
Introduction

Fleetfolio — an operational security platform combining penetration testing and threat exposure management into a continuous, compliance-ready workflow.

Fleetfolio

Fleetfolio is a specialized service layer inside the broader Opsfolio and Opsfolio Compliance-as-a-Service (CaaS) ecosystem. It is built for organizations that need a repeatable, evidence-driven approach to discovering, evaluating, and remediating their external-facing digital assets — compressing traditional penetration testing timelines from weeks to hours, while producing audit-ready evidence at every step.

Fleetfolio is built around two tightly integrated capabilities:

  • Fleetfolio Pentest: the technical assessment engine. Containerized, portable, and schedulable, it runs structured penetration testing and asset discovery workflows using 34+ open-source tools.
  • Fleetfolio Threat Exposure: the reporting, dashboards, and communications layer. It turns raw findings into real-time dashboards, actionable workflows, and executive insights.

Together they form the foundation for continuous threat exposure management, accessible both to non-technical users who run assessments and to security professionals who interpret, validate, and act on the results.

Both feed directly into Opsfolio CaaS POA&M workflows, so every vulnerability is traceable, actionable, and tied to compliance obligations.


Fleetfolio Pentest

Fleetfolio Pentest is the core assessment capability of the platform. It provides a reusable, auditable, and compliance-aligned engine for discovering, evaluating, and documenting external-facing enterprise assets — running continuously or on-demand without significant operational overhead.

What Makes It Different

  • Usable by non-specialists: Users without a security background can trigger assessments. Security professionals then review, validate, and interpret the results, with automated report generation reducing manual effort and transcription error.
  • Fast: Traditional penetration testing can take weeks. Fleetfolio reduces this to hours while still producing comprehensive, structured outputs.
  • Portable: Docker-based deployment means it runs anywhere — on-premises, in CI/CD pipelines, or scheduled via cron jobs.
  • Open and extensible: Leverages 34+ open-source security tools, reducing dependency on expensive proprietary solutions. Results from third-party or paid tools can also be imported and unified in the same dashboard.

How It Works

Deploy the container

  • Based on kalilinux/kali-last-release:latest with the Spry runbook installed.
  • Mounts results/ under the current working directory (/{pwd}/results) as the working evidence directory, so artifacts persist on the host after the container exits.

Configure targets

  • Provide domains, IP ranges, and key URLs/APIs via environment variables.
  • Set exclusions so the run stays within the customer's scoping and authorization boundaries.

Run the assessment

  • A pre-configured Spry runbook (eaa-pentest-lite.spry.md) orchestrates a sequence of lightweight, authorized tests.
  • Outputs are generated consistently under /{pwd}/results/<timestamp>/<tool>/… in JSON, JSONL, XML, or text formats.

Review artifacts

  • Each run generates a SQLite database consolidating all findings.
  • Results are visualized through the Surveilr web UI for easy analysis and decision-making.
  • Analysts can also directly inspect structured outputs or feed them into the Fleetfolio reporting pipeline.
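The four steps above as one runnable wrapper script. This is an added example, not part of Fleetfolio or Spry: it gates the run on a scope file (the authorization boundary from the configure step), creates the timestamped evidence directory, and starts the container with that directory mounted. The image tag and the results/<timestamp>/ layout come from this page; the variable names FLEETFOLIO_TARGETS and FLEETFOLIO_EXCLUDES, the in-container path /results, and the docker flags are assumptions for illustration.

```shell
#!/bin/sh
# run-pentest.sh: added example wrapper for one scope-checked Fleetfolio Pentest run.
# Not part of Fleetfolio or Spry. From the page: the image tag and the
# results/<timestamp>/ layout. Assumed for illustration: the variables
# FLEETFOLIO_TARGETS and FLEETFOLIO_EXCLUDES, the container path /results,
# and the docker flags.
set -eu

IMAGE="${IMAGE:-kalilinux/kali-last-release:latest}"
RESULTS_ROOT="${RESULTS_ROOT:-$(pwd)/results}"

# Timestamp in the same shape as the results directories, e.g. 2026-03-04T10-20-10.
run_stamp() { date -u +%Y-%m-%dT%H-%M-%S; }

# Authorization gate: every requested target must appear verbatim in the
# scope file (one host or CIDR per line, '#' comments allowed).
# Returns 1 if any target is unlisted, so a scheduled run aborts instead of
# scanning something the customer never authorized.
check_scope() {
    scope_file=$1; shift
    rc=0
    for target in "$@"; do
        if ! grep -v '^#' "$scope_file" | grep -qxF -- "$target"; then
            echo "not in authorized scope: $target" >&2
            rc=1
        fi
    done
    return $rc
}

# Create results/<timestamp>/, then start the container with that directory
# mounted as its evidence directory. DRY_RUN=1 prints the command instead.
main() {
    scope_file=$1; shift
    [ "$#" -gt 0 ] || { echo "usage: $0 scope.txt target..." >&2; return 2; }
    check_scope "$scope_file" "$@"
    run_dir="$RESULTS_ROOT/$(run_stamp)"
    mkdir -p "$run_dir"
    targets=$(printf '%s,' "$@"); targets=${targets%,}
    set -- docker run --rm \
        -v "$run_dir:/results" \
        -e "FLEETFOLIO_TARGETS=$targets" \
        -e "FLEETFOLIO_EXCLUDES=${FLEETFOLIO_EXCLUDES:-}" \
        "$IMAGE"
    if [ "${DRY_RUN:-0}" = 1 ]; then printf '%s ' "$@"; echo; else "$@"; fi
}

# Usage:  ./run-pentest.sh scope.txt www.example.com api.example.com
# Nightly unattended run from cron (02:00 UTC):
#   0 2 * * * /opt/fleetfolio/run-pentest.sh /opt/fleetfolio/scope.txt www.example.com
if [ "$#" -gt 0 ]; then main "$@"; fi
```

Run it as ./run-pentest.sh scope.txt www.example.com api.example.com. With DRY_RUN=1 it prints the docker command it would execute, which is the quickest way to confirm the mount and target list before handing the script to cron; the cron line in the comment gives the unattended nightly schedule.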

Result Structure

Every assessment produces a consistent, timestamped directory of artifacts:

results/
├── 2026-03-04T10-20-10/
│   └── *.sqlite.db
├── 2026-03-04T11-05-30/
│   └── *.sqlite.db

Each run generates a SQLite database storing all findings, which powers visual dashboards via the Surveilr web UI. External findings from paid or open-source tools can be imported by placing outputs in markdown, JSON, JSONL, or TXT format into a timestamped folder and regenerating the database — no complex pipelines required.

Why use Fleetfolio Pentest?

  • Consistent structure: Every run produces predictable artifacts, making it easy to compare results over time.
  • Audit-ready: JSON/JSONL-first evidence formats are machine-readable and correlatable across tools, and are stored with timestamps for traceability.
  • Schedulable: Supports cron-based scheduling for continuous, unattended security assessments.
  • Import-friendly: Bring in findings from third-party tools by dropping them into a timestamped folder; Fleetfolio handles the rest.
  • Compliance fit: Findings feed directly into Opsfolio CaaS, linking evidence to compliance controls and POA&M workflows.

Operating assumptions and caveats

  • Scope authorization: Fleetfolio Pentest treats every provided target as explicitly authorized for testing by the customer. Verify scope before each run, since the runbook takes the target list at face value.
  • Lightweight by default: The included runbook runs "lite" tests suited to continuous assessment. Deeper scans should be handled by specialized teams.
  • Artifacts are evidence, not conclusions: Raw outputs require analyst interpretation, triage, and prioritization before they are reported as vulnerabilities.
  • Performance controls: Apply rate limiting, exclusions, and scheduling deliberately to avoid unintended impact on production systems.

Assessment Tools

The Spry runbook (fleetfolio-eaa-pentest-lite.spry.md) orchestrates 34+ tools. The tools included in the lite runbook are listed below; each entry gives the tool, the format of the artifact it writes, and what to review in that artifact:

  1. Subfinder → JSONL — Discovered subdomains and the source each came from.
  2. dnsx → JSONL — DNS resolution results. Confirm live hosts and prune subdomains that no longer resolve.
  3. httpx → JSONL — HTTP probing. Identify live web services, technologies, and response metadata.
  4. WhatWeb → JSON — Web technology fingerprinting. Review CMS, frameworks, and server components.
  5. Naabu → JSONL — Fast port scan results. Feed into Nmap for deeper service enumeration.
  6. Nmap (+ xq) → XML + JSON — Service and version detection. Use for attack surface and exposure mapping.
  7. OpenSSL → text — Raw certificate details. Review expiry, issuer, and certificate chain issues.
  8. Nuclei → JSONL — Template-based vulnerability findings. Sort by severity and validate high-impact issues before reporting them.
  9. Katana (optional) → JSONL — Crawled endpoints. Look for hidden APIs, admin paths, and sensitive resources.
  10. Dirsearch → JSON — Discovered directories and files. Review response codes for exposed paths.
  11. wafw00f → text — Detected WAFs. Note which hosts are fronted by a WAF before interpreting the other scanners' results.
  12. Testssl → JSON — TLS configuration analysis. Identify weak ciphers, protocols, and compliance gaps.
  13. sqlmap → text — SQL injection findings. Confirm each candidate manually; automated detections are not proof.
  14. Subzy → text — Subdomain takeover candidates. Check whether the dangling target can actually be claimed.
  15. Corsy → text — CORS misconfiguration analysis.
  16. Nikto → text — Web server misconfigurations and outdated components.
  17. WPScan → JSON — WordPress core, plugin, and theme vulnerabilities.
  18. RustScan → text — High-speed port discovery.
  19. Amass → text — Comprehensive subdomain and DNS discovery.
  20. DNSEnum → XML — DNS record enumeration and AXFR attempts.
  21. TheHarvester → JSON — OSINT data (emails, hosts, subdomains).
  22. Paramspider → text — URL parameters for injection testing.
  23. Ghauri → text — Advanced SQL injection detection.
  24. cdncheck → JSONL — CDN identification. Look for exposed origin IPs.
  25. ffuf → JSON — Fuzzing results for endpoints and parameters.
  26. Dalfox → JSONL — XSS findings and reflection points.
  27. SSLyze → JSON — SSL/TLS posture assessment.
  28. SMTP-User-Enum → text — SMTP user enumeration.
  29. Fierce → text — DNS reconnaissance.
  30. VirusTotal → JSON — Domain and file intelligence.
  31. VulnAPI → text — API security findings.
  32. Commix → text — Command injection testing.
  33. WAF-Bypass → text — WAF evasion attempts.
  34. Trivy → text — Vulnerabilities in code, dependencies, images, and IaC.
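The consolidation described under Result Structure (one SQLite database per timestamped folder, regenerated whenever new output is dropped in) and the per-tool JSONL artifacts listed above, as an added example. This is not Surveilr's ingestion code: it rebuilds a per-run SQLite database from every <tool>/*.jsonl under a run folder and then runs two of the triage checks the list suggests, pruning subfinder hosts that dnsx never resolved and ranking nuclei findings by severity. The table schema, the sample records (constructed here and shaped like subfinder, dnsx, httpx, and nuclei JSONL), and the temporary results root are assumptions.

```python
"""Rebuild a per-run findings database from results/<timestamp>/<tool>/*.jsonl.

Added example, not Fleetfolio or Surveilr code. The schema, the sample
records (constructed here, shaped like subfinder/dnsx/httpx/nuclei JSONL)
and the temporary results root are assumptions.
"""
import json
import sqlite3
import tempfile
from pathlib import Path

SEVERITY_RANK = {"critical": 0, "high": 1, "medium": 2, "low": 3, "info": 4, "unknown": 5}
DB_NAME = "findings.sqlite.db"

# Constructed sample run: one list of records per <tool>/<file>.jsonl.
SAMPLE_RUN = {
    "subfinder/subdomains.jsonl": [
        {"host": "www.example.com", "source": "crtsh"},
        {"host": "old.example.com", "source": "crtsh"},
        {"host": "api.example.com", "source": "hackertarget"},
    ],
    "dnsx/resolved.jsonl": [
        {"host": "www.example.com", "a": ["203.0.113.10"]},
        {"host": "api.example.com", "a": ["203.0.113.11"]},
    ],
    "httpx/probe.jsonl": [
        {"host": "www.example.com", "status_code": 200, "tech": ["nginx"]},
        {"host": "api.example.com", "status_code": 401, "tech": ["Express"]},
    ],
    "nuclei/findings.jsonl": [
        {"host": "api.example.com", "template-id": "cors-misconfig",
         "info": {"severity": "medium"}, "matched-at": "https://api.example.com/"},
        {"host": "www.example.com", "template-id": "tls-version",
         "info": {"severity": "low"}, "matched-at": "www.example.com:443"},
        {"host": "www.example.com", "template-id": "exposed-admin-panel",
         "info": {"severity": "high"}, "matched-at": "https://www.example.com/admin"},
    ],
}


def write_sample_run(root, run_ts):
    """Lay out the constructed records as a results/<run_ts>/<tool>/ tree."""
    run_dir = Path(root) / run_ts
    for rel, records in SAMPLE_RUN.items():
        path = run_dir / rel
        path.parent.mkdir(parents=True, exist_ok=True)
        path.write_text("".join(json.dumps(r) + "\n" for r in records))
    return run_dir


def normalize(tool, rec):
    """Map one tool-specific JSONL record to (host, kind, severity, detail)."""
    host = rec.get("host", "")
    if tool == "subfinder":
        return host, "subdomain", "info", rec.get("source", "")
    if tool == "dnsx":
        return host, "resolved", "info", ",".join(rec.get("a", []))
    if tool == "httpx":
        return host, "http", "info", f"{rec.get('status_code')} {','.join(rec.get('tech', []))}"
    if tool == "nuclei":
        sev = rec.get("info", {}).get("severity", "unknown")
        return host, rec.get("template-id", ""), sev, rec.get("matched-at", "")
    # Imported third-party output: keep the whole record so nothing is lost.
    return host, tool, rec.get("severity", "unknown"), json.dumps(rec)


def rebuild_db(run_dir):
    """(Re)generate run_dir/findings.sqlite.db from every <tool>/*.jsonl.

    Dropping the table first makes the rebuild idempotent: drop a new JSONL
    file into the folder, rerun, and the database reflects it.
    """
    run_dir = Path(run_dir)
    rows = []
    for path in sorted(run_dir.glob("*/*.jsonl")):
        tool = path.parent.name
        for line in path.read_text().splitlines():
            if line.strip():
                host, kind, sev, detail = normalize(tool, json.loads(line))
                rows.append((run_dir.name, tool, host, kind, str(sev).lower(), detail))
    db_path = run_dir / DB_NAME
    con = sqlite3.connect(db_path)
    con.execute("DROP TABLE IF EXISTS finding")
    con.execute("CREATE TABLE finding(run_ts TEXT, tool TEXT, host TEXT, kind TEXT, severity TEXT, detail TEXT)")
    con.executemany("INSERT INTO finding VALUES (?, ?, ?, ?, ?, ?)", rows)
    con.commit()
    con.close()
    return db_path


def dead_subdomains(db_path):
    """Subfinder hosts that dnsx never resolved: candidates to prune from scope."""
    con = sqlite3.connect(db_path)
    rows = con.execute(
        "SELECT DISTINCT host FROM finding WHERE tool = 'subfinder' "
        "AND host NOT IN (SELECT host FROM finding WHERE tool = 'dnsx') ORDER BY host"
    ).fetchall()
    con.close()
    return [r[0] for r in rows]


def ranked_findings(db_path):
    """Nuclei findings as (severity, host, template) tuples, highest severity first."""
    con = sqlite3.connect(db_path)
    rows = con.execute("SELECT severity, host, kind FROM finding WHERE tool = 'nuclei'").fetchall()
    con.close()
    return sorted(rows, key=lambda r: (SEVERITY_RANK.get(r[0], 5), r[1], r[2]))


def demo(root=None):
    """Write the sample run, rebuild its database, and return both triage views."""
    root = root or tempfile.mkdtemp(prefix="fleetfolio-results-")
    db = rebuild_db(write_sample_run(root, "2026-03-04T10-20-10"))
    return {"dead": dead_subdomains(db), "ranked": ranked_findings(db)}


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The fallback branch in normalize is what makes the "drop a file in and regenerate" import path work: a JSONL file from a tool the normalizer does not know still lands in the table with its raw record as the detail column, so an analyst can query it alongside the native artifacts rather than lose it.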

Fleetfolio Threat Exposure

Security assessments are only as valuable as the actions they drive. Traditional pentest reports often end up as static PDFs disconnected from day-to-day workflows — leading to delayed remediation, limited leadership visibility, and compliance gaps when auditors ask for proof.

Fleetfolio Threat Exposure solves this with a real-time, evidence-driven reporting and communications layer that transforms technical findings into actionable dashboards, automated workflows, and executive insights.

How Pentest & Threat Exposure Work Together

Ingest Evidence

Fleetfolio Pentest executes authorized penetration testing workflows. All findings are normalized into the evidence warehouse via Surveilr-based ingestion pipelines, structured into SQL tables.

Centralize & Visualize

SQLPage dashboards surface evidence consistently across domains, assets, and runs. Analysts get an Evidence Explorer, Findings Viewer, and Runbook Log Viewer — no more hunting through files or spreadsheets.

Deliver & Automate

Real-time dashboards show vulnerabilities as soon as they're found. Findings are automatically routed into IT workflows using severity, ownership, and asset-type rules — delivered to Jira, ServiceNow, Slack, or Teams.

Remediate & Track

Issues follow a consistent lifecycle: Open → In Progress → Remediated → Validated → Closed. Stakeholders are notified and remediation progress is visible to both technical teams and leadership.

Validate & Close the Loop

When a POA&M item is marked remediated, Fleetfolio Threat Exposure automatically triggers Pentest retests to confirm closure. Results are archived for compliance audits.

Customer Benefits

Audience                    What they get
CISOs & Security Leaders    Dashboards for exposure trends, MTTR, and compliance posture across environments
DevOps & IT Operations      Pentest findings delivered directly to Jira/ServiceNow, with no tool switching
Compliance & Audit Teams    Auto-generated POA&M items mapped to SOC2, ISO, CMMC, and more
MSPs / MSSPs                Multi-tenant support with standardized dashboards per customer

Relationship to Opsfolio

  • Fleetfolio Pentest contributes structured artifacts (JSON, JSONL, XML, SQLite) to the Opsfolio evidence warehouse.
  • Fleetfolio Threat Exposure provides the customer-facing UI/UX for reporting, dashboards, and workflow automation.
  • Opsfolio CaaS uses both to generate Plans of Actions and Milestones (POA&M) for regulated industries — linking threat evidence directly to compliance frameworks including SOC2, ISO, CMMC, HIPAA, and FedRAMP.
