Open source · v0.2 enterprise foundations

Vulnerability scanning that
ships findings, not noise.

Paste a URL, prove you own it, and get a prioritized list of findings — CVE-enriched, KEV-flagged, with remediation — in minutes. Built on best-of-breed OSS scanners and an enterprise-grade workflow.

  • 6 integrated scanners
  • 4 compliance frameworks
  • <5 min typical first scan
  • RLS multi-tenant by default

Orchestrating the open-source security toolchain

  • Naabu
  • httpx
  • Katana
  • Nuclei
  • sslyze
  • OWASP ZAP
  • NVD
  • EPSS
  • CISA KEV

Features

Everything you need to ship security, in one workflow.

Discovery, scanning, enrichment, prioritization, compliance mapping and reporting — wired together so a finding lands with the context to act on it.

Verified scanning

Every target is proven yours via a token at /.well-known/cyberscan-<token>.txt — intrusive scans require a fresh proof.

Composite risk score

CVSS · EPSS · KEV · exposure · exploit availability — fused into one 0–100 score so the highest-risk issue is always at the top.

Compliance mapping

Findings auto-tagged against OWASP Top 10, PCI-DSS v4, NIST 800-53 r5 and CIS Controls v8 — filterable in the UI, exported in every report.

Multi-tenant & RBAC

Postgres row-level security keyed to app.tenant_id; four roles (owner, admin, analyst, viewer) enforced per endpoint.

OIDC single sign-on

Federate with Google, Entra ID, Apple or Keycloak. Auto-provision users, map roles from claims, mint API tokens for CI.

Diff & deduplication

SHA-256 fingerprints across asset, template, CVEs and location — every scan tells you what's new, what's fixed and what's still open.
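The fingerprint-and-diff idea above, as an added example in Python (the backend's language) that is not Cybershake's own code: the fingerprint is a SHA-256 over a canonical JSON of asset, template, sorted CVE set and location, and the diff classifies the current scan's findings as new, fixed or still open against the previous run. Field names and the sample findings are constructed assumptions; the CVE id in the sample is a placeholder, not a real identifier.

```python
import hashlib
import json
from typing import Any, Dict, List

Finding = Dict[str, Any]


def fingerprint(f: Finding) -> str:
    """SHA-256 over a canonical JSON of asset, template, CVE set and location.

    Only these four fields take part, so a changed severity, a re-ordered CVE
    list or extra metadata does not make an old finding look new.
    """
    canonical = {
        "asset": f["asset"],
        "template": f["template"],
        "cves": sorted(set(f.get("cves", []))),
        "location": f["location"],
    }
    blob = json.dumps(canonical, sort_keys=True, separators=(",", ":")).encode("utf-8")
    return hashlib.sha256(blob).hexdigest()


def diff_scans(previous: List[Finding], current: List[Finding]) -> Dict[str, List[Finding]]:
    """Classify the current scan against the previous one by fingerprint."""
    prev = {fingerprint(f): f for f in previous}
    curr = {fingerprint(f): f for f in current}
    return {
        "new": [curr[k] for k in sorted(curr.keys() - prev.keys())],
        "fixed": [prev[k] for k in sorted(prev.keys() - curr.keys())],
        # "open" returns the current copy so a refreshed severity is the one shown
        "open": [curr[k] for k in sorted(curr.keys() & prev.keys())],
    }


# Constructed sample scans (not real scanner output); field names are assumptions.
ASSET = "https://api.acme.example"
PREVIOUS = [
    {"asset": ASSET, "template": "http-missing-security-headers", "cves": [],
     "location": "/", "severity": "low"},
    {"asset": ASSET, "template": "CVE-2099-0001", "cves": ["CVE-2099-0001"],  # placeholder id
     "location": "/login", "severity": "critical"},
]
CURRENT = [
    {"asset": ASSET, "template": "http-missing-security-headers", "cves": [],
     "location": "/", "severity": "medium"},
    {"asset": ASSET, "template": "tls-weak-cipher", "cves": [],
     "location": ":443", "severity": "medium"},
]

if __name__ == "__main__":
    for state, items in diff_scans(PREVIOUS, CURRENT).items():
        print(state, [f["template"] for f in items])
```

Because the hash covers only the four identity fields, the "open" bucket carries the current copy of a finding, which is how a severity that moved between runs still surfaces without the finding being counted as new.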

Authenticated scans

Cookies, bearer tokens, basic auth and custom headers — Fernet-encrypted at rest, decrypted on-the-fly, never logged.

Notifications, your way

Email, Slack and Microsoft Teams — each channel filtered by minimum severity, so the right people hear about the right issues.

Immutable audit log

Tenant-scoped record of every administrative action with user, IP, target and context — ready for SOC 2 and ISO 27001 evidence.

Scanner toolchain

Best-of-breed open source, orchestrated.

Cybershake doesn't reinvent the scanners — it composes them into a pipeline, normalizes their output, and turns raw signals into prioritized findings.

Naabu · Discovery

Top-1000 port discovery with configurable rate limiting. Feeds the rest of the pipeline a clean list of live services.

httpx · Fingerprint

Probes every discovered endpoint, identifies tech stack, status and titles — the map the vuln stage uses.

Katana · Crawl

Recursive crawler — links, JS bundles, sitemaps, robots — critical for SPA discovery and surface mapping.

Nuclei · Vuln

Template-driven vulnerability scanning, sharded across four workers. CVEs, exposures, default logins, panels, JS leaks.

sslyze · TLS

Deep TLS inspection — weak protocols, Heartbleed, ROBOT, weak DH, missing HSTS — with hard rules per PCI-DSS.

OWASP ZAP · Passive

Security-header baseline (CSP, X-Frame, Referrer-Policy). Intrusive mode unlocks SQLi, XSS, SSRF and LFI checks.

Built-in fallbacks keep scans honest.

If an external tool isn't on the worker, Cybershake falls back to hard-coded header and cookie-flag checks — you never get a silent gap in coverage.

Workflow

From URL to triaged findings in three steps.

  1. Add the asset

    Paste a URL into the dashboard. Cybershake mints a verification token bound to the asset and your tenant.

    POST /api/v1/assets
    {
      "url": "https://api.acme.example"
    }

  2. Prove ownership

    Drop the token at the well-known path. Verification is checked before any scan starts and re-checked for intrusive runs.

    PUT /.well-known/cyberscan-9f2e….txt
    ok

  3. Scan & triage

    Pipeline runs naabu → httpx → katana → nuclei → sslyze → ZAP, then enriches with NVD, EPSS and KEV before scoring.

    POST /api/v1/scans
    { "asset_id": "a-9f2e", "profile": "standard" }
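
The ownership-proof part of the three steps above, as an added Python example that is not Cybershake's own code: mint a token, build the well-known URL from the asset's origin, check the served proof with a constant-time comparison, and enforce the 7-day freshness window the FAQ states for intrusive runs. Assumptions: the proof file must contain the token value itself (the page does not specify the file body), the token is random and bound to tenant and asset by the stored record rather than by its value, a standard scan only needs a successful verification at some point, and `fetch` is any callable returning `(status, body)`, so the demo runs offline against a fake server.

```python
import hmac
import secrets
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Callable, Optional, Tuple
from urllib.parse import urlsplit, urlunsplit

# From the FAQ: intrusive checks need a verification no older than 7 days.
INTRUSIVE_MAX_AGE = timedelta(days=7)

Fetcher = Callable[[str], Tuple[int, str]]  # url -> (HTTP status, response body)


@dataclass
class Verification:
    tenant_id: str
    asset_url: str
    token: str
    verified_at: Optional[datetime] = None


def mint_token(tenant_id: str, asset_url: str) -> Verification:
    """Random, unguessable token; the binding to tenant and asset is the stored record (assumption)."""
    return Verification(tenant_id, asset_url, secrets.token_hex(16))


def proof_url(asset_url: str, token: str) -> str:
    """Well-known path is served from the asset's origin, whatever path the asset URL carries."""
    parts = urlsplit(asset_url)
    if parts.scheme not in ("http", "https") or not parts.netloc:
        raise ValueError("asset must be an absolute http(s) URL")
    return urlunsplit((parts.scheme, parts.netloc, f"/.well-known/cyberscan-{token}.txt", "", ""))


def check_proof(v: Verification, fetch: Fetcher, now: datetime) -> bool:
    """Fetch the proof file and accept only a 200 whose body equals the token (assumed file format)."""
    status, body = fetch(proof_url(v.asset_url, v.token))
    if status != 200:
        return False
    # Constant-time compare so response timing does not leak how much of the token matched.
    if not hmac.compare_digest(body.strip().encode("utf-8"), v.token.encode("utf-8")):
        return False
    v.verified_at = now
    return True


def may_scan(v: Verification, now: datetime, intrusive: bool) -> bool:
    """Standard scans need a verification on record; intrusive scans need a fresh one."""
    if v.verified_at is None:
        return False
    if not intrusive:
        return True
    return now - v.verified_at <= INTRUSIVE_MAX_AGE


def demo() -> dict:
    """Run the flow offline against a constructed fake server (no real host is contacted)."""
    now = datetime(2025, 1, 1, tzinfo=timezone.utc)
    v = mint_token("tenant-42", "https://api.acme.example/v2/")
    served = {proof_url(v.asset_url, v.token): (200, v.token + "\n")}
    fetch = lambda url: served.get(url, (404, ""))
    results = {
        "proof_ok": check_proof(v, fetch, now),
        "standard_now": may_scan(v, now, intrusive=False),
        "intrusive_now": may_scan(v, now, intrusive=True),
        "intrusive_day8": may_scan(v, now + timedelta(days=8), intrusive=True),
        "standard_day8": may_scan(v, now + timedelta(days=8), intrusive=False),
    }
    other = mint_token("tenant-42", "https://api.acme.example")
    results["wrong_body"] = check_proof(other, lambda url: (200, "ok\n"), now)
    results["unverified_scan"] = may_scan(other, now, intrusive=False)
    return results


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {ok}")
```

The asset URL in the demo carries a path (`/v2/`), but the proof is looked up at the origin root, which is what stops a user who controls only a sub-path of a shared host from verifying the whole origin.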
Risk scoring

One score. Five signals. The right thing at the top.

Severity isn't the same as risk. Cybershake fuses CVSS, exploit probability (EPSS), CISA KEV membership, exposure and exploit availability into a single composite score so triage isn't a guessing game.

  • ≥85 Critical
  • ≥70 High
  • ≥40 Medium
  • ≥15 Low
  • <15 Info

KEV findings are floored to High — known exploitation in the wild always gets attention.

Composite risk score

0.45 × CVSS_norm + 0.25 × EPSS + 0.15 × KEV + 0.10 × Exposure + 0.05 × Exploit availability

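
A worked version of the formula and bands above, added here as an example and not code from the Cybershake project. It assumes CVSS_norm is the CVSS base score divided by 10, that EPSS and exposure are 0–1 values (exposure 1.0 = directly internet-facing), that KEV and exploit availability are 0/1 flags, and that "floored to High" is implemented by raising the score to 70, the bottom of the High band. Sample findings are constructed.

```python
from dataclasses import dataclass
from typing import List, Tuple

# Weights from the composite formula on this page; they sum to 1.0 so the score lands in 0..100.
WEIGHTS = {"cvss": 0.45, "epss": 0.25, "kev": 0.15, "exposure": 0.10, "exploit": 0.05}

# Severity bands from this page, highest threshold first; anything below 15 is Info.
BANDS = [(85.0, "Critical"), (70.0, "High"), (40.0, "Medium"), (15.0, "Low")]

# Assumption: the KEV floor raises the score to the bottom of the High band.
KEV_FLOOR = 70.0


@dataclass(frozen=True)
class Signals:
    cvss: float              # CVSS base score, 0..10 (assumption: normalised by /10)
    epss: float              # EPSS probability, 0..1
    kev: bool                # present in CISA KEV
    exposure: float          # 0..1 (assumption: 1.0 = directly internet-facing)
    exploit_available: bool  # public exploit code known


def _unit(x: float) -> float:
    """Clamp a signal into 0..1 so a bad feed value cannot push the score out of range."""
    return min(1.0, max(0.0, x))


def composite_score(s: Signals) -> float:
    weighted = (
        WEIGHTS["cvss"] * _unit(s.cvss / 10.0)
        + WEIGHTS["epss"] * _unit(s.epss)
        + WEIGHTS["kev"] * (1.0 if s.kev else 0.0)
        + WEIGHTS["exposure"] * _unit(s.exposure)
        + WEIGHTS["exploit"] * (1.0 if s.exploit_available else 0.0)
    )
    score = 100.0 * weighted
    if s.kev:
        score = max(score, KEV_FLOOR)  # known exploitation never sits below High
    return round(score, 2)


def band(score: float) -> str:
    for threshold, label in BANDS:
        if score >= threshold:
            return label
    return "Info"


def triage(findings: List[Tuple[str, Signals]]) -> List[Tuple[str, float, str]]:
    """Score every finding and return them highest-risk first."""
    scored = []
    for fid, sig in findings:
        score = composite_score(sig)
        scored.append((fid, score, band(score)))
    return sorted(scored, key=lambda row: row[1], reverse=True)


# Constructed sample findings (not real scan output).
SAMPLE = [
    ("f-1", Signals(cvss=9.8, epss=0.90, kev=True, exposure=1.0, exploit_available=True)),
    ("f-2", Signals(cvss=5.3, epss=0.02, kev=True, exposure=0.5, exploit_available=False)),
    ("f-3", Signals(cvss=4.3, epss=0.001, kev=False, exposure=0.2, exploit_available=False)),
    ("f-4", Signals(cvss=7.5, epss=0.30, kev=False, exposure=0.0, exploit_available=False)),
]

if __name__ == "__main__":
    for fid, score, label in triage(SAMPLE):
        print(f"{fid}: {score:6.2f}  {label}")
```

Finding f-2 is the instructive case: a medium CVSS with near-zero EPSS would score in the Medium band on the weights alone, but its KEV membership lifts it to High, so it outranks f-4, whose higher CVSS is offset by zero exposure.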
Compliance

Map every finding to the framework auditors actually ask about.

Each finding's CWE is resolved against four lookup tables, so the same vulnerability shows up tagged for the framework your team is being measured on.

OWASP Top 10:2021

A01–A10

Web-app risk classes — broken access control, cryptographic failures, injection, insecure design.

PCI-DSS v4.0

4.x · 6.5.x

Cardholder data protection — TLS, secure development, input validation, vulnerability management.

NIST SP 800-53 r5

SC · IA · CM

Federal control families — system & communications protection, identification & authentication.

CIS Controls v8

IG1–IG3

Prioritized defensive controls — secure configuration, account management, application software security.

Example: CWE-79 Cross-site scripting

OWASP A03:2021 · PCI-DSS 6.5.7 · NIST SI-10 · CIS 16.10

Architecture

A modern stack designed for Kubernetes from day one.

Next.js for the UI, FastAPI for the API, Celery on Redis for orchestration, Postgres with row-level security for tenancy, MinIO for raw artifacts. Helm charts ship per-pool worker deployments — scale recon, vuln, TLS and passive workloads independently.

  • Frontend: Next.js 15 · App Router
  • Backend API: FastAPI · SQLAlchemy 2 · Alembic
  • PostgreSQL 16: row-level security · per-tenant GUC
  • Redis + Celery: broker · result backend · beat
  • Worker pools: recon · vuln · tls · passive · feeds
  • MinIO: S3-compatible artifact storage

Worker pool sizing:

  • recon: 1–5 replicas · KEDA-scaled
  • vuln: 1–8 replicas · Nuclei sharded ×4
  • tls: 1–4 replicas · sslyze
  • passive: 1–4 replicas · ZAP baseline
  • feeds: NVD · EPSS · KEV every 6h

Deploy

Run it on a laptop, run it on a cluster.

Single-command local stack with a benign Juice Shop target, or a production Helm install with KEDA autoscaling and Prometheus metrics.

Docker Compose

The fastest way to try Cybershake — full stack plus a built-in OWASP Juice Shop test target.

# clone, then
make up
make seed
make e2e
open http://localhost:3000

Kubernetes (Helm)

Per-pool worker deployments, KEDA autoscaling, Prometheus ServiceMonitor, optional cert-manager.

helm repo add cybershake https://albal.github.io/cyber
helm install cs cybershake/cyberscan \
  -n cyberscan --create-namespace

kind (local k8s)

Bootstrap a full Kubernetes deployment on your laptop — the same chart that runs in production.

cd deploy/kind
./bootstrap.sh
kubectl get pods -n cyberscan

FAQ

Common questions.

Is Cybershake really open source?

Yes — MIT licensed, end to end. No paywalled scanner integrations, no telemetry, no upgrade gates between the OSS edition and what you'd self-host in production.

Do you support intrusive scanning?

Yes, but only on assets verified within the last 7 days. Intrusive checks (SQLi, XSS, SSRF, LFI, brute-force) require explicit re-verification so you can't accidentally hit a target you don't own.

How are CVEs and exploit data kept fresh?

A scheduled feed worker pulls NVD, EPSS and CISA KEV every 6 hours. Findings reference the snapshot they were enriched against, so you can replay why a score moved.

Can I plug in my own identity provider?

Yes — OIDC works with Google, Microsoft Entra ID, Apple, Keycloak and anything that speaks the standard. Roles can be derived from IdP claims.

What about logical flaws and business-logic bugs?

Cybershake is honest about its limits. Authorization bypasses, multi-step auth, race conditions and stored XSS that requires privileged context are out of scope — you still need humans for those. The scanner-coverage doc spells it out.

How do I export findings to my SIEM or ticketing tool?

CSV, JSON and PDF exports include the full compliance tag set. Webhook-style integrations are on the roadmap; today most teams pipe the JSON export.

Stop chasing severity. Start fixing risk.

Spin up Cybershake locally in a single command and have a triaged scan of your first asset before your coffee gets cold.