Assessment Registration

When you identify an attack vector, CVE, or vulnerability chain to investigate, delegate its registration to the register-assessment subagent. The subagent validates quality, checks for duplicates against existing assessments, creates the assessment, and auto-creates a P5 deep investigation task.

No more two-step process — one call creates both the assessment and its P5 task.

The Registration Process

Step 1: Parse Input

The subagent extracts: assessment type (vector/cve/chain), targets, category/CVE-ID, title, description, and any evidence from your delegation message.

Step 2: Duplicate Check

The subagent lists existing assessments on the same target and applies novelty rules:

  • Same technique on same location = duplicate (stops)
  • Same CWE with different payloads = duplicate (stops)
  • Same CWE but different target location = novel (proceeds)
  • Same location but different technique = novel (proceeds)
  • Different entry point (GET vs POST vs header) = novel (proceeds)
  • When in doubt, errs toward novel

Step 3: Quality Validation

The description must be at least 100 characters and cover the target location, approach, prerequisites, and impact.

Step 4: Registration

The subagent calls create_assessment, which validates the input and auto-creates the P5 task with consolidation.

Quality Standards

Description (min 100 characters) must answer:

  • Target location: Which specific parameter, field, header, or endpoint?
  • Approach: How should this be tested? What technique?
  • Prerequisites: Auth needed? Specific role? Session state?
  • Expected impact: What happens if exploitable? Data exposure? Privilege escalation?

GOOD: "Time-based blind SQL injection on the 'sort_by' query parameter of POST /api/v2/users/search (endpoint 42). The parameter is directly interpolated into an ORDER BY clause without sanitization. Requires authenticated session (any role). Approach: use SLEEP-based payloads with conditional statements. Impact: full database read access, potential data exfiltration of user PII."

BAD: "SQL injection on user search endpoint" (too short, no target location, no approach)
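
The novelty rules from Step 2 and the quality standard above can be checked locally before delegating. The sketch below is an added example, not the tool's own code: the Vector model, its field names, and the identity(), quality_problems() and preflight() helpers are hypothetical, and the subagent's real validation may differ.

```python
from dataclasses import dataclass, replace

MIN_DESCRIPTION_CHARS = 100  # minimum stated in the quality standard

@dataclass(frozen=True)
class Vector:  # hypothetical local model, not the tool's schema
    target: str        # entity reference, e.g. "endpoint://42"
    location: str      # parameter, field or header under test
    entry_point: str   # "GET", "POST", "header", ...
    cwe: str
    technique: str
    approach: str = ""
    prerequisites: str = ""
    impact: str = ""
    payload: str = ""  # never compared: a new payload is not a new vector

    def identity(self):
        return (self.target, self.location, self.entry_point, self.cwe, self.technique)

    def description(self):
        return (f"Target location: {self.location} ({self.entry_point}). Approach: {self.approach} "
                f"Prerequisites: {self.prerequisites} Impact: {self.impact}")

def is_duplicate(new, registered):
    """Duplicate only on an exact identity match, so doubt resolves toward novel."""
    return any(new.identity() == old.identity() for old in registered)

def quality_problems(v):
    """List the reasons the description would fail the quality standard."""
    fields = ("location", "approach", "prerequisites", "impact")
    problems = [f"missing {f}" for f in fields if not getattr(v, f).strip()]
    if len(v.description()) < MIN_DESCRIPTION_CHARS:
        problems.append(f"description under {MIN_DESCRIPTION_CHARS} characters")
    return problems

def preflight(new, registered):
    """Return 'duplicate', 'rejected: ...' or 'register' for a candidate."""
    if is_duplicate(new, registered):
        return "duplicate"
    problems = quality_problems(new)
    return "rejected: " + "; ".join(problems) if problems else "register"

# Constructed sample, reusing the values from the page's vector example.
BASE = Vector("endpoint://42", "sort_by", "POST", "CWE-89", "time-based blind",
              approach="Time-based blind injection via the ORDER BY clause.",
              prerequisites="Any authenticated session.", impact="Full DB read access.")

if __name__ == "__main__":
    for change in ({"payload": "alt"}, {"location": "filter"}, {"entry_point": "GET"}):
        print(change, "->", preflight(replace(BASE, **change), [BASE]))
```

A candidate that differs from a registered one only in payload comes back as a duplicate, while a change of location, technique or entry point passes through to registration.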

When to Use This

  • Identified a CWE-based attack vector during P4 vulnerability research
  • Found a CVE that applies to the target's technology stack
  • Want to chain multiple confirmed findings into a more impactful attack
  • Discovered an unexpected vulnerability during P5 investigation
  • Found a business logic flaw during P3 flow analysis

How to Delegate

Vector (most common)

Agent("register-assessment", "Vector: CWE-89 SQL injection on endpoint 42
(POST /api/v2/users/search). Target location: 'sort_by' query parameter in
JSON body. Approach: time-based blind injection via ORDER BY clause.
Prerequisites: any authenticated session. Impact: full DB read access.
Targets: endpoint://42, service://5.")

CVE

Agent("register-assessment", "CVE: CVE-2024-1234 affects Django 4.2 on
service 5 (api.target.com). Target: the auth service running Django.
Approach: exploit the path traversal in file upload. Impact: RCE.
Targets: service://5.")

Chain

Agent("register-assessment", "Chain: linking finding 12 (SSRF) and
finding 15 (internal API no auth) into a complete attack path.
SSRF on endpoint 42 allows reaching internal admin API (finding 15)
which has no authentication. Impact: admin access via external request.
Targets: endpoint://42, service://5. Finding IDs: 12, 15.")

Rules

  • To register assessments, always delegate to the register-assessment subagent
  • Each assessment must target specific entities (endpoints, services, flows)
  • The subagent will auto-create a P5 task — you do NOT need to create one separately
  • Register assessments one at a time and wait for each to complete
  • If the subagent reports a duplicate, do NOT retry — move to your next vector