About Obexum

Built by auditors who got tired of false positives.

Obexum is named after obex — the Latin root for “barrier”. We build the barrier between a fresh install and the attacker who shows up months later. A deterministic, pericial-grade hardening audit for the full Windows, Linux and BSD fleet — and nothing it cannot prove.

620
Forensic checks
55
Remediation playbooks
20+
OS targets validated
0 FPs
In clean baseline

Every commercial scanner buried the truth in noise. So we wrote our own.

Obexum began in early 2026 as an internal tool. We were running pericial Active Directory audits for clients and kept hitting the same wall: every commercial scanner emitted dozens of “informational” findings on a clean forest, every report was a 200-page wall of CVE noise, and the actual adversary primitives — ESC1–15, ACL backdoors, Kerberos abuse — lived in separate playbooks, separate tools, separate vendors.

So we wrote a single Go binary that codified the checks we ran by hand, with one non-negotiable rule:

Zero false positives in a clean state — or the check does not ship.

Every probe has to pass a pericial round-trip — inject the misconfiguration, detect it, remediate it, re-scan clean — before it earns its rule_id. Check by check, that internal tool became a 620-probe framework spanning Windows Server 2016–2025, two dozen Linux distributions and the BSD family. The lab DC at obxlab.local still runs against every release; every commit references the engagement evidence; every check has a story you can reproduce.

The standard of an expert witness, applied to a scanner.

Pericial is what Spanish-speaking auditors call expert-witness forensic work — the kind that holds up in a courtroom. For a tool, that translates into four hard commitments.

Reproducibility

Same target, same answer, every time. Deterministic probes with explicit pass/fail logic — no LLM in detection, no fuzzy matching, no “maybe”. Identical inputs produce a byte-identical findings.json.

Evidence preservation

Raw probe output lives in the engagement directory: manifest, findings JSON, per-finding artifacts, branded report. We never summarise away the truth — an auditor can re-derive every conclusion.

Defensible severity

CRITICAL means a documented adversary primitive is open. HIGH adds an operator-controllable mitigation. Findings are risk-ranked against CVSS and the CISA KEV catalog. We do not inflate to pad a report.

Round-trip validation

Every check is provably bidirectional — it fires when the misconfiguration is present and stops firing the instant it is removed. That is how we earn “zero false positives” instead of claiming it.

Principles we will not trade away.

The wall, not the alarm

Defence in depth needs an audit at the foundation. We close the door before anyone tries it — we are not your EDR, we make its job smaller.

Operators, not dashboards

A CLI you can pipe into jq beats a SaaS tab you click through every morning. The portal is there when you want history — never a lock-in.

Open evidence

Every check is reviewable, every fix is auditable, severity is never a black box. If we cannot show our work, we do not ship the finding.

Yours, and offline

The scanner runs air-gapped with no telemetry. Your findings stay on your infrastructure unless you choose to upload them. No phone-home, ever.

Every finding gets a fix

A finding without remediation is half a job. Each one ships actionable guidance — commands, verification, rollback — so you can close the loop.

Zero false positives is a contract

Not an aspiration. On a clean baseline, a clean report — or the check goes back to the bench until it behaves.

One binary, validated across the fleet.

Each platform ships with its own scope file, validated by the round-trip protocol on a real host of that OS — not a generic rule set.

Windows AD

  • Server 2016 · 2019 · 2022 · 2025
  • ADCS ESC1–15, Kerberos abuse
  • ACL backdoors / DCSync / AdminSDHolder
  • GPO + SYSVOL, persistence surfaces
  • LSA + Credential Guard, Defender + ASR

Linux

  • Debian 11/12, Ubuntu 22.04/24.04
  • RHEL 7–10, Rocky & Alma 8/9
  • Oracle 9, SLES 15 / openSUSE, Alpine, Arch
  • identity, sudoers, SSH, sysctl, auditd
  • firewall, services, LUKS, malware + persistence

BSD

  • FreeBSD 14.2, OpenBSD 7.6, NetBSD 10.1
  • identity, sysctl / securelevel
  • sshd hardening, pf / ipfw firewall
  • pkg integrity, logging, persistence
  • OS-aware remediation routing

Built to CIS Benchmarks, NIST SP 800-53, DISA STIG, MITRE ATT&CK and CISA guidance. See the full check catalogue and lab results.

We are a small team, and we answer email personally.

Questions about coverage, methodology, or a platform you do not see? Talk to the people who wrote the checks.