Cyber Guard Dog
Live

The command center that ties the whole pack together. Guard Dog discovers every module, monitors their health, and gives you one screen to see everything.

  • Module discovery — reads romp.json, polls health every 15 seconds
  • Live SSE stream — module up/down/exit events in real time
  • Status grid — color-coded cards for every module with uptime and last seen
  • Module management — start or stop any module from the dashboard
  • Aggregated findings — pulls findings from all modules into one view
  • Event log — rolling log of all module state changes
  • Platform summary — total modules, online/offline count, version at a glance
  • AI chat — ask questions about your server’s security posture, powered by a local AI model

Continuous Monitoring
  • File integrity — watches /etc/passwd, shadow, sudoers, sshd_config, crontab, and more every 5 minutes
  • Port watch — detects new listening ports every 60 seconds, alerts on unexpected services
  • Log threat detection — tracks spikes in critical/high events and brute force patterns every 5 minutes
  • Hardening drift — re-audits every 30 minutes, alerts on score drops or new critical findings

Security Reports

Full security assessment combining data from all modules — risk level, hardening score, network state, alert summary, and monitoring status. Run from the CLI with romp report.

Red Otter
Live

Offensive red team toolkit. 12 security tools with full API and dashboard panel, plus SnoopBot 4000 for live network monitoring.

  • DNS Recon — A, AAAA, MX, NS, TXT lookups
  • Subdomain Enumeration — brute-force 50+ common subdomains
  • Port Scanner — TCP connect, up to 200 ports, preset profiles
  • HTTP Inspector — full header dump, redirect tracing, fingerprinting
  • SSL/TLS Inspector — cert details, SANs, expiry, key size
  • Header Security Audit — HSTS, CSP, X-Frame, info leak detection
  • Cookie & Tracker Killer — privacy grade A-F, 40 trackers, 38 domains
  • IP Geolocation — ASN, org, city, country
  • WHOIS — domain registration data
  • Ping / Host Discovery — ICMP with packet loss and RTT
  • Traceroute — network path, up to 20 hops
  • Local Network — all interfaces, MACs, listening ports

Quick Scan

One-click full recon pass — ping + DNS + SSL + headers + common ports on any target with live results.

SnoopBot 4000
  • Live SSE feed updating every 2 seconds
  • Parses /proc/net/tcp, tcp6, udp, udp6 directly
  • Delta detection — flags new and dropped connections as they happen
  • Reverse DNS resolution with caching
  • Per-interface bandwidth monitoring (RX/TX rates, packets, errors)
  • ARP cache for LAN device discovery
  • Rolling 500-event sniff log
  • Filterable by protocol and state

White Otter
Live

Central nervous system for the whole platform. Every module sends alerts here. 10,000-alert in-memory buffer, no cloud, no external dependencies.

  • Alert ingestion — any module fires alerts via HTTP
  • Live SSE feed — alerts appear instantly as they fire
  • Severity filtering — query by severity, source, or time window
  • Acknowledge — mark alerts handled, acknowledged alerts dim
  • Statistics — total counts, 24-hour counts, breakdown by severity
  • Severity chart — visual bar chart of alert distribution
  • Source breakdown — which modules generate the most alerts
  • Export — dump all alerts as JSON or CSV with one click

Grey Otter
Live

Server hardening and config scanner. 9 security audits that read the actual state of the machine. Already finding real issues on a live Debian 13 server.

  • OS Info — distro, kernel, hostname, CPU, RAM, uptime
  • User Audit — flags non-root UID 0 accounts, lists sudo members
  • SSH Config Audit — checks PermitRootLogin, PasswordAuth, empty passwords, X11, MaxAuthTries
  • File Permission Audit — checks 7 critical files (/etc/passwd, shadow, sudoers, sshd_config, crontab, root ssh, gshadow)
  • Running Services Audit — flags 8 risky services (telnet, rsh, vsftpd, tftpd, etc.)
  • Cron Job Audit — flags 10 suspicious patterns (curl pipes, base64, eval, /dev/tcp, netcat)
  • Package Update Audit — lists upgradable packages, highlights security-critical ones
  • Firewall Audit — reads iptables/nftables, flags default ACCEPT or missing firewall
  • Kernel Parameter Audit — checks 8 sysctl values (IP forwarding, SYN cookies, ICMP redirects, ASLR, etc.)

Full Audit

Runs all 9 checks and produces a hardening score (0–100) with a letter grade (A through F). Every finding is severity-rated.

Black Otter
Live

Active penetration testing. Fires real payloads at your targets to confirm vulnerabilities are actually exploitable, not just theoretical. Full dashboard with one-click exploit reports.

  • SQL Injection — 26 payloads across 6 techniques: error-based, union, stacked, boolean-blind, time-blind, NoSQL
  • XSS — 18 payloads: script tags, event handlers, attribute breakout, encoded variants, SSTI template injection
  • Path Traversal — 15 LFI payloads with encoding variants, PHP filter chains, file:// protocol
  • Command Injection — 14 payloads: time-based and output-based detection across Unix and Windows
  • CRLF Injection — header injection testing with encoded and raw CRLF sequences
  • Default Credentials — 72 username/password combos covering admin panels, databases, web apps, IoT devices, and service accounts
  • Security Headers Check — audits HSTS, CSP, X-Frame-Options, Referrer-Policy, Permissions-Policy, and info leak headers
  • Exploit Report — one-click full scan combining all probes into a single vulnerability report

Yellow Otter
Live

Real-time network monitoring. Reads /proc directly to track every connection on your server — TCP, UDP, IPv4, IPv6. Alerts on new connections, dropped connections, and unexpected listeners.

  • Connection tracking — parses /proc/net/tcp, tcp6, udp, udp6 every 2 seconds
  • Delta detection — flags new and dropped connections as they happen via SSE
  • Port watchlist — define ports to monitor, get alerted on state changes
  • Interface stats — per-interface RX/TX rates, packets, errors, bandwidth monitoring
  • ARP cache — LAN device discovery and tracking
  • Snapshot API — point-in-time capture of all connections, interfaces, and ARP state
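
The connection tracking and delta detection described for Yellow Otter and SnoopBot 4000, sketched as an added example (not the project's own code): it decodes /proc/net/tcp-style rows and diffs two snapshots. The function names, the allowlist parameter, the sample snapshots, and the little-endian host assumption are all illustrative.

```python
import ipaddress

# Subset of the kernel's TCP state codes, as printed in the "st" column.
TCP_STATES = {"01": "ESTABLISHED", "06": "TIME_WAIT", "0A": "LISTEN"}

# Constructed samples in /proc/net/tcp layout (not captured from a real host).
HEADER = "  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode\n"
SNAPSHOT_A = HEADER + (
    "   0: 00000000:0016 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 1001\n"
    "   1: 0A00000A:0016 0B00000A:C350 01 00000000:00000000 00:00000000 00000000     0        0 1002\n")
SNAPSHOT_B = HEADER + (
    "   0: 00000000:0016 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 1001\n"
    "   1: 00000000:1F90 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 1003\n")

def decode_addr(hex_addr):
    """'0100007F:0035' -> ('127.0.0.1', 53); also handles 32-hex-digit tcp6/udp6 addresses."""
    host_hex, port_hex = hex_addr.split(":")
    raw = bytes.fromhex(host_hex)
    # Each 32-bit word is printed in host byte order (assumed little-endian,
    # e.g. x86/ARM Linux), so reverse every 4-byte group to get network order.
    packed = b"".join(raw[i:i + 4][::-1] for i in range(0, len(raw), 4))
    return str(ipaddress.ip_address(packed)), int(port_hex, 16)

def parse_proc_net(text, proto):
    """Return a set of (proto, local, remote, state) tuples, skipping the header row."""
    conns = set()
    for line in text.strip().splitlines()[1:]:
        fields = line.split()
        if len(fields) < 4:
            continue  # truncated or malformed row
        state = TCP_STATES.get(fields[3], fields[3])
        conns.add((proto, decode_addr(fields[1]), decode_addr(fields[2]), state))
    return conns

def delta(prev, curr, allowed_listen_ports):
    """Diff two snapshots and flag new listeners whose port is not on the allowlist."""
    new, dropped = curr - prev, prev - curr
    unexpected = sorted(c for c in new
                        if c[3] == "LISTEN" and c[1][1] not in allowed_listen_ports)
    return new, dropped, unexpected

if __name__ == "__main__":
    new, dropped, unexpected = delta(parse_proc_net(SNAPSHOT_A, "tcp"),
                                     parse_proc_net(SNAPSHOT_B, "tcp"), {22})
    print("new:", new, "\ndropped:", dropped, "\nunexpected listeners:", unexpected)
```

On a live host the same functions can be fed `open("/proc/net/tcp").read()` on each polling interval, keeping the previous set for the next diff.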

Blue Otter
Live

Dynamic application security testing. Points at a running web app and probes it for misconfigurations and vulnerabilities that only show up at runtime.

  • CORS checking — tests origin policies with multiple probe origins
  • Form scanning — discovers and catalogs all forms on a page
  • Redirect testing — follows redirect chains, flags open redirects
  • HTTP method enumeration — tests which methods each endpoint accepts
  • Info disclosure — server fingerprinting, version detection, technology stack identification
  • Rate limit testing — measures how endpoints respond under rapid requests

Green Otter
Live

Digital forensics and incident response. Scans running processes for malware signatures, tracks file integrity with SHA-256 baselines, and creates AES-256 encrypted backups of critical evidence.

  • Process forensics — scans running processes against 15 malware signatures (crypto miners, reverse shells, rootkits)
  • File integrity — SHA-256 baselines for critical system files, alerts on unexpected changes
  • Encrypted backups — AES-256-CBC encrypted snapshots of logs and config files
  • Login history — parses wtmp/btmp for successful and failed logins
  • Cron forensics — audits all scheduled tasks for suspicious patterns
  • Network forensics — captures connection state and listening ports for incident timeline
  • Snapshot API — point-in-time forensic capture combining all checks into one report

Orange Otter
Live

Log analysis and threat detection. Monitors auth logs, syslog, web access logs, and kernel events in real time. Pattern-matches against known attack signatures and streams findings live.

  • Live log monitoring — tails auth, syslog, web access, and kernel logs every 3 seconds
  • Attack pattern detection — matches against brute force, privilege escalation, service manipulation, and kernel exploits
  • Event classification — each event tagged with severity, category, and source file
  • AI threat analysis — feeds log patterns to the local AI model for deeper analysis and attack signature identification
  • Full analysis API — on-demand deep scan of all log sources with structured results
  • Event persistence — stores events to disk, survives module restarts
  • SSE streaming — live event feed for the dashboard