This document provides a high-level overview of the ProRT-IP WarScan development roadmap. For detailed sprint planning, task breakdowns, and technical specifications, see docs/01-ROADMAP.md.
Goal: Create a modern, high-performance network scanner that combines:
- Speed of Masscan: 1M+ packets/second stateless scanning
- Depth of Nmap: Comprehensive service detection and OS fingerprinting
- Safety of Rust: Memory safety, concurrency safety, and modern error handling
Target Users: Security professionals, penetration testers, network administrators, red teams
Phase: Phase 4 COMPLETE ✅ (Sprints 4.1-4.19) → Phase 5 Kickoff Version: v0.3.8 (NUMA + Zero-Copy foundation) Last Updated: 2025-10-13
-
✅ M0: Documentation Complete (2025-10-07)
- Comprehensive documentation suite (237 KB across 13 documents)
- Architecture design finalized
- 8-phase development roadmap with 122+ tracked tasks
- GitHub repository initialized and public
-
✅ M1: Basic Scanning Capability (2025-10-07)
- 4 crates implemented (core, network, scanner, cli)
- 215 tests passing (100% success rate)
- TCP connect scanning fully functional
- CLI with JSON/XML/Text output
- Cross-platform packet capture abstraction
- Rate limiting and host discovery
- SQLite storage with async support
-
✅ M2: Advanced Scanning Complete (2025-10-08)
- 3,551 lines of production code added
- 278 tests passing (49 core + 29 network + 114 scanner + 49 cli + 37 integration)
- 7 scan types implemented (Connect, SYN, UDP, FIN, NULL, Xmas, ACK)
- 8 protocol-specific UDP payloads (DNS, NTP, NetBIOS, SNMP, RPC, IKE, SSDP, mDNS)
- 6 timing templates (T0-T5 paranoid to insane)
- Adaptive rate limiter (Masscan-inspired, 422 lines)
- Connection pool (RustScan-inspired, 329 lines)
-
✅ M3: Comprehensive Detection (2025-10-08)
- 2,372 insertions, 1,093 deletions (net: ~1,279 lines)
- 391 tests passing after Phase 3 + Enhancement Cycles 1-5
- 6 new detection modules (os_db, service_db, os_probe, os_fingerprinter, service_detector, banner_grabber)
- OS fingerprinting with 16-probe sequence (2,000+ signatures)
- Service version detection (500+ protocol probes)
- Banner grabbing with protocol-specific handlers
- CLI flags: -O, --sV, --version-intensity, --banner-grab
-
✅ Enhancement Cycles 1-8 Complete (2025-10-08)
- Cycle 1: Cryptographic foundation (SipHash, Blackrock)
- Cycle 2: Concurrent scanning (FuturesUnordered)
- Cycle 3: Resource management (ulimit detection, interface selection) - 345 tests
- Cycle 4: CLI integration and ulimit awareness - 352 tests
- Cycle 5: Progress tracking and error categorization - 391 tests
- Cycle 6: Port filtering infrastructure - 441 tests
- Cycle 7: Advanced filtering and exclusion lists - 504 tests
- Cycle 8: Performance & stealth (sendmmsg, CDN detection, decoy scanning) - 547 tests
- Total enhancements: 4,077 lines added across 8 cycles
- Final test count: 547 tests (100% pass rate)
-
✅ Phase 4: Performance Optimization Complete (2025-10-13)
- Lock-free scheduler, NUMA-aware execution, and zero-copy packet pipelines across SYN/UDP/stealth scanners
- sendmmsg/recvmmsg batching, adaptive progress bridge, and streaming result writer
- Benchmark uplift: 10x faster large subnet scans, 17x faster filtered network scenarios, <0.5% overhead increase
- Test coverage expanded to 803 passing checks with zero clippy warnings
Timeline: Weeks 1-3 Status: ✅ COMPLETE (2025-10-07)
Key Deliverables:
- ✅ Cross-platform packet capture (Linux/Windows/macOS)
- ✅ Basic TCP connect scanning
- ✅ CLI with argument parsing
- ✅ Privilege management (drop after socket creation)
- ✅ SQLite result storage
- ✅ Rate limiting with token bucket
- ✅ Host discovery (ICMP, TCP ping)
- ✅ Multiple output formats (JSON, XML, Text)
Milestone: ✅ M1 - Basic scanning capability (Achieved)
Timeline: Weeks 4-6 Status: ✅ COMPLETE (2025-10-08)
Key Deliverables:
- ✅ TCP SYN scanning (stateless) - syn_scanner.rs (437 lines)
- ✅ UDP scanning with protocol-specific probes - udp_scanner.rs (258 lines), protocol_payloads.rs (199 lines)
- ✅ Stealth scan variants (FIN, NULL, Xmas, ACK) - stealth_scanner.rs (388 lines)
- ✅ Timing templates (T0-T5) - timing.rs (441 lines)
- ✅ Rate limiting and adaptive throttling - adaptive_rate_limiter.rs (422 lines)
- ✅ Packet builder infrastructure - packet_builder.rs (790 lines)
- ✅ Connection pool for efficiency - connection_pool.rs (329 lines)
Milestone: ✅ M2 - Advanced scanning complete (Achieved)
Timeline: Weeks 7-10 Status: ✅ COMPLETE (2025-10-08)
Key Deliverables:
- ✅ OS fingerprinting (16-probe sequence) - os_probe.rs, os_fingerprinter.rs, os_db.rs
- ✅ Service version detection (nmap-service-probes format) - service_detector.rs, service_db.rs
- ✅ Banner grabbing with protocol-specific handlers - banner_grabber.rs
- ✅ Application-level protocol identification (HTTP, FTP, SSH, SMTP, POP3, IMAP)
- ✅ Database parsers for 2,000+ OS signatures and 500+ service probes
Milestone: ✅ M3 - Comprehensive detection (Achieved)
Timeline: Weeks 11-13 Status: ✅ COMPLETE (2025-10-13)
Highlights:
- Lock-free work-stealing scheduler with NUMA-aware thread placement (
--numa/--no-numa) - Zero-copy packet pipeline spanning SYN, UDP, and stealth scanners plus streaming result writer
- sendmmsg/recvmmsg batching, adaptive progress bridge, and Masscan-compatible output
- Comprehensive profiling suite (perf, flamegraph, massif, hyperfine) with 10x–17x scan speed gains
- Regression guardrail: 803 tests passing, clippy clean, and CI 7/7 green
Milestone: ✅ Phase 4 - High-performance scanning (Achieved)
Timeline: Weeks 14-16 Status: 🚧 In Planning (kickoff pending Phase 5 Sprint 5.1)
Key Deliverables:
- Idle (zombie) scanning for complete anonymity
- Decoy scanning with configurable placement
- Packet fragmentation support
- Lua plugin system for custom probes
- Audit logging and compliance features
- Error recovery and resilience
Milestone: M5 - Enterprise features
Timeline: Weeks 17-18 Status: Planned
Key Deliverables:
- Terminal User Interface (TUI) with real-time progress
- Interactive result exploration
- Live packet statistics dashboard
- Export in multiple formats (JSON, XML, CSV, Nmap-compatible)
Milestone: M6 - Enhanced usability
Timeline: Weeks 19-20 Status: Planned
Key Deliverables:
- Security audit and penetration testing
- Cross-platform testing (Linux, Windows, macOS)
- Performance benchmarking suite
- Complete documentation review
- Binary releases for major platforms
- Package repository submissions (apt, homebrew, chocolatey)
Milestone: M7 - Version 1.0 release
Timeline: Beyond Week 20 Status: Future planning
Potential Features:
- Web UI with browser-based interface
- Desktop GUI (Tauri or Iced)
- IPv6 full support with extension headers
- Distributed scanning across multiple hosts
- Machine learning for service classification
- Integration with vulnerability databases (CVE, ExploitDB)
- IDS/IPS evasion techniques (advanced fragmentation, timing randomization)
| Metric | Target | Stretch Goal |
|---|---|---|
| Stateless TCP SYN | 1M+ pps | 10M+ pps |
| Stateful Connect | 50K+ pps | 100K+ pps |
| UDP Scanning | 10K+ pps | 50K+ pps |
| OS Fingerprint Accuracy | >90% | >95% |
| Service Detection Accuracy | >85% | >90% |
| Memory Usage | <500MB for /16 scan | <200MB |
| Code Coverage | >80% overall | >90% |
| Core Module Coverage | >90% | >95% |
| Feature | Nmap | Masscan | RustScan | ProRT-IP (Target) |
|---|---|---|---|---|
| Speed (max pps) | ~10K | 10M+ | ~10K | 1M+ (stateless) |
| OS Fingerprinting | ✅ Excellent | ❌ No | ❌ No | ✅ Implemented (Phase 3) |
| Service Detection | ✅ Excellent | ❌ No | ✅ Implemented (Phase 3) | |
| Stealth Scans | ✅ Yes | ✅ Implemented (Phase 2) | ||
| IPv6 Support | ✅ Full | |||
| Lua Scripting | ✅ NSE | ❌ No | ❌ No | ✅ Planned (Phase 5) |
| Memory Safety | ✅ Rust | ✅ Rust | ||
| License | NPSL/GPLv2 | AGPL-3.0 | GPL-3.0 | GPLv3 |
Core Language: Rust 1.70+ Async Runtime: Tokio (multi-threaded scheduler) Packet Libraries: pnet, etherparse, pcap CLI Framework: clap v4 Database: SQLite (sqlx) with PostgreSQL support Testing: cargo test, Criterion benchmarks, cargo-tarpaulin Performance Tools: perf, flamegraph, cargo-bench
See docs/00-ARCHITECTURE.md for detailed architecture.
- 0.1.0: ✅ Phase 1-3 complete (basic scanning + advanced scanning + detection systems)
- 0.2.0: Phase 4 complete (performance optimization) - Planned
- 0.3.0: Phase 5 complete (advanced features) - Planned
- 0.4.0: Phase 6 complete (TUI) - Planned
- 1.0.0: Phase 7 complete
- All planned features implemented
- Security audit passed
- Cross-platform binaries
- Production-ready documentation
-
80% test coverage
- Web UI and desktop GUI
- Advanced IPv6 support
- Distributed scanning
- ML-based service detection
- Establish active contributor base
- Regular development updates
- Community-driven feature prioritization
- GitHub Discussions for Q&A
- Monthly community calls
- Conference presentations (DEF CON, Black Hat, BSides)
- Academic paper on performance innovations
- 100+ stars on GitHub
- Industry adoption for penetration testing
- Integration with security tool suites (Kali Linux, etc.)
- Training materials and certifications
- Commercial support options
We welcome contributions at all stages! See CONTRIBUTING.md for guidelines.
Current Priorities:
- Phase 1 Implementation: Core infrastructure (packet capture, CLI, privilege management)
- Testing Infrastructure: Unit tests, integration tests, Docker test environments
- Documentation: Improvements, examples, tutorials
Good First Issues: Check GitHub Issues for beginner-friendly tasks.
Current Status: Community-driven, no funding
Future Considerations:
- GitHub Sponsors for core maintainers
- OpenCollective for transparent community funding
- Commercial support services
- Grant applications for security research
- Cross-platform compatibility: Mitigated by abstraction layers and extensive testing
- Performance targets: Requires careful optimization and profiling
- Security vulnerabilities: Addressed through Rust's safety, code review, and security audits
- Contributor availability: Seeking multiple active maintainers
- Scope creep: Strict phase boundaries and feature prioritization
- Competition: Differentiating through modern architecture and Rust ecosystem
- ✅ Packet capture working on all 3 platforms
- ✅ Basic TCP connect scan completing successfully
- ✅ Advanced scanning (SYN, UDP, stealth scans)
- ✅ Detection systems (OS fingerprinting, service detection, banner grabbing)
- ✅ Performance optimization (lock-free, adaptive parallelism, sendmmsg batching)
- ✅ 789 unit/integration tests with 61.92% coverage (exceeds 60% target)
- ✅ Testing infrastructure (cargo-tarpaulin, Criterion.rs benchmarks, baselines)
- ✅ CLI parsing complete with validation
- ✅ ~25,097 lines of Rust code (production + tests)
- All 7 phases complete
- 1M+ pps stateless scanning achieved
- >90% OS fingerprint accuracy
- Security audit passed
- 100+ GitHub stars
- 10+ active contributors
- 1000+ GitHub stars
- Kali Linux package inclusion
- Conference presentation accepted
- Published academic paper or whitepaper
Month 1-3: Phase 1 - Core Infrastructure
Month 4-6: Phase 2 - Advanced Scanning
Month 7-10: Phase 3 - Detection Systems
Month 11-13: Phase 4 - Performance Optimization
Month 14-16: Phase 5 - Advanced Features
Month 17-18: Phase 6 - User Interfaces
Month 19-20: Phase 7 - Release Preparation
Month 20+: Version 1.0 Release & Phase 8 Planning
For comprehensive roadmap details, including:
- Sprint-by-sprint task breakdowns
- 122+ tracked implementation tasks
- Technical specifications for each phase
- Risk assessment and mitigation strategies
- Resource allocation and dependencies
Last Updated: 2025-10-13 Next Review: Phase 5 Sprint 5.1 (Advanced Features)
Questions? See SUPPORT.md or ask in GitHub Discussions.