Ghostwyre is a modular security scanning system combining a fast Go-based scanner engine with an AI-driven analysis layer for reasoning, prioritization, and reporting.
GhostWyre/
βββ scanner/ # Go scanning engine
β βββ cmd/
β β βββ main.go # CLI entrypoint
β β βββ scan.go # `ghostwyre scan` command
β β
β βββ internal/
β β βββ crawler/ #
β β βββ probe/ # HTTP, TLS, DNS, security header checks
β β βββ injector/ # XSS, SQLi, open redirect payloads
β β βββ fingerprint/ # Tech stack detection
β β βββ reporter/ # JSON/HTML report generation
β β
β βββ pkg/
β βββ config/ # YAML + env configuration loader
β βββ httpclient/ # Shared HTTP client, retries, tracing
β
βββ agent/ # Python AI orchestration layer
β βββ orchestrator.py # LangGraph workflow
β β
β βββ tools/
β β βββ scan_tool.py # Execute Go scanner
β β βββ vuln_lookup.py # CVE/NVD enrichment
β β βββ report_tool.py # Findings summarization
β β
β βββ prompts/
β βββ planner.md
β βββ analyst.md
β βββ scorer.md
β βββ reporter.md
β
βββ api/ # Service layer
β βββ server.py # FastAPI endpoints
β
βββ output/ # Generated reports
β βββ scans/
β βββ reports/
β βββ exports/
β
βββ configs/
β βββ config.yaml
β βββ rules.yaml
β
βββ docs/
β βββ architecture.md
β βββ roadmap.md
β
βββ Makefile
βββ go.mod
βββ go.sum
βββ requirements.txt
βββ README.md
Ghostwyre is designed as a hybrid architecture:
- Go CLI Scanner β fast, deterministic, low-level scanning
- Python AI Orchestrator β reasoning, CVE mapping, risk scoring
- Web/API Layer β visualization, automation, scheduling
User Prompt: "Scan example.com and tell me what's risky"
β
LangGraph Orchestrator
βββ Planner Agent
β β decides scan strategy
βββ Scanner Tool (Go CLI)
β β returns structured JSON findings
βββ Analyst Agent
β β interprets vulnerabilities + CVEs
βββ Risk Scorer
β β assigns severity / CVSS-like score
βββ Reporter Agent
β generates human-readable report
Build a stable, fast scanning CLI with structured output.
| Component | Description |
|---|---|
| CLI Framework | Add cobra β ghostwyre scan --target https://example.com --depth 3 |
| Config System | YAML config + environment variable overrides |
| Output Format | Replace logs with structured JSON findings |
| HTTP Probe Module | Extract headers, TLS cert info, CORS, CSP, HSTS |
| Basic Crawler | BFS-based link discovery with configurable depth |
Introduce security detection capabilities.
| Component | Description |
|---|---|
| Fingerprinting | Detect CMS, frameworks, server versions via headers + response body |
| Passive Vulnerability Checks | Match detected versions with known CVEs |
| Injection Probes | Basic XSS, SQL error-based detection, open redirects |
| Rate Limiting | Prevent target overload with configurable delays |
Add reasoning, prioritization, and explanation.
Go Scanner β JSON Output β AI Orchestrator β Risk Analysis β Report
| Agent | Responsibility |
|---|---|
| Planner Agent | Chooses scan modules based on user prompt |
| Scanner Tool | Executes Go binary and returns structured results |
| Analyst Agent | Interprets findings, maps CVEs |
| Risk Scorer | Assigns severity (CVSS-like scoring) |
| Reporter Agent | Generates human-readable security report |
User: "Scan example.com and tell me what's risky"
β Planner selects modules
β Go scanner executes crawl + probes
β JSON findings returned
β AI analyzes vulnerabilities
β Final report generated
Make Ghostwyre usable in real environments (UI + API + scheduling)
- Web dashboard for scan history
- REST API for programmatic scanning
- Scheduled scans (cron / Temporal integration)
- Export reports (JSON β HTML/PDF)
| Layer | Tech | Reason |
|---|---|---|
| CLI Engine | Go (cobra, viper) |
Fast, production-ready CLI tooling |
| HTTP / Crawling | net/http or colly |
Reliable web crawling support |
| AI Orchestration | LangGraph (Python) | Structured multi-agent workflows |
| LLM | Claude (Sonnet) | Strong reasoning + security analysis |
| API Layer | FastAPI | Async, simple integration |
| Output Format | JSON β HTML templates | Portable + diff-friendly reports |
All scanner outputs must be:
- Structured (JSON)
- Machine-readable
- Agent-friendly
- Versionable
- Diff-trackable
Example:
{
"target": "https://example.com",
"findings": [
{
"type": "missing_header",
"name": "CSP",
"severity": "medium"
}
]
}- Go handles speed + correctness
- Python handles reasoning + intelligence
- AI never directly scans β it interprets results
- Scanner remains deterministic and reproducible
- Authenticated scanning modules
- Plugin system for custom checks
- Distributed scanning workers
- Real-time attack surface monitoring
- SIEM integrations (Splunk, ELK)