HawkEye

// workflow

Seven phases. One tool.

Most vuln scanners stop at "here's a finding." HawkEye takes you from raw port to professional report with ATT&CK context and MSF commands at every step.

PHASE 01

Scan Engine

Nmap NSE vuln scripts over five profiles — Quick, Full, Web App, Stealth, Custom. Live output. Auto CVE extraction from script output.

›

PHASE 02

CVE Intelligence

Every CVE ID enriched in real time from NVD API v2 — CVSS score, description, CPE. OWASP Top 10 category. Keyword CVE search built in.

›

PHASE 03

ATT&CK Mapping

Findings automatically mapped to MITRE ATT&CK techniques across all 14 tactics. Coverage heatmap. Metasploit module suggested per finding.

›

PHASE 04

PoC Intelligence

Chain findings into a kill chain. Fetch live ExploitDB PoC code per CVE. Generate MSF resource scripts. Launch msfconsole directly. Python exploit scaffolds pre-filled with target data.

›

PHASE 05

Professional Report

One click → branded HTML report. SVG donut chart, severity grid, ATT&CK coverage table, full findings with MSF commands and remediation steps.

// capabilities

Everything in the loop.

No tab-switching between five different tools. No copy-pasting CVE IDs into NVD. No writing reports by hand.

⚡

Nmap NSE Vuln Scanning

Runs the full nmap vuln script category plus HTTP, SSL, SMB, and service-specific scripts. Parses XML output into structured findings automatically.

200+ NSE scripts

🗄

Live NVD CVE Enrichment

Every CVE extracted from scan output is looked up in real time via NVD API v2. CVSS v3 score, full description, affected CPEs, and references pulled automatically.

NVD API v2

🎯

MITRE ATT&CK Mapping

Findings mapped to ATT&CK techniques across all 14 tactics. Direct CVE→technique map for 30+ high-value CVEs. Keyword fallback for everything else. Click to open MITRE.

STIX-aligned

🔫

Metasploit Module Suggestions

23+ curated CVE→MSF module mappings. One click copies the ready-to-run Metasploit command block. EternalBlue, BlueKeep, ZeroLogon, ProxyLogon, Log4Shell and more.

One-click MSF

⛓

Kill Chain Scenario Builder

Chain findings into an ordered kill chain. Each step shows the MSF command and ATT&CK context. Launch the whole chain in msfconsole with one click.

Kill chain builder

💣

PoC Intelligence

Fetch live ExploitDB PoC code for any CVE. Auto-generate MSF resource scripts (LHOST/LPORT pre-filled). Python3 exploit scaffolds written to disk, ready to customise.

ExploitDB + MSF + Python

🔬

9,000+ Nuclei Templates

Runs the full projectdiscovery/nuclei-templates library natively — no nuclei binary required. CVEs, misconfigurations, exposed panels, default logins, and technology fingerprints.

Auto-sync on launch

📄

Professional HTML Report

Dark-themed, print-ready HTML report. SVG donut chart, per-severity counts, MITRE ATT&CK coverage table, every finding with CVSS, CVE link, MSF, OWASP, and remediation.

PDF-quality output

// mitre att&ck

Know your coverage.

The ATT&CK tab shows which techniques were triggered across all findings — grouped by tactic, counted, and linked directly to MITRE. Know exactly where the attack surface is before you write a word.

Initial
Access
T1190

Execution

T1059

Persistence

—

Priv Esc

T1068

Def Evasion

—

Cred Access

T1003

Discovery

T1083

Lateral Mov

T1210

Collection

—

C2

T1071

Exfil

—

Impact

T1498

Recon

—

Res Dev

—

// phase 4

Report in one click.

Fill in client name, author, and classification. Click Generate. An HTML report opens in your browser — print to PDF or send as-is. Same format your clients expect.

✓ SVG severity donut + per-category counts
✓ MITRE ATT&CK coverage table by tactic
✓ Every finding: CVSS, CVE link, techniques, MSF commands, OWASP, remediation
✓ Classification banner (CONFIDENTIAL, RESTRICTED, etc.)
✓ Auto-opens in browser, print-to-PDF ready

hawkeye-report-1749703200.html

⚠ CONFIDENTIAL ⚠

EXECUTIVE SUMMARY

3

CRITICAL

7

HIGH

12

MEDIUM

4

LOW

MITRE ATT&CK COVERAGE

Initial Access · Execution · Privilege Escalation · Lateral Movement · Credential Access

FINDINGS

CRITICAL · CVE-2021-44228 · Log4Shell on 10.0.1.5:8080

HIGH · CVE-2017-0144 · EternalBlue on 10.0.1.12:445

+24 more findings…

// competitive analysis

Where does HawkEye fit?

Nessus and OpenVAS find network vulnerabilities. Acunetix leads in browser-based web app DAST. Neither gives you automated kill chains, PDF reports, Jira/Slack push, or scan history diffing. HawkEye does all of it — 7 phases, browser-engine DAST (DOM XSS, CSTI, prototype pollution), OOB blind injection, CMS scanning, OSV dependency scanning, JWT/CSRF/LDAP checks, EPSS + CISA KEV enrichment, automated MITRE ATT&CK kill chains, and 9K+ Nuclei templates — in a single operator-grade desktop tool. No subscription. No cloud. Your data stays yours.

Capability	◈ HawkEye	Nessus	OpenVAS	Acunetix	Intruder	Indusface	ManageEngine	SiteLock	Tripwire
Network / infrastructure scanning	✓ Nmap NSE	✓ 185K plugins	✓ 80K NVTs	basic	✓	partial	✓ agent	✗	✓ enterprise
Web app scanning (DAST)	✓ + 9K templates	basic plugins	basic	✓ best-in-class	✓	✓ OWASP	web agent	malware only	✗
JavaScript / SPA scanning	✓ Phase 6 CDP	✗	✗	✓ Chromium	partial	partial	✗	✗	✗
API scanning (OpenAPI / GraphQL)	✓ spec + GraphQL	✗	✗	✓ spec import	partial	partial	✗	✗	✗
Live NVD CVE enrichment (real-time)	✓ NVD API v2	vendor cycle	vendor cycle	web CVEs only	✓	✓	✓	✗	✓
MITRE ATT&CK auto-mapping	✓ 14 tactics	✗	✗	✗	✗	✗	partial	✗	✗
Metasploit module suggestions	✓ per-CVE	✗	✗	✗	✗	✗	✗	✗	✗
ExploitDB PoC fetch + scaffold	✓ live fetch	✗	✗	✗	✗	✗	✗	✗	✗
Kill chain / scenario builder	✓	✗	✗	✗	✗	✗	✗	✗	✗
OWASP Top 10 mapping	✓	partial	✗	✓	partial	✓	✗	✗	✗
Stealth / custom scan profiles	✓ 5 profiles	partial	partial	✗	✗	✗	✗	✗	✗
Professional report (one click)	✓ built-in	✓	✓	✓	✓	✓	✓	basic	✓
Native desktop GUI	✓ Rust/egui	✗ web UI	✗ web UI	✗ SaaS	✗ SaaS	✗ SaaS	✗ web UI	✗ SaaS	✗ web UI
Open source	✓ GitHub	✗	✓	✗	✗	✗	✗	✗	✗
Price	€100/mo	$4,390/yr	Free	$4,995/yr+	$101/mo+	$59/app/mo	$695/yr	$15/mo+	Enterprise

// pricing

Built for operators, priced for operators.

One seat per operator. Licensed per operator year — usage is registered server-side for compliance and audit purposes.

COMMUNITY

Open Source

Free

GitHub — always

Full source code
Scan + CVE lookup + ATT&CK
HTML report generation
Community support (GitHub Issues)

View on GitHub

OPERATOR

HawkEye Pro

^€100

per operator / month

Everything in Community
Priority feature requests
Pre-built binary releases
Email support
Future: PoC interpreter + auto-exploit stubs
Future: continuous scan + delta alerting

Get License

ARSENAL

All 9 Tools

^€499

per operator / month

HawkEye Pro
Email Pentest Sidekick
AD Pentester Sidekick
PrivEsc Pentester Sidekick
InfraScan Pentester Sidekick
CredDump, DFIR, NHH Crack Server

Get Arsenal License

// shipped in v0.7

Phase 6: Browser-Engine DAST — Live

Chromium headless engine with Chrome DevTools Protocol (CDP). Detects vulnerabilities invisible to static HTTP scanners: DOM-based XSS (URL param → dangerous sink, fragment injection), client-side template injection (Angular/Vue/React), prototype pollution via JSON.parse, postMessage origin bypass, open redirects in JS routing, sensitive data in localStorage/sessionStorage, SPA framework dev-mode detection, and dynamic form endpoint discovery.

DOM XSS CSTI (Angular/Vue) Prototype Pollution PostMessage Bypass localStorage PII SPA Forms Discovery

// shipped in v0.8

Phase 7: Exploit Chaining & Report Engine — Live

Automated kill-chain engine with 15+ MITRE ATT&CK patterns. Detects multi-step attack paths from your findings: SQLi→credential dump→pivoting, XSS→session hijack→account takeover, SSRF→cloud metadata→IAM theft, subdomain takeover→phishing, prototype pollution→RCE, and more. Includes remediation priority roadmap (CVSS + EPSS + CISA KEV), scan history with delta comparison, and push integrations for Jira, Linear, Slack, and generic webhooks. One-click PDF export via headless Chromium.

15+ Kill Chain Patterns Remediation Roadmap Scan History & Delta Jira / Linear / Slack PDF Export