CASCAVEL.

v2.2.0 β€” Red Team Intelligence Engine

Quantum-grade offensive security framework for demanding Red Teams. Modular, extensible and brutally efficient. Zero tracking. Zero telemetry. Fully auditable code.

OpenSSF Best Practices Python 3.10+ MIT License 85 Plugins CI/CD Hardened SAST Stack
85Security Plugins
14Attack Categories
30+Recon Tools
3Report Formats
2.8KLines of Core
cascavel β€” v2.2.0 β€” zsh
# Full target scan
❯ python3 cascavel.py -t target.com
# List all 85 plugins
❯ python3 cascavel.py --list-plugins
# Check external tools
❯ python3 cascavel.py --check-tools
# CI/CD silent mode with JSON output
❯ python3 cascavel.py -t target.com --quiet --json
⚑ View on GitHub πŸ“– Plugin Docs

Arsenal

Elite capabilities for reconnaissance, exploitation and automated reporting.

πŸ”Œ

85 Security Plugins

14 attack categories covering injection, server-side, auth bypass, protocol-level, API, infrastructure and more. Standardized run(target, ip, ports, banners) interface.

πŸ›°οΈ

30+ Recon Tools

Native integration with Nmap, Subfinder, Amass, Katana, Nuclei, Shodan, Nikto, WHOIS/RDAP, Traceroute and the entire modern OSINT ecosystem.

πŸ–₯️

Cinematic Terminal UX

Cinematic boot sequence with ASCII art fade-in, typewriter effects, Rich progress bars, Live interactive panel and Security Intel tips during scans.

πŸ“Š

Multi-Format Reports

Automatic reports in PDF (ReportLab), Markdown and JSON with findings categorized by severity β€” CRITICAL, HIGH, MEDIUM, LOW, INFO.

πŸ”’

CI/CD Hardened

Armored pipeline: Bandit SAST, CodeQL, Ruff, pip-audit, Semgrep, OpenSSF Scorecard, pre-commit hooks. Pinned dependencies and token permissions.

🧠

Intelligence Engine

ANSI escape sanitizer against terminal injection, graceful shutdown (SIGINT/SIGTERM/SIGPIPE), findings correlation and smart deduplication.

Plugin Categories

85 security plugins organized across 14 specialized attack categories.

CategoryPluginsKey Techniques
πŸ’‰Injection & Code Execution7XSS polyglot, SQLi (time/error/union/blind), SSTI multi-engine, RCE, NoSQL ($gt/$ne/$regex), Log4Shell (12 headers + 5 WAF bypass)
🌐Server-Side Attacks4SSRF (IMDSv2, DNS rebinding, gopher://), XXE OOB exfiltration, LFI wrapper protocols, Path Traversal encoding bypass
πŸ”Authentication & Authorization6JWT none/key confusion/JWKS, OAuth PKCE/state/redirect, CSRF SameSite, IDOR sequential/UUID, Session Fixation
πŸ”„Protocol-Level Attacks4HTTP Smuggling (CL-TE/TE-CL/TE-TE), HTTP/2 desync + HPACK injection, WebSocket CSWSH, gRPC reflection
πŸ›‘οΈDefense Analysis & Bypass7CORS wildcard/null origin, CSP unsafe-inline/eval bypass, Clickjacking, Host Header, Cache Poison, Rate Limit, WAF bypass
🎯API Security4GraphQL introspection/batch/alias overload, API endpoint discovery, version detection, OpenAPI exposure
πŸ’£Advanced Web Attacks6Mass Assignment isAdmin, Race Condition TOCTOU, Prototype Pollution __proto__, Deserialization multi-lang, Open Redirect, CRLF
πŸ—οΈInfrastructure Exposure8Docker 2375/2376, K8s API/etcd/kubelet, Redis unauth RCE, MongoDB no-auth, Elastic/Kibana, CI/CD artifacts, Cloud IMDS
πŸ”Reconnaissance & OSINT11Subdomains CT/DNS brute/zone transfer, DNS deep (12 record types), WHOIS/RDAP, Shodan, Wayback, Email spoof SPF/DKIM/DMARC, Traceroute
πŸ•΅οΈInformation Gathering7Tech fingerprint Wappalyzer-style, JS API key extraction, Param miner, Info disclosure (.env/.git), Secrets scraper regex, Git dumper
🌐Web Scanning7Dir bruteforce wordlist, Nikto integration, Katana deep crawler, HTTP methods (OPTIONS/TRACE/PUT), WordPress, Nuclei templates
☁️Cloud & Storage2S3 bucket public ACL misconfiguration, SAML signature wrapping + assertion injection
πŸ“ŠAnalysis & Profiling5SSL/TLS cert + cipher audit, WAF fingerprint 30+ products, Nmap advanced scripts + OS fingerprint, Auto exploit CVE matching
πŸ”Brute Force & Auth Testing6SSH/FTP/SMB/SMTP brute force, Heartbleed CVE-2014-0160, DNS zone transfer AXFR

Architecture

Designed with defensive security principles at every layer.

🧬

ANSI Sanitizer

Anti-terminal injection: strips OSC/DCS/cursor sequences, preserves SGR colors

⚑

Signal Handling

Graceful shutdown SIGINT/SIGTERM/SIGPIPE with async-signal-safe os.write()

πŸ”Œ

Plugin API

Standard run(target, ip, ports, banners) β†’ dict interface with validated schema

🎬

Cinematic Boot

Fade-in logo with 256-color ramp, TTY detection, pipe/CI fallback

πŸ“¦

Dep Bootstrap

Auto lib check on import, friendly error messages, zero crash

πŸ”

Supply Chain

Version-pinned deps, pip-audit CI, pre-commit hooks, Scorecard 10/10

πŸ“Š

Severity Engine

5 levels β€” CRITICAL πŸ’€ HIGH πŸ”΄ MEDIUM 🟑 LOW πŸ”΅ INFO βšͺ with visual icons

πŸ§ͺ

Security Intel

40+ threat intelligence tips and facts shown during scan waits

Integrations

External tools with native integration for maximum attack surface coverage.

πŸ” Nmap🌐 SubfinderπŸ—ΊοΈ AmassπŸ•·οΈ Katana⚑ NucleiπŸ“‘ ShodanπŸ”’ NiktoπŸ“‹ WHOIS/RDAPπŸ›€οΈ Tracerouteβͺ Wayback MachineπŸ›‘οΈ Bandit SASTπŸ”¬ CodeQL🧠 Semgrep✨ RuffπŸ”Ž pip-auditπŸ“„ ReportLab PDF🎨 Rich TerminalπŸ”€ pyfigletπŸͺ pre-commitπŸ† OpenSSF Scorecard

Security Intel

Integrated intelligence engine β€” 40+ tips and facts displayed during scans in real time.

πŸ’€ FACTHackers compromise 93% of corporate networks in 2 days. Average data breach cost is $4.88M (2024).
πŸ” TIPAlways validate JWT with a fixed algorithm β€” never trust the 'alg' header. None algorithm = total auth bypass.
⚑ FACTLog4Shell (CVE-2021-44228) saw 10M+ exploit attempts per hour. 86% of attacks exploit vulns with available patches.
πŸ›‘οΈ TIPRedis without auth = RCE via CONFIG SET + crontab/SSH key injection. IMDSv2 on AWS prevents SSRF credential theft.
🧬 TIPRace conditions: use single-packet attack to bypass rate limiting. Prototype Pollution in Node.js escalates to RCE via gadget chains.
πŸ“‘ FACTShodan indexes 7+ billion devices. 95% of cloud security incidents are caused by misconfiguration.
πŸ’£ TIPGraphQL batching enables brute force of authenticated queries. Docker --privileged + docker.sock = trivial container escape.
πŸ•·οΈ FACTSolarWinds hack compromised 18,000 organizations via supply chain. iOS zero-days are worth up to $2M on the market.

Quick Install

Setup in 60 seconds. Requires Python 3.10+. Compatible with Linux, macOS and WSL.

# Clone and configure
git clone https://github.com/glferreira-devsecops/Cascavel.git
cd Cascavel
python3 -m venv venv && source venv/bin/activate
pip install -r requirements.txt

# Run
python3 cascavel.py --help
python3 cascavel.py -t target.com

Automated installer available: bash install.sh β€” 15+ environment checks including Python version, venv, external tools, connectivity.
Zero tracking. Zero data collection. Zero telemetry. 100% auditable code. MIT License.

Roadmap

Technical direction β€” open to contributions and community feedback.

v2.2.0 β€” STABLE

βœ… Current

  • 85+ plugins with 2026-grade intelligence
  • JSON, Markdown and PDF reports
  • Cinematic UX with TTY detection
  • --quiet mode for CI/CD pipelines
  • Installer with 15+ edge case checks
  • Full open-source governance
  • OpenSSF Best Practices Badge
v3.0.0 β€” Q4 2026

πŸš€ Next

  • Plugin API v2 with native CVSS scoring
  • SARIF output for IDE integration
  • Official Docker image (ghcr.io)
  • Async plugin engine (3-5x speed)
  • API mode --serve (REST/SOAR)
  • YAML custom scan profiles
  • Plugin test suite with pytest
v4.0.0 β€” 2027

🧠 Future

  • AI-assisted triage with LLM severity
  • Distributed multi-node scanning
  • Compliance mapping OWASP/NIST/PCI-DSS
  • Automatic SBOM generation
  • GitHub App (PR one-click audit)
  • Community plugin marketplace
  • Native man page

Governance & Community

Open-source project with transparent governance, full compliance and community-driven development.

πŸ“‹ Contributing πŸ”’ Security Policy 🀝 Code of Conduct πŸ›οΈ Governance πŸ“ Changelog πŸ—ΊοΈ Roadmap πŸ’¬ Support πŸ“– Citation πŸ‘₯ Authors βš–οΈ MIT License πŸ”Œ Plugin Docs