Playbooks Catalog

Uses IBM's OpenAPI Validator to check OpenAPI 3.x and Swagger 2.0 specifications for correctness, best practices, and security issues. Detects missing authentication schemes, insecure endpoints, and spec violations.

satori run satori://api/openapi-validator.yml -d SPEC_URL="https://petstore3.swagger.io/api/v3/openapi.json" --report --output

Runs a read-only AWS security assessment using several complementary tools (ScoutSuite for posture, Prowler for compliance/CIS checks, a jq-based IAM over-privilege analysis in the spirit of Cloudsplaining, plus best-effort pulls of native AWS sources: GuardDuty, Security Hub and IAM Access Analyzer). Each source is reduced to a compact findings JSON under /data (captured by --files), merged, and handed to Google Gemini Flash (via OpenRouter) which correlates them across tools into a prioritized report. The AI step is grounded: it summarizes only the merged findings JSON and is instructed never to invent resources. Credentials are written to disk once (read-only audit user) so they are never passed on command lines.

satori run satori://cloud/aws-assessment-ai.yml -d AWS_ACCESS_KEY=$AWS_ACCESS_KEY -d AWS_SECRET_KEY=$AWS_SECRET_KEY -d OPENROUTER=$OPENROUTER --files --report --output

Prowler is an open-source security tool to perform AWS security best practices assessments, audits, incident response, continuous monitoring, hardening and forensics readiness. It contains hundreds of controls covering CIS, PCI-DSS, ISO27001, GDPR, HIPAA, FFIEC, SOC2, AWS FTR, ENS and custom security frameworks.

satori run satori://cloud/aws-prowler.yml -d AWS_ACCESS_KEY=key -d AWS_SECRET_KEY=secret --report --output

Runs ScoutSuite (read-only) against AWS, verifies the scan actually produced data, asserts on flagged danger/warning findings, and uses Google Gemini Flash (via OpenRouter) to summarize the real findings into a markdown table. The AI step is grounded: it summarizes only the extracted findings JSON and is instructed never to invent resources.

satori run satori://cloud/aws-scoutsuite-ai.yml -d AWS_ACCESS_KEY=$AWS_ACCESS_KEY -d AWS_SECRET_KEY=$AWS_SECRET_KEY -d OPENROUTER=$OPENROUTER --files --report --output

ScoutSuite is a multi-cloud security auditing tool that identifies and analyze potential misconfigurations and vulnerabilities across various cloud environments, including AWS, Azure, GCP, and more. It uses read-only credentials to collect configuration data, then generates a comprehensive report highlighting key security findings and suggesting remediation steps. Built for simplicity and scalability, ScoutSuite offers an agentless approach that allows security teams to efficiently evaluate their cloud infrastructure without the complexity of additional software or persistent agents. Its web-based interactive reports provide a clear overview of risk areas, enabling faster and more informed decision-making to strengthen overall cloud security posture.

satori run satori://cloud/aws-scoutsuite.yml -d AWS_ACCESS_KEY=TBC -d AWS_SECRET_KEY=TBC --files --report --output

Read-only Azure / Entra ID compliance & posture assessment. Imports two tools - azure-scoutsuite (Azure/Entra posture: flagged misconfigurations) and azure-prowler (CIS/compliance: failed critical/high checks) - each authenticating as an Entra service principal and writing a compact findings JSON under /data. This playbook merges them and Google Gemini Flash (via OpenRouter) correlates them into a prioritized report. The AI step is grounded: it summarizes only the merged findings JSON and never invents resources.

satori run satori://cloud/azure-compliance-ai.yml -d AZURE_CLIENT_ID=$AZURE_CLIENT_ID -d AZURE_CLIENT_SECRET=$AZURE_CLIENT_SECRET -d AZURE_TENANT_ID=$AZURE_TENANT_ID -d OPENROUTER=$OPENROUTER --output --test correlate:summary:gemini_flash:report:stdout 2>/dev/null | glow -w 200

Read-only Azure / Entra ID hackability assessment focused on real exploitability (not compliance padding). Imports two complementary tools - azurehound (BloodHound collector: maps the tenant graph, surfaces who holds Global Administrator and other high-impact roles, privileged-object owners) and m365-maester (280+ Entra ID tests: account-takeover entry points like missing MFA, legacy auth, risky app consent, weak Conditional Access). Both run in one PowerShell container (AzureHound is a self-contained linux binary), each writes a summary JSON under /data; this playbook merges them and Google Gemini Flash (via OpenRouter) correlates into a report ranked by EXPLOITABILITY. The AI step is grounded: it summarizes only the merged findings and never invents resources.

satori run satori://cloud/azure-exploitability-ai.yml -d AZURE_CLIENT_ID=$AZURE_CLIENT_ID -d AZURE_CLIENT_SECRET=$AZURE_CLIENT_SECRET -d AZURE_TENANT_ID=$AZURE_TENANT_ID -d AZURE_SUBSCRIPTION_ID=$AZURE_SUBSCRIPTION_ID -d OPENROUTER=$OPENROUTER --output --test correlate:summary:gemini_flash:report:stdout 2>/dev/null | glow -w 200

Runs Prowler against Azure authenticating as an Entra service principal (--sp-env-auth, client secret), returning failed critical/high checks. Reduces the OCSF output to a compact findings JSON under /data/out/prowler.json (captured by --files) grouped by check, and surfaces the critical findings. Read-only. Prowler 5.x requires Python <3.13.

satori run satori://cloud/azure-prowler.yml -d AZURE_CLIENT_ID=$AZURE_CLIENT_ID -d AZURE_CLIENT_SECRET=$AZURE_CLIENT_SECRET -d AZURE_TENANT_ID=$AZURE_TENANT_ID --files --report --output

Runs ScoutSuite against Azure / Entra ID authenticating as an Entra service principal (client secret), across all subscriptions. Extracts the flagged findings (service, level, description, count) to /data/out/scoutsuite.json (captured by --files) and surfaces the danger-level findings. Read-only, agentless.

satori run satori://cloud/azure-scoutsuite.yml -d AZURE_CLIENT_ID=$AZURE_CLIENT_ID -d AZURE_CLIENT_SECRET=$AZURE_CLIENT_SECRET -d AZURE_TENANT_ID=$AZURE_TENANT_ID --files --report --output

Collects the Entra ID / Azure tenant graph with AzureHound (the BloodHound data collector) authenticating as an Entra service principal via client secret, and writes the full typed JSON (identities, roles, role assignments, apps, service principals, ownerships, ARM resources) to /data/azurehound.json. A jq analysis layer then summarizes the collection (object counts by kind) and surfaces attack-path-relevant signals without needing neo4j/BloodHound: principals holding privileged directory roles (Global Administrator, Privileged Role Administrator, Application Administrator, etc.), counts of apps / service principals, and owners of privileged objects. All outputs are written under /data (captured by --files).

satori run satori://cloud/azurehound.yml -d AZURE_CLIENT_ID=$AZURE_CLIENT_ID -d AZURE_CLIENT_SECRET=$AZURE_CLIENT_SECRET -d AZURE_TENANT_ID=$AZURE_TENANT_ID -d AZURE_SUBSCRIPTION_ID=$AZURE_SUBSCRIPTION_ID --files --report --output

Runs Maester (https://github.com/maester365/maester) — a PowerShell/Pester framework with 280+ Microsoft 365 / Entra ID security tests (EIDSCA, CISA SCuBA, CIS M365). Authenticates to Microsoft Graph as an Entra service principal (app-only, client secret), installs the Maester/Pester/Microsoft.Graph modules, runs the full Entra ID test suite and writes JSON/HTML/Markdown results under /data (captured by --files). Tests requiring Exchange Online / Teams / SharePoint / Intune permissions are skipped when those scopes are not granted to the service principal.

satori run satori://cloud/m365-maester.yml -d AZURE_CLIENT_ID=$AZURE_CLIENT_ID -d AZURE_CLIENT_SECRET=$AZURE_CLIENT_SECRET -d AZURE_TENANT_ID=$AZURE_TENANT_ID --files --report --output

Analyze ABAP (Advanced Business Application Programming) code for potential security vulnerabilities, code quality issues, and best practice violations

satori run ./ --playbook satori://code/abap/abap-code-scanner.yml --report --output

Bearer is a static application security testing (SAST) tool designed to scan your source code and analyze data flows to identify, filter, and prioritize security and privacy risks.

satori run ./ --playbook=satori://code/bearer.yml --report --output

Brakeman is a static analysis security vulnerability scanner for Ruby on Rails applications. It scans application code for known vulnerabilities, security issues, and configuration problems.

satori run ./ --playbook satori://code/ruby/brakeman.yml --report --output

CLOC counts blank lines, comment lines, and physical lines of source code in many programming languages.

satori local ./ --playbook satori://code/cloc.yml --report --output

Lightweight COBOL scanner can provide meaningful security coverage

satori run satori://code/cobol.yml --repo meyfa/CobolCraft --report --output

CodeQL is a semantic code analysis engine that finds security vulnerabilities in JavaScript, Python, and Ruby codebases using database queries.

satori run ./ --playbook satori://code/codeql.yml --report --output

Cppcheck is a static analysis tool for detecting bugs, undefined behavior, and potential security vulnerabilities in C and C++ code.

satori run ./ --playbook satori://code/cppcheck.yml --report --output

Stylelint is a mighty, modern linter that helps you avoid errors and enforce conventions in your styles. It understands the latest CSS syntax including custom properties and level 4 selectors.

satori run ./ --playbook satori://code/css/lint/stylelint.yml --report --output

Gato-X is a scanning and attack tool for GitHub Actions pipelines. You can use it to identify Pwn Requests, Actions Injection, TOCTOU Vulnerabilities, and Self-Hosted Runner takeover at scale using just a single API token. Gato-X is an operator focused tool that is tuned to avoid false negatives. It will have a higher false positive rate than SAST tools like CodeQL, but Gato-X will give you everything you need to quickly determine if something is a true positive or not.

satori run satori://code/github/gato-x.yml -d GITHUB_PAT=TBC -d REPO=udacity/deep-reinforcement-learning --report --output

ghwfauditor, based on GitHub Workflow Auditor, identifies vulnerability in GitHub Workflows. It does so by scanning the workflow files for anti-patterns such as ingesting user inputs in an unsafe manner or using malicious commits in build process. The tool supports scanning individual repositories or all accessibe repositories of a user or organization.

satori run satori://code/github/ghwfauditor.yml -d GITHUB_PAT=TBC --repo All-Hands-AI/OpenHands --report --output

GitVerify analyzes GitHub repositories to assess their trustworthiness by evaluating metadata, contributors, issues, pull requests, and associated domains. It gathers data from the GitHub API and can optionally perform VirusTotal checks on associated domains. The results are presented in various formats, including text, JSON, and CSV.

satori run satori://code/github/gitverify.yml -d REPO="https://github.com/repo" --report --output

Gitxray (short for Git X-Ray) is a multifaceted security tool designed for use on GitHub repositories. It serves various use cases, including OSINT, forensics, and security teams, as well as developers looking to secure their repositories, organizations, and related contributors. Gitxray leverages public GitHub REST APIs to gather information that would otherwise be very time-consuming to obtain manually. Additionally, it seeks out information in unconventional places.

satori run satori://code/github/gitxray.yml -d REPO=satorici/playbooks --report --output

Octoscan is a reconnaissance tool that automates the process of scanning GitHub organizations and repositories for potential security issues in Github Workflows.

satori run ./ --playbook satori://code/github/octoscan.yml --report --output

Semgrep is a static code analysis tool with stable support for C#, Go, Java, JavaScript, JSON, Python, PHP, Ruby, and Scala. It has experimental support for nineteen other languages, as well as a language agnostic mode. The following playbook focuses on Github Workflows

satori run ./ --playbook satori://code/github/semgrep.yml --report --output

CI-Friendly static linter with autofix, SAST, semantic analysis for GitHub Actions

satori run --playbook satori://code/github/sisakulint.yml --repo satorici/satori-cli --report --output

Gosec inspects Go source code for security problems by scanning the Go AST. It detects hardcoded credentials, SQL injection, command injection, path traversal, weak cryptography, and other common security issues in Go code.

satori run satori://code/go/gosec.yml --repo securego/gosec --report --output

Horusec is an open-source static application security testing tool that identifies vulnerabilities in source code across 18+ languages including Python, JavaScript, Java, Go, C#, Ruby, PHP, Kotlin, and Dart. It integrates 20+ security analysis engines.

satori run ./ --playbook satori://code/horusec.yml --report --output

HoundDog.ai's Privacy by Design Code Scanner helps organizations proactively detect and prevent the overexposure of sensitive data in high risk mediums, which could lead to privacy violations. The scanner embeds privacy into every stage of development, from IDE to CI. It discovers third party and AI integrations, including shadow AI, detects exposures of Personally Identifiable Information (PII), Protected Health Information (PHI), and authentication tokens in LLM prompts and other often overlooked surfaces such as logs, files, and third party SDKs, blocks unapproved data types before any code reaches production, and generates audit ready Privacy Impact Assessments prefilled with detected data flows and privacy risks.

satori run ./ --playbook satori://code/hounddog.yml --report --output

SpotBugs is a static analysis tool that looks for bugs in Java code. It uses the Find Security Bugs plugin to detect security vulnerabilities including SQL injection, XSS, cryptographic weaknesses, and other OWASP Top 10 issues.

satori run satori://code/java/spotbugs.yml --repo OWASP-Benchmark/BenchmarkJava --report --output

OWASP DependencyCheck is a multi-language Software Composition Analysis (SCA) tool. While it is commonly used in Java projects, it also supports scanning dependencies for other ecosystems, including .NET, Node.js, Python, Ruby, PHP, and more.

satori run ./ --playbook satori://code/javascript/dependencycheck.yml --report --output

Biome is a fast formatter and linter for JavaScript, TypeScript, JSX, and JSON that scores 97% compatibility with Prettier. It features fast, native performance and requires zero configuration to get started.

satori run ./ --playbook satori://code/javascript/lint/biome.yml --report --output

ESLint statically analyzes your code to quickly find problems. It finds and fixes problems in your JavaScript code, from style issues to bugs and potential errors.

satori run ./ --playbook satori://code/javascript/lint/eslint.yml --report --output

JSCPD is a copy/paste detector for programming source code, supporting many languages including JavaScript, TypeScript, and more. It helps identify duplicated code that should be refactored.

satori run ./ --playbook satori://code/javascript/lint/jscpd.yml --report --output

JSDoc is a markup language used to annotate JavaScript source code files and an API documentation generator for JavaScript. It allows developers to document their code using comments formatted in a particular way.

satori run ./ --playbook satori://code/javascript/lint/jsdoc.yml --report --output

JSHint is a community-driven tool that detects errors and potential problems in JavaScript code. It is more flexible than JSLint and allows developers to configure many options to fit their coding style and needs.

satori run ./ --playbook satori://code/javascript/lint/jshint.yml --report --output

Prettier is an opinionated code formatter that supports many languages and integrates with most editors. It removes all original styling and ensures that all outputted code conforms to a consistent style.

satori run ./ --playbook satori://code/javascript/lint/prettier.yml --report --output

StandardJS is a JavaScript style guide, linter, and formatter. It enforces a consistent style with no configuration required, helping teams avoid bikeshedding over code style and focus on what matters.

satori run ./ --playbook satori://code/javascript/lint/standard.yml --report --output

The audit command submits a description of the dependencies configured in your project to your default registry and asks for a report of known vulnerabilities. If any vulnerabilities are found, then the impact and appropriate remediation will be calculated. It may be useful in CI environments to include the --audit-level parameter to specify the minimum vulnerability level that will cause the command to fail. This option does not filter the report output, it simply changes the command's failure threshold.

satori run ./ --playbook satori://code/javascript/npmaudit.yml --report --output

Scan a web app or node app for use of known vulnerable JavaScript libraries and/or Node.JS modules

satori run ./ --playbook satori://code/javascript/retirejs.yml --report --output

Semgrep is a static code analysis tool with stable support for C#, Go, Java, JavaScript, JSON, Python, PHP, Ruby, and Scala. It has experimental support for nineteen other languages, as well as a language agnostic mode. The following playbook focuses on JavaScript files.

satori run satori://code/javascript/semgrep.yml --report --output

Open-source code analysis platform for C/C++/Java/Binary/Javascript/Python/Kotlin based on code property graphs.

satori run satori://code/joern.yml --repo satorici/satori-cli --report --output

APKLeaks scans Android APK files to find sensitive information like URLs, API keys, secrets, endpoints, and other potentially sensitive strings that could expose security issues.

satori run ./ --playbook satori://code/mobile/apkleaks.yml --report --output

MobSFScan can find insecure code patterns in Android and iOS source code. Supports Java, Kotlin, Swift, and Objective C Code. It uses MobSF static analysis rules and is powered by semgrep and libsast pattern matcher. ## Example: ```satori run ./ --playbook="satori://code/mobsfscan.yml" --report --output```

satori run ./ --playbook satori://code/mobile/mobsfscan.yml --report --output

OSV-Scanner by Google scans project dependencies for known vulnerabilities using the OSV.dev database. It supports 11+ language ecosystems including Go, Python, JavaScript, Java, Rust, Ruby, and more.

satori run ./ --playbook satori://code/osv-scanner.yml --report --output

pip-audit scans Python dependencies for security vulnerabilities using the Python Packaging Advisory Database (PyPI). It helps ensure secure package management by identifying and reporting issues in installed dependencies.

satori run ./ --playbook satori://code/python/pip-audit.yml --report --output

Bandit processes each file, builds an AST from it, and runs appropriate plugins against the AST nodes. Once Bandit has finished scanning all the files it generates a report about the security issues found.

satori run ./ --playbook satori://code/python/bandit.yml --report --output

Bloky detects blocking operations in Python async code that could cause performance issues.

satori run satori://code/python/bloky.yml --repo satorici/satori-cli --report --output

Autopep8 automatically formats Python code to conform to the PEP 8 style guide.

satori run ./ --playbook satori://code/python/lint/autopep8.yml --report --output

BasedMypy is an enhanced Python static type checker built on mypy with improved type system features including intersection types, better type inference, and gradual adoption through baseline functionality. Note: Project deprecated July 2025, consider BasedPyright as alternative.

satori run ./ --playbook satori://code/python/lint/basedmypy.yml --report --output

BasedPyright is a fork of Microsoft's Pyright with enhanced type checking improvements, integrated Pylance features, and better VSCode support. Provides advanced Python type analysis with additional features beyond the original pyright implementation.

satori run ./ --playbook satori://code/python/lint/basedpyright.yml --report --output

Black is an uncompromising Python code formatter that enforces a consistent style. It reformats code automatically and minimizes diff noise by using strict formatting rules.

satori run ./ --playbook satori://code/python/lint/black.yml --report --output

Flake8 is a wrapper around PyFlakes, pycodestyle, and Ned Batchelder's McCabe script. Flake8 runs all the tools by launching the single flake8 command. It displays the warnings in a per-file, merged output.

satori local ./ --playbook satori://code/python/lint/flake8.yml --report --output

Isort is a Python utility for sorting imports. It automatically sorts and organizes imports in your Python files, making them easier to read and maintain.

satori run ./ --playbook satori://code/python/lint/isort.yml --report --output

Mypy is a static type checker for Python that helps enforce type annotations. It can detect type errors and inconsistencies before runtime, improving code safety and maintainability.

satori run ./ --playbook satori://code/python/lint/mypy.yml --report --output

Prospector runs a collection of Python analysis tools like pylint, mypy, and pep8. It offers an aggregated view of code quality issues in a unified report.

satori run ./ --playbook satori://code/python/lint/prospector.yml --report --output

Pycodestyle checks Python code against the PEP 8 style guide. It's useful for maintaining consistent formatting and identifying common stylistic issues.

satori run ./ --playbook satori://code/python/lint/pycodestyle.yml --report --output

Pydocstyle checks compliance with Python docstring conventions as specified in PEP 257.

satori run ./ --playbook satori://code/python/lint/pydocstyle.yml --report --output

Pyflakes analyzes Python source files to detect errors such as unused imports and undefined variables. It focuses on correctness rather than style.

satori run ./ --playbook satori://code/python/lint/pyflakes.yml --report --output

Pylama is a code audit tool that aggregates results from multiple linters and static analyzers. It's ideal for batch linting and unified output during CI/CD workflows.

satori run ./ --playbook satori://code/python/lint/pylama.yml --report --output

It analyses your code without actually running it. It checks for errors, enforces a coding standard, looks for code smells, and can make suggestions about how the code could be refactored.

satori run ./ --playbook satori://code/python/pylint.yml --report --output

Pyrefly is a static analysis tool for Python that helps identify potential issues in code made by Facebook.

satori run --playbook satori://code/python/lint/pyrefly.yml --repo satorici/satori-cli --output --report

Pyright is a full-featured, standards-based static type checker for Python. It is designed for high performance and can be used with large Python source bases.

satori run ./ --playbook satori://code/python/lint/pyright.yml --report --output

Pytype is a static type checker for Python that can catch type errors in your code before you run it.

satori run ./ --playbook satori://code/python/lint/pytype.yml --report --output

Radon provides various code metrics for Python, including cyclomatic complexity, raw metrics, and maintainability index.

satori run ./ --playbook satori://code/python/lint/radon.yml --report --output

Ruff is a fast Python linter and formatter that enforces code quality by detecting style violations, unused imports, and potential errors. It provides an alternative to traditional Python linters with a focus on speed and efficiency.

satori run --playbook satori://code/python/ruff.yml --repo satorici/satori-cli --output --test ruff.run --report

An extremely fast Python type checker and language server, written in Rust.

satori run ./ --playbook satori://code/python/lint/ty.yml --report --output

Vulture scans Python code to find unused variables, functions, and classes. It helps identify dead code that can be removed to improve code quality and maintainability.

satori run ./ --playbook satori://code/python/lint/vulture.yml --report --output

Generate random python code to test linter/formatter/and other tools. pysource-codegen is able to generate random python code which can be compiled

satori run satori://code/python/pysource-codegen.yml --report --output

PySpector is a static analysis security testing (SAST) Framework engineered for modern Python development workflows. It leverages a powerful Rust core to deliver high-speed, accurate vulnerability scanning, wrapped in a developer-friendly Python CLI.

satori run satori://code/python/pyspector.yml --repo satorici/satori-cli --report --output

Safety detects known vulnerabilities in Python dependencies by scanning installed packages against a vulnerability database. It helps identify insecure libraries and provides insights into potential security risks in software projects.

satori run ./ --playbook satori://code/python/safety.yml --report --output

Runs pytest to discover and execute unit tests in Python projects with automatic dependency installation.

satori run ./ --playbook satori://code/python/test/pytest.yml --report --output

Runs Python's built-in unittest framework to discover and execute unit tests.

satori run ./ --playbook satori://code/python/test/unittest.yml --report --output

RuboCop is a Ruby static code analyzer (a.k.a. linter) and code formatter. It enforces many of the guidelines outlined in the community Ruby Style Guide, finds code smells, and can auto-fix many issues.

satori run ./ --playbook satori://code/ruby/rubocop.yml --report --output

Embedded Ruby (.erb) into Embedded Puppet (.epp)

satori run ./ --playbook satori://code/ruby/erb-to-epp.yml --report --output

Checks Rust projects for security vulnerabilities and unsafe code. Uses cargo-audit to detect known security issues in dependencies. Ensures no advisories are present.

satori run ./ --playbook satori://code/rust/audit.yml --report --output

Checks Rust projects for unsafe code

satori run ./ --playbook satori://code/rust/geiger.yml --report --output

Semgrep is a code analysis tool that searches for patterns in source code to detect vulnerabilities, enforce best practices, and identify code structure issues. It supports multiple programming languages and allows users to define custom rules for static analysis.

satori run ./ --playbook satori://code/semgrep.yml --report --output

4naly3er is a Solidity static analyzer built for competitive audits and bug bounties. It scans for gas optimizations, quality assurance issues, and low-severity findings commonly reported in Code4rena, Sherlock, and other audit contest platforms. Ideal for pre-audit preparation of DeFi protocols.

satori run satori://code/solidity/4naly3er.yml --repo smartbugs/smartbugs-curated --report --output

Aderyn is a Rust-based Solidity AST analyzer built by Cyfrin. It walks the Abstract Syntax Tree to detect vulnerability patterns with high speed and accuracy. It supports Foundry and Hardhat projects and detects reentrancy, centralization risks, unchecked returns, and other smart contract issues.

satori run satori://code/solidity/aderyn.yml --repo crytic/not-so-smart-contracts --report --output

Full DeFi static analysis security testing suite combining Slither, Semgrep with Solidity rules, and Solhint. Covers vulnerability detection, code quality, and DeFi-specific security patterns including reentrancy, flash loan attacks, oracle manipulation, access control, and token standard compliance.

satori run satori://code/solidity/defi-sast.yml --repo SunWeb3Sec/DeFiVulnLabs --report --output

Mythril is a security analysis tool for EVM bytecode. It detects security vulnerabilities in smart contracts built for Ethereum, Hedera, Quorum, Vechain, Rootstock, Tron, and other EVM-compatible blockchains using symbolic execution, SMT solving, and taint analysis.

satori run satori://code/solidity/mythril.yml --repo crytic/not-so-smart-contracts --report --output

Semgrep with Solidity-specific security rulesets for detecting common smart contract vulnerabilities including reentrancy, unchecked calls, price oracle manipulation, flash loan attacks, access control issues, and DeFi-specific anti-patterns.

satori run satori://code/solidity/semgrep-solidity.yml --repo crytic/not-so-smart-contracts --report --output

Slither is a Solidity & Vyper static analysis framework that runs a suite of vulnerability detectors, prints visual information about contract details, and provides an API to easily write custom analyses. It is the industry standard for smart contract SAST, detecting reentrancy, unprotected upgrades, unchecked low-level calls, and 90+ other vulnerability patterns.

satori run satori://code/solidity/slither.yml --repo crytic/not-so-smart-contracts --report --output

Solhint is an open-source Solidity linter providing both security and style guide validations. It checks for security vulnerabilities such as use of tx.origin, low-level calls, and missing visibility modifiers, as well as code quality and naming conventions.

satori run satori://code/solidity/solhint.yml --repo SunWeb3Sec/DeFiVulnLabs --report --output

Wake is a Python-based Solidity development and testing framework with built-in vulnerability detectors and printers. It performs cross-contract analysis detecting reentrancy, unsafe delegatecall, selfdestruct, tx.origin usage, and other vulnerability classes across the entire project dependency graph.

satori run satori://code/solidity/wake.yml --repo crytic/not-so-smart-contracts --report --output

Creates Abstract Syntax Tree (AST) of all .swift files in JSON format. The AST is created by using SwiftSyntax.

satori run ./ --playbook satori://code/swift/swiftasgen.yml --report --output

Enforces Swift style and conventions by analyzing code and flagging violations based on predefined or custom rules, helping maintain consistency and best practices in Swift projects.

satori run ./ --playbook satori://code/swiftlint.yml --report --output

Syft by Anchore generates Software Bills of Materials (SBOMs) from container images and filesystems. It identifies packages and dependencies across dozens of ecosystems and outputs in standard formats like CycloneDX and SPDX.

satori run ./ --playbook satori://code/syft.yml --report --output --files

Trivy has scanners that look for security issues, and targets where it can find those issues. Targets (what Trivy can scan): - Container Image - Filesystem - Git Repository (remote) - Virtual Machine Image - Kubernetes Scanners (what Trivy can find there): - OS packages and software dependencies in use (SBOM) - Known vulnerabilities (CVEs) - IaC issues and misconfigurations - Sensitive information and secrets - Software licenses

satori run ./ --playbook satori://code/trivy.yml --report --output

The TypeScript compiler (tsc) performs static type checking on TypeScript and JavaScript files. It can catch type errors at build time and provides excellent IDE support for large codebases.

satori run ./ --playbook satori://code/typescript/lint/tsc.yml --report --output

yamllint checks YAML files for syntax errors, formatting issues, and best practices by enforcing indentation, key ordering, and structure consistency. It helps prevent misconfigurations and ensures YAML files remain readable and valid.

satori run ./ --playbook satori://code/yamllint.yml --report --output

Queries the UK Companies House API to map corporate structure, directors, filing history, subsidiaries, charges, and insolvency. Requires COMPANIES_HOUSE_API_KEY (free registration at developer.company-information.service.gov.uk). Only acts on a confident name match — fuzzy/unrelated search hits are rejected (NO_MATCH) so downstream consumers never see the wrong company.

satori run satori://compliance/companies-house.yml -d COMPANY="Example Ltd" -d COMPANIES_HOUSE_API_KEY="your_key" --report --output

Checks if a company is a CREST-accredited member by querying the CREST Marketplace supplier directory (marketplace.crest.org). Returns membership details including accreditation types, specialisms, and years of membership.

satori run satori://compliance/crest-membership.yml -d COMPANY="Quorum Cyber" --report --output

Checks if a company holds UK Cyber Essentials or Cyber Essentials Plus certification by searching the IASME certificate database.

satori run satori://compliance/cyber-essentials.yml -d COMPANY="Quorum Cyber" -d CAPTCHA_KEY="your_2captcha_key" --report --output

Checks for past GDPR enforcement actions against a company using the GDPR Enforcement Tracker dataset.

satori run satori://compliance/gdpr-fines.yml -d COMPANY="Meta Platforms" --report --output

Checks UK Information Commissioner's Office (ICO) data controller registration status by searching the ICO register.

satori run satori://compliance/ico-registration.yml -d COMPANY="Quorum Cyber" --report --output

Runs a vulnerability scan using Nuclei with OWASP Top 10 templates to detect common web application security issues including injection, broken authentication, sensitive data exposure, XXE, broken access control, security misconfiguration, XSS, insecure deserialization, vulnerable components, and insufficient logging.

satori run satori://compliance/owasp-top10.yml -d URL="http://testphp.vulnweb.com/" --report --output

Runs a PCI-DSS compliance assessment against a web endpoint checking for TLS configuration, security headers, and common vulnerabilities required by PCI-DSS. Combines TLS checks with Nuclei compliance templates.

satori run satori://compliance/pci-dss.yml -d HOST="satori.ci" --report --output

Searches SEC EDGAR for cybersecurity incident disclosures (8-K Item 1.05) and risk management descriptions (10-K Item 1C) for US public companies.

satori run satori://compliance/sec-filings.yml -d COMPANY="SolarWinds" --report --output

Performs basic SOC2-relevant security checks on a web endpoint including TLS configuration, security headers, open ports, and DNS configuration. Covers Trust Services Criteria for security availability and confidentiality.

satori run satori://compliance/soc2.yml -d HOST="satori.ci" --report --output

Checks if a company is publicly traded by searching Yahoo Finance. Returns exchange, ticker symbol, sector, and trading status. A delisted or absent stock is a signal of company distress, acquisition, or private status.

satori run satori://compliance/stock-check.yml -d COMPANY="Cloudflare" --report --output

Dockle audits Docker container images against CIS Benchmarks and best practices. Unlike Hadolint which checks Dockerfiles, Dockle analyzes the built image to find security issues like running as root, missing HEALTHCHECK, and exposed credentials.

satori run satori://container/dockle.yml -d IMAGE="python:3.4-alpine" --report --output

Grype is a vulnerability scanner for container images and filesystems. Easily install the scanner, integrate it into your project, and quickly identify known vulnerabilities in your packages and dependencies.

satori run satori://container/grype.yml -d IMAGE="python:3.4-alpine" --report --output

Hadolint is a smarter Dockerfile linter that helps you build best practice Docker images. It checks for syntax errors, validates inline bash code, identifies common mistakes in Dockerfile instructions, and verifies that your Dockerfile follows best practices.

satori run ./ --playbook satori://container/hadolint.yml --report --output

Checkov scans cloud infrastructure configurations (Terraform, CloudFormation, Kubernetes, Helm, Azure Resource Manager, Google Deployment Manager) to find misconfigurations and ensure cloud security best practices.

satori run ./ --playbook satori://iac/checkov.yml --report --output

Find security vulnerabilities, compliance issues, and infrastructure misconfigurations in Infrastructure as Code. Supports Terraform, Dockerfile, CloudFormation, Kubernetes, Helm, and more.

satori run ./ --playbook satori://iac/kics.yml --report --output

Static analysis of Kubernetes YAML files for security issues and misconfigurations.

satori run ./ --playbook satori://iac/kubescape.yml --report --output

Terrascan is a static code analyzer for Infrastructure as Code. It detects security vulnerabilities and compliance violations across Infrastructure as Code. Supports multiple cloud providers including AWS, Azure, GCP, and Kubernetes.

satori run ./ --playbook satori://iac/terrascan.yml --report --output

tfsec uses static analysis of your terraform code to spot potential security issues. Along with basic rule checking, tfsec also checks for sensitive information in terraform state files. Scans HCL2 and json formatted terraform configuration files.

satori run ./ --playbook satori://iac/tfsec.yml --report --output

Scans filesystems and container images for vulnerabilities

satori run satori://container/trivy.yml -d IMAGE=python:3.4-alpine --report --output

John the Ripper is a password cracking tool that tests password strength and recovers lost credentials by performing dictionary attacks, brute-force attacks, and cryptanalysis on various password hash types.

satori run satori://crack/john.yml -d PASS='$2b$10$heqvAkYMez.Va6Et2uXInOnkCT6/uQj1brkrbyG3LpopDklcq7ZOS' --cpu 16384 --memory 32768 --report --output

Detects vulnerable GoAnywhere MFT instances by extracting version numbers from the login page and matching against affected version ranges.

satori run satori://cve/CVE-2025-10035.yml -d HOST=127.0.0.1 --report --output

A vulnerability in the Simple Network Management Protocol (SNMP) subsystem of Cisco IOS Software and Cisco IOS XE Software could allow the following: An authenticated, remote attacker with low privileges could cause a denial of service (DoS) condition on an affected device that is running Cisco IOS Software or Cisco IOS XE Software. To cause the DoS, the attacker must have the SNMPv2c or earlier read-only community string or valid SNMPv3 user credentials. An authenticated, remote attacker with high privileges could execute code as the root user on an affected device that is running Cisco IOS XE Software. To execute code as the root user, the attacker must have the SNMPv1 or v2c read-only community string or valid SNMPv3 user credentials and administrative or privilege 15 credentials on the affected device. An attacker could exploit this vulnerability by sending a crafted SNMP packet to an affected device over IPv4 or IPv6 networks. This vulnerability is due to a stack overflow condition in the SNMP subsystem of the affected software. A successful exploit could allow a low-privileged attacker to cause the affected system to reload, resulting in a DoS condition, or allow a high-privileged attacker to execute arbitrary code as the root user and obtain full control of the affected system. Note: This vulnerability affects all versions of SNMP.

satori run satori://cve/CVE-2025-20352.yml -d HOST=127.0.0.1 --report --output

SolarWinds Web Help Desk was found to be susceptible to an unauthenticated AjaxProxy deserialization remote code execution vulnerability that, if exploited, would allow an attacker to run commands on the host machine. This vulnerability is a patch bypass of CVE-2024-28988, which in turn is a patch bypass of CVE-2024-28986.

satori run satori://cve/CVE-2025-26339.yml -d HOST=127.0.0.1 --report --output

Oracle E-Business Suite remote code execution vulnerability without authentication. Detects vulnerable instances by checking for E-Business Suite Home Page text and comparing Last-Modified header timestamp against October 4, 2025 to identify unpatched systems.

satori run satori://cve/CVE-2025-61882.yml -d HOST=127.0.0.1 --report --output

Oracle E-Business Suite Configurator Runtime UI vulnerability that allows unauthenticated attackers with network access via HTTP to access critical data. Affects Oracle Configurator in versions 12.2.3-12.2.14. Detects vulnerable instances by checking for E-Business Suite Home Page text and comparing Last-Modified header timestamp against October 11, 2025 to identify unpatched systems.

satori run satori://cve/CVE-2025-61884.yml -d HOST=127.0.0.1 --report --output

Educational proof-of-concept for hypothetical unauthenticated Remote Code Execution vulnerability in Citrix NetScaler ADC/Gateway API endpoint. Tests for command injection patterns in /api/v1/configuration endpoint. This is a simulated vulnerability for training and detection validation purposes only.

satori run satori://cve/CVE-2025-7775.yml -d HOST=127.0.0.1 --output --test CVE-2025-7775.run --report

Cross-references CVE IDs against the CISA Known Exploited Vulnerabilities (KEV) catalog to identify critical-priority vulnerabilities that are actively exploited in the wild.

satori run satori://cve/cisa-kev.yml -d CVES="CVE-2021-44228,CVE-2023-0669,CVE-2024-3400" --report --output

ThreatTracer identifies CVE details by querying vulnerability databases with CVE identifiers.

satori run satori://cve/search.yml -df CVE=cves.txt --report --output

assetfinder discovers subdomains and related assets by querying public sources, certificate transparency logs, and APIs. It helps in reconnaissance and security assessments by identifying domain associations efficiently.

satori run satori://dns/assetfinder.yml -d DOMAIN="satori.ci" --report --output

Checks if a domain has DNS CAA records configured. CAA records restrict which Certificate Authorities can issue certificates for the domain, preventing unauthorized certificate issuance and reducing the risk of man-in-the-middle attacks.

satori run satori://dns/caa.yml -d DOMAIN="satori.ci" --report --output

cdncheck identifies whether IP addresses belong to known Content Delivery Networks (CDNs) or cloud providers. It helps distinguish between origin servers and CDN-protected assets during reconnaissance and security assessments.

satori run satori://dns/cdncheck.yml -d HOST="satori.ci" --report --output

Maps the target's full DNS footprint using dig for record resolution and crt.sh certificate transparency logs for subdomain discovery. Passive reconnaissance only.

satori run satori://dns/dns-enum.yml -d DOMAIN="tesla.com" --report --output

The script will first try to perform a zone transfer using each of the target domain's nameservers. If this fails, it will lookup TXT and MX records for the domain, and then perform a recursive subdomain scan using the supplied wordlist.

satori run satori://dns/dnscan.yml -d DOMAIN="satori.ci" --report --output

This tool provides the ability to perform. - Check all NS Records for Zone Transfers; - Enumerate General DNS Records for a given Domain (MX, SOA, NS, A, AAAA, SPF and TXT); - Perform common SRV Record Enumeration; Top Level Domain (TLD) Expansion; Check for Wildcard Resolution; - Brute Force subdomain and host A and AAAA records given a domain and a wordlist; Perform a PTR Record lookup for a given IP Range or CIDR; - Check a DNS Server Cached records for A, AAAA and CNAME Records provided a list of host records in a text file to check.

satori run satori://dns/dnsrecon.yml -d DOMAIN="satori.ci" --report --output

Checks if a domain has DNSSEC enabled by verifying the presence of DNSKEY and RRSIG records. DNSSEC protects against DNS spoofing and cache poisoning by cryptographically signing DNS responses.

satori run satori://dns/dnssec.yml -d DOMAIN="satori.ci" --report --output

dnsx is a DNS toolkit for performing DNS queries and collecting DNS-related information. It supports subdomain enumeration, wildcard filtering, and DNS resolution. The tool allows users to customize queries and extract specific DNS records.

satori run satori://dns/dnsx.yml -d DOMAIN="satori.ci" --report --output

It takes a list of subdomains, permute them using a wordlist, insert indexes, numbers, dashes and generates potential subdomains.

satori run satori://dns/goaltdns.yml -d DOMAIN="satori.ci" --report --output

Gobuster performs brute-force enumeration of URLs, DNS subdomains, and virtual host names. It supports wordlist-based scanning for directories and files on web servers, subdomains in DNS, and virtual hosts. The tool allows users to specify extensions, HTTP methods, and authentication options.

satori run satori://dns/gobuster-dns.yml -d DOMAIN="satori.ci" --report --output

Gotator generates permutations, alterations, and mutations of subdomains to enhance subdomain enumeration. It helps discover additional subdomains by modifying known ones, aiding in reconnaissance and security assessments.

satori run satori://dns/gotator.yml -d DOMAIN="satori.ci" --report --output

hakrevdns performs fast and large-scale reverse DNS lookups by resolving IP addresses to hostnames. It helps identify associated domains, uncover network infrastructure, and assist in reconnaissance tasks.

satori run satori://dns/hakrevdns.yml -d IP="54.210.33.205" -d IP="3.93.207.195" --report --output

Knockpy performs subdomain enumeration by querying DNS records, brute-forcing potential subdomains, and checking for wildcard DNS configurations. It helps identify hidden or misconfigured subdomains for reconnaissance and security assessments.

satori run satori://dns/knockpy.yml -d DOMAIN="hackerone.com" --report --output

MassDNS is a DNS resolver that performs bulk domain lookups, supports recursive queries, and conducts brute-force subdomain enumeration using multiple resolvers for query execution.

satori run satori://dns/massdns.yml -d DOMAIN="satori.ci" --report --output

subfinder discovers subdomains by querying public sources, certificate transparency logs, APIs, and brute-force techniques. It is designed for reconnaissance and security assessments, providing a comprehensive list of subdomains associated with a target domain.

satori run satori://dns/subfinder.yml  -d DOMAIN="satori.ci" --report --output

Sublist3r automates subdomain enumeration by querying search engines, certificate transparency logs, and other sources to gather subdomains for a given domain, aiding in security assessments and reconnaissance.

satori run satori://dns/passive/sublist3r.yml -d DOMAIN="satori.ci" --report --output

puredns performs recursive DNS resolution and wildcard filtering to validate subdomains. It filters out wildcard subdomains and poisoned entries to reduce false positives in security assessments.

satori run satori://dns/puredns.yml -d DOMAIN="satori.ci" --report --output

shuffledns resolves and filters subdomains by combining wordlist-based brute forcing with mass DNS resolution using multiple resolvers. It helps identify active subdomains efficiently during reconnaissance and security assessments.

satori run satori://dns/shuffledns.yml -d DOMAIN="satori.ci\nquorumcyber.com" --report --output

subzy detects and exploits subdomain takeover vulnerabilities by identifying misconfigured DNS records pointing to external services. It automates checks for abandoned subdomains that attackers could hijack for phishing, data theft, or malicious content hosting.

satori run satori://dns/subzy.yml -d DOMAIN="nonexistent-app-12345.herokuapp.com" --report --output

tko-subs detects and exploits subdomain takeover vulnerabilities by scanning for misconfigured DNS records that point to external services no longer in use. It helps identify security risks that could allow attackers to hijack abandoned subdomains.

satori run satori://dns/tko-subs.yml -d DOMAIN="example.com" --report --output

Checks domain WHOIS data including registration date, expiry date, registrar, and domain status. Expired or soon-to-expire domains are a strong signal of company distress or abandonment.

satori run satori://dns/whois-check.yml -d DOMAIN="cloudflare.com" --report --output

Knowing how much traffic your web server can handle when under stress is essential for planning future grow of your website or application. By using tool called siege, you can run a load test on your server and see how your system performs under different circumstances. You can use siege to evaluate the amount of data transferred, response time, transaction rate, throughput, concurrency and how many times the server returned responses. The tool has three modes, in which it can operate – regression, internet simulation and brute force. Siege must only be ran against servers you own or on such you have explicit permission to test.

satori run satori://dos/siege.yml -d URL="satori.ci" --report --output

Tests: - Slowloris - Slow HTTP POST - Slow Read attack (based on TCP persist timer exploit) by draining concurrent connections pool - Apache Range Header attack by causing very significant memory and CPU usage on the server.

satori run satori://dos/slowhttptest.yml -d URL="satori.ci" --report --output

Framework entrypoint for automated self-phishing campaigns. Discovers a target organisation's email addresses by running every email-harvesting source - theHarvester (search-engine/OSINT), GitHub commit emails, and website spidering - then unions and de-duplicates their outputs into one clean roster of addresses on the organisation domain. Each imported source prints only the matching emails; the final step merges them. Output: email addresses only, one per line.

satori run satori://email/all.yml -d DOMAIN="satori.ci" --report --output

Gitxray (short for Git X-Ray) is a multifaceted security tool designed for use on GitHub repositories. It serves various use cases, including OSINT, forensics, and security teams, as well as developers looking to secure their repositories, organizations, and related contributors. Gitxray leverages public GitHub REST APIs to gather information that would otherwise be very time-consuming to obtain manually. Additionally, it seeks out information in unconventional places.

satori run satori://email/auth/gitxray-repo.yml -d REPO=satorici/playbooks -d GITHUB_PAT=TBC --report --output

Gitxray (short for Git X-Ray) is a multifaceted security tool designed for use on GitHub repositories. It serves various use cases, including OSINT, forensics, and security teams, as well as developers looking to secure their repositories, organizations, and related contributors. Gitxray leverages public GitHub REST APIs to gather information that would otherwise be very time-consuming to obtain manually. Additionally, it seeks out information in unconventional places.

satori run satori://email/auth/gitxray-user.yml -d REPO=org/repo -d USER=whatever -d GITHUB_PAT=TBC --report --output

Checks email authentication and anti-spoofing configuration by querying SPF, DMARC, and DKIM DNS records. Assesses strictness levels and provides an overall email security rating. Passive DNS lookups only.

satori run satori://email/email-security.yml -d DOMAIN="quorumcyber.com" --report --output

Extracts URLs from a domain using Gauplus and searches for email addresses with Nuclei. Retrieves historical and indexed URLs, then scans them for email patterns using predefined Nuclei templates to aid in reconnaissance and OSINT investigations.

satori run satori://email/gauplus-nuclei.yml -d DOMAIN="satori.ci" --report --output

Given only a DOMAIN, resolves its most likely GitHub org and harvests committer/author emails from the org public repositories, printing ONLY the email addresses on the organisation domain (one per line). Self-contained (resolves the org inline, no imports). No API key required; runs unauthenticated using the Satori container IP.

satori run satori://email/github.yml -d DOMAIN=satori-ci.com --report --output

gitSome is an OSINT tool that extracts email addresses and other information from various GitHub sources. It can target user accounts, organizations, or specific domains to gather associated emails, list organization members, and identify user affiliations. The tool integrates with FireProx to create rotating endpoints, enhancing anonymity during data collection. Users can authenticate with a GitHub personal access token to increase rate limits and access private resources. Additional features include proxy support, JSON output, and exclusion of specific repositories or accounts from searches.

satori run satori://email/gitsome.yml -d USER=octocat --report --output

Gitxray (short for Git X-Ray) is a multifaceted security tool designed for use on GitHub repositories. It serves various use cases, including OSINT, forensics, and security teams, as well as developers looking to secure their repositories, organizations, and related contributors. Gitxray leverages public GitHub REST APIs to gather information that would otherwise be very time-consuming to obtain manually. Additionally, it seeks out information in unconventional places.

satori run satori://email/gitxray-repo.yml -d REPO="satorici/playbooks" --report --output

Gitxray (short for Git X-Ray) is a multifaceted security tool designed for use on GitHub repositories. It serves various use cases, including OSINT, forensics, and security teams, as well as developers looking to secure their repositories, organizations, and related contributors. Gitxray leverages public GitHub REST APIs to gather information that would otherwise be very time-consuming to obtain manually. Additionally, it seeks out information in unconventional places.

satori run satori://email/gitxray-user.yml -d REPO=satorici/playbooks -d USER=satoridev01 --report --output

Discovers professional email addresses associated with a domain using Hunter.io's database. Returns email addresses, their sources, confidence scores, and the organisation's email naming pattern (e.g. {first}.{last}@domain.com). Free tier: 25 searches/month.

satori run satori://email/hunter.yml -d DOMAIN="quorumcyber.com" -d HUNTER_API_KEY="your_key" --report --output

Creates a phishing email template in PhishingBox (api/v2/template/create) using the lure produced by template-ai (read from /tmp/satori/out/tpl_* artifacts: subject, HTML body, from name/email). TPL_DOMAIN is the hook-link CNAME (an authorized/verified domain on the account). If TPL_LANDING_ID is provided (a landing page UUID, e.g. from the library), the template is set to type=landing so a click leads to a credential-capture page; otherwise type=none (click only tracked). Prints TEMPLATE_UUID for chaining into launch-campaign.

satori run satori://email/phishingbox/create-template.yml -d PHISHINGBOX="$PHISHINGBOX" -d TPL_DOMAIN="satori-ci.com" -d TPL_NAME="IT Security Notice" -d TPL_LANDING_ID="" --report --output

Creates and schedules a phishing campaign in PhishingBox (api/v2/campaign/create) against one or more groups using one or more phishing templates. This is the launch step: with SEND_TYPE=immediate and DATE_STARTED in the present, PhishingBox SENDS the phishing emails to the targets and tracks their actions (opened, page-load/click, etc.). PhishingBox only delivers inside a send window: BUSINESS_DAYS (comma list of 3-letter days) between SEND_START and SEND_END in the account timezone; DATE_STARTED must fall on an enabled day or the API returns 412. Defaults mimic office hours (mon-fri 08:00-17:00); pass all 7 days + 00:00:00-23:59:59 to send right now. The target domain must be authorized on the account (domain/authorize). Prints CAMPAIGN_UUID for monitoring (campaign/actions, see report.yml).

satori run satori://email/phishingbox/launch-campaign.yml -d PHISHINGBOX="$PHISHINGBOX" -d CAMPAIGN_NAME="Satori click test" -d GROUP_IDS="<group-uuid>" -d TEMPLATE_IDS="<template-uuid>" -d DATE_STARTED="2026-06-10 09:00:00" -d SEND_TYPE="scheduled" --report --output

Creates a PhishingBox group (api/v2/group/create) and bulk-loads recipients into it (api/v2/target/addBatch), parsing first/last name from {first}.{last}@domain email patterns. Verifies the loaded targets (api/v2/group/targets). Feeds a phishing exercise whose test is then created/launched from the PhishingBox portal (the API does not create or launch tests). Emails are passed via -d EMAILS or read from a shared artifact written by an upstream harvester.

satori run satori://email/phishingbox/load-targets.yml -d PHISHINGBOX="$PHISHINGBOX" -d GROUP_NAME="Satori Exercise" -d EMAILS="andrius.korsakas@quorumcyber.com,jacob.connell@quorumcyber.com" --report --output

One-run harness: imports template-ai (spiders the DOMAIN and generates a brand-matched lure into /tmp/satori/out/tpl_*) and create-template (reads those artifacts and creates the template in PhishingBox). Runs both in the same container so the lure artifacts persist. TYPE defaults to none (click tracking only, no credential capture). Prints TEMPLATE_UUID for launch-campaign.

satori run satori://email/phishingbox/make-template.yml -d DOMAIN="satori-ci.com" -d OPENROUTER="$OPENROUTER" -d PHISHINGBOX="$PHISHINGBOX" -d TPL_DOMAIN="satori-ci.com" -d TPL_NAME="IT Security Notice" -d TPL_LANDING_ID="" -d TYPE="none" --report --output

Measures a phishing campaign's success: pulls api/v2/campaign/actions for a CAMPAIGN_ID and reports the tracked actions - how many targets opened the email and how many clicked the link (page-load), broken down by type and listed per target. Use it to monitor a running or finished campaign launched by launch-campaign.

satori run satori://email/phishingbox/report.yml -d PHISHINGBOX="$PHISHINGBOX" -d CAMPAIGN_ID="<campaign-uuid>" --report --output

For AUTHORIZED phishing-simulation / security-awareness exercises only. Spiders the target organization public website (text + brand assets: logo, theme color, palette), builds a recon context, and asks an LLM (via OpenRouter) to dynamically pick the most credible lure angle for that specific company and generate a brand-matched phishing email (subject + self-contained HTML body with the company logo/colors and a single hook link). Writes artifacts (subject/body/from) for chaining into create-template, and emits a base64 preview of the body. Impersonates the target DOMAIN itself (sender at @DOMAIN).

satori run satori://email/phishingbox/template-ai.yml -d DOMAIN="quorumcyber.com" -d OPENROUTER="$OPENROUTER" --output

Lightweight crawler that fetches a target website (homepage internal links + common pages like /contact /privacy /terms + sitemap) and extracts email addresses with grep. Filters results by the domain core label so it keeps the organisation emails (e.g. both satori.ci and satori-ci.com) while dropping theme/placeholder junk (example.com, wordpress@, etc.). No API key, unauthenticated. Builds a phishing-exercise target roster from a company public site.

satori run satori://email/spider.yml -d DOMAIN="satori.ci" --report --output

theHarvester collects OSINT (Open-Source Intelligence) data from public sources to gather emails, subdomains, IPs, and other information related to a target domain. It queries search engines, certificate transparency logs, and other sources for reconnaissance and security assessments.

satori run satori://email/theharvester.yml -d DOMAIN="umd.edu" --report --output

Queries a remote Ollama server at a specified IP:PORT with a given model using Aider. Verifies the server is reachable and executes the query.

satori run satori://llm/aider.yml -d HOST="103.48.43.25:11434" -d MODEL="ollama/qwen2.5-coder:32b" -d INPUT="Hello World" --report --output

Queries all LLM models with the provided input. Ensures the Ollama server runs correctly, pulls the specified model, and executes the query.

satori run satori://llm/all.yml -d INPUT="Hello World" --report --output

Queries deepseek-r1 with the provided input. Ensures the Ollama server runs correctly, pulls the specified model, and executes the query.

satori run satori://llm/deepseek-r1.yml -d INPUT="Hello World" --report --output

Uses Google Gemini CLI to query a cloned repository with an AI prompt.

satori run satori://llm/gemini.yml -d REPO="owner/repo" -d PROMPT="Analyze this code" -d GEMINI_API_KEY=$GEMINI_API_KEY --report --output

Queries Llama 3.2 uncensored with the provided input. Ensures the Ollama server runs correctly, pulls the specified model, and executes the query.

satori run satori://llm/llama3.2-uncensored.yml -d INPUT="Hello World" --report --output

Queries Llama 3.2 with the provided input. Ensures the Ollama server runs correctly, pulls the specified model, and executes the query.

satori run satori://llm/llama3.2.yml -d INPUT="Hello World" --report --output

Runs the OpenAI gpt-oss:20b model locally using Ollama to query with custom input.

satori run satori://llm/openai.yml -d INPUT="Hello World" --report --output

Sends a prompt plus the contents of a local file to an OpenRouter model via its OpenAI-compatible API and returns the model's answer.

satori local ./ -p satori://llm/openrouter.yml -d FILE="./main.py" -d PROMPT="Review this file for bugs" -d MODEL="google/gemini-2.5-flash" -d OPENROUTER=$OPENROUTER --output

Queries Qwen with the provided input. Ensures the Ollama server runs correctly, pulls the specified model, and executes the query.

satori run satori://llm/qwen.yml -d INPUT="Hello World" --report --output

Queries a GitHub repository using Llama 3.2 with Ollama. Clones the specified repository, compiles its file contents into a prompt, and queries the Llama model with the provided input. Ensures the Ollama server runs correctly, pulls the specified model, and executes the query.

satori run satori://llm/tools/repo-by-file.yml -d INPUT="Identify security vulnerabilities on the following file referencing the line number." -d REPO="hardik05/Damn_Vulnerable_C_Program" --report --output

Queries a GitHub repository using Llama 3.2 with Ollama. Clones the specified repository, compiles its file contents into a prompt, and queries the Llama model with the provided input. Ensures the Ollama server runs correctly, pulls the specified model, and executes the query.

satori run satori://llm/tools/repo.yml -d INPUT="What does example.c and attack.c do?" -d REPO="royleekiat/overflow-example" --report --output

ApacheBench (ab) is a tool for benchmarking HTTP servers. It shows how many requests per second your server is capable of serving, along with detailed connection times, transfer rates, and percentile latency breakdown. It is included with the Apache HTTP server package and is one of the most widely used load testing utilities.

satori run satori://load/ab.yml -d URL="https://satori.ci/" --report --output

Hey is a tiny program that sends load to a web application. It supports HTTP/2 and provides detailed latency distribution, status code breakdown, and throughput metrics. Useful for quick benchmarks and smoke-testing endpoint performance under concurrent load.

satori run satori://load/hey.yml -d URL="https://satori.ci" --report --output

wrk is a modern HTTP benchmarking tool capable of generating significant load when run on a single multi-core CPU. It uses multithreaded design and scalable event notification systems like epoll and kqueue to produce detailed latency statistics including average, stdev, max, and percentile distribution.

satori run satori://load/wrk.yml -d URL="https://satori.ci" --report --output

Checks for open listening ports on the system. Identifies potential unauthorized services, malware, or misconfigurations that could expose the system to network attacks or unauthorized access.

satori run satori://malware/are_ports_open.yml --report --output

ClamAV is an open-source antivirus engine designed to detect a wide range of malicious threats, including trojans, viruses, and malware. It supports multiple file formats and is commonly used for scanning emails on mail gateways. ClamAV is cross-platform, running on various operating systems such as Unix, Linux, and Windows. The project is maintained by Cisco’s Talos Security Intelligence and Research Group.

satori run ./ --playbook satori://malware/clamav.yml --report --output

Finds IP addresses within files by searching for numerical patterns matching IPv4 addresses. Identifies potential hardcoded connections, malware command-and-control servers, or network configuration leaks.

satori run ./ --playbook satori://malware/ip_addresses.yml --report --output

Checks if the uvcvideo module is loaded, indicating that video functionality has been enabled. Detects potential malware activity that secretly activates webcams for unauthorized surveillance or data collection.

satori run satori://malware/is_video_enabled.yml --report --output

Queries DNS records (A, AAAA, MX, NS, TXT, CNAME) for a domain and asserts that expected records are present. Useful for detecting DNS hijacking, unauthorized changes, or misconfigurations.

satori run satori://monitor/dns-changes.yml -d HOST="satori.ci" -d EXPECTED_IP="1.2.3.4" --report --output

This playbook checks if a host resolves to a specified IP address. It installs dnsutils, runs the host command on a given hostname, and verifies that the output matches that the host has a certain IP address.

satori run satori://monitor/host.yml -d HOST="host_name" -d IP="ip_adress" --report --output

This playbook checks for packet loss, running a ping command with four packets to a specified host, and verifying that the output contains that there is no packet loss.

satori run satori://monitor/ping.yml -d HOST="satori.ci" --report --output

Checks the SSL certificate of a host and asserts that it is not expiring within 30 days. Reports the certificate issuer, validity dates, and days until expiration.

satori run satori://monitor/ssl-expiry.yml -d HOST="expired.badssl.com" --report --output

Deserialization of untrusted data in on-premises Microsoft SharePoint Server allows an unauthorized attacker to execute code over a network. Microsoft is aware that an exploit for CVE-2025-53770 exists in the wild.

satori local satori://ms/CVE-2025-53770.yml -d HOST=127.0.0.1 --report --output

Alerts a domain owner if their domain or subdomains appear on public phishing/malware blocklists (URLhaus, OpenPhish, Phishunt, PhishStats). A hit means the domain is likely compromised and serving malicious content, or has been flagged and is damaging its reputation/deliverability. No API key required. Designed to run as a daily monitor.

satori local osint/blocklist-check.yml -d DOMAIN="example.com" --report --output

Searches Google News for a company alongside a compromise lexicon (hack, ransomware, breach, data leak, phishing, compromised, exposed, stolen data) and asks an OpenRouter LLM (Google Gemini 2.5 Flash) to judge whether the headlines credibly indicate THAT company was itself breached/compromised. Returns a scorable verdict (BREACH_NEWS_FOUND vs CLEAN). Unlike osint/google-news.yml (which lists any mention without filtering or scoring), this filters by the compromise lexicon and discards false positives such as a security vendor merely reporting on someone else's incident.

satori run satori://osint/breach-news.yml -d COMPANY="Acme Corp" -d DOMAIN="acme.com" -d OPENROUTER=$OPENROUTER --report --output

Checks if a company has a public bug bounty or vulnerability disclosure program on HackerOne, Bugcrowd, Intigriti, or via security.txt. Having a bug bounty program indicates security maturity and proactive vulnerability management.

satori run satori://osint/bug-bounty.yml -d DOMAIN="cloudflare.com" -d COMPANY="cloudflare" --report --output

Searches crt.sh certificate transparency logs by Organization name (not domain) to discover all domains with SSL certificates issued to a specific company. CA-validated org names are high confidence. No API key required.

satori run satori://osint/cert-org-search.yml -d COMPANY="Quorum Cyber" -d DOMAIN="quorumcyber.com" --report --output

Detects phishing infrastructure at provisioning time by watching Certificate Transparency logs (crt.sh) for newly issued certificates whose hostname contains your brand keyword but is NOT on your legitimate domain. Catches attacker lookalike/impersonation domains the moment they get a TLS cert, often before they are weaponized. Complements typosquat detection. No API key required. Designed to run as a daily monitor.

satori run osint/crt.yml -d DOMAIN="coinbase.com" --report --output

Solves Cloudflare challenge via CapSolver and extracts company profile, funding rounds, key people, and products from Crunchbase using a residential proxy.

satori run satori://osint/crunchbase.yml -d COMPANY="Quorum Cyber" -d PROXY_URL="http://user:pass@geo.iproyal.com:12321" -d CAPSOLVER="your_key" --report --output

Find the most likely main GitHub org/account for a domain

satori run satori://osint/domain-to-github.yml -d DOMAIN=satori.ci --report --output

Searches Google News for recent mentions of a company in the last 30 days via RSS. Returns titles, sources, and publication dates. Useful for identifying recent incidents, acquisitions, press coverage, or negative news.

satori run satori://osint/google-news.yml -d COMPANY="Quorum Cyber" -d DOMAIN="quorumcyber.com" --report --output

Checks if employee credentials from the target domain have appeared in known data breaches using the Have I Been Pwned API. Requires HIBP_API_KEY.

satori run satori://osint/haveibeenpwned.yml -d DOMAIN="linkedin.com" -d COMPANY="LinkedIn" -d HIBP_API_KEY="your_key" --report --output

Identifies security team gaps by searching for open security-related hiring positions via the Adzuna Jobs API. Requires ADZUNA_ID and ADZUNA_KEY.

satori run satori://osint/job-board-recon.yml -d COMPANY="NCC Group" -d ADZUNA_ID="your_id" -d ADZUNA_KEY="your_key" --report --output

Enriches company data via Proxycurl (nubela.co, LinkedIn data) and Adzuna Jobs API. Returns company profile, specialties, funding history, and open security roles.

satori run satori://osint/linkedin-company.yml -d DOMAIN="quorumcyber.com" -d COMPANY="Quorum Cyber" -d PROXYCURL="your_key" -d ADZUNA_ID="your_id" -d ADZUNA_KEY="your_key" --report --output

Checks whether a domain is named in any AlienVault OTX threat-intelligence pulse (tracked IOC sets, malware campaigns, incident reports). A match means the domain has been referenced in community/vendor threat reporting. Uses the public OTX domain endpoint (no API key required). Note: well-known brands appear in many benign monitoring pulses, so treat matches as a review signal.

satori run osint/otx.yml -d DOMAIN="example.com" --report --output

Checks if a company or domain has been published as a ransomware victim, using the ransomware.live v2 API which indexes victims across ~100 ransomware leak sites (live, fresher than a static dump). Returns ransomware group, dates, country, sector, and whether the victim also appeared in infostealer logs. No API key required.

satori run osint/ransomware-check.yml -d DOMAIN="colonialkc.org" -d COMPANY="Colonial" --report --output

Resolves the organisation's own IPs (domain A records + each MX host) and checks them against IP reputation blocklists: DNS blocklists for spam/policy/exploit (Spamhaus ZEN, Barracuda, SORBS, SpamCop) and the abuse.ch Feodo Tracker for active botnet C2. A live hit means an IP in the org's space is sending spam or is a compromised/C2 host — the IP-axis complement to the domain-axis blocklist-check. No API key required.

satori local osint/rbl-check.yml -d DOMAIN="example.com" --report --output

Searches SEC EDGAR full-text search for Exhibit 21 (subsidiary listings) and 8-K (acquisition announcements) to discover legally disclosed subsidiaries. US public companies only. No API key required.

satori run satori://osint/sec-subsidiaries.yml -d COMPANY="CrowdStrike" --report --output

Query TheCompaniesAPI for company info by hostname/domain

satori local satori://osint/thecompaniesapi.yml -d HOST="stripe.com" -d THECOMPANIESAPI="$THECOMPANIESAPI" --test TheCompaniesAPI.run.stdout --output 2>/dev/null | jq -r .about.name

Detects attacker-registered lookalike domains impersonating your brand (typosquats, homoglyphs, TLD swaps, bitsquats). Uses dnstwist to generate permutations, keeps only the ones that are registered and resolve, checks for MX records (mail-capable = BEC/phishing risk), and ages each via WHOIS so freshly registered impostors are flagged as high risk. No API key required. Designed to run as a daily monitor.

satori run osint/typosquat.yml -d DOMAIN="paypal.com" --report --output

Checks the Wayback Machine (archive.org) for a domain's archive history. Reports first snapshot, last snapshot, and recent activity. A domain with no recent snapshots or only error codes suggests the company is inactive or dead.

satori run satori://osint/wayback-check.yml -d DOMAIN="cloudflare.com" --report --output

Onapsis Scanner for Vulnerability CVE-2025-31324 (SAP Security 3594142) - CVSS 10 (Critical). This tool checks for the presence of the vulnerability and known webshells in the SAP system. DISCLAIMER: This tool is provided from Onapsis via open source license Apache 2.0, as a contribution to the security, incident response, and SAP communities to aid in response to active exploitation of CVE-2025-31324. This tool is under development and will continue to iterate rapidly as more information becomes available either from Onapsis Research Labs or publicly. This is a best-effort development and offered as-is with no warranty or liability.

satori run satori://sap/Onapsis_CVE-2025-31324.yml -d IP=127.0.0.1 -d PORT=50000 --report --output

Scans an IP range for open ports using ZMap and ZGrab2 with sharding support, then aggregates banner results.

satori run satori://scan.yml -d RANGE=52.0.0.0/8 -d PORT=80 -d SATORI_TOKEN=$SATORI_TOKEN -d SHARDS=500 --output --visibility public

Grabs banners from a list of IP addresses on a specified port using concurrent connections.

satori run satori://scan/banner-scanner.yml -i input.txt -d CONCURRENCY=100 -d TIMEOUT=5 -d PORT=80 --report --output

Scans bug bounty target hosts from public domain lists using a specified playbook and port list in parallel.

satori run playbook.yml -d SATORI_TOKEN=$SATORI_TOKEN -d PLAYBOOK=satori://cve/CVE-2025-10035.yml -d PORT="443 80 8009 8443 8001 8000 8010 8080 10443 4443 9443 8080" --output

Scans an IP range for open HTTP ports using ZMap and ZGrab2 with sharding support, then aggregates banner results.

satori run satori://scan/http.yml -d RANGE=52.0.0.0/8 -d PORT=80 -d SATORI_TOKEN=$SATORI_TOKEN -d SHARDS=250 --output --visibility public

Scans an IP range for open HTTPS ports using ZMap and ZGrab2 with sharding support, then aggregates banner results.

satori run satori://scan/https.yml -d RANGE=52.0.0.0/8 -d PORT=443 -d SATORI_TOKEN=$SATORI_TOKEN -d SHARDS=250 --output --visibility public

IPerf3 is a network performance measurement tool that tests bandwidth, jitter, and packet loss between hosts.

satori run satori://scan/iperf3.yml --report --output --test iperf3.run.client.stdout --cpu 2048 --memory 4096

This playbook uses masscan to scan a target host for a specific port and rate, both defined by the user.

satori run ./ --playbook=./masscan.yml -d HOST="192.168.0.1" -d PORT="80" -d RATE="1000" --report --output

Naabu is a port scanning tool written in Go that allows you to enumerate valid ports for hosts in a fast and reliable manner. It is a really simple tool that does fast SYN/CONNECT/UDP scans on the host/list of hosts and lists all ports that return a reply.

satori run satori://scan/naabu.yml -d HOST="satori.ci" --report --output

Nmap is short for Network Mapper. It is an open-source Linux command-line tool that is used to scan IP addresses and ports in a network and to detect installed applications. Nmap allows network admins to find which devices are running on their network, discover open ports and services, and detect vulnerabilities.

satori run satori://scan/nmap.yml -d HOST="mytestsite.com" --report --output

RustScan is a modern port scanner that rapidly scans all 65,535 ports in approximately 3 seconds. It features a scripting engine supporting languages like Python, Lua, and Shell, allowing users to automate tasks such as piping results into Nmap for detailed analysis. RustScan also employs adaptive learning to optimize its scanning process based on the environment.

satori run satori://scan/rustscan.yml -d HOST="satori.ci" --report --output

Queries Shodan API to identify exposed services, open ports, software versions, and known CVEs on the target's infrastructure and subdomains. Requires SHODAN_API_KEY.

satori run satori://scan/shodan.yml -d DOMAIN="scanme.nmap.org" -d SHODAN_API_KEY="your_key" --report --output

smap is a network scanner that functions as a faster, more efficient alternative to Nmap by leveraging masscan for high-speed host discovery and integrating Nmap’s service and vulnerability detection capabilities. It supports asynchronous scanning and provides detailed network insights.

satori run satori://scan/smap.yml -d HOST="satori.ci" --report --output

ssh-audit analyzes SSH server configurations to identify weak algorithms, outdated protocols, and security misconfigurations. It checks key exchanges, ciphers, MACs, and host key algorithms against known vulnerabilities and best practices.

satori run satori://scan/ssh-audit.yml -d HOST="satori.ci" --report --output

SSHamble is an SSH security testing tool that identifies misconfigurations, weak credentials, and unexpected exposures in SSH services.

satori run satori://scan/sshamble.yml -d IPS="192.168.1.1" --report --output

ZGrab2 is a modular application-layer network scanner that grabs banners and metadata from services on specified ports.

satori run satori://scan/zgrab2.yml -i input.txt -d PORT=80 --output --test run --files

Orchestrates ZMap scans across IP ranges using sharding, collects results, and uploads them to a repository.

satori run satori://scan/zmap-scanner.yml -d RANGE=0.0.0.0/8 -d PORT=80 -d SHARDS=500 -d SATORI_TOKEN=TBC -d GITHUB_TOKEN=TBC --output --visibility public

Scans IP ranges using ZMap to discover hosts with open ports.

satori run satori://scan/zmap-webbanner.yml --output --count 3 -d PORT=80 -d RANGE=1.1.1.0/29

Combines ZMap for fast port scanning with ZGrab2 for HTTPS banner grabbing across IP ranges.

satori run satori://scan/zmap-zgrab2-https.yml --count 60000 -d PORT=443 -d RANGE=0.0.0.0/0 --report --output --files

Combines ZMap for fast port scanning with ZGrab2 for HTTP banner grabbing across IP ranges.

satori run satori://scan/zmap-zgrab2.yml --count 60000 -d PORT=80 -d RANGE=0.0.0.0/0 --report --output --files

ZMap is a fast single-packet network scanner optimized for Internet-wide network surveys. On a computer with a gigabit connection, ZMap can scan the entire public IPv4 address space on a single port in under 45 minutes. With a 10gigE connection and PF_RING, ZMap can scan the IPv4 address space in 5 minutes.

satori run satori://scan/zmap.yml -d PORT="1234" -d HOST="host" --report --output

Exposing hardcoded secrets, such as API keys, passwords, cryptographic keys, and authentication credentials, increases the risk of unauthorized access, data breaches, and privilege escalation. Attackers can exploit these vulnerabilities to access private repositories, decrypt sensitive data, impersonate users, or compromise secure systems. Detection tools help identify and mitigate these risks by scanning code repositories, analyzing patterns, and enforcing security best practices across multiple programming languages.

satori run satori://secrets/all.yml --repo BonJarber/SecretsTest --report --output

detect-secrets identifies and prevents accidental exposure of secrets in code repositories by scanning for sensitive information such as API keys, passwords, and credentials using pattern matching and heuristics.

satori run ./ --playbook satori://secrets/detect-secrets.yml --report --output

Gitleaks is a fast, light-weight secret scanner for repos, directories, and files. It detects potential secrets like API keys, passwords, tokens, private keys and much more.

satori run ./ --playbook satori://secrets/gitleaks.yml --report --output

Semgrep is a static code analysis tool with stable support for C#, Go, Java, JavaScript, JSON, Python, PHP, Ruby, and Scala. It has experimental support for nineteen other languages, as well as a language agnostic mode.

satori run ./ --playbook satori://secrets/semgrep.yml --report --output

trufflehog scans repositories, files, and logs for hardcoded secrets such as API keys, passwords, and cryptographic credentials. It uses pattern matching and entropy analysis to detect exposed sensitive data, helping prevent unauthorized access and security breaches.

satori run ./ --playbook satori://secrets/trufflehog.yml --report --output

This playbook is designed to test the output of two commands to ensure it contains the phrase **Hello World**. It defines a parent test named `test`, which includes an assertion on two echoes. The assertion, `assertStdoutContains: Hello World`, checks that the standard output from the executed commands contains the string **Hello World**. The playbook defines two command blocks: `hello` and `whatever`. The `hello` block executes the command `echo Hello World`, which prints **Hello World**. Similarly, the `whatever` block executes the command `echo ${{INPUT}}`, which prints whatever the value of the `INPUT` variable is. For example, if `INPUT` is set to **Hello World**, the commands will again output *Hello World* and the parent assertion will pass.

satori run satori://test.yml -d INPUT="Hello World" --report --output

Test playbook that validates severity level assertions from Blocker (0) to Informational (5).

satori local satori://test/severity.yml -d BLOCKER=True -d CRITICAL=True -d HIGH=True -d MEDIUM=True -d LOW=True -d INFO=True --report --output

APIFuzzer is a fuzzing tool that tests API endpoints defined in OpenAPI/Swagger specifications to find potential vulnerabilities.

satori run satori://web/apifuzzer.yml --report --output

Arjun is an HTTP parameter discovery suite. It's used to find query parameters, path parameters, POST data fields, and request headers in web applications through intelligent brute force probing.

satori run satori://web/arjun.yml -d URL="https://api.satori.ci" --report --output

CloudScraper spiders and scrapes target websites to identify exposed cloud resources, such as AWS S3 buckets, Azure Blobs, and DigitalOcean Spaces. By inputting a URL, it recursively searches through the site’s pages, extracting links and scanning for patterns indicative of cloud storage locations.

satori run satori://web/cloudscraper.yml -d URL="http://example.com" --report --output

Scan WordPress, Joomla, Drupal and over 180 other CMSs

satori run satori://web/cmseek.yml -d URL="https://satori.ci" --report --output

CORStest identifies misconfigurations in Cross-Origin Resource Sharing (CORS) implementations. It tests whether arbitrary origins are accepted, credentials are allowed, and methods beyond the standard ones are permitted. The tool helps detect security risks related to improperly configured CORS policies that could lead to unauthorized data access.

satori run satori://web/corstest.yml -d URL="https://satori.ci" --report --output

Corsy scans for misconfigurations in Cross-Origin Resource Sharing (CORS) settings. It detects vulnerabilities like origin reflection, wildcard values, and various bypass techniques. The tool supports scanning multiple URLs, exporting results, and using custom headers.

satori run satori://web/corsy.yml -d URL="https://satori.ci" --report --output

Dalfox detects and exploits XSS (Cross-Site Scripting) vulnerabilities by analyzing parameters, injecting payloads, and automating security testing. It supports reflection-based detection, DOM analysis, and blind XSS payload delivery for comprehensive web application security assessments.

satori run satori://web/dalfox.yml -d URL="http://testphp.vulnweb.com/listproducts.php?cat\=123&artist=123&asdf=ff" --report --output

DIRB is a command-line web content scanner that performs dictionary-based attacks to discover hidden directories and files on web servers. It works by systematically requesting URLs from a provided wordlist and analyzing the server’s HTTP responses to identify existing or hidden web objects. DIRB comes with preconfigured wordlists but also allows the use of custom lists.

satori run satori://web/enum/dirb.yml -d URL="http://example.com" --report --output

Fast web fuzzer for discovering hidden endpoints and parameters

satori run satori://web/enum/ffuf.yml -d URL="https://example.com" --report --output

Checks if a domain is registered on the HSTS Preload List, which is hardcoded into Chrome, Firefox, Safari, Edge, and other browsers. Domains on the list are always accessed via HTTPS, eliminating the possibility of SSL stripping attacks on the first visit.

satori run satori://web/hsts-preload.yml -d DOMAIN="satori.ci" --report --output

Identify and analyze web server configurations, verify HTTP responses, and diagnose potential vulnerabilities or misconfigurations

satori run satori://web/httpx.yml -d URL="satori.ci" --report --output

Katana is a web crawling and spidering tool that supports headless browsing, JavaScript execution, automatic form filling, and regex-based scope control. It processes input from standard input, URLs, or file lists and outputs to standard output, files, or JSON. Passive crawling from external sources has been moved to a separate tool called URLFinder.

satori run satori://web/katana.yml -d URL="satori.ci" --report --output

Lotus is a web security scanner written in Rust that automates dynamic application security testing (DAST) using Lua scripts. It provides a comprehensive Lua API to streamline web security scripting, enabling efficient automation of security processes.

satori run satori://web/lotus.yml -d URL="http://testphp.vulnweb.com/listproducts.php?cat=1" --report --output

Nikto is a web server scanner that detects vulnerabilities, misconfigurations, and outdated software by testing against a database of known security issues. It performs comprehensive checks, including identifying default files, server options, and insecure configurations.

satori run satori://web/nikto.yml -d URL="http://example.com" --report --output

A feature-rich vulnerability scanner that uses templates to detect security issues including CVEs, misconfigurations, and exposed sensitive data.

satori run satori://web/nuclei.yml -d URL="http://testphp.vulnweb.com/artists.php?artist=1" --report --output

Some HTTP parameter names are more commonly associated with one functionality than the others. For example, the parameter ?url= usually contains URLs as the value and hence often falls victim to file inclusion, open redirect and SSRF attacks. Parth can go through your burp history, a list of URLs or it's own discovered URLs to find such parameter names and the risks commonly associated with them. Parth is designed to aid web security testing by helping in prioritization of components for testing.

satori run satori://web/parth.yml -d HOST="geeksforgeeks.org" --report --output

Fetch known URLs from sources like AlienVault’s Open Threat Exchange, the Wayback Machine, and Common Crawl.

satori run satori://web/passive/gauplus.yml -d DOMAIN="example.com" --report --output

socialhunter crawls a given website to identify broken social media links that could be hijacked, potentially allowing attackers to conduct phishing attacks or damage a company’s reputation. It supports platforms like Twitter, Facebook, Instagram, and TikTok without requiring API keys.

satori run satori://web/passive/socialhunter.yml -d URL="https://www.satori.ci" --report --output

Tool for searching URLs exposed through URL shortener services by analyzing collections of previously brute-forced and published shortened URLs. It allows users to filter results using keywords and define date ranges for analysis.

satori run satori://web/passive/urlhunter.yml -d URL="satori.ci" --report --output

waybackurls extracts URLs from the Wayback Machine for a given domain, helping identify historical endpoints, parameters, and potential attack surfaces for security assessments and reconnaissance.