# Profiles

`secator` profiles are a way to mutualize sets of options to be quickly re-used in tasks, workflows, and scans. Profiles allow you to apply predefined option configurations with a single flag, making it easy to switch between different scanning strategies.

***

## Using profiles

You can use profiles with any task, workflow, or scan by using the `-pf` or `--profiles` flag:

{% tabs %}
{% tab title="Task" %}

```bash
secator x httpx example.com -pf aggressive,full
```

{% endtab %}

{% tab title="Workflow" %}

```bash
secator w host_recon example.com -pf aggressive,full
```

{% endtab %}

{% tab title="Scan" %}

```bash
secator s host example.com -pf aggressive,full
```

{% endtab %}
{% endtabs %}

You can combine multiple profiles by separating them with commas. Options from profiles are merged, with later profiles taking precedence over earlier ones.

***

## Listing available profiles

To see all available profiles and their options:

```bash
secator p list
```

***

## Built-in profiles

`secator` comes with several built-in profiles organized by category:

### Speed profiles

These profiles control the aggressiveness and speed of scans by adjusting rate limits, delays, timeouts, and retries.

#### Aggressive (`aggressive`)

Optimized for internal networks or time-sensitive scans with no rate limiting.

```yaml
rate_limit: 10000
delay: 0
timeout: 1
retries: 1
```

**Use case**: Fast scanning on trusted internal networks where you need results quickly.

#### Insane (`insane`)

Maximum speed for local LAN scanning or stress testing.

```yaml
rate_limit: 100000
delay: 0
timeout: 1
retries: 0
```

**Use case**: Local network scanning or stress testing where network impact is not a concern.

#### Paranoid (`paranoid`)

Maximum stealth with very conservative settings.

```yaml
rate_limit: 5
delay: 5
timeout: 15
retries: 5
```

**Use case**: Scanning sensitive networks where stealth is critical and you can afford to wait.

#### Polite (`polite`)

Balanced settings to avoid overloading the network.

```yaml
rate_limit: 100
delay: 0
timeout: 10
retries: 5
```

**Use case**: General-purpose scanning where you want to be respectful of network resources.

***

### Evasion profiles

These profiles help evade detection systems and maintain anonymity.

#### Sneaky (`sneaky`)

IDS/IPS evasion for sensitive networks using packet fragmentation.

```yaml
fragment: true
nmap_light_fragment: true
```

**Use case**: Scanning networks with active IDS/IPS systems that you want to evade.

#### Stealth (`stealth`)

Stealth scan using TCP SYN scanning.

```yaml
tcp_syn_stealth: true
nmap_light_tcp_syn_stealth: true
scan_type: s
```

**Use case**: Port scanning where you want to minimize detection by using stealth techniques.

#### Tor (`tor`)

Anonymous scanning using the Tor network.

```yaml
proxy: auto
```

**Use case**: Scanning where you need anonymity and want to route traffic through Tor.

{% hint style="info" %}
Make sure you have Tor configured and running, and set up your proxy settings in the config (see [Proxies](/in-depth/concepts/proxies.md)).
{% endhint %}

***

### General profiles

These profiles control the overall scanning approach and feature activation.

#### Active (`active`)

Active scanning only - no passive sources are used. This profile enforces active-only mode.

```yaml
active: true
domain_recon_active: true
subdomain_recon_active: true
host_recon_active: true
url_crawl_active: true
url_vuln_active: true
```

**Use case**: When you want to ensure all scanning is done actively (making requests to targets) and avoid passive data sources.

#### Passive (`passive`)

Passive scanning only - no requests are made to targets. This profile enforces passive-only mode.

```yaml
passive: true
domain_recon_passive: true
subdomain_recon_passive: true
host_recon_passive: true
url_crawl_passive: true
url_vuln_passive: true
```

**Use case**: When you want to gather information without making any requests to the target (e.g., using only OSINT sources).

#### Full (`full`)

Activates all optional features for comprehensive scanning.

```yaml
# Task options
headless: true
system_chrome: true
no_sandbox: true
screenshot: true
juicy_extensions: 3
server_defaults: false

# Workflow options
ports: "-"
nuclei: true
brute_dns: true
brute_http: true
hunt_secrets: true
test_ssl: true

# Scan options
host_recon_nuclei: true
host_recon_nmap_ports: "-"
domain_recon_testssl_server_defaults: null
subdomain_recon_hunt_secrets: true
subdomain_recon_test_ssl: true
subdomain_recon_testssl_server_defaults: null
url_crawl_hunt_secrets: true
url_vuln_nuclei: true
url_crawl_cariddi_juicy_extensions: 3
```

**Use case**: Comprehensive security assessments where you want to enable all available features including headless browsing, screenshots, vulnerability scanning, secret hunting, and SSL testing.

***

### Network profiles

These profiles configure network-specific scanning options.

#### All Ports (`all_ports`)

Scans all ports instead of just common ones.

```yaml
ports: "-"
host_recon_nmap_ports: "-"
```

**Use case**: When you need a complete port scan of all 65535 ports (warning: this can be very slow).

#### HTTP Headless (`http_headless`)

Enables headless browser mode for HTTP tasks.

```yaml
headless: true
system_chrome: true
no_sandbox: true
```

**Use case**: When you need to render JavaScript or interact with modern web applications that require a browser.

#### HTTP Record (`http_record`)

Records HTTP requests/responses and takes screenshots.

```yaml
screenshot: true
store_responses: true
system_chrome: true
no_sandbox: true
```

**Use case**: When you need to capture full HTTP interactions and visual evidence of web pages.

***

## Profile enforcement

Some profiles have the `enforce: true` setting, which means they override any conflicting options you might pass directly. Profiles with enforcement are:

* `active`
* `passive`
* `full`
* `all_ports`

When using enforced profiles, the profile options take precedence over command-line options.

***

## Combining profiles

You can combine multiple profiles to create a custom configuration:

```bash
# Combine speed and evasion profiles
secator w host_recon example.com -pf aggressive,stealth

# Combine feature activation with speed
secator s host example.com -pf full,polite

# Combine network and evasion
secator x naabu example.com -pf all_ports,tor
```

When combining profiles, options are merged with later profiles taking precedence over earlier ones.

***

## Setting default profiles

You can set default profiles in your configuration that will be applied automatically:

```bash
secator config set profiles.defaults aggressive,polite
```

Default profiles are automatically applied to all runs unless you explicitly override them with the `-pf` flag.

***

## Creating custom profiles

To create your own profile, create a YAML file in `~/.secator/templates/profiles/`:

```yaml
type: profile
name: my_custom_profile
category: general
description: "My custom profile description"
opts:
    rate_limit: 500
    delay: 0.5
    timeout: 5
    retries: 3
```

After creating the profile file, it will be automatically available for use with the `-pf` flag.

***


---

# Agent Instructions: Querying This Documentation

If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question.

Perform an HTTP GET request on the current page URL with the `ask` query parameter:

```
GET https://docs.freelabz.com/in-depth/concepts/profiles.md?ask=<question>
```

The question should be specific, self-contained, and written in natural language.
The response will contain a direct answer to the question and relevant excerpts and sources from the documentation.

Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.