Pipeline-Native Pentesting
Pentesting is a pipeline: recon flows into enumeration, enumeration into exploitation, exploitation into exfiltration. Lateralus makes this literal.
A recon pipeline
let targets = "example.com"
|> subfinder()
|> filter(|d| d |> is_alive())
|> flat_map(|d| nmap_scan(d, ports: "1-1000"))
|> filter(|h| h.open_ports |> len() > 0)
|> sort_by(|h| h.open_ports |> len(), descending)Chaining tools
Each NullSec tool has a Lateralus wrapper that accepts and returns structured data. No more parsing grep output:
let vulns = targets
|> flat_map(|t| nuclei_scan(t, templates: "cves"))
|> filter(|v| v.severity >= High)
|> group_by(|v| v.host)
|> map_entries(|host, vulns| {
host: host,
count: vulns |> len(),
critical: vulns |> filter(|v| v.severity == Critical) |> len(),
})Reproducibility
Every pipeline is a script. Save it, version it, rerun it. No more "what commands did I run?" The entire engagement is documented as code.
Reporting
vulns
|> group_by(|v| v.severity)
|> to_markdown_report("engagement-2026-01.md")Pipeline results flow directly into report generation. The report includes the exact commands and their outputs.
Credential harvesting pipeline
After initial access, credential harvesting is the next step. Lateralus pipelines make it systematic:
let creds = compromised_hosts
|> flat_map(|h| {
let sam = dump_sam(h)
let lsa = dump_lsa_secrets(h)
let browser = extract_browser_creds(h)
let wifi = extract_wifi_profiles(h)
concat(sam, lsa, browser, wifi)
})
|> deduplicate_by(|c| (c.username, c.hash))
|> sort_by(|c| c.privilege_level, descending)
// Crack the hashes
creds
|> filter(|c| c.hash_type == NTLM)
|> map(|c| c.hash)
|> write_file("hashes.txt")
hashcat_attack("hashes.txt", wordlist: "rockyou.txt", rules: "best64")Lateral movement map
Visualizing attack paths is critical for reports. The pipeline builds a graph:
let attack_graph = creds
|> filter(|c| c.cracked)
|> flat_map(|c| {
// Test each cracked credential against all hosts
targets
|> filter(|t| t != c.source_host)
|> filter_map(|t| test_credential(c, t))
|> map(|success| Edge {
from: c.source_host,
to: success.host,
via: c.username,
protocol: success.protocol,
})
})
|> to_graph()
attack_graph |> render_dot("lateral-movement.svg")
attack_graph |> shortest_path(entry_point, domain_controller)
|> each(|hop| println(" {hop.from} --[{hop.via}]--> {hop.to}"))Automated evidence collection
Every action in a Lateralus pentesting pipeline is automatically logged with timestamps, commands, and outputs. This isn't just for reporting — it's a legal requirement for professional engagements:
let engagement = Engagement::new("client-2026-Q1")
|> with_scope(["10.0.0.0/8", "*.client.com"])
|> with_rules_of_engagement("roe-signed.pdf")
// Every pipeline step inside an engagement block
// is automatically logged to the evidence database
engagement.run(|| {
let recon = scope
|> flat_map(subdomain_enum)
|> flat_map(port_scan)
|> save_evidence("recon-results")
let vulns = recon
|> flat_map(vuln_scan)
|> save_evidence("vulnerability-scan")
let exploits = vulns
|> filter(|v| v.exploitable && v.in_scope)
|> map(attempt_exploit)
|> save_evidence("exploitation-attempts")
})Real engagement example
Here's a condensed but realistic external pentest workflow in 30 lines of Lateralus:
// External pentest: example.com
let scope = ["example.com"]
// Phase 1: Passive recon
let subdomains = scope
|> flat_map(|d| concat(
crtsh_search(d),
wayback_urls(d),
dns_brute(d, wordlist: "subdomains-top5000.txt")
))
|> deduplicate()
|> filter(dns_resolves)
// Phase 2: Active scanning
let services = subdomains
|> flat_map(|d| nmap_scan(d, ports: "1-10000", flags: "-sV"))
|> filter(|s| s.state == Open)
// Phase 3: Vulnerability assessment
let findings = services
|> flat_map(|s| nuclei_scan(s, templates: "cves,misconfigs,exposures"))
|> sort_by(|f| f.severity, descending)
// Phase 4: Report
findings |> to_report(format: "pdf", template: "nullsec-pentest-v2")Each phase produces structured data that feeds the next. No shell scripts gluing together text output. No lost context between tools. The entire engagement is reproducible, auditable, and version-controlled.