CASM – open-source external attack surface monitoring

(github.com)

1 point | by rokhlan 6 hours ago

1 comment

  • rokhlan 6 hours ago

    I built CASM (Continuous Attack Surface Monitoring) to solve attack surface monitoring problems I faced in my work.

    Commercial EASM tools are very expensive and are black boxes. You get dashboards but no evidence trail, no transparency, and no way to verify findings. Manual scripting with dig/curl/nmap works but is time-consuming and error-prone.

    CASM is an open source EASM tool that:
    - Discovers DNS subdomains (passive + active sources)
    - Verifies HTTP security (headers, TLS, redirects)
    - Tracks changes (automatic baseline comparison)
    - Provides evidence (complete audit trail in JSONL)
    - Generates professional reports (PDF, SARIF for integration into CI pipelines, Markdown)

    It's licensed AGPL v3 so you can verify what it does and use it freely.

    For the technical stack, I used Python for orchestration and Go for the scanning tools. It works on Linux/macOS. It's designed to be scriptable and automation-friendly.

    As a DevSecOps engineer, I often needed to answer: "Do we know our complete external attack surface?". I needed something transparent, evidence-based, and accessible. So I built it.

    GitHub: https://github.com/g2cv/casm

    Thank you for taking the time to read this, I hope you'll like it and I'd be happy to answer questions or hear feedback!
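The three capabilities the post lists together (baseline comparison, a JSONL evidence trail, SARIF output for CI) fit in one small script, shown here as an added example that is not CASM's own code and does not use its record format. The scan-record shape, the rule names, the set of required headers and every host, IP and header value are assumptions constructed for the example (addresses are from the RFC 5737 documentation range):

```python
"""Added example, not CASM's own code: baseline comparison of two external
attack-surface scans, a JSONL evidence trail, and a minimal SARIF report.
Every host, IP and header below is constructed sample data."""
import json
from datetime import datetime, timezone

# Constructed sample scans: one record per discovered host, in the shape a
# DNS + HTTP verification pass might emit (the shape itself is an assumption).
BASELINE_SCAN = [
    {"host": "www.example.com", "ip": "203.0.113.10", "tls": True,
     "headers": {"Strict-Transport-Security": "max-age=31536000",
                 "Content-Security-Policy": "default-src 'self'"}},
    {"host": "api.example.com", "ip": "203.0.113.11", "tls": True,
     "headers": {"Strict-Transport-Security": "max-age=31536000"}},
    {"host": "old.example.com", "ip": "203.0.113.12", "tls": False, "headers": {}},
]
CURRENT_SCAN = [
    {"host": "www.example.com", "ip": "203.0.113.10", "tls": True,   # CSP header dropped since baseline
     "headers": {"Strict-Transport-Security": "max-age=31536000"}},
    {"host": "api.example.com", "ip": "203.0.113.11", "tls": True,
     "headers": {"Strict-Transport-Security": "max-age=31536000"}},
    {"host": "staging.example.com", "ip": "203.0.113.20", "tls": False, "headers": {}},  # new, plain HTTP
]

# Headers expected on every HTTPS host (assumed policy); each missing one is a finding.
REQUIRED_HEADERS = ("strict-transport-security", "content-security-policy")


def check_host(record):
    """Return the findings for one host record (an empty list means clean)."""
    url = ("https://" if record["tls"] else "http://") + record["host"] + "/"
    if not record["tls"]:
        return [{"rule": "no-tls", "host": record["host"], "url": url,
                 "message": "host does not serve HTTPS"}]
    present = {name.lower() for name in record["headers"]}  # header names are case-insensitive
    return [{"rule": f"missing-{name}", "host": record["host"], "url": url,
             "message": f"response lacks {name}"}
            for name in REQUIRED_HEADERS if name not in present]


def compare(baseline, current):
    """Diff two scans by host name: hosts that appeared, disappeared, or whose
    finding set got worse (regressed) or better (improved)."""
    base = {r["host"]: r for r in baseline}
    cur = {r["host"]: r for r in current}
    diff = {"new": sorted(cur.keys() - base.keys()),
            "removed": sorted(base.keys() - cur.keys()),
            "regressed": [], "improved": []}
    for host in sorted(cur.keys() & base.keys()):
        before = {f["rule"] for f in check_host(base[host])}
        after = {f["rule"] for f in check_host(cur[host])}
        if after - before:
            diff["regressed"].append(host)
        if before - after:
            diff["improved"].append(host)
    return diff


def evidence_jsonl(current, diff, observed_at=None):
    """One JSON line per host: raw observation, change status and findings kept
    together, so every reported finding is traceable to what was actually seen."""
    observed_at = observed_at or datetime.now(timezone.utc).isoformat()
    lines = []
    for r in current:
        status = ("new" if r["host"] in diff["new"] else
                  "regressed" if r["host"] in diff["regressed"] else
                  "improved" if r["host"] in diff["improved"] else "unchanged")
        lines.append(json.dumps({"observed_at": observed_at, "status": status,
                                 "observation": r, "findings": check_host(r)},
                                sort_keys=True))
    return lines


def sarif_report(current, tool_name="casm-example"):
    """Minimal SARIF 2.1.0 document, one result per finding, in the shape CI
    systems ingest (tool.driver.rules plus results with a location URI)."""
    findings = [f for r in current for f in check_host(r)]
    rules = sorted({f["rule"] for f in findings})
    return {
        "$schema": "https://json.schemastore.org/sarif-2.1.0.json",
        "version": "2.1.0",
        "runs": [{
            "tool": {"driver": {"name": tool_name,
                                "rules": [{"id": r, "shortDescription": {"text": r}} for r in rules]}},
            "results": [{"ruleId": f["rule"], "level": "warning",
                         "message": {"text": f"{f['host']}: {f['message']}"},
                         "locations": [{"physicalLocation": {
                             "artifactLocation": {"uri": f["url"]}}}]}
                        for f in findings],
        }],
    }


if __name__ == "__main__":
    delta = compare(BASELINE_SCAN, CURRENT_SCAN)
    print(json.dumps(delta, indent=2))
    for line in evidence_jsonl(CURRENT_SCAN, delta):
        print(line)
    print(json.dumps(sarif_report(CURRENT_SCAN), indent=2))
```

Run as-is it reports staging.example.com as a new host, old.example.com as removed, and www.example.com as regressed (its CSP header disappeared), while api.example.com is unchanged but still carries its missing-header finding. The evidence lines deliberately embed the full observation rather than only the verdict, which is what lets a reviewer re-check a finding without trusting the tool.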