Horizon3.ai - Automated Pen Testing as a Service


Getting Started

The Attacker's Perspective

Horizon3.ai is a leader in security assessment and validation enabling continuous security overwatch from an attacker’s perspective. Our solution, NodeZero, identifies and contextualizes ineffective security controls and kill chains that can be exploited, all without consultants, persistent agents or up-front configurations, so you spend your security resources fixing what matters.

1. Setup

NodeZero is our prepackaged software module that simulates the activities of an attacker within your network. Setting up NodeZero requires only two things:

  • A host with Docker installed from which NodeZero will operate (the NodeZero Host)
  • Connectivity to the Internet from that host
    • We recommend a hard-wired Ethernet connection of at least 40MBps download.

Once you have your NodeZero Host ready, log into a shell on it using your favorite method. We will be back here shortly.

2. Authenticate

Click here to navigate to our Portal and log in with your credentials.

3. Build

Choose the type of operation you want to run in our Portal:

  • Run a Pen Test: Executes an internal penetration test, recons and maneuvers using the same tactics as an attacker, chaining together harvested credentials + misconfigurations + dangerous defaults + safely exploitable vulnerabilities.
  • Run an Initial Damage Assessment: Similar to a pen test, but focuses on discoverable credentials and data resources within the immediate blast radius of a breach point.

3.1 Operation Parameters

to bring up the Op Configuration panel.


3.1.2 Operation Scope

The operation scope is the set of IPs and/or subnets (in CIDR notation) within which you want to run the operation. The larger the scope, the better results you will get. This is not a "vulnerability scanner" that has a narrow focus. NodeZero assesses your environment and uses any data it finds, and the context around it, to identify and exploit your vulnerabilities, misconfigurations, and poor cyber-security hygiene.

If you are unclear on CIDR notation, here is a reference and a calculator app to assist you:

If your environment uses and the subnet mask is, then you'll add the following to the scope:

For properly segmented environments, use comma-separated CIDR notation.
For example:,,

If you are running NodeZero in a more complex environment, you'll want to set the scope to cover as many subnets as possible. You should ask your Network Administrator for a list of CIDR annotated subnets.

3.1.3 Operation Blacklist

The Blacklist stops NodeZero from scanning or exploiting a set of IPs or subnets. The IPs within the blacklist may be discovered by NodeZero via various techniques within the operation, but NodeZero will not touch them. They may show up in the "Out-of-scope" list in the post-operation report.

This parameter also requires CIDR notation.

3.1.4 Operation Name

Use the Operation Name to quickly identify this operation among the others you have run. We recommend you come up with a naming-standard that fits your needs.

Some recommendations

[date]|[library]|[Nodezero Src]|[scope]

2020-10-01|NodeZero|East-Coast-Bizops|Full. This Indicates that the NodeZero host was place in the East Coast Bizops network and the scope was the entire enterprise.


2020-12-24|NodeZero|Netherlands Dev|US East Finiance. This was a test to validate new controls were affective in stopping an attacker from reaching the US East finance network from a development network.

3.1.5 Prepare the Op

Click the green_run.png button.

Your operation will begin to build its one-time-use software module, NodeZero, which you will execute in the next step. Our platform will coordinate with this module to assess your environment.

4 Execute

The operation will display its status in the window.

When the operational configuration is baked and ready to execute, you will be provided with a command.

Click the Copy to Clipboard button or highlight the script and copy it with cmd+c or ctrl+c.

Lastly, paste this command into the terminal of your NodeZero Host.

This script will validate the Docker installation, download the most up-to-date NodeZero Docker image, and begin the operation. You will see the status of the operation transition from Ready to Running.