SCOUT is an AEG-first firmware analysis platform that transforms raw firmware blobs into evidence-anchored exploitability chains, lab-bounded Proof-of-Vulnerability modules, and audit-ready dossiers. Now featuring a Hybrid Analysis Engine for both Binary and Shell Script auditing.
While traditional scanners prioritize bulk and speed, SCOUT acts as a high-fidelity AEG copilot: it reconstructs exploit chains across ELF binaries and shell scripts, explains its reasoning with evidence trails, and generates lab-bounded PoV/PoC modules rather than raw public-PoC copies.
| Corpus Targets | Analysis Success | Scripts Scanned | FP Reduction (LLM) | Engine |
|---|---|---|---|---|
| 1,123 | 98.8% | 1,300+ | 99.3% | v3.0.0-rc1 Hybrid |
- Hybrid Triage: Audit both ELF binaries and shell scripts in a single unified pipeline.
- Deep Exploit Discovery: Find complex Web -> IPC -> Config -> Daemon or Shell -> Binary chains.
- AEG-first AutoPoC: Leverage the Exploit Pattern RAG to generate lab-ready Proof-of-Vulnerability modules from firmware evidence.
- SCOUT now includes a metadata-only PoC-in-GitHub importer and a human-review-required draft pattern-card promoter for firmware-relevant CVE seeds before AutoPoC retrieval.
- SCOUT does not clone, execute, or prompt-inject raw public PoC repositories for copy-based exploitation. A platform-level AEG claim must pass the E2E dynamic/FP gate in docs/aeg_e2e_validation.md. See also docs/exploit-pattern-rag.md.
- Evidence Investigation: Use the Glassmorphism Web Dashboard to walk through decompiled P-code and shell logic.
- Audit/compliance-compatible reporting: Generate SARIF, CycloneDX 1.6 SBOM+VEX, and SLSA L2 attestations.
[1] **Hybrid Analysis Engine (v3)**: Bridges the gap between binary-level execution and high-level shell logic, expanding coverage into script-driven firmware attack surfaces that binary-only pipelines miss.

[2] **Hash-Anchored Evidence Lineage**: Every finding is tied to a specific file path, byte offset, and SHA-256 hash. No black-box guesses.

[3] **Intelligent Analyst Copilot**: Built-in LLM tribunal (Advocate/Critic) reduces false positives by 99.3% on the historical Tier-2 benchmark using the registered multi-stage triage pipeline.

[4] **Zero Dependency (Pure Stdlib)**: No `pip install` nightmares. Deploy instantly in air-gapped labs or restricted environments.
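The evidence-anchor idea in [2], as an added stdlib-only example that is not SCOUT's own code: a finding records the file path, byte offset, length and SHA-256 of both the whole file and the anchored bytes, and a verifier re-derives all of them from disk so that a finding whose file has since changed fails closed. The record layout, function names and the sample file contents are assumptions.

```python
import hashlib
import os
import tempfile


def sha256_file(path):
    """Stream the whole file through SHA-256 (firmware blobs can be large)."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def make_finding(path, offset, length, rule_id):
    """Build an evidence anchor: path + byte offset + hashes of file and snippet (assumed layout)."""
    with open(path, "rb") as f:
        f.seek(offset)
        snippet = f.read(length)
    return {
        "rule_id": rule_id,
        "path": path,
        "offset": offset,
        "length": length,
        "file_sha256": sha256_file(path),
        "snippet_sha256": hashlib.sha256(snippet).hexdigest(),
    }


def verify_finding(finding):
    """Re-derive every anchor field from disk; any mismatch means the evidence no longer matches what was audited."""
    path = finding["path"]
    if not os.path.isfile(path) or sha256_file(path) != finding["file_sha256"]:
        return False
    with open(path, "rb") as f:
        f.seek(finding["offset"])
        snippet = f.read(finding["length"])
    if len(snippet) != finding["length"]:
        return False  # truncated file: the offset no longer points inside it
    return hashlib.sha256(snippet).hexdigest() == finding["snippet_sha256"]


def demo():
    """Constructed stand-in for an extracted init script with an eval sink; returns (verifies, verifies_after_edit)."""
    body = b"#!/bin/sh\nCMD=$(nvram get cmd)\neval $CMD\n"
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "init.sh")
        with open(path, "wb") as f:
            f.write(body)
        finding = make_finding(path, body.index(b"eval"), len(b"eval $CMD"), "SH-EVAL")
        before = verify_finding(finding)
        with open(path, "wb") as f:  # simulate the file being patched after the audit
            f.write(body.replace(b"eval $CMD", b"echo $CMD"))
        return before, verify_finding(finding)
```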
```bash
# Analyze a firmware image (Hybrid mode enabled by default)
./scout analyze firmware.bin

# Explore findings in the Web Dashboard
./scout serve aiedge-runs/<run_id> --port 8080

# Deep dive in the Terminal UI
./scout ti

# Seed Exploit Pattern RAG candidates from PoC-in-GitHub metadata only
python scripts/import_poc_in_github_candidates.py --dry-run

# Draft a human-review-required pattern card from one candidate
python scripts/draft_exploit_pattern_card.py data/exploit_references/candidates/poc_in_github/cve-2024-1781.json --print-json

# After a real authorized lab run, enforce dynamic proof + FP/FPR evidence
./scout aeg-e2e-gate aiedge-runs/<run_id>

# CI-safe AEG regression: vulnerable lab service must pass, patched control must fail closed
python scripts/run_aeg_synthetic_pair.py --work-root /tmp/scout-aeg-synthetic-pair
python scripts/run_aeg_synthetic_pair.py --pattern cgi_param_cmd_injection --work-root /tmp/scout-aeg-cgi-pair
python scripts/run_aeg_synthetic_pair.py --pattern config_derived_cmd_injection --work-root /tmp/scout-aeg-config-pair

# Inspect which Exploit Pattern RAG cards have vulnerable/control evidence
python scripts/check_exploit_pattern_evidence.py
python scripts/check_exploit_pattern_evidence.py --require-real-firmware-pair

# Audit AEG platform readiness from card evidence + stable real-firmware pair proof
./scout aeg-readiness --out docs/pov/aeg_platform_readiness.json

# Run/reuse an official known-vulnerable/patched firmware pair and emit the fail-closed gate report.
./scout aeg-real-pair --pair-id <manifest-pair-id> --fetch --no-llm \
    --pattern-id <pattern-id> --out docs/pov/<stable-pair-evidence>.json

# Record real known-vulnerable/patched firmware pair evidence on a pattern card.
python scripts/record_pattern_pair_evidence.py <pattern-id> --kind real_firmware_pair \
    --vulnerable-run-dir aiedge-runs/<known-vulnerable-run> \
    --control-run-dir aiedge-runs/<patched-control-run> \
    --artifact docs/pov/<stable-pair-evidence>.json \
    --vulnerable-firmware-sha256 <sha256> \
    --control-firmware-sha256 <sha256> \
    --cve CVE-YYYY-NNNN --apply
```

| | Feature | Description |
|---|---|---|
| 📦 | Hybrid SBOM & CVE | CycloneDX 1.6 + VEX + NVD scan + 2,528 local CVE DB + Integrated Shell Script auditing |
| 🔍 | Binary Analysis | Ghidra P-code SSA dataflow taint + ELF hardening detection + 28 sink symbols |
| 🐚 | Script Analysis | Heuristic auditing of 1,000+ scripts for insecure eval, backticks, and unquoted variable usage |
| 🎯 | Attack Surface | Source→sink tracing, web server auto-detection, cross-binary IPC chains (5 types) |
| 🧠 | Taint Analysis | HTTP-aware inter-procedural taint, P-code SSA dataflow, call chain visualization |
| 🤖 | LLM Engine | 4 backends + centralized system prompts + structured JSON output + 5-stage parser |
| 📚 | Exploit Pattern RAG | Curated pattern-card retrieval plus PoC-in-GitHub metadata seeds and reviewed draft promotion for firmware-relevant AEG candidates |
| ⚔️ | LLM-Adjudicated Debate | Advocate/Critic LLM debate for high-fidelity FPR reduction |
| 📊 | Web Viewer | Glassmorphism dashboard with KPI bar, IPC map, risk heatmap, and evidence navigation |
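The Script Analysis row describes heuristic auditing for insecure `eval`, backticks and unquoted variable usage. The following is an added illustration of that kind of check, written here and not SCOUT's own rule set: three regex heuristics run line by line over a constructed init script, with plain assignments exempted from the unquoted-expansion rule because POSIX sh does not word-split them. Rule ids, the sample script and the skip logic are assumptions.

```python
import re

# Assumed heuristic rules (not SCOUT's): (rule id, pattern, description).
RULES = [
    ("SH-EVAL", re.compile(r"(^|[;&|]\s*|\s)eval\s+"), "eval of runtime data"),
    ("SH-BACKTICK", re.compile(r"`[^`]*`"), "backtick command substitution"),
    ("SH-UNQUOTED", re.compile(r"(?<![\"'\w])\$\{?[A-Za-z_]\w*\}?(?![\"'\w])"),
     "unquoted variable expansion (word splitting / globbing)"),
]
QUOTED = re.compile(r"\"[^\"]*\"|'[^']*'")          # drop quoted segments before the unquoted check
ASSIGNMENT = re.compile(r"^\s*(export\s+)?[A-Za-z_]\w*=")  # plain assignment: no word splitting


def audit_shell(text):
    """Return [(line_no, rule_id, line)] for every heuristic hit; comments and blank lines are skipped."""
    findings = []
    for no, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        for rule_id, pattern, _desc in RULES:
            target = line
            if rule_id == "SH-UNQUOTED":
                if ASSIGNMENT.match(line):
                    continue
                target = QUOTED.sub("", line)
            if pattern.search(target):
                findings.append((no, rule_id, line))
    return findings


# Constructed sample: an init script shaped like the config -> shell sinks the page describes.
SAMPLE_SCRIPT = """#!/bin/sh
# constructed sample init script
CFG=$(nvram get wan_cmd)
eval $CFG
FILES=`ls /tmp/upload`
for f in $FILES; do
    rm -f "$f"
done
echo "$CFG"
"""

if __name__ == "__main__":
    for no, rule_id, line in audit_shell(SAMPLE_SCRIPT):
        print(f"line {no}: {rule_id}: {line}")
```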