βββ ββββββββββββββ ββββββββββ βββββββ ββββ βββ βββββββ βββ βββ
ββββββββββββββββββββ ββββββββββββββββββββββββββ ββββββββββββββββββββ
ββββββ ββββββ βββββββ βββββββββββ βββββββββ ββββββ βββ ββββββ
ββββββ ββββββ βββββ βββββββββββ ββββββββββββββββ βββ ββββββ
ββββ βββββββββββ βββ βββ βββββββββββββββ βββββββββββββββββββ βββ
βββ βββββββββββ βββ βββ βββ βββββββ βββ βββββ βββββββ βββ βββ
Security Tool Developer Β· Bug Bounty Hunter Β· Open Source
I build open-source security reconnaissance tools under the Openxos organization. Every tool I ship is validated against real production infrastructure before release β the goal is tools that find actual vulnerabilities, not demonstrate theoretical capabilities.
Currently building the Openxos ecosystem as a solo developer with no corporate backing. All tools are MIT licensed and will remain free forever.
The Openxos framework provides a two-stage reconnaissance methodology that mirrors how professional red teamers actually operate. Ghost handles surgical initial reconnaissance to understand defensive posture. Probe executes large-scale comprehensive analysis using that intelligence.
openxos-ghost v0.1.2
Low-noise, evasion-aware security probe that operates below detection thresholds. Standard scanners get blocked by WAFs and IDS systems before they find anything useful. Ghost uses randomized timing, header rotation, and path encoding variants to surface findings that noisy tools miss entirely. Every finding includes a detection gap report explaining what technique worked and why a standard tool would have missed it.
Two modes: web for probing applications through WAF and security controls, and net for infrastructure reconnaissance through IDS and firewalls. Three stealth profiles from slow maximum stealth to aggressive. The mandatory --authorized flag is required β not optional, not bypassable.
ghost web --target https://target.com --authorized --profile slow
ghost net --target 192.168.1.1 --authorized --profile mediumopenxos-probe v0.1.2
High-performance HTTP reconnaissance engine for large-scale security analysis. After ghost establishes safe operational parameters, probe executes comprehensive assessment across all discovered targets concurrently β mapping technology stacks, identifying misconfigurations, discovering API attack surface, and detecting vulnerabilities.
Built in Rust with async Tokio for maximum throughput. 200+ technology signatures using SIMD-accelerated Aho-Corasick matching. WAF detection for 7 providers. Cloud provider fingerprinting for 8 providers. Subdomain takeover detection. GraphQL introspection, WebSocket, and OpenAPI discovery. HTTP method enumeration including dangerous PUT, DELETE, and TRACE. Full SQLite persistence with continuous monitoring and webhook notifications.
openxos-probe -i subdomains.txt --fast
openxos-probe -i subdomains.txt --aggressive --format json -o results.json# Stage 1: Scout with ghost
ghost web --target target.com --authorized --profile medium
# Stage 2: Large-scale analysis with probe
openxos-probe -i subs.txt --format json -o results.jsonTools are tested against production infrastructure before every release. Results from testing across 10 major production domains.
| Target | Finding | Severity |
|---|---|---|
| sentry.io | Source maps exposed in production | HIGH |
| api.stripe.com | Security misconfiguration | HIGH |
| api.github.com | PUT, DELETE, TRACE methods enabled | MEDIUM |
| auth.docker.io | Sensitive endpoint caching | MEDIUM |
| microsoft.com | 36 findings across 7 subdomains in ~20s | MEDIUM |
| grafana.com | Missing security headers | LOW |
47 total findings discovered across 10 production targets during v0.1.0 testing. 144 tests passing across the probe tool suite.
All Openxos tools are built in Rust using the Tokio async runtime. The choice of Rust is deliberate β memory safety guarantees, performance characteristics suitable for high-throughput network scanning, and compiled binaries that run anywhere without runtime dependencies.
Key libraries used across the ecosystem include reqwest for HTTP with connection pooling and HTTP/2 support, DashMap for lock-free concurrent DNS caching, Aho-Corasick for SIMD-accelerated pattern matching in technology detection, rusqlite with WAL mode for non-blocking database persistence, and clap for CLI interfaces. All tools expose JSON output for programmatic consumption and pipeline integration.
Languages: Rust 100%
Tests: 144 passing
Tools: 2 active (v0.1.2)
Findings: 47 confirmed on production infrastructure
License: MIT β free forever
Backing: None β solo independent developer
If the Openxos tools have provided value in your security work, contributions help sustain continued development. Support is entirely voluntary.
Monero (XMR)
49DDzakQJoKKq5caPdeZMH1JoC1GERzbnTw7RFx5Zq4xFLiXgkNgxuEau4rXH3f5V29cbXPB4bxk1dy1YKxAiwZ9LvkaUCv
Openxosdev Organization Β· openxos-ghost Β· openxos-probe
For authorized security testing only