
Horizon3.ai NodeZero
Application Security- Overview
- Setup
- Data & mappings
- Operations & API
- Changelog
The Horizon3.ai Connector integrates with the NodeZero autonomous penetration testing platform to synchronize pentest operation data, security weaknesses, weakness definitions, and host information into Brinqa. It connects to the Horizon3.ai GraphQL API to fetch data across all completed and in-progress pentest operations.
Data retrieved from Horizon3.ai
| Connector Object | Required | Maps to Data Model |
|---|---|---|
| Op | Yes | Assessment |
| Weakness | Yes | Pentest Finding |
| Weakness Definition | Yes | Pentest Finding Definition |
| Host | Yes | Host |
Model relationships
For detailed steps on how to view the data retrieved from Horizon3.ai in the Brinqa Platform, see How to view your data.
Connection settings
When setting up a data integration, select Horizon3.ai from the Connector dropdown and provide the following:
| Setting | Required | Default | Description |
|---|---|---|---|
| API URL | No | https://api.horizon3ai.com | Horizon3.ai API URL (default: https://api.horizon3ai.com) |
| API key | Yes | — | Horizon3.ai API key used to authenticate requests |
| Max retries | No | 5 | Maximum number of retries permitted during a request. Default is 5. |
| Parallel requests | No | CPUs (max 4) | Maximum number of parallel API requests. Default is the number of available CPU cores (capped at 4). |
| Page size | No | 100 | Number of records to request per page. Default is 100. |
Authentication
The connector uses an API key exchanged for a short-lived bearer token. The token is cached in memory and automatically refreshed before expiry.
Endpoint
| Method | URL |
|---|---|
POST | {url}/v1/auth |
Request Headers
| Header | Value |
|---|---|
Content-Type | application/json |
Request Body
{
"key": "your-api-key"
}
Sample Response
{
"token": "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9..."
}
Response Fields
| Field | Type | Description |
|---|---|---|
token | String | Bearer token for subsequent GraphQL requests |
Usage
All GraphQL requests are sent to {url}/v1/graphql with the bearer token:
Authorization: Bearer <token>
The token factory automatically invalidates and re-fetches the token on a 401 Unauthorized response.
How to obtain Horizon3.ai credentials
Generate a Horizon3.ai API key
You can generate an API key from the Horizon3.ai Portal. For additional information, see Horizon3.ai API documentation.
Attribute mappings
Expand the sections below to view the mappings between the source and the Brinqa data model attributes:
Op
| Source Field Name | SDM Attribute |
|---|---|
Op.asset_group_uuid | ASSET_GROUP_UUID |
Op.attack_paths_count | ATTACK_PATHS_COUNT |
Op.canceled_at | CANCELED_AT |
Op.completed_at | LAST_STOPPED |
Op.confirmed_credentials_count | CONFIRMED_CREDENTIALS_COUNT |
Op.created_at | SOURCE_CREATED_DATE |
Op.credentials_count | CREDENTIALS_COUNT |
Op.data_resources_count | DATA_RESOURCES_COUNT |
Op.data_stores_count | DATA_STORES_COUNT |
Op.duration_hms | DURATION_HMS |
Op.duration_humanize | DURATION_HUMANIZE |
Op.duration_s | DURATION_S |
Op.etl_completed_at | ETL_COMPLETED_AT |
Op.external_domains_count | EXTERNAL_DOMAINS_COUNT |
Op.hosts_count | HOSTS_COUNT |
Op.impact_paths_count | IMPACT_PATHS_COUNT |
Op.in_scope_hosts_count | IN_SCOPE_HOSTS_COUNT |
Op.launched_at | LAST_STARTED |
Op.nodezero_ip | NODEZERO_IP |
Op.nodezero_script_url | NODEZERO_SCRIPT_URL |
Op.op_id | UID |
Op.op_name (fallback: op_id) | NAME |
Op.op_param_blacklist | OP_PARAM_BLACKLIST |
Op.op_param_max_scope | OP_PARAM_MAX_SCOPE |
Op.op_param_min_scope | OP_PARAM_MIN_SCOPE |
Op.op_state | PROVIDER_STATUS |
Op.op_state | SOURCE_STATUS |
Op.op_template_name | OP_TEMPLATE_NAME |
Op.op_template_uuid | OP_TEMPLATE_UUID |
Op.op_type | TYPE |
Op.out_of_scope_hosts_count | OUT_OF_SCOPE_HOSTS_COUNT |
Op.phished_attack_paths_count | PHISHED_ATTACK_PATHS_COUNT |
Op.phished_impact_paths_count | PHISHED_IMPACT_PATHS_COUNT |
Op.portal_op_state | PORTAL_OP_STATE |
Op.portal_url | URL |
Op.proven_weaknesses_count | PROVEN_WEAKNESSES_COUNT |
Op.runner_name | RUNNER_NAME |
Op.runner_uuid | RUNNER_UUID |
Op.schedule_name | SCHEDULE_NAME |
Op.schedule_uuid | SCHEDULE_UUID |
Op.scheduled_at | SCHEDULED_AT |
Op.services_count | SERVICES_COUNT |
Op.users_count | USERS_COUNT |
Op.weaknesses_count | WEAKNESSES_COUNT |
Op.websites_count | WEBSITES_COUNT |
| — | CATEGORIES |
| — | LAST_CAPTURED |
Weakness
| Source Field Name | SDM Attribute |
|---|---|
WeaknessSeries.annotation_status | ANNOTATION_STATUS |
WeaknessSeries.attack_paths_count | ATTACK_PATHS_COUNT |
WeaknessSeries.credentials_count | CREDENTIALS_COUNT |
WeaknessSeries.critical_impacts_count | CRITICAL_IMPACTS_COUNT |
WeaknessSeries.critical_impacts_percentage | CRITICAL_IMPACTS_PERCENTAGE |
WeaknessSeries.first_found_op_id | FIRST_FOUND_OP_ID |
WeaknessSeries.first_found_op_type | FIRST_FOUND_OP_TYPE |
WeaknessSeries.first_seen_at | FIRST_FOUND |
WeaknessSeries.ip | TARGETS |
WeaknessSeries.ip | IP |
WeaknessSeries.last_found_op_id | ASSESSMENT |
WeaknessSeries.last_found_op_types | LAST_FOUND_OP_TYPES |
WeaknessSeries.last_mitigated_at | LAST_FIXED |
WeaknessSeries.last_mitigated_op_id | LAST_MITIGATED_OP_ID |
WeaknessSeries.last_pentested_op_id | LAST_PENTESTED_OP_ID |
WeaknessSeries.last_seen_at | LAST_FOUND |
WeaknessSeries.last_weakness_uuid | LAST_WEAKNESS_UUID |
WeaknessSeries.min_time_to_finding_hms | MIN_TIME_TO_FINDING_HMS |
WeaknessSeries.port | PORT |
WeaknessSeries.protocol | PROTOCOL |
WeaknessSeries.score | SEVERITY_SCORE |
WeaknessSeries.score | SOURCE_SEVERITY_SCORE |
WeaknessSeries.severity | SEVERITY |
WeaknessSeries.severity | SOURCE_SEVERITY |
WeaknessSeries.status | PROVIDER_STATUS |
WeaknessSeries.total_impacts_count | TOTAL_IMPACTS_COUNT |
WeaknessSeries.vuln_category | CATEGORIES |
WeaknessSeries.vuln_category + WeaknessSeries.business_risks | TAGS |
WeaknessSeries.vuln_id | TYPE |
WeaknessSeries.vuln_id | VULN_ID |
WeaknessSeries.vuln_id + WeaknessSeries.ip | UID |
WeaknessSeries.vuln_name | NAME |
WeaknessSeries.weakness_series_found_count | TIMES_FOUND |
| — | SOURCE_STATUS |
| — | LAST_CAPTURED |
| — | AFFECTED_ASSET_DISPLAY_NAME |
Weakness Definition
| Source Field Name | SDM Attribute |
|---|---|
Vuln.base_score | SOURCE_SEVERITY_SCORE |
Vuln.base_severity | SEVERITY |
Vuln.base_severity | SOURCE_SEVERITY |
Vuln.base_severity | SEVERITY_SCORE |
Vuln.category / Vuln.impact_categories | CATEGORIES |
Vuln.cisa_kev | CISA_EXPLOITED |
Vuln.description | DESCRIPTION |
Vuln.id | UID |
Vuln.id + Vuln.aliases | CVE_IDS |
Vuln.id + Vuln.aliases | CVE_RECORDS |
Vuln.id + Vuln.aliases / Vuln.category | TAGS |
Vuln.impact | IMPACT |
Vuln.known_ransomware_campaign_use | OBSERVED_IN_THE_WILD |
Vuln.mitigations[].description | RECOMMENDATION |
Vuln.name | NAME |
Vuln.one_click_verify | ONE_CLICK_VERIFY |
Vuln.references[].url | REFERENCES |
Vuln.short_name | SHORT_NAME |
Vuln.threat_actors[].name | THREAT_ACTORS |
| — | LAST_CAPTURED |
Host
| Source Field Name | SDM Attribute |
|---|---|
Host.attack_paths_count | ATTACK_PATHS_COUNT |
Host.cloud_arns | CLOUD_ARNS |
Host.cloud_provider | CLOUD_PROVIDER |
Host.cloud_region | REGION |
Host.cname_chains | DNS_NAMES |
Host.context_score_description | CONTEXT_SCORE_DESCRIPTION |
Host.created_at | SOURCE_CREATED_DATE |
Host.credentials_count | CREDENTIALS_COUNT |
Host.data_resources_count | DATA_RESOURCES_COUNT |
Host.data_stores_count | DATA_STORES_COUNT |
Host.device_fingerprints | DEVICE_FINGERPRINTS |
Host.display_name / Host.host_name / Host.ip / Host.uuid | NAME |
Host.downstream_impact_types | DOWNSTREAM_IMPACT_TYPES |
Host.hardware_fingerprints | HARDWARE_FINGERPRINTS |
Host.host_name + Host.host_names | HOSTNAMES |
Host.ip | IP_ADDRESSES |
Host.ip (fallback: Host.uuid) | UID |
Host.is_database_server | IS_DATABASE_SERVER |
Host.is_domain_controller | IS_DOMAIN_CONTROLLER |
Host.is_in_scope | IS_IN_SCOPE |
Host.is_load_balancer | IS_LOAD_BALANCER |
Host.is_mail_server | IS_MAIL_SERVER |
Host.is_public | IS_PUBLIC |
Host.is_vpn | IS_VPN |
Host.is_waf | IS_WAF |
Host.mac | MAC_ADDRESSES |
Host.op_id | LAST_OP |
Host.os_fingerprints | OS_FINGERPRINTS |
Host.os_names | OS_NAMES |
Host.portal_url | URL |
Host.portal_url | PORTAL_URL |
Host.score | SOURCE_SEVERITY_SCORE |
Host.services_count | SERVICES_COUNT |
Host.severity | SEVERITY |
Host.severity | SOURCE_SEVERITY |
Host.severity | SEVERITY_SCORE |
Host.subnet | IPV4_RANGES |
Host.weaknesses_count | WEAKNESSES_COUNT |
Host.web_resources_count | WEB_RESOURCES_COUNT |
| — | CATEGORIES |
| — | STATUS |
| — | LAST_CAPTURED |
Operations & API
Expand each connector object to see its operation options, delta-sync behavior, and the API it uses. See connector operation options for how to apply operation options (keys and values are case-sensitive).
Op
Operation options
This object does not support any operation options.
Delta sync
The connector README does not document sync behavior for this object.
API
- Type: GraphQL query · Endpoint:
POST /v1/graphql
query OpsPage($page_input: PageInput) {
ops_page(page_input: $page_input) {
page_info {
page_num
page_size
}
ops {
op_id
op_type
op_state
portal_op_state
op_name
op_param_min_scope
op_param_max_scope
op_param_blacklist
scheduled_at
created_at
completed_at
canceled_at
launched_at
etl_completed_at
duration_s
services_count
credentials_count
confirmed_credentials_count
hosts_count
out_of_scope_hosts_count
external_domains_count
users_count
websites_count
data_stores_count
data_resources_count
weaknesses_count
proven_weaknesses_count
in_scope_hosts_count
nodezero_script_url
nodezero_ip
duration_hms
duration_humanize
op_template_uuid
op_template_name
impact_paths_count
attack_paths_count
phished_impact_paths_count
phished_attack_paths_count
runner_uuid
runner_name
schedule_uuid
schedule_name
asset_group_uuid
portal_url
}
}
}
Weakness
Operation options
This object does not support any operation options.
Delta sync
The connector README does not document sync behavior for this object.
API
- Type: GraphQL query · Endpoint:
POST /v1/graphql
query WeaknessSeriesPage($page_input: PageInput!) {
weakness_series_page(page_input: $page_input) {
page_info { page_num page_size }
weakness_series {
name last_weakness_uuid
first_seen_at last_seen_at
first_found_op_id first_found_op_type
last_found_op_id last_found_op_types
last_pentested_op_id
last_mitigated_at last_mitigated_op_id
vuln_id vuln_name vuln_category
status severity score
ip port protocol
annotation_status
attack_paths_count weakness_series_found_count
credentials_count
total_impacts_count critical_impacts_count critical_impacts_percentage
min_time_to_finding_hms
business_risks
}
}
}
Weakness Definition
Operation options
This object does not support any operation options.
Delta sync
The connector README does not document sync behavior for this object.
API
- Type: GraphQL query · Endpoint:
POST /v1/graphql
query WeaknessesPage($input: OpInput, $page_input: PageInput) {
weaknesses_page(input: $input, page_input: $page_input) {
page_info {
page_num
page_size
}
weaknesses {
uuid
vuln_id
vuln {
id
name
short_name
description
base_score
base_severity
category
impact
aliases
mitigations {
description
}
references {
name
url
}
impact_categories
one_click_verify
cisa_kev
known_ransomware_campaign_use
threat_actors {
name
short_description
}
}
}
}
}
Host
Operation options
This object does not support any operation options.
Delta sync
The connector README does not document sync behavior for this object.
API
- Type: GraphQL query · Endpoint:
POST /v1/graphql
query HostsPage($input: OpInput!, $page_input: PageInput) {
hosts_page(input: $input, page_input: $page_input) {
page_info {
page_num
page_size
}
hosts {
uuid
created_at
ip
mac
cname_chains
host_name
host_names
is_in_scope
is_domain_controller
is_database_server
is_load_balancer
is_mail_server
is_vpn
is_waf
os_fingerprints
os_names
hardware_fingerprints
device_fingerprints
op_id
score
severity
context_score_description
subnet
cloud_provider
cloud_region
cloud_arns
is_public
downstream_impact_types
display_name
weaknesses_count
credentials_count
services_count
data_stores_count
attack_paths_count
data_resources_count
web_resources_count
portal_url
}
}
}
Changelog
The Horizon3.ai connector has undergone the following changes:
| Version | Description | Migration Steps |
|---|---|---|
| 3.0.4 | Improvements - Updated the connector category from Application Security to Penetration Testing to accurately reflect the nature of Horizon3.ai NodeZero operations. - All custom attributes now correctly participate in platform consolidation and priority resolution. Previously, custom attribute definitions were built with the raw AttributeInfoBuilder, which omitted the required ORDER_CRITERIA mapping and caused silent merge behavior issues. | N/A |
| 3.0.3 | Improvements Dependency Upgrades Upgraded internal framework and model libraries to the latest stable versions for improved reliability, security patches, and alignment with the rest of the connector platform. | N/A |
| 3.0.2 | Improvements - Renamed the connector's internal artifact and local cache directory for consistency with platform naming conventions. This is a transparent change with no impact on synchronized data. | N/A |
| 3.0.1 | New Features - The API URL is now an editable connection setting, allowing you to point the connector at a non-default Horizon3.ai API endpoint. Improvements - API requests now apply configurable retry behavior with exponential backoff, improving resilience to transient network and service errors during synchronization. - The Max Retries setting now ignores invalid (non-positive) values, preventing misconfiguration from disabling retries. | N/A |
| 3.0.0 | Overview The Horizon3.ai connector integrates with the Horizon3.ai NodeZero platform to synchronize autonomous penetration test results, including hosts, confirmed weaknesses, and weakness definitions. Category: Penetration Testing Models | N/A |