Skip to main content

Execution Timeline

The campaign detail page tells the story of a run as a single horizontal timeline. Instead of scrolling a log, operators see the campaign's arc as a chevron of phases, each phase decorated with the tactics and steps that actually executed — a shape that fits on one screen and makes hours of activity legible at a glance.

Screenshot: Chevron timeline with phase tactic pills and step findings

Chevron Phases

Each phase is a chevron that lights up as the campaign advances: Reconnaissance, Initial Access, Execution, Persistence, Privilege Escalation, Credential Access, Discovery, Lateral Movement, Collection, Exfiltration, and Impact. Phases the planner decided to skip are rendered dim; phases the planner is currently in pulse with an animated border. Click a chevron to scroll the detail view to that phase.

Tactic Pills

Below each chevron, tactic pills show which ATT&CK tactics ran in that phase. Pills are color-coded by outcome — green for fully succeeded, amber for partial, red for blocked, grey for skipped. Every pill has a visible boundary so they remain distinguishable against the background in both light and dark themes. Clicking a pill expands the step list for that tactic, showing the technique, the exit region that carried the traffic, the duration, and a short summary of what was learned.

Step-Level Findings

When a step generates a finding — a CVE match, an exposed credential, a vulnerable misconfiguration — the finding appears inline beneath the step. The inline card shows the severity, the affected asset, and a one-click jump into the full finding in the Findings tab. This is where operators most often pivot from "what the engine did" to "what matters for the report."

Abort Flow

Abort controls live in the timeline header. Abort Step halts only the running step and allows the planner to pick a different next move; Abort Campaign terminates the entire run, drains in-flight sessions, and flushes artifacts to the evidence bundle. Both actions require a confirmation with a reason, which is stored on the audit record.

Findings and Intel Tabs

The Findings tab is a filterable table of every vulnerability the campaign surfaced. The Recon Intel tab is the campaign's knowledge graph — hosts, users, services, credentials, and the edges the planner discovered between them — and doubles as the input to follow-up campaigns.