Skip to content

Common Flags

These flags are shared by command families, not every command at the root.

  • discover network, scan targets, and assess network share output, HTTP/runtime, and concurrency controls.
  • discover files shares output plus local concurrency and stealth controls.
  • Service modules share output and HTTP/runtime controls, and mutating module actions use --force-exploit.

Output Control

Flag Short Default Description
--output -o (stdout) Output file path. When omitted, findings write to stdout.
--format -f console Output format: console, json, jsonl, csv, html, sarif, markdown (or md), pdf (requires Chrome; use --output).
--verbose -v false Enable verbose output with extended descriptions and evidence.

Network & Transport

Flag Default Description
--timeout 10s HTTP request timeout.
--fingerprint-timeout 10s Per-port fingerprinting budget for discover network and assess network. TCP-open ports remain visible even if fingerprinting times out.
--proxy (none) Proxy URL. Supports http://, https://, and socks5:// schemes. Applied to all HTTP requests and WebSocket connections.
--insecure false Skip TLS certificate verification for HTTPS targets.

Concurrency & Stealth

Flag Default Description
--concurrency 10 Number of parallel workers for scanning and fingerprinting. Must be >= 1.
--stealth false OPSEC mode: caps concurrency to 1, adds 1-5s random jitter per request, rotates User-Agent headers.
--max-hosts 65536 Maximum hosts to scan in discover network or assess network CIDR expansion. Set to 0 to disable the guardrail. Large IPv6 CIDRs (63+ host bits) are rejected before expansion to prevent overflow.

Safety

Flag Default Description
--force-exploit false Enable mutating and high-noise exploit actions. Required for commands that modify target state (model poisoning, code execution, file uploads, etc.).

Warning

--yes-i-mean-it is a deprecated alias for --force-exploit. It is hidden from help output but still accepted.

Usage Examples

# Write JSON output to a file through a SOCKS5 proxy
./aipostex scan targets --target http://10.0.0.5:11434 \
  --format json --output findings.json \
  --proxy socks5://127.0.0.1:1080

# Stealth scan with verbose output
./aipostex discover network --target 10.0.0.0/24 \
  --stealth --verbose

# Skip TLS verification for HTTPS targets
./aipostex scan targets --target https://10.0.0.10:8443 --insecure

# Stream JSONL for a long-running network scan
./aipostex discover network --target 10.0.0.0/16 \
  --format jsonl --output findings.jsonl --max-hosts 0