Agnech
CLI Mode

Ultimate Mode

Maximum depth analysis with all 7 engines at full power. Symbolic execution, graph analysis, and AI verification for the most thorough security audit possible.

Resource Intensive

Ultimate mode can take 10-50x longer than standard scans and requires significant CPU and memory. Recommended for security audits, not CI/CD pipelines.

Overview

Ultimate mode is designed for comprehensive security audits where finding every possible vulnerability is more important than scan speed. It enables all analysis engines at their deepest settings.

Bash
1# Run ultimate mode scan
2bloodhound scan . --mode ultimate
3

4# Ultimate mode with specific focus
5bloodhound scan . --mode ultimate --focus authentication,cryptography
6

7# Resource-limited ultimate scan
8bloodhound scan . --mode ultimate --max-memory 16G --timeout 3600
9

10# Ultimate scan output
11# ═══════════════════════════════════════════════════════════════
12#  BLOODHOUND ULTIMATE SCAN
13# ═══════════════════════════════════════════════════════════════
14#
15#  Target: /project
16#  Files: 2,847
17#  Engines: ALL (7/7)
18#  Estimated time: 45-60 minutes
19#
20#  ┌─────────────────────────────────────────────────────────────┐
21#  │ Engine Pipeline                                             │
22#  ├─────────────────────────────────────────────────────────────┤
23#  │ [1/7] Pattern Matching      ████████████████████ COMPLETE   │
24#  │ [2/7] SAST Analysis         ████████████████████ COMPLETE   │
25#  │ [3/7] Dependencies          ████████████████████ COMPLETE   │
26#  │ [4/7] Taint Analysis        ████████████░░░░░░░░ 60%        │
27#  │ [5/7] Symbolic Execution    ░░░░░░░░░░░░░░░░░░░░ PENDING    │
28#  │ [6/7] Graph Analysis        ░░░░░░░░░░░░░░░░░░░░ PENDING    │
29#  │ [7/7] AI Verification       ░░░░░░░░░░░░░░░░░░░░ PENDING    │
30#  └─────────────────────────────────────────────────────────────┘

All Engines Active

Compare what's enabled in Ultimate mode versus Advanced mode.

EngineAdvancedUltimateDetails
Pattern Matching✓ ExtendedAll 2,400+ patterns active
SAST Analysis✓ DeepFull AST + CFG + DFG analysis
Dependencies✓ TransitiveFull dependency tree analysis
Taint Analysis✓ InterproceduralCross-function flow tracking
Symbolic ExecutionLimited✓ FullComplete path exploration
Graph AnalysisLimited✓ FullCode Property Graph queries
AI Verification✓ EnhancedMulti-model ensemble

Deep Analysis Features

Path Explosion Handling

Advanced techniques to explore complex control flow without timeout

Cross-File Analysis

Track vulnerabilities across module boundaries and imports

Constraint Solving

Z3 solver integration for precise exploitability analysis

Memory Models

Accurate heap/stack modeling for buffer overflow detection

Symbolic Execution

Ultimate mode enables full symbolic execution, which explores all possible execution paths through your code to find vulnerabilities that only manifest under specific conditions.

TypeScript
1// Symbolic execution example
2function processPayment(amount: number, userId: string) {
3  if (amount > 10000) {
4    // Path A: Large transaction
5    if (isAdminUser(userId)) {
6      // Path A1: Admin bypass - vulnerability found!
7      transferFunds(amount);  // No validation
8    } else {
9      // Path A2: Normal user - requires approval
10      requireApproval(amount, userId);
11    }
12  } else {
13    // Path B: Small transaction
14    transferFunds(amount);
15  }
16}
17

18// Symbolic execution explores ALL paths:
19//
20// Path A1 Analysis:
21// ┌──────────────────────────────────────────────────────────┐
22// │ Symbolic Execution Result                                │
23// ├──────────────────────────────────────────────────────────┤
24// │ Path: amount > 10000 ∧ isAdminUser(userId) = true        │
25// │ Constraint: userId ∈ {"admin", "superuser", "root"}      │
26// │                                                          │
27// │ VULNERABILITY: Authorization Bypass                      │
28// │                                                          │
29// │ An admin user can transfer unlimited funds without       │
30// │ the approval check required for regular users.           │
31// │                                                          │
32// │ Proof of Concept:                                        │
33// │   processPayment(999999, "admin")                        │
34// │   // Transfers $999,999 without approval                 │
35// │                                                          │
36// │ Recommendation: Apply same approval rules to admins      │
37// └──────────────────────────────────────────────────────────┘

Symbolic Execution Settings

Bash
1# Configure symbolic execution depth
2bloodhound scan . --mode ultimate \
3  --symbolic-depth 20 \            # Max path depth
4  --symbolic-timeout 60 \          # Timeout per function (seconds)
5  --symbolic-max-paths 10000 \     # Max paths to explore
6  --symbolic-solver z3              # Constraint solver (z3, cvc5)
7

8# Focus symbolic execution on specific functions
9bloodhound scan . --mode ultimate \
10  --symbolic-focus "auth*,payment*,transfer*"
11

12# Generate exploit proofs for findings
13bloodhound scan . --mode ultimate --generate-exploits

Graph Analysis

The Code Property Graph (CPG) combines AST, control flow, and data flow into a unified queryable graph structure for complex vulnerability patterns.

TypeScript
1// Graph analysis finds vulnerabilities that span multiple files
2// Example: Finding auth bypass through indirect calls
3

4// auth/middleware.ts
5export function requireAuth(handler: Handler) {
6  return (req, res) => {
7    if (!req.session?.user) {
8      return res.status(401).send('Unauthorized');
9    }
10    return handler(req, res);
11  };
12}
13

14// routes/api.ts
15import { requireAuth } from '../auth/middleware';
16import { getUser } from '../controllers/user';
17

18router.get('/user/:id', requireAuth(getUser));  // Protected ✓
19router.get('/user/:id/admin', getUser);         // UNPROTECTED! ✗
20

21// Graph query that finds this:
22// ┌──────────────────────────────────────────────────────────┐
23// │ Cypher Query                                             │
24// ├──────────────────────────────────────────────────────────┤
25// │ MATCH (route:RouteHandler)-[:CALLS]->(fn:Function)       │
26// │ WHERE NOT (route)-[:WRAPPED_BY]->(:AuthMiddleware)       │
27// │ AND fn.accessesSensitiveData = true                      │
28// │ RETURN route.path, fn.name, fn.file                      │
29// └──────────────────────────────────────────────────────────┘
30//
31// Result:
32// | path            | name    | file              |
33// |-----------------|---------|-------------------|
34// | /user/:id/admin | getUser | controllers/user  |
Bash
1# Run custom graph queries
2bloodhound query "MATCH (n:Function) WHERE n.name CONTAINS 'password' RETURN n"
3

4# Export graph for external analysis
5bloodhound scan . --mode ultimate --export-cpg ./code-graph.json
6

7# Interactive graph explorer
8bloodhound explore --mode graph
9

10# Built-in vulnerability queries
11bloodhound scan . --mode ultimate --graph-queries \
12  auth-bypass,\
13  privilege-escalation,\
14  data-exfiltration,\
15  injection-chains

Use Cases

Ultimate mode is ideal for these scenarios:

Pre-Release Security Audits

Run ultimate scans before major releases to catch complex vulnerabilities that faster scans might miss.

bloodhound scan . --mode ultimate --report audit-v2.0.pdf

Smart Contract Audits

Blockchain code requires exhaustive analysis due to the irreversible nature of deployed contracts.

bloodhound scan contracts/ --mode ultimate --blockchain ethereum

Compliance Certification

Generate evidence for SOC 2, PCI-DSS, or other compliance certifications with comprehensive analysis proof.

bloodhound scan . --mode ultimate --compliance pci-dss --evidence-pack

Incident Response

After a security incident, run ultimate mode to find similar vulnerabilities and understand the full attack surface.

bloodhound scan . --mode ultimate --focus injection,auth-bypass --since 2024-01-01