Introducing Obexum 0.9 — 569 forensic checks, 0 false positives
Today we are publishing Obexum 0.9, the first release that closes the original 13-phase audit roadmap. Five months ago we sat down with a clean Go module and one rule: zero false positives in a clean baseline, or the check does not ship. As of this commit, 569 out of 569 checks have passed that bar.
What is in the box
- 569 forensic checks across Linux and Windows AD — 11 phases of base coverage (F1-F11) plus the F12 Windows hardening pack and the F13 AD-Depth set (12 batches: ADCS, Kerberos, ACLs, privileged groups, forest hygiene, LDAP/SMB, GPO, DC hardening, trusts, persistence T1547 / T1546 / T1574 / T1543 / T1053, privesc + UAC bypass).
- 55 remediation playbooks — PowerShell + bash, dry-run by default, rollback hints baked in, MITRE ATT&CK + CIS references throughout.
- Engagement-grade output — per-scan directory with manifest.json, findings.json, branded findings.html, raw probe artefacts.
- UX commands — obexum init, obexum targets add, obexum scan run <name>, obexum findings show <rule_id>, obexum diff.
- Single binary — 30 MB, no agent on the target, no mandatory cloud.
Why “zero false positives” matters
Every commercial scanner we evaluated emitted dozens of "informational" findings on a freshly promoted Server 2022 DC. After the third or fourth audit, the operator stops reading the report. By then, the actual adversary primitives — ESC1-15 AD CS abuse paths, ACL backdoors, Kerberos abuse paths — are buried under "Anonymous-FTP-Allowed-On-IPv6-Loopback-Maybe" noise.
Zero false positives is not just a quality bar. It is a contract. It means the operator can hand the report to management, sign it at expert-witness grade, and be confident that every CRITICAL flag corresponds to a documented adversary primitive that is genuinely open right now.
How we got there
Every check passed a four-step round-trip before it earned its rule_id:
- Inject — a synthetic harness creates the exact misconfiguration the check looks for.
- Detect — the check fires 1:1 with the injection, no extras, no misses.
- Remediate — the harness reverts the misconfiguration. The check returns PASS.
- Re-inject — the harness reapplies. The check fires again, identically.
The full lab evidence trail is on /results. Every commit references its engagement transcript; every probe is reviewable Go code.
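To make the round-trip concrete, here is a self-contained harness in the same shape, written for this post as an added example rather than taken from the Obexum code base. It pins one Linux probe (a world-writable file in a cron drop-in directory, the T1053.003 cron persistence primitive) to a temporary directory and drives it through inject, detect, remediate and re-inject. The rule id `EXAMPLE-CRON-WW`, the file names and the probe itself are illustrative assumptions; a compliant decoy file sits beside the target so that a probe which flags too much fails the "no extras" step rather than slipping through.

```go
package main

import (
	"fmt"
	"os"
	"path/filepath"
)

// Finding is the minimal shape the harness asserts on: one per offending file.
type Finding struct {
	RuleID string
	Path   string
	Mode   os.FileMode
}

// Hypothetical rule id for this example; Obexum's real catalogue is not reproduced here.
const ruleID = "EXAMPLE-CRON-WW"

// CheckWorldWritableCron is the probe: it flags every regular file in dir that
// carries the "other write" bit. A world-writable cron drop-in lets any local
// user schedule commands as root (ATT&CK T1053.003). It emits exactly one
// finding per offending file and nothing for compliant ones.
func CheckWorldWritableCron(dir string) ([]Finding, error) {
	entries, err := os.ReadDir(dir)
	if err != nil {
		return nil, err
	}
	var out []Finding
	for _, e := range entries {
		if !e.Type().IsRegular() {
			continue // directories, symlinks and sockets are out of scope for this rule
		}
		info, err := e.Info()
		if err != nil {
			return nil, err
		}
		if info.Mode().Perm()&0o002 != 0 {
			out = append(out, Finding{RuleID: ruleID, Path: filepath.Join(dir, e.Name()), Mode: info.Mode().Perm()})
		}
	}
	return out, nil
}

// RoundTrip records the probe's behaviour at each harness step.
type RoundTrip struct {
	Target                                            string // file the harness misconfigures
	Hit                                               string // path the probe reported after injection
	Baseline, AfterInject, AfterRemediate, AfterReinject int
}

// Passes is the shipping bar: silent on the clean baseline, exactly one finding
// (on the injected file) after injection, silent after remediation, one again after re-injection.
func (r RoundTrip) Passes() bool {
	return r.Baseline == 0 && r.AfterInject == 1 && r.Hit == r.Target &&
		r.AfterRemediate == 0 && r.AfterReinject == 1
}

// RunRoundTrip builds a fake cron.d directory under dir with a compliant decoy
// and a target file, then drives inject -> detect -> remediate -> re-inject.
// The decoy stays 0644 throughout, so an over-eager probe would fail "no extras".
func RunRoundTrip(dir string) (RoundTrip, error) {
	r := RoundTrip{Target: filepath.Join(dir, "20-rotate")}
	decoy := filepath.Join(dir, "10-backup")
	for _, p := range []string{decoy, r.Target} {
		if err := os.WriteFile(p, []byte("0 3 * * * root /usr/local/bin/job\n"), 0o644); err != nil {
			return r, err
		}
		if err := os.Chmod(p, 0o644); err != nil { // pin the mode regardless of umask
			return r, err
		}
	}
	count := func() (int, string, error) {
		f, err := CheckWorldWritableCron(dir)
		if err != nil || len(f) == 0 {
			return len(f), "", err
		}
		return len(f), f[0].Path, nil
	}
	var err error
	if r.Baseline, _, err = count(); err != nil {
		return r, err
	}
	// Inject: create the exact misconfiguration the rule looks for.
	if err = os.Chmod(r.Target, 0o666); err != nil {
		return r, err
	}
	if r.AfterInject, r.Hit, err = count(); err != nil {
		return r, err
	}
	// Remediate: revert it; the check must return to PASS.
	if err = os.Chmod(r.Target, 0o644); err != nil {
		return r, err
	}
	if r.AfterRemediate, _, err = count(); err != nil {
		return r, err
	}
	// Re-inject: reapply; the check must fire again, identically.
	if err = os.Chmod(r.Target, 0o666); err != nil {
		return r, err
	}
	r.AfterReinject, _, err = count()
	return r, err
}

func main() {
	dir, err := os.MkdirTemp("", "cron-roundtrip")
	if err != nil {
		panic(err)
	}
	defer os.RemoveAll(dir)
	r, err := RunRoundTrip(dir)
	if err != nil {
		panic(err)
	}
	fmt.Printf("%+v passes=%v\n", r, r.Passes())
}
```

The probe reads mode bits rather than testing effective access, so the harness gives the same answer whether it runs as root or as an unprivileged user; a real rule would also decide what to do about symlinks and group-writable files, and each of those decisions needs its own inject/detect pair before it ships.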
What is next
- Sprint C — this site, the SaaS portal scaffold, the docs you are reading now. Q3 2026.
- Validation phase — opt-in secondary probes that confirm exploitability (deterministic, not LLM-driven). We talked about it on the ADCS post.
- Pipeline-as-YAML — let MSSPs author custom checks without recompiling.
- REST API + GUI — for multi-tenant operations.
Get it
curl -fsSL https://get.obexum.com | sh
obexum init
14-day Team trial, no credit card. Pricing here. Talk to us at hello@obexum.com.
— The Obexum team