Skip to content

qinnovates/epic-security-toolbox

BranchesTags

Repository files navigation

                 _                                    _ _         
   ___ _ __ (_) ___       ___  ___  ___ _   _ _ __(_) |_ _   _ 
  / _ \ '_ \| |/ __|____ / __|/ _ \/ __| | | | '__| | __| | | |
 |  __/ |_) | | (_|_____|\__ \  __/ (__| |_| | |  | | |_| |_| |
  \___| .__/|_|\___|     |___/\___|\___|\__,_|_|  |_|\__|\__, |
      |_|                                         toolbox |___/

All-in-one security scanner
Red Team / Blue Team / Purple Team / BCI Threat Modeling / macOS Posture / GRC Compliance
One binary. One interface. Every finding normalized.

divider

What It Does

epic-security replaces a fragmented toolkit of separate scanners with one unified binary. You give it a target — a codebase, a URL, a vendor name, or nothing (for local system audit) — and it figures out what to scan, runs everything, and maps findings to compliance frameworks.

The Problem

Security scanning is fragmented:

  • SAST tools don't talk to your compliance checker
  • Port scanners don't feed into detection rule generators
  • BCI threat models live in a separate world from OWASP
  • macOS posture checks don't map to NIST controls
  • Red team findings don't automatically become blue team detection rules

The Solution

One binary. One interface. Every finding normalized to a unified schema with cross-references to NIST CSF, ISO 27001, SOC2, CIS Benchmarks, MITRE ATT&CK, and QIF TARA.

---

Quick Start

git clone https://github.com/qinnovates/epic-security-toolbox.git
cd epic-security-toolbox
cargo build --release

Install as Claude Code Plugin

# Symlink the plugin into Claude Code's marketplace directory
ln -s "$(pwd)/plugin" ~/.claude/plugins/marketplaces/epic-security-toolbox

# Restart Claude Code or run /reload-plugins
# Then use: /epic scan /path/to/project

As a Claude Code MCP Server

Add to your MCP config (claude_desktop_config.json or similar):

{
  "mcpServers": {
    "epic-security": {
      "command": "/path/to/epic-security-toolbox/target/release/epic-server",
      "env": {
        "EPIC_DATA_DIR": "/path/to/epic-security-toolbox/data"
      }
    }
  }
}

Use Cases

1. "Scan this codebase before I ship"

epic_scan { "target": "/path/to/my/project" }

epic-security detects the language (Rust, Python, JS, Go, Swift), finds dependency files, and auto-runs:

  • SAST (secrets, injection, XSS, command injection, path traversal)
  • Secret scanner (20+ credential patterns: AWS, GCP, GitHub, Stripe, etc.)
  • Dependency CVE scan (checks package.json / Cargo.toml / requirements.txt)
  • Compliance check (SOC2, PCI-DSS, HIPAA, GDPR controls)
  • Code quality (cyclomatic complexity, SOLID violations)

If it detects BCI-related files (.edf, pylsl imports, brainflow), it adds BCI-specific scans automatically.

2. "Assess this web app"

epic_scan { "target": "https://api.example.com" }

Auto-runs:

  • Security headers & TLS analysis (HSTS, CSP, X-Frame-Options, cipher suites)
  • Port scan via nmap (if installed)
  • Vulnerability scan via nuclei templates (if installed)
  • OWASP Top 10 mapping

3. "How secure is my Mac?"

epic_scan {}

No target = local system audit. Runs 13 macOS checks:

  • System Protection: SIP, FileVault, Gatekeeper, AMFI
  • Firewall: enabled, stealth mode
  • Sharing: SSH, Screen Sharing, AirDrop
  • Privacy: Analytics, Siri
  • File Hygiene: .env files, SSH key permissions

4. "Run a purple team exercise on our BCI system"

epic_purple { "target": "bci", "coverage_target": 0.9 }

Runs the closed-loop purple team engine:

  1. Simulate — selects TARA attack techniques applicable to the device
  2. Detect — checks which techniques have documented mitigations
  3. Gap analysis — identifies unmitigated attack surfaces
  4. Harden — generates detection rules and remediation recommendations
  5. Re-test — iterates until coverage target is met

For infrastructure targets, swap "bci" for "infra" to use MITRE ATT&CK instead of TARA.

5. "Evaluate a vendor's security"

epic_vendor_risk { "vendor_name": "Acme Corp" }

Generates a structured risk assessment checklist covering:

  • Security posture (SOC2, ISO 27001, pentest history)
  • Data handling (encryption, retention, DPA)
  • Incident response (IR plan, breach notification timeline)
  • Business continuity (SLA, DR plan, data portability)

If Drata, Vanta, or Secureframe MCP servers are configured, pulls live compliance data.

6. "Map my findings to compliance frameworks"

epic_comply { "findings_json": "[...]", "framework": "nist_csf" }

Takes any set of findings and maps them to:

  • NIST CSF 2.0 (Identify, Protect, Detect, Respond, Recover)
  • ISO 27001 Annex A controls
  • SOC2 Trust Services Criteria
  • CIS Benchmarks

7. "Look up a BCI attack technique"

epic_bci_tara { "query": "signal injection", "search_by": "keyword" }

Searches the TARA catalog (135 BCI attack techniques) with NISS severity scores, dual-use classification, therapeutic analogs, and mitigation recommendations.

8. "Extract IOCs from this incident report"

epic_ioc_extract { "text": "The attacker used 203.0.113.42 to exfiltrate data to evil.example.com..." }

Extracts IPs, domains, URLs, SHA-256/MD5 hashes, and email addresses from any text.

9. "Generate detection rules from my scan results"

epic_detect_rules { "findings_json": "[...]", "format": "sigma" }

Converts red team findings into Sigma or YARA detection rules that blue team can deploy.

10. "Show me what scans would run without executing"

epic_scan { "target": "/path/to/project", "plan_only": true }

Returns the smart scan plan — detected language, dependency files, recommended scanners — without running anything. Review before committing to a full scan.

---

Complete Tool Reference

Tool Module Description
epic_scan smart router Auto-detect target type and run all appropriate scanners. The main entry point.
epic_status server List all registered module tools and external tool availability
epic_module_call server Route a call to any registered module tool by name
epic_audit macshield macOS security posture audit (SIP, FileVault, Gatekeeper, firewall, sharing, privacy, file hygiene)
epic_recon red Attack surface reconnaissance: port scan (nmap), subdomain enum (subfinder), HTTP probe (httpx)
epic_vuln red Vulnerability scanning via Nuclei templates
epic_code_audit red Static analysis (SAST) via Semgrep — OWASP, security patterns
epic_dast red Dynamic app security testing: OWASP ZAP (active scan, spider, fuzz) + sqlmap (SQL injection)
epic_container_scan red Container & IaC: Trivy (images, filesystems, K8s, Terraform) + Checkov (IaC policy)
epic_gitleaks red Deep git history secret scanning via Gitleaks — catches secrets committed and later removed
epic_bci_tara bci Search TARA catalog of 135 BCI attack techniques by ID, keyword, severity, status, or tactic
epic_bci_niss bci Query NISS severity scores for BCI devices or techniques
epic_detect_rules blue Generate Sigma or YARA detection rules from security findings
epic_ioc_extract blue Extract IOCs (IPs, domains, hashes, URLs, emails) from text
epic_purple purple Purple team exercise: simulate attacks, measure detection, gap analysis, hardening recommendations
epic_vendor_risk vendor Third-party vendor risk assessment checklist (bridges to Drata/Vanta/Secureframe if configured)
epic_comply grc Map findings to NIST CSF 2.0, ISO 27001, SOC2, CIS Benchmarks

Scheduled Scanning

epic-security includes a daily remote trigger (epic-security-scan) that automatically:

  • Clones all project repos into a cloud sandbox
  • Runs dependency CVE scans on repos with package.json/Cargo.toml/requirements.txt/go.mod
  • Runs secret scanner and SAST across all repos
  • Compares against previous reports to flag new findings
  • Commits a dated report to reports/daily-scan-YYYY-MM-DD.md
  • Alerts on critical findings

Configure at: https://claude.ai/code/scheduled

---

Architecture

epic-security (2.4 MB binary)
├── epic-server         MCP server (rmcp v1.3, stdio transport)
├── epic-types          Unified finding schema + SecurityModule trait
├── epic-security-layer 7-layer defense stack on every tool call
├── epic-runner         Process execution (deadlock-safe, timeout-enforced)
├── epic-data           TARA/NISS JSON catalog loader
├── smart_scan          Auto-detect target → build scan plan → execute
│
├── mod-macshield       macOS posture (13 checks, 5 categories)
├── mod-bci             BCI threat modeling (TARA lookup, NISS scoring)
├── mod-red             Red team (nmap, nuclei, semgrep, subfinder, httpx)
├── mod-blue            Blue team (Sigma rules, YARA, IOC extraction)
├── mod-purple          Purple team (simulate → detect → gap → harden loop)
├── mod-vendor          Third-party risk (Drata/Vanta/Secureframe bridge)
├── mod-grc             GRC compliance (NIST CSF, ISO 27001, SOC2, CIS)
│
└── scripts/            7 bundled Python scanners (stdlib only)
    ├── security_scanner.py       SAST
    ├── secret_scanner.py         Credential detection
    ├── vulnerability_assessor.py Dependency CVEs
    ├── compliance_checker.py     SOC2/PCI-DSS/HIPAA/GDPR
    ├── threat_modeler.py         STRIDE + DREAD
    ├── web_scanner.py            Headers/TLS/endpoints
    └── code_quality_checker.py   Complexity/SOLID

Security Layer Stack

Every tool call passes through 7 layers (ported from bci-security):

  1. Input validation — length limits, depth limits, unsafe character stripping
  2. Injection detection — 30 trigger phrases, Unicode NFKC normalization
  3. Credential redaction — 10 regex patterns, zero-tolerance
  4. Output sanitization — paths, IPs, internal URLs, env details stripped
  5. Path guard — null byte, traversal, canonicalization, boundary check
  6. Audit logging — structured JSON to stderr, field sizes only
  7. Data integrity — file size limits, data poisoning scan, ReDoS validation

Unified Finding Schema

Every scanner, every module, every check produces findings in one format:

UnifiedFinding {
  id, module, check,
  status (pass/fail/warn/inconclusive),
  severity (info/low/medium/high/critical),
  category, detail, remediation, confidence,
  controls: [NIST CSF, ISO 27001, SOC2, CIS],
  attack_refs: [MITRE ATT&CK technique IDs],
  tara_refs: [QIF TARA technique IDs],
  cvss, niss_vector
}

External Tools (install separately)

epic-security orchestrates these tools when installed. It gracefully degrades if they're missing.

Tool Install Purpose
nmap brew install nmap Port scanning, service detection
nuclei go install github.com/projectdiscovery/nuclei/v3/cmd/nuclei@latest Template-based vuln scanning
semgrep pip install semgrep Static analysis (SAST)
subfinder go install github.com/projectdiscovery/subfinder/v2/cmd/subfinder@latest Subdomain enumeration
httpx go install github.com/projectdiscovery/httpx/cmd/httpx@latest HTTP probing
nikto brew install nikto Web server scanning
yara brew install yara IOC pattern matching
osquery brew install osquery System state queries

GRC Platform Integration

Configure these MCP servers alongside epic-security for live compliance data:

Platform MCP Server
Drata Official — SOC2, ISO 27001, HIPAA, GDPR
Vanta Official — SOC2, ISO 27001, HIPAA
Secureframe Official — SOC2, ISO 27001, CMMC, FedRAMP

Built On

Component Source What We Took
MacShield qinnovates macOS posture checks, scoring algorithm, ProcessRunner pattern
bci-security bci-security 7-layer security stack, TARA catalog, NISS scoring, neuroethics
rmcp MCP org Rust MCP SDK (v1.3.0)

Requirements

  • Rust 1.75+ (build)
  • Python 3.8+ (bundled scanners)
  • macOS 14+ (for MacShield module system checks)
  • External tools are optional — each gracefully degrades if not installed

License

MIT

About

All-in-one security scanner: red team, blue team, purple team, BCI threat modeling, macOS posture, third-party risk, GRC compliance. Single Rust MCP server.

Resources

Readme

Security policy

Security policy
Activity
Custom properties

Stars

0 stars

Watchers

0 watching

Forks

0 forks
Report repository

Releases

No releases published

Packages

 
 
 

Contributors

Languages