| Detail | |
|---|---|
| linkedin.com/in/nisarg-chasmawala | |
| 🐙 GitHub | github.com/nishu2402 |
| 📦 PyPI | pypi.org/project/heaven-pentest |
| 🎯 Role | Offensive Security Engineer · Penetration Tester |
- 👾 Authors
- 🧠 What is HEAVEN?
- 📊 Project Summary
- ⚡ Capabilities
- ⚙️ Architecture
- 🚀 Quick Start
- 🔑 API Keys & Configuration
- ⌨️ CLI Reference
- 🖥️ Web UI
- 🌐 REST API
- 📄 Reports & Export
- 🔌 Integrations
- 📊 Risk Scoring (ML)
- 🔒 Security Controls
- 📁 Project Structure
- 🛠️ Development
- 📚 Documentation
⚠️ Legal & Disclaimer
HEAVEN is a production-grade penetration-testing platform that automates the repeatable, time-consuming parts of a professional engagement — reconnaissance, vulnerability detection, exploitation proof, risk triage, and reporting — so the operator can focus on the judgment work only a human can do.
It runs three ways from the same engagement dataset:
- CLI — 38 commands for scriptable, CI-friendly workflows.
- Web UI — a 21-page React command centre (scan launcher, live findings, kill-chain, reports).
- REST + WebSocket API — 55 RBAC-protected routes for automation and integration.
| Metric | Value |
|---|---|
| 🧪 Tests | 370 passing, 2 skipped (pytest matrix: Python 3.11 / 3.12) |
| 📈 Benchmark | Verified against live DVWA — autonomous authenticated SQLi/LFI/cmdi detection → Results |
| 🧩 Modules | 136 |
| ⌨️ CLI Commands | 38 |
| 🌐 API Routes | 55 RBAC-protected routes |
| 🖥️ UI Pages | 21 (React + Vite, dark glassmorphic) |
| 🗄️ Database | PostgreSQL (async, 29-table schema) + zero-config SQLite fallback |
| 🤖 AI / LLM | Observe→plan→act loop · recon agent · attack-chain planner · FP review · knowledge graph |
| 🧠 LLM Providers | Anthropic · OpenAI · Gemini · deterministic fallback (no API key needed) |
| 📊 CVSS Predictor | ExtraTreesRegressor · R²=0.9925 · 13 features · trained on NVD |
| 🗺️ Threat Intel | MITRE ATT&CK mapping · Lockheed Kill Chain · TAXII feed |
| 📄 Report Formats | 8 (PDF · HTML · Markdown · CSV · JSON · SARIF · Burp XML · proxy-JSONL) |
| 🔒 Security | JWT RBAC · AES-256-GCM vault · HMAC-signed audit log · LLM credential redaction |
| 📦 Install | ./install.sh |
| 🐳 Container | docker compose up (bundles PostgreSQL) |
| 🔁 CI | ruff · mypy · pytest · pip-audit · Bandit · self-audit · Docker smoke-test |
| Area | What It Does |
|---|---|
| 🔍 Reconnaissance | nmap · web crawling · DNS brute-force · cert transparency · Shodan · AD enumeration · cloud (AWS/GCP/Azure) · containers & Kubernetes (Docker socket / K8s API / RBAC) · IoT/SCADA · wireless · Git secrets · email OSINT · honeypot detection |
| 🎯 Vuln Detection | SQLi (error/boolean/time-blind) · XSS · SSRF · XXE · CORS · CRLF · open redirect · IDOR · mass assignment · dir/file fuzzing · JWT attacks · race conditions · request smuggling · GraphQL introspection · default creds · subdomain takeover · Nuclei templates |
| 🧬 API Security | OWASP API Top 10 — BOLA/IDOR · broken auth · mass assignment · excessive data exposure (REST + GraphQL) |
| 💥 Verified Exploitation | Active proof, not guesses — sqlmap SQLi dump · RCE canary file drop/read · SSRF out-of-band callback listener |
| 🔓 Post-Exploitation | linPEAS privesc enum · BloodHound AD collection · SSH/SMB/PsExec lateral movement · credential reuse / pass-the-hash |
| 🤖 Autonomous AI | LLM observe→plan→act loop · recon agent · attack-chain planner · LLM FP review · cross-engagement knowledge graph · provider-agnostic (Anthropic / OpenAI / Gemini) · deterministic fallback needs no API key |
| 📊 Risk Scoring | CVSS-v3 ML predictor (R²=0.9925, 13-feature ExtraTrees) · EPSS · CISA KEV · asset-criticality multiplier · empirical Bayesian priors |
| 🗺️ Threat Mapping | Every finding mapped to MITRE ATT&CK techniques + Lockheed Cyber Kill Chain phases · TAXII threat-intel feed |
| 🔁 DevSecOps | Scheduled re-scans with differential alerts (watch) · Semgrep SAST · SBOM · Jira / Linear ticketing · Splunk / Elastic SIEM forwarding |
| 📄 Reporting | 8 formats from CLI and web UI — PDF · HTML · compliance HTML (OWASP/NIST) · Markdown · CSV · JSON · SARIF · Burp XML · proxy-JSONL |
| 🔇 FP Suppression | Two-stage confirmation pass · sub-0.40-confidence results discarded · optional LLM second opinion |
┌───────────────────────────────────────────────────────┐
CLI ──────┤ ORCHESTRATOR (async dependency-aware task graph) │
Web UI ───┤ resumable · checkpointed │
REST API ─┤ stealth timing 1–5 │
└───────────────────────────┬───────────────────────────┘
│
┌─────────────┬──────────────┬───────┴──────┬──────────────┬──────────────┐
│ RECON │ VULN DETECT │ EXPLOIT/POST │ AI / ML │ REPORTING │
│ nmap · web │ SQLi/XSS/ │ sqlmap proof │ CVSS model │ PDF · HTML │
│ DNS · cloud │ SSRF/IDOR │ RCE canary │ recon agent │ SARIF · Burp │
│ AD · K8s │ fuzz · API │ linPEAS · BH │ attack plan │ compliance │
│ IoT · OSINT │ Nuclei · FP │ lateral move │ knowledge gr │ ticketing │
└─────────────┴──────────────┴───────┬──────┴──────────────┴──────────────┘
│
┌────────────────────────────────────┴────────────────────────────────────────┐
│ STORAGE — PostgreSQL (async, 29-table schema, partitioned audit log) │
│ with a zero-config SQLite fallback (same interface, file = one engagement) │
│ SECURITY — JWT RBAC · AES-256-GCM credential vault · HMAC-signed audit log │
└─────────────────────────────────────────────────────────────────────────────┘
- Python 3.11+ ·
git·nmap - Optional (richer output when present, degrades gracefully without):
nuclei·ffuf·sqlmap·searchsploit
git clone https://github.com/nishu2402/HEAVEN-Autonomous-Penetration-Testing.git
cd HEAVEN-Autonomous-Penetration-Testing
chmod +x install.sh && ./install.sh # venv + deps + builds the web UIinstall.sh installs everything from requirements.txt. If you instead install
the package with pip, the base install is intentionally lean and each feature
group is an optional extra (the feature degrades gracefully when its extra
isn't installed):
pip install -e . # core: CLI, API, web UI, scanning, SQLite, auth
pip install -e ".[recon]" # dnspython / nmap / whois / shodan passive recon
pip install -e ".[reports]" # PDF report rendering (reportlab — pure Python)
pip install -e ".[lateral]" # SSH/SMB/AD lateral movement (impacket, asyncssh…)
pip install -e ".[mitre]" # MITRE ATT&CK / STIX enrichment
pip install -e ".[llm]" # all three LLM SDKs (or [gemini]/[anthropic]/[openai])
pip install -e ".[all]" # every feature extra at onceOr try it without cloning:
pipx install heaven-pentest # isolated global CLI
docker run -p 8443:8443 ghcr.io/nishu2402/heaven:latest # full stack in a container
One command takes a fresh clone to a populated dashboard — nothing is scanned:
heaven quickstart # ensures .env + loads sample data (a critical→info spread)
heaven serve # → http://localhost:8443 · the dashboard is now populated
# or in one step: heaven quickstart --serveIn the web UI you can also click Load sample data on the dashboard, watch a
Run demo scan play the full loop on the Scans page, and open System
Health (under System) to see which tools and API keys are active — the web
equivalent of heaven doctor.
The animation above is a lightweight SVG cast (it plays on GitHub). To swap in a real screen recording, drop a
docs/assets/demo.gifand point the<img>at it.
The friendliest path is the interactive wizard — it prompts for the admin
password and any API keys you want, then writes a .env for you:
heaven initPrefer to do it by hand? Only the admin password is needed to start:
# Web UI login (admin/admin on first run → forced change). Set this to skip that.
export HEAVEN_ADMIN_PASSWORD="your-strong-password"
# Optional — turn on the AI layers (Gemini has a generous free tier):
export GEMINI_API_KEY="your-gemini-key" # from https://aistudio.google.com/apikey
pip install -e ".[gemini]" # install the Gemini SDKNo LLM key needed. Every AI feature falls back to a deterministic heuristic, or pass
--no-llm:heaven autonomous -t 10.0.0.5 --no-llm --i-have-authorization
👉 Full key reference (Gemini / Anthropic / OpenAI / NVD / Shodan, and the three ways to set them) is in API Keys & Configuration below.
heaven --version
heaven engage init my-engagement
heaven use my-engagement # set it active — no more --engagement
heaven scan -u https://target.example.com -m web --i-have-authorization
heaven scan -t 10.0.0.0/24 -m network --i-have-authorization
heaven serve # → http://localhost:8443HEAVEN runs with zero API keys. Scanning, the web UI, reports, and ML risk scoring all work offline. Keys only unlock optional enrichments — most importantly the AI layers (autonomous mode, AI attack plans, LLM false-positive review). Add only what you want.
| Env var | Unlocks | Required? | Where to get it |
|---|---|---|---|
GEMINI_API_KEY |
AI layers via Google Gemini (free tier) | Optional | https://aistudio.google.com/apikey |
ANTHROPIC_API_KEY |
AI layers via Claude | Optional | https://console.anthropic.com |
OPENAI_API_KEY |
AI layers via GPT | Optional | https://platform.openai.com/api-keys |
NVD_API_KEY |
30× faster CVE-feed ingestion | Optional | https://nvd.nist.gov/developers/request-an-api-key |
SHODAN_API_KEY |
Passive recon (exposed-host intel) | Optional | https://account.shodan.io |
WEBHOOK_URL |
Slack / Teams / Discord alerts | Optional | Your workspace's incoming-webhook URL |
HEAVEN_ADMIN_USERNAME |
Web UI login name (shown in the header badge) | Optional (defaults to admin) |
You choose it |
HEAVEN_ADMIN_PASSWORD |
Web UI login (skips the admin/admin forced-change) | Recommended | You choose it |
You only need one of the three LLM keys. HEAVEN auto-detects whichever is set (Anthropic → OpenAI → Gemini), or pin one with
HEAVEN_LLM_PROVIDER.
- Get the key — open https://aistudio.google.com/apikey, sign in with a Google account, click Create API key, and copy it.
- Install the Gemini SDK:
pip install -e ".[gemini]" # or: pip install google-genai
- Give it to HEAVEN (pick one):
heaven init # a) wizard — writes .env for you echo 'GEMINI_API_KEY=your-key' >> .env # b) .env file export GEMINI_API_KEY="your-key" # c) shell (this session only)
Confirm it's active:
heaven doctor # shows ✓ LLM gemini (gemini-1.5-pro) when working| Method | How | Best for |
|---|---|---|
| Web UI | Settings page → paste key → Save | Easiest — no terminal; persists to .env, live immediately |
| CLI | heaven config set GEMINI_API_KEY |
Scriptable; same keys as the Settings page |
| Wizard | heaven init |
First-time setup — prompts for everything, writes .env |
.env file |
copy .env.example → .env, edit |
Persistent local / dev |
| Shell export | export GEMINI_API_KEY=… |
One-off / CI |
The Web UI, CLI and wizard all write the same .env, so a key
set in any one is live for the CLI, the API and the web UI at once — set it
once, it works everywhere and survives a restart. The web UI's Settings
page lists every key with a “how to get it” link and shows which are already
configured (secrets masked). HEAVEN auto-loads .env from the working
directory. Never commit .env — it's already in .gitignore.
export HEAVEN_LLM_PROVIDER=gemini # force a provider (else auto-detected)
export HEAVEN_LLM_MODEL=gemini-1.5-pro # override the default modelDefault models: Claude claude-sonnet-4-6 · OpenAI gpt-4o · Gemini
gemini-1.5-pro. With no key set anywhere, every AI feature falls back to a
deterministic heuristic (or pass --no-llm).
38 commands. Run heaven <command> --help for full options.
| Command | Purpose |
|---|---|
scan |
Launch a vulnerability scan (-m web|network|full, --stealth 1-5, --auto-prove, --autonomous) |
serve |
Start the API server + web UI |
engage · scope · use |
Manage engagements · in-scope targets · select the active engagement (stops repeating --engagement) |
findings · show · mark |
List findings · full detail · set triage status |
export · report |
Export findings (8 formats) · generate compliance HTML/PDF |
kill-chain · coverage |
Kill-chain phase coverage · OWASP coverage grade |
autonomous |
LLM-driven observe→plan→act loop (bounded budget) |
watch |
Continuous monitoring — diffs each run, alerts only on change |
diff |
Compare two scans (new / resolved / regressed / unchanged) |
sast |
Semgrep static analysis + curated OWASP rule pack |
lateral · knowledge |
Lateral movement · cross-engagement knowledge graph |
exploitdb · mitre-report |
Exploit-DB lookup · ATT&CK Navigator layer |
tickets |
Push findings to Jira / Linear |
pause · resume · replay |
Pause · resume · deterministically replay a scan |
train-model · train-priors |
Retrain the CVSS model · learn Bayesian priors |
quickstart · demo |
Zero→ready in one command · load sample data to explore |
init · init-db · update |
Setup wizard · PostgreSQL schema · refresh CVE/Nuclei feeds |
config |
Manage API keys & integrations (same keys as the web Settings page) |
self-audit · doctor · info |
Security self-audit · deployment health check · platform info |
completion |
Shell-completion script (bash / zsh / fish) |
# Verified exploitation + autonomous LLM loop
heaven scan -u https://app.example.com --auto-prove --i-have-authorization
heaven autonomous -t 10.0.0.5 --engagement test --i-have-authorization
# Fully deterministic — no API key required
heaven autonomous -t 10.0.0.5 --no-llm --i-have-authorizationStealth levels:
| Level | Description |
|---|---|
| 1 — Ghost | Maximum evasion · randomised timing · slowest |
| 2 — Cautious | Slow · randomised · honeypot avoidance |
| 3 — Normal | Balanced speed/stealth |
| 4 — Aggressive | Faster · minimal evasion |
| 5 — Loud | Full speed · no evasion (lab / CTF only) |
heaven serve → open http://localhost:8443. A dark, glassmorphic React console (Inter + JetBrains Mono) with a command palette (⌘K), live log streaming, and a 3D network-topology view.
21 pages:
| Page | Description |
|---|---|
| Dashboard | Severity distribution · MITRE ATT&CK heat-map |
| Engagement | Active engagement · in-scope targets · asset criticality |
| Scans | Launch · history · live progress |
| Findings | Filter · triage · download report |
| Finding Detail | Description · impact · remediation · CWE/OWASP/MITRE · evidence · curl repro |
| Reports | Severity snapshot · one-click download in all 8 formats |
| Kill Chain | Lockheed phase coverage · attack-path summary |
| Watch | Continuous monitoring · differential alert feed |
| Scan Diff | New / resolved / regressed / unchanged findings |
| SAST | Semgrep results + OWASP rule pack |
| Autonomous | LLM observe→plan→act loop with bounded budget |
| AI Plans | Saved attack plans from autonomous sessions |
| Coverage | OWASP coverage grade per engagement |
| Post-Ex | linPEAS + BloodHound results |
| Lateral | SSH/SMB/PsExec lateral movement paths |
| Knowledge | Cross-engagement knowledge graph |
| Tickets | Jira / Linear sync status |
| Benchmark | DVWA precision/recall numbers |
| Methodology | OWASP Testing Guide v4 · NIST SP 800-115 · PTES reference |
| System Health | doctor in the browser — tools / keys / module status + install hints |
| Settings | API keys & integrations — paste keys, masked state, how-to-get links |
First login: ships with
admin/adminand forces a password change on first sign-in. SetHEAVEN_ADMIN_PASSWORD(and optionallyHEAVEN_ADMIN_USERNAME) beforehand to skip the prompt. A password changed in the Web UI is persisted to.env, so it survives a server restart (.envis the source of truth thatheaven servere-reads on boot). JWTs are held in memory only — neverlocalStorage.
55 RBAC-protected routes on port 8443. Interactive docs at /docs.
# Health (no auth)
curl http://localhost:8443/api/health
# Login → JWT
curl -X POST http://localhost:8443/api/auth/login \
-H "Content-Type: application/json" \
-d '{"username":"admin","password":"your-password"}'
# Use the token
curl http://localhost:8443/api/engagement/findings \
-H "Authorization: Bearer <token>"| Endpoint | Permission | Purpose |
|---|---|---|
POST /api/scans · GET /api/scans |
scan.create / scan.view |
Launch / list scans |
GET /api/engagement/findings |
vuln.view |
Findings (filterable) |
GET /api/engagement/findings/{id}/evidence |
vuln.view |
Full evidence package |
POST /api/findings/{id}/prove |
vuln.validate |
Verified exploitation proof |
POST /api/autonomous/run |
scan.create |
Iterative LLM pen-test loop |
GET /api/scans/{id}/diff?baseline=… |
scan.view |
Differential scan |
POST /api/sast/scan |
scan.create |
Semgrep SAST |
POST /api/lateral/run · /api/postex/{module}/run |
admin | Lateral / post-ex modules |
GET /api/report/export?format=… |
report.view |
Download report (8 formats) |
POST /api/auth/change-password |
session | Change password |
GET · POST /api/settings |
config.modify |
API keys & integrations (secrets masked) |
GET /api/engagement/top-findings |
vuln.view |
"Fix this first" — highest-risk findings + remediation |
GET /api/system/health |
scan.view |
System health (tools / keys / modules) — web doctor |
POST /api/demo/seed · /api/demo/scan |
scan.create |
Load sample data · run an animated demo scan |
GET /api/ws/logs · /api/ws/scan/{id} |
token (query) | WebSocket live streams |
Generate from the CLI or the web UI (Findings → Download report) — identical output, eight formats:
| Format | Use Case |
|---|---|
Client / executive deliverable (requires reportlab) |
|
| HTML | Self-contained · compliance-mapped (OWASP Top 10 / NIST CSF) |
| Markdown | Wiki / Git |
| CSV | Spreadsheet / bulk triage |
| JSON | Automation / re-import |
| SARIF | GitHub code scanning |
| Burp XML | Import into Burp Suite |
| proxy-JSONL | Replay via mitmproxy / Caido |
heaven export -o report.sarif --format sarif
heaven report --framework OWASP_TOP10 -o compliance.html
heaven report --framework NIST_CSF -o nist.htmlEvery finding carries a defensible evidence package: request/response, copy-pasteable curl repro, detection rationale, remediation, and CWE/OWASP/MITRE references sourced from the built-in vulnerability knowledge base.
| Tool | How |
|---|---|
| Nuclei | Auto-run when on PATH · nuclei -update-templates |
| sqlmap | Auto-runs on confirmed SQLi candidates |
| searchsploit / Exploit-DB | CVE → PoC · product/version → PoC lookup |
| Shodan | export SHODAN_API_KEY=… → merged into recon |
| Metasploit | msfrpcd + HEAVEN_MSF_* env · --enable-exploitation |
| Jira / Linear | HEAVEN_JIRA_* / HEAVEN_LINEAR_* env → heaven tickets |
| Splunk / Elastic | SIEM forwarding via HEAVEN_SPLUNK_HEC_* / HEAVEN_ELASTIC_* |
HEAVEN predicts a CVSS-v3 base score for every finding using a 13-feature ExtraTreesRegressor trained on the NVD (held-out R²=0.9925), then layers on:
- EPSS exploit-probability and CISA KEV membership
- An asset-criticality multiplier (
scope add --criticality crown_jewel) - Empirical Bayesian priors learned from your past engagements (
heaven train-priors)
Model provenance and caveats are documented in data/models/NVD_model.MODEL_CARD.md. Retrain anytime with heaven train-model.
| Control | Implementation |
|---|---|
| JWT RBAC | admin / operator / viewer / auditor roles · brute-force lockout with exponential backoff |
| Default-credential protection | admin/admin seed forces password change on first login · self-audit flags it as critical until changed |
| AES-256-GCM vault | All stored secrets encrypted at rest |
| HMAC-signed audit log | Append-only · every operator action recorded |
| LLM credential redaction | Operator credentials scrubbed before any prompt reaches a third-party LLM endpoint |
| Authorization gate | Destructive actions refuse to run without --i-have-authorization |
| Self-audit | heaven self-audit scores your own installation and surfaces misconfigurations |
heaven/ ← Python package (136 modules)
├── recon/ network · web · DNS · cloud · containers/K8s · AD · IoT · wireless · Git · email
├── vulnscan/ injection · IDOR · API · SSL · Nuclei · exploit-proof · exploitdb · SAST · FP-suppress
├── postex/ linPEAS · BloodHound · lateral movement · credential reuse
├── ai/ LLM gateway · recon agent · attack-chain planner · FP review · knowledge graph
├── ml/ CVSS model · feature engine · Bayesian priors · training pipeline
├── mitre/ ATT&CK mapping · kill chain · TAXII threat-intel
├── devsecops/ PDF/compliance reports · vuln KB · SBOM · diff · alerting · ticketing
├── db/ PostgreSQL (async ORM, 29-table schema) + SQLite fallback
├── security/ JWT RBAC · AES-256-GCM vault · HMAC audit log
├── api/ FastAPI server + WebSocket (55 routes)
└── cli/ Click CLI — one module per command group (38 commands)
heaven-ui/ React + Vite web console (21 pages)
tests/ 372 pytest tests + DVWA benchmark suite
docs/ QUICKSTART · methodology (OWASP/NIST/PTES) · runbooks
data/models/ NVD_model.pkl · MODEL_CARD.md
pip install -e ".[dev]"
ruff check heaven/ tests/ # lint
mypy heaven/ # type-check
pytest tests/ # full suite, ~8 s
heaven self-audit # security self-checkCI pipeline (every push to main):
rufflintmypytype-checkpytestmatrix (Python 3.11 / 3.12)pip-auditdependency CVE scanbanditSASTheaven self-audit- Docker image build + smoke-test
See CONTRIBUTING.md · CODE_OF_CONDUCT.md.
| Document | Purpose |
|---|---|
docs/QUICKSTART.md |
5-minute end-to-end walkthrough |
docs/FAQ.md |
FAQ & troubleshooting — common fixes |
docs/BENCHMARK_HOWTO.md |
Reproduce DVWA precision/recall numbers |
docs/COMPARISON.md |
Head-to-head vs Burp Suite / ZAP / Nessus / sqlmap |
docs/methodology/ |
OWASP Testing Guide v4 · NIST SP 800-115 · PTES |
CHANGELOG.md |
Full version history |
SECURITY.md |
Responsible disclosure policy |
CONTRIBUTING.md |
How to contribute |
CODE_OF_CONDUCT.md |
Community conduct |
HEAVEN is intended for authorized security testing and education only.
Running it against systems you do not own or lack explicit written permission to test is illegal in most jurisdictions and may carry criminal penalties.
- Every destructive action requires the
--i-have-authorizationflag. - All scan activity is logged to an HMAC-signed, append-only audit trail.
- The authors accept no liability for misuse or damage.
By using HEAVEN you agree you are solely responsible for ensuring you have proper authorization before running any scan. Licensed under MIT.
372 tests · 136 modules · 38 CLI commands · 55 API routes · 21 UI pages · PostgreSQL + SQLite · MIT
