
Using Hunts

Triage, run, and dismiss hunts. Read the results.

The hunt queue lives at /hunts in the dashboard. Every proposal that hasn't been dismissed or archived shows up there, sorted by priority score.

Triaging the queue

Each row in the queue shows the hunt's severity, source, title, affected assets, and priority score. Click a row to open the side panel with full detail:

  • Rationale — why CodeWall thinks this applies to you
  • Objective — what the agent will attempt
  • Affected assets — exactly what gets tested
  • Source — which signal flagged it (KEV / NVD / GHSA / variant / asset / review)
  • Source finding (variant hunts only) — the parent finding with a one-click drawer to inspect

Three actions on every proposal:

  1. Run — kicks off the scoped test immediately. Returns a confirmation toast and a link to the active run.
  2. Dismiss — removes the hunt from the queue with a recorded reason. Use this when the proposal doesn't apply (false stack match, scope mismatch, accepted risk, etc.).
  3. Detail — opens the side panel for full context.

Running a hunt

When you click Run, CodeWall:

  1. Spawns a new test run scoped to the hunt's affected assets and objective
  2. Picks up the hunt's suggested skills as starting tactics
  3. Runs the agent in a constrained "hunt mode" — narrower than a full pentest, focused on the specific hypothesis

Hunt runs typically finish in 5–30 minutes (versus hours for a full test). You can watch progress live on the run page or wait for the completion notification.

Reading the result

When the run completes, the hunt's status changes to Completed with one of three outcomes:

Confirmed

The vulnerability was reproduced. A finding has been created in your Findings list, stamped with the originating hunt id. The finding contains:

  • Full attack chain showing how the agent reached the vulnerable code path
  • Proof-of-concept evidence (HTTP requests/responses, screenshots, payloads)
  • Severity inherited from the hunt (or adjusted up if the agent demonstrated greater impact)
  • Remediation guidance
  • A link back to the source intelligence (the CVE record, parent finding, etc.)

Triage from here as you would any other finding — see Understanding Findings.

Not Vulnerable

The agent attempted the exploit and the system held up. This is a positive signal: it confirms the hypothesis was tested and your infrastructure passed. The hunt's notes section explains specifically what was tried and what didn't work.

Inconclusive

The agent couldn't reach a definitive yes/no. Common causes:

  • Authentication required and credentials weren't provided
  • A WAF or rate limit blocked the test before completion
  • The targeted endpoint moved or returned an unexpected response shape
  • Required preconditions (e.g. a specific user account) couldn't be satisfied

The notes section explains what got in the way. You can:

  • Provide additional context (credentials, scope expansion) and re-run
  • Dismiss with a reason if it's not worth pursuing
  • Convert the inconclusive notes into a follow-up test

Dismissing a hunt

Click Dismiss on the proposal and pick a reason:

  • Not applicable — the stack match is wrong; this CVE doesn't actually apply
  • Already remediated — the underlying issue is already patched
  • Accepted risk — the team has acknowledged and accepted the risk
  • Out of scope — the affected assets shouldn't be tested
  • Other — anything else, with a free-text note

Dismissed hunts stay in your audit trail with the reason and timestamp. They won't auto-resurrect unless the underlying signal changes (e.g. a new CVE references the same component, or a fresh finding triggers a fresh variant analysis).

Notifications

Critical and high-severity proposals trigger an immediate email to your team — see Settings for the threshold and recipient configuration.

Lower-severity proposals are bundled into a daily digest so they don't flood your inbox.

The queue supports filtering by:

  • Status — proposed, running, completed, dismissed, archived
  • Severity — critical, high, medium, low
  • Source kind — cti_kev, cti_nvd, cti_ghsa, finding_variant, asset_context, llm_review
  • Affected asset — show only hunts targeting a specific asset

The default view is status=proposed, sort=priority_score desc — your action queue.

The Stats view shows hunt activity over time:

  • Hunts proposed by source (volume per feed per week)
  • Run-through rate (proposed → completed)
  • Confirmed-finding yield (hunts that turned into findings)
  • Dismiss reasons (what's noisy)

Use this to spot when a particular source is producing too much false-positive noise — you can then disable or down-weight it in Settings.
