ArcherySec


ArcherySec (often simply referred to as Archery) is an open-source vulnerability assessment and management tool that functions as an Application Security Orchestration and Correlation (ASOC) platform. It acts as a centralized command center for security professionals and DevOps teams, enabling them to automate scans, consolidate vulnerability data from disparate sources, and manage the remediation lifecycle from a single dashboard.

In the context of modern DevSecOps, ArcherySec addresses the "fragmentation" problem in which security data is scattered across multiple tools (e.g., network scanners, web scanners, and static analysis tools). It ingests this raw data, correlates it to remove noise, and presents a unified view of an organization's security posture.

Core Capabilities and Functions

ArcherySec operates by wrapping around existing security tools rather than replacing them. Its primary functions include:

  • Orchestration: It acts as a controller that can trigger and schedule scans across various connected tools. Instead of logging into five different consoles to start scans, a user can initiate them all from the Archery interface.

  • Correlation and Consolidation: It ingests reports from network scanners (like OpenVAS), web scanners (like OWASP ZAP), and static analysis tools. It then parses and normalizes this data to provide a consolidated list of vulnerabilities, making it easier to prioritize fixes.

  • CI/CD Integration: ArcherySec is designed for "Shift Left" security. It offers plugins and APIs that enable developers to trigger security scans automatically whenever code is committed or a build is deployed in pipelines such as Jenkins or GitLab.

  • Authenticated Scanning: A distinct feature of ArcherySec is its ability to handle dynamic authenticated scanning. It uses Selenium to manage login sessions (cookies and headers), enabling scanners to test behind login pages where critical vulnerabilities often reside.

Supported Integrations and Scanners

ArcherySec supports a wide array of open-source and commercial security tools, categorized by their scanning domain:

  • Web Application Scanners: Integrates with OWASP ZAP, Burp Suite Professional, Acunetix, Netsparker, and Arachni to detect issues like SQL Injection and XSS.

  • Network/Infrastructure Scanners: Connects with OpenVAS and Nessus to identify unpatched services and misconfigured ports.

  • Static Application Security Testing (SAST): Supports tools like Bandit (for Python), FindBugs (for Java), and Checkmarx to find vulnerabilities in source code.

  • Container and Cloud Security: Ingests data from Trivy, Clair, and ScoutSuite to monitor container images and cloud configurations (AWS, Azure, GCP).

Strategic Benefits for Security Operations

Adopting ArcherySec provides several operational advantages:

Unified Vulnerability Management

It eliminates the need for analysts to manually merge spreadsheets from different scanners. By centralizing the data, teams can track the "Age of Vulnerability" and monitor remediation progress over time through visual dashboards.

Automated Ticketing Workflows

ArcherySec bridges the gap between security findings and developer action. It integrates with Jira, allowing the platform to automatically create tickets for discovered vulnerabilities. This ensures that security bugs are integrated into the standard engineering workflow immediately.

False Positive Management

The platform allows analysts to mark specific findings as false positives. Once marked, ArcherySec remembers this decision for future scans, preventing the same non-issue from clogging up reports and wasting developer time in subsequent cycles.
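The consolidation and false-positive memory described above (Correlation and Consolidation, False Positive Management), as an added illustration that is not ArcherySec's own code: two constructed scanner reports in simplified shapes are normalized to one record format, duplicates collapse onto a stable fingerprint, and a fingerprint an analyst marked as a false positive is suppressed on the next ingest cycle.

```python
import hashlib
import json

# Constructed sample reports in simplified shapes (not real ZAP or Nessus output).
ZAP_JSON = json.dumps({"site": "https://app.example.com", "alerts": [
    {"name": "SQL Injection", "url": "https://app.example.com/login", "param": "user", "risk": "High"},
    {"name": "SQL Injection", "url": "https://app.example.com/login", "param": "user", "risk": "High"},
    {"name": "X-Content-Type-Options Header Missing", "url": "https://app.example.com/", "param": "", "risk": "Low"},
]})
NETWORK_ROWS = [  # constructed network scanner rows: (host, port, plugin name, severity)
    ("10.0.0.5", 22, "SSH Weak Algorithms Supported", "Medium"),
    ("10.0.0.5", 8080, "Unsupported Web Server Detected", "High"),
]

def fingerprint(asset, title, location):
    """Stable key so the same issue reported twice (or by two tools) becomes one record."""
    raw = f"{asset.strip().lower()}|{title.strip().lower()}|{location.strip().lower()}"
    return hashlib.sha256(raw.encode()).hexdigest()[:16]

def normalize_zap(report_json):
    """Map web-scanner alerts to the common record shape; location = URL plus parameter."""
    data = json.loads(report_json)
    for a in data["alerts"]:
        loc = a["url"] + (f"?{a['param']}" if a["param"] else "")
        yield {"asset": data["site"], "title": a["name"], "location": loc,
               "severity": a["risk"], "source": "zap"}

def normalize_network(rows):
    """Map network-scanner rows to the common record shape; location = tcp/<port>."""
    for host, port, name, severity in rows:
        yield {"asset": host, "title": name, "location": f"tcp/{port}",
               "severity": severity, "source": "network"}

def consolidate(findings, false_positives):
    """Merge by fingerprint and drop anything an analyst previously marked as a false positive."""
    merged, suppressed = {}, []
    for f in findings:
        key = fingerprint(f["asset"], f["title"], f["location"])
        if key in false_positives:
            suppressed.append(key)
            continue
        rec = merged.setdefault(key, {**f, "sources": set()})
        rec["sources"].add(f["source"])
    return merged, suppressed

def run_cycle(false_positives):
    """One ingest cycle over both constructed reports; returns (merged, suppressed keys)."""
    findings = list(normalize_zap(ZAP_JSON)) + list(normalize_network(NETWORK_ROWS))
    return consolidate(findings, false_positives)
```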

Frequently Asked Questions

Is ArcherySec a scanner itself? No. ArcherySec is an orchestrator. It does not have its own scanning engine; instead, it leverages other tools (like Nmap or ZAP) to perform the actual scanning and then manages the results those tools produce.

Does it support authenticated web scanning? Yes. It uses Selenium to automate browser interactions required to log in to a web application and capture the necessary session cookies, enabling scanners to test authorized areas of the application.

Is ArcherySec free to use? Yes. ArcherySec is an open-source project and is free to use. However, it can integrate with commercial tools (such as Nessus or Burp Suite) that require paid licenses.

How is ArcherySec deployed? It is typically deployed using Docker containers, making it platform-agnostic and easy to set up in cloud or on-premise environments. It also requires Python and a database (usually PostgreSQL) to function.

ThreatNG and ArcherySec: Bridging Discovery and Orchestration

ThreatNG and ArcherySec function as a unified ecosystem, with ThreatNG serving as the external "Hunter" and ArcherySec as the internal "Manager." While ArcherySec excels at orchestrating scanners and managing vulnerability data for known assets, it relies on a defined target list to function effectively. ThreatNG complements this by providing the dynamic, outside-in discovery required to ensure ArcherySec is scanning the entire attack surface, not just the assets listed in a static spreadsheet.

ThreatNG feeds the "Unknown" assets into ArcherySec's "Known" inventory, creating a comprehensive DevSecOps loop that covers both discovery and remediation.

External Discovery: Fueling the Orchestrator

The primary limitation of orchestration platforms like ArcherySec is that they can only scan what they are told to scan. ThreatNG’s External Discovery engine solves this by automatically populating ArcherySec with a live, accurate target list.

  • Automated Target Injection: ThreatNG uses recursive domain and subdomain enumeration to identify all digital assets belonging to the organization. When ThreatNG discovers a new, unlisted subdomain (e.g., api-staging.company.com), it effectively "feeds" this new target to the security team. This allows the team to add the new asset to ArcherySec, triggering tools such as OWASP ZAP or OpenVAS to scan it immediately.

  • Shadow Infrastructure Identification: ArcherySec typically manages sanctioned assets. ThreatNG identifies the Shadow IT—such as unauthorized cloud buckets or developer-spun virtual machines. By discovering these "Rogue" assets, ThreatNG ensures they are brought under ArcherySec's management, preventing blind spots.

External Assessment: Contextualizing Technical Findings

ArcherySec aggregates technical vulnerability data (e.g., "SQL Injection found"). ThreatNG’s External Assessment enriches this data with the business and external context required to prioritize remediation in ArcherySec.

  • Validating External Reachability (Technical Resources):

    • The Scenario: ArcherySec receives a report from a network scanner indicating a critical vulnerability on an internal server.

    • ThreatNG Contribution: ThreatNG assesses the asset from the public internet. If ThreatNG confirms that the server is not reachable externally, the priority in ArcherySec can be lowered. Conversely, if ThreatNG confirms the vulnerability is exposed to the open web, it validates the finding as a "Critical Emergency" and instructs the team to prioritize the ArcherySec ticket above all others.

  • Supply Chain Risk (Financial & Legal Resources):

    • The Scenario: ArcherySec is managing vulnerabilities for a third-party integrated application.

    • ThreatNG Contribution: ThreatNG checks Financial and Legal Resources regarding the vendor. If ThreatNG identifies that the vendor is failing or legally compromised, it adds strategic context to the technical flaws in ArcherySec. The decision moves from "Patch the vulnerability" to "Replace the vendor entirely."

Investigation Modules: Forensics Beyond the Scanner

ArcherySec tells you what is wrong (the bug). ThreatNG’s investigation modules help you understand if it has been exploited and who is targeting it.

  • Sanitized Dark Web Investigation:

    • The Workflow: ArcherySec reports a "Weak Password Policy" vulnerability on a web portal.

    • ThreatNG Deep Dive: Analysts use ThreatNG’s Sanitized Dark Web module to search for credentials associated with that portal. Finding active listings for "Admin Credentials" on the dark web confirms that the vulnerability identified by ArcherySec has already been weaponized. This transforms a routine maintenance ticket into an active incident response workflow.

  • Cloud and SaaS Exposure Investigation:

    • The Workflow: ArcherySec integrates a cloud security scanner that flags a "Public Storage Bucket."

    • ThreatNG Deep Dive: Analysts use ThreatNG to inspect the bucket's contents from the outside. They verify if the bucket contains PII or benign image assets. This investigation provides the "Impact Evidence" needed to update the severity of the finding within the ArcherySec dashboard.

Continuous Monitoring: Triggering the Scan

Security is not static. ThreatNG’s Continuous Monitoring acts as the "Watchdog" that tells ArcherySec when to scan.

  • Drift-Driven Scanning: Instead of running ArcherySec scans on a rigid weekly schedule, ThreatNG enables "Event-Driven" security. If ThreatNG detects Infrastructure Drift—such as a firewall change that opens Port 8080 on a production server—it identifies this change instantly. This external signal can prompt the security team to manually trigger a targeted scan in ArcherySec for that specific asset, catching the misconfiguration minutes after it happens rather than waiting for the next scheduled cycle.

Intelligence Repositories: Threat-Led Prioritization

ThreatNG’s Intelligence Repositories help ArcherySec users decide which vulnerabilities to fix first based on real-world threat activity.

  • Ransomware Correlation: ArcherySec might list 1,000 unpatched vulnerabilities. ThreatNG identifies which of those specific technologies are currently being exploited by ransomware groups (e.g., a specific VPN vulnerability). By correlating the ArcherySec list with ThreatNG’s threat intelligence, teams can flag the "Ransomware Gateways" for immediate remediation.

Reporting: The Complete Posture View

ThreatNG’s Reporting capabilities merge with ArcherySec’s data to provide a holistic view of security.

  • Discovery vs. Managed Reports: ThreatNG reports on the "Total Addressable Attack Surface," while ArcherySec reports on the "Scanned Surface." Comparing these two reports highlights the "Coverage Gap"—the percentage of assets that exist but are not yet being scanned. This metric is critical for CISOs to measure the maturity of their vulnerability management program.

Complementary Solutions

ThreatNG and ArcherySec work together to create a closed-loop vulnerability management process.

The "Feeder and Processor" Workflow

  • Cooperation: ThreatNG acts as the Target Feeder. It continuously crawls the internet to find new domains, subdomains, and IP addresses. It provides this list to the security team. The security team then imports these assets into ArcherySec. ArcherySec acts as the Processor, dispatching tools such as OpenVAS and ZAP to scan the targets ThreatNG identified. This ensures that no asset is left unscanned simply because the security team didn't know it existed.
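The feeder loop above, together with the Drift-Driven Scanning and Coverage Gap ideas from the earlier sections, as an added example that is neither ThreatNG's nor ArcherySec's code: two constructed external-discovery snapshots and a constructed list of orchestrator-managed assets are compared to produce the import list, the coverage-gap percentage, and the assets that need an immediate targeted scan. No real API of either product is called.

```python
# Constructed snapshots: what an external discovery pass saw on the previous run
# and now, as {asset: set(open tcp ports)}, plus the assets already registered
# in the orchestrator. All names and addresses are made up.
DISCOVERED_PREV = {
    "www.company.example": {443},
    "api.company.example": {443},
    "vpn.company.example": {443},
    "10.0.0.7": {22},
    "10.0.0.9": {22},
}
DISCOVERED_NOW = {
    "www.company.example": {443},
    "api.company.example": {443},
    "vpn.company.example": {443},
    "api-staging.company.example": {443},  # newly found, unlisted subdomain
    "10.0.0.7": {22, 8080},                # managed host; port 8080 opened since last pass
    "10.0.0.9": {22, 3389},                # unmanaged host; port 3389 opened since last pass
}
MANAGED = {"www.company.example", "api.company.example", "vpn.company.example", "10.0.0.7"}

def coverage_gap(discovered, managed):
    """Assets that exist externally but are not scanned, and that share as a percentage."""
    unmanaged = set(discovered) - managed
    pct = 100.0 * len(unmanaged) / len(discovered) if discovered else 0.0
    return unmanaged, round(pct, 1)

def detect_drift(prev, now):
    """Newly exposed (asset, port) pairs on assets seen in both snapshots."""
    events = []
    for asset, ports in now.items():
        if asset not in prev:
            continue  # brand-new assets are handled by coverage_gap, not as drift
        for port in sorted(ports - prev[asset]):
            events.append((asset, port))
    return events

def scan_queue(prev, now, managed):
    """Decide what to import and what to scan now instead of at the next scheduled cycle."""
    to_import, _ = coverage_gap(now, managed)
    drifted = {asset for asset, _ in detect_drift(prev, now)}
    # A managed asset with drift gets a targeted rescan; an unmanaged one is
    # imported first and then scanned.
    return {"import": sorted(to_import),
            "rescan": sorted(drifted & managed),
            "scan_after_import": sorted(drifted & to_import)}
```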

Jira and Remediation Tracking

  • Cooperation: ArcherySec automatically pushes vulnerability tickets to Jira. ThreatNG enriches this workflow by providing the Verification. Once a developer marks a Jira ticket as "Fixed," ThreatNG’s external assessment can verify whether the external exposure has actually been closed. If ThreatNG still detects an open port or an exposed file, it confirms the fix failed, preventing the ticket from being closed prematurely.

CI/CD Pipeline Security

  • Cooperation: ArcherySec scans code in the CI/CD pipeline. ThreatNG scans the deployed environment. This provides "Code-to-Cloud" visibility. ArcherySec ensures the code is secure before deployment; ThreatNG validates that the environment into which it was deployed (the cloud infrastructure) is secure and properly configured, catching environmental drift that static code analysis misses.

Frequently Asked Questions

Does ThreatNG replace ArcherySec? No. They serve different phases of the security lifecycle. ThreatNG finds the assets and assesses external risk (Discovery). ArcherySec manages the scanners and orchestrates the remediation workflow (Management).

Can ThreatNG investigate vulnerabilities found by ArcherySec? Yes. If ArcherySec finds a vulnerability, analysts can use ThreatNG’s Investigation Modules (like Domain Intelligence or Dark Web Search) to gather more context about the asset, helping to determine the likelihood of exploitation.

How do they help with Shadow IT? ThreatNG finds the Shadow IT asset. ArcherySec is then used to scan it. Without ThreatNG, ArcherySec would never know the Shadow IT asset existed; without ArcherySec, the Shadow IT asset would never be scanned for deep software vulnerabilities.
