Find the holes
before they find you.
Verilax is a self-hosted weapons system for authorized offensive security. Chain certificate-transparency, DNS, subdomain-takeover, and email-security checks against an apex domain in one click — every dispatch gated by a written rules-of-engagement scope.
No credit card. No third-party login. No data leaves your workspace.
Built for operators who have to defend their methodology in writing.
Verilax is opinionated about authorization. Every action a module takes is traceable to a documented scope, a named operator, and a signed Rules of Engagement — not a vibe.
Quick Scan
One click chains certificate-transparency, DNS, subdomain takeover, and email security audit against an apex domain — ranked, deduplicated, and ready for triage.
Scope enforcement at the route layer
Every module dispatch is checked against your written Rules of Engagement. Out-of-scope work is refused with a 403 before it ever touches a target. Auditors love it.
Audit log with SHA-256 anchors
Every authorization decision, scope change, and module dispatch is recorded with the actor, the ROE document hash, and the timestamp. Export for compliance review at any time.
Defense-in-depth auth
Argon2id-hashed passwords (RFC 9106 parameters, above the OWASP minimum), opaque DB-backed sessions, TOTP MFA with single-use recovery codes, per-IP rate limiting on every anonymous endpoint.
Workspace tenancy
Invite teammates with role-scoped access (admin, lead, operator, observer). Every list query is filtered to your organization. Workspaces are sealed: the only path across tenants is the audited admin bypass.
Findings triage and export
Severity-ranked findings with deduplication fingerprints, history, comments, and tags. Export to proposal-ready PDF when the engagement closes.
From engagement to report, in one console.
- 01
Open an engagement
Name the client, set the intrusiveness ceiling (passive / active / exploit), and upload the signed Rules of Engagement PDF. The SHA-256 hash is anchored in the audit log on the spot.
- 02
Declare scope
Author allow / deny rules at each intrusiveness tier. Out-of-scope dispatch is refused at the route layer; no module gets to even attempt a request against a target the scope forbids.
- 03
Run modules
Quick Scan chains the recon modules in one click. Or dispatch individual modules — CT log enumeration, DNS, subdomain takeover, email security audit, more shipping every release.
- 04
Triage and export
Findings arrive ranked and deduplicated. Confirm the real ones, dismiss the noise, tag for follow-up, then export a proposal-ready report for the client.
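Steps 01 and 02 above describe the mechanism that matters most to an auditor: the ROE document is hashed when the engagement opens, scope is expressed as allow / deny rules per intrusiveness tier, and a dispatch that falls outside scope is refused with a 403 before any module runs, with the decision written to an audit log that carries the actor and the ROE hash. The following is an added illustration of that design, written for this page; it is not Verilax's code. The rule matching (hostname globs via fnmatch, IP ranges via CIDR), the status codes, the audit record fields, and the "deny wins, otherwise default deny" resolution are assumptions made here:

```python
import fnmatch
import hashlib
import ipaddress
import time
from dataclasses import dataclass, field

# Intrusiveness tiers, ordered. An engagement ceiling of "active" permits
# passive and active modules but never an exploit-tier module.
TIERS = {"passive": 0, "active": 1, "exploit": 2}


@dataclass
class ScopeRule:
    tier: str      # the tier this rule applies to (rules are declared per tier)
    action: str    # "allow" or "deny"
    pattern: str   # hostname glob such as "*.acme.example", or a CIDR such as "203.0.113.0/24"

    def matches(self, target: str) -> bool:
        # Try CIDR / IP matching first; fall back to a hostname glob.
        # Note that "*.acme.example" does not match the apex "acme.example",
        # which therefore needs its own rule (hypothetical matching semantics).
        try:
            net = ipaddress.ip_network(self.pattern, strict=False)
            return ipaddress.ip_address(target) in net
        except ValueError:
            return fnmatch.fnmatchcase(target.lower(), self.pattern.lower())


@dataclass
class Engagement:
    client: str
    ceiling: str                 # "passive" | "active" | "exploit"
    roe_pdf: bytes               # the signed Rules of Engagement document
    rules: list = field(default_factory=list)
    audit_log: list = field(default_factory=list)

    def __post_init__(self):
        # Anchor the ROE hash the moment the engagement is opened, before any dispatch.
        self.roe_sha256 = hashlib.sha256(self.roe_pdf).hexdigest()

    def in_scope(self, target: str, tier: str):
        """Return (allowed, reason). Deny rules win; no matching allow rule means deny."""
        if TIERS[tier] > TIERS[self.ceiling]:
            return False, f"tier {tier} exceeds engagement ceiling {self.ceiling}"
        applicable = [r for r in self.rules if r.tier == tier and r.matches(target)]
        if any(r.action == "deny" for r in applicable):
            return False, "target matches a deny rule at this tier"
        if any(r.action == "allow" for r in applicable):
            return True, "target matches an allow rule at this tier"
        return False, "no allow rule covers target at this tier (default deny)"

    def dispatch(self, actor: str, module: str, tier: str, target: str, now=None):
        """Route-layer gate: every decision is logged, and a refusal returns 403
        without the module ever being invoked."""
        allowed, reason = self.in_scope(target, tier)
        self.audit_log.append({
            "ts": now if now is not None else time.time(),
            "actor": actor,
            "roe_sha256": self.roe_sha256,
            "module": module,
            "tier": tier,
            "target": target,
            "decision": "allow" if allowed else "deny",
            "reason": reason,
        })
        if not allowed:
            return 403, reason
        # Only here would the real module be queued; 202 = accepted for processing.
        return 202, f"{module} queued against {target}"


if __name__ == "__main__":
    # Constructed sample engagement: ceiling "active", so exploit modules are always refused.
    eng = Engagement("ACME (sample)", "active", b"constructed ROE document bytes", rules=[
        ScopeRule("passive", "allow", "acme.example"),
        ScopeRule("passive", "allow", "*.acme.example"),
        ScopeRule("active", "allow", "*.acme.example"),
        ScopeRule("active", "deny", "prod-db.acme.example"),
        ScopeRule("active", "allow", "203.0.113.0/24"),
    ])
    print(eng.dispatch("alice", "ct_enum", "passive", "acme.example"))
    print(eng.dispatch("alice", "dns_probe", "active", "prod-db.acme.example"))
    print(eng.dispatch("alice", "exploit_module", "exploit", "www.acme.example"))
    for record in eng.audit_log:
        print(record["decision"], record["reason"], record["roe_sha256"][:12])
```

The point worth copying is that the audit entry is appended before the allow/deny branch, so a refused dispatch is recorded with the same ROE hash as an accepted one; an audit trail that only records successes cannot show a reviewer what the scope actually blocked.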
We pentest. We also defend.
Verilax ships with the auth primitives we'd want in any product we trust with offensive tooling. Seven self-audit rounds. Zero high / medium findings open at launch.
Argon2id passwords
t=3, m=64 MiB, p=4, the configuration RFC 9106 recommends, well above the OWASP cheat-sheet minimum (m=19 MiB, t=2, p=1). Stored hashes are transparently rehashed on the next successful login after a parameter upgrade. No bcrypt, no SHA-anything alone.
TOTP MFA, recovery codes
RFC 6238 TOTP, accepting one time step of drift either side of the current step. 10 single-use recovery codes per account. Self-hosted: no SMS, no push provider.
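The ±1 step window and the single-use recovery codes are the two places where a TOTP implementation usually goes wrong, so here is an added, stand-alone illustration of both, written for this page rather than taken from Verilax. It uses only the Python standard library and the RFC 6238 test secret; the replay check (a code for a step that has already been consumed is never accepted again, even while it is still inside the drift window), the 80-bit random recovery codes, and their storage as SHA-256 digests are design assumptions made here:

```python
import hashlib
import hmac
import secrets
import struct


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    binary = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % 10 ** digits).zfill(digits)


def totp(secret: bytes, now: float, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP over the number of elapsed 30-second steps."""
    return hotp(secret, int(now) // step, digits)


class TotpVerifier:
    """Accepts the current step and `drift` neighbouring steps, but never lets a
    step be consumed twice: a code captured over the shoulder is useless within
    seconds, not just after the window closes (replay protection, assumed design)."""

    def __init__(self, secret: bytes, step: int = 30, digits: int = 6, drift: int = 1):
        self.secret = secret
        self.step = step
        self.digits = digits
        self.drift = drift
        self.last_counter = -1   # highest step already used by a successful login

    def verify(self, code: str, now: float) -> bool:
        current = int(now) // self.step
        for counter in range(max(0, current - self.drift), current + self.drift + 1):
            if counter <= self.last_counter:
                continue  # this step (or an older one) has already been consumed
            expected = hotp(self.secret, counter, self.digits)
            if hmac.compare_digest(expected.encode(), code.encode()):
                self.last_counter = counter
                return True
        return False


class RecoveryCodeStore:
    """Holds only digests of the recovery codes; redeeming a code removes it.
    Storing SHA-256 digests (rather than a slow password hash) is acceptable
    only because the codes are 80-bit random values, not user-chosen secrets."""

    def __init__(self, codes):
        self._unused = {self._digest(c) for c in codes}

    @staticmethod
    def _digest(code: str) -> str:
        return hashlib.sha256(code.strip().lower().encode()).hexdigest()

    def redeem(self, code: str) -> bool:
        # In a real database this must be one atomic "delete where digest = ?"
        # so two concurrent logins cannot both succeed with the same code.
        digest = self._digest(code)
        if digest in self._unused:
            self._unused.discard(digest)
            return True
        return False

    def remaining(self) -> int:
        return len(self._unused)


def generate_recovery_codes(count: int = 10):
    """Return (plaintext codes to show the user exactly once, digest-only store)."""
    codes = [secrets.token_hex(10) for _ in range(count)]   # 80 bits of entropy each
    return codes, RecoveryCodeStore(codes)


if __name__ == "__main__":
    SECRET = b"12345678901234567890"   # RFC 6238 Appendix B test secret
    print(totp(SECRET, 59))           # RFC vector: 287082
    v = TotpVerifier(SECRET)
    print(v.verify("287082", now=89))  # one step late, inside the drift window
    print(v.verify("287082", now=90))  # same step again: rejected as a replay
    codes, store = generate_recovery_codes()
    print(store.redeem(codes[0]), store.redeem(codes[0]), store.remaining())
```

The drift window and the replay check pull in opposite directions: widening the window helps users with skewed clocks but lengthens the life of a captured code, which is why `last_counter` is tracked per account rather than relying on the window alone.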
Self-hosted, no third-party identity
Email + password + TOTP. No Auth0, Clerk, or Cloudflare Access. Your operator identities never leave your workspace.
Tenant isolation enforced at the query layer
Every list and search query is filtered by organization_id. Admin bypass is the only path across tenants, and it's audited.
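Filtering list queries by organization_id is necessary but not sufficient: the classic cross-tenant leak is a single-object fetch keyed on a guessable primary key alone, with the list filtered but the detail page not. The following added example (written for this page, not Verilax's code) shows that failure beside the hardened form, plus the audited admin bypass the page describes. The schema, the in-memory SQLite store, and the audit record shape are constructed for the illustration:

```python
import sqlite3
import time

SCHEMA = """
CREATE TABLE findings (
  id              INTEGER PRIMARY KEY,
  organization_id INTEGER NOT NULL,
  title           TEXT NOT NULL,
  severity        TEXT NOT NULL
);
CREATE INDEX findings_org ON findings (organization_id);
"""


def demo_db() -> sqlite3.Connection:
    """Constructed sample data: two tenants, sequential ids, so ids are guessable."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    conn.executemany("INSERT INTO findings VALUES (?, ?, ?, ?)", [
        (1, 100, "Dangling CNAME on staging host", "high"),
        (2, 100, "No DMARC record on apex", "medium"),
        (3, 200, "Wildcard certificate observed in CT logs", "low"),
    ])
    return conn


class TenantNotFound(LookupError):
    """Raised for both 'does not exist' and 'belongs to another tenant',
    so the response does not reveal which."""


def list_findings(conn, org_id: int):
    # The list query is tenant-scoped: this is what the page describes.
    return conn.execute(
        "SELECT id, title, severity FROM findings WHERE organization_id = ? ORDER BY id",
        (org_id,),
    ).fetchall()


def get_finding_unsafe(conn, finding_id: int):
    # VULNERABLE: the detail fetch trusts the id from the URL and ignores the tenant.
    # Any authenticated user can walk ids 1, 2, 3, ... and read other workspaces.
    return conn.execute(
        "SELECT id, organization_id, title, severity FROM findings WHERE id = ?",
        (finding_id,),
    ).fetchone()


def get_finding(conn, org_id: int, finding_id: int):
    # HARDENED: the tenant from the session is part of every lookup, list or point.
    row = conn.execute(
        "SELECT id, organization_id, title, severity FROM findings "
        "WHERE id = ? AND organization_id = ?",
        (finding_id, org_id),
    ).fetchone()
    if row is None:
        raise TenantNotFound(f"finding {finding_id} not visible to organization {org_id}")
    return row


def admin_get_finding(conn, actor: str, finding_id: int, audit_log: list):
    # The only cross-tenant path: no organization filter, but every use is recorded
    # with the actor and the row's owning tenant before the data is returned.
    row = conn.execute(
        "SELECT id, organization_id, title, severity FROM findings WHERE id = ?",
        (finding_id,),
    ).fetchone()
    audit_log.append({
        "ts": time.time(),
        "actor": actor,
        "action": "admin_cross_tenant_read",
        "finding_id": finding_id,
        "owner_org": row[1] if row else None,
    })
    return row


if __name__ == "__main__":
    conn = demo_db()
    print(list_findings(conn, 100))            # only org 100's rows
    print(get_finding_unsafe(conn, 3))         # org 200's row, readable by anyone: the leak
    try:
        get_finding(conn, 100, 3)
    except TenantNotFound as exc:
        print("hardened fetch refused:", exc)
    log = []
    print(admin_get_finding(conn, "root", 3, log), log)
```

Returning the same error for "missing" and "other tenant" matters: a 404-versus-403 difference lets an attacker enumerate which ids exist in workspaces they cannot read.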
Stand up an authorized engagement in under five minutes.
Create a workspace, upload your first Rules of Engagement, and run a Quick Scan against your own apex domain. Free while we're in beta.