Beacon

AI-powered attack surface scanner

Go | Apache 2.0 | Open Source
1 star | 0 forks | v0.1.2

Not a checklist scanner

Most attack surface scanners run a fixed list of checks and output a finding per item. Beacon does something different: it fingerprints your stack — identifying specific service versions, frameworks, and exposed interfaces — then feeds that context to an AI reasoning layer that connects findings across attack vectors.

The result is attack paths, not finding lists. Instead of "TLS 1.1 accepted (medium)" and "alg:none accepted (high)" as separate items, Beacon surfaces: "weak TLS on the auth endpoint hosting a JWT service with algorithm confusion — MITM to credential theft path."

Install

bash
$ go install github.com/stormbane-security/beacon@latest

Usage

bash
$ beacon scan --target api.example.com
[beacon] Resolving api.example.com...
[beacon] Running surface scan (passive)

[CORS]    api.example.com — wildcard origin (*) with credentials
[TLS]     api.example.com:443 — TLS 1.1 accepted (deprecated)
[HEADER]  api.example.com — missing Content-Security-Policy
[JWT]     /auth/token — alg:none accepted

[AI]  Analyzing findings across attack vectors...
[AI]  Attack path: CORS bypass → credential theft → /auth/token (alg:none)
[AI]  Confidence: high | Impact: full account takeover

4 findings  |  2 high  |  2 medium  |  1 attack path identified

bash
$ beacon scan --target api.example.com --deep --permission-confirmed
[beacon] Running deep scan (active probing)...

Scan modes

ScanSurface

Safe by default

Passive observation only. Makes only the requests any internet user could make. Safe to run against any target you own.

  • TLS version detection
  • Security header enumeration
  • CORS origin probing
  • DNS resolution
  • Web3 node fingerprinting

ScanDeep

--permission-confirmed

Active probing. Sends crafted requests to discover hidden endpoints and test specific behaviors. Requires explicit permission flag.

  • API endpoint discovery
  • Authentication bypass attempts
  • JWT algorithm testing
  • Version disclosure probing
  • AI/LLM endpoint enumeration

ScanAuthorized

--authorized

Exploitation-class checks requiring interactive acknowledgment. Reads cluster state, accesses internal APIs, or performs credentialed probing.

  • Kubernetes cluster RBAC audit
  • GCP IAM privilege escalation paths
  • GitHub org-wide CI/CD surface scan
  • Internal service mesh exposure

Scanner modules

| Module | Area | What it checks |
| --- | --- | --- |
| cors | Web | CORS wildcard origins, credentialed cross-origin, preflight misconfig |
| tls | Web | Protocol version, cipher strength, certificate validity, HSTS |
| headers | Web | CSP, X-Frame-Options, HSTS, Referrer-Policy, Permissions-Policy |
| jwt | Web | Algorithm confusion, alg:none, weak signing secrets |
| apiversions | Web | Deprecated API version exposure (v1, beta, legacy paths) |
| webcontent | Web | Exposed .git, .env, backup files, directory listings |
| fingerprint | Web | Framework and server version disclosure — feeds AI attack path reasoning |
| githubactions | CI/CD | GitHub Actions workflow security, secret injection, action pinning, OIDC trust |
| chainnode | Web3 | Blockchain node RPC exposure, chain fingerprinting, unauthenticated access |
| aiapi | AI/LLM | Exposed model endpoints, auth misconfig, API key leakage in responses |
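
The jwt module's alg:none and algorithm-confusion findings both come from a verifier that lets the token header choose the algorithm. The fix, as an added example that is not Beacon's code or part of the original page, is a Go verifier that pins HS256 server-side; `Mint`, `VerifyHS256`, the secret and the payloads are constructed for illustration.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"fmt"
	"strings"
)

var b64 = base64.RawURLEncoding

func hs256(input string, secret []byte) []byte {
	mac := hmac.New(sha256.New, secret)
	mac.Write([]byte(input))
	return mac.Sum(nil)
}

// Mint builds a constructed demo token; alg "none" gets an empty signature.
func Mint(alg, payload string, secret []byte) string {
	in := b64.EncodeToString([]byte(`{"alg":"`+alg+`"}`)) + "." + b64.EncodeToString([]byte(payload))
	if alg == "none" {
		return in + "."
	}
	return in + "." + b64.EncodeToString(hs256(in, secret))
}

// VerifyHS256 pins the algorithm server-side; the header's alg is checked, never obeyed.
func VerifyHS256(token string, secret []byte) error {
	p := strings.Split(token, ".")
	if len(p) != 3 {
		return fmt.Errorf("malformed token")
	}
	hdrJSON, err := b64.DecodeString(p[0])
	var hdr struct{ Alg string `json:"alg"` }
	if err != nil || json.Unmarshal(hdrJSON, &hdr) != nil || hdr.Alg != "HS256" {
		return fmt.Errorf("alg %q not allowed", hdr.Alg) // none, None, RS256...
	}
	sig, err := b64.DecodeString(p[2])
	if err != nil || !hmac.Equal(sig, hs256(p[0]+"."+p[1], secret)) { // constant-time
		return fmt.Errorf("signature mismatch")
	}
	return nil
}

func main() {
	key := []byte("constructed-demo-secret") // constructed sample value
	fmt.Println(VerifyHS256(Mint("HS256", `{"sub":"alice"}`, key), key), VerifyHS256(Mint("none", `{"sub":"admin"}`, key), key))
}
```

A service hardened this way would no longer produce the `[JWT] /auth/token — alg:none accepted` line shown in the sample scan output.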