Surface. Classify. Report.

Vertigo maps the full attack surface of modern web applications using a real browser engine and cloud-hosted machine learning.

From installation to audit report, in minutes

Vertigo uses a real Chromium browser to authenticate, crawl, and classify your application — then delivers a structured JSON report your team can act on immediately.

Authenticate
Vertigo uses ML-guided form detection to log into your application, capturing cookies, localStorage, and session headers into a portable session object for subsequent commands. MFA prompts and CAPTCHA challenges are surfaced rather than silently failed.
ML-guided detection
Crawl the application
A deep BFS crawl discovers endpoints through browser navigation, static JS analysis, runtime fetch/XHR interception, interaction simulation, and known API schema paths. Each page is fully rendered by a real browser before analysis.
Playwright + Chromium
Cloud ML classifies findings
Every page and HTTP response is sent to the XAHICO cloud as a feature vector — never as raw HTML. Three models classify page type, identify login forms, and score each response for statistical anomalies across 20 features.
No local model weights
Review the structured report
A single JSON document describes the full asset fingerprint, every discovered endpoint with its page type and anomaly score, all forms, dynamic API shapes, and subdomain discoveries. Schema-stable across patch releases.
Stable JSON schema

Everything needed to audit modern web applications

Three focused commands — authentication, fingerprinting, and deep scanning — that compose cleanly into CI pipelines or standalone audit workflows.

Authentication Auditing
Log into any web application through a real browser. ML-guided form detection handles custom-styled and JavaScript-rendered auth pages, multi-strategy submission, MFA surfacing, and weighted success scoring.
Asset Fingerprinting
Generate a deterministic, content-addressed fingerprint of your application's full endpoint surface — suitable for change detection in CI pipelines. Powered by Katana for fast, shallow crawling with optional authenticated sessions.
Deep Surface Mapping
BFS crawl with six parallel endpoint-discovery strategies, ML page classification, anomaly scoring on every HTTP response, subdomain detection, and structured JSON output — all in a single command.
Runtime Interception
Live network instrumentation captures real fetch and XHR calls as the page executes, including authenticated API calls with token shapes, beyond anything static analysis can see.
Anomaly Detection
Every HTTP response is scored against 20 features — status codes, timing, headers, DOM structure — by an Isolation Forest running in the cloud. Responses above 0.7 are flagged for review.
Subdomain Intelligence
Subdomains discovered during crawl are tracked and deduplicated. Controlled subdomain scanning is available via -sub-depth, allowing recursive auditing of an entire application estate.

A single document describing your entire application surface

Every vertigo scan produces a structured JSON report with a stable schema, designed to be consumed directly by downstream tooling, ticketing systems, or security dashboards.

  • Metadata — authentication status, crawl duration, and summary statistics
  • Asset fingerprint — SHA-256 of the full sorted endpoint surface
  • Endpoints — URL, method, page type, anomaly score, and discovery method
  • Forms — action, method, and full field inventory
  • Dynamic endpoints — normalised API shapes captured at runtime
  • Subdomains — discovered and scanned, with depth reached
scan-report.json
{
  "metadata": { "status": "COMPLETE", "authenticated": true, "duration_ms": 14823 },
  "asset_fingerprint": "sha256:a3f8c...",
  "endpoints": [
    { "url": "/api/v1/users", "method": "GET", "page_type": "api", "anomaly_score": 0.12 },
    { "url": "/admin/settings", "method": "GET", "page_type": "admin", "anomaly_score": 0.88 }
  ],
  "summary": { "total_endpoints": 48, "anomalies": 2, "subdomains_found": 3 }
}
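A downstream consumer for this report shape, added here as an example and not code from the Vertigo project: it loads the JSON, lists endpoints scored above the 0.7 threshold, cross-checks the summary block against the endpoint list, and compares the fingerprint with a previous run for CI change detection. It assumes only the keys shown above; the fingerprint value and the third endpoint are constructed placeholders.

```python
import json
ANOMALY_THRESHOLD = 0.7  # score above which the report marks a response as flagged

# Constructed sample in the shape shown above (fingerprint is a placeholder value).
SAMPLE_REPORT = """{
  "metadata": {"status": "COMPLETE", "authenticated": true, "duration_ms": 14823},
  "asset_fingerprint": "sha256:PLACEHOLDER",
  "endpoints": [
    {"url": "/api/v1/users", "method": "GET", "page_type": "api", "anomaly_score": 0.12},
    {"url": "/admin/settings", "method": "GET", "page_type": "admin", "anomaly_score": 0.88},
    {"url": "/export", "method": "POST", "page_type": "form", "anomaly_score": 0.71}
  ],
  "summary": {"total_endpoints": 3, "anomalies": 2, "subdomains_found": 0}
}"""

def load_report(text):
    """Parse the report and fail early if a top-level section is missing."""
    report = json.loads(text)
    for key in ("metadata", "asset_fingerprint", "endpoints", "summary"):
        if key not in report:
            raise ValueError(f"report missing top-level key {key!r}")
    return report

def flagged_endpoints(report, threshold=ANOMALY_THRESHOLD):
    """Endpoints scored above the threshold, highest score first."""
    hits = [e for e in report["endpoints"] if e.get("anomaly_score", 0.0) > threshold]
    return sorted(hits, key=lambda e: e["anomaly_score"], reverse=True)

def summary_consistent(report, threshold=ANOMALY_THRESHOLD):
    """Cross-check the summary block against the endpoint list it summarises."""
    s = report["summary"]
    return (s["total_endpoints"] == len(report["endpoints"])
            and s["anomalies"] == len(flagged_endpoints(report, threshold)))

def surface_changed(report, previous_fingerprint):
    """True when the content-addressed fingerprint differs from the last run."""
    return report["asset_fingerprint"] != previous_fingerprint

def ci_verdict(report, previous_fingerprint=None):
    """Exit code for a pipeline step: 0 clean, 1 needs review, 2 scan incomplete."""
    if report["metadata"].get("status") != "COMPLETE":
        return 2
    if flagged_endpoints(report) or not summary_consistent(report):
        return 1
    if previous_fingerprint is not None and surface_changed(report, previous_fingerprint):
        return 1
    return 0

if __name__ == "__main__":
    rep = load_report(SAMPLE_REPORT)
    print(flagged_endpoints(rep), "exit code", ci_verdict(rep))
```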

Three models. No local weights. Continuously improving.

All inference runs exclusively in the XAHICO cloud. The client package contains only the browser automation engine and HTTP plumbing — no model files, no training data, no GPU required.

Form Classifier
Random Forest + TF-IDF
Identifies login forms from DOM structure, field labels, placeholders, and button text. Achieves reliable detection even on heavily customised or JavaScript-rendered authentication pages.
Page Classifier
LightGBM
Labels each visited page as login, dashboard, admin, profile, api, form, list, detail, error, or static using combined text and structural features extracted from the rendered DOM.
Anomaly Detector
Isolation Forest
Scores every HTTP response across 20 features — status codes, response timing, security headers, and DOM structure. Responses with a score above 0.7 are flagged as statistical anomalies in the report.
Privacy by design. The client never transmits raw page HTML, credentials, or cookie values to the cloud. Only derived feature vectors and metadata are sent. Every classified sample is optionally submitted for quality-verified continuous model improvement.

Authenticated scanning, end to end

A complete audit — from credential handoff to final report — runs as a single pipeline. Each stage builds on the last, and every step is logged to stderr when --debug is enabled.

  • Session established via vertigo auth, then handed off to vertigo scan
  • Browser navigates and interacts as an authenticated user throughout
  • Cloud ML is called per-page and per-response — not just at the end
  • JSON output is written to stdout or -output <file>
  vertigo scan · app.example.com
  Session loaded              Cookies & headers from auth      done
  JS interceptors installed   fetch & XHR patched              done
  BFS crawl running           34 URLs visited, depth 5         done
  Cloud ML classified         48 endpoints labelled            done
  Anomaly scoring             2 responses flagged (>0.7)       done
  Report written              scan-report.json ready           complete

Structured logs on every operation

All log output is suppressed unless --debug is passed. When enabled, structured log lines are written to stderr — one key=value pair per field, parseable by any log aggregator.

  stderr · --debug enabled
14:32:01 DEBUG vertigo.scan.crawler crawl_start target='https://example.com' depth=5 sub_depth=0
14:32:01 DEBUG vertigo.scan.js_analyzer interceptors_installed
14:32:02 DEBUG vertigo.scan.crawler url_loaded url='https://example.com/' status=200 elapsed_ms=843
14:32:02 DEBUG vertigo.scan.crawler subdomain_discovered host='api.example.com'
14:32:03 DEBUG vertigo.scan.page_classifier page_classified url='example.com/dashboard' type=dashboard confidence=0.934
14:32:04 DEBUG vertigo.scan.anomaly_detector anomaly_detected score=0.8821 url='https://example.com/admin'
14:32:05 DEBUG vertigo.scan.crawler crawl_complete status=COMPLETE urls=34 endpoints=58 anomalies=1
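A parser for these key=value lines, added here as an example and not part of Vertigo: it turns each line into a record, coerces bare numeric fields, and then pulls out the flagged anomalies, discovered subdomains and the crawl_complete summary so a log aggregator can cross-check them. It assumes the layout shown above (time, level, logger, event, then fields) and that string values are single-quoted.

```python
import re

# Sample lines copied from the --debug output shown above.
SAMPLE_LOG = """\
14:32:01 DEBUG vertigo.scan.crawler crawl_start target='https://example.com' depth=5 sub_depth=0
14:32:01 DEBUG vertigo.scan.js_analyzer interceptors_installed
14:32:02 DEBUG vertigo.scan.crawler url_loaded url='https://example.com/' status=200 elapsed_ms=843
14:32:02 DEBUG vertigo.scan.crawler subdomain_discovered host='api.example.com'
14:32:03 DEBUG vertigo.scan.page_classifier page_classified url='example.com/dashboard' type=dashboard confidence=0.934
14:32:04 DEBUG vertigo.scan.anomaly_detector anomaly_detected score=0.8821 url='https://example.com/admin'
14:32:05 DEBUG vertigo.scan.crawler crawl_complete status=COMPLETE urls=34 endpoints=58 anomalies=1
"""

LINE_RE = re.compile(r"^(\d\d:\d\d:\d\d) (\w+) (\S+) (\w+)(?: (.*))?$")
# key=value, where value is either single-quoted (may contain spaces) or a bare token
KV_RE = re.compile(r"(\w+)=(?:'([^']*)'|(\S+))")

def _coerce(raw):
    """Bare tokens that look numeric become int or float; anything else stays a string."""
    for cast in (int, float):
        try:
            return cast(raw)
        except ValueError:
            pass
    return raw

def parse_line(line):
    """One log line to a dict, or None if the line is not in vertigo's format."""
    m = LINE_RE.match(line.rstrip("\n"))
    if not m:
        return None
    ts, level, logger, event, rest = m.groups()
    fields = {}
    for kv in KV_RE.finditer(rest or ""):
        key, quoted, bare = kv.group(1), kv.group(2), kv.group(3)
        fields[key] = quoted if quoted is not None else _coerce(bare)
    return {"ts": ts, "level": level, "logger": logger, "event": event, **fields}

def parse_log(text):
    return [rec for rec in (parse_line(l) for l in text.splitlines()) if rec]

def anomalies(records, threshold=0.7):
    """anomaly_detected events above the page's 0.7 flagging threshold."""
    return [r for r in records if r["event"] == "anomaly_detected" and r["score"] > threshold]

def subdomains(records):
    return sorted({r["host"] for r in records if r["event"] == "subdomain_discovered"})

def crawl_summary(records):
    """The crawl_complete record, or None if the scan never finished."""
    return next((r for r in records if r["event"] == "crawl_complete"), None)
```

The crawl_complete counters can be compared with the per-event records to spot a scan whose summary and detail disagree.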

Ready to audit?

Get an API key, install the package, and run your first scan in under five minutes — no configuration required.
