
Su1ph3r/ariadne

Ariadne

Takes findings from security tools, builds a graph of how they connect, and produces ranked attack paths with MITRE ATT&CK mappings. Optionally generates operator playbooks with tool commands, OPSEC notes, and detection signatures for each path.

Inputs

Scanners: Nessus, OpenVAS, Qualys, Nuclei, Nmap, Masscan, RustScan, TestSSL, Shodan, Censys

Active Directory (enum): BloodHound, CrackMapExec/NetExec, Certipy, PingCastle, LDAPDomainDump, ADRecon, PlumHound, Grouper2, Enum4linux, SMBMap, windapsearch, ldeep, rpcclient

Active Directory (attack): Impacket, Rubeus, Mimikatz, Kerbrute, Responder, ntlmrelayx, mitm6, Snaffler

C2: Cobalt Strike, Sliver, Havoc, Mythic

Post-exploitation: Seatbelt, SharpUp, Watson, PowerView/SharpView

Recon: Amass, Subfinder, httpx, EyeWitness

Cloud: AzureHound, Metasploit

Correlation: Vinculum (deduplicated, EPSS-enriched findings)

Install

git clone https://github.com/Su1ph3r/ariadne.git && cd ariadne
python3 -m venv .venv && source .venv/bin/activate
pip install -e ".[dev]"

Or with Docker:

docker-compose up -d

Usage

# Ingest scan data and validate files
ariadne analyze ./scan_data/ --dry-run

# Run full analysis with HTML report
ariadne analyze ./scan_data/ --output report --format html

# Enable all features: playbooks, credential sprawl, privesc chaining
ariadne analyze ./scan_data/ --output report --format html --playbook --sprawl --privesc

# Export to JSON
ariadne analyze ./scan_data/ --output results --format json

# Start the web UI
ariadne web --port 8443

API:

# Upload findings
curl -X POST http://localhost:8443/api/ingest/upload \
  -F "files=@nmap_scan.xml" -F "files=@bloodhound_users.json"

# Build graph and generate attack paths
curl -X POST http://localhost:8443/api/analysis/synthesize \
  -H "Content-Type: application/json" \
  -d '{"session_id": "YOUR_SESSION_ID"}'

What it produces

  • Attack paths: Ranked chains from initial access to high-value targets, scored by CVSS, exploit availability, network position, and detection likelihood.
  • Knowledge graph: Unified graph of hosts, services, users, vulnerabilities, and their relationships. Exportable as GraphML or Neo4j Cypher.
  • Operator playbooks: Step-by-step commands (Impacket, CrackMapExec, Certipy, etc.) with prerequisites, OPSEC notes, fallbacks, and detection signatures.
  • MITRE ATT&CK mappings: Automatic technique IDs on every attack step and privilege escalation vector.
  • Credential sprawl maps: Detects credential reuse across hosts and models the blast radius as lateral movement edges in the graph.
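The credential-sprawl bullet above describes reuse detection and blast-radius edges without showing the mechanics. The following is an added example, not Ariadne's own code: it groups constructed credential sightings by credential, emits a directed lateral-movement edge between every pair of hosts that share a credential seen on at least `min_reuse_count` hosts (the same threshold the `sprawl` config section uses), and renders the edges as Neo4j Cypher. The sighting tuple shape, the `LATERAL_MOVEMENT` relationship label and the `Host` node label are assumptions for illustration; the page does not specify Ariadne's graph schema.

```python
"""Added example (not Ariadne's code): credential sprawl -> lateral movement
edges -> Neo4j Cypher. Sighting format and graph labels are assumptions."""
from collections import defaultdict
from itertools import permutations

# Constructed sightings: (credential label, host it was observed on, source).
# Labels carry no hash material so the graph export never stores a secret.
SIGHTINGS = [
    ("svc_backup@corp (NTLM)", "WS01", "lsass dump"),
    ("svc_backup@corp (NTLM)", "FS01", "cached logon"),
    ("svc_backup@corp (NTLM)", "DC01", "local admin group"),
    ("jdoe@corp (NTLM)", "WS01", "lsass dump"),
    ("Administrator@local (NTLM)", "WS02", "SAM"),
    ("Administrator@local (NTLM)", "WS03", "SAM"),
]


def sprawl_edges(sightings, min_reuse_count=2):
    """A credential seen on >= min_reuse_count distinct hosts yields a directed
    edge from each host holding it to every other such host: with the
    credential in hand, any one of them reaches all the others."""
    hosts_by_cred = defaultdict(set)
    for cred, host, _source in sightings:
        hosts_by_cred[cred].add(host)
    edges = []
    for cred, hosts in hosts_by_cred.items():
        if len(hosts) < min_reuse_count:
            continue  # single sighting: no reuse, no sprawl edge
        for src, dst in permutations(sorted(hosts), 2):
            edges.append((src, dst, cred))
    return edges


def blast_radius(edges):
    """Distinct hosts reachable per reused credential."""
    reach = defaultdict(set)
    for src, dst, cred in edges:
        reach[cred].update((src, dst))
    return {cred: len(hosts) for cred, hosts in reach.items()}


def cypher_escape(text):
    """Escape backslash and single quote for a Cypher string literal."""
    return text.replace("\\", "\\\\").replace("'", "\\'")


def to_cypher(edges):
    """One MERGE statement per edge so re-importing is idempotent."""
    lines = []
    for src, dst, cred in edges:
        lines.append(
            f"MERGE (a:Host {{name: '{cypher_escape(src)}'}}) "
            f"MERGE (b:Host {{name: '{cypher_escape(dst)}'}}) "
            f"MERGE (a)-[:LATERAL_MOVEMENT {{credential: '{cypher_escape(cred)}'}}]->(b);"
        )
    return "\n".join(lines)


if __name__ == "__main__":
    found = sprawl_edges(SIGHTINGS, min_reuse_count=2)
    print(blast_radius(found))
    print(to_cypher(found))
```

Raising `min_reuse_count` to 3 keeps only the `svc_backup` edges here, which is the knob to turn when a pair of workstations sharing a local Administrator hash is noise you already know about.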

Configuration

# config.yaml
llm:
  provider: anthropic       # or openai, ollama, lm_studio
  model: claude-sonnet-4-20250514
  api_key: ${ANTHROPIC_API_KEY}
scoring:
  weights:
    cvss: 0.3
    exploit_available: 0.25
    network_position: 0.2
    privilege_required: 0.15
    detection_likelihood: 0.1
  max_path_length: 10
output:
  default_format: html
  max_paths: 20
sprawl:
  enabled: false
  min_reuse_count: 2
privesc:
  enabled: false
  min_confidence: 0.5
web:
  host: 127.0.0.1
  port: 8443

Environment variables use the ARIADNE_ prefix with double-underscore nesting (e.g., ARIADNE_LLM__PROVIDER=anthropic).
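The configuration section and the scoring factors listed under "What it produces" are easiest to understand together. The block below is an added example, not Ariadne's own code: it holds the README's `config.yaml` as a dict (so it runs without PyYAML), applies `ARIADNE_`-prefixed environment overrides with double-underscore nesting and type coercion, expands `${VAR}` secret references, refuses weight sets that no longer sum to 1.0 or an unknown `llm.provider`, and then ranks constructed sample paths using the configured weights, `max_path_length` and `max_paths`. The per-step factor normalisation and the product combination of step scores are an illustrative scoring model; the page does not document Ariadne's actual formula, and the rule that an override may only touch a key that already exists is likewise an assumption.

```python
"""Added example (not Ariadne's code): env overrides + ${VAR} expansion +
validation of a config.yaml-shaped dict, then an illustrative path ranking.
The scoring model below is an assumption, not the project's algorithm."""
import copy

# Mirrors the README's config.yaml, embedded so the example runs offline.
DEFAULT_CONFIG = {
    "llm": {"provider": "anthropic", "model": "claude-sonnet-4-20250514",
            "api_key": "${ANTHROPIC_API_KEY}"},
    "scoring": {"weights": {"cvss": 0.3, "exploit_available": 0.25,
                            "network_position": 0.2, "privilege_required": 0.15,
                            "detection_likelihood": 0.1},
                "max_path_length": 10},
    "output": {"default_format": "html", "max_paths": 20},
    "sprawl": {"enabled": False, "min_reuse_count": 2},
    "privesc": {"enabled": False, "min_confidence": 0.5},
    "web": {"host": "127.0.0.1", "port": 8443},
}
PROVIDERS = {"anthropic", "openai", "ollama", "lm_studio"}  # from the README


def coerce(raw, like):
    """Cast an env string to the type of the value it overrides
    (bool first, because bool is a subclass of int)."""
    if isinstance(like, bool):
        return raw.strip().lower() in {"1", "true", "yes", "on"}
    if isinstance(like, int):
        return int(raw)
    if isinstance(like, float):
        return float(raw)
    return raw


def apply_env(config, env, prefix="ARIADNE_"):
    """ARIADNE_SCORING__WEIGHTS__CVSS=0.4 -> cfg['scoring']['weights']['cvss'].
    Assumption: only existing keys are overridden, so a typo cannot
    silently create a new setting."""
    cfg = copy.deepcopy(config)
    for name, value in env.items():
        if not name.startswith(prefix):
            continue
        *parents, leaf = name[len(prefix):].lower().split("__")
        node = cfg
        for key in parents:
            node = node.get(key) if isinstance(node, dict) else None
        if isinstance(node, dict) and leaf in node:
            node[leaf] = coerce(value, node[leaf])
    return cfg


def expand_secrets(config, env):
    """Replace '${VAR}' values from env; an unset VAR raises instead of
    leaving an empty API key in place."""
    out = {}
    for key, val in config.items():
        if isinstance(val, dict):
            out[key] = expand_secrets(val, env)
        elif isinstance(val, str) and val.startswith("${") and val.endswith("}"):
            var = val[2:-1]
            if var not in env:
                raise KeyError(f"{key} references unset environment variable {var}")
            out[key] = env[var]
        else:
            out[key] = val
    return out


def load_config(env, base=DEFAULT_CONFIG):
    cfg = expand_secrets(apply_env(base, env), env)
    total = sum(cfg["scoring"]["weights"].values())
    if abs(total - 1.0) > 1e-6:  # overriding one weight must be balanced by another
        raise ValueError(f"scoring weights sum to {total:.3f}, expected 1.0")
    if cfg["llm"]["provider"] not in PROVIDERS:
        raise ValueError(f"unknown llm provider {cfg['llm']['provider']!r}")
    return cfg


def step_score(step, weights):
    """Weighted sum of factors normalised to [0, 1], higher = easier for the
    attacker; privilege required and detection likelihood are inverted."""
    factors = {
        "cvss": step["cvss"] / 10.0,
        "exploit_available": 1.0 if step["exploit_available"] else 0.0,
        "network_position": step["network_position"],
        "privilege_required": 1.0 - step["privilege_required"],
        "detection_likelihood": 1.0 - step["detection_likelihood"],
    }
    return sum(weights[name] * value for name, value in factors.items())


def rank_paths(paths, cfg):
    """Drop paths over max_path_length, score each as the product of its
    step scores (every extra step costs something), keep the top max_paths."""
    weights = cfg["scoring"]["weights"]
    ranked = []
    for path in paths:
        if len(path["steps"]) > cfg["scoring"]["max_path_length"]:
            continue
        score = 1.0
        for step in path["steps"]:
            score *= step_score(step, weights)
        ranked.append((path["name"], score))
    ranked.sort(key=lambda item: item[1], reverse=True)
    return ranked[: cfg["output"]["max_paths"]]


# Constructed sample paths, not real scan output.
SAMPLE_PATHS = [
    {"name": "web RCE -> DCSync", "steps": [
        {"cvss": 9.8, "exploit_available": True, "network_position": 1.0,
         "privilege_required": 0.0, "detection_likelihood": 0.4},
        {"cvss": 7.5, "exploit_available": True, "network_position": 0.6,
         "privilege_required": 0.5, "detection_likelihood": 0.7}]},
    {"name": "phish -> local admin", "steps": [
        {"cvss": 5.0, "exploit_available": False, "network_position": 0.2,
         "privilege_required": 0.0, "detection_likelihood": 0.2}]},
]

if __name__ == "__main__":
    config = load_config({"ANTHROPIC_API_KEY": "redacted",
                          "ARIADNE_LLM__PROVIDER": "ollama"})
    for name, score in rank_paths(SAMPLE_PATHS, config):
        print(f"{score:.3f}  {name}")
```

The validation step is the part worth copying: `ARIADNE_SCORING__WEIGHTS__CVSS=0.4` on its own pushes the total to 1.1 and is rejected, while pairing it with `ARIADNE_SCORING__WEIGHTS__DETECTION_LIKELIHOOD=0.0` is accepted, which keeps a half-finished override from quietly inflating every path score.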

Testing

pytest
pytest --cov=ariadne --cov-report=html
ruff check src/ && ruff format --check src/ && mypy src/ariadne/

License

MIT

About

AI-powered attack path synthesizer with cross-tool integration — ingest findings from 45+ tools, build knowledge graphs, and synthesize realistic attack paths with MITRE ATT&CK mappings
