AI Scan Planner
Daily portfolio review that picks which targets to scan today and explains why. Contestable by the operator at every step. Complements Scan Schedules and manual scans.
The AI Scan Planner is a daily decision layer that watches every target in your portfolio, weighs risk against budget, and proposes a scan plan for the day with a written rationale per target. The operator can accept the plan, force a scan, veto a target for the next cycle, or pause the planner with Vacation Mode.
It does not replace manual scans or Scan Schedules. It runs alongside them as a third source of dispatches, driven by signals the operator does not have time to monitor every day.
The page at Scans → AI Scan Planner opens with the daily rationale:
Daily portfolio review picks which targets to scan today and explains why. Every decision is contestable: force a scan, veto next cycle, accept a proposal, or pause the planner with vacation mode.
How a decision is made
Every cycle (default daily, 02:00 in the org's time zone), the planner walks every target in your portfolio and computes a priority score between 0.000 and 1.000.
The score combines four weighted inputs per target:
| Input | What it measures |
|---|---|
| Risk | Aggregated severity and Risk Score of open Findings on the target. |
| Decay | How long since the last successful scan. The longer the silence, the higher the pull. |
| Evidence | Signals that something changed: Environment Profile drift, certificate change, new subdomain, new technology detected. |
| Cost | The estimated scan budget cost relative to the daily quota. Used to skip low-value runs when the quota is tight. |
The weights are tuned per organization. Operator feedback (force, veto, apply, ignore) nudges the weights in the direction of what the team has historically accepted. The team's signal becomes part of the model.
Action types
Per target, the planner emits one of these actions:
| Action | What it means |
|---|---|
| Full scan | Run a full-coverage scan today. Used when the score exceeds the threshold. |
| Pulse | A maintenance-class scan within the daily quota. Lightweight; keeps the inventory fresh without consuming the full budget. |
| Skip | Score is below threshold or quota is exhausted. The target is left alone today; the rationale explains why. |
| Propose profile | The detected environment suggests a different scan profile than the one currently used (e.g., switch from web_app to api_jwt because the stack now exposes GraphQL). Operator clicks Apply or Ignore. |
| Propose add | A newly discovered surface element (subdomain, route, port) is worth adding to the existing scan scope. Operator clicks Add to scope or Ignore. |
The rationale column is always plain English. Examples:
- Maintenance pulse within daily quota.
- Below threshold; skipped to preserve budget.
- Environment profile changed; full scan recommended.
- GraphQL detected; suggest api_jwt profile.
Daily quota
The planner is budget-aware. Each plan tier ships a daily quota that caps how many autonomous dispatches the planner runs in 24 hours:
| Plan | Daily quota |
|---|---|
| Starter | 1 |
| Pro | 3 |
| Enterprise | 10 |
| Platinum | Custom |
Above the quota, the planner emits Skip rows so the operator can see what was not scanned and why. Force-scanning a Skip row is one click; the operator decision overrides the quota for that target.
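An added example, not the product's own code, of how one planner cycle can turn the four inputs into a score, an action and a plain-English rationale while honouring the daily quota, operator vetoes and the 24-hour cooldown. The weights, thresholds and the decay saturation are assumptions, since the page says they are tuned per organization.

```python
from dataclasses import dataclass
# Illustrative weights: the page says they are tuned per organization, so every number is assumed.
WEIGHTS = {"risk": 0.4, "decay": 0.3, "evidence": 0.3}
FULL_SCAN_THRESHOLD = 0.6         # assumed; the page says it is org-dependent
PULSE_THRESHOLD = 0.3             # assumed
COOLDOWN_HOURS = 24               # from the page: 24-hour cooldown per target
DECAY_SATURATION_HOURS = 30 * 24  # assumed: 30 days of silence is maximum pull

@dataclass
class Target:
    name: str
    risk: float              # 0..1, aggregated severity of open Findings
    hours_since_scan: float  # time since the last successful scan
    evidence: float          # 0..1, drift / certificate / subdomain / tech signals
    cost: float              # 0..1, estimated cost relative to the daily quota
    vetoed: bool = False     # operator veto in force for this cycle

def priority(t: Target) -> float:
    """Priority score in [0.000, 1.000] from risk, decay and evidence."""
    decay = min(t.hours_since_scan / DECAY_SATURATION_HOURS, 1.0)
    raw = (WEIGHTS["risk"] * t.risk + WEIGHTS["decay"] * decay
           + WEIGHTS["evidence"] * t.evidence)
    return round(max(0.0, min(1.0, raw)), 3)

def plan(targets, daily_quota):
    """One cycle: walk targets highest score first, return (target, action, rationale)."""
    budget = daily_quota
    rows = []
    for t in sorted(targets, key=priority, reverse=True):
        score = priority(t)
        if t.vetoed:
            rows.append((t.name, "Skip", "Vetoed by operator for this cycle."))
        elif t.hours_since_scan < COOLDOWN_HOURS:
            rows.append((t.name, "Skip", "Dispatched within the last 24 hours; cooldown."))
        elif budget == 0:
            rows.append((t.name, "Skip", "Daily quota exhausted."))
        elif budget == 1 and t.cost > score:
            # Cost input: with the quota nearly spent, do not burn it on a low-value run.
            rows.append((t.name, "Skip", "Low value relative to cost; quota is tight."))
        elif score >= FULL_SCAN_THRESHOLD:
            why = ("Environment profile changed; full scan recommended."
                   if t.evidence >= 0.5 else "Priority above threshold; full scan.")
            rows.append((t.name, "Full scan", why))
            budget -= 1
        elif score >= PULSE_THRESHOLD:
            rows.append((t.name, "Pulse", "Maintenance pulse within daily quota."))
            budget -= 1
        else:
            rows.append((t.name, "Skip", "Below threshold; skipped to preserve budget."))
    return rows
```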
The portal page
Scans → AI Scan Planner.
Header
| Element | What it does |
|---|---|
| Enabled / Disabled toggle | Master switch. When off, no autonomous dispatch happens. Schedules and manual scans continue to work. |
| Run review now | Forces a planner cycle on demand. Useful after a config change. |
| Vacation mode | Pauses autonomous dispatch for a number of days (0 to 60). |
| Pills | Quick status: Vacation: off | active until <date>, Daily quota: N, Last review: <timestamp>. |
Decisions table
| Column | Meaning |
|---|---|
| Target | The target the decision applies to. |
| Action | One of the five action types above. |
| Rationale | Plain-English explanation of why this action was chosen. |
| Priority | Score 0.000 to 1.000. Threshold is org-dependent. |
| Status | PENDING (decision recorded, not yet dispatched), OK (dispatched), VETOED, APPLIED. |
| Decided | When the planner made the call. |
| Actions | Operator buttons, contextual to the action: see below. |
Contextual buttons
| Action | Buttons available |
|---|---|
| Full scan / Pulse / Skip | Force scan now (immediate dispatch) / Veto next cycle (30-day block on this target for this action). |
| Propose profile | Apply (set the target's preferred scan template) / Ignore (dismiss for the cooldown window). |
| Propose add | Add to scope / Ignore. |
Every button click is captured in the customer-facing Audit log, with the operator identity and the original decision.
Per-target template suggestion
The planner reads the per-host Environment Profile produced by every scan and proposes a more appropriate template when the detected stack disagrees with the current configuration.
| Signal observed | Suggested template |
|---|---|
| GraphQL endpoint detected | api_jwt |
| OpenAPI / Swagger document | api_jwt |
| JWT issuance observed on login | api_jwt |
| SOAP service detected | soap |
| WebSocket upgrade observed | web_app |
| Server-rendered web stack with forms | web_app |
| Inconclusive | No proposal |
The suggestion is silent for 30 days per (target, template). After 30 days, the planner will propose again if the signal still holds.
Auto-apply safety net
If the operator does not click Apply or Ignore on a profile proposal by the time the planner dispatches the next scan for that target, the planner applies the suggested template itself. The target's preferred_scan_template is updated; an audit row is written with actor = ai_scan_planner and an auto-applied note.
This is by design. The cost of letting the planner adapt is lower than the cost of running the wrong profile against a stack that changed.
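An added illustration, not the planner's own code, of the signal-to-template table together with the 30-day silence per (target, template) and the auto-apply safety net. The signal names are constructed labels for the table rows, and treating conflicting signals as inconclusive is an assumption.

```python
from datetime import datetime, timedelta

SILENCE = timedelta(days=30)  # from the page: silent 30 days per (target, template)
# Signal names are constructed labels for the rows of the page's table.
SIGNAL_TO_TEMPLATE = {
    "graphql_endpoint": "api_jwt",
    "openapi_document": "api_jwt",
    "jwt_issuance_on_login": "api_jwt",
    "soap_service": "soap",
    "websocket_upgrade": "web_app",
    "server_rendered_forms": "web_app",
}

class ProfileProposer:
    def __init__(self):
        self.last_proposed = {}  # (target, template) -> when it was last proposed
        self.pending = {}        # target -> template awaiting Apply / Ignore
        self.audit = []          # audit rows: actor, target, template, note

    def review(self, target, current_template, signals, now: datetime):
        """Return a 'Propose profile' row, or None when inconclusive or still silent."""
        candidates = {SIGNAL_TO_TEMPLATE[s] for s in signals if s in SIGNAL_TO_TEMPLATE}
        candidates.discard(current_template)
        if len(candidates) != 1:  # assumed: conflicting signals count as inconclusive
            return None
        template = candidates.pop()
        last = self.last_proposed.get((target, template))
        if last is not None and now - last < SILENCE:
            return None
        self.last_proposed[(target, template)] = now
        self.pending[target] = template
        return {"target": target, "action": "Propose profile", "template": template}

    def operator_decision(self, target, apply):
        """Apply or Ignore by a human; either way the proposal stops being pending."""
        template = self.pending.pop(target, None)
        if template is None:
            return None
        self.audit.append({"actor": "human", "target": target, "template": template,
                           "note": "applied" if apply else "ignored"})
        return template if apply else None

    def on_dispatch(self, target, current_template):
        """Auto-apply safety net: an unanswered proposal is applied at the next dispatch."""
        template = self.pending.pop(target, None)
        if template is None:
            return current_template
        self.audit.append({"actor": "ai_scan_planner", "target": target,
                           "template": template, "note": "auto-applied"})
        return template
```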
Drift radar
Outside the daily quota, the planner monitors environment profile drift. When the per-host fingerprint changes (new technology, auth surface change, protocol change), and the change is observed outside business hours, the planner emits a full-scan dispatch flagged as drift_dispatch to capture evidence before the change propagates further.
Drift dispatches do not count against the daily quota. They are audited under ai_scan_planner_drift_dispatch.
Vacation mode
Pauses the planner for up to 60 days. Useful for:
- Maintenance windows where the team does not want autonomous scans.
- Holidays or quiet periods where alerts should stay silent.
- Investigations where the team wants to control the scan timeline manually.
Vacation mode does not pause Scan Schedules or manual scans; it only pauses the autonomous decision layer. Drift dispatches respect vacation mode.
How it fits with Scan Schedules and manual scans
The three dispatch sources are independent and complementary:
| Source | Trigger | When to use |
|---|---|---|
| Manual scan | Operator clicks Scan. | Investigations, ad-hoc validation, demos. |
| Scan Schedules | Operator-defined cron. | Predictable cadence, compliance windows. |
| AI Scan Planner | Daily priority review. | Continuous coverage of a large portfolio without manual triage. |
A target can be touched by all three in the same week. The planner respects a 24-hour cooldown between any two dispatches of the same target, so a manual scan in the morning will not be redundantly re-scanned by the planner at 02:00.
Plan availability
| Plan | Notes |
|---|---|
| Starter | Daily quota 1. Lower-tier autonomous coverage. |
| Pro | Daily quota 3. Drift radar enabled. |
| Enterprise | Daily quota 10. Drift radar enabled. Custom weight tuning available. |
| Platinum | Custom quota and weights. |
The current quota is shown as a pill on the planner page and can be raised by request.
Audit and contestability
Every planner action is auditable:
- Each decision row is append-only with full rationale.
- Every operator override (Force, Veto, Apply, Ignore, Vacation toggle, Master toggle) writes an entry in the customer-facing audit log with actor = human.
- Every autonomous action (dispatch, drift dispatch, auto-apply) writes an entry with actor = ai_scan_planner.
- Vetoes carry a 30-day TTL and are revocable at any time.
The audit log is queryable from Audit Log in the portal sidebar, filterable by ai_scan_planner_* action codes.
What it does NOT do
- No black-box decisions. Every action has a rationale and is contestable in one click.
- No surprise scans. Cooldown prevents re-runs within 24 hours; quota prevents budget blowout; vacation mode pauses the planner entirely.
- No takeover of manual scans or schedules. The planner is a third dispatch source, not a replacement.
- No external data sharing. All signals are computed from your own targets, findings, and Environment Profiles. The planner does not call out to third-party intelligence to score a target.
Where it lives in the portal
- Scans → AI Scan Planner: the decisions page.
- Scans → Scan Schedules: cron-driven scans (independent).
- Audit Log: filterable history of every planner action.
- Settings → Usage → AI Scan Planner tab: daily quota usage, monthly AI-driven scan count, vacation mode state, pending proposals, active vetoes.
