The Blue Team Flow

/lagune.detect

Read your code and map what your system does and where the risks are.

/lagune.detect

🔬 Find out what your system really does and where the risks are.

Detect reads the code and records only what it actually finds, with the evidence the later phases need. Its governing instruction is detection, not invention.

Run it

/lagune.detect

What it maps

Lagune reads the code and maps what it finds. Each finding carries what it is, why it matters, and the evidence. For example:

  • File uploads, the system accepts files from users:
    • Why it matters: a file disguised as an image can hide malicious code.
    • Evidence: the POST /upload handler trusts the MIME type the client sends, without checking the file's real type.
  • Login and sessions, users sign in to reach their account:
    • Why it matters: weak session handling lets one account be taken over by another.
    • Evidence: the session issuance logic, where sessions are issued with no expiry set.

From there, you have a clear map of what your system does and where the risks live, ready for the next steps to act on.

tip
  • Running it again updates the map: solved findings drop off, new ones come in.
  • The detect map lives in .lagune/memory/detect.md.

Next

Turn the map into a plan: /lagune.plan.

Copyright © 2026-present Weslley Araújo and contributors. SDH: Lagune is under the MIT License. Please check the Security Policy.

All product names, trademarks, and registered trademarks mentioned are the property of their respective owners and are used for identification purposes only.