An enterprise-grade, multi-process Security Management Platform utilizing a Directed Acyclic Graph (DAG) for high-performance concurrent vulnerability scanning.
Building on the previous release's concurrency engine, V5.4 focuses on robustness, professionalism, and security hardening. The DAG Orchestrator now has a global 60-minute watchdog that prevents hanging scanners from freezing the pipeline. Email alerts are fully redesigned with responsive HTML templates and dynamic metadata injection. Reports now carry proper company, tester, and QA reviewer metadata on the cover page. All hardcoded tool lists have been replaced with dynamic registry lookups: add a new scanner once and it automatically appears everywhere.
Note
First time here? Jump straight to the Quick Start section. The entire setup is automated: one `bash setup.sh` and you're done.
| Feature | What it does |
|---|---|
| DAG Orchestration | Resolves the scanner dependency graph and runs non-dependent scanners in fully parallel threads |
| 60-Minute Watchdog | Hung scanner threads are auto-failed; the pipeline never freezes even if a tool locks up |
| Deferred Retry Queue | Failed plugins get a second attempt at 1.5x the timeout after the main DAG pass |
| Dynamic Plugin Registry | Add a scanner with one `@register_scanner` decorator; splash screen, tests, and DAG update automatically |
| Strict MVC Architecture | `ui/views/` + `ui/controllers/`: business logic and UI rendering are kept strictly separate |
| Self-Healing Installer | Missing binary? SMP installs it on the fly via pip, apt, or Go, then retries automatically |
| Redundancy Database | All live scan data is hot-mirrored; if security.db is gone, reports still generate from the mirror |
| AES-256 Encryption | Every database byte is encrypted at rest via SQLCipher, including the redundancy DB (see the release notes for the plain-sqlite3 fallback when SQLCipher is unavailable) |
| Professional Email Alerts | Responsive HTML templates with company, tester & QA metadata; Critical/High summaries only |
| Cover Page Metadata | Company Name, Lead Tester, and QA Reviewer injected dynamically into every PDF cover page |
SMP V5.4 is built on a highly modular, decoupled architecture designed for scale and stability.
The frontend is built with PySide6. The UI acts purely as a "dumb" terminal that listens for events: when a background scan completes a task, the Database Manager emits a JSON payload over a local UDP socket (127.0.0.1:5005), and the UI turns that payload into a Qt Signal that refreshes the screen immediately. Binding to loopback does not authenticate the sender: any process on the same host can send a datagram to that port, so the UI must treat every payload as untrusted input and validate it before acting on it.
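The listener side of that channel, as an added example that is not SMP's own code: it binds a UDP socket on loopback, validates each datagram against a fixed shape, and only then fires the "signal". The event names, the `scan_id` field, and the 4096-byte size limit are assumptions for the demo (SMP's real event schema is not on the page), and the Qt Signal is stood in for by a plain callback so the example runs without PySide6.

```python
# Added example (not SMP's own code): UI-side listener for the JSON-over-UDP
# event channel, with the validation a loopback socket needs.
import json
import socket

MAX_DATAGRAM = 4096                                              # assumption: drop anything larger
EVENT_TYPES = {"scan_started", "task_complete", "scan_complete"}  # constructed event names


def parse_event(raw, sender):
    """Validate one datagram; return the event dict, or None to drop it.

    127.0.0.1 is not an authentication boundary: any local process can send to
    the port, so the payload is treated as untrusted and only a fixed shape is
    accepted (dict, known string type, integer scan_id, bounded size).
    """
    if sender[0] != "127.0.0.1" or len(raw) > MAX_DATAGRAM:
        return None
    try:
        event = json.loads(raw.decode("utf-8"))
    except (UnicodeDecodeError, ValueError):
        return None
    if not isinstance(event, dict):
        return None
    kind = event.get("type")
    if not isinstance(kind, str) or kind not in EVENT_TYPES:   # str check: a list would raise on set lookup
        return None
    scan_id = event.get("scan_id")
    if not isinstance(scan_id, int) or isinstance(scan_id, bool):   # bool is an int subclass
        return None
    return event


class UiListener:
    """Stand-in for the UI side: bind, receive, validate, fire the 'signal' (a callback)."""

    def __init__(self, host="127.0.0.1", port=0):   # port 0 = ephemeral, for the demo; SMP uses 5005
        self.sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
        self.sock.bind((host, port))
        self.sock.settimeout(2.0)
        self.address = self.sock.getsockname()

    def poll(self, on_event):
        """Receive one datagram; call on_event for a valid one. Returns True if accepted."""
        raw, sender = self.sock.recvfrom(MAX_DATAGRAM + 1)   # +1 so an oversize datagram is detectable
        event = parse_event(raw, sender)
        if event is not None:
            on_event(event)
        return event is not None

    def close(self):
        self.sock.close()


def emit_event(address, event):
    """Database Manager side: fire-and-forget JSON datagram, as the text describes."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.sendto(json.dumps(event).encode("utf-8"), address)


def demo():
    """Send one well-formed event and two malformed ones; return what got through."""
    listener = UiListener()
    refreshed = []                                   # what the 'Qt signal' would repaint
    emit_event(listener.address, {"type": "task_complete", "scan_id": 7, "tool": "nmap"})
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:   # a rogue local sender
        s.sendto(b'{"type": "task_complete", "scan_id": "7"}', listener.address)  # wrong field type
        s.sendto(b"not json at all", listener.address)
    accepted = [listener.poll(refreshed.append) for _ in range(3)]
    listener.close()
    return accepted, refreshed


if __name__ == "__main__":
    print(demo())
```

Because UDP is fire-and-forget, a lost datagram means a stale screen rather than a failed scan; the database remains the source of truth, and the UI can always re-read it.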
The Orchestrator analyses tool dependencies, builds a Directed Acyclic Graph, and launches a thread pool that executes scanners concurrently. New in V5.4: each plugin thread has a 60-minute watchdog. If a scanner runs past it, that step is marked failed and the pipeline continues instead of freezing, so the steps that do not depend on it are not lost.
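A minimal orchestrator with those three behaviours (ready-when-dependencies-succeed scheduling, a per-scanner watchdog, and the deferred retry queue at 1.5x the timeout), as an added example that is not SMP's own code. The scanner names, the dependency graph in `demo_run()`, and the `plugins[name](timeout)` calling convention are assumptions; SMP's real registry and plugin API are not on the page.

```python
# Added example (not SMP's own code): DAG scheduler with watchdog and deferred retry.
import time
from concurrent.futures import ThreadPoolExecutor, FIRST_COMPLETED, wait
from concurrent.futures import TimeoutError as FutureTimeout

WATCHDOG_SECONDS = 60 * 60   # SMP's stated default; demo_run() shortens it
RETRY_FACTOR = 1.5           # deferred retries run with 1.5x the original budget
FAILED_STATES = ("failed", "timeout", "skipped")


def validate_dag(graph):
    """graph maps scanner -> list of scanners it depends on. Reject unknown
    dependencies and cycles; a cycle would otherwise deadlock the scheduler."""
    for name, deps in graph.items():
        unknown = set(deps) - graph.keys()
        if unknown:
            raise ValueError(f"{name} depends on unregistered scanner(s) {sorted(unknown)}")
    state = {}                                   # 1 = on the current path, 2 = finished

    def visit(node):
        if state.get(node) == 1:
            raise ValueError(f"dependency cycle through {node}")
        if state.get(node) != 2:
            state[node] = 1
            for dep in graph[node]:
                visit(dep)
            state[node] = 2

    for node in graph:
        visit(node)


def run_dag(graph, plugins, timeout=WATCHDOG_SECONDS, retry_factor=RETRY_FACTOR):
    """Run plugins[name](budget) for every node, starting each scanner as soon as
    all its dependencies are 'ok'. Returns {name: status} with status in
    ok / failed (raised) / timeout (watchdog fired) / skipped (a dependency did
    not succeed). Failed and timed-out scanners get one deferred retry."""
    validate_dag(graph)
    status, deadlines, running = {}, {}, {}
    waiting = {name: set(deps) for name, deps in graph.items()}
    pool = ThreadPoolExecutor(max_workers=max(1, len(graph)))

    while waiting or running:
        for name, deps in list(waiting.items()):
            if any(status.get(d) in FAILED_STATES for d in deps):
                status[name] = "skipped"          # never run a step whose input is missing
                del waiting[name]
            elif all(status.get(d) == "ok" for d in deps):
                running[pool.submit(plugins[name], timeout)] = name
                deadlines[name] = time.monotonic() + timeout
                del waiting[name]
        if running:
            done, _ = wait(list(running), timeout=0.01, return_when=FIRST_COMPLETED)
            for fut in done:
                status[running.pop(fut)] = "ok" if fut.exception() is None else "failed"
            now = time.monotonic()
            for fut, name in list(running.items()):
                if now >= deadlines[name]:
                    # Watchdog: stop waiting so the rest of the DAG proceeds. Python cannot
                    # kill the thread; a real orchestrator also kills the scanner subprocess.
                    running.pop(fut)
                    status[name] = "timeout"

    # Deferred retry queue: one more attempt with a longer budget after the main pass.
    # Steps skipped because of that scanner stay skipped; they are not re-queued here.
    for name in [n for n, s in status.items() if s in ("failed", "timeout")]:
        budget = timeout * retry_factor
        fut = pool.submit(plugins[name], budget)
        try:
            fut.result(timeout=budget)
            status[name] = "ok"
        except FutureTimeout:
            status[name] = "timeout"
        except Exception:
            status[name] = "failed"
    pool.shutdown(wait=False)                     # never block on a hung scanner
    return status


def demo_run():
    """Constructed plugins: one hangs, one fails once then succeeds, the rest pass."""
    attempts = []

    def ok(_budget):
        time.sleep(0.01)

    def hangs(_budget):
        time.sleep(0.6)                           # well past the 0.1 s demo watchdog

    def flaky(_budget):
        attempts.append(1)
        if len(attempts) == 1:
            raise RuntimeError("transient failure")

    graph = {"subfinder": [], "nmap": [], "httpx": ["subfinder"],
             "nuclei": ["httpx"], "nikto": ["httpx"], "sqlmap": ["nuclei"]}
    plugins = {"subfinder": ok, "nmap": ok, "httpx": ok,
               "nuclei": hangs, "nikto": flaky, "sqlmap": ok}
    return run_dag(graph, plugins, timeout=0.1)


if __name__ == "__main__":
    print(demo_run())
```

In `demo_run()` the hung `nuclei` step times out on both attempts, `nikto` is recovered by the retry pass, and `sqlmap` is skipped because its only dependency never succeeded; `nmap` and the recon chain finish untouched.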
Tip
SMP heals itself! If a scanner binary is missing from your system when a scan starts, SMP doesn't just give up: it installs the tool on the fly using pip, apt, or Go, then retries the scan step. No babysitting required. Because this fetches packages at scan time, the integrity of the self-healing path depends on the SHA-256 verification of downloads described in the release notes; keep it enabled.
The self-healing loop works like this:

```text
Binary missing?
      |
      v
install_single_tool("nmap")  -> looks up the TOOLS registry
      |
      +-- installed? -> retry scan step -> success
      |
      +-- failed?    -> log & skip the step gracefully
```
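The same loop in code, as an added example that is not SMP's own: look the tool up in a registry, run its installer, verify the resulting binary against a pinned SHA-256 digest (the check the V5.4 release notes list for binary downloads), and only then retry the step. The registry entries, the `fake` installer backend, and the digests are constructed for the demo; SMP's real TOOLS registry and its pip/apt/Go backends are not shown on the page.

```python
# Added example (not SMP's own code): self-healing with a pinned-digest check.
import hashlib
import os
import shutil
import stat
import tempfile


def sha256_of(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def install_single_tool(name, registry, installers, search_path, log):
    """Look the tool up in the registry, run its installer, and return the
    binary path, or None. A binary whose digest does not match the pinned one
    is deleted rather than trusted: an installer that runs at scan time is a
    supply-chain entry point, so the pin is what keeps self-healing safe."""
    entry = registry.get(name)
    if entry is None:
        log.append(f"{name}: not in TOOLS registry")
        return None
    try:
        installers[entry["installer"]](entry["package"], search_path)
    except Exception as exc:                      # installer backend failed
        log.append(f"{name}: install failed ({exc})")
        return None
    path = shutil.which(name, path=search_path)
    if path is None:
        log.append(f"{name}: installer ran but no binary appeared")
        return None
    if sha256_of(path) != entry["sha256"]:
        log.append(f"{name}: SHA-256 mismatch, removing untrusted binary")
        os.remove(path)
        return None
    return path


def run_step(name, step, registry, installers, search_path, log):
    """Run step(binary_path). If the binary is missing, self-heal once and retry;
    if that fails, log and skip the step (return None) instead of aborting."""
    path = shutil.which(name, path=search_path)
    if path is None:
        log.append(f"{name}: binary missing, self-healing")
        path = install_single_tool(name, registry, installers, search_path, log)
        if path is None:
            log.append(f"{name}: skipping step")
            return None
    return step(path)


def demo():
    """Two tools are 'missing': one install matches its pin, the other does not."""
    bindir = tempfile.mkdtemp()
    payload = b"#!/bin/sh\necho nmap\n"          # constructed stand-in for a downloaded binary

    def fake_installer(package, dest):            # stands in for the pip/apt/go backends
        target = os.path.join(dest, package)
        with open(target, "wb") as f:
            f.write(payload)
        os.chmod(target, os.stat(target).st_mode | stat.S_IXUSR)

    registry = {
        "nmap": {"installer": "fake", "package": "nmap", "sha256": hashlib.sha256(payload).hexdigest()},
        "masscan": {"installer": "fake", "package": "masscan", "sha256": "00" * 32},  # wrong pin
    }
    log = []
    results = {
        tool: run_step(tool, os.path.basename, registry, {"fake": fake_installer}, bindir, log)
        for tool in ("nmap", "masscan")
    }
    leftover = sorted(os.listdir(bindir))
    shutil.rmtree(bindir)
    return results, leftover, log


if __name__ == "__main__":
    print(demo())
```

The `masscan` entry models a tampered or wrong-version download: the installer "succeeds", but the binary never runs and is removed, and the step is skipped rather than executed with an unverified tool.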
SMP uses three purpose-built SQLite databases, each with a specific role in the data lifecycle. Never touch these files with external tools while the app is running!
Important
All databases are AES-256 encrypted at rest (SQLCipher) using your Master Password. They are stored under database/. Never lose your Master Password: there is no recovery mechanism.
| Database | File | Purpose | Lifecycle |
|---|---|---|---|
| Main DB | security.db | Primary store for all targets, scans, findings, technologies, risk scores, and raw outputs | Permanent; survives reboots |
| Redundancy DB | redundancy.db | Hot mirror of the active scan only; all data is written here in parallel during scanning. If security.db is missing or corrupt, reports read from here instead | Wiped after every scan completes |
| CVE Intelligence DB | cve.db | 300,000+ NVD CVE entries. Read-only during scans; synced incrementally by the background scheduler | Permanent; updated nightly |
```text
scan starts
  |
  +--> write findings      ----> security.db    (primary)
  |                        ----> redundancy.db  (mirror)
  |
  +--> write technologies  ----> security.db
  |                        ----> redundancy.db
  |
  +--> write risk scores   ----> security.db
  |                        ----> redundancy.db
  |
  +--> scan complete:
        +-- generate report     (reads security.db, or redundancy.db if the primary is gone)
        +-- clear redundancy.db (wiped clean, ready for the next scan)
```
Warning
redundancy.db is cleared automatically after every scan. It is not a long-term backup; it is a live safety net for the current scan only. For long-term backups, use the encrypted ZIP exports from the Dashboard.
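The lifecycle from the diagram and the warning above, as an added example that is not SMP's own code: every write goes to both files, the report reads the primary first and falls back to the mirror when the primary is missing or fails `PRAGMA integrity_check`, and finishing the scan wipes the mirror. The `findings` table is constructed; SMP additionally opens both files through SQLCipher (`PRAGMA key`), which is left out here so the example runs on stock sqlite3. The last step shows why the warning matters: once wiped, the mirror can no longer rescue a lost primary.

```python
# Added example (not SMP's own code): dual write, fallback read, wipe on completion.
import os
import shutil
import sqlite3
import tempfile
from contextlib import closing

SCHEMA = "CREATE TABLE IF NOT EXISTS findings (scan_id INTEGER, title TEXT, severity TEXT)"


def open_existing(path):
    # mode=rw refuses to create a new empty file, so a vanished database is an
    # error we can act on rather than a silently recreated, empty primary.
    return sqlite3.connect(f"file:{path}?mode=rw", uri=True)


class MirroredStore:
    def __init__(self, primary_path, mirror_path):
        self.primary, self.mirror = primary_path, mirror_path
        for path in (primary_path, mirror_path):
            with closing(sqlite3.connect(path)) as db:
                db.execute(SCHEMA)
                db.commit()

    def write_finding(self, scan_id, title, severity):
        """Dual write. The scan keeps going as long as one copy accepts the row."""
        accepted = 0
        for path in (self.primary, self.mirror):
            try:
                with closing(open_existing(path)) as db:
                    db.execute("INSERT INTO findings VALUES (?, ?, ?)", (scan_id, title, severity))
                    db.commit()
                accepted += 1
            except sqlite3.DatabaseError:
                continue
        if not accepted:
            raise RuntimeError("neither security.db nor redundancy.db is writable")

    def findings_for_report(self, scan_id):
        """Primary first; fall back to the mirror if the primary is missing or
        fails its integrity check. Returns (rows, file the rows came from)."""
        for path in (self.primary, self.mirror):
            try:
                with closing(open_existing(path)) as db:
                    if db.execute("PRAGMA integrity_check").fetchone()[0] != "ok":
                        raise sqlite3.DatabaseError("integrity_check failed")
                    rows = db.execute(
                        "SELECT title, severity FROM findings WHERE scan_id = ? ORDER BY rowid",
                        (scan_id,),
                    ).fetchall()
                return rows, os.path.basename(path)
            except sqlite3.DatabaseError:
                continue
        raise RuntimeError("no readable database for the report")

    def finish_scan(self):
        """Scan complete: wipe the mirror. Nothing written so far survives in it."""
        with closing(open_existing(self.mirror)) as db:
            db.execute("DELETE FROM findings")
            db.commit()


def demo():
    """Lose the primary mid-scan, report from the mirror, then wipe and report again."""
    workdir = tempfile.mkdtemp()
    store = MirroredStore(os.path.join(workdir, "security.db"), os.path.join(workdir, "redundancy.db"))
    store.write_finding(1, "Outdated TLS version", "High")      # constructed sample findings
    store.write_finding(1, "Missing CSP header", "Low")
    os.remove(store.primary)                                     # simulated loss of security.db
    store.write_finding(1, "Reflected XSS", "Critical")          # still lands in the mirror
    before = store.findings_for_report(1)
    store.finish_scan()
    after = store.findings_for_report(1)
    shutil.rmtree(workdir)
    return before, after


if __name__ == "__main__":
    print(demo())
```

Opening with `mode=rw` is the detail that makes the fallback trustworthy: a plain `sqlite3.connect()` on a missing path quietly creates an empty database, and the report would then come back empty from the "primary" instead of falling through to the mirror.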
- OS: Linux (Ubuntu 22.04+ recommended)
- RAM: 8GB+ recommended for full parallel scanning
- Dependencies: everything is handled automatically by setup.sh
```bash
# Clone the repository
git clone https://github.com/mrQhere/SecurityManagementPlatform.git
cd SecurityManagementPlatform

# Run the fully automated setup script
bash setup.sh
```

Once the setup is complete, run the platform:

```bash
bash run.sh
```

- On first boot, create your Master Password. It is the key to the AES-256 encrypted databases and cannot be recovered if lost, so keep it in a password manager.
- Navigate to the Targets tab and enter an authorized target URL.
- Click Scan. Watch the DAG Orchestrator parallelize the attack surface mapping in real-time!
- If a tool binary is missing, SMP self-heals: it installs the binary automatically and retries the step.
- Click Report to generate a comprehensive, executive-ready VAPT PDF.
Caution
LEGAL NOTICE: SMP is a powerful battering ram. Using it on systems you do not own or have explicit written authorization to test is illegal. By launching a scan, you accept full legal responsibility for all activity. Stay safe, stay legal.
SMP acts as a centralized orchestrator for the world's best open-source security tools. The DAG Engine dynamically maps out their dependencies and executes them concurrently for maximum speed. The tool list grows automatically as new scanners are registered.
| Category | Tools |
|---|---|
| Recon & OSINT | HTTPx, Subfinder, CRT.sh, HackerTarget, Whois, Wayback Machine, Shodan, theHarvester |
| Network | Nmap, Traceroute, Masscan, DNSx |
| SSL/TLS | SSL Scanner, Security Headers |
| Web Scanning | Nikto, Nuclei, Wapiti, WhatWeb, Robots.txt, CORS Scanner, CMS Scanner |
| Exploitation & Fuzzing | SQLMap, Dalfox, ffuf, Commix, Open Redirect, Arjun, Katana, ParamSpider |
| Auth & Secrets | JWT Scanner, WPScan, Gitleaks |
| Cloud & Enterprise | Cloud Enum, OWASP ZAP |
| Intelligence | CVE Correlation, MITRE ATT&CK Mapping, Risk Scoring |
For a deep dive into the platform's inner workings, troubleshooting guides, the self-healing installer, the redundancy database lifecycle, and instructions on how to add your own custom tools using the new Plugin Registry, please consult the V5.4 USER GUIDE.
The User Guide contains detailed technical documentation covering every aspect of the platform, with copy-paste code examples, beautiful diagrams, and step-by-step troubleshooting guides.
CRITICAL NOTICE: This software is highly proprietary. You are explicitly forbidden from modifying, refactoring, reverse-engineering, or redistributing this code without human consent. By using this software, you accept sole legal responsibility for all activities performed with it. Ensure you have explicit written authorization before scanning any target.
Security Management Platform (SMP) Β© Authorised Personnel Only. All Rights Reserved.
This release resolves every architectural flaw documented in the V5.4 audit. For the full technical details, see USER_GUIDE.md Part 8.
| Change | Details |
|---|---|
| SQLCipher Graceful Fallback | Falls back to plain sqlite3 with a UI warning if SQLCipher is unavailable. In that mode the databases are not encrypted at rest, so treat the warning as a blocker on shared hosts |
| Tool SHA-256 Checksums | All binary downloads verified before execution |
| Redundancy DB Encryption | SQLCipher PRAGMA now applied to redundancy.db too |
| WPScan Docker Fallback | Docker used when Ruby/gem missing |
| Masscan Rootless Setup | `setcap cap_net_raw+eip` on the masscan binary in setup.sh. Note that this lets any local user who can execute that binary open raw sockets |
| Change | Details |
|---|---|
| 60-Minute Watchdog | Hanging plugins auto-fail; pipeline never freezes |
| Deferred Retry Queue | Failed DAG steps retried at 1.5x timeout after main pass |
| Dynamic Plugin Registry | @register_scanner auto-populates all consumers |
| Rate Limiting (Jitter) | Randomised inter-request delays reduce the chance of WAF bans during aggressive parallel scans |
| Universal Proxy Env | All subprocesses inherit HTTP_PROXY/HTTPS_PROXY |
| Wapiti Adaptive Timeout | Scales with endpoint count, no longer fixed at 600s |
| Change | Details |
|---|---|
| Professional Email Templates | Responsive HTML with metadata card (Company, Tester, QA, Max Severity) |
| Cover Page Metadata | Company Name & QA Reviewer injected via SQL JOIN on targets table |
| Report Template Config | Layout constants moved to config/report_template.json |
| Change | Details |
|---|---|
| QA Reviewer Field | New globally configurable field in Settings Dashboard |
| Dynamic Splash Screen | Tool count auto-derived from registry β always accurate |
| Splitter Persistence | Panel sizes saved/restored across sessions |
| Target Soft-Delete | 30-day recovery window instead of permanent deletion |
| API Keys & Proxies UI | Shodan, Censys, GitHub tokens, and HTTP proxy settings |
| Change | Details |
|---|---|
| Resilient Test Suite | test_10 patches via scanners.scan_runner namespace β matches GenericPlugin resolution |
| Dynamic Test Discovery | All tests iterate live registry, not hardcoded lists |
| GitHub Actions CI | verify_smp.py runs on every push and PR |
| Weekly Nuclei Updates | nuclei -update-templates in scheduler |
| Log Rotation | RotatingFileHandler (10MB, 5 backups) enforced |
| Change | Details |
|---|---|
| Proprietary Header Cleanup | Duplicate headers removed from 29+ scanner files |
| Cloud Enum Keywords | Custom per-target keyword lists |
| API / Headless Mode | --api flag for programmatic scan triggering via FastAPI |
