An intelligent, automated penetration testing platform designed to compete with commercial tools like XBow, while offering multi-domain coverage, low false positives, and self-hosted deployment.
- ✅ Automated Network Scanning - Nmap integration with async execution
- ✅ REST API - FastAPI with auto-generated Swagger documentation
- ✅ Distributed Processing - Celery workers for parallel task execution
- ✅ Real-time Monitoring - Flower dashboard for job tracking
- ✅ Scope Enforcement - Never scan unauthorized targets
- ✅ Database Persistence - PostgreSQL with async SQLAlchemy
- ✅ Security First - Command injection protection, input validation
```
┌─────────────┐     ┌──────────────┐     ┌─────────────┐
│   FastAPI   │────▶│    Redis     │────▶│   Celery    │
│    (API)    │     │   (Broker)   │     │   Workers   │
└─────────────┘     └──────────────┘     └─────────────┘
       │                                        │
       │                                        ▼
       │                                  ┌─────────────┐
       └─────────────────────────────────▶│ PostgreSQL  │
                                          │ (Database)  │
                                          └─────────────┘
```
- Docker Desktop
- Python 3.11+
- Git
```bash
# Clone repository
git clone https://github.com/Azi023/overwatch.git
cd overwatch

# Run automated setup
./setup.sh

# Start services
docker-compose up -d

# Activate environment
source venv/bin/activate

# Start API (Terminal 1)
poetry run uvicorn src.overwatch_core.api.main:app --reload --port 8000

# Start worker (Terminal 2)
./scripts/start_worker.sh
```

```bash
# Create target
curl -X POST http://localhost:8000/api/v1/targets/ \
  -H "Content-Type: application/json" \
  -d '{"name": "Test", "ip_address": "127.0.0.1", "allowed_hosts": ["127.0.0.1"]}'

# Run scan
curl -X POST http://localhost:8000/api/v1/scans/ \
  -H "Content-Type: application/json" \
  -d '{"target_id": 1, "scan_type": "nmap", "config": {"profile": "balanced"}}'

# View results
curl http://localhost:8000/api/v1/scans/1
```

View API Docs: http://localhost:8000/docs
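The "Scope Enforcement" and "Security First" features listed above, sketched as an added example that is not taken from the Overwatch code base: a requested host is canonicalized, checked against the target's `allowed_hosts`, and only then placed into an argv list that never passes through a shell. The function names, the exact-match treatment of `allowed_hosts`, and the flags behind the `balanced` profile are assumptions.

```python
import ipaddress
import re

# All names here (ScopeError, PROFILES, canonical_host, build_nmap_argv) are
# hypothetical and not taken from the Overwatch code base.
LABEL = r"(?!-)[A-Za-z0-9-]{1,63}(?<!-)"
HOSTNAME_RE = re.compile(rf"{LABEL}(\.{LABEL})*")

# Assumed mapping: the page names the "balanced" profile but not its flags.
PROFILES = {"balanced": ["-sV", "-T3"]}


class ScopeError(ValueError):
    """Host is malformed or not listed in the target's allowed_hosts."""


def canonical_host(host: str) -> str:
    """Return a canonical IP literal or lowercase hostname, else raise."""
    try:
        return str(ipaddress.ip_address(host))
    except ValueError:
        pass
    # Hostname labels cannot start with "-" or contain spaces, ";", "$", "|",
    # so option-like values and shell metacharacters are rejected here.
    if len(host) > 253 or not HOSTNAME_RE.fullmatch(host):
        raise ScopeError(f"invalid host: {host!r}")
    return host.lower()


def build_nmap_argv(host: str, allowed_hosts: list[str], profile: str = "balanced") -> list[str]:
    """Build an argv list for an in-scope host; raise ScopeError otherwise."""
    if profile not in PROFILES:
        raise ScopeError(f"unknown profile: {profile!r}")
    target = canonical_host(host)
    if target not in {canonical_host(h) for h in allowed_hosts}:
        raise ScopeError(f"{target} is not in allowed_hosts")
    ipv6 = ["-6"] if ":" in target else []
    # Run as a list (subprocess.run(argv)), never as a shell string.
    return ["nmap", *PROFILES[profile], *ipv6, target]


if __name__ == "__main__":
    allowed = ["127.0.0.1"]  # constructed, mirrors the target created above
    for candidate in ["127.0.0.1", "10.0.0.5", "127.0.0.1; id", "-v"]:
        try:
            print(candidate, "->", build_nmap_argv(candidate, allowed))
        except ScopeError as exc:
            print(candidate, "-> rejected:", exc)
```

Comparing canonical forms means an alternate spelling of an address is matched only when it parses to the same IP as an `allowed_hosts` entry; anything else is treated as a hostname and must be listed explicitly.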
| Feature | Overwatch | XBow |
|---|---|---|
| Network Scanning | ✅ Yes | ❌ No |
| Web App Testing | 🚧 In Progress | ✅ Yes |
| False Positive Rate | ✅ <10% (target) | ❌ ~60% |
| Self-Hosted | ✅ Yes | ❌ Cloud only |
| Cost | ✅ Free (OSS) | ❌ $2,000+/test |
| API Access | ✅ REST API | ✅ Yes |
| Multi-Domain | ✅ Network, Web, AD, Cloud | ❌ Web only |
- Backend: FastAPI, Python 3.11+
- Database: PostgreSQL 15
- Task Queue: Celery + Redis
- ORM: SQLAlchemy (async)
- Migrations: Alembic
- Testing: pytest, pytest-asyncio
- Tools: Nmap, (Nuclei, SQLMap - coming soon)
- Database foundation
- Scanner refactoring
- REST API
- Job queue orchestration
- Basic testing
- Comprehensive testing (70%+ coverage)
- Documentation
- Production deployment
- Claude AI integration
- Additional scanners (Nuclei, SQLMap, Nikto)
- Validation pipeline
- Report generation
- Web dashboard UI
- Active Directory testing
- Cloud security scanning
```bash
# Run all tests
poetry run pytest tests/ -v

# With coverage
poetry run pytest tests/ --cov=src/overwatch_core --cov-report=html

# View coverage
explorer.exe htmlcov/index.html  # Windows/WSL
```

- Quick Start Guide
- Implementation Guide
- Codebase Analysis
- API Documentation (when running)
This project is under active development. Contributions welcome!
MIT License - See LICENSE file
Built as an alternative to commercial pentesting platforms with focus on:
- Affordability (free/open-source)
- Privacy (self-hosted option)
- Accuracy (<10% false positive rate)
- Comprehensive coverage (network, web, infrastructure, cloud)
Status: MVP Complete - 90% functional, ready for testing and feedback!