33 Repos
Mapping and minimizing exposed interfaces to reduce exploitation risk.
Distinguishing note: Focuses on surface area reduction, distinct from vulnerability scanning.
Explore 33 awesome GitHub repositories matching security & cryptography · Attack Surface Analysis. Refine with filters or upvote what's useful.
The OWASP Cheat Sheet Series is a comprehensive, community-driven repository of concise security best practices and defensive coding patterns. It serves as a centralized knowledge base for developers and security professionals, providing actionable guidance to secure applications across the entire software development lifecycle. The project covers a vast array of security domains, ranging from fundamental web application hardening and authentication protocols to specialized controls for modern infrastructure and artificial intelligence systems. What distinguishes this project is its decentral
Maps entry points and exposed interfaces to identify potential vulnerabilities.
This project is a Linux server security guide and system administration manual designed to harden the operating system and kernel. It functions as an OS hardening checklist and a collection of instructions for reducing the server attack surface to protect against intruders. The guide covers the establishment of a server security baseline and the reduction of the network attack surface. It provides practical guidance for managing system permissions and network configurations to maintain a secure environment. The content is organized as a series of step-by-step procedural layouts and topic-cat
Guides the reduction of the network attack surface via firewall settings and server parameter configuration.
Deepagents is an LLM agent orchestration platform and stateful application server designed for deploying and managing AI agents built with computational graphs. It provides a containerized runtime environment that handles agent execution, state persistence, and the versioning of AI assistants. The platform distinguishes itself through deep integration with the Model Context Protocol, allowing agents to function as servers that expose tools and capabilities to external clients. It features a sophisticated observability suite for capturing execution traces, performing LLM-based evaluations agai
Reduces the system attack surface by disabling specific groups of built-in HTTP routes.
Distroless provides a set of OCI-compliant minimal base images and hardening tools designed to create secure, language-specific execution environments. These images are stripped of non-essential system binaries, shells, and package managers to reduce the container attack surface. The project utilizes upstream-tracked automated patching to monitor operating system releases and generate updated images when security vulnerabilities are addressed. It ensures supply chain integrity through image provenance verification using ephemeral-key digital signatures. The system supports the generation of
Limits security exploit vectors by removing shells, package managers, and unnecessary binaries from images.
This project is a security hardening guide and privacy configuration manual for macOS. It provides a comprehensive set of instructions for configuring system settings to improve privacy, reduce the attack surface, and implement a malware defense framework. The guide covers technical methods for validating software notarization, verifying application sandboxing, and auditing system activity. It distinguishes itself by providing detailed workflows for restricting high-risk features and applying advanced security configurations to protect the operating system. The documentation covers several k
Provides methods to disable specific operating system features to minimize the available attack surface.
This project is a comprehensive security hardening and privacy management guide for macOS. It provides a set of instructions and checklists for reducing the system attack surface through manual configuration, policy enforcement, and a layered defense strategy. The guide emphasizes a system auditing framework, using binary analysis, system logs, and packet inspection to verify that security controls and application sandboxing are functioning as intended. It offers tool-agnostic recommendations, defining security goals while allowing users to select their own third-party software for implementa
Focuses on minimizing exposed interfaces and disabling risky features to reduce the attack surface.
This project provides a framework for managing multi-agent systems, designed to automate complex software development, infrastructure, and business workflows. It functions as a multi-agent workflow orchestrator that routes tasks to domain-specific workers while maintaining state persistence and infrastructure automation. By leveraging large language models, the system decomposes high-level objectives into actionable plans, ensuring that complex operations are executed with consistency and reliability. The framework distinguishes itself through its hierarchical agent registry and policy-driven
Detects credential theft vectors and service vulnerabilities to provide prioritized remediation paths.
Strix is an automated security research and vulnerability scanning platform that leverages language models to orchestrate complex security analysis tasks. It functions as a comprehensive framework for penetration testing and continuous security integration, allowing users to embed automated vulnerability research directly into development pipelines or execute it within isolated, containerized environments. The platform distinguishes itself through a multi-agent orchestration engine that coordinates specialized autonomous agents to perform parallel security assessments. By integrating LLM-agno
Maps application structures and identifies potential entry points to assess the infrastructure attack surface.
This project is a secure container runtime that provides strong isolation for application workloads by implementing a userspace kernel. By intercepting system calls and executing them within a memory-safe, restricted environment, it minimizes the attack surface exposed to the host kernel. It functions as a drop-in engine for standard container orchestration platforms, ensuring compatibility with industry-standard runtime specifications while maintaining a hardened execution boundary. The runtime distinguishes itself through its ability to virtualize core system resources, including an indepen
Minimizes the host kernel attack surface by restricting the available system call interface to a strictly controlled and enumerated set.
Prowler is a multi-cloud security scanner and security posture management tool. It automates security and compliance assessments across multiple cloud environments to identify misconfigurations and vulnerabilities. The project provides a multi-cloud security analysis engine that operates as an automated auditor, evaluating infrastructure against industry-standard regulatory frameworks and security benchmarks. It features a cloud security visualization dashboard that uses a graph database to map cloud inventory and visualize potential attack paths. Capabilities include automated cloud infrast
Maps cloud inventory into a graph database to visualize potential movement paths for attackers.
Prowler is an automated cloud infrastructure security scanner and posture management tool. It evaluates cloud environments and infrastructure-as-code templates against security benchmarks to identify misconfigurations, vulnerabilities, and compliance gaps that could compromise system integrity. The platform distinguishes itself through graph-based attack path analysis, which identifies chains of misconfigurations that create exploitable routes for unauthorized access. It utilizes a plugin-based execution model to perform state-based assessments of live environments and static analysis of conf
Uses graph analysis to identify chains of misconfigurations that create exploitable routes for unauthorized access.
This project provides a comprehensive configuration template designed to harden the Firefox browser. By modifying internal preference settings, it enforces a standardized security posture that minimizes telemetry, reduces digital fingerprinting, and limits the exposure of unique data to external web services. The configuration operates through local preference injection, where users manually integrate a static text file into their browser profile directory. This approach maintains a decoupled security policy that functions entirely offline, ensuring that privacy protections remain under local
Reduces the browser's attack surface by restricting functionality and telemetry reporting.
Talos is a minimal, immutable Linux distribution designed specifically for deploying and managing Kubernetes clusters. It functions as an API-driven infrastructure manager that replaces traditional shell access with a declarative gRPC interface to control operating system state and configuration. The system is distinguished by its use of a read-only root filesystem and a security-hardened kernel, which removes standard GNU utilities to reduce the attack surface. It ensures environment consistency by distributing the operating system as versioned, signed images and utilizes TPM-backed verified
Reduces the system attack surface by removing shells and GNU utilities from the OS image.
Bloodhound is an Active Directory attack path mapper and security auditor designed to visualize trust relationships and permission chains. It serves as an attack surface management tool that identifies paths to domain administrator and other high-privileged accounts. The project uses a graph database analyzer to map complex identity and access relationships. It quantifies the risk of privilege escalation by identifying misconfigured permissions and trust links within Windows domains. The system provides capabilities for Active Directory security analysis, identity and access auditing, and ne
Visualizes the sequence of steps an attacker could take to escalate privileges and compromise a target system.
This project is a comprehensive security suite and knowledge base focused on the engineering and construction of trustworthy digital and physical systems. It provides a systematic framework for security engineering design, covering the establishment of high-assurance architectures and the implementation of security models that govern how a system achieves its safety goals. The project is distinguished by its focus on formal assurance and adversarial deterrence. It includes methodologies for creating security assurance cases and proofs to verify system trustworthiness, alongside economic and t
Provides a structured approach to mapping and minimizing exposed interfaces to reduce exploitation risk.
WPScan is a security analysis utility and vulnerability scanner designed specifically for auditing WordPress installations and other content management systems. It functions as a web application security tool that identifies misconfigurations, outdated software, and security holes in core installations, plugins, and themes. The tool employs black-box scanning techniques to perform site component enumeration, identifying users, themes, and plugins by matching known file paths and response signatures. It matches these detected components against a database of known security flaws to analyze the
Maps the total attack surface by discovering installed plugins, themes, and user accounts.
Kata Containers is an OCI container runtime that launches containers inside lightweight virtual machines to combine hardware-level isolation with container operational speed. It functions as a hardware-isolated container engine and lightweight VM hypervisor, providing a virtual machine monitor interface that abstracts multiple hypervisors to optimize for performance or specific hardware emulation. The project distinguishes itself through a confidential computing runtime that leverages hardware-backed trusted execution environments, such as Intel TDX and AMD SEV-SNP, to protect data in use. It
Restricts the available system call interface within the guest environment to reduce the attack surface.
Bubblewrap ist ein unprivilegiertes Sandbox-Ausführungsdienstprogramm für Linux, das Prozesse vom Host-System isoliert. Es schafft sichere Umgebungen durch die Nutzung von Linux-Namespaces zur Trennung von Systemressourcen, einschließlich Netzwerk-, PID- und IPC-Stacks. Das Projekt zeichnet sich dadurch aus, dass es die Ausführung nicht vertrauenswürdiger Software ermöglicht, ohne Root-Rechte auf der Host-Maschine zu erfordern. Es verhindert Privilegienerweiterungen durch Deaktivierung der Ausführung von setuid-Binärdateien und verwendet Benutzeridentitäts-Mapping, um Prozessberechtigungen vom Host-Betriebssystem zu isolieren. Das Tool verwaltet eine umfassende Sicherheitsoberfläche, die Dateisystem-Zugriffskontrolle zur Einschränkung der Verzeichnissichtbarkeit und schreibgeschützte Berechtigungen umfasst. Es reduziert zudem die Angriffsfläche des Kernels durch seccomp-Systemaufruf-Filterung.
Reduces the kernel attack surface by restricting the available host system call interface using seccomp.
Monkey is an adversary emulation platform and breach and attack simulation tool designed to test network defenses through automated lateral movement and exploit delivery. It functions as a network security testing system that evaluates security posture by attempting to propagate through vulnerabilities and extract sensitive system credentials. The platform distinguishes itself by simulating specific real-world attacker behaviors, such as ransomware encryption, cryptojacking, and the theft of browser-stored credentials and secure shell keys. It utilizes binary hash randomization to evade antiv
Tracks simulation progress and reports agent activities through a command server to provide empirical security data.
Firejail is a Linux application sandbox and kernel security wrapper that isolates untrusted applications from the host system. It uses kernel namespaces and seccomp filters to restrict filesystem access, drop kernel capabilities, and limit the system attack surface. The project is distinguished by its use of predefined security profiles to automatically apply filesystem restrictions and syscall limits based on the executable being launched. It provides specialized isolation for portable packages such as AppImages and implements X11 display isolation via proxy servers to prevent keyboard loggi
Reduces the kernel attack surface by restricting the available system call interface to a controlled set.