April 6th, 2026
New
Capability
Map Any API Attack Surface — No Documentation Required
Penetration testers know the problem: the client says "test our APIs" but hands you a login and nothing else. No OpenAPI spec. No Postman collection. No documentation. Vespasian — now open source — solves this. It captures live traffic from web applications, classifies API calls, and generates structured specifications for REST (OpenAPI 3.0), GraphQL (SDL), and SOAP (WSDL) — giving you a complete map of the API attack surface from nothing but a URL.
How It Works
Vespasian uses a two-stage pipeline that separates traffic capture from specification generation:
Capture — Drive a headless browser through the target application with full JavaScript execution and authentication injection. Every HTTP request the frontend makes is recorded. Alternatively, import existing traffic from Burp Suite XML, HAR archives, or mitmproxy captures.
Generate — Classify captured requests as API calls using content-type, path heuristics, HTTP methods, and response structure. Auto-detect the API type — or specify it explicitly. Probe discovered endpoints for enrichment. Output structured specifications in the native format for each type.
This separation means you capture once, generate many. Run different generators against the same capture without re-scanning. The capture file is inspectable JSON you can review and debug.
Three Output Formats
OpenAPI 3.0 for REST — Path normalization (
/users/42becomes/users/{id}), schema inference from response bodies, parameter extraction from query strings.GraphQL SDL — Tiered introspection with 3 query levels to bypass WAF-protected servers. Falls back to traffic-based schema inference when introspection is disabled entirely.
WSDL for SOAP — Identifies SOAP services via SOAPAction headers and envelope detection, fetches and parses WSDL documents.
Key Capabilities
API Type Auto-Detection — Automatically determines REST, GraphQL, or SOAP from captured traffic. No manual selection needed.
Multi-Source Import — Reuse traffic from Burp Suite XML, HAR 1.2, and mitmproxy. No re-scanning needed.
Active Probing — OPTIONS discovery, JSON schema inference, WSDL document fetching, and GraphQL introspection enrich discovered endpoints.
SSRF Protection — Blocks probing of private and loopback addresses by default. Use
--dangerous-allow-privatefor internal targets.Confidence Scoring — Configurable classification confidence thresholds filter noise from legitimate API calls.
Vespasian + Hadrian = Complete API Security
Vespasian discovers the attack surface. Hadrian tests it for vulnerabilities. Together they form a pipeline that takes you from "no documentation" to "proven authorization vulnerabilities" — without asking the client for anything beyond a login.
Open Source
Vespasian is fully open source at github.com/praetorian-inc/vespasian. Install with a single command:
go install github.com/praetorian-inc/vespasian/cmd/vespasian@latestOr scan an application end-to-end:
vespasian scan https://app.example.com -o api.yamlHow It Fits Into Guard
Vespasian runs as a Guard Platform capability, feeding discovered API endpoints and generated specifications directly into your attack surface inventory. When paired with Hadrian, the complete API discovery-to-testing pipeline operates within Guard — endpoints discovered, specs generated, authorization tested, findings triaged — all in one platform.
Documentation
https://docs.praetorian.com/en/articles/2168486-vespasian-api-discovery-and-specification-generation
April 5th, 2026
New
Capability
The Cloud Has a Visibility Problem — Aurelian Fixes It
We are thrilled to announce Aurelian, our open-source multi-cloud security reconnaissance framework — now powering cloud assessments directly inside the Praetorian Guard Platform.
Cloud environments are sprawling, fragmented, and full of hidden risk. Secrets buried in Lambda environment variables. S3 buckets that look private but aren't. IAM policies that silently grant privilege escalation paths nobody mapped. Until now, finding all of this required stitching together a patchwork of single-cloud, compliance-focused tools that weren't built for offensive security.
Aurelian changes that — completely.
One Framework. Three Clouds. Zero Blind Spots.
Aurelian delivers a unified command-line interface for security reconnaissance across AWS, Azure, and GCP — with 25+ purpose-built modules designed by Praetorian's offensive security team. Whether you're hunting secrets, mapping IAM attack paths, or identifying publicly exposed resources, Aurelian gives you a single, consistent workflow across every major cloud provider.
What Makes Aurelian Different
- Real Policy Evaluation, Not Checkbox Compliance — Aurelian doesn't just check config flags. It evaluates actual IAM policies including condition keys, SCPs, and resource ARN patterns to determine true exposure. This is how penetration testers think — and now it's automated.
- Secrets Discovery Across 30+ Sources — EC2 user data, Lambda code, CloudFormation templates, CloudWatch logs, Azure Key Vaults, GCP storage blobs — Aurelian extracts and scans them all using the Titus secrets detection engine, with optional live validation to confirm active credentials.
- IAM Privilege Escalation Graphing — Export IAM relationships to Neo4j and run Cypher queries to visualize multi-hop escalation paths. See exactly how an attacker moves from a low-privilege role to domain dominance.
- Public Resource Detection That Actually Works — Combines resource enumeration, property enrichment, and access evaluation to find resources that are genuinely accessible — even when configuration appears private but resource-based policies tell a different story.
- Subdomain Takeover Detection — Identify dangling CNAMEs across CloudFront, S3, Elastic Beanstalk, CDK staging buckets, and managed DNS services before attackers do.
- OPSEC-Aware Reconnaissance — Built-in awareness of CloudTrail logging with configurable OPSEC levels. The
whoamimodule identifies your caller identity without generating a single audit log entry.
Already Inside the Guard Platform
Aurelian isn't a standalone tool you bolt on — it's already integrated into the Praetorian Guard Platform. That means its reconnaissance capabilities feed directly into your attack surface management workflows. Discovered secrets, public resources, and IAM risks surface as actionable findings alongside everything else Guard already tracks.
Combined with Titus for secrets scanning and Trajan for CI/CD pipeline testing, Aurelian completes a powerful trifecta of cloud security capabilities that give your team comprehensive visibility across your entire cloud footprint.
Open Source and Extensible
Aurelian is fully open source under the Apache 2.0 license. Its plugin architecture makes adding new modules straightforward — implement the plugin.Module interface, call plugin.Register(), and the CLI wiring happens automatically. The streaming pipeline architecture handles backpressure and concurrency out of the box.
Whether you're a Praetorian Guard customer benefiting from Aurelian's capabilities automatically, or a security researcher extending the framework with custom modules — Aurelian is built for you.
Check out the project on GitHub: github.com/praetorian-inc/aurelian
Read the full deep dive: Aurelian: Open-Source Cloud Security Tool
April 3rd, 2026
New
Capability
Autonomous Source Code Vulnerability Discovery — From Clone to Confirmed Finding to Tested Patch
What if you could point an AI at a source code repository and get back confirmed, exploitable vulnerabilities — with patches that have been verified to actually fix the bugs? Constantine does exactly that. Inspired by the strategies that won the DARPA AIxCC competition, Constantine runs a six-stage autonomous pipeline that finds vulnerabilities, proves they're real, and generates validated fixes.
The Pipeline
Constantine mirrors how an expert security researcher works — but runs end-to-end with no human intervention:
Ingest — Clone the repo, score every file for security relevance using LLM-based semantic analysis, and prioritize the code that matters most. Supports 18 languages and handles repositories of any size.
Detect — Five detection modules run in parallel. The primary two-pass scanner uses Haiku for fast triage across all code, then Opus/Sonnet for deep CWE-specific validation on flagged areas. An adversarial actor-skeptic scanner adds a second perspective — one model proposes findings, another challenges them.
Review — An agentic LLM verifier with code exploration tools autonomously reads files, searches code, and traces data flows to confirm each finding. Taint-aware verification uses tree-sitter AST parsing to pre-compute call graphs, reducing false positives further.
Exploit — For every verified finding, an agentic LLM generates proof-of-vulnerability code and executes it in a sandboxed environment. An internal write-test-retry loop iterates until the bug is demonstrably triggered — up to 250 tool calls per finding.
Patch — Generates fixes using a tiered strategy: dependency bumps, targeted fixes, then structural refactors. Every patch is validated by re-running the exploit. Only patches that provably fix the bug get reported.
Report — Complete evidence chains from detection through exploitation through patching, with CVSS scores, CWE classifications, and cost breakdowns.
Benchmarked Against 28 Real CVEs
Constantine is validated against vulnerabilities including Log4Shell, Heartbleed, Dirty Pipe, Baron Samedit, regreSSHion, Psychic Signatures, Looney Tunables, and runc Container Escape — spanning memory safety, auth bypass, path traversal, cryptographic flaws, and web vulnerabilities across C, Java, Python, Go, Rust, and JavaScript.
Two Operating Modes
Customer engagement — Connect to a client's private repository. Findings flow into Guard as Risks with full evidence chains.
Zero-day hunting — Point at any public repository. Constantine finds vulnerabilities. A human reviews and coordinates disclosure.
Cost Control
Three pipeline tiers — Premium (250 findings reviewed), Medium (150), Basic (75) — with real-time budget tracking and configurable spend caps. Per-module, per-stage cost breakdowns in every report.
How It Fits Into Guard
Constantine runs natively inside the Praetorian Guard Platform. Findings flow directly into your Guard dashboard as Risks — complete with severity ratings, evidence chains, and validated patches. Source code security joins your attack surface management, vulnerability scanning, and penetration testing in one unified view.
Documentation
https://docs.praetorian.com/articles/1856234-constantine-locates-fatal-security-bugs-in-software
April 3rd, 2026
New
Capability
API Security Testing That Proves Authorization Is Broken — Not Just Suspects It
Your APIs are your largest attack surface, and authorization flaws are the hardest bugs to find with traditional scanners. Hadrian is now open source and available in the Praetorian Guard Platform. It tests your REST, GraphQL, and gRPC APIs for OWASP API Top 10 vulnerabilities using role-based authorization testing and a mutation testing pattern that proves exploitability — not just flags suspicion.
In its first run against OWASP crAPI, Hadrian found 3 critical BOLA vulnerabilities in under 60 seconds.
What Makes Hadrian Different
Most API security tools send malformed requests and check for error codes. Hadrian does something fundamentally harder: it tests whether one user can access another user's resources. It logs in as each role you define, executes every endpoint, and detects when authorization boundaries fail.
The mutation testing pattern is where Hadrian truly separates from other tools. It uses a three-phase approach: create a resource as a privileged user, attempt to modify or delete it as an unprivileged user, then verify whether the attack actually succeeded. This eliminates false positives from APIs that return 200 OK but silently ignore unauthorized requests. When Hadrian reports a finding, it has proof.
30 Built-In Templates Across Three Protocols
Hadrian ships with 30 security test templates — 8 for REST, 13 for GraphQL, and 9 for gRPC — covering the most critical API security risks:
BOLA (API1) — Broken Object Level Authorization across all three protocols
Broken Authentication (API2) — Token handling, session management, and auth bypass
BOPLA (API3) — Broken Object Property Level Authorization — mass assignment and field-level access
Unrestricted Resource Consumption (API4) — GraphQL query depth and complexity attacks
BFLA (API5) — Broken Function Level Authorization with mutation testing proof
Security Misconfiguration (API8) — CORS, verbose errors, introspection exposure
Improper Inventory Management (API9) — Undocumented and deprecated endpoints
Every template is a YAML file you can customize, extend, or replace for your organization's specific API patterns.
Works With Vespasian
Don't have API documentation? Vespasian discovers the API surface from live traffic, generates OpenAPI specs, and hands them directly to Hadrian for security testing. Together they form a complete API security pipeline: discover endpoints → generate specs → test for authorization vulnerabilities. No documentation required from the client.
Claude Code Integration
Hadrian includes a Claude Code skill that auto-generates auth.yaml and roles.yaml from your API specification — no manual config writing needed. Point it at an OpenAPI spec, GraphQL SDL schema, or gRPC proto file, and it produces the configuration Hadrian needs to start testing immediately.
CI/CD Ready
Hadrian outputs JSON and Markdown reports and returns a non-zero exit code when vulnerabilities are found, making it suitable for CI/CD security gates. Adaptive rate limiting with reactive backoff on 429/503 responses keeps your pipelines reliable.
Open Source
Hadrian is fully open source at github.com/praetorian-inc/hadrian. Install with a single command:
go install github.com/praetorian-inc/hadrian/cmd/hadrian@latestHow It Fits Into Guard
Hadrian runs as a Guard Platform capability. Findings flow into your Guard dashboard as Risks alongside your other security data — complete with proof of exploitability from the mutation testing pattern. API authorization testing joins your attack surface management, vulnerability scanning, and penetration testing in a single unified view.
Documentation
https://docs.praetorian.com/en/articles/2293307-hadrian-api-security-testing
April 3rd, 2026
New
Integration
Two new Cloudflare integrations bring DNS asset discovery and automated WAF scanner bypass to the Praetorian Guard platform.
Cloudflare DNS — Zone and Record Discovery
Full Zone Enumeration — Discovers all Cloudflare zones accessible to your API token and imports A, AAAA, and CNAME DNS records as Guard assets
Automatic Pagination — Handles accounts with hundreds of zones and thousands of records without manual intervention
DNS Name Normalization — CNAME targets are normalized to consistent DNS format for accurate asset deduplication
Cloudflare WAF — Scanner Bypass Configuration
Automatic Bypass Rules — Creates custom WAF rules marked "(Managed by PGP)" that allow Guard scanner traffic through your Cloudflare firewall without triggering blocks
Dual Identification Modes — Static IP matching for environments with fixed egress, or combined IP + custom header + user agent identification for dynamic environments
Comprehensive WAF Skip — Bypass rules skip zone lockdown, UA blocking, browser integrity checks, hotlink protection, rate limiting, and managed firewall rulesets
Zone Filtering — Optionally specify which zones to configure, or leave empty to apply across all zones. Processes zones in parallel for fast setup
Idempotent Updates — Detects existing Chariot rules and only updates them when the configuration has changed, preventing duplicate rules
Get Started
Cloudflare DNS — Go to Integrations > Managed DNS Providers > Cloudflare DNS, then connect with your API token (requires zone and DNS read permissions)
Cloudflare WAF — Go to Integrations > Firewall > Cloudflare WAF, then connect with your API token (requires Account Rulesets Read, Zone WAF Edit, and Zone Settings Read permissions)
Documentation
April 3rd, 2026
New
Integration
Three new Snyk integrations bring static analysis, dynamic testing, and application risk posture data from across your Snyk environment into the Praetorian Guard platform.
Snyk Code — Static Application Security Testing
Import SAST findings from Snyk Code to track application security vulnerabilities discovered through static analysis. The integration connects to the Snyk REST API, discovers all organizations in your Snyk Group, fetches SAST projects and their code analysis issues, and maps them as risks against their associated repository assets.
Repository Asset Mapping — Each Snyk project's source repository is imported as a Guard asset with automatic origin detection for GitHub, GitLab, Bitbucket, and Azure Repos
CWE-Enriched Findings — Every finding includes CWE classification, file path, line number, and priority score for precise remediation targeting
Smart Filtering — Automatically excludes ignored and resolved findings so your dashboard reflects active risk
Snyk DAST — Dynamic Application Security Testing
Import DAST findings from Snyk API & Web (powered by Probely) to track web application and API security vulnerabilities discovered through dynamic testing. The integration discovers verified domains, web and API targets, and their associated vulnerability findings.
Web and API Coverage — Discovers both web application targets and API targets, importing domains, web apps, and their findings into your attack surface inventory
Rich Evidence — Findings include full HTTP request/response pairs, injection parameters, insertion points, and CVSS scores for detailed proof of exploitability
State-Aware Filtering — Skips archived assets and findings marked as fixed, accepted, or false positive
Snyk AppRisk — Application Security Posture
Validate connectivity with the Snyk AppRisk platform. This integration confirms that your Snyk AppRisk environment is reachable and authentication is valid, laying the groundwork for future application risk posture data import.
Get Started
Each Snyk integration connects via your Snyk API token and Group ID:
Snyk Code — Go to Integrations > Secure Code Scanning > Snyk Code, then connect with your API token and Snyk Group ID
Snyk DAST — Go to Integrations > Application Security Testing > Snyk DAST, then connect with your Probely JWT token
Snyk AppRisk — Go to Integrations > Application Security Posture > Snyk AppRisk, then connect with your API token and Group ID
Documentation
April 3rd, 2026
New
Integration
Import security ratings, risk factors, and active issues from SecurityScorecard into the Praetorian Guard platform, giving you continuous third-party risk visibility alongside your own attack surface data.
Highlights
Portfolio-Wide Vendor Monitoring — Automatically discovers all companies across your SecurityScorecard portfolios, imports their domains as Guard assets, and tracks their security posture over time
10 Risk Factor Scores — Tracks network security, DNS health, patching cadence, endpoint security, IP reputation, application security, cubit score, hacker chatter, information leak, and social engineering scores for every vendor
Active Issue Import — Syncs active security issues as Guard Risks with severity mapping, so third-party vulnerabilities appear in your existing triage workflows
6-Month Score History — Monthly score trends are imported and visualized in dedicated dashboard widgets, showing whether vendor security posture is improving or degrading
5 Dashboard Widgets — Portfolio score overview, score trends, risk factor comparison, active issue severity distribution, grade distribution, and lowest-scoring vendor tables — all available in the Guard Metrics Dashboard
Get Started
To integrate, go to Integrations > SecurityScorecard, then connect with your SecurityScorecard API token. The integration validates your token and begins importing portfolio data immediately.
Documentation
https://docs.praetorian.com/en/articles/2211088-securityscorecard
April 3rd, 2026
New
Integration
Connect your Fastly account to the Praetorian Guard platform for automated CDN domain discovery and Next-Gen WAF asset enumeration across all your Fastly services.
Highlights
CDN Domain Discovery — Automatically enumerates domains attached to all Fastly CDN services, importing them as Guard assets with full pagination support across large service inventories
Next-Gen WAF Asset Discovery — Discovers domains and backend server addresses from Fastly NGWAF-enabled services, giving you visibility into WAF-protected infrastructure
Private IP Filtering — Automatically excludes RFC 1918 private addresses, link-local, and loopback addresses from backend discovery, preventing internal infrastructure from appearing in your external attack surface
Modular Feature Control — Independent checkboxes for CDN asset discovery and WAF whitelisting, so you enable only what you need
Get Started
To integrate, go to Integrations > Content Delivery Solutions > Fastly, then connect with your Fastly API token. Asset discovery requires global:read scope.
Documentation
April 3rd, 2026
New
Integration
Import web application vulnerability scan results from Invicti (formerly Netsparker) into the Praetorian Guard platform, consolidating your DAST findings alongside your attack surface data in a single unified view.
Highlights
Comprehensive Vulnerability Import — Imports present and revived vulnerabilities from Invicti's AppSec platform, including XSS, SQL injection, server misconfiguration, and hundreds of other web application security findings
8 Compliance Framework Mappings — Every finding is enriched with CWE, OWASP Top 10 (2017 and 2021), OWASP API Top 10, PCI DSS 4.0, NIST SP 800-53, HIPAA, and DISA STIG classifications — ready for compliance reporting out of the box
Dual CVSS Scoring — Supports both CVSS 3.1 and CVSS 4.0 scores and vector strings, with Invicti's certainty percentage preserved for confidence-aware triage
Smart Filtering — Automatically excludes fixed, closed, and accepted-risk findings, and skips issues not seen in the last 30 days so your dashboard reflects current risk, not historical noise
Asset and Webpage Modeling — Discovered vulnerable domains are imported as Guard assets, with individual vulnerable URLs tracked as Webpage entities for precise remediation targeting
Get Started
To integrate, go to Integrations > Application Security Testing > Invicti, then connect with your API Base URL, User ID, and API Token (found on your Invicti account page). Invicti authenticates via HTTP Basic Auth — the integration validates your credentials before syncing.
Documentation
March 24th, 2026
Improved
Capability
Your Attack Surface Now Includes LLM Infrastructure. Julius Finds It.
Julius nearly doubles its detection coverage with 30 new probes, bringing the total to 63 LLM services across self-hosted engines, cloud APIs, gateways, and RAG platforms. Every new probe was live-tested against real instances via Shodan and customer infrastructure — and the testing uncovered 14 detection bugs in existing probes that are now fixed.
New Service Detection (30 probes)
Cloud-Managed APIs (10)
Julius can now fingerprint major cloud AI providers without valid credentials.
- AWS Bedrock — Detects both control plane and runtime endpoints via 403 response
- Azure OpenAI — Microsoft Foundry deployment detection
- Google Vertex AI — aiplatform.googleapis.com endpoint fingerprinting
- Groq, Fireworks AI, Together AI, Replicate, Modal — Provider-specific error signatures
- Cloudflare AI Gateway — Detected via unique cf-aig-event-id response header
- Databricks Model Serving — Real-time ML inference endpoint detection
Self-Hosted Engines (10)
- SGLang — High-performance LLM serving via /server_info and /model_info
- NVIDIA TensorRT-LLM, Triton Inference Server — Enterprise GPU inference
- BentoML, Baseten Truss, Ray Serve — ML serving frameworks
- DeepSpeed-MII, MLC LLM, Petals, PowerInfer — Specialized inference engines
Gateways (5)
- Bifrost, Helicone, OmniRoute, Portkey AI Gateway, TensorZero — LLM proxy and routing layers
RAG and Orchestration (5)
- Langflow, h2oGPT, PrivateGPT, Quivr, RAGFlow — Document QA and workflow platforms
Bug Fixes From Live Testing (14 probes fixed)
Cross-Version Compatibility
- SGLang — Fixed /server_info match for older versions
- Dify — Newer JS-rendered versions now detected via data attributes
- Flowise — Updated title match for current versions
False Positive Elimination
- Ollama — SGLang and Ollama-compat servers no longer trigger false matches
- Bifrost — Removed overly generic /api/version block
- DeepSpeed-MII — Removed /health block that matched every FastAPI app
- Groq — Removed generic block that matched KoboldCpp
Systemic header.contains Bug (5 probes)
AWS Bedrock, Cloudflare AI Gateway, Fireworks AI, Modal, and OmniRoute all had header matching rules that never worked on HTTP/2. All five are now fixed.
Get Started
go install github.com/praetorian-inc/julius/cmd/julius@latestjulius probe https://your-target.example.comJulius is open source at github.com/praetorian-inc/julius.