I built Lateralus because I wanted a language where the pipeline operator was a first-class citizen. I built LateralusOS because I wanted to run Lateralus on bare metal. I built NullSec Linux because security research deserves a purpose-built platform. And now I’m shipping the thing that ties all three together: Lateralus Pentester.
Lateralus Pentester is a full penetration testing suite written entirely in Lateralus. Not “uses Lateralus for scripting” or “has a Lateralus plugin” — every single line is Lateralus. Nine modules. Pipeline-native. $25/month rolling subscription. Let me explain why this exists and what makes it different.
THE PROBLEM WITH EXISTING PENTESTING TOOLS
I’ve been doing security research for years. The tooling situation is genuinely painful in ways that people don’t talk about enough.
The core problem is that penetration testing is fundamentally a pipeline activity. You discover hosts. Those hosts feed into a port scanner. The open ports feed into a service fingerprinter. The services feed into a vulnerability assessor. The vulns feed into an exploit attempt. The sessions feed into post-exploitation. The findings feed into a report.
That’s a pipeline. A typed pipeline where each stage has a specific input and output format. But the existing ecosystem treats it as a collection of independent tools connected by copy-paste, shell scripts, and XML parsing. Nmap outputs XML. You grep it. You pipe it to something that understands the grep output. You lose type information at every boundary.
With Lateralus, the pipeline is the program:
    let findings = "192.168.1.0/24"
        |> recon.discover_hosts()
        |=> scan.port_scan(top_ports: 1000)
        |> scan.service_fingerprint()
        |?> vuln.assess(cve_db: "latest")
        |> vuln.check_misconfigs()

    findings
        |> report.generate(format: "pdf", title: "Q2 Audit")
        |> report.write_to("./q2-audit.pdf")
That’s a complete recon-to-report engagement. Typed end to end. Every stage knows what it’s receiving and what it’s producing. If the CVE database is unreachable, |?> propagates the error cleanly instead of crashing at 2am.
WHAT’S IN THE BOX
Nine modules at launch:
Recon — passive and active host discovery, DNS enumeration, CT log scanning, ASN mapping, OSINT aggregation. Feeds into everything else.
Scan — SYN/TCP/UDP port scanning with |=> parallel fan-out across all CPU cores. Service fingerprinting with banner grabbing, HTTP header analysis, and TLS inspection. 1,000 hosts in 38 seconds on a 6-core machine.
Vuln — CVE database integration, misconfiguration detection, default credential testing, web application scanning (SQLi, XSS, SSRF, path traversal), and API security testing. High-severity CVEs with public PoC get integrated within 72 hours of disclosure.
Exploit — modular exploit templates written in Lateralus. Each exploit is a typed function that accepts a Target struct and returns a Session or an error. New templates added monthly.
Post — privilege escalation enumeration, credential harvesting, persistence identification, lateral movement mapping.
Report — converts list[Finding] to Markdown, HTML, PDF, or JSON. Automatic CVE cross-referencing, CVSS scores, remediation suggestions. JSON output imports into Dradis, PlexTrac, DefectDojo.
Evasion — timing jitter, packet fragmentation, decoy traffic, protocol obfuscation. These are composable wrappers — prepend them to any pipeline stage to add evasion.
Cloud — AWS/GCP/Azure misconfiguration auditing, IAM privilege escalation, S3 public access detection, metadata API exploitation, container escape paths.
Crypto — TLS/SSL weakness detection, weak cipher enumeration, certificate chain validation, hash cracking pipeline integration.
WHY LATERALUS SPECIFICALLY
People ask why not just write this in Python. It’s a fair question. The answer is three things the existing ecosystem gives up that Lateralus preserves:
Types across module boundaries. A Finding struct always has a severity, a host, a title, and a detail. Every module that produces findings produces the same type. The report module never sees “undefined key” errors because the schema is enforced by the compiler, not by runtime convention.
Error propagation as a primitive. |?> is not a try/except wrapper. It’s a pipeline operator that carries the error forward as a typed value. A failed exploit stage doesn’t crash the engagement. It produces an Err(StageName, ErrorDetail) that you can inspect, log, and report on.
Parallelism as a primitive. |=> distributes work across CPU cores with one character. No thread pools. No locks. No race conditions from shared mutable state. The scanner is fast because the language makes parallelism trivial to express correctly.
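An added illustration, not code from Lateralus or Lateralus Pentester: the shared Finding schema and the error-as-value behaviour described above, modelled in Python. The short-circuit semantics of `try_stage`, every function name, and the sample data are assumptions made for this example.

```python
import json
from dataclasses import dataclass, asdict
from typing import Callable, Union

@dataclass(frozen=True)
class Finding:            # the four fields the post says every Finding has
    severity: str
    host: str
    title: str
    detail: str

@dataclass(frozen=True)
class Err:                # mirrors Err(StageName, ErrorDetail) from the post
    stage: str
    detail: str

Value = Union[list, Err]

def try_stage(name: str, stage: Callable[[list], list], value: Value) -> Value:
    """Assumed `|?>` behaviour: pass an earlier Err through, turn a failure here into Err."""
    if isinstance(value, Err):
        return value
    try:
        out = stage(value)
    except Exception as exc:
        return Err(name, f"{type(exc).__name__}: {exc}")
    # Enforce the schema at the stage boundary (a compiler would do this statically).
    if not all(isinstance(f, Finding) for f in out):
        return Err(name, "stage returned a non-Finding value")
    return out

def report(value: Value) -> str:
    """Render findings, or the carried error, as JSON for the report stage."""
    if isinstance(value, Err):
        return json.dumps({"status": "failed", "error": asdict(value)})
    return json.dumps({"status": "ok", "findings": [asdict(f) for f in value]})

# Constructed sample stages: no network access, all data is made up.
def misconfig_stage(findings: list) -> list:
    return findings + [Finding("medium", "192.0.2.10", "Directory listing enabled", "/backup/")]

def cve_stage_offline(findings: list) -> list:
    raise ConnectionError("CVE database unreachable")

def untyped_stage(findings: list) -> list:
    return findings + [{"host": "192.0.2.11"}]   # dict missing severity/title/detail

def run(stages) -> str:
    value: Value = []
    for name, stage in stages:
        value = try_stage(name, stage, value)
    return report(value)
```

In this model a failed stage is recorded in the report output with its stage name, and a stage that emits an untyped record is rejected at the boundary rather than surfacing later as a missing key in the report.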
PLATFORM AND PRICING
Lateralus Pentester runs on any platform with the Lateralus runtime: any Linux distribution, and macOS. Some raw-socket modules need CAP_NET_RAW on standard Linux.
But the optimal platforms are LateralusOS and NullSec Linux. LateralusOS has capability-based network access — the tool gets exactly the network capabilities it needs without setuid wrappers or root. NullSec Linux has the runtime pre-installed alongside 200+ other security tools, and Lateralus Pentester integrates with the system launcher and update infrastructure.
The subscription is $25/month. It’s rolling, which means:
- New modules or major expansions every month
- CVE integrations weekly
- Evasion signature refreshes continuously as EDR vendors update
- Lateralus language updates reflected in the tool automatically
You update with ltl pkg update pentester. That’s it. No re-download links in email. No migration guides.
WHERE TO GO FROM HERE
Check out the Lateralus Pentester product page for full module docs and the subscribe link. If you want the deep technical dive, the architecture paper covers module system design, pipeline composition semantics, the typed finding schema, and the rolling update infrastructure.
If you’re already a NullSec Linux user, you’re already in the best place to run this. If you haven’t tried NullSec yet, grab the ISO.
For questions: wizard@lateralus.dev.