EASM Platform — Overview

What is it?

EASM Platform is a prototype External Attack Surface Management system. It discovers, normalises, correlates, and analyses internet-facing assets of organisations, integrating multiple reconnaissance and vulnerability-scanning tools through a plugin-based architecture, and enriching results with rule-based agent logic for risk scoring and attack-path analysis.

Architecture

React Frontend (port 3000)
        │
        │ REST API (JSON / Bearer JWT)
        ▼
Go API Server (port 8080)  ── modular monolith
        │
  ┌─────┼──────────────────────────────────┐
  │     │                                  │
Auth  OrgModule  ScopeModule  ScanEngine   │
  │                                        │
  │              Redis Queue               │
  │                  │                     │
  │             Go Workers ────► Plugin Runtime
  │                  │           (subfinder/httpx/
  │                  │            nmap/nuclei)
  │                  ▼
  │        Normalization → Deduplication → Correlation
  │                  ▼
  │            PostgreSQL
  │       (assets/edges/vulns/scans)
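As an added illustration of the flow the diagram shows (plugin runtime, then normalisation, deduplication and the asset graph), the Go program below is not part of the EASM Platform code base. The Finding, Plugin and Graph types, the mock subfinder/httpx output, and the in-memory stand-ins for the assets and asset_edges tables are assumptions made for this example. It shows why normalisation must run before the upsert: two plugins reporting the same host with different spelling collapse into one record that remembers both sources, and the same parent/child edge is stored once.

```go
package main

import (
	"fmt"
	"sort"
	"strings"
)

// Finding is one raw observation emitted by a scanner plugin (shape assumed here).
type Finding struct {
	Type   string // "domain", "http", ...
	Value  string // value exactly as the tool printed it
	Parent string // asset this finding was derived from ("" for a root)
	Source string // plugin name
}

// Plugin is the assumed scanner interface; in the real project each tool is its own struct.
type Plugin interface {
	Name() string
	Run(target string, testMode bool) ([]Finding, error)
}

// mockPlugin returns canned output in test mode; outside test mode the real
// plugin would exec the scanner binary, which this stand-in reports as missing.
type mockPlugin struct {
	name     string
	findings []Finding
}

func (m mockPlugin) Name() string { return m.name }

func (m mockPlugin) Run(target string, testMode bool) ([]Finding, error) {
	if !testMode {
		return nil, fmt.Errorf("%s binary not available (set EASM_TEST_MODE=true)", m.name)
	}
	return m.findings, nil
}

// Constructed mock output. subfinder reports the www host in mixed case with a
// trailing dot; httpx reports the same host again plus an HTTP service on it.
var subfinder = mockPlugin{name: "subfinder", findings: []Finding{
	{Type: "domain", Value: "WWW.Example.COM.", Parent: "example.com", Source: "subfinder"},
	{Type: "domain", Value: "api.example.com", Parent: "example.com", Source: "subfinder"},
}}

var httpx = mockPlugin{name: "httpx", findings: []Finding{
	{Type: "domain", Value: "www.example.com", Parent: "example.com", Source: "httpx"},
	{Type: "http", Value: "https://www.example.com", Parent: "www.example.com", Source: "httpx"},
}}

// Asset is the deduplicated record (one row in assets); Sources lists every
// plugin that reported it. Edge mirrors one row in asset_edges.
type Asset struct {
	Type, Value string
	Sources     []string
}

type Edge struct{ From, To string }

// Graph is an in-memory stand-in for the assets + asset_edges tables.
type Graph struct {
	Assets map[string]*Asset
	Edges  map[Edge]bool
}

func NewGraph() *Graph { return &Graph{Assets: map[string]*Asset{}, Edges: map[Edge]bool{}} }

// normalise lower-cases, trims whitespace and strips a trailing dot so that
// "WWW.Example.COM." and "www.example.com" produce the same key.
func normalise(v string) string { return strings.TrimSuffix(strings.ToLower(strings.TrimSpace(v)), ".") }

func assetKey(t, v string) string { return t + "|" + v }

// Upsert is the deduplication step: insert the asset if unseen, otherwise merge
// the new source into the existing record, then record the edge to its parent.
func (g *Graph) Upsert(f Finding) {
	f.Value, f.Parent = normalise(f.Value), normalise(f.Parent)
	k := assetKey(f.Type, f.Value)
	a, ok := g.Assets[k]
	if !ok {
		a = &Asset{Type: f.Type, Value: f.Value}
		g.Assets[k] = a
	}
	if !contains(a.Sources, f.Source) {
		a.Sources = append(a.Sources, f.Source)
	}
	if f.Parent != "" {
		g.Edges[Edge{From: f.Parent, To: f.Value}] = true
	}
}

func contains(ss []string, s string) bool {
	for _, x := range ss {
		if x == s {
			return true
		}
	}
	return false
}

// RunPipeline seeds the graph with the scope target, runs every plugin, and pushes
// each finding through normalisation and upsert. A failing plugin aborts the scan.
func RunPipeline(target string, plugins []Plugin, testMode bool) (*Graph, error) {
	g := NewGraph()
	g.Upsert(Finding{Type: "domain", Value: target, Source: "scope"})
	for _, p := range plugins {
		findings, err := p.Run(target, testMode)
		if err != nil {
			return nil, fmt.Errorf("plugin %s: %w", p.Name(), err)
		}
		for _, f := range findings {
			g.Upsert(f)
		}
	}
	return g, nil
}

// SourcesOf returns the sorted plugins that reported an asset (nil if unknown).
func (g *Graph) SourcesOf(t, v string) []string {
	a, ok := g.Assets[assetKey(t, normalise(v))]
	if !ok {
		return nil
	}
	out := append([]string(nil), a.Sources...)
	sort.Strings(out)
	return out
}

func main() {
	g, err := RunPipeline("example.com", []Plugin{subfinder, httpx}, true)
	if err != nil {
		fmt.Println("scan failed:", err)
		return
	}
	fmt.Printf("%d assets, %d edges\n", len(g.Assets), len(g.Edges)) // 4 assets, 3 edges
}
```

Running it in test mode yields four assets (the scope root, www, api and the HTTPS service) and three edges; the www record carries both httpx and subfinder as sources. With testMode false the mock reports the missing binary and RunPipeline returns the wrapped plugin error, which is the behaviour the Redis-backed worker would surface as a failed scan job.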

Key design decisions

| Decision | Rationale |
|---|---|
| Modular monolith (not microservices) | Simpler deployment, sufficient for prototype scale |
| Redis queue for scan jobs | Decouples HTTP API from long-running scanner processes |
| Upsert-based deduplication | Same asset found by multiple plugins → one DB record |
| PostgreSQL asset graph | assets + asset_edges tables model the graph; no separate graph DB needed at this scale |
| Plugin interface | Each scanner is a Go struct implementing Plugin; adding new tools requires only one file |
| Test mode | EASM_TEST_MODE=true uses mock data — no real scanner binaries needed during dev |
| JWT auth | Access token (15 min) + refresh token (7 days); also supports API key auth |
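The JWT row above states only the two lifetimes. The Go program below is an added example and not the project's auth package: the claim layout (sub, kind, exp), HS256 with a shared secret, and the Issue/Verify names are assumptions made here. It shows the checks a verifier needs beyond expiry: the signature is compared in constant time before any claim is read, the declared algorithm is pinned, and the token's kind is matched against what the endpoint expects, so a 7-day refresh token cannot be presented where a 15-minute access token is required.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"strings"
	"time"
)

// Lifetimes from the design table: short access token, long refresh token.
const (
	AccessTTL  = 15 * time.Minute
	RefreshTTL = 7 * 24 * time.Hour
)

// Claims is the payload shape assumed for this example; "kind" separates the
// two token types so one cannot be substituted for the other.
type Claims struct {
	Sub  string `json:"sub"`
	Kind string `json:"kind"` // "access" or "refresh"
	Exp  int64  `json:"exp"`  // unix seconds
}

var enc = base64.RawURLEncoding

// sign computes the HS256 signature over "header.payload".
func sign(secret []byte, signingInput string) string {
	mac := hmac.New(sha256.New, secret)
	mac.Write([]byte(signingInput))
	return enc.EncodeToString(mac.Sum(nil))
}

// Issue mints a token of the given kind that expires ttl after now.
func Issue(secret []byte, sub, kind string, now time.Time, ttl time.Duration) (string, error) {
	payload, err := json.Marshal(Claims{Sub: sub, Kind: kind, Exp: now.Add(ttl).Unix()})
	if err != nil {
		return "", err
	}
	header := enc.EncodeToString([]byte(`{"alg":"HS256","typ":"JWT"}`))
	signingInput := header + "." + enc.EncodeToString(payload)
	return signingInput + "." + sign(secret, signingInput), nil
}

// Verify checks the signature first (constant-time), then pins the algorithm,
// checks expiry and finally the token kind. Claims are returned only after
// every check passes, so callers never act on unverified data.
func Verify(secret []byte, token, wantKind string, now time.Time) (*Claims, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return nil, errors.New("malformed token")
	}
	if !hmac.Equal([]byte(sign(secret, parts[0]+"."+parts[1])), []byte(parts[2])) {
		return nil, errors.New("invalid signature")
	}
	// The header is covered by the signature, so this is a defensive pin rather
	// than the primary defence against alg confusion.
	hdrJSON, err := enc.DecodeString(parts[0])
	if err != nil {
		return nil, err
	}
	var hdr struct {
		Alg string `json:"alg"`
	}
	if err := json.Unmarshal(hdrJSON, &hdr); err != nil || hdr.Alg != "HS256" {
		return nil, errors.New("unexpected alg")
	}
	body, err := enc.DecodeString(parts[1])
	if err != nil {
		return nil, err
	}
	var c Claims
	if err := json.Unmarshal(body, &c); err != nil {
		return nil, err
	}
	if now.Unix() >= c.Exp {
		return nil, errors.New("token expired")
	}
	if c.Kind != wantKind {
		return nil, fmt.Errorf("token kind %q, want %q", c.Kind, wantKind)
	}
	return &c, nil
}

func main() {
	secret := []byte("constructed-dev-secret-do-not-reuse") // constructed for this example
	now := time.Now()
	access, _ := Issue(secret, "user-1", "access", now, AccessTTL)
	c, err := Verify(secret, access, "access", now.Add(14*time.Minute))
	fmt.Println(c, err) // claims, <nil>
	_, err = Verify(secret, access, "access", now.Add(16*time.Minute))
	fmt.Println(err) // token expired
}
```

The refresh endpoint would call Verify with wantKind "refresh" and then Issue a fresh access token; every other endpoint calls it with "access". Verifying the signature before decoding the payload means a forged or truncated token is rejected without the JSON decoder ever touching attacker-controlled bytes.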

Component map

backend/
├── cmd/api/        Main API binary
├── cmd/worker/     Background scan worker binary
├── internal/
│   ├── auth/           JWT, RBAC, API keys
│   ├── organizations/  Multi-org management
│   ├── scopes/         Scope CRUD + approval workflow
│   ├── scans/          Scan creation, job tracking, worker
│   ├── plugins/        Plugin interface + subfinder/httpx/nmap/nuclei
│   ├── assets/         Asset storage, deduplication, graph
│   ├── vulnerabilities/ Vuln lifecycle, severity, status workflow
│   └── audit/          Audit log
└── migrations/     SQL schema (goose)

frontend/
└── src/
    ├── pages/      LoginPage, Dashboard, Organizations, Scans…
    ├── api/        Typed Axios wrappers for every endpoint
    ├── store/      Zustand auth store
    └── types/      Shared TypeScript types