURITY MODEL

Security Model

Pythorix is built defensively. Every scan is audited (SHA-256 hash-chained log). Every action passes through Zero Trust + RBAC. Tools that touch production require explicit approval workflows.

Authorisation

Submitting a URL implicitly grants ACTIVE_FETCH for that host with a 60-min TTL. For continuous monitoring on production assets, ownership verification is required.

Data isolation

Multi-tenant by design. Every Asset, Scan, Finding, Integration, and API key is scoped to an Organization. The X-Org-Id header pins the active workspace.

OAST callbacks

Our Out-of-band Application Security Testing listener verifies blind vulnerabilities. Tokens are 16-char random, TTL-bounded, single-use. We never store callbacks beyond the active scan window.
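
An added example, not Pythorix's own code, of a callback-token registry with the three properties stated above: 16-character random tokens, a bounded TTL, and single use. The token alphabet, the TTL value, and the names OastTokenRegistry, issue, redeem and purge_expired are assumptions made for illustration.

```python
import secrets
import string
import time

TOKEN_LEN = 16  # length stated in the docs
ALPHABET = string.ascii_lowercase + string.digits  # assumption: DNS-label-safe set
DEFAULT_TTL = 600  # assumption: placeholder TTL in seconds


class OastTokenRegistry:
    """Issues callback tokens and accepts each at most once before expiry."""

    def __init__(self, ttl=DEFAULT_TTL, clock=time.monotonic):
        self._ttl = ttl
        self._clock = clock  # injectable so expiry can be tested deterministically
        self._live = {}  # token -> (scan_id, expires_at)

    def issue(self, scan_id):
        # secrets draws from the OS CSPRNG, so tokens cannot be predicted
        token = "".join(secrets.choice(ALPHABET) for _ in range(TOKEN_LEN))
        self._live[token] = (scan_id, self._clock() + self._ttl)
        return token

    def redeem(self, token):
        """Return the scan_id for a valid callback, else None.

        pop() removes the entry the first time it is seen, so a replayed
        or expired token can never be redeemed later.
        """
        entry = self._live.pop(token, None)
        if entry is None:
            return None  # unknown, already used, or purged
        scan_id, expires_at = entry
        if self._clock() >= expires_at:
            return None  # callback arrived after the TTL
        return scan_id

    def purge_expired(self):
        """Drop tokens whose TTL has passed; returns how many were removed."""
        now = self._clock()
        dead = [t for t, (_, exp) in self._live.items() if now >= exp]
        for t in dead:
            del self._live[t]
        return len(dead)
```

Calling purge_expired when a scan ends keeps the registry from holding token state past the scan window.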

05 · RESPONSIBLE USAGE

Responsible Usage

Pythorix is for defending assets you own or have explicit authorisation to assess. See our Acceptable Use Policy for the binding terms.

  • Allowed: your own websites, APIs, internal apps with admin sign-off, bug bounty targets in scope, customer assets covered by a written engagement.
  • Not allowed: arbitrary internet domains, competitors, news sites, anyone you can't produce written authorisation for.
  • Reporting suspected abuse: see our Responsible Disclosure policy.
