Obexum is the deterministic, pericial-grade hardening audit for the full Windows, Linux and BSD fleet — built to CIS Benchmarks, NIST SP 800-53, DISA STIG, MITRE ATT&CK and CISA guidance. Every finding ships with auditable evidence + a ready-to-run remediation playbook. Zero false positives in clean baseline.
obexum scan for the terminal, obexum gui for a browser-rendered console on 127.0.0.1:7070.
obexum diff shows the finding cleared and its audit trail closed. You prove the door is bolted — Obexum doesn't take your word for it. Most scanners flag and forget.
Real incidents pulled live from the most reliable public threat sources. These are the kinds of compromises Obexum surfaces before they make headlines.
loading…
loading…
loading…
loading…
Every figure below is from a public SEC filing, government court record, or reported insurance claim. Indirect costs (regulatory fines, share-price drop, customer churn, NDA settlements) are usually not disclosed — the real numbers are higher.
loading…
loading…
loading…
loading…
Most of these incidents started with one missed hardening control — an unpatched VPN, an over-permissioned service account, a forgotten SMBv1 endpoint. Obexum surfaces all three in under two minutes per host.
Each marker is a real ransomware victim from a threat-actor leak site — the map plots the 400 most recently listed. The full 24-month and all-time totals are shown at right. Click a country on the left to filter, hover any marker to see the gang and the leak-site post.
Map: Leaflet + Natural Earth (no third-party tile servers) · Victim data: ransomware.live
loading…
We sit on a different layer than Nessus, Tenable or your EDR. Our job is to find the misconfigurations that would let an attack succeed, before anyone tries. Every result is reproducible, every fix is auditable.
No LLM, no fuzzy matching, no “maybe”. Each check is a code-coded probe with explicit pass/fail logic and full evidence preservation. Same target, same answer, every time.
Every check passes a pericial round-trip: inject → detect → remediate → re-detect clean. We test every probe against a real lab — Windows AD, Linux and BSD — before we ship it.
55 PowerShell & bash playbooks ship in the box. Each one is dry-run by default, includes a rollback section, advisory notes for change-management, and a post-fix validation hook.
ADCS ESC1-15, Kerberos abuse paths, BloodHound ACL backdoors, GPO tampering, persistence T1546/T1574/T1543/T1053, UAC bypass surface — all mapped to MITRE ATT&CK and CIS benchmarks.
Every scan produces a structured engagement directory: manifest, findings JSON, branded HTML report, raw probe output, and per-finding artifacts. Defensible in front of auditors and management alike.
Obexum is a self-contained Go binary (~41 MB). No agent on the target. No mandatory cloud. Run it from a jump-box, your laptop, or your CI. A hosted portal adds dashboards, scan history and shared engagements when you want them.
These are representative findings from a default Server 2025 domain-controller
promotion in our AD lab (obxlab.local, Enterprise CA, synthetic
adversary fixtures). The full HTML report is browsable on
/demo.
| Rule ID | Title | Severity | Playbook |
|---|---|---|---|
AUD-WIN-ADCS-001 |
ADCS ESC1: SAN-supply template enrollable by low-priv user | CRITICAL | pb-windows-dc-adcs-001 |
AUD-WIN-ACL-001 |
DCSync extended right granted to non-Tier0 principal | CRITICAL | pb-windows-dc-acl-001 |
AUD-WIN-DCH-001 |
Print Spooler service running on Domain Controller (PrintNightmare) | CRITICAL | pb-windows-dc-dch-001 |
AUD-WIN-DCH-010 |
WDigest UseLogonCredential enabled (cleartext in LSASS) | CRITICAL | pb-windows-dc-dch-010 |
AUD-WIN-PRIV-009 |
LSASS RunAsPPL not enabled (Mimikatz dump exposure) | HIGH | pb-windows-dc-priv-009 |
AUD-WIN-FH-007 |
dSHeuristics anonymous LDAP bind bit set | HIGH | pb-windows-dc-fh-007 |
One binary, one config file, one engagement directory per scan. No agent on the target, no cloud roundtrip.
# 1. Get your build — sign in at obexum.com, Account → Builds (signed, scoped to your OS)
# 2. Bootstrap (creates ~/.obexum/, generates ssh key)
obexum init
# 3. Register your target
obexum targets add prod-dc-01 --type windows-dc --host 10.0.0.5
# 4. Scan (620 checks · ~3 minutes on a typical DC)
obexum scan --target prod-dc-01
# 5. Review the engagement
obexum findings list
obexum findings show AUD-WIN-ADCS-001
firefox ~/.obexum/scans/<scan-id>/findings.html
# 6. Render a remediation playbook for offline review
obexum playbook render pb-windows-dc-adcs-001 \
--target prod-dc-01 \
--item OBX_ESC1_AltSAN \
-o fix-ADCS-001.ps1
# 7. After the change-management owner runs the script:
obexum scan --target prod-dc-01
# → finding clears. Audit-trail closed.
Obexum complements your existing stack — it does not replace it.
| Layer | Tool family | What they do | What Obexum does instead |
|---|---|---|---|
| Discovery | Semgrep, CodeQL | Find new vulnerabilities in code / drivers | Consume that intel (e.g. loldrivers list) |
| Pentest | BloodHound, Certify, Cobalt Strike | Try to exploit, simulate the adversary | Find what would let them succeed first |
| Defensive audit | Obexum | Close the door before someone tries it | — |
| Live detection | Defender, CrowdStrike, Sentinel | Detect attacks while they are happening | Reduce what they have to detect |
“Obexum is the inspector that finds the cracks in the wall while there is still time to fix them. Not a shield, not an alarm — the audit you should have run before you bought the alarm.”
— Pericial methodology, baked in.