ZeroPanic User Guide

What is ZeroPanic?

ZeroPanic is a cybersecurity platform built for everyone — whether you're a security professional running penetration tests, a developer reviewing your own code, or someone who simply wants to know if their passwords have been compromised and keep their accounts safe. You do not need a technical background to use ZeroPanic. The tools are powerful enough for experts and clear enough for anyone.

ZeroPanic is designed with privacy at its core. We do not serve ads, we do not sell your data, and recon session results are never stored beyond your active session. Whatever you do here stays here.

Creating Your Account

Getting started takes less than two minutes. All you need is an email address and a password.

1. Visit the sign-up page and enter your email address and a strong password. Passwords are hashed using Argon2 — we never store them in plain text.

2. Verify your email by clicking the confirmation link sent to your inbox.

3. Enable Two-Factor Authentication (2FA) from Settings → Security. We support TOTP apps (Google Authenticator, Authy, and any compatible app). Strongly recommended.

4. You're in. Your account starts on the Free tier — 10 AI assistant questions per month and full access to the Encryption Tool. No credit card required.

Free vs Pro

ZeroPanic offers two tiers. Free gives you access to the core features to get started. Pro unlocks the full platform.

Feature	Free	Pro
AI Chat Assistant	10 credits/month	Unlimited
File upload & analysis	Free	Pro
Reasoning Mode	Free	Pro
Web Search Mode	Free	Pro
Saved chat history	—	Pro
Auto-save chats	—	Pro
Recon Agent	—	Pro
Password Vault	—	Pro
Tokens & Keys Storage	—	Pro
Private Notes	—	Pro
Breach Monitoring	—	Pro
Encryption Tool	Free	Pro
2FA Security	Free	Pro

Pro is $15/month or $135/year ($11.25/mo — save $45 · 25% off). Upgrade from the Billing page at any time. Cancel any time — your Pro access continues until the end of the current billing period with no early termination fee. Having trouble with payment? Contact us and we'll sort it out.

Starting a Chat

The AI Chat Assistant is where most people start. Ask it anything security-related — from "what is a strong password?" to complex code reviews. You do not need to know technical terminology. Ask the way you would ask a knowledgeable friend and it will meet you where you are.

1. Navigate to AI Assistant from the top navigation bar.

2. Click "New Chat" to open a fresh conversation. Each chat maintains its own history — the AI remembers everything said within the same window.

3. Type your question and press Enter to send, or Shift+Enter for a new line.

4. Receive a formatted response with headers, code blocks, and bullet points for clarity.

What you can ask

• Answer everyday security questions — "is this email safe?", "what should I do if I was hacked?"
• Explain any security concept — from basic to advanced, in plain English
• Review code for vulnerabilities (paste or upload)
• Analyse log files, config files, and network captures
• Identify phishing emails — paste headers and body
• Get step-by-step hardening guides for any system or service
• Research CVEs, malware families, and attack techniques
• Generate security policies, incident response templates, and checklists

Uploading Files

ZeroPanic supports file uploads for analysis. Attach logs, configs, code, PDFs, or images — the AI reads and analyses them in context of your question.

Supported file types

• Text & data: .txt, .log, .csv, .md, .json, .xml, .yaml, .yml
• Code: .py, .js, .ts, .html, .css
• Documents: .pdf (text extracted automatically)
• Images: .png, .jpg, .jpeg, .gif, .webp
• And more — the list above is representative. If your file type is text-based, it will generally be accepted even if not listed explicitly.

How to upload

1. Click the paperclip icon (📎) in the chat input area.

2. Select your file. Up to 10 MB per upload. Multiple files can be attached before sending.

3. Type your question and send. The AI analyses the file(s) alongside your query.

Example use cases

• Upload auth.log → "Are there any brute-force attempts in this log?"
• Upload nginx.conf → "Review this for security misconfigurations."
• Upload a screenshot of a suspicious email → "Is this a phishing attempt?"
• Upload source code → "Find SQL injection vulnerabilities in this file."

Reasoning Mode

Reasoning Mode enables the AI to think through complex problems step-by-step before producing a response. Ideal for difficult analytical tasks, multi-step security reviews, and questions requiring careful logical deduction.

How to enable

Click the 🧠 Reasoning pill in the top-right of any chat. It illuminates green when active. Responses will show a "Reasoning applied" tag confirming the mode was used. The thinking indicator shows "Reasoning deeply…".

Best used for

• In-depth vulnerability analysis of complex code
• Multi-step incident response planning
• Evaluating competing security architectures
• Interpreting ambiguous log data or network captures
• Security architecture review with trade-off analysis

Web Search Mode

Web Search Mode connects the AI to the live internet, enabling it to retrieve up-to-date information when answering your question. Particularly useful for recent CVEs, newly disclosed vulnerabilities, current threat intelligence, and any topic that changes rapidly.

How to enable

Click the 🌐 Web Search pill in the top-right of any chat. It illuminates green when active. The thinking indicator shows "🌐 Surfing the web…" while live results are retrieved.

Best used for

• Looking up a CVE published recently
• Checking if a specific software version has known exploits
• Researching a malware family or threat actor in the news
• Getting current patch status for a vulnerability
• Finding the latest hardening guidance for a specific technology

Saving Chats

Chats are not saved by default — this is intentional. Security conversations often contain sensitive data, and you should consciously decide what to keep.

Saving a chat manually (Pro)

Click the 💾 Save button in the top-right of any chat. Saved chats appear on the AI Assistant home page and remain accessible across sessions.

Auto-save (Pro only)

Enable auto-save in Settings → Account. When active, every chat is automatically saved after the first assistant reply — useful if you want a permanent history of all security consultations.

What Is the Recon Agent?

The Recon Agent is an autonomous AI that investigates your authorised targets using real security tools running inside a secure, isolated environment. Point it at a domain or IP you own, and it works through a structured investigation — gathering public records, scanning for open services, fingerprinting technologies, inspecting certificates, analysing security headers, and more. At the end it writes a clear report summarising everything it found. You do not need to be a security professional to use it or read the results.

What the agent investigates

1. Subdomain Discovery — passively queries certificate transparency logs to find subdomains associated with the target. No traffic sent to the target itself.

2. WHOIS & DNS Lookup — retrieves registration data (registrar, creation date, expiry, name servers) and enumerates all DNS records (A, MX, NS, TXT, SOA). Useful for understanding who owns a domain and how their mail and DNS infrastructure is configured.

3. Port & Service Discovery — Nmap scans for open ports and identifies what software is running on them, including version numbers.

4. Web Technology Fingerprinting — WhatWeb identifies the web framework, CMS, server software, and libraries in use.

5. SSL Certificate Inspection — checks certificate expiry, issuer, TLS version, and Subject Alternative Names. Expired or misconfigured certificates are flagged clearly.

6. Security Headers Analysis — checks whether the site has key HTTP security headers in place (CSP, HSTS, X-Frame-Options and more) and assigns a grade. Missing headers are explained in plain English.

7. FTP Anonymous Check — only if Nmap confirms port 21 is open. Checks whether anonymous login is allowed and whether files can be written.

8. Directory Enumeration — Gobuster brute-forces common paths on web targets using wordlists and file extensions matched to the detected tech stack.

9. CVE & Exploit Research — SearchSploit searches Exploit-DB for known vulnerabilities matching the exact software versions found. Read-only — nothing is executed.

10. Recon Report — the AI synthesises every finding into a structured report with plain-English explanations, risk levels, and remediation steps.

Ephemeral by design

Recon sessions are ephemeral. All tool outputs and the final report exist only for the duration of your active session. Nothing is retained on our servers once the session ends. Download your report before closing.

Launching a Session

1. Open any chat and click the 🔍 Recon Agent button in the top-right toolbar.

2. Enter your target — a domain (example.com), subdomain (app.example.com), or IP address. Subdomain enumeration is automatic for domain targets.

3. Choose your scope if entering a subdomain. Select either "this host only" or "all of the parent domain" based on your authorisation.

4. Select a mode — Human-in-the-loop or Full Auto (see Section 13).

5. Confirm legal authorisation by ticking the required checkbox.

6. Click "🔍 Start Recon." The session begins immediately.

Scope & Authorisation

ZeroPanic enforces scope technically on every agent session. The agent will refuse to scan any target outside the scope you declared, regardless of what it discovers during reconnaissance.

Target entered	Scope behaviour
example.com (root domain)	All subdomains automatically in scope — admin.example.com, api.example.com etc. are permitted. Owning the domain means owning its subdomains.
ftp.example.com + "This host only"	Only ftp.example.com is scanned. Discovered subdomains are noted in the report as out-of-scope but not actively scanned.
ftp.example.com + "All of example.com"	Scope expands to *.example.com — all subdomains including api.example.com are in scope.
IP address (e.g. 192.168.1.1)	Exact IP only. Subdomain enumeration is skipped — there are no subdomains on a bare IP.

Tools & What They Do

Tool	Phase	What it does
Subdomain Enum 🌍	Passive OSINT	Queries certificate transparency logs to find subdomains. DNS-resolves each one and categorises by risk — admin, dev, API, and staging subdomains rank highest.
WHOIS + DNS 📋	Passive OSINT	Retrieves domain registration data (registrar, dates, name servers) and all DNS records (A, AAAA, MX, NS, TXT, SOA). Reveals ownership, mail setup, and infrastructure details.
Nmap 🔍	Port Scanning	Discovers open ports, identifies running services and software versions. Scans top 1,000 ports by default using TCP connect scan.
WhatWeb 🌐	Fingerprinting	Identifies web technologies: framework, CMS, server software, JavaScript libraries and versions. Drives file extension selection for Gobuster.
SSL Check 🔐	Certificate	Inspects the SSL/TLS certificate — expiry date, issuer, TLS version, cipher, and Subject Alternative Names. Expired certs, near-expiry warnings, and weak TLS versions are flagged. SANs often reveal related domains useful for OSINT.
Security Headers 🛡️	Web Security	Checks for CSP, HSTS, X-Frame-Options, X-Content-Type-Options, Referrer-Policy, and Permissions-Policy. Assigns a grade (A–F) and explains each missing or misconfigured header in plain English.
FTP Check 📡	Service Check	Only fires when Nmap confirms port 21 open. Attempts anonymous FTP login, lists accessible directories, checks for write access.
Gobuster 📂	Enumeration	Brute-forces directories and file paths on web targets. File extensions are chosen from the detected tech stack — never generic.
SearchSploit 💥	CVE Research	Searches Exploit-DB for known exploits matching exact software versions found. Read-only — no exploits are executed.

Intelligence-driven methodology

Every step is driven by what earlier steps discovered. WhatWeb detects Django → Gobuster uses Python file extensions, not PHP. Nmap finds port 21 → FTP check fires. Subdomain enum finds admin.example.com → Nmap prioritises that host. Nmap finds Apache 2.4.49 → SearchSploit searches that exact string. The agent reads its own prior findings and reasons from them — it does not run a fixed checklist.

Human-in-the-Loop vs Full Auto Mode

🙋 Human-in-the-Loop (HITL) — Recommended

The agent proposes each action, explains its reasoning in plain English, and waits for your approval before running anything. You can approve, skip, or modify the step. Good for beginners and non-techies who want to understand what is happening at each stage, and for professionals who need precise control over a sensitive target.

⚡ Full Auto Mode

The agent runs the full investigation on its own — executing tools, reading the output, deciding the next step — until the report is written. Best when you want results without approving each step. You can still interrupt at any point.

Interrupting a session

In either mode, click 💬 Interrupt & Instruct to send a mid-session directive. For example: "Focus on the admin subdomain" or "Skip gobuster and go straight to SearchSploit." The agent picks up the instruction on its next iteration.

Reading Results

Each step card shows three layers of information:

• 💭 Reasoning — why the agent chose this tool and what it expected to find.
• Command & Args — the exact target, flags, and arguments passed to the tool.
• Raw Output — the actual output from the tool.

After raw output, a 🧠 Analysis interprets what was found and what it means for the assessment.

Step status indicators

Status	Meaning
DONE	Step completed successfully.
ERROR	Step failed. Card auto-expands showing error details. Agent recovers and continues.
SKIPPED	Skipped by user (HITL) or automatically by the agent (e.g. scope violation).
RUNNING	Tool currently executing.
AWAITING	HITL mode — waiting for your approval to proceed.

Downloading Reports

When the investigation is complete, the final report appears at the bottom of the agent panel. Three export options are available:

• 📋 Copy — copies the full report as Markdown to your clipboard.
• ⬇ .md — downloads as a Markdown file named ZeroPanic_Report_[target]_[date].md.
• 🖨 PDF — opens the browser print dialog with A4 formatting. Use "Save as PDF" in your browser.

If you download before the investigation finishes, you receive a clearly marked partial report showing which steps have completed so far. Re-download once the session is complete.

Password Vault

The Vault is a Pro-only encrypted credential manager. All entries are encrypted with AES-256 before storage — we cannot read your contents. Beyond passwords, you can store PINs, API keys, access tokens, bearer tokens, and private notes — including security question answers, recovery codes, 2FA backup codes, or any sensitive text you need to keep secure in one place.

• Encrypted storage: store passwords, PINs, API keys, access tokens, bearer tokens, and private notes (security question answers, recovery codes, anything sensitive) — all encrypted with AES-256
• Password strength analysis: every stored password scored and colour-coded by strength
• Breach checking: stored passwords are automatically checked against Have I Been Pwned using k-anonymity — PINs and API keys are not sent to breach databases
• Copy to clipboard: copy credentials with a single click
• Search and filter: quickly find entries across large vaults

Breach Monitoring

Breach Monitoring automatically checks your stored passwords against the Have I Been Pwned (HIBP) database on a regular schedule. You receive an email alert when a new breach is detected.

Privacy of breach checks

CyberSuite uses the k-anonymity method. Your email is hashed (SHA-1) and only the first 5 characters of that hash are transmitted to HIBP. The response contains all hashes beginning with those 5 characters — we check locally whether your full hash is among them. Your actual email address is never sent to any third party.

Encryption Tool

The Encryption Tool allows you to encrypt and decrypt text or files using AES-256 directly in your browser. Available to Free and Pro users.

• Text encryption: paste any text, provide a passphrase, receive ciphertext to share securely
• File encryption: encrypt files before sending over untrusted channels
• Client-side processing: encryption happens in your browser — plaintext never leaves your device
• Passphrase-based: your passphrase is never stored or transmitted

Account & Settings

Access Settings from the ⚙️ Settings link in the navigation bar.

Account tab

• Update your display name and email address
• Enable or disable auto-save for chats (Pro only)
• Change your password

Security tab

• Enable or disable Two-Factor Authentication (TOTP)
• View and manage active sessions

Billing & Subscriptions

Pro subscriptions are processed securely by our payment provider. ZeroPanic never handles your card details directly.

• Upgrade: visit the Billing page and select Pro. Instant access to all Pro features.
• Cancel: cancel any time from Billing. Pro access continues until period end — no early termination fee.
• Refunds: we do not offer refunds on processed payments except where required by consumer protection law. Contact us if you believe you were charged in error.
• Downgrade: vault data, saved chats, and breach monitoring history are preserved — inaccessible until resubscription, not deleted.

Legal & Ethical Use

ZeroPanic is a legitimate security tool designed for authorised use only. The following are strictly prohibited and may result in immediate account termination and referral to law enforcement:

• Scanning or testing systems you do not own or have not been authorised to test
• Using ZeroPanic to facilitate any activity illegal in your jurisdiction
• Using the Recon Agent to investigate systems you do not own or have not been authorised to investigate

Security & Privacy

• Passwords: hashed with Argon2 (memory-hard, brute-force resistant)
• Vault data: AES-256 encrypted at rest — we cannot read your contents
• 2FA: TOTP-based, available to all users
• Sessions: HttpOnly, SameSite=Lax cookies; rotated on login to prevent fixation
• Recon sessions: ephemeral — all tool outputs and results are never persisted beyond your active session
• Tool isolation: all scanning tools run in a secure, isolated environment with no access to application data or databases
• No advertising: we do not serve ads, no advertiser has any access to your data
• No training data: we do not permit AI providers to use your conversations for model training

For the full picture, read our Privacy Policy.

Frequently Asked Questions

Can I use the Recon Agent on any domain or website?

Only on systems you own or have been authorised to test. The legal confirmation step is mandatory — you are solely responsible for compliance.

Why does the agent only scan top 1,000 ports by default?

Scanning all 65,535 ports on a live internet target takes 30–60+ minutes and will consistently time out. Top 1,000 covers 99% of real-world services. For deeper coverage, use Interrupt & Instruct to specify a range like -p 1-10000.

My report shows an error step but still says "Complete." Is that normal?

Yes. Individual step errors are non-fatal. If gobuster encounters a catch-all redirect or a tool finds nothing, the agent recovers and continues. The report reflects what was actually discovered from all steps that succeeded.

Why does subdomain enumeration sometimes fail?

Subdomain enumeration queries publicly available certificate transparency logs. If the service is temporarily slow or unavailable, the step may fail. This is non-fatal — the agent scans the root domain directly. Try again in a few minutes if it happens consistently.

Can I use Reasoning Mode and Web Search at the same time?

Yes. Enable both pills simultaneously. Web Search retrieves current information; Reasoning Mode ensures it is analysed carefully. This combination gives the most thorough, up-to-date responses.

Where is my vault data stored?

Vault data is stored AES-256 encrypted on our servers. We cannot read your vault contents. The encryption key is derived from your passphrase, which we never store or transmit.

What happens to my data if I cancel Pro?

Your data is preserved. Vault entries, saved chats, and breach history remain on our servers — inaccessible until resubscription, not deleted. Full access restores immediately upon reactivating Pro.

I'm not a security expert. Is ZeroPanic still useful for me?

Absolutely — that's exactly who ZeroPanic is built for. You can ask the AI assistant questions in plain English, check whether your passwords have been leaked, store your credentials securely, and encrypt files without needing any technical knowledge. The Recon Agent requires you to own or have permission to investigate the target — but it is designed to be readable by anyone, not just professionals. The report it produces uses plain English throughout.

Why use ZeroPanic's vault instead of my phone's built-in password manager?

Built-in managers like Apple Keychain or Samsung Pass are tied to your device and ecosystem. Switch phones, get locked out, or need a password on a different device and you're often stuck. ZeroPanic's vault is web-based — it works from any browser, on any device, on any platform. Your credentials aren't trapped on one phone or one operating system. Log in from your laptop, a work computer, or any browser and everything is right there.

I found a security vulnerability in ZeroPanic. What should I do?

Please report it responsibly to info@cybersuite.com. We take all reports seriously, respond promptly, and appreciate responsible disclosure.