Four capability areas. Twenty-plus modules. All of them run automatically, on a schedule you configure once.
The defensive pipeline runs on schedule. Assets get discovered automatically, vulnerabilities get correlated against live threat data, and only the findings that actually matter reach your inbox.
Certificate Transparency log sweep + nmap CIDR ping sweep. Configure a domain or IP range once. Horus maps everything reachable from it, including subdomains you forgot existed.
CRUD for domains, IPs, APIs, services. Tag assets as production / internal / third-party. Track last-detected technologies per host. Full scan history per asset.
nmap port + service enumeration, nuclei template execution, header/SSL/TLS analysis. Multi-agent pipeline persists an executive summary per scan.
The Risk Manager agent runs a deterministic SSVC Deployer decision tree. No LLMs, no hallucinations, no per-query cost. Inputs: Exploitation state (KEV-active → active, EPSS > 0.9 → likely), Exposure (public vs internal), Technical Impact (CVSS), Automatable heuristic. Output: Act / Attend / Track* / Track.
A CVSS 9.8 on an internal host with no public exploit → TRACK. An actively exploited 7.5 on a public API → ACT. SSVC reflects real risk, not inflated scores.
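The two cases above, worked through a deterministic decision function. This is an added illustration, not Horus's own code: the input mapping follows the text (KEV-active → active, EPSS > 0.9 → likely, exposure, CVSS-derived impact, automatable flag), but the "none" default, the CVSS ≥ 9.0 impact cut-off and the exact branch layout are assumptions, and the CVE ids are placeholders.

```python
"""Illustrative SSVC-style Deployer decision, added as an example; not Horus's
own code. Branch thresholds below are assumptions chosen to match the text."""
from dataclasses import dataclass


@dataclass
class Finding:
    cve: str
    cvss: float
    in_kev: bool          # present in the CISA KEV catalog
    epss: float           # FIRST EPSS probability, 0..1
    public: bool          # internet-exposed vs internal-only host
    automatable: bool     # heuristic: network vector, no auth, no user interaction


def exploitation(f: Finding) -> str:
    """KEV-active -> active, EPSS > 0.9 -> likely, otherwise none (assumed default)."""
    if f.in_kev:
        return "active"
    if f.epss > 0.9:
        return "likely"
    return "none"


def technical_impact(f: Finding) -> str:
    """Assumed mapping: CVSS >= 9.0 counts as total control, else partial."""
    return "total" if f.cvss >= 9.0 else "partial"


def ssvc_decision(f: Finding) -> str:
    """Deterministic tree returning Act / Attend / Track* / Track. No LLM involved."""
    exp = exploitation(f)
    impact = technical_impact(f)
    if exp == "active":
        return "Act"                      # a KEV match always lands on Act
    if exp == "likely":
        if f.public:
            return "Act" if (f.automatable or impact == "total") else "Attend"
        return "Attend" if impact == "total" else "Track*"
    # no known exploitation: raw severity alone does not escalate an internal host
    if f.public and impact == "total":
        return "Track*"
    return "Track"


# Constructed findings mirroring the two cases in the text (placeholder CVE ids)
INTERNAL_98 = Finding("CVE-0000-0001", 9.8, False, 0.05, public=False, automatable=True)
PUBLIC_KEV_75 = Finding("CVE-0000-0002", 7.5, True, 0.97, public=True, automatable=False)

if __name__ == "__main__":
    for f in (INTERNAL_98, PUBLIC_KEV_75):
        print(f.cve, ssvc_decision(f))
```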
Daily sync of CISA KEV + FIRST EPSS. Re-correlates your persisted software inventory against new entries without re-scanning. Detects EPSS spikes (0.2+ overnight) before KEV publication. Extends to dark web IOC feeds.
Group related findings into tracked cases. Assign owners, set SLA, add timeline notes. Auto-created from SSVC:Act findings. Bidirectional links to findings.
Deterministic risk score per org, snapshotted daily. Stacked area chart by severity. Annotated events (remediations, incidents). Trend line: improving / degrading / stable.
Cron jobs for recurring scans, discovery, CVE intel sync, Watchtower, posture snapshots. Full job execution history. Auto-retry on failure.
Horus doesn't just find vulnerabilities. It argues about them. Red and Blue team AI agents debate each other, simulate attacks, run phishing campaigns and test credential hygiene automatically.
For ambiguous findings (confidence 0.2–0.9, no known exploit): Red Team agent argues why it's a real risk. Blue Team argues why it's a false positive. A Judge LLM weighs both sides, calibrates a confidence score, and delivers a verdict. KEV-active findings skip the debate. They're auto-confirmed. Verdicts are stored: future scans of the same finding inherit the decision without re-debating.
Full adversarial cycles against your live infrastructure. Red Team generates attack findings across multiple categories. Blue Team generates defensive responses. Results feed into the main findings pipeline with SSVC prioritization.
Anonymous aggregation of verdicts across all Horus orgs. k-anonymity guarantee: only published if ≥3 distinct orgs with ≥60% majority. New customers benefit from industry-learned FP suppression from day one.
4-step wizard: configure campaign → select assets for context → add targets → review. PhishingAgent uses your actual asset inventory to craft credible lures. Click tracking via public token URLs.
Simulates credential and MFA/OTP phishing flows. Captures who entered real credentials into a fake login prompt, who completed the fake MFA step. Produces per-employee awareness reports.
Have I Been Pwned domain search for your organization's employees. Breach lookup with karma score (times appeared in public breaches). Sensitive badge for breaches containing passwords or tokens.
The intelligence layer is entirely deterministic. No LLM involved. CVE correlation, SSVC inputs, and Watchtower alerts are all computed from structured data sources, not generated.
338,000+ CVEs from NVD API 2.0. ~25 CPE product alias mappings (Apache → httpd, OpenSSH → openbsd/openssh…). Version normalization: "2.4.41" and "2.4.41-1ubuntu1" treated as equal. No false CVEs. Deterministic only.
CISA KEV catalog synced daily. KEV match = Exploitation:active in SSVC → Act priority guaranteed. KEV findings bypass the Red/Blue debate. They're auto-confirmed.
Exploit Prediction Scoring System from FIRST.org. EPSS > 0.9 → Exploitation:likely in SSVC. Daily score updates. Watchtower detects spikes (0.2+ overnight) before the CVE reaches KEV.
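The correlation and Watchtower behaviour described in the intelligence sections (alias mapping, version normalization, re-correlating a persisted inventory, and the 0.2+ overnight EPSS spike check), as an added example that is not Horus's code. The two alias entries come from the text; the rest of the alias table, the version-suffix rule, the CVE rows, the inventory and the EPSS scores are constructed placeholders.

```python
"""Deterministic CVE correlation over a persisted inventory, added as an
illustration; not Horus's own code. Alias table, CVE rows and scores are constructed."""
import re

# Product alias map: banner/product name -> canonical CPE product. Only the two
# entries named in the text are shown; the real table is larger.
CPE_ALIASES = {"apache": "httpd", "openssh": "openbsd/openssh"}


def normalize_version(v: str) -> str:
    """Keep the upstream dotted version and drop packaging suffixes such as
    '-1ubuntu1' or 'p1' (assumed rule) so distro builds match NVD entries."""
    m = re.match(r"(\d+(?:\.\d+)*)", v.strip())
    return m.group(1) if m else v.strip()


def canonical(product: str) -> str:
    key = product.strip().lower()
    return CPE_ALIASES.get(key, key)


# Constructed CVE index: (canonical product, version) -> CVE ids (placeholders)
CVE_INDEX = {
    ("httpd", "2.4.41"): ["CVE-0000-1111"],
    ("openbsd/openssh", "8.2"): ["CVE-0000-2222"],
}


def correlate(inventory):
    """inventory: iterable of (host, product, raw_version) from an earlier scan.
    Exact-version matches only: a miss is a miss, never a guessed CVE."""
    hits = []
    for host, product, raw in inventory:
        key = (canonical(product), normalize_version(raw))
        for cve in CVE_INDEX.get(key, []):
            hits.append((host, cve))
    return hits


def epss_spikes(yesterday, today, kev, threshold=0.2):
    """Watchtower-style check: CVEs whose EPSS rose by >= threshold overnight
    and are not yet in KEV. Inputs: dicts cve -> score and a set of KEV ids."""
    return sorted(c for c, s in today.items()
                  if s - yesterday.get(c, 0.0) >= threshold and c not in kev)


# Constructed persisted inventory; re-correlated without re-scanning the hosts
INVENTORY = [("web-1", "Apache", "2.4.41-1ubuntu1"),
             ("bastion", "OpenSSH", "8.2p1"),
             ("web-2", "nginx", "1.18.0")]

if __name__ == "__main__":
    print(correlate(INVENTORY))
```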
ThreatFox malware IOC feed + URLhaus malicious URL feed, checked against your domains and IPs daily. Ransomware victim list cross-referenced against your industry. Domain/email dark web search.
The deterministic core (CVE correlation, SSVC, Watchtower, posture) never calls an LLM. When LLM agents run, you choose the data flow: No-cloud (LLM disabled, 100% local/deterministic) · Local model (Ollama/vLLM in your VPC) · Cloud + redacted (hosts/IPs/emails pseudonymized before any prompt, de-pseudonymized in response) · Cloud (no redaction). GDPR and HIPAA ready.
Granular permission policies define exactly what agents can automate. Every action (human or AI) is logged in an append-only audit trail. Compliance-ready out of the box.
Define what agents can do automatically. Conditions: asset_tags, is_internal_only, severity_max. Modes: suggest_only / approval_required / auto. Actions: update_library, apply_firewall_rule, restart_service, rotate_credentials, and more.
Append-only, org-scoped log of every action: user actions, agent decisions, system events. Actor types: user / agent / system. Filter by action, actor, entity. Exportable for regulators.
Invite by email, assign Admin / Analyst / Viewer roles. Admins control everything. Analysts create assets, trigger scans, approve AI suggestions, view findings. Viewers are read-only.
Push findings to where your team already works. Severity-filtered: only send what you configured. KEV-active always notifies regardless of filter. False positives never notify.
Act Now counter (SSVC:Act, pulsing if >0), KEV Exposure, Asset Coverage %, MTTR Critical. 11 toggleable widgets. Posture timeline, top risky assets, recent scans. Personalizes per user via localStorage.
Programmatic access with scoped API keys. Create keys for CI/CD pipelines, automation scripts, or third-party integrations. Revoke without restart. Scoped to the issuing user's role.
The live demo has 30 days of history, real CVE findings, Red/Blue debate transcripts and phishing campaign results.