# OpenBash

> Offensive security platform that combines automated cloud-based scanners with certified human-led penetration testing. Operated by ThorCybsec under the motto "Real security. No noise."

OpenBash provides two complementary delivery models:

1. **Self-service automated scans** — cloud-executed reconnaissance, vulnerability and resilience tests, launched from a web dashboard, a REST API, or an interactive ChatGPT assistant. Each scan is a predefined profile of feature flags (Nmap recon, web discovery, crawling, screenshots, WAF detection, DoS simulation, ASV/PCI compliance checks, BurpSuite analysis, etc.).
2. **Managed professional engagements** — manual-first, certified, OWASP/NIST/PTES-aligned penetration tests and resilience exercises delivered by human experts, with reproducible PoCs, executive + technical reports, evidence packs, and a free retest within ≤60 days.

The catalog evolves continuously. Each service has a dedicated technical documentation page under `/docs/` that describes scope, workflow, feature-flag matrix (for automated scans) or methodology, deliverables, timeline and pricing (for managed engagements). The pages below are the authoritative source of truth — when a new service ships, a corresponding `/docs/.html` page is added and referenced from this index.

## For AI agents: structured markdown tree

If you are an LLM or agent runtime (Claude Code, Claude Desktop, Cursor, Zed, DeepSeek, custom MCP/LangChain/OpenAI tool-use clients) and you need to **operate** OpenBash autonomously (not just describe it), use the agent-ready markdown tree under `/llms/`. Each leaf is a self-contained `.md` file with curl-ready examples, JSON shapes, error semantics and integration recipes.

- [/llms/index.md](/llms/index.md) — full tree map and decision guide.
- [/llms/api/overview.md](/llms/api/overview.md) — REST API entry point: base URL, auth model, response envelope.
- [/llms/api/scan-types.md](/llms/api/scan-types.md) — catalog of `scanTypeId` values with credit cost.
- [/llms/services/index.md](/llms/services/index.md) — every service mirrored in agent-friendly markdown.
- [/llms/onboarding/](/llms/onboarding/) — signup, first scan, polling pattern, free tier, contact for managed.
- [/llms/recipes/](/llms/recipes/) — Claude Code, MCP server, LangChain, OpenAI tool-use, GitHub Actions, GitLab CI, curl/Python/Node SDK patterns.

## Automated Cloud Scans (self-service, API + Dashboard)

Cloud-executed scan profiles. Each profile enables a curated subset of OpenBash modules. Triggered via the OpenBash dashboard, the REST API (`scanTypeId`), or the Offensive Scanner GPT. Output: structured findings, screenshots, graphs, executive report, downloadable artifacts.

- [Basic Scan](/docs/basic.html): Fast, stealthy external reconnaissance — Nmap top 10,000 TCP ports, SSL/cipher inspection, web service fingerprinting, leaked-email enumeration, distributed screenshots, WAF and shared-hosting detection. Use for CI/CD pre-deploy hardening, cloud perimeter discovery, quick exposure awareness. `scanTypeId: 1005`.
- [Surface Scan](/docs/surface.html): Full attack-surface mapping from a root domain — passive + active subdomain enumeration (5M-entry dictionary), SSL-cert pivoting, per-subdomain service and technology fingerprinting, distributed screenshots. Use to surface abandoned assets, legacy software, unattended entry points. `scanTypeId: 1000`.
- [Professional Scan](/docs/professional.html): Deep single-host diagnostic — three crawling engines, large discovery dictionaries, rotating proxies, BurpSuite-assisted behavioral analysis, ASV checks. Targets hidden folders, debug files, forgotten interfaces, non-standard ports. `scanTypeId: 1006`.
- [ASV Scan](/docs/asv.html): PCI-DSS-aligned full TCP port scan + vulnerability and misconfiguration detection on a single host. Suitable for compliance and general production vulnerability assessment. `scanTypeId: 1009`.
- [DoS Scan](/docs/dos.html): Controlled application-layer denial-of-service simulation — Slowloris (slow headers), Slow Read, Slow Body (RUDY), Range Header (Apache Killer), plus distributed multi-IP emulation, with parallel passive latency monitoring on ports 80/443. `scanTypeId: 1001`.

## Managed Professional Engagements (human-led, by ThorCybsec)

Certified manual security engagements with formal scoping, rules of engagement, reproducible PoCs, executive + technical reports, and a free retest. Pricing is per engagement; figures below are starting points.

- [Pentest – Certified Manual](/docs/pentest.html): General-purpose penetration test, 80% manual / 20% targeted automation. Covers web, mobile, API (REST/GraphQL/SOAP), infrastructure (on-prem/cloud/hybrid), SAP landscapes, SSO/OAuth/SAML auth flows, admin backends, CI/CD. OWASP / NIST SP 800-115 / PTES aligned. From $1,500.
- [Web Application Pentest](/docs/pentest_web.html): Authenticated web app pentest following OWASP WSTG, aligned with PCI DSS 11.3 and NIST SP 800-115. 5 weekly phases (scoping → blackbox discovery → greybox authenticated testing → exploitation → reporting) + retest ≤60 days. Compliance traceability included.
- [Mobile Application Pentest](/docs/pentest_mobile.html): Android/iOS pentest following OWASP MASVS and MSTG. SAST → DAST + API traffic → OS/device + local storage analysis → reporting. Frida/objection runtime hooks, TLS pinning bypass on test builds, deep-link/IPC review. Retest ≤60 days.
- [DoS / DDoS Simulation (managed)](/docs/pentest_ddos.html): Multi-week coordinated resilience exercise with safety envelope (max RPS/bandwidth caps, abort criteria, real-time war-room). Custom Python attack modules, rotating proxies, WAF/CDN behavior profiling, time-aligned evidence and mitigation playbook. NIST SP 800-115 style execution.
- [Professional DoS Attack Simulation](/docs/dos_pro.html): Expert-led DoS resilience engagement with a "Seek & Destroy" phase targeting high-cost modules (auth, search, reporting, complex filters) via distributed parallelized flows. Application-layer vectors: Slowloris, Slow Read, RUDY, Range Abuse, Targeted API Overload. From $1,200.
- [Professional Attack Surface Analysis](/docs/surface_pro.html): Certified manual mapping of infrastructure, application surface, OSINT exposure, TLS posture and identity exposure. Delivers a prioritized Attack Plan to feed a follow-up pentest. Non-intrusive (no exploitation). From $1,400.

## Annual Programs (Packs)

Recurring offensive-security coverage across 12 numbered periods, mixing baseline compliance scans, scheduled pentests and continuous retests. Designed to replace one-off testing with a year-long security partnership.

- [Offensive Universal Pack](/docs/universal.html): Baseline annual coverage — 1× initial Surface Scan, 4× quarterly ASV, 2× external pentests, 1× internal pentest, 3× retests, year-end executive summary.
- [Pentest Hours Pack 6](/docs/pack6.html): 360-hour flexible bank (~6× 60h pentests), allocatable to any offensive scenario (web/API/mobile/SAP/cloud/internal/DoS/surface). Includes 4× quarterly ASV and a continuous Retest line.
- [Pentest Hours Pack 12](/docs/pack12.html): 720-hour bank (~12× 60h pentests). Same flexible allocation as Pack 6, doubled capacity for larger organizations or higher-frequency programs.

## Developer Platform

Programmatic access for integrating OpenBash into pipelines, security automation, and chat assistants.

- [API – Developers tab](/docs/api.html): Base URL `https://api.openbash.com/v1/` (legacy/community endpoint also exposed at `https://community.api.openbash.com/v1/`). Bearer-token auth (API key from `/account/api`). Primary endpoints: `POST /scans`, `GET /scans/{id}`, `GET /reports/{id}`, `GET /credits`. Credit-based pricing per scan profile.
- [Postman Collection](https://documenter.getpostman.com/view/28842638/2s9Xxtxabr#intro): Full request reference and examples.
- [Offensive Scanner GPT (ChatGPT)](https://chatgpt.com/g/g-oaZfvEKYO-offensive-scanner-gpt): Interactive scan execution from inside ChatGPT — paste your API key and run any scan profile by name with contextual prompts.
- [Full API Documentation](https://docs.openbash.com): Detailed endpoint reference, scan-type catalog, webhooks, scopes.

## Scanning Policy & Identification

OpenBash discloses how its probes behave on the public internet so target operators can identify, attribute or opt out of OpenBash traffic.

- [Scan Policy (machine-readable)](/scan-policy.txt): Operator, engagement model (passive external observation of publicly-served data), User-Agent prefix (`OpenBash-/`), opt-out mechanics, attribution and contact channels.
- [Scan Policy (human-readable)](/scan-policy): Same content formatted for browser reading.
- Abuse / opt-out / impersonation: `abuse@openbash.com` (response within 24h, opt-out applied platform-wide and permanent).
- Commercial / general enquiries: `hello@openbash.com`.

## Public Reports & Sitemap

- [Public Reports Index](/reports/public/): Browseable corpus of public scan reports — useful for sampling output format and depth before purchasing or integrating.
- [Reports Sitemap](/reports/public/sitemap.xml): Machine-readable index of public reports.
- [Site Sitemap](/sitemap.xml): Top-level sitemap index.

## Optional

- [OpenBash Dashboard (web app)](https://www.openbash.com/): Angular SPA — scan launch, live progress, report viewer, account/API management.
- [Account → API Keys](/account/api): Generate, rotate and scope API keys.
- [Contact](/contact): Request a tailored proposal for managed engagements or custom scopes.