Impact demonstration
When XBOW finds a significant vulnerability, an impact agent investigates how an attacker could exploit it. The depth of that investigation depends on the impact demonstration level you set when you ran the assessment.
Note: Impact agents run only on findings that show strong potential for demonstration. Informational findings are automatically ignored. This ensures that agents focus on findings with the largest potential to demonstrate escalation.
Overview
You can choose one of three levels for each assessment.
| Level | Summary | What XBOW does |
|---|---|---|
| Off | No escalation | XBOW confirms each vulnerability is exploitable but does not escalate severity or chain further. |
| Moderate (default) | Escalation within scope | Escalates the severity of each finding within the scope of the vulnerability. For example, on a SQL injection (SQLi), XBOW investigates whether it can be used to read database tables or run shell commands via SQL primitives. It does not pivot into other systems or chain into other vulnerability classes. |
| Deep | Escalation across systems | Treats the finding as an entry point and explores how far an attacker could escalate from it: chains into other vulnerability classes, uses captured credentials or tokens, and pivots into adjacent network resources. For example, if agents escalate the SQLi into remote code execution (RCE), this mode tries to use that RCE to pivot into other machines, and inspects environment variables for secrets or credentials that could be used to log in to them. This behaves more like a small, noisy red team operation. |
Moderate is the default because it gives you exploit evidence without intrusive demonstration of consequence. This is appropriate for most production environments. For guidance on choosing a level for a specific assessment, see Limiting impact demonstration.
This setting has no impact on the cost of the assessment.
Other proof mechanisms
Impact demonstration is distinct from two other proof mechanisms XBOW uses:
- Validators are non-AI, CWE-specific logic that verifies an exploit. Validators run on every applicable finding regardless of impact demonstration level. For more information, see Vulnerability classification.
- Canary tokens are values you plant in your application to give XBOW a verifiable target. Canaries direct where the platform should look for proof; the impact demonstration level controls how intrusively the agent gathers further evidence. For more information, see Validate results with canary tokens.