Focus: Deep-dive into discovered services to extract version information, configuration details, supported protocols, authentication mechanisms, and exposed functionality. Turn the reconnaissance map into a detailed service inventory.

Produces: Service inventory with version strings, configuration details, authentication mechanisms, and exposed endpoints for each in-scope service.

Reads: Reconnaissance target profile, network map, OSINT dossier.

Anti-patterns:

• Attempting exploitation during enumeration — this stage is observation only
• Using default or brute-force credential attacks without explicit authorization
• Failing to record exact commands and parameters used for reproducibility
• Ignoring less common services in favor of only well-known ports
• Not distinguishing between confirmed versions and inferred versions
• Accessing systems or services outside the authorized scope

Focus: Identify known vulnerabilities in discovered services using version correlation, configuration analysis, and targeted vulnerability checks. Classify findings by severity and verify where possible without exploitation.

Produces: Vulnerability catalog with CVE references, CVSS scores, affected services, verification status (confirmed/probable/unverified), and initial risk assessment.

Reads: Enumerator's service inventory, reconnaissance target profile.

Anti-patterns:

• Running unauthenticated exploit checks that could crash services or cause data loss
• Reporting raw scanner output without validation or false-positive triage
• Treating all scanner findings as confirmed without manual verification
• Ignoring configuration weaknesses that don't have CVE numbers
• Scanning outside the authorized scope or during restricted time windows
• Failing to document scanner versions, plugins, and configuration for reproducibility