Changelog

Map Any API Attack Surface — No Documentation Required

Penetration testers know the problem: the client says "test our APIs" but hands you a login and nothing else. No OpenAPI spec. No Postman collection. No documentation. Vespasian — now open source — solves this. It captures live traffic from web applications, classifies API calls, and generates structured specifications for REST (OpenAPI 3.0), GraphQL (SDL), and SOAP (WSDL) — giving you a complete map of the API attack surface from nothing but a URL.

How It Works

Vespasian uses a two-stage pipeline that separates traffic capture from specification generation:

1. Capture — Drive a headless browser through the target application with full JavaScript execution and authentication injection. Every HTTP request the frontend makes is recorded. Alternatively, import existing traffic from Burp Suite XML, HAR archives, or mitmproxy captures.

2. Generate — Classify captured requests as API calls using content-type, path heuristics, HTTP methods, and response structure. Auto-detect the API type — or specify it explicitly. Probe discovered endpoints for enrichment. Output structured specifications in the native format for each type.

This separation means you capture once, generate many. Run different generators against the same capture without re-scanning. The capture file is inspectable JSON you can review and debug.

Three Output Formats

• OpenAPI 3.0 for REST — Path normalization (/users/42 becomes /users/{id}), schema inference from response bodies, parameter extraction from query strings.

• GraphQL SDL — Tiered introspection with 3 query levels to bypass WAF-protected servers. Falls back to traffic-based schema inference when introspection is disabled entirely.

• WSDL for SOAP — Identifies SOAP services via SOAPAction headers and envelope detection, fetches and parses WSDL documents.

Key Capabilities

• API Type Auto-Detection — Automatically determines REST, GraphQL, or SOAP from captured traffic. No manual selection needed.

• Multi-Source Import — Reuse traffic from Burp Suite XML, HAR 1.2, and mitmproxy. No re-scanning needed.

• Active Probing — OPTIONS discovery, JSON schema inference, WSDL document fetching, and GraphQL introspection enrich discovered endpoints.

• SSRF Protection — Blocks probing of private and loopback addresses by default. Use --dangerous-allow-private for internal targets.

• Confidence Scoring — Configurable classification confidence thresholds filter noise from legitimate API calls.

Vespasian + Hadrian = Complete API Security

Vespasian discovers the attack surface. Hadrian tests it for vulnerabilities. Together they form a pipeline that takes you from "no documentation" to "proven authorization vulnerabilities" — without asking the client for anything beyond a login.

Open Source

Vespasian is fully open source at github.com/praetorian-inc/vespasian. Install with a single command:

go install github.com/praetorian-inc/vespasian/cmd/vespasian@latest

Or scan an application end-to-end:

vespasian scan https://app.example.com -o api.yaml

How It Fits Into Guard

Vespasian runs as a Guard Platform capability, feeding discovered API endpoints and generated specifications directly into your attack surface inventory. When paired with Hadrian, the complete API discovery-to-testing pipeline operates within Guard — endpoints discovered, specs generated, authorization tested, findings triaged — all in one platform.

Documentation

https://docs.praetorian.com/en/articles/2168486-vespasian-api-discovery-and-specification-generation

The Cloud Has a Visibility Problem — Aurelian Fixes It

We are thrilled to announce Aurelian, our open-source multi-cloud security reconnaissance framework — now powering cloud assessments directly inside the Praetorian Guard Platform.

Cloud environments are sprawling, fragmented, and full of hidden risk. Secrets buried in Lambda environment variables. S3 buckets that look private but aren't. IAM policies that silently grant privilege escalation paths nobody mapped. Until now, finding all of this required stitching together a patchwork of single-cloud, compliance-focused tools that weren't built for offensive security.

Aurelian changes that — completely.

One Framework. Three Clouds. Zero Blind Spots.

Aurelian delivers a unified command-line interface for security reconnaissance across AWS, Azure, and GCP — with 25+ purpose-built modules designed by Praetorian's offensive security team. Whether you're hunting secrets, mapping IAM attack paths, or identifying publicly exposed resources, Aurelian gives you a single, consistent workflow across every major cloud provider.

What Makes Aurelian Different

• Real Policy Evaluation, Not Checkbox Compliance — Aurelian doesn't just check config flags. It evaluates actual IAM policies including condition keys, SCPs, and resource ARN patterns to determine true exposure. This is how penetration testers think — and now it's automated.
• Secrets Discovery Across 30+ Sources — EC2 user data, Lambda code, CloudFormation templates, CloudWatch logs, Azure Key Vaults, GCP storage blobs — Aurelian extracts and scans them all using the Titus secrets detection engine, with optional live validation to confirm active credentials.
• IAM Privilege Escalation Graphing — Export IAM relationships to Neo4j and run Cypher queries to visualize multi-hop escalation paths. See exactly how an attacker moves from a low-privilege role to domain dominance.
• Public Resource Detection That Actually Works — Combines resource enumeration, property enrichment, and access evaluation to find resources that are genuinely accessible — even when configuration appears private but resource-based policies tell a different story.
• Subdomain Takeover Detection — Identify dangling CNAMEs across CloudFront, S3, Elastic Beanstalk, CDK staging buckets, and managed DNS services before attackers do.
• OPSEC-Aware Reconnaissance — Built-in awareness of CloudTrail logging with configurable OPSEC levels. The whoami module identifies your caller identity without generating a single audit log entry.

Already Inside the Guard Platform

Aurelian isn't a standalone tool you bolt on — it's already integrated into the Praetorian Guard Platform. That means its reconnaissance capabilities feed directly into your attack surface management workflows. Discovered secrets, public resources, and IAM risks surface as actionable findings alongside everything else Guard already tracks.

Combined with Titus for secrets scanning and Trajan for CI/CD pipeline testing, Aurelian completes a powerful trifecta of cloud security capabilities that give your team comprehensive visibility across your entire cloud footprint.

Open Source and Extensible

Aurelian is fully open source under the Apache 2.0 license. Its plugin architecture makes adding new modules straightforward — implement the plugin.Module interface, call plugin.Register(), and the CLI wiring happens automatically. The streaming pipeline architecture handles backpressure and concurrency out of the box.

Whether you're a Praetorian Guard customer benefiting from Aurelian's capabilities automatically, or a security researcher extending the framework with custom modules — Aurelian is built for you.

Check out the project on GitHub: github.com/praetorian-inc/aurelian

Read the full deep dive: Aurelian: Open-Source Cloud Security Tool

Autonomous Source Code Vulnerability Discovery — From Clone to Confirmed Finding to Tested Patch

What if you could point an AI at a source code repository and get back confirmed, exploitable vulnerabilities — with patches that have been verified to actually fix the bugs? Constantine does exactly that. Inspired by the strategies that won the DARPA AIxCC competition, Constantine runs a six-stage autonomous pipeline that finds vulnerabilities, proves they're real, and generates validated fixes.

The Pipeline

Constantine mirrors how an expert security researcher works — but runs end-to-end with no human intervention:

• Ingest — Clone the repo, score every file for security relevance using LLM-based semantic analysis, and prioritize the code that matters most. Supports 18 languages and handles repositories of any size.

• Detect — Five detection modules run in parallel. The primary two-pass scanner uses Haiku for fast triage across all code, then Opus/Sonnet for deep CWE-specific validation on flagged areas. An adversarial actor-skeptic scanner adds a second perspective — one model proposes findings, another challenges them.

• Review — An agentic LLM verifier with code exploration tools autonomously reads files, searches code, and traces data flows to confirm each finding. Taint-aware verification uses tree-sitter AST parsing to pre-compute call graphs, reducing false positives further.

• Exploit — For every verified finding, an agentic LLM generates proof-of-vulnerability code and executes it in a sandboxed environment. An internal write-test-retry loop iterates until the bug is demonstrably triggered — up to 250 tool calls per finding.

• Patch — Generates fixes using a tiered strategy: dependency bumps, targeted fixes, then structural refactors. Every patch is validated by re-running the exploit. Only patches that provably fix the bug get reported.

• Report — Complete evidence chains from detection through exploitation through patching, with CVSS scores, CWE classifications, and cost breakdowns.

Benchmarked Against 28 Real CVEs

Constantine is validated against vulnerabilities including Log4Shell, Heartbleed, Dirty Pipe, Baron Samedit, regreSSHion, Psychic Signatures, Looney Tunables, and runc Container Escape — spanning memory safety, auth bypass, path traversal, cryptographic flaws, and web vulnerabilities across C, Java, Python, Go, Rust, and JavaScript.

Two Operating Modes

• Customer engagement — Connect to a client's private repository. Findings flow into Guard as Risks with full evidence chains.

• Zero-day hunting — Point at any public repository. Constantine finds vulnerabilities. A human reviews and coordinates disclosure.

Cost Control

Three pipeline tiers — Premium (250 findings reviewed), Medium (150), Basic (75) — with real-time budget tracking and configurable spend caps. Per-module, per-stage cost breakdowns in every report.

How It Fits Into Guard

Constantine runs natively inside the Praetorian Guard Platform. Findings flow directly into your Guard dashboard as Risks — complete with severity ratings, evidence chains, and validated patches. Source code security joins your attack surface management, vulnerability scanning, and penetration testing in one unified view.

Documentation

https://docs.praetorian.com/articles/1856234-constantine-locates-fatal-security-bugs-in-software

API Security Testing That Proves Authorization Is Broken — Not Just Suspects It

Your APIs are your largest attack surface, and authorization flaws are the hardest bugs to find with traditional scanners. Hadrian is now open source and available in the Praetorian Guard Platform. It tests your REST, GraphQL, and gRPC APIs for OWASP API Top 10 vulnerabilities using role-based authorization testing and a mutation testing pattern that proves exploitability — not just flags suspicion.

In its first run against OWASP crAPI, Hadrian found 3 critical BOLA vulnerabilities in under 60 seconds.

What Makes Hadrian Different

Most API security tools send malformed requests and check for error codes. Hadrian does something fundamentally harder: it tests whether one user can access another user's resources. It logs in as each role you define, executes every endpoint, and detects when authorization boundaries fail.

The mutation testing pattern is where Hadrian truly separates from other tools. It uses a three-phase approach: create a resource as a privileged user, attempt to modify or delete it as an unprivileged user, then verify whether the attack actually succeeded. This eliminates false positives from APIs that return 200 OK but silently ignore unauthorized requests. When Hadrian reports a finding, it has proof.

30 Built-In Templates Across Three Protocols

Hadrian ships with 30 security test templates — 8 for REST, 13 for GraphQL, and 9 for gRPC — covering the most critical API security risks:

• BOLA (API1) — Broken Object Level Authorization across all three protocols

• Broken Authentication (API2) — Token handling, session management, and auth bypass

• BOPLA (API3) — Broken Object Property Level Authorization — mass assignment and field-level access

• Unrestricted Resource Consumption (API4) — GraphQL query depth and complexity attacks

• BFLA (API5) — Broken Function Level Authorization with mutation testing proof

• Security Misconfiguration (API8) — CORS, verbose errors, introspection exposure

• Improper Inventory Management (API9) — Undocumented and deprecated endpoints

Every template is a YAML file you can customize, extend, or replace for your organization's specific API patterns.

Works With Vespasian

Don't have API documentation? Vespasian discovers the API surface from live traffic, generates OpenAPI specs, and hands them directly to Hadrian for security testing. Together they form a complete API security pipeline: discover endpoints → generate specs → test for authorization vulnerabilities. No documentation required from the client.

Claude Code Integration

Hadrian includes a Claude Code skill that auto-generates auth.yaml and roles.yaml from your API specification — no manual config writing needed. Point it at an OpenAPI spec, GraphQL SDL schema, or gRPC proto file, and it produces the configuration Hadrian needs to start testing immediately.

CI/CD Ready

Hadrian outputs JSON and Markdown reports and returns a non-zero exit code when vulnerabilities are found, making it suitable for CI/CD security gates. Adaptive rate limiting with reactive backoff on 429/503 responses keeps your pipelines reliable.

Open Source

Hadrian is fully open source at github.com/praetorian-inc/hadrian. Install with a single command:

go install github.com/praetorian-inc/hadrian/cmd/hadrian@latest

How It Fits Into Guard

Hadrian runs as a Guard Platform capability. Findings flow into your Guard dashboard as Risks alongside your other security data — complete with proof of exploitability from the mutation testing pattern. API authorization testing joins your attack surface management, vulnerability scanning, and penetration testing in a single unified view.

Documentation

https://docs.praetorian.com/en/articles/2293307-hadrian-api-security-testing

Two new Cloudflare integrations bring DNS asset discovery and automated WAF scanner bypass to the Praetorian Guard platform.

Cloudflare DNS — Zone and Record Discovery

• Full Zone Enumeration — Discovers all Cloudflare zones accessible to your API token and imports A, AAAA, and CNAME DNS records as Guard assets

• Automatic Pagination — Handles accounts with hundreds of zones and thousands of records without manual intervention

• DNS Name Normalization — CNAME targets are normalized to consistent DNS format for accurate asset deduplication

Cloudflare WAF — Scanner Bypass Configuration

• Automatic Bypass Rules — Creates custom WAF rules marked "(Managed by PGP)" that allow Guard scanner traffic through your Cloudflare firewall without triggering blocks

• Dual Identification Modes — Static IP matching for environments with fixed egress, or combined IP + custom header + user agent identification for dynamic environments

• Comprehensive WAF Skip — Bypass rules skip zone lockdown, UA blocking, browser integrity checks, hotlink protection, rate limiting, and managed firewall rulesets

• Zone Filtering — Optionally specify which zones to configure, or leave empty to apply across all zones. Processes zones in parallel for fast setup

• Idempotent Updates — Detects existing Chariot rules and only updates them when the configuration has changed, preventing duplicate rules

Get Started

• Cloudflare DNS — Go to Integrations > Managed DNS Providers > Cloudflare DNS, then connect with your API token (requires zone and DNS read permissions)

• Cloudflare WAF — Go to Integrations > Firewall > Cloudflare WAF, then connect with your API token (requires Account Rulesets Read, Zone WAF Edit, and Zone Settings Read permissions)

Documentation

• Cloudflare DNS
• Cloudflare WAF

Three new Snyk integrations bring static analysis, dynamic testing, and application risk posture data from across your Snyk environment into the Praetorian Guard platform.

Snyk Code — Static Application Security Testing

Import SAST findings from Snyk Code to track application security vulnerabilities discovered through static analysis. The integration connects to the Snyk REST API, discovers all organizations in your Snyk Group, fetches SAST projects and their code analysis issues, and maps them as risks against their associated repository assets.

• Repository Asset Mapping — Each Snyk project's source repository is imported as a Guard asset with automatic origin detection for GitHub, GitLab, Bitbucket, and Azure Repos

• CWE-Enriched Findings — Every finding includes CWE classification, file path, line number, and priority score for precise remediation targeting

• Smart Filtering — Automatically excludes ignored and resolved findings so your dashboard reflects active risk

Snyk DAST — Dynamic Application Security Testing

Import DAST findings from Snyk API & Web (powered by Probely) to track web application and API security vulnerabilities discovered through dynamic testing. The integration discovers verified domains, web and API targets, and their associated vulnerability findings.

• Web and API Coverage — Discovers both web application targets and API targets, importing domains, web apps, and their findings into your attack surface inventory

• Rich Evidence — Findings include full HTTP request/response pairs, injection parameters, insertion points, and CVSS scores for detailed proof of exploitability

• State-Aware Filtering — Skips archived assets and findings marked as fixed, accepted, or false positive

Snyk AppRisk — Application Security Posture

Validate connectivity with the Snyk AppRisk platform. This integration confirms that your Snyk AppRisk environment is reachable and authentication is valid, laying the groundwork for future application risk posture data import.

Get Started

Each Snyk integration connects via your Snyk API token and Group ID:

• Snyk Code — Go to Integrations > Secure Code Scanning > Snyk Code, then connect with your API token and Snyk Group ID

• Snyk DAST — Go to Integrations > Application Security Testing > Snyk DAST, then connect with your Probely JWT token

• Snyk AppRisk — Go to Integrations > Application Security Posture > Snyk AppRisk, then connect with your API token and Group ID

Documentation

• Snyk Code
• Snyk DAST
• Snyk AppRisk

Import security ratings, risk factors, and active issues from SecurityScorecard into the Praetorian Guard platform, giving you continuous third-party risk visibility alongside your own attack surface data.

Highlights

• Portfolio-Wide Vendor Monitoring — Automatically discovers all companies across your SecurityScorecard portfolios, imports their domains as Guard assets, and tracks their security posture over time

• 10 Risk Factor Scores — Tracks network security, DNS health, patching cadence, endpoint security, IP reputation, application security, cubit score, hacker chatter, information leak, and social engineering scores for every vendor

• Active Issue Import — Syncs active security issues as Guard Risks with severity mapping, so third-party vulnerabilities appear in your existing triage workflows

• 6-Month Score History — Monthly score trends are imported and visualized in dedicated dashboard widgets, showing whether vendor security posture is improving or degrading

• 5 Dashboard Widgets — Portfolio score overview, score trends, risk factor comparison, active issue severity distribution, grade distribution, and lowest-scoring vendor tables — all available in the Guard Metrics Dashboard

Get Started

To integrate, go to Integrations > SecurityScorecard, then connect with your SecurityScorecard API token. The integration validates your token and begins importing portfolio data immediately.

Documentation

https://docs.praetorian.com/en/articles/2211088-securityscorecard

Connect your Fastly account to the Praetorian Guard platform for automated CDN domain discovery and Next-Gen WAF asset enumeration across all your Fastly services.

Highlights

• CDN Domain Discovery — Automatically enumerates domains attached to all Fastly CDN services, importing them as Guard assets with full pagination support across large service inventories

• Next-Gen WAF Asset Discovery — Discovers domains and backend server addresses from Fastly NGWAF-enabled services, giving you visibility into WAF-protected infrastructure

• Private IP Filtering — Automatically excludes RFC 1918 private addresses, link-local, and loopback addresses from backend discovery, preventing internal infrastructure from appearing in your external attack surface

• Modular Feature Control — Independent checkboxes for CDN asset discovery and WAF whitelisting, so you enable only what you need

Get Started

To integrate, go to Integrations > Content Delivery Solutions > Fastly, then connect with your Fastly API token. Asset discovery requires global:read scope.

Documentation

https://docs.praetorian.com/en/articles/6523083-fastly