NullSquare
Concept · Beginner · Reviewed May 18, 2026

Welcome to NullSquare

A tour of the platform: what it does, how an assessment flows from scope to report, and how your team stays in control.

NullSquare is an AI-powered offensive security platform. You point it at an authorized environment, describe what you want tested, and an autonomous agent plans the work, executes it inside the boundaries you set, and hands back a durable record of every asset it found, every finding it produced, and every piece of evidence it preserved.

This page is the high-level map. If you read nothing else, read this — it explains the moving parts, where they live in the app, and how a brand-new account becomes a working security program in a few days.

What you will learn

  • How the platform is organized. Organizations, scopes, targets, runs, and the data they produce.
  • What the agent does for you. Planning, discovery, testing, evidence capture, and reporting.
  • What your team owns. Authorization, context, prioritization, and triage decisions.
  • Where to go next. A direct path to your first scope and first assessment.

The idea behind NullSquare

Traditional pentests are infrequent, manual, and expensive. NullSquare replaces that cadence with an always-available offensive agent that you can launch on a goal: "discover our external attack surface", "test the customer API for authorization issues", "review this internal subnet for weak services". The agent decides which techniques fit, executes them safely, and produces the same outputs a senior pentester would: assets, validated findings, evidence, and a written report.

You stay in the loop on three decisions: what is in scope, what the agent should test, and what to do with the results. The platform handles everything in between.

How the platform is organized

Five primary objects make up the operating model. Once you understand how they fit together, every screen in the app falls into place.

  • Organization — the account boundary. It holds your team, roles, billing, integrations, business context, and the compliance frameworks you care about.
  • Scope — one authorized target environment, for example "Production web app" or "Corporate internal network". Targets, rules of engagement, credentials, mapped repositories, and assigned runners all live inside a scope.
  • Target — a domain, host, or CIDR range that you authorize the agent to assess. Public targets are verified through DNS or HTTP; internal CIDRs are reached through a private runner.
  • Run — a goal-driven assessment inside a scope. The agent plans the work, executes it, and produces assets, findings, evidence, activity, and a report.
  • Outputs — the durable record. Assets (the attack surface), findings (security issues with evidence), reports, and compliance readiness signals are tracked over time across all of your runs.

What the agent does

When you start a run, the agent reads your goal alongside the scope, rules of engagement, prior assets, credentials, and any mapped repositories. It drafts an assessment plan, executes it inside the configured boundaries, and decides what to investigate deeper based on what it finds in real time.

  • Turns a written goal into a structured plan you can review before execution.
  • Discovers reachable hosts, services, endpoints, technologies, and authentication surfaces.
  • Performs active testing — authentication, authorization, injection, business logic, network exposure — inside the rules of engagement.
  • Validates and preserves evidence so findings are reproducible and reviewable.
  • Writes a stakeholder-ready report and stores the underlying activity for replay.

What your team does

NullSquare is autonomous, but it is not unsupervised. Your team owns the authorization boundary and the prioritization decisions that follow each run.

  • Define scopes that match real product surfaces or environments.
  • Add authorized public domains, hosts, or internal CIDR ranges as targets.
  • Deploy a private runner when targets are internal, VPN-only, or otherwise unreachable from the cloud.
  • Capture business context: who owns this surface, what data it handles, what is critical to the company.
  • Review plans when Safe Mode is on, triage findings, retest fixes, and accept risk where appropriate.

The authorization model

Scope is the platform's authorization boundary. The agent will never touch a target that is not explicitly listed in an active scope, and every run, finding, asset, and report is bound to one. Targets you do not own — or do not have written permission to test — should never be added.

For public assets, the platform requires DNS or HTTP verification before active testing begins. For private CIDRs the platform cannot verify ownership the same way, so you are responsible for confirming authorization before adding the range and attaching a runner.

The platform enforces the boundary; your team owns the decision

NullSquare will not test outside an active scope. But adding a target to a scope is an authorization claim — only do it for environments your organization owns or has written permission to assess.
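To make the authorization boundary concrete, here is an added example (not NullSquare's own code or data model) of what a scope membership check looks like: a scope holds a list of targets, a public target counts only once it has been verified, a private CIDR is trusted on the strength of your own authorization confirmation, and anything not listed in an active scope is refused. The `Scope` and `Target` fields, the `authorize` function, and the sample scope contents are all constructed for illustration.

```python
from __future__ import annotations

import ipaddress
from dataclasses import dataclass, field

# Constructed model of one scope. Field names are assumptions for this
# example; the platform's real schema is not shown on the page.


@dataclass
class Target:
    value: str              # "example.com", "10.0.1.7" or "10.0.0.0/16"
    verified: bool = False  # DNS/HTTP verification outcome for public targets
    private: bool = False   # internal range reached through a private runner


@dataclass
class Scope:
    name: str
    active: bool
    targets: list[Target] = field(default_factory=list)


def _covers(entry: Target, candidate: str) -> bool:
    """True if a single scope entry covers the candidate host or address."""
    try:
        # IP or CIDR entry: containment check on the address.
        net = ipaddress.ip_network(entry.value, strict=False)
        return ipaddress.ip_address(candidate) in net
    except ValueError:
        pass  # one side is not an address, fall through to hostname logic
    # Hostname entry: exact match or a subdomain of the listed domain.
    cand = candidate.lower().rstrip(".")
    listed = entry.value.lower().rstrip(".")
    return cand == listed or cand.endswith("." + listed)


def authorize(scope: Scope, candidate: str) -> tuple[bool, str]:
    """Decide whether the agent may touch `candidate` under this scope.

    Returns (allowed, reason). Deny is the default: an inactive scope,
    an unlisted target, or a listed-but-unverified public target all refuse.
    """
    if not scope.active:
        return False, "scope is not active"
    for entry in scope.targets:
        if _covers(entry, candidate):
            if not entry.private and not entry.verified:
                return False, f"{entry.value} listed but not yet verified"
            return True, f"covered by {entry.value}"
    return False, "not listed in scope"


# Constructed sample scope: one verified public domain, one private CIDR
# attached to a runner, and one public host that has not been verified yet.
SAMPLE_SCOPE = Scope(
    name="Production web app",
    active=True,
    targets=[
        Target("example.com", verified=True),
        Target("10.0.0.0/16", private=True),
        Target("staging.example.net"),
    ],
)

if __name__ == "__main__":
    for host in ("app.example.com", "10.0.1.7", "staging.example.net", "evil-example.com"):
        print(host, authorize(SAMPLE_SCOPE, host))
```

Note that the hostname rule requires a dot boundary, so `evil-example.com` is not covered by an `example.com` entry; a naive `endswith("example.com")` would have let it through.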

Rules of engagement

Each scope carries a written rules-of-engagement document. It tells the agent what you care about, what is off limits, what rate is acceptable, when the testing window opens and closes, and who to escalate to if something high-impact appears.

Good rules of engagement are the single biggest lever on how useful — and how safe — an assessment is. The platform reads them on every run, so investing a few minutes in writing them clearly pays off across every future assessment in that scope.
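The rules listed above (what is off limits, acceptable rate, testing window, escalation contact) are the kind of thing an agent can check mechanically before each action. The following is an added example, not the platform's own ROE format or enforcement code, that models such a document as a plain dictionary and evaluates a proposed action and a produced finding against it; every key name, the overnight window, the rate ceiling and the escalation address are constructed for illustration.

```python
from __future__ import annotations

from datetime import datetime, time, timezone

# Constructed rules-of-engagement document. Keys and values are assumptions
# for this example; the platform's real ROE format is not shown on the page.
SAMPLE_ROE = {
    "window_utc": (time(22, 0), time(6, 0)),  # overnight window, wraps midnight
    "max_requests_per_second": 20,
    "off_limits": {"denial_of_service", "social_engineering"},
    "escalate_at_severity": "high",
    "escalation_contact": "security-oncall@example.com",  # constructed address
}

SEVERITY_ORDER = ["info", "low", "medium", "high", "critical"]


def utc(year: int, month: int, day: int, hour: int, minute: int = 0) -> datetime:
    """Helper that builds a timezone-aware UTC timestamp."""
    return datetime(year, month, day, hour, minute, tzinfo=timezone.utc)


def in_window(roe: dict, now: datetime) -> bool:
    """True if `now` falls inside the ROE testing window (handles wrap past midnight)."""
    start, end = roe["window_utc"]
    t = now.astimezone(timezone.utc).time()
    if start <= end:
        return start <= t < end
    return t >= start or t < end


def check_action(roe: dict, technique: str, rps: float, now: datetime) -> tuple[str, str]:
    """Gate one proposed action: off-limits technique and window are hard
    denials, rate above the ceiling is throttled, everything else is allowed."""
    if technique in roe["off_limits"]:
        return "deny", f"{technique} is off limits in this scope"
    if not in_window(roe, now):
        return "deny", "outside the testing window"
    ceiling = roe["max_requests_per_second"]
    if rps > ceiling:
        return "throttle", f"requested {rps} rps exceeds ceiling of {ceiling}"
    return "allow", "within rules of engagement"


def on_finding(roe: dict, severity: str) -> tuple[str, str]:
    """Route a finding: at or above the escalation threshold it goes to the
    named contact immediately, otherwise it is recorded for normal triage."""
    if SEVERITY_ORDER.index(severity) >= SEVERITY_ORDER.index(roe["escalate_at_severity"]):
        return "escalate", roe["escalation_contact"]
    return "record", "logged for triage"


if __name__ == "__main__":
    now = utc(2026, 5, 18, 23, 30)
    print(check_action(SAMPLE_ROE, "authorization_testing", 5, now))
    print(check_action(SAMPLE_ROE, "authorization_testing", 50, now))
    print(check_action(SAMPLE_ROE, "denial_of_service", 1, now))
    print(check_action(SAMPLE_ROE, "authorization_testing", 5, utc(2026, 5, 18, 12, 0)))
    print(on_finding(SAMPLE_ROE, "critical"))
```

The window check is the part most often got wrong in hand-rolled versions: a window such as 22:00 to 06:00 has its end before its start, so the comparison has to be inverted when it wraps past midnight.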

Where to go from here

If you are new, head straight to the quickstart and run a discovery assessment on a non-production target. It is the fastest way to see the platform produce something tangible.

If you already have an environment in mind, jump to the Scopes guide and set up your first authorization boundary, then come back to the quickstart.
