Horizon3.ai NodeZero
Horizon3.ai NodeZero is an autonomous penetration testing platform that continuously assesses your attack surface for exploitable weaknesses. You can bring assessment, pentest finding, and host data from Horizon3.ai into Brinqa to gain a unified view of your attack surface, thus strengthening your cybersecurity posture.
This document details the information you must provide for the connector to authenticate with Horizon3.ai NodeZero and how to obtain that information from Horizon3.ai. See create a data integration for step-by-step instructions on setting up the integration.
Required connection settings
When setting up a data integration, select Horizon3.ai NodeZero from the Connector dropdown. If you cannot find the connector in the dropdown, make sure that you have installed it first. You must provide the following information to authenticate Horizon3.ai with Brinqa:
-
API URL: The Horizon3.ai API base URL. The default URL is
https://api.horizon3ai.com. -
API Key: The API key used to authenticate with the Horizon3.ai API. The connector exchanges this key for a short-lived bearer token that is automatically refreshed before expiry.
Generate a Horizon3.ai API key
You can generate an API key from the Horizon3.ai Portal. For additional information, see Horizon3.ai API documentation.
Additional settings
The Horizon3.ai NodeZero connector contains additional options for specific configuration:
- Page size: The maximum number of records to get per API request. The default setting is 100. It is not recommended to go over 100.
- Parallel requests: The maximum number of parallel API requests. The default setting is 4.
- Maximum retries: The maximum number of times that the integration attempts to connect to the Horizon3.ai API before giving up and reporting a failure. The default setting is 5.
Types of data to retrieve
The Horizon3.ai NodeZero connector can retrieve the following types of data from the Horizon3.ai API:
Table 1: Data retrieved from Horizon3.ai NodeZero
| Connector Object | Required | Maps to Data Model |
|---|---|---|
| Host | Yes | Host |
| Op | Yes | Assessment |
| Weakness | Yes | Pentest Finding |
| Weakness Definition | Yes | Pentest Finding Definition |
The Horizon3.ai NodeZero connector does not currently support operation options for the types of data it retrieves.
For detailed steps on how to view the data retrieved from Horizon3.ai NodeZero in the Brinqa Platform, see How to view your data.
Attribute mappings
Expand the sections below to view the mappings between the source and the Brinqa data model attributes.
Host
Table 2: Host attribute mappings
| Source Field Name | SDM Attribute |
|---|---|
Host.attack_paths_count | ATTACK_PATHS_COUNT |
Host.cloud_arns | CLOUD_ARNS |
Host.cloud_provider | CLOUD_PROVIDER |
Host.cloud_region | REGION |
Host.cname_chains | DNS_NAMES |
Host.context_score_description | CONTEXT_SCORE_DESCRIPTION |
Host.created_at | SOURCE_CREATED_DATE |
Host.credentials_count | CREDENTIALS_COUNT |
Host.data_resources_count | DATA_RESOURCES_COUNT |
Host.data_stores_count | DATA_STORES_COUNT |
Host.device_fingerprints | DEVICE_FINGERPRINTS |
Host.display_name / Host.host_name / Host.ip / Host.uuid | NAME |
Host.downstream_impact_types | DOWNSTREAM_IMPACT_TYPES |
Host.hardware_fingerprints | HARDWARE_FINGERPRINTS |
Host.host_name + Host.host_names | HOSTNAMES |
Host.ip | IP_ADDRESSES |
Host.ip (fallback: Host.uuid) | UID |
Host.is_database_server | IS_DATABASE_SERVER |
Host.is_domain_controller | IS_DOMAIN_CONTROLLER |
Host.is_in_scope | IS_IN_SCOPE |
Host.is_load_balancer | IS_LOAD_BALANCER |
Host.is_mail_server | IS_MAIL_SERVER |
Host.is_public | IS_PUBLIC |
Host.is_vpn | IS_VPN |
Host.is_waf | IS_WAF |
Host.mac | MAC_ADDRESSES |
Host.op_id | LAST_OP |
Host.os_fingerprints | OS_FINGERPRINTS |
Host.os_names | OS_NAMES |
Host.portal_url | PORTAL_URL |
Host.portal_url | URL |
Host.score | SOURCE_SEVERITY_SCORE |
Host.services_count | SERVICES_COUNT |
Host.severity | SEVERITY |
Host.severity | SEVERITY_SCORE |
Host.severity | SOURCE_SEVERITY |
Host.subnet | IPV4_RANGES |
Host.weaknesses_count | WEAKNESSES_COUNT |
Host.web_resources_count | WEB_RESOURCES_COUNT |
| Generated (always "Host") | CATEGORIES |
| Generated (always "active") | STATUS |
| Generated (sync capture timestamp) | LAST_CAPTURED |
Op
Table 3: Op attribute mappings
| Source Field Name | SDM Attribute |
|---|---|
Op.asset_group_uuid | ASSET_GROUP_UUID |
Op.attack_paths_count | ATTACK_PATHS_COUNT |
Op.canceled_at | CANCELED_AT |
Op.completed_at | LAST_STOPPED |
Op.confirmed_credentials_count | CONFIRMED_CREDENTIALS_COUNT |
Op.created_at | SOURCE_CREATED_DATE |
Op.credentials_count | CREDENTIALS_COUNT |
Op.data_resources_count | DATA_RESOURCES_COUNT |
Op.data_stores_count | DATA_STORES_COUNT |
Op.duration_hms | DURATION_HMS |
Op.duration_humanize | DURATION_HUMANIZE |
Op.duration_s | DURATION_S |
Op.etl_completed_at | ETL_COMPLETED_AT |
Op.external_domains_count | EXTERNAL_DOMAINS_COUNT |
Op.hosts_count | HOSTS_COUNT |
Op.impact_paths_count | IMPACT_PATHS_COUNT |
Op.in_scope_hosts_count | IN_SCOPE_HOSTS_COUNT |
Op.launched_at | LAST_STARTED |
Op.nodezero_ip | NODEZERO_IP |
Op.nodezero_script_url | NODEZERO_SCRIPT_URL |
Op.op_id | UID |
Op.op_name (fallback: op_id) | NAME |
Op.op_param_blacklist | OP_PARAM_BLACKLIST |
Op.op_param_max_scope | OP_PARAM_MAX_SCOPE |
Op.op_param_min_scope | OP_PARAM_MIN_SCOPE |
Op.op_state | PROVIDER_STATUS |
Op.op_state | SOURCE_STATUS |
Op.op_template_name | OP_TEMPLATE_NAME |
Op.op_template_uuid | OP_TEMPLATE_UUID |
Op.op_type | TYPE |
Op.out_of_scope_hosts_count | OUT_OF_SCOPE_HOSTS_COUNT |
Op.phished_attack_paths_count | PHISHED_ATTACK_PATHS_COUNT |
Op.phished_impact_paths_count | PHISHED_IMPACT_PATHS_COUNT |
Op.portal_op_state | PORTAL_OP_STATE |
Op.portal_url | URL |
Op.proven_weaknesses_count | PROVEN_WEAKNESSES_COUNT |
Op.runner_name | RUNNER_NAME |
Op.runner_uuid | RUNNER_UUID |
Op.schedule_name | SCHEDULE_NAME |
Op.schedule_uuid | SCHEDULE_UUID |
Op.scheduled_at | SCHEDULED_AT |
Op.services_count | SERVICES_COUNT |
Op.users_count | USERS_COUNT |
Op.weaknesses_count | WEAKNESSES_COUNT |
Op.websites_count | WEBSITES_COUNT |
| Generated (always "Penetration Test") | CATEGORIES |
| Generated (sync capture timestamp) | LAST_CAPTURED |
Weakness
Table 4: Weakness attribute mappings
| Source Field Name | SDM Attribute |
|---|---|
WeaknessSeries.affected_asset_name | AFFECTED_ASSET_DISPLAY_NAME |
WeaknessSeries.annotation_status | ANNOTATION_STATUS |
WeaknessSeries.attack_paths_count | ATTACK_PATHS_COUNT |
WeaknessSeries.business_risks | TAGS |
WeaknessSeries.credentials_count | CREDENTIALS_COUNT |
WeaknessSeries.critical_impacts_count | CRITICAL_IMPACTS_COUNT |
WeaknessSeries.critical_impacts_percentage | CRITICAL_IMPACTS_PERCENTAGE |
WeaknessSeries.first_found_op_id | FIRST_FOUND_OP_ID |
WeaknessSeries.first_found_op_type | FIRST_FOUND_OP_TYPE |
WeaknessSeries.first_seen_at | FIRST_FOUND |
WeaknessSeries.ip | IP |
WeaknessSeries.ip / WeaknessSeries.affected_asset_name | TARGETS |
WeaknessSeries.last_found_op_id | ASSESSMENT |
WeaknessSeries.last_found_op_types | LAST_FOUND_OP_TYPES |
WeaknessSeries.last_mitigated_at | LAST_FIXED |
WeaknessSeries.last_mitigated_op_id | LAST_MITIGATED_OP_ID |
WeaknessSeries.last_pentested_op_id | LAST_PENTESTED_OP_ID |
WeaknessSeries.last_seen_at | LAST_FOUND |
WeaknessSeries.last_weakness_uuid | LAST_WEAKNESS_UUID |
WeaknessSeries.min_time_to_finding_hms | MIN_TIME_TO_FINDING_HMS |
WeaknessSeries.port | PORT |
WeaknessSeries.protocol | PROTOCOL |
WeaknessSeries.score | SEVERITY_SCORE |
WeaknessSeries.score | SOURCE_SEVERITY_SCORE |
WeaknessSeries.severity | SEVERITY |
WeaknessSeries.severity | SOURCE_SEVERITY |
WeaknessSeries.status | PROVIDER_STATUS |
WeaknessSeries.total_impacts_count | TOTAL_IMPACTS_COUNT |
WeaknessSeries.vuln_category | CATEGORIES |
WeaknessSeries.vuln_category | TAGS |
WeaknessSeries.vuln_id | TYPE |
WeaknessSeries.vuln_id | VULN_ID |
WeaknessSeries.vuln_id + WeaknessSeries.ip | UID |
WeaknessSeries.vuln_name | NAME |
WeaknessSeries.weakness_series_found_count | TIMES_FOUND |
| Generated (normalized from PROVIDER_STATUS) | SOURCE_STATUS |
| Generated (sync capture timestamp) | LAST_CAPTURED |
Weakness Definition
Table 5: Weakness Definition attribute mappings
| Source Field Name | SDM Attribute |
|---|---|
Vuln.aliases | CVE_IDS |
Vuln.aliases | CVE_RECORDS |
Vuln.aliases | TAGS |
Vuln.base_score | SOURCE_SEVERITY_SCORE |
Vuln.base_severity | SEVERITY |
Vuln.base_severity | SEVERITY_SCORE |
Vuln.base_severity | SOURCE_SEVERITY |
Vuln.category / Vuln.impact_categories | CATEGORIES |
Vuln.cisa_kev | CISA_EXPLOITED |
Vuln.description | DESCRIPTION |
Vuln.id | UID |
Vuln.impact | IMPACT |
Vuln.known_ransomware_campaign_use | OBSERVED_IN_THE_WILD |
Vuln.mitigations[].description | RECOMMENDATION |
Vuln.name | NAME |
Vuln.one_click_verify | ONE_CLICK_VERIFY |
Vuln.references[].url | REFERENCES |
Vuln.short_name | SHORT_NAME |
Vuln.threat_actors[].name | THREAT_ACTORS |
| Generated (sync capture timestamp) | LAST_CAPTURED |
APIs
The Horizon3.ai NodeZero connector uses the Horizon3.ai GraphQL API. Specifically, it uses the following endpoints:
Table 6: Horizon3.ai NodeZero API endpoints
| Connector Object | API Endpoint |
|---|---|
| Host | POST /v1/graphql — hosts_page query |
| Op | POST /v1/graphql — ops_page query |
| Weakness | POST /v1/graphql — weakness_series_page query |
| Weakness Definition | POST /v1/graphql — weaknesses_page query (embedded vuln subobject) |
Changelog
The Horizon3.ai NodeZero connector has undergone the following changes:
This connector is part of a bundled release with other connectors from the same vendor. If a version shows "No change", it means that the connector version was updated for consistency as part of the bundle, but no functional changes were made to this specific connector. You can update to or skip this version without affecting your existing configuration.
Table 7: Horizon3.ai NodeZero changelog
| Version | Description | Date Published |
|---|---|---|
| 3.0.0 | Initial Integration+ release. | April 1st, 2026 |