This content originally appeared on DEV Community and was authored by Glenn Rodney
Hey everyone, Kuwguap here.
It’s been a minute (literally just a day or two lol) since we last talked about the journey with RAWPA. The feedback has been amazing, and watching the community engage with the tool has been the most rewarding part of this whole process. RAWPA has gained 30 users, and about 30% of them are active daily. But a question has been nagging at me, keeping me up at night: How can I push this further? How can RAWPA help the cybersecurity community even more?
I kept coming back to one word: Orchestrate.
orchestrate – plan or coordinate the elements of (a situation) to produce a desired effect, especially surreptitiously.
That’s it. That’s the next step. It’s not enough for an AI to just suggest pathways; it needs to coordinate the elements. It needs to be an orchestrator. And from that idea, the next major feature for RAWPA was born: the Pentest Orchestrator.
Not My First Rodeo with Automation
Some of you might know about another tool I built called AAweRT (An Awesome Reconnaissance Tool). It’s a Bash-based framework I created to automate a ton of the initial information-gathering stages.
(For anyone interested, AAweRT is open-source on GitHub, and I’ll be doing a deep-dive on it soon over at my personal blog, Rodney’s Intuition).
AAweRT is great for automated recon, but what I’m building now is on a different level. The Pentest Orchestrator isn’t just a sequence of scripts; it’s a thinking, adaptive agent.
What Makes the RAWPA Orchestrator Different?
This isn’t just AAweRT with a new coat of paint. The Orchestrator is a goal-oriented AI agent that builds upon RAWPA’s neural pathway foundation.
Here’s the breakdown:
- Massive Toolchain: It leverages 19 integrated pentesting tools (and counting!) to conduct a deep and detailed analysis of a target. This isn’t just subdomain enumeration; we’re talking full-spectrum vulnerability scanning and analysis.
- AI-Driven Strategy: This is the game-changer. After running its toolchain, the Orchestrator feeds the findings into its neural network. It cross-references the output with known CVEs, public writeups, and learned attack patterns to build the most effective initial approach to compromise the target. It doesn’t just give you data; it gives you a strategy.
The Current State: It Works… On My Machine
Now, for the classic developer reality check. The Pentest Orchestrator is fully functional and works flawlessly on my local development server. The AI generates its plan, executes the toolchain, analyzes the results, and presents a strategic pathway.
Output:
Starting multi-page scrape of: https://example.com
Scraping: https://example.com
Found 0 internal links
================================================================================
MULTI-PAGE ANALYSIS RESULTS FOR: https://example.com
Pages scraped: 1
================================================================================
Based on the analysis of the provided HTML content from the single scraped page (https://example.com), here is a comprehensive report:
---
Comprehensive Web Scraping & Security Analysis
==
1. COMPANY/SITE DESCRIPTION
--
This website does not represent a commercial company or provide any direct service or product. The content explicitly states its purpose:
• Primary Purpose: The site is an "Example Domain" intended "for use in illustrative examples in documents."
• Usage Guidance: It explicitly permits users to "use this domain in literature without prior coordination or asking for permission."
• Information Source: It provides a link to https://www.iana.org/domains/example for "More information..." which points to the Internet Assigned Numbers Authority (IANA), confirming its role as a reserved domain for examples.
Conclusion: This domain serves purely as a placeholder or an informational page for educational and documentation purposes, as defined by IANA. It is not an active business or service provider.
2. TECHNOLOGY STACK
--
The technology stack for this page is extremely minimal and client-side focused:
• Core Technologies:
* HTML5: Indicated by <!doctype html>.
* CSS3: Used for styling, all implemented via an inline <style> block within the <head> section.
• Frameworks/Libraries: No discernible front-end frameworks (e.g., React, Angular, Vue, jQuery) or CSS frameworks (e.g., Bootstrap, Tailwind CSS) are detected.
• Backend Technologies: No server-side technology can be inferred from the provided client-side HTML. It appears to be a static page.
• Specific Libraries/Tools: None detected.
• Possible Security or Business Flaws Visible in the Code:
* Inline CSS: While not a security flaw, embedding all CSS inline in the HTML (as seen with the <style> tag) is generally poor practice for larger, multi-page websites as it prevents browser caching of stylesheets and increases HTML file size. For a single, static example page, its impact is negligible.
* Given the page's static and illustrative nature, there are no obvious functional or business logic flaws visible from the client-side code.
3. SECURITY ANALYSIS & SENSITIVE DATA
--
The security posture of this specific page is very strong due to its minimalist and static nature.
• Security-Relevant Details:
* No Forms or Authentication Mechanisms: The page contains no input fields, login forms, registration forms, or any other interactive elements that would typically handle user data or authentication.
* No API Endpoints: No fetch calls, XMLHttpRequest, or other JavaScript code that would interact with backend APIs are present.
* Meta Tags: Standard charset="utf-8", Content-type="text/html; charset=utf-8", and viewport meta tags are used.
* External Links: Only one external link is present, pointing to the official IANA website (https://www.iana.org/domains/example).
• Potential Vulnerabilities or Misconfigurations:
* Client-Side Vulnerabilities: Due to the absence of JavaScript, user input fields, and dynamic content, common client-side vulnerabilities like Cross-Site Scripting (XSS) are highly unlikely to originate from this page's content itself.
* Server-Side Vulnerabilities: Cannot be assessed from the provided HTML. However, as it appears to be a static page, the attack surface for server-side vulnerabilities (e.g., SQL Injection, RCE) originating from web application logic is minimal.
* Misconfigurations: No obvious misconfigurations are visible in the HTML.
• CRITICAL: Analysis of Hardcoded API Keys, Tokens, or Credentials:
* NONE FOUND. There are absolutely no hardcoded API keys, authentication tokens, usernames, passwords, email addresses, or any other credentials or sensitive strings present within the provided HTML content.
• Assessment of Security Implications of Exposed Sensitive Data:
* None. Since no sensitive data, credentials, or personally identifiable information (PII) was found exposed within the HTML, there are no security implications stemming from sensitive data exposure on this page.
4. SITE STRUCTURE
--
• Types of Pages Found: Only one page (main_page) was provided, which is a static informational page.
• Content of Pages: The page contains a main heading, two paragraphs explaining its purpose as an example domain, and a single external link to the IANA website for more information.
• How the Site is Organized: Based on the single page, the site organization is extremely simplistic, effectively a single, standalone static HTML file. There are no navigation menus, sitemaps, or complex inter-page relationships evident.
5. SENSITIVE DATA ASSESSMENT
--
• Severity of any Exposed Credentials: N/A (Not Applicable). No credentials or sensitive API keys were found exposed within the HTML content.
• Identify Potential Attack Vectors from Exposed Data: N/A. As no sensitive data was exposed, there are no attack vectors specifically related to exposed data from this page's content.
• Recommend Security Improvements:
* For this specific page and its stated purpose, no critical security improvements related to sensitive data exposure are necessary, as it presents no such data.
* General Best Practices (if this were a larger, dynamic website):
* Separate CSS: For scalability and maintainability, move inline CSS into external .css files.
* Content Security Policy (CSP): Implement a robust CSP header to mitigate potential injection attacks (though less relevant for a static page without scripts).
* HTTPS Enforcement: While the URL shows https, ensuring strict HTTPS enforcement (e.g., HTTP Strict Transport Security - HSTS) would be crucial for any production site to prevent downgrade attacks.
* Server-Side Security: For any actual web application, comprehensive server-side security measures (input validation, secure session management, secure database practices, regular patching) would be paramount.
---
================================================================================
END OF ANALYSIS
================================================================================
The big hurdle right now is infrastructure. RAWPA is currently hosted on Vercel, which is fantastic for serverless applications. However, the Orchestrator needs a persistent Node.js/Express server to manage the long-running tool executions and stateful sessions. That means I need to migrate the backend to a cloud service like DigitalOcean or something similar.
So, while the feature is built, it’s not yet live. Once I conquer the infrastructure challenge, the Pentest Orchestrator will be fully available to all RAWPA users.
How It Works: A Glimpse Under the Hood
For those who love the technical details, here’s the workflow:
- Input: You give the Orchestrator a target (like example.com) and a goal (like “Find vulnerabilities leading to RCE”).
- Planning: The AI generates a dynamic, multi-phase plan, starting with reconnaissance and moving through vulnerability assessment.
- Execution: It autonomously runs tools like subfinder, httpx, and nuclei in sequence. The output of one tool becomes the input for the next.
- Analysis & Adaptation: Here’s the magic. After each step, the AI analyzes the results. If it finds a login panel, it might dynamically decide to prioritize deeper testing there. If it finds a critical CVE, it adjusts its strategy to focus on that vector.
- Reporting: Finally, it compiles the findings, vulnerabilities, and evidence into a comprehensive report.
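The plan, execute, analyze and adapt loop from the steps above, as an added example that is not RAWPA's code. The scope list, the phase names and the stubbed tool output are assumptions; the stubs stand in for subfinder, httpx and nuclei so the block runs offline, and the target is checked against the agreed scope before any phase starts.

```javascript
// Added example: plan -> execute -> analyze -> adapt, with a scope guard.
// Scope list, phase names and stub output are assumptions (constructed data).
const IN_SCOPE = ['example.com'];
const HOST_RE = /^(?=.{1,253}$)([a-z0-9]([a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,}$/;

// Reject anything that is not a plain hostname inside the agreed scope.
function assertInScope(target) {
  const host = String(target).toLowerCase();
  if (!HOST_RE.test(host)) throw new Error(`invalid hostname: ${target}`);
  const ok = IN_SCOPE.some((d) => host === d || host.endsWith(`.${d}`));
  if (!ok) throw new Error(`out of scope: ${host}`);
  return host;
}

// Stub phases standing in for subfinder, httpx and nuclei; each reads the
// shared state and returns the keys it adds.
const PHASES = {
  recon: (s) => ({ hosts: [s.target, `login.${s.target}`] }),
  probe: (s) => ({ pages: s.hosts.map((h) => (
    { host: h, title: h.startsWith('login.') ? 'Sign in' : 'Home' })) }),
  'auth-review': (s) => ({ notes: s.pages
    .filter((p) => /sign in/i.test(p.title))
    .map((p) => `review auth on ${p.host}`) }),
  scan: (s) => ({ findings: s.pages.map((p) => ({ host: p.host, severity: 'info' })) }),
  report: (s) => ({ report: { hosts: s.hosts.length, notes: s.notes || [], findings: s.findings } }),
};

// Adaptation rule: a login panel seen while probing moves auth review to the front.
function adapt(done, state, queue) {
  const sawLogin = done === 'probe' && state.pages.some((p) => /sign in/i.test(p.title));
  return sawLogin && !queue.includes('auth-review') ? ['auth-review', ...queue] : queue;
}

function orchestrate(target) {
  const state = { target: assertInScope(target) };
  let queue = ['recon', 'probe', 'scan', 'report'];
  const trace = [];
  while (queue.length) {
    const phase = queue.shift();
    Object.assign(state, PHASES[phase](state)); // one phase's output feeds the next
    trace.push(phase);
    queue = adapt(phase, state, queue);
  }
  return { trace, report: state.report };
}

console.log(orchestrate('example.com').trace.join(' -> '));
```

The returned trace records the order the phases actually ran in, so a plan change made by the adaptation rule is visible in the report rather than implicit.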
This new feature represents the next evolution of RAWPA—moving from a knowledgeable assistant to an active, intelligent partner in your security assessments.
As always, RAWPA is built for and by the community. If you have ideas, methodologies, or want to contribute, hit up the “Contribute” feature on the RAWPA site or connect with me on LinkedIn.
The journey continues, and I can’t wait to get the Orchestrator into your hands. Stay tuned.