Every breach is a door someone forgot to bolt.

Obexum is the deterministic, pericial-grade hardening audit for the full Windows, Linux and BSD fleet — built to CIS Benchmarks, NIST SP 800-53, DISA STIG, MITRE ATT&CK and CISA guidance. Every finding ships with auditable evidence + a ready-to-run remediation playbook. Zero false positives in clean baseline.

620
Forensic checks
55
Remediation playbooks
5
Compliance frameworks aligned
0 FPs
In clean baseline state
Live threat intelligence

What happened while you weren't auditing.

Real incidents pulled live from the most reliable public threat sources. These are the kinds of compromises Obexum surfaces before they make headlines.

incidents tracked
updated
CISA KEV HIBP MSRC Unit 42 Krebs DataBreaches BleepCom

loading…

loading…

loading…

loading…

Auto-rotating 1 /
Pause on hover
The cost of doing nothing

When prevention fails, the bill comes due.

Every figure below is from a public SEC filing, government court record, or reported insurance claim. Indirect costs (regulatory fines, share-price drop, customer churn, NDA settlements) are usually not disclosed — the real numbers are higher.

in publicly disclosed losses across incidents
loading…

loading…

loading…

loading…

loading…

Most of these incidents started with one missed hardening control — an unpatched VPN, an over-permissioned service account, a forgotten SMBv1 endpoint. Obexum surfaces all three in under two minutes per host.

Live ransomware victim map · showing

The threats are everywhere.

Each marker is a real ransomware victim from a threat-actor leak site — the map plots the 400 most recently listed. The full 24-month and all-time totals are shown at right. Click a country on the left to filter, hover any marker to see the gang and the leak-site post.

loading…

Map: Leaflet + Natural Earth (no third-party tile servers) · Victim data: ransomware.live

Breaking Last 5 ransomware victims worldwide
loading…

loading…

Source: ransomware.live · rebuilt every 24 hours from leak-site postings of 333 ransomware groups

Pentest tools find bugs. EDRs catch attacks. Obexum closes the door.

We sit on a different layer than Nessus, Tenable or your EDR. Our job is to find the misconfigurations that would let an attack succeed, before anyone tries. Every result is reproducible, every fix is auditable.

Deterministic by design

No LLM, no fuzzy matching, no “maybe”. Each check is a code-coded probe with explicit pass/fail logic and full evidence preservation. Same target, same answer, every time.

Zero false positives

Every check passes a pericial round-trip: inject → detect → remediate → re-detect clean. We test every probe against a real lab — Windows AD, Linux and BSD — before we ship it.

Ready-to-run fixes

55 PowerShell & bash playbooks ship in the box. Each one is dry-run by default, includes a rollback section, advisory notes for change-management, and a post-fix validation hook.

CISA-grade coverage

ADCS ESC1-15, Kerberos abuse paths, BloodHound ACL backdoors, GPO tampering, persistence T1546/T1574/T1543/T1053, UAC bypass surface — all mapped to MITRE ATT&CK and CIS benchmarks.

Engagement-grade evidence

Every scan produces a structured engagement directory: manifest, findings JSON, branded HTML report, raw probe output, and per-finding artifacts. Defensible in front of auditors and management alike.

Single binary, on-prem first

Obexum is a self-contained Go binary (~41 MB). No agent on the target. No mandatory cloud. Run it from a jump-box, your laptop, or your CI. A hosted portal adds dashboards, scan history and shared engagements when you want them.

This is what a real Obexum scan finds out of the box.

These are representative findings from a default Server 2025 domain-controller promotion in our AD lab (obxlab.local, Enterprise CA, synthetic adversary fixtures). The full HTML report is browsable on /demo.

29
Critical
64
High
12
Important
35
Medium
6
Low

Top critical findings on a default Server 2025 promotion

Rule IDTitleSeverityPlaybook
AUD-WIN-ADCS-001 ADCS ESC1: SAN-supply template enrollable by low-priv user CRITICAL pb-windows-dc-adcs-001
AUD-WIN-ACL-001 DCSync extended right granted to non-Tier0 principal CRITICAL pb-windows-dc-acl-001
AUD-WIN-DCH-001 Print Spooler service running on Domain Controller (PrintNightmare) CRITICAL pb-windows-dc-dch-001
AUD-WIN-DCH-010 WDigest UseLogonCredential enabled (cleartext in LSASS) CRITICAL pb-windows-dc-dch-010
AUD-WIN-PRIV-009 LSASS RunAsPPL not enabled (Mimikatz dump exposure) HIGH pb-windows-dc-priv-009
AUD-WIN-FH-007 dSHeuristics anonymous LDAP bind bit set HIGH pb-windows-dc-fh-007

From install to fix in under 5 minutes.

One binary, one config file, one engagement directory per scan. No agent on the target, no cloud roundtrip.

Terminal — obexum demo flow
# 1. Get your build — sign in at obexum.com, Account → Builds (signed, scoped to your OS)

# 2. Bootstrap (creates ~/.obexum/, generates ssh key)
obexum init

# 3. Register your target
obexum targets add prod-dc-01 --type windows-dc --host 10.0.0.5

# 4. Scan (620 checks · ~3 minutes on a typical DC)
obexum scan --target prod-dc-01

# 5. Review the engagement
obexum findings list
obexum findings show AUD-WIN-ADCS-001
firefox ~/.obexum/scans/<scan-id>/findings.html

# 6. Render a remediation playbook for offline review
obexum playbook render pb-windows-dc-adcs-001 \
    --target prod-dc-01 \
    --item OBX_ESC1_AltSAN \
    -o fix-ADCS-001.ps1

# 7. After the change-management owner runs the script:
obexum scan --target prod-dc-01
# → finding clears. Audit-trail closed.

We are not Tenable, Qualys or your EDR. We are the layer underneath.

Obexum complements your existing stack — it does not replace it.

Layer Tool family What they do What Obexum does instead
Discovery Semgrep, CodeQL Find new vulnerabilities in code / drivers Consume that intel (e.g. loldrivers list)
Pentest BloodHound, Certify, Cobalt Strike Try to exploit, simulate the adversary Find what would let them succeed first
Defensive audit Obexum Close the door before someone tries it
Live detection Defender, CrowdStrike, Sentinel Detect attacks while they are happening Reduce what they have to detect

“Obexum is the inspector that finds the cracks in the wall while there is still time to fix them. Not a shield, not an alarm — the audit you should have run before you bought the alarm.”

— Pericial methodology, baked in.

Ready to find what you would have missed?

620 checks. 55 playbooks. Zero false positives. Free for 14 days, no credit card.