+91-9915718004 info@toshiconsulting.com Monday – Friday · 10:00 AM – 6:00 PM IT Park Panchkula, Haryana
Shipped product · Live demo available

Cyber Security

Continuous, automated black-box penetration testing with on-demand reports

  • Multi-tenant ready
  • Production deployed
  • Web + mobile

Overview

Cyber Security (Toshi Pentest Scanner v2.1) is a scheduled, automated penetration-testing pipeline with a login-protected web report viewer, deployed live at pentest.sentinal-ai.in. It runs a multi-stage black-box audit against a configured set of web targets, diffs each run against the previous baseline, and renders a polished HTML and PDF report for every scan.

The service is a single FastAPI application packaged as a hardened Docker container. The stack includes:

  • FastAPI + Uvicorn (Python 3.12) for the API and web viewer
  • httpx as the async HTTP engine for every probe; Jinja2 for report templating; WeasyPrint for paginated A4 PDF output
  • Docker Compose for deployment, with the container bound to the internal Docker bridge so an external scheduler (n8n) can call scan endpoints from the host while the public dashboard sits behind a reverse proxy
  • Cookie-based auth using an env-driven HMAC token

Scans persist to a mounted /data/reports/ volume, so report history survives container restarts. A scheduled run fires on a recurring cadence (every 12 hours on the dashboard), and an operator can also trigger an immediate scan from the dashboard or via the API.

Problem Statement

Traditional penetration tests are point-in-time engagements: expensive, scheduled quarterly or annually, and stale the moment infrastructure changes. Between engagements, infrastructure drifts — a new deploy reintroduces a missing security header, a TLS certificate slides toward expiry, a debug /.env route gets shipped, or a freshly built JS bundle leaks an API key.

Cyber Security was built to close that gap with continuous automated scanning: cheap to run, repeatable, and producing reports a non-specialist can read. The motivation was to give a small portfolio of production sites ongoing, low-cost security regression coverage rather than relying on one-off audits.

The diff-against-baseline model means each report highlights what is new since the last run, turning a scanner into a security-regression tripwire rather than a wall of repeated noise.

Case Study

The scan pipeline

The audit is composed of ten stages, each exposed as its own POST /scan/{stage} endpoint and also runnable together via the composite POST /scan:

  1. recon — DNS A-record resolution plus subdomain enumeration via Certificate Transparency logs (crt.sh)
  2. tls — TLS protocol version and certificate-expiry checks (flags expired, <14-day, and weak TLS 1.0/1.1)
  3. headers — security-header audit (HSTS, CSP, X-Frame-Options, etc.) and Server/X-Powered-By fingerprint leaks
  4. cookies — Set-Cookie flag analysis for missing Secure / HttpOnly / SameSite
  5. methods — HTTP method enumeration, flagging TRACE (XST risk) and other dangerous verbs
  6. js-secrets — fetches /_next/static/ JS chunks and regex-sweeps them for hard-coded credentials and live API keys (OpenAI, Groq, Stripe, AWS, Slack, GitHub, Google)
  7. api-docs — detection of exposed Swagger/OpenAPI/Redoc schemas
  8. paths — sensitive-path disclosure probes (.env, .git/config, SQL dumps, server-status, etc.)
  9. auth-probes — login-endpoint rate-limit and user-enumeration sanity checks
  10. cves — tech-stack fingerprinting (e.g. Next.js build-ID disclosure)

Every stage is pure async Python over httpx — there is no external nmap/nuclei dependency; the scanner implements its own probes. The composite /scan runs all ten stages concurrently with asyncio.gather, then aggregates.
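The shape of two of these stages (headers and cookies) and the asyncio.gather composition can be shown without any network access. The code below is an added example written for this page, not the Toshi Pentest Scanner's own code; the response headers are constructed samples standing in for what the httpx probes would fetch, and the severity assigned to each missing header is an assumption.

```python
import asyncio
from http.cookies import SimpleCookie

# Constructed sample response headers standing in for what the httpx probes
# would fetch from the network, so this example runs offline.
SAMPLE_RESPONSES = {
    "https://hardened.example": {
        "Strict-Transport-Security": "max-age=63072000; includeSubDomains",
        "Content-Security-Policy": "default-src 'self'",
        "X-Frame-Options": "DENY",
        "Set-Cookie": "session=abc123; Path=/; HttpOnly; Secure; SameSite=Lax",
    },
    "https://legacy.example": {
        "Server": "Apache/2.4.29",
        "X-Powered-By": "PHP/7.2",
        "Set-Cookie": "PHPSESSID=xyz789; Path=/",
    },
}

# Header name -> severity to assign when it is absent (severities are assumptions).
REQUIRED_HEADERS = {
    "Strict-Transport-Security": "MEDIUM",
    "Content-Security-Policy": "MEDIUM",
    "X-Frame-Options": "LOW",
    "X-Content-Type-Options": "LOW",
}
FINGERPRINT_HEADERS = ("Server", "X-Powered-By")
SEVERITY_ORDER = ("CRITICAL", "HIGH", "MEDIUM", "LOW", "INFO")


def finding(target, stage, title, severity, evidence=""):
    """One normalized finding; every stage emits the same shape so aggregation is trivial."""
    return {"target": target, "stage": stage, "title": title,
            "severity": severity, "evidence": evidence}


async def stage_headers(target, headers):
    """Flag missing security headers and Server/X-Powered-By fingerprint leaks."""
    lower = {k.lower(): v for k, v in headers.items()}
    out = []
    for name, severity in REQUIRED_HEADERS.items():
        if name.lower() not in lower:
            out.append(finding(target, "headers", f"Missing {name}", severity))
    for name in FINGERPRINT_HEADERS:
        if name.lower() in lower:
            out.append(finding(target, "headers", f"{name} fingerprint leak",
                               "INFO", lower[name.lower()]))
    return out


async def stage_cookies(target, headers):
    """Flag Set-Cookie values lacking Secure / HttpOnly / SameSite."""
    out = []
    raw = headers.get("Set-Cookie")
    if not raw:
        return out
    jar = SimpleCookie()
    jar.load(raw)  # a real response may carry several Set-Cookie headers; load each one
    for name, morsel in jar.items():
        if not morsel["secure"]:
            out.append(finding(target, "cookies", f"Cookie {name} missing Secure", "MEDIUM", raw))
        if not morsel["httponly"]:
            out.append(finding(target, "cookies", f"Cookie {name} missing HttpOnly", "MEDIUM", raw))
        if not morsel["samesite"]:
            out.append(finding(target, "cookies", f"Cookie {name} missing SameSite", "LOW", raw))
    return out


STAGES = (stage_headers, stage_cookies)


async def scan_target(target, headers):
    """Run every stage for one target concurrently and flatten the results."""
    per_stage = await asyncio.gather(*(stage(target, headers) for stage in STAGES))
    return [f for stage_findings in per_stage for f in stage_findings]


async def scan_all(responses):
    per_target = await asyncio.gather(*(scan_target(t, h) for t, h in responses.items()))
    return [f for fs in per_target for f in fs]


def run_scan(responses=SAMPLE_RESPONSES):
    """Synchronous entry point, as the composite POST /scan handler would call it."""
    return asyncio.run(scan_all(responses))


def severity_breakdown(findings):
    """Counts per severity in report order (CRITICAL -> INFO)."""
    counts = {s: 0 for s in SEVERITY_ORDER}
    for f in findings:
        counts[f["severity"]] += 1
    return counts


if __name__ == "__main__":
    results = run_scan()
    for f in sorted(results, key=lambda f: (f["target"], SEVERITY_ORDER.index(f["severity"]))):
        print(f"{f['severity']:<8} {f['target']} [{f['stage']}] {f['title']}")
    print(severity_breakdown(results))
```

Each stage returns the same finding shape, which is what lets the composite endpoint gather all stages and hand one flat list to the report aggregator. Header lookups are case-insensitive because HTTP header names are, and the cookie stage parses with the standard library's SimpleCookie rather than string matching, so a flag placed in any position is recognised.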

Scheduling & auth

Targets default to a configurable DEFAULT_TARGETS env list. A recurring scheduled run drives the pipeline, and POST /scan/run-now lets an operator kick off a scan from the dashboard. UI routes are gated by HTTP middleware with HMAC-SHA256 cookie auth (HttpOnly, Secure, SameSite=Lax); scan API and health probes bypass auth so the internal scheduler can reach them without a session.
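An HMAC-SHA256 session cookie of the kind described above can be implemented in a few lines of standard-library Python. The following is an added example for this page, not the scanner's own middleware; the AUTH_SECRET variable name, the 12-hour lifetime and the list of routes that bypass auth are assumptions. Note that the bypass for scan and health routes is only safe because, as the Overview states, those endpoints are reachable on the internal Docker bridge rather than through the public reverse proxy.

```python
import hashlib
import hmac
import os
import time

# Hypothetical env var name; the fallback value is constructed for offline runs
# and must never be used in a deployment.
SECRET = os.environ.get("AUTH_SECRET", "constructed-demo-secret-change-me").encode()
COOKIE_NAME = "session"
TTL_SECONDS = 12 * 3600                  # assumed session lifetime
PUBLIC_PREFIXES = ("/scan", "/health")   # routes the scheduler reaches without a session


def sign_session(username, secret=SECRET, now=None):
    """Issue 'username:issued_at:hexmac'. The MAC covers both fields, so neither
    the identity nor the timestamp can be altered without the secret."""
    issued = int(now if now is not None else time.time())
    payload = f"{username}:{issued}"
    tag = hmac.new(secret, payload.encode(), hashlib.sha256).hexdigest()
    return f"{payload}:{tag}"


def verify_session(token, secret=SECRET, now=None, ttl=TTL_SECONDS):
    """Return the username for a valid, unexpired token, otherwise None."""
    try:
        username, issued_str, tag = token.rsplit(":", 2)
        issued = int(issued_str)
    except (ValueError, AttributeError):
        return None
    expected = hmac.new(secret, f"{username}:{issued}".encode(), hashlib.sha256).hexdigest()
    # compare_digest avoids leaking the position of the first mismatching byte
    if not hmac.compare_digest(expected, tag):
        return None
    current = now if now is not None else time.time()
    if current - issued > ttl or issued > current + 60:   # expired, or clock skew beyond 60 s
        return None
    return username


def session_cookie_header(token):
    """Set-Cookie value carrying the flags the page lists: HttpOnly, Secure, SameSite=Lax."""
    return f"{COOKIE_NAME}={token}; Path=/; HttpOnly; Secure; SameSite=Lax"


def authorize(path, cookies, secret=SECRET, now=None):
    """Middleware decision: scan API and health probes bypass auth, every UI route needs a valid cookie."""
    if path.startswith(PUBLIC_PREFIXES):
        return True
    return verify_session(cookies.get(COOKIE_NAME, ""), secret, now) is not None


if __name__ == "__main__":
    tok = sign_session("analyst")
    print(session_cookie_header(tok))
    tampered = tok.replace("analyst", "admin", 1)
    print(authorize("/", {COOKIE_NAME: tok}), authorize("/", {COOKIE_NAME: tampered}))
```

Two details matter in practice: the comparison uses hmac.compare_digest so a forged tag cannot be refined byte by byte from timing, and the issue timestamp is inside the signed payload so a captured cookie stops working after the lifetime rather than forever.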

Report generation & dashboard

Each aggregate diffs current findings against a persisted last-findings.json baseline to compute new and resolved counts. Reports group findings by target and severity (CRITICAL→INFO), rendered as HTML via Jinja2 and PDF via WeasyPrint under /data/reports/. The dashboard lists every stored report with date, target count, severity breakdown, and new/resolved deltas.
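The baseline diff is what turns the scanner into a regression tripwire, so it is worth seeing how the new/resolved counts fall out. The code below is an added example for this page, not the product's own aggregator; the two finding lists are constructed sample data, and the choice to identify a finding by target, stage and title (ignoring evidence) is an assumption about what should count as "the same issue" between runs.

```python
import json
from pathlib import Path

SEVERITY_ORDER = ("CRITICAL", "HIGH", "MEDIUM", "LOW", "INFO")

# Constructed sample data: what the previous run persisted, and what this run found.
PREVIOUS_RUN = [
    {"target": "https://shop.example", "stage": "headers", "title": "Missing Strict-Transport-Security",
     "severity": "MEDIUM", "evidence": ""},
    {"target": "https://shop.example", "stage": "headers", "title": "X-Powered-By fingerprint leak",
     "severity": "INFO", "evidence": "Express"},
]
CURRENT_RUN = [
    {"target": "https://shop.example", "stage": "headers", "title": "Missing Strict-Transport-Security",
     "severity": "MEDIUM", "evidence": ""},
    {"target": "https://shop.example", "stage": "paths", "title": "Sensitive path exposed: /.env",
     "severity": "CRITICAL", "evidence": "HTTP 200, 412 bytes"},
]


def finding_key(f):
    """Identity of a finding across runs: target, stage and title. Evidence is left out
    on purpose, since a changing byte count or header value must not look like a new issue."""
    return (f["target"], f["stage"], f["title"])


def diff_findings(current, previous):
    """Split the current run into new, resolved (present last time, gone now) and unchanged."""
    cur = {finding_key(f): f for f in current}
    prev = {finding_key(f): f for f in previous}
    return {
        "new": [cur[k] for k in cur if k not in prev],
        "resolved": [prev[k] for k in prev if k not in cur],
        "unchanged": [cur[k] for k in cur if k in prev],
    }


def group_for_report(findings):
    """target -> severity -> findings, with severities in CRITICAL..INFO order so a
    Jinja2 template can simply iterate the dict."""
    grouped = {}
    for f in findings:
        grouped.setdefault(f["target"], {s: [] for s in SEVERITY_ORDER})[f["severity"]].append(f)
    return grouped


def load_baseline(path):
    p = Path(path)
    return json.loads(p.read_text()) if p.exists() else []   # first run: empty baseline, everything is new


def aggregate(current, baseline_path):
    """Diff against the persisted baseline, then overwrite it so the next run diffs against this one."""
    delta = diff_findings(current, load_baseline(baseline_path))
    Path(baseline_path).write_text(json.dumps(current, indent=2))
    return {
        "new": len(delta["new"]),
        "resolved": len(delta["resolved"]),
        "grouped": group_for_report(current),
        "delta": delta,
    }


if __name__ == "__main__":
    import tempfile
    with tempfile.TemporaryDirectory() as tmp:
        baseline = Path(tmp) / "last-findings.json"
        baseline.write_text(json.dumps(PREVIOUS_RUN))
        summary = aggregate(CURRENT_RUN, baseline)
        print(f"new={summary['new']} resolved={summary['resolved']}")
        for f in summary["delta"]["new"]:
            print("NEW     ", f["severity"], f["title"])
        for f in summary["delta"]["resolved"]:
            print("RESOLVED", f["severity"], f["title"])
```

On the sample data the run reports one new CRITICAL finding (the exposed .env) and one resolved INFO finding (the fingerprint header is gone), while the unchanged HSTS gap is counted but not re-announced. Writing the baseline only after the diff has been computed keeps the two steps from ever seeing a half-written file if the process is interrupted.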

Hardening

Following an earlier incident, the container runs as a non-root user with cap_drop: ALL, no-new-privileges, noexec tmpfs, and strict memory/PID limits.

Screenshots

Secure login screen for pentest dashboard
Role-based authentication for security analysts and administrators.
Scan dashboard with report history
Central dashboard listing completed scans and downloadable reports.
Generated penetration test report
Structured pentest findings with severity, evidence, and remediation guidance.

Interested in Cyber Security?

Talk to our team about deployment, customization, or a demo for your organization.