Agents are specialized security analyzers within the Ghost Exorcist engine. Each agent focuses on a category of vulnerabilities (authentication, injection, XSS, and so on) and evaluates your code against a set of defined criteria.

How agents work

Detection is organized in a three-level hierarchy:
| Level | Description | Example |
|---|---|---|
| Agent | A category-level analyzer focused on a class of vulnerabilities | Authentication |
| Vector | A specific vulnerability pattern within an agent | Missing Authentication, Broken Authentication |
| Criteria | The individual checks a vector evaluates against your code | "Verify that all API endpoints require authentication tokens" |
The Exorcist engine runs the relevant agents for your project’s purpose and evaluates each vector’s criteria to produce findings. A finding is only surfaced when all criteria for a vector are true. The agent provides evidence supporting each criterion in the finding’s evidence section, so you can see exactly what was matched and why.

Why criteria?

Criteria are natural-language rules that both humans and agents read and follow. You can look at a vector's criteria and immediately understand what it checks for, without interpreting code or a complex rule syntax. It's a shared language between you and the detection engine. Each criterion is a statement of inclusion: it defines a condition or behavior that must be present for a match. If the condition isn't there, the criterion isn't met and the finding won't be produced.

System criteria are intentionally language-, framework-, and environment-agnostic. They provide a baseline that works across any codebase. When you need something more specific, you can create custom vectors with criteria tailored to your language, framework, or environment.

Purpose

Agents and vectors are organized by purpose to match the type of code being analyzed. When you add a project to a repository, you assign it a purpose that determines which agents and vectors apply.
| Purpose | Description |
|---|---|
| Backend | Server-side and API code: injection, authentication, authorization, data exposure, and more |
| Frontend | Client-side code: XSS, client-side authorization bypass, insecure token storage, and more |
| Mobile | Mobile application code: insecure data storage, certificate pinning, deep link handling, and more |

Viewing agents

Navigate to Agents to browse all agents, vectors, and their criteria. You can search by name, filter by purpose or agent type, and expand any agent to see its vectors.

System vs. custom vectors

| | System vectors | Custom vectors |
|---|---|---|
| Source | Maintained by Ghost | Created by your organization |
| Editable | Read-only | Managers can add, edit, and delete |
| Scope | All projects | Global (all projects) or per-project |
| Purpose | Default detection baseline | Override criteria to match your standards |
Custom vectors override system vector criteria at the level they’re applied. Project-specific custom vectors take precedence over global ones, and global ones take precedence over system defaults.

Re-validation

After tuning agent criteria, you can re-validate existing findings against the updated criteria without waiting for the next scan. Ghost detects which findings have changed criteria, re-evaluates them against the current code, and updates their status accordingly. Findings that no longer meet the new criteria are closed, and recently closed findings that now meet the criteria are reopened.
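The following added example models the three behaviors described on this page: criteria resolution with project-over-global-over-system precedence, a finding surfaced only when every criterion of a vector holds (with per-criterion evidence), and re-validation that closes or reopens findings. It is illustration code, not the Ghost engine; the vector and criterion names, the per-criterion evaluators, and the simplified endpoint "code" model are all constructed for the example.

```python
# Constructed illustration of the agent -> vector -> criteria model; not Ghost's
# own engine code. Criteria are plain-language strings, as on the page.
SYSTEM = {  # baseline: language/framework/environment-agnostic criteria
    "Missing Authentication": [
        "An API endpoint handles requests without requiring an authentication token",
        "The endpoint exposes data or actions that should be restricted",
    ],
}
GLOBAL_CUSTOM = {}            # organization-wide overrides (none in this example)
PROJECT_CUSTOM = {            # per-project override with a narrower second criterion
    "Missing Authentication": [
        "An API endpoint handles requests without requiring an authentication token",
        "The endpoint path is not in the project's public allow-list",
    ],
}

# Constructed evaluators, one per criterion, applied to a simplified "code"
# model: an endpoint record with path, auth requirement and sensitivity flags.
CHECKS = {
    "An API endpoint handles requests without requiring an authentication token":
        lambda ep: not ep["auth"],
    "The endpoint exposes data or actions that should be restricted":
        lambda ep: ep["sensitive"],
    "The endpoint path is not in the project's public allow-list":
        lambda ep: ep["path"] not in ("/health", "/login"),
}

def resolve_criteria(vector, system=SYSTEM, global_custom=GLOBAL_CUSTOM,
                     project_custom=PROJECT_CUSTOM):
    """Project-specific custom > global custom > system default."""
    for layer in (project_custom, global_custom, system):
        if vector in layer:
            return layer[vector]
    raise KeyError(f"unknown vector: {vector}")

def evaluate(vector, endpoint):
    """Surface a finding only when every criterion holds; the per-criterion
    results are the evidence attached to the finding."""
    evidence = {c: CHECKS[c](endpoint) for c in resolve_criteria(vector)}
    return all(evidence.values()), evidence

def revalidate(findings, endpoints):
    """Re-evaluate findings against current code: open findings that no longer
    meet all criteria are closed, closed ones that match again are reopened."""
    by_path = {ep["path"]: ep for ep in endpoints}
    for f in findings:
        matched, f["evidence"] = evaluate(f["vector"], by_path[f["path"]])
        f["status"] = "open" if matched else "closed"
    return findings
```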
See the Tuning guide for a step-by-step walkthrough of customizing detection and managing findings.