Obexum is named after obex — the Latin root for “barrier”. We build the barrier between a fresh install and the attacker who shows up months later. A deterministic, pericial-grade hardening audit for the full Windows, Linux and BSD fleet — and nothing it cannot prove.
Obexum began in early 2026 as an internal tool. We were running pericial Active Directory audits for clients and kept hitting the same wall: every commercial scanner emitted dozens of “informational” findings on a clean forest, every report was a 200-page wall of CVE noise, and the actual adversary primitives — ESC1–15, ACL backdoors, Kerberos abuse — lived in separate playbooks, separate tools, separate vendors.
So we wrote a single Go binary that codified the checks we ran by hand, with one non-negotiable rule:
Zero false positives in a clean state — or the check does not ship.
Every probe has to pass a pericial round-trip — inject the
misconfiguration, detect it, remediate it, re-scan clean — before it
earns its rule_id. Check by check, that internal tool became a
620-probe framework spanning Windows Server 2016–2025, two dozen Linux
distributions and the BSD family. The lab DC at obxlab.local
still runs against every release; every commit references the engagement
evidence; every check has a story you can reproduce.
Pericial is what Spanish-speaking auditors call expert-witness forensic work — the kind that holds up in a courtroom. For a tool, that translates into four hard commitments.
Same target, same answer, every time. Deterministic probes with explicit pass/fail logic — no LLM in detection, no fuzzy matching, no “maybe”. Identical inputs produce a byte-identical findings.json.
Raw probe output lives in the engagement directory: manifest, findings JSON, per-finding artifacts, branded report. We never summarise away the truth — an auditor can re-derive every conclusion.
CRITICAL means a documented adversary primitive is open. HIGH adds an operator-controllable mitigation. Findings are risk-ranked against CVSS and the CISA KEV catalog. We do not inflate to pad a report.
Every check is provably bidirectional — it fires when the misconfiguration is present and stops firing the instant it is removed. That is how we earn “zero false positives” instead of claiming it.
Defence in depth needs an audit at the foundation. We close the door before anyone tries it — we are not your EDR, we make its job smaller.
A CLI you can pipe into jq beats a SaaS tab you click through every morning. The portal is there when you want history — never a lock-in.
Every check is reviewable, every fix is auditable, severity is never a black box. If we cannot show our work, we do not ship the finding.
The scanner runs air-gapped with no telemetry. Your findings stay on your infrastructure unless you choose to upload them. No phone-home, ever.
A finding without remediation is half a job. Each one ships actionable guidance — commands, verification, rollback — so you can close the loop.
Not an aspiration. On a clean baseline, a clean report — or the check goes back to the bench until it behaves.
Each platform ships with its own scope file, validated by the round-trip protocol on a real host of that OS — not a generic rule set.
Built to CIS Benchmarks, NIST SP 800-53, DISA STIG, MITRE ATT&CK and CISA guidance. See the full check catalogue and lab results.