Every engagement starts the same way: figure out what's actually exposed. Not what the architecture diagram says is exposed. Not what the team thinks is public. What's actually reachable, what's responding, and — critically — what it's saying about itself.
I've run this process dozens of times against GKE clusters, GCP-hosted APIs, GitHub Actions workflows, and CI/CD pipelines. And every time, I was stitching together the same ad hoc scripts: check TLS, probe CORS, look for alg:none on JWT endpoints, enumerate security headers, poke at the CI surface. The tooling was fragmented, inconsistent, and painful to hand off.
So we built Beacon.
What makes it different
Most attack surface scanners run a checklist. They check 40 things, output 40 rows, and hand you a spreadsheet. That's fine for compliance. It's useless for finding what an attacker would actually do.
Beacon fingerprints your stack first — it identifies specific service versions, frameworks, and exposed interfaces across your whole surface. Then it feeds that context to an AI reasoning layer that connects findings across attack vectors. Instead of "TLS 1.1 accepted (medium)" sitting unrelated next to "alg:none accepted on /auth/token (high)", Beacon surfaces the path: weak TLS on the endpoint hosting a JWT service with algorithm confusion means a MITM can steal credentials that are also bypassing algorithm validation.
That's the difference between a finding list and an attack path.
What it covers
Beacon currently scans across five vectors:
Network and web surface — TLS versions and ciphers, CORS origin handling, security headers, JWT endpoint behavior, API version exposure, server fingerprinting, exposed files and directories.
CI/CD pipelines — GitHub Actions workflow security: unpinned actions, untrusted input injection, overly broad OIDC trust, secret scope misconfigs.
Infrastructure as Code — Terraform state exposure, misconfigured storage backends, IaC drift indicators.
Web3 / blockchain nodes — Exposed RPC endpoints, unauthenticated node access, chain fingerprinting.
AI/LLM APIs — Exposed model endpoints, authentication misconfigs, API key leakage in responses.
It runs in three modes. ScanSurface (the default) makes only the requests any internet user could make — no active payloads, no exploitation attempts. ScanDeep adds active probing. ScanAuthorized is exploitation-class and requires interactive acknowledgment.
Why open source?
Security tooling has a trust problem. When a scanner tells you there's a CORS misconfiguration, you're trusting that the tool actually understands how CORS works — not just that it found the header and flagged a regex match. With closed-source tools, you can't verify that. I've seen "high severity" findings from commercial scanners that were complete false positives because the tool didn't understand that credentialed CORS requires a specific request pattern to be exploitable.
Beacon is Apache 2.0. Read the check logic. If you think we're wrong about how something works, open an issue. We'd rather be corrected publicly than confidently wrong.
Getting started
go install github.com/stormbane-security/beacon@latest
beacon scan --target api.example.com
Output is human-readable by default. Add --json for machine-readable output.
Always run surface mode first to understand baseline exposure before you go deeper. ScanDeep should only be used with explicit permission from whoever owns the target.
The code is on GitHub. Issues and PRs welcome — especially for modules we haven't built yet.