Skip to content

Version 6.0 - November 2025

Venari 6.0 introduces a new scan mode called Prioritized Scanning to handle extremely large applications with a lot of duplicate functionality between pages, URLs, JavaScript, Etc. Scans can now be configured to run in a phased (prioritized) mode that applies deep analysis to URLs and page content to dynamically reprioritize pending scan operations. Analysis items still pending in work queues are scored for novelty so that similar items bubble down in priority as more duplicates are encountered. Prioritized scanning prevents the discovery and fuzzing engines from getting stuck in 'rabbit holes' of duplicate processing. The novelty scoring heuristics move new page, script and URL structures to the front of the work queues. Phased, prioritized scanning maximizes coverage by preferentially promoting items that have not already processed duplicate or near-duplicate functionality or content.

Nuclei integration has been expanded so that templates can now be run in one of three modes: [1] in the Venari process, [2] in the Nuclei CLI process or [3] in a hybrid mode that uses both.

Internal parsing and fuzzing algorithms have been improved to understand alternate parameter syntaxes and complex sub-parameters. The fuzzing engine can now apply attack payloads deeper into HTTP request content while maintaining full structural integrity including encodings.

This version brings new reports, triage features, API configuration enhancements, storage optimizations, and DevOps API improvements.

The full list of features and enhancements is shown below.

Feature Highlights

Prioritized Scanning

Venari now supports prioritized scanning to improve throughput times on large scans. Run the scan in priority mode to minimize duplicate discovery and fuzz analysis.

Prioritized scans use a phase-by-phase scoring process to de-prioritize analysis work when it is deemed to have high similarity with previous items. The phased scoring approach iteratively downgrades duplicate items so that more novel (unique) operations are moved to the front of the work queues. This mode of scanning is appropriate for applications with high degrees of similarity in content and structure.

For example, a shopping application with many product pages will have a lot of URLs and browser operations that differ only by an ID or a text label. A scan of this application could be overloaded with discovery and fuzz operations that all hit the same back-end server logic. Priority scanning of such an application detects the duplicate analysis items and pushes the repeats to the back of their work queues. The scan yields a better mapping of functionality and attack surface much earlier than a non-prioritized scan would.

Scans can be time-limited by phase or by total time.

Nuclei Integrations

Nuclei templates can now be run in three separate modes:

Mode Execution Details
Venari The Venari process loads and runs the Nuclei templates. The Nuclei CLI is not run in this mode.
Nuclei CLI A Nuclei CLI process is spawned and it runs the templates natively. The Venari UI harvests results data from Nuclei-generated files.
Hybrid (default) Venari runs some of the templates in process and delegates others to the Nuclei CLI process. HTTP protocol templates run in the Venari scanner and headless (browser) protocol templates run in the Nuclei CLI.

The Venari scanner now generates sniper rules for each Nuclei finding. These rules are saved in the Nuclei YAML format as POC steps for use in triage, re-testing and as report artifacts.

See the animation and screenshot below to preview the Nuclei integration changes.

Selecting the Nuclei template execution mode


Nuclei Findings are highlighted and any extracted text is captured and exposed in the UI view. A Sniper rule is generated for the specific URL where the attack succeeded.

Front Loaded Findings Re-Test

Findings can now be front-loaded in a scan to prioritize the re-test of code or configuration fixes. This capability replicates the output of the Findings Validation configuration but places it at the beginning of a complete scan so that new analysis can be performed once the re-test is complete.

Database Storage Size Reduction

Venari's database storage has been optimized to reduce serialization overhead and to compact objects upon scan completion. Scan sizes during testing have shown 40% decrease in total storage in many cases.

Report/Export Improvements

The set of available reports has been expanded with two new additions:

  1. 'Executive Summary' PDF report

  2. SaltMiner export

Report customizations now include optional cover pages, URL coverage details and detailed appendices.

New Export Formats

New Report Options

Name Changes

Venari 6.0 includes important name changes to be aware of in the UI, API operations and documentation. The former name for 'Job Templates' is now 'Scan Configurations.' The word 'template' was overloaded due to multiple Nuclei integration features that span the Venari engine and UI. Venari provides deep support for Nuclei templates so the terms were adjusted for clarity. 'Scan' is also an accepted industry term so version 6.0 adopts more commonly used labels for consistency.

Old Name Name Name
Job Scan
Template Configuration

The image below shows the two main name changes on the home screen of the UI.

Advanced UI Toggle in Settings

Scan settings can now be filtered to allow either a BASIC set of UI controls or an ADVANCED set.

The image below shows a side by side comparison of the scope settings. Note that simplified settings show fewer controls in any most tabs or panel in the UI.

Traffic Search New Targets

The Traffic Search feature has been expanded with additional targets related to searching across multiple scans and matching inside FORM elements in HTML responses.

Search for text in Form method

New Traffic Search Targets

ServiceNow Platform Syntax Support

The Venari parsing and fuzzing components have been extended to natively understand special URL parameter syntax that is specific to the ServiceNOW platform. URLs with embedded structure inside the path and query parameters can now be detected, parsed and fuzzed with attack payloads. The fuzzing engine understands the parameter syntax, so the outer request envelope will wrap the URL components in the proper encoding, maintaining transport integrity.

Sub-parameter Detection/Parsing/Fuzzing

Venari's parameter parsing model can now reliably parse sub-parameters from the right-hand-side value of query parameters and body parameters (with name-val pair syntax). XML, JSON and nested name-value pairs can be detected, fuzzed and re-encoded to maintain HTTP transport integrity.

In each example below, a parameter 'data' with a value of 'XYZ' will be fuzzed with an attack value of 'BOOM'

---------------------------- Example 1: XML sub-parameter ---------------------------- # encoded in HTTP request /operation.do?summary=%3Cthing%3E%3Cdata%3EXYZ%3C%2Fdata%3E%3C%2Fthing%3E # decoded to demonstrate sub-structure /operation.do?summary=<thing><data>XYZ</data></thing> # fuzzed and re-encoded in HTTP request /operation.do?summary=%3Cthing%3E%3Cdata%3EBOOM%3C%2Fdata%3E%3C%2Fthing%3E ----------------------------- Example 2: JSON sub-parameter ----------------------------- # encoded in HTTP request /operation.do?summary=%7B%22thing%22%3A%7B%22data%22%3A%22XYZ%22%7D%7D # decoded to demonstrate sub-structure /operation.do?summary={"thing":{"data":"XYZ"}} # fuzzed and re-encoded in HTTP request /operation.do?summary=%7B%22thing%22%3A%7B%22data%22%3A%22BOOM%22%7D%7D ---------------------------------------- Example 3: Name-Value pair sub-parameter ---------------------------------------- # encoded in HTTP request /operation.do?thing=data%3DXYZ%26info%3DABC # decoded to demonstrate sub-structure /operation.do?thing=data=XYZ&info=ABC # fuzzed and re-encoded in HTTP request /operation.do?thing=data%3DBOOM%26info%3DABC

Findings Merge

Multiple findings can now be selected and merged into a single finding. The animation below shows two equivalent SQLI findings being merged into a single finding that serves as a representative sample for use in demonstrating and fixing the issue.

Triage Improvements

There are new finding states for added flexibility in handling reported issues, including the ability to flag a finding as being 'reintroduced.' There is also a new finding property for filtering triage states. When the triage state is 'suspicious' or 'exploitable' the user can now enter a comment with the finding.

The image below shows a composite of all the selectable findings properties in the Venari UI.

The animation below shows a finding being edited with an attached triage comment.

API Fail Condition Configuration

API scans can now be configured with one or more 'fail conditions'. A fail condition is any scan event, traffic pattern or other criteria that indicate that the scan should be terminated.

Specify Authorization Rule In Scan Wizard

The scan wizard now provides a set of pre-defined authorization rules that can be paired with imported traffic sources. Selecting the auhorization rule up front allows the scan wizard to generate better scan settings with minimal configuration.

Save Traffic Definition to Master

Traffic definitions curated in the Venari DevOps remote UI view can now have their settings persisted to the server database instead of just storing them in client local storage. This new capability allows a user to create settings for API scanning that can be shared between users.

DevOps Enhancements

Venari DevOps edition has new capabilities:

- DevOps user role RemoteScanOperator (this user cannot make or view applications in Local mode)
- New REST API operations. See below.

The DevOps API has new operations, shown below:

- Backup/restore from S3 bucket
- GetFindings
- DeleteFinding
- UpdateFinding
- GetJobQueues
- ExportQueueDetails
- DownloadExport
- ImportRule
- SCIM API’s (Standard API protocol for creating and managing users and groups)

- Support for specifying allow and disallow rules when importing traffic API sources in the DevOps API