Obexum documentation

Welcome. Obexum is a deterministic, forensic-grade hardening audit framework. These docs walk you from a fresh laptop to a signed audit report in under an hour.

Where to start

What Obexum is

Obexum sits in a different layer than your pentest tooling and your EDR. Pentesters look for what works now; EDRs detect what is happening now; Obexum finds the configurations that would let an attack succeed if someone tried, before anyone does.

Every probe is deterministic Go code with explicit pass/fail logic, every finding ships with raw evidence, and every CRITICAL/HIGH finding gets a remediation playbook with built-in rollback hints.

What Obexum is not

Architecture (in one diagram)

┌─────────────────────────────────────────────────────────────┐
│  Your jump-box (laptop / CI runner / dedicated audit VM)    │
│                                                              │
│   obexum scan run prod-dc-01                                 │
│        │                                                     │
│        ├─► SSH / WinRM ──► target host                       │
│        │     │                                               │
│        │     ├─ run probe (PowerShell base64 encoded)        │
│        │     │  └─ collect stdout + stderr + manifest        │
│        │     └─ no agent, no persistence on target           │
│        │                                                     │
│        ├─► engagement directory ~/.obexum/scans/<id>/        │
│        │     ├─ manifest.json                                │
│        │     ├─ findings.json                                │
│        │     ├─ findings.html (branded report)               │
│        │     └─ artifacts/<rule_id>/...                      │
│        │                                                     │
│        └─► SQLite ~/.obexum/obexum.db (history, diff)        │
│                                                              │
└─────────────────────────────────────────────────────────────┘

Get started in 30 seconds

curl -fsSL https://get.obexum.com | sh
obexum init
obexum targets add my-dc --type windows-dc --host 10.0.0.5
obexum scan run my-dc

Continue with the Quickstart guide →