Reconnaissance, Attack-surface Visibility & Evidence Navigator
By TRUSTTECH Cybersecurity
Select an existing task to keep working on it, or create a new one. Each task groups its own discovery + deep-analysis runs in its own folder.
Reconnaissance status
Composite score across discovery, deep scan, CVE, OSINT, ZAP DAST and manual findings. Lower scores indicate cleaner posture.
Snapshot
Consolidated technical/executive picture of this task across discovery, deep scan, CVE, OSINT, ZAP DAST and manual findings.
Attack surface map
Five attack vectors normalised to a 0–100 score so the threat shape is comparable across tasks. Hover/inspect each vertex for the raw counter that drove the value.
Attack surface
- Alive hosts: 0
- Services: 0
- Risky ports: 0
- Subnets: 0
Vulnerabilities
- Critical: 0
- High: 0
- Medium: 0
- Low: 0
- Unknown: 0
- Exploitable risks: 0
OSINT footprint
- Takeover candidates: 0
- GitHub leaks: 0
- Dorks critical: 0
- Dorks high: 0
- Typosquats: 0
ZAP DAST
- High: 0
- Medium: 0
- Low: 0
- Vulnerable libs: 0
Manual findings
- Critical: 0
- High: 0
- Medium: 0
- Low: 0
- Total findings: 0
Hardening compliance
- Critical failures: 0
- High failures: 0
- Medium failures: 0
- Partial: 0
- Pass: 0
- N/A: 0
- Total verdicts: 0
Top vulnerable hosts
Top critical CVEs
Top exposed services
Critical/high manual findings
Host risk heatmap
Hosts ranked by critical/high/medium CVEs. Color intensity reflects per-band count; the Total column is the sum across all bands. Type to filter; click a row for host detail.
No CVE data yet. Run a CVE scan to populate the heatmap.
Risk indicators based on unmitigated (persistent) vulnerabilities for the selected client.
By severity
By type
Incidents by status
Incidents by severity
InfoStealer credentials by status
Top incident categories
Top 10 affected users
Top 10 affected URLs
Unmitigated vulnerabilities (days open)
CVEs from Global Status, grouped by asset, service and shared score for the selected client.
Pentesting and hardening findings from Global Status for the selected client.
Compromised credential URLs for the selected client.
Cybersecurity incidents to manage for the selected client.
Identify live hosts and reachable services to seed the rest of the pipeline (deep scan, CVE enumeration, OSINT, ZAP, Metasploit).
Select discovered ports for in-depth service and vulnerability analysis. Results enrich the CVE pipeline and downstream verification.
Generate evidence snapshots
For every tool artifact captured during this deep run (NSE, external tools, Impacket, service probes), render a PNG "terminal capture" of the output. Read-only post-process. The original .txt/.json artifacts are not modified.
Will render: — PNG(s)
Output: <run>/<host>/_evidence_snaps/
Without this option, files that already exist on disk are skipped.
Public-CVE discovery against detected services. Uses nmap vulners + per-service vuln scripts; results feed the CVE dashboard and Metasploit surface scan.
The CVE scan will use nmap -sV --version-intensity 7 -Pn -n --script vulners on the selected ports of each host. The vulners script queries vulners.com for each detected service version and returns matching public CVEs.
Deep mode runs vulners + the entire vuln NSE category (60+ scripts: smb-vuln-ms17-010, ssl-heartbleed, http-vuln-cveYYYY-NNNN, ssl-poodle, etc). It detects CVEs that vulners alone misses because it actively probes for the vulnerability instead of just matching a CPE string. Cost: ~2-3x scan time per host.
Hosts and services discovered in the most recent Enumeration & Discovery run for this task.
Risky services breakdown
Hosts by protocol exposure
Top ports
Top services
Hosts with most open ports
⚠️ Services with anonymous (unauthenticated) access
These services responded to enumeration without credentials. The IT/security team should review each one and either disable the anonymous path or restrict access at the network layer.
Ports by service category
Top 10 ports
Top 10 services / products
Top 10 hosts (most exposed)
Artifacts collected
Detected operating systems
Protocol split (TCP / UDP)
Finding coverage
⚠️ Risky services
Services where deep recon confirmed concrete exposure (anonymous access, weak auth, banner evidence). Click any bar to see the matching tool output.
All hosts (click for detail)
CVEs by severity
Score distribution
Top 10 vulnerable hosts
Most affected services
Top CVEs across infrastructure
Critical CVEs (CVSS ≥ 9.0)
CVEs by publication year
Top vulnerable products
⚠️ Known exploits
CVEs that vulners flagged as having public exploit code (Metasploit, ExploitDB, etc.).
All vulnerable hosts (click for detail)
Pick an existing analysis or create a new one. Each analysis is tied to one type of engagement and tracks its own findings inside the task.
Recorded findings
Recorded verdicts
Spawns OWASP ZAP via its official Quick Start CLI (zap.sh -cmd -quickurl ...) per scan. ZAP must be installed on the host (https://www.zaproxy.org/download/). The 5 aggressivity levels map to actual CLI flags (-zapit, -quickurl with -config overrides). For host inspection without the UI, run python raven.py --zap-diagnostics.
Full URL with scheme. ZAP will spider from this entry point. Stays in scope of the host you provide.
SPA target? If your target is an Angular / React / Vue app (e.g. juice-shop, modern dashboards), use Insane — the classic spider cannot enumerate client-side routes, leaving the active scan with very few URLs to probe. Standard against a SPA typically yields 5-10 findings instead of the real 50+.
Runs raven_codeaudit against a target directory tree. Combines 181 native detectors with up to 14 soft-optional bridges. Read-only — no shell execution, no network calls.
Absolute path to a local source tree. The scan walks the tree once and emits findings per detected language/framework.
Files larger than this are skipped (default 10 MB).
Comma-separated. Matched against directory basenames anywhere in the tree.
Comma-separated fnmatch patterns. Matched against file basenames.
Advanced — Detectors (soft-optional)
Each bridge lazy-imports its library. Missing libraries degrade gracefully. Disable bridges to shorten a scan or limit detector overlap.
Industry-standard vulnerability verification. Runs check on exploit modules — confirms the vulnerable condition WITHOUT delivering payload.
Live verification feed
Aggregated metrics across every manual analysis registered under this task.
Findings by severity
By exercise type
By box type
Top findings (severity / score)
Aggregated verdicts across every hardening / sanity check analysis registered under this task. Excludes controls left in the default Not tested state.
Findings by severity
By verdict
By scope
By category
Top verdicts (severity / score)
Run passive OSINT against domains and/or IPs. Each target is classified automatically — domain targets get the full domain toolkit (DNS records, subdomains via 4 sources, emails, DMARC/SPF, typosquats, GitHub leaks, brand impersonation, takeover detection); IP targets get the IP-only toolkit (ipwhois, Shodan, Censys, GitHub leak search by IP).
Mix domains and IPs freely. Lines starting with `#` are ignored. URLs (https://...) are accepted; only the host portion is used.
KPIs from the latest OSINT run.
Critical findings
Highest-impact items: act first
Detail by target
Subdomains by source
Indexed files (dorks) by severity
Top findings (severity)
Alerts by category
Phase status
Top affected URLs (click to drill)
Vulnerable libraries
Top alerts (severity)
Findings by category
Severity distribution
Findings by language
Top rules (click to drill)
Top affected files (click to drill)
Coverage by detector / bridge
SBOM (CycloneDX)
CycloneDX bridge did not run. Enable it in the scan to produce a Software Bill of Materials.
Vulnerable hosts
By service
Top confirmed findings
All verification runs (click for full evidence)
Visual evidence captured during scans: every host with a screenshot is listed below. Click a thumbnail to open the viewer.
Toggle which deep-scan and CVE plugins are active. Disabled modules are skipped automatically by every scan. Modules requiring a higher license tier appear locked.
Offensive Metasploit testing requires a signed engagement on record. Each engagement defines the client + contract reference + target scope + authorized-until date. No offensive scan can run without an active engagement; targets outside scope are rejected; every scan writes to an immutable audit log.
Register offensive engagement
All fields except notes are required. Attach the signed PDF — RAVEN stores only its SHA-256 hash as the cryptographic anchor that ties every audit row to this contract version. The raw PDF stays in your document management.
Run offensive Metasploit scan
Local calculators and utilities. Every operation runs in the browser — no input is sent over the network.
Options
Generated password
Metric selection
Result
Metric selection
Result
New client
Client detail
Delete client
This action is IRREVERSIBLE. It will permanently remove:
Look up known default credentials shipped with network appliances, IoT devices, web apps and management portals. Read-only reference data — useful when you spot a fingerprinted login portal during a pentest.
Create and manage RAVEN users (administrators, pentesters, analysts), set each role, and scope which clients they can work on. Each user sets their own password on first login.
| Name | Surnames | Roles | Clients | MFA | Active | Actions |
|---|---|---|---|---|---|---|
New user
You set this password and share it with the user; they must change it on first login.
Pick the client(s) this user belongs to. Administrators manage only users within their own client(s).
Configure what each role can access. Tick the sidebar blocks, sections and functions a role may use. The built-in Operator and Administrator have full, immutable access. Changes take effect on each user's next page load.
New role
Lowercase letters, numbers and underscores. Cannot match a built-in role.
Manage the catalog of clients tied to your engagements. Full CRUD with cascade delete protection (typed-name confirmation), CSV export, and associated tasks listed in the detail view.
| Name | Slug | Phone | RUT | Industry | Tasks | Created | Actions |
|---|---|---|---|---|---|---|---|
Searchable local mirror of the public CVE catalog. Click "Sync now" to populate or refresh from the NVD JSON 2.0 feeds (no API key, no per-request rate limit). The DB lives at raven_cve.db.
Searchable local mirror of the Exploit-DB catalog (metadata only — no payload code is downloaded). Click "Sync now" to populate or refresh from the official Exploit-DB GitLab CSV. The DB lives at raven_exploits.db.
Configure third-party intelligence service keys here. When a key is set, RAVEN uses the paid tier for richer data; when empty, it falls back to the free path (still functional, lower coverage). Keys are stored locally and never shipped in a distribution.
Tune internal RAVEN defaults — timeouts, dimensions, intervals, parallelism. RAVEN uses its shipped defaults for every variable until you set an override; reset returns the variable to default. The "Reset all" button wipes every override at once.
Host detail
Choose target directory
Detail
Detail
Control
Select a client
Choose the client you want to work with.
Add vulnerability
New analysis
Detail
New task
Delete task
This will permanently remove the task, all its runs in the database, and the entire folder on disk including every Excel, log, screenshot and exported state. This action cannot be undone.
This RAVEN install requires authentication. Enter your email and password to continue.
Your account uses a temporary password. Set a new one to continue.
Configure a session password and Multi-Factor Authentication (TOTP) for the local UI. Both are stored in raven.db. When MFA is enabled, you will need an authenticator app (Google Authenticator, Microsoft Authenticator, 1Password, etc.) and one of the recovery codes shown at setup time.
My account