The toolkit

Four security tools, one toolkit.

Each tool covers a different layer: external surface, source code, network, and compliance. All are open source, MIT licensed, and built around conservative, authorized-use-only scanning.

SurfaceScan

active

Web attack-surface mapper. Subdomain discovery, tech fingerprinting, endpoint discovery.

  • Passive-first discovery via crt.sh and SecurityTrails before any active probing
  • SSRF guard rejects private, loopback and cloud-metadata addresses before requests go out
  • Headless browser via Playwright for JavaScript-rendered surfaces, depth- and page-capped

TypeScript · Node.js 18+ · Python · Docker · PostgreSQL · Redis

NeuralScan

beta

Local desktop source-code scanner. 50+ heuristic rules with optional local AI.

  • 50+ regex and AST patterns: SQLi, command injection, eval/exec, unsafe deserialization (pickle, yaml.unsafe_load), weak crypto (MD5, SHA1, DES, ECB), hardcoded secrets, path traversal
  • Local AI explanations via StarCoder2-3B/7B or Mixtral-8x7B with 8-bit quantization. Heuristic fallback when AI is unavailable
  • Findings mapped to CWE, OWASP Top 10, SANS Top 25, with PCI-DSS, NIST, GDPR and HIPAA tags where rules apply

Python 3.10+ · GTK4 · HF Transformers · Docker · PyTorch · Trivy

Core

active

Native network scanner. Nmap port scanning, CMS CVE lookup, header grading.

  • Nmap-driven host, port, service and OS discovery with CIDR notation support
  • CMS fingerprinting (WordPress, Joomla, Drupal) cross-referenced against the CIRCL CVE database
  • HTTP security-header grading weighted 0-100 (CSP, HSTS, X-Frame-Options, CORS, cookie flags)

Python 3.10+ · Nmap · GTK4 · PyGObject · CIRCL CVE API

Web compliance and vulnerability scanner mapped to GDPR, PCI-DSS, ISO 27001 and HIPAA.

  • Inspects TLS configuration, security headers and cookie flags (Secure, HttpOnly, SameSite)
  • Maps findings to GDPR, PCI-DSS, ISO 27001 and HIPAA with multi-standard simultaneous validation
  • CVSS v3.1 scored findings, exportable as JSON, CSV, XML, SARIF, Markdown and branded PDF reports

Python 3.10-3.13 · GTK4 · FastAPI · SQLite · wkhtmltopdf