## https://sploitus.com/exploit?id=854A9C36-B006-573C-8FEA-A71F469D2BB2
# Exploit-Tool
Single-console pentest platform built on authorization, scope, and audit. Correlates best-of-breed scanners; AI handles triage and reports.
## What It Is
A modular platform that gives pentesters single-console coverage across web, API, network, cloud, code/supply-chain, mobile, binary, and AI/LLM attack surfaces. Built on top of best-of-breed open-source scanners, with correlation, exploitability scoring, AI-assisted triage, and report automation as the differentiating layer.
## What It Is Not
- Not an unauthorized scanning tool. Every scan requires an active engagement with signed Rules of Engagement (RoE) and explicit scope.
- Not a C2 framework, not a malware distribution channel, not an evasion-tooling kit.
- Not continuous monitoring (see `siemless` for SOC tooling).
## Status
**Phase 2 โ in flight.** Phase 0 scaffolding complete; Phase 1 MVP (engagement, scope-gated scanning, web/API/SAST/SCA/secrets, baseline reporting) merged. Phase 2 work in progress: false-positive learning, SAST reachability scoring, DOCX evidence appendix, network/TLS recon (`dnsrecon`, `sslyze`).
- Architecture: [`docs/architecture.md`](docs/architecture.md)
- Surface coverage roadmap: [`docs/roadmap.md`](docs/roadmap.md)
- Project rules and tech stack: [`CLAUDE.md`](CLAUDE.md)
## Hard Rules
1. No scan runs without an Engagement + signed RoE.
2. Scope enforcement is a hard gate, not a warning.
3. All scanner invocations are audit-logged (legal cover).
4. Exploit code runs only in sandboxed workers.
5. Default to safe/dry-run; destructive checks require explicit per-engagement opt-in.
See [`CLAUDE.md`](CLAUDE.md) ยง2 for full safety rules.
## Repo Layout
```
src/
โโโ core/ engagement, scope, audit (cross-cutting)
โโโ recon/ asset discovery, fingerprinting
โโโ scanners/ wrappers around Nuclei, Semgrep, ZAP, Trivy, ...
โโโ correlation/ dedup, scoring, exploitability
โโโ exploit/ PoC engine, sandboxed executor
โโโ evidence/ artifact storage, chain of custody
โโโ reporting/ PDF/DOCX generation
โโโ api/ FastAPI routers
โโโ shared/ DB, queue, logging, config
```
## Tech Stack
Python 3.12 / FastAPI / PostgreSQL 16 / Redis + Arq / MinIO / React+TS+Zod / Keycloak / Docker (dev) + Helm (prod on-prem).
## License
MIT โ see [`LICENSE`](LICENSE).
Use only on systems you are explicitly authorized to test. The hard rules above are not optional.