Every breach is a door someone forgot to bolt.

Obexum is the deterministic, forensic-grade hardening audit for the full Windows and Linux fleet — built to CIS Benchmarks, NIST SP 800-53, DISA STIG, MITRE ATT&CK and CISA guidance. Every finding ships with auditable evidence and a ready-to-run remediation playbook. Zero false positives in a clean baseline state.

569 Forensic checks
92 Remediation playbooks
5 Compliance frameworks aligned
0 FPs in clean baseline state

Live threat intelligence

What happened while you weren't auditing.

Real incidents pulled live from the most reliable public threat sources. These are the kinds of compromises Obexum surfaces before they make headlines.

CISA KEV HIBP MSRC Mandiant Krebs DataBreaches BleepCom

The cost of doing nothing

When prevention fails, the bill comes due.

Every figure below is from a public SEC filing, government court record, or reported insurance claim. Indirect costs (regulatory fines, share-price drop, customer churn, NDA settlements) are usually not disclosed — the real numbers are higher.

Most of these incidents started with one missed hardening control — an unpatched VPN, an over-permissioned service account, a forgotten SMBv1 endpoint. Obexum surfaces all three in under two minutes per host.

Live ransomware victim map

The threats are everywhere.

Every marker is a real ransomware victim posted on a threat-actor leak site in the last 24 months. Click a country on the left to filter, hover any marker to see the gang and the leak-site post.

Map: Leaflet + Natural Earth (no third-party tile servers) · Victim data: ransomware.live

Source: ransomware.live · rebuilt every 24 hours from leak-site postings of 333 ransomware groups

Pentest tools find bugs. EDRs catch attacks. Obexum closes the door.

We sit on a different layer than Nessus, Tenable or your EDR. Our job is to find the misconfigurations that would let an attack succeed, before anyone tries. Every result is reproducible, every fix is auditable.

Deterministic by design

No LLM, no fuzzy matching, no “maybe”. Each check is a probe written in code, with explicit pass/fail logic and full evidence preservation. Same target, same answer, every time.

Zero false positives

Every check passes a forensic round-trip: inject → detect → remediate → re-detect clean. We test every probe against a real AD lab before we ship it. 569 / 569.

Ready-to-run fixes

55 PowerShell & bash playbooks ship in the box. Each one is dry-run by default, includes a rollback section, advisory notes for change-management, and a post-fix validation hook.

CISA-grade coverage

ADCS ESC1-15, Kerberos abuse paths, BloodHound ACL backdoors, GPO tampering, persistence T1546/T1574/T1543/T1053, UAC bypass surface — all mapped to MITRE ATT&CK and CIS benchmarks.

Engagement-grade evidence

Every scan produces a structured engagement directory: manifest, findings JSON, branded HTML report, raw probe output, and per-finding artifacts. Defensible in front of auditors and management alike.

Single binary, on-prem first

Obexum is a 30-MB Go binary. No agent on the target. No mandatory cloud. Run it from a jump-box, your laptop, or your CI. SaaS portal on the way for those who want it.

This is what a real Obexum scan finds out of the box.

We run our own AD lab (obxlab.local, Server 2022, Enterprise CA, synthetic adversary fixtures) on every release. Below are the actual numbers from the latest scan. The full HTML report is browsable on /demo.

22 Critical
104 High
30 Medium
5 Low

Top critical findings on a default Server 2022 promotion

Rule ID | Title | Severity | Playbook
AUD-WIN-ADCS-001 | ADCS ESC1: SAN-supply template enrollable by low-priv user | CRITICAL | pb-windows-dc-adcs-001
AUD-WIN-ACL-001 | DCSync extended right granted to non-Tier0 principal | CRITICAL | pb-windows-dc-acl-001
AUD-WIN-DCH-001 | Print Spooler service running on Domain Controller (PrintNightmare) | CRITICAL | pb-windows-dc-dch-001
AUD-WIN-DCH-010 | WDigest UseLogonCredential enabled (cleartext in LSASS) | CRITICAL | pb-windows-dc-dch-010
AUD-WIN-PRIV-009 | LSASS RunAsPPL not enabled (Mimikatz dump exposure) | HIGH | pb-windows-dc-priv-009
AUD-WIN-FH-007 | dSHeuristics anonymous LDAP bind bit set | HIGH | pb-windows-dc-fh-007
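
The deterministic pass/fail logic and the inject → detect → remediate → re-detect round-trip described above, applied to two registry-backed findings from this table, as an added example that is not Obexum's code. The snapshot format, pass conditions, fix values and function names are assumptions of this example; only the rule IDs come from the table, and the registry value names are the Windows ones.

```python
import copy
import hashlib
import json

LSA = r"HKLM\SYSTEM\CurrentControlSet\Control\Lsa"
WDIGEST = r"HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest"

# rule id -> (key, value name, pass predicate, value a fix would write).
# Rule IDs are from the table above; predicates and fix values are assumptions
# of this example. None means the registry value is absent.
RULES = {
    # Absent counts as disabled only on Windows 8.1 / Server 2012 R2 and later.
    "AUD-WIN-DCH-010": (WDIGEST, "UseLogonCredential", lambda v: v in (None, 0), 0),
    # 1 = LSA protection on; 2 = on without UEFI lock (newer Windows builds).
    "AUD-WIN-PRIV-009": (LSA, "RunAsPPL", lambda v: v in (1, 2), 1),
}

def evaluate(snapshot):
    """One finding per rule, in sorted rule order, with the evidence it used."""
    findings = []
    for rule_id in sorted(RULES):
        key, name, passes, _ = RULES[rule_id]
        observed = snapshot.get(key, {}).get(name)
        evidence = {"key": key, "value": name, "observed": observed}
        blob = json.dumps(evidence, sort_keys=True).encode()
        findings.append({
            "rule": rule_id,
            "status": "PASS" if passes(observed) else "FAIL",
            "evidence": evidence,
            "evidence_sha256": hashlib.sha256(blob).hexdigest(),
        })
    return findings

def status(snapshot, rule_id):
    return next(f["status"] for f in evaluate(snapshot) if f["rule"] == rule_id)

def round_trip(baseline, rule_id, bad_value):
    """inject -> detect -> remediate -> re-detect; returns the three statuses."""
    key, name, _, fix_value = RULES[rule_id]
    snap = copy.deepcopy(baseline)
    before = status(snap, rule_id)
    snap.setdefault(key, {})[name] = bad_value   # inject the weak setting
    detected = status(snap, rule_id)
    snap[key][name] = fix_value                  # remediate
    return before, detected, status(snap, rule_id)

# Constructed clean baseline, not data from a real host.
CLEAN = {LSA: {"RunAsPPL": 1}, WDIGEST: {}}
```

A rule counts as round-trip clean only when `round_trip` returns PASS, FAIL, PASS; any other sequence means the probe either misses the injected setting or fires on the baseline.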

From install to fix in under 5 minutes.

One binary, one config file, one engagement directory per scan. No agent on the target, no cloud roundtrip.

Terminal — obexum demo flow
# 1. Install
curl -fsSL https://get.obexum.com | sh

# 2. Bootstrap (creates ~/.obexum/, generates ssh key)
obexum init

# 3. Register your target
obexum targets add prod-dc-01 --type windows-dc --host 10.0.0.5

# 4. Scan (569 checks · ~3 minutes on a typical DC)
obexum scan run prod-dc-01

# 5. Review the engagement
obexum findings list
obexum findings show AUD-WIN-ADCS-001
firefox ~/.obexum/scans/<scan-id>/findings.html

# 6. Render a remediation playbook for offline review
obexum playbook render pb-windows-dc-adcs-001 \
    --target prod-dc-01 \
    --item OBX_ESC1_AltSAN \
    -o fix-ADCS-001.ps1

# 7. After the change-management owner runs the script:
obexum scan run prod-dc-01 --only AUD-WIN-ADCS-001
# → finding clears. Audit-trail closed.

We are not Tenable, Qualys or your EDR. We are the layer underneath.

Obexum complements your existing stack — it does not replace it.

Layer | Tool family | What they do | What Obexum does instead
Discovery | DeepZero, custom semgrep | Find new vulnerabilities in code / drivers | Consume that intel (e.g. loldrivers list)
Pentest | RedTeam-Agent, BloodHound, Certify | Try to exploit, simulate the adversary | Find what would let them succeed first
Defensive audit | Obexum | Close the door before someone tries it
Live detection | Defender, CrowdStrike, Sentinel | Detect attacks while they are happening | Reduce what they have to detect

“Obexum is the inspector that finds the cracks in the wall while there is still time to fix them. Not a shield, not an alarm — the audit you should have run before you bought the alarm.”

— Forensic methodology, baked in.

Ready to find what you would have missed?

569 checks. 55 playbooks. Zero false positives. Free for 14 days, no credit card.