The Ultimate All-in-One Security Research & Exploitation Framework
ProjectDiscovery meets CodeQL meets OffSec-labs, packed into one static binary (< 35 MB)
PolyScope is a revolutionary cybersecurity tool that combines automated research, reconnaissance, exploitation, and reporting into a single powerful binary. Perfect for security researchers, red teamers, and penetration testers who need comprehensive security assessments with minimal setup.
PolyScope is an advanced security framework that automatically:
- 🔬 Researches technology stacks and CVEs by mining OSS projects and vulnerability databases
- 🎯 Scans targets with comprehensive reconnaissance pipelines
- 💥 Generates custom exploits using local AI and rule-based heuristics
- 📊 Correlates findings with research data to identify root causes
- 📝 Creates beautiful reports with actionable mitigation strategies
Think of it as having an entire security team in a single binary that works completely offline after initial setup.
- Mines GitHub repositories for vulnerability patterns
- Builds knowledge graphs linking technologies to CVEs
- Analyzes patch history and security patterns
- Creates searchable vulnerability databases
- Subdomain enumeration with multiple techniques
- Port scanning and service detection
- Technology stack fingerprinting
- Automated vulnerability discovery using Nuclei
- Local LLM integration (CodeLlama 7B) for payload generation
- Template-based exploit creation
- Custom PoC generation in Python and Bash
- Evasion technique suggestions
- Maps live findings to research knowledge graph
- Identifies potential root causes and attack chains
- Suggests prioritized remediation strategies
- Tracks vulnerability lifecycle and patches
- Beautiful Markdown and HTML reports
- Executive summaries with risk scoring
- Technical details with evidence
- Actionable mitigation recommendations
- Blue team replay kits
- Faster reconnaissance with automated tool orchestration
- Custom exploit development without manual coding
- Comprehensive attack surface mapping
- Professional client deliverables
- Vulnerability research automation with pattern discovery
- Knowledge graph construction for technology analysis
- PoC generation for responsible disclosure
- Research documentation with detailed reports
- Target analysis with technology fingerprinting
- Exploit template generation for common vulnerabilities
- Automated scanning with custom nuclei integration
- Finding correlation across multiple targets
- Asset discovery and attack surface monitoring
- Vulnerability assessment with prioritization
- Threat intelligence through research correlation
- Compliance reporting with detailed documentation
# Clone repository
git clone https://github.com/Dr-yato/Polyscope.git
cd Polyscope
# Run installer
./install.sh
# Or build manually
go mod tidy
go build -o polyscope ./cmd/polyscope# Pull and run
docker pull ghcr.io/dr-yato/polyscope:latest
docker run -it --rm ghcr.io/dr-yato/polyscope:latest
# Or build locally
git clone https://github.com/Dr-yato/Polyscope.git
cd Polyscope
docker build -t polyscope .
docker run -it --rm polyscope./polyscope init# Research a technology
./polyscope research --tech laravel
# Scan a target
./polyscope scan --target example.com
# Generate exploits
./polyscope exploit --use graph.db
# Full automated pipeline
./polyscope autopwn --target lab.yamlResearch technology stacks and build knowledge graphs:
# Research specific technologies
./polyscope research --tech "nginx"
./polyscope research --tech "wordpress"
./polyscope research --tech "laravel"
# Research with verbose output
./polyscope research --tech "django" --verboseOutput: Creates graph.db with vulnerability relationships and results/graphs/ with JSON research data.
Comprehensive target scanning and enumeration:
# Basic scan
./polyscope scan --target example.com
# Scan with custom threads and HTML report
./polyscope scan --target example.com --threads 100 --html
# JSON output for automation
./polyscope scan --target 192.168.1.0/24 --json --verboseOutput:
results/scans/- Raw scan dataresults/reports/- Markdown and HTML reports
Generate custom exploits from research data:
# Generate exploits from research graph
./polyscope exploit --use graph.db
# Generate with custom LLM prompt
./polyscope exploit --use graph.db --llm-prompt "Focus on web application vulnerabilities"
# Generate for specific CVE
./polyscope exploit --use graph.db --cve CVE-2023-1234Output:
results/exploits/- Exploit templates (JSON)results/poc/- Ready-to-use PoC scripts (Python/Bash)
Fully automated security assessment:
# Complete pipeline against a target
./polyscope autopwn --target lab.yaml
# Unsafe mode (disable security restrictions)
./polyscope autopwn --target internal.company.com --unsafeOutput: Complete assessment with research, scanning, exploitation, and reporting.
Launch the beautiful terminal UI:
./polyscope tui--verbose, -v- Detailed output--threads, -t- Concurrent operations (default: 50)--timeout- Operation timeout in seconds (default: 30)--json- JSON output format--html- Generate HTML reports--no-color- Disable colored output--unsafe- Disable security restrictions
PolyScope includes a local CodeLlama 7B model for offline exploit generation:
# Custom LLM prompts
./polyscope exploit --use graph.db --llm-prompt "Generate SQL injection payloads for MySQL"
# The LLM enhances exploit templates with:
# - Evasion techniques
# - Alternative payloads
# - Bypass methods
# - Custom attack vectorsExtend PolyScope with custom modules:
# List available plugins
./polyscope list-modules
# Plugins are auto-loaded from plugins/*.so
# Build custom plugins implementing the Module interfacepolyscope/
├── results/
│ ├── graphs/ # Research knowledge graphs
│ ├── scans/ # Raw scan results (JSON)
│ ├── reports/ # Markdown/HTML reports
│ ├── exploits/ # Generated exploit templates
│ └── poc/ # Proof-of-concept scripts
├── assets/
│ ├── models/ # Local LLM models
│ ├── templates/ # Report templates
│ └── nuclei/ # Custom nuclei templates
└── graph.db # Knowledge graph database
- Runs in isolated network namespaces
- Drops privileges automatically
- Firewall rules prevent data exfiltration
- Use
--unsafeonly in controlled environments
- 100% offline after initial setup
- No external API dependencies during scans
- Local LLM for exploit generation
- Cached vulnerability databases
- No telemetry or data collection
- All processing happens locally
- Encrypted knowledge graph storage
- Secure temporary file handling
- OS: Linux (amd64/arm64), macOS (Intel/Apple Silicon)
- Memory: 8GB RAM minimum (16GB recommended)
- Storage: 10GB free space
- Network: Internet for initial setup only
PolyScope automatically installs:
- Go security tools (nuclei, httpx, subfinder, etc.)
- System utilities (nmap, curl, jq)
- Local LLM model (CodeLlama 7B quantized)
PolyScope generates professional security reports:
# PolyScope Security Assessment Report
**Target**: example.com
**Risk Level**: HIGH
**Findings**: 15 vulnerabilities found
## Executive Summary
Security assessment revealed critical SQL injection and XSS vulnerabilities...
## Vulnerabilities Found
### SQL Injection (Critical)
- **Impact**: Complete database compromise possible
- **Recommendation**: Implement parameterized queriesBeautiful web-based reports with:
- 📊 Interactive charts and metrics
- 🎨 Color-coded severity levels
- 📱 Mobile-responsive design
- 🔗 Clickable references and links
Create custom modules implementing the Module interface:
type Module interface {
Name() string
Init(*Config) error
Run(context.Context, interface{}) (interface{}, error)
}# 1. Research target technology stack
./polyscope research --tech "nginx"
# 2. Comprehensive reconnaissance
./polyscope scan --target company.com --html
# 3. Generate custom exploits
./polyscope exploit --use graph.db
# 4. Execute full assessment
./polyscope autopwn --target company.com# Automated recon pipeline
./polyscope scan --target *.bugcrowd.com --threads 200
# Technology-specific research
./polyscope research --tech "wordpress"
./polyscope research --tech "react"
# Generate targeted exploits
./polyscope exploit --use graph.db --target api.example.com# Research emerging technologies
./polyscope research --tech "nextjs"
# Analyze vulnerability patterns
./polyscope research --tech "laravel" --verbose
# Generate research reports
./polyscope scan --target testlab.local --jsonPolyScope is designed for authorized security testing only. Users are responsible for:
- ✅ Obtaining proper authorization before testing
- ✅ Complying with applicable laws and regulations
- ✅ Using the tool ethically and responsibly
- ❌ Never testing systems without explicit permission
The authors are not responsible for misuse of this tool.
| Feature | PolyScope | Traditional Tools |
|---|---|---|
| Setup Time | 5 minutes | Hours/Days |
| Tool Integration | ✅ Built-in | ❌ Manual scripting |
| Offline Operation | ✅ 100% offline | ❌ Requires internet |
| AI Enhancement | ✅ Local LLM | ❌ Manual exploit dev |
| Professional Reports | ✅ Auto-generated | ❌ Manual creation |
| Knowledge Correlation | ✅ Intelligent linking | ❌ Manual analysis |
| Binary Size | < 35 MB | Multiple GB |
- 🐛 Issues: GitHub Issues
- 📧 Contact: root@hunter3.ninja
- 🎓 Training: Available upon request
PolyScope is released under the MIT License. See LICENSE for details.
Created by dr-yato
🌐 Site: hunter3.ninja
📧 Contact: root@hunter3.ninja
🐙 GitHub: @Dr-yato
Happy Hacking! 🔍
"Because security should be simple, powerful, and accessible to everyone."