THE SANDBOXED RECON ENGINE
High-Performance, Sandboxed Infrastructure Mapping at Google Scale.
VisorGraph's engine is built with a reactive Goroutine Worker Pool, moving past the limitations of Python's GIL.
- Scale: Efficiently manages 10,000+ concurrent workers.
- Control: Native Rate Limiting (`-rps`) to prevent IP-banning and WAF triggers.
- Real-time: Emits a JSONL Stream for live graph updates and easy tool-chaining.
VisorGraph is the first open-source recon tool to implement native OCI-compliant sandboxing.
- The Shield: Active probes (TLS, HTTP, L7 handshakes) are programmatically orchestrated through gVisor (`runsc`).
- Zero-Trust Recon: Untrusted discovered endpoints are trapped in a sandboxed "bubble," protecting the researcher from SSRF, malicious callbacks, and exploit payloads.
VisorGraph is integrated directly with the Google Go Vulnerability Database (OSV).
- Precision: Automatically fingerprints Go-based infrastructure (Ollama, vLLM, LocalAI, etc.).
- Intelligence: Performs real-time reachability analysis to identify actually exploitable CVEs in discovered binaries.
| Component | Technology | Role |
|---|---|---|
| Engine | Go 1.22 + Goroutines | High-speed task orchestration |
| Shield | gVisor (runsc) | Native OCI Sandboxing |
| Brain | Google OSV API | Precision Vulnerability Intelligence |
| Map | Pointer-based Graph | Rapid relationship mapping & deduplication |
cmd/visorgraph/ CLI entrypoint
internal/
engine/ Dispatcher + fixed-point loop (goroutine pool + inFlight atomic)
graph/ RWMutex pointer graph — UpsertNode is atomic check+insert
probe/ ProbeFunc registry: ct_logs, tls_clienthello, http_head, ...
vulncheck/ OSV REST API + govulncheck integration
sandbox/ MITM/intercept detection + gVisor runsc OCI harness
exposure/ Rule-based exposure classifier (legacy/mgmt/accidental/intended)
stream/ Thread-safe JSONL encoder
l7/ Raw TCP probe ladder + cloud-provider signature matching
budget/ Hard caps: cost, wallclock, /24, ASN
types/ Seed, Node, Edge, Finding — typed string enums throughout
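The dispatcher's fixed-point loop and the graph's atomic check+insert, as an added illustration that is not the project's own code: a bounded worker pool probes nodes and upserts what it finds, while a single dispatcher owns the pending list and the inFlight count and stops exactly when both are empty. `probe` is a hypothetical stand-in for the ProbeFunc registry (a pure lookup here, where the real probes do network I/O), and the node set is a plain map rather than the project's pointer graph.

```go
package main
import "sync"

// Graph is an RWMutex-guarded node set; Upsert is the atomic check+insert that
// returns only the ids that were absent, so a node is never queued twice.
type Graph struct {
	mu    sync.RWMutex
	nodes map[string]struct{}
}

func (g *Graph) Upsert(ids ...string) (fresh []string) {
	g.mu.Lock()
	defer g.mu.Unlock()
	for _, id := range ids {
		if _, seen := g.nodes[id]; !seen {
			g.nodes[id] = struct{}{}
			fresh = append(fresh, id)
		}
	}
	return fresh
}

// Run is the fixed-point loop: workers probe and upsert, the dispatcher owns
// pending and inFlight, and the run ends exactly when both are empty.
// probe is a hypothetical stand-in for the ProbeFunc registry.
func Run(seeds []string, probe func(string) []string, workers int) int {
	g := &Graph{nodes: map[string]struct{}{}}
	queue, results := make(chan string), make(chan []string)
	var wg sync.WaitGroup
	for i := 0; i < workers; i++ {
		wg.Add(1)
		go func() {
			defer wg.Done()
			for id := range queue {
				results <- g.Upsert(probe(id)...) // never-seen nodes only
			}
		}()
	}
	pending := g.Upsert(seeds...)
	for inFlight := 0; len(pending) > 0 || inFlight > 0; {
		out, next := (chan string)(nil), "" // nil chan: send never fires
		if len(pending) > 0 {
			out, next = queue, pending[0]
		}
		select {
		case out <- next:
			pending, inFlight = pending[1:], inFlight+1
		case fresh := <-results:
			pending, inFlight = append(pending, fresh...), inFlight-1
		}
	}
	close(queue) // every worker is idle here, so the pool just drains
	wg.Wait()
	return len(g.nodes)
}
```

Because discovered nodes are upserted by the worker that found them, two workers reporting the same hostname at the same instant still yield a single queue entry, which is what keeps a cyclic graph (ingress host, parent domain, back to the seed IP) from looping.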
VisorGraph is distributed as a single static binary. No pip install, no venv, zero runtime dependencies.
```sh
# 1. Clone the repository
git clone https://github.com/Nicholas-Kloster/VisorGraph
cd VisorGraph
# 2. Automated Environment Setup (installs gVisor and Go deps)
make setup-deps
# 3. Build the 6.7MB static binary
make build
```

High-Speed Discovery:

```sh
./bin/visorgraph -domain target.com -workers 1000 -rps 50
```

Secure Active Recon (Sandboxed):

```sh
./bin/visorgraph -ip 1.2.3.4 -sandbox-check
```

Real-time Chaining:

```sh
./bin/visorgraph -domain example.com | grep "finding" > findings.jsonl
```

This is what VisorGraph does that a port scanner cannot.
Input: a single IP with no open ports on 80 or 443.

```sh
./bin/visorgraph -ip 34.18.94.178 -no-stream
```

What VisorGraph found:
The Prometheus probe detected an unauthenticated Prometheus instance on :9090. From there, the Prometheus API became a passive oracle — no packets were sent to any internal IP:
```text
[service] 34.18.94.178
service: prometheus 2.22.2
scrape_targets_count: 197
lifecycle_enabled: true ← /-/quit and /-/reload exposed (DoS vector)
k8s_namespaces: ars, ars-v2, ars-core-api-reports, iam, external-secrets,
                falcon-kac, falcon-system, kube-system, monitoring, common
ingress_domains: a112.appranix.net, a112-signin.appranix.net,
                 a112-monitoring.appranix.net, a112-external-hooks.appranix.net
exposure_reason: unauthenticated Prometheus monitoring plane exposed to internet;
                 /-/quit and /-/reload DoS endpoints active;
                 leaks topology of 195 internal endpoints across RFC-1918 space
[domain] a112.appranix.net ← org attributed: Appranix (cloud BCDR vendor)
[domain] a112-signin.appranix.net
[domain] a112-monitoring.appranix.net
[domain] a112-external-hooks.appranix.net
[domain] appranix.net ← discovered via TLS SAN follow-on probe
```
Internal topology leaked without touching a single internal IP:
- K8s API server: 10.30.0.17:443
- 17 GKE nodes across 10.30.0.x + 10.30.15.x; kubelet read-only port 10255 up on all
- Pod network: 10.194.x.x; Istio sidecar mesh + Spring Boot actuators
- Cassandra cluster: 10.21.x.x (separate VPC)
- ZooKeeper: same subnet as Cassandra
- Full container inventory: 60+ named services including multi-cloud discovery workers (AWS/Azure/GCP), IAM, protection controllers, Hazelcast, Redis, PostgreSQL per-service pools
The chain: IP → Prometheus oracle → internal topology + ingress hostnames → TLS follow-on → parent domain → org attribution in a single run.
This is the class of finding that nmap misses entirely. The Prometheus probe runs automatically whenever VisorGraph encounters an IP or domain — no flags needed.
| Flag | Default | Description |
|---|---|---|
| `-ip` | — | Seed IP address |
| `-domain` | — | Seed FQDN |
| `-workers` | 256 | Goroutine pool size |
| `-rps` | 0 (unlimited) | Max requests/sec across all probes |
| `-no-active` | false | Disable active probes (passive-only mode) |
| `-sandbox-check` | false | Detect MITM/intercept before scanning |
| `-no-stream` | false | Suppress JSONL stream; emit only final graph |
VisorGraph was built for security researchers and infrastructure engineers. The native sandboxing is designed to protect the user, but the speed of the engine means you should always respect the Rate Limit and the terms of service of the targets you are analyzing.
MIT License. Built by Nicholas Kloster.
