Security Tools in Lateralus
Security tools are fundamentally about data processing pipelines. You capture packets, parse protocols, filter anomalies, correlate events, and generate reports. Every step transforms data and passes it forward. That's exactly what the pipeline operator was built for.
Port Scanner
A basic port scanner in Lateralus reads like a description of what it does:
fn scan_ports(target: String, range: Range<u16>) -> Vec<PortResult> {
range
|> map(|port| spawn probe(target, port))
|> await collect()
|> filter(|r| r.status == Open)
|> map(|r| {
let service = r.port |> identify_service()
let banner = r |> grab_banner()
PortResult { port: r.port, service, banner }
})
|> sort_by(|r| r.port)
}Each scan runs concurrently via spawn. Results flow through filter, enrichment, and sorting — all in one pipeline.
Packet Analysis
Packet parsing benefits enormously from pattern matching. Protocol headers are union types — an Ethernet frame contains either an IPv4 packet, IPv6 packet, ARP reply, or something else:
fn analyze_packet(raw: Bytes) -> Analysis {
raw
|> parse_ethernet()
|> match {
Ethernet { payload: IPv4(pkt), .. } =>
pkt |> analyze_ipv4(),
Ethernet { payload: IPv6(pkt), .. } =>
pkt |> analyze_ipv6(),
Ethernet { payload: ARP(arp), .. } =>
arp |> check_arp_spoof(),
_ => Analysis::unknown(),
}
}
fn analyze_ipv4(pkt: IPv4Packet) -> Analysis {
match pkt.protocol {
TCP(seg) => seg |> detect_syn_flood() |> check_payload(),
UDP(dgm) => dgm |> detect_dns_tunnel(),
ICMP(msg) => msg |> detect_ping_sweep(),
_ => Analysis::benign(),
}
}Log Correlation
Security monitoring means correlating events across multiple log sources. Pipelines make the correlation chain explicit:
fn detect_lateral_movement(logs: Vec<LogSource>) -> Vec<Alert> {
logs
|> flat_map(|src| src |> parse_entries())
|> filter(|e| e.event_type == Authentication)
|> group_by(|e| e.source_ip)
|> filter_entries(|ip, events| {
let hosts = events |> map(|e| e.target) |> unique() |> len()
let window = events |> time_window()
hosts > 5 && window < minutes(10)
})
|> map(|ip, events| Alert {
severity: Critical,
kind: LateralMovement,
source: ip,
evidence: events,
})
}The algorithm is the code: parse → filter authentication events → group by source → detect rapid multi-host access → generate alerts.
Vulnerability Scanner
Combining async pipelines with pattern matching creates scanners that are both fast and readable:
fn scan_web_app(base_url: String) -> Report {
base_url
|> crawl_urls()
|> map(|url| spawn {
let xss = url |> test_xss()
let sqli = url |> test_sqli()
let ssrf = url |> test_ssrf()
(url, xss, sqli, ssrf)
})
|> await collect()
|> filter(|r| r |> has_findings())
|> sort_by(|r| r |> severity(), descending)
|> Report::generate()
}Why Pipelines for Security
Three properties make pipelines ideal for security tools:
- Auditability. Each step in a pipeline is visible and independent. Peer reviewers can trace exactly what the tool does.
- Composability. Security analysis chains together — parse, enrich, correlate, alert. Each step is a function that can be tested alone.
- Concurrency. Scanning is inherently parallel.
spawnin a pipeline runs probes concurrently without callback complexity.
Security tools should be as auditable as the systems they protect. Pipelines make the logic transparent.
Structured output across tools
The biggest advantage of Lateralus for security automation is that every tool wrapper returns typed data. No more regex parsing of text output:
// Traditional Bash approach:
nmap -sV target | grep "open" | awk '{print $1}' | cut -d/ -f1
// Lateralus approach:
nmap_scan(target, flags: "-sV")
|> flat_map(|h| h.ports)
|> filter(|p| p.state == Open)
|> map(|p| p.number)
// The type system guarantees:
// - nmap_scan returns Vec<Host>
// - Host.ports is Vec<Port>
// - Port.state is an enum (Open | Closed | Filtered)
// - Port.number is a u16
// If nmap changes its output format, the wrapper catches it.Building custom scanners
Lateralus isn't just for wrapping existing tools. The networking primitives make it easy to build custom scanners:
// Custom HTTP header scanner
fn scan_security_headers(url: String) -> SecurityReport {
let response = http::get(url) |> await
let headers = response.headers
let checks = [
("Strict-Transport-Security", headers.get("Strict-Transport-Security")),
("Content-Security-Policy", headers.get("Content-Security-Policy")),
("X-Frame-Options", headers.get("X-Frame-Options")),
("X-Content-Type-Options", headers.get("X-Content-Type-Options")),
("Referrer-Policy", headers.get("Referrer-Policy")),
("Permissions-Policy", headers.get("Permissions-Policy")),
]
let findings = checks
|> map(|(name, value)| match value {
Some(v) => HeaderResult::Present(name, v),
None => HeaderResult::Missing(name),
})
SecurityReport { url, findings, timestamp: now() }
}
// Scan 1000 domains in parallel
let reports = domains
|> map(scan_security_headers)
|> await_all(concurrency: 50)
|> sort_by(|r| r.missing_count(), descending)Integration with existing workflows
Lateralus tools integrate with existing security infrastructure:
- Jira/GitLab Issues — findings can be automatically exported as tickets with severity labels, reproduction steps, and evidence screenshots
- Slack/Discord webhooks — real-time notifications when critical vulnerabilities are discovered during automated scans
- DefectDojo — native integration with the popular vulnerability management platform. Scan results push directly into DefectDojo with deduplication.
- SARIF output — all scanners can output in SARIF format for integration with GitHub Advanced Security and Azure DevOps
Structured output across tools
The biggest advantage of Lateralus for security automation is that every tool wrapper returns typed data. No more regex parsing of text output:
// Traditional Bash approach:
nmap -sV target | grep "open" | awk '{print $1}' | cut -d/ -f1
// Lateralus approach:
nmap_scan(target, flags: "-sV")
|> flat_map(|h| h.ports)
|> filter(|p| p.state == Open)
|> map(|p| p.number)
// The type system guarantees:
// - nmap_scan returns Vec<Host>
// - Host.ports is Vec<Port>
// - Port.state is an enum (Open | Closed | Filtered)
// - Port.number is a u16
// If nmap changes its output format, the wrapper catches it.Building custom scanners
Lateralus isn't just for wrapping existing tools. The networking primitives make it easy to build custom scanners:
// Custom HTTP header scanner
fn scan_security_headers(url: String) -> SecurityReport {
let response = http::get(url) |> await
let headers = response.headers
let checks = [
("Strict-Transport-Security", headers.get("Strict-Transport-Security")),
("Content-Security-Policy", headers.get("Content-Security-Policy")),
("X-Frame-Options", headers.get("X-Frame-Options")),
("X-Content-Type-Options", headers.get("X-Content-Type-Options")),
("Referrer-Policy", headers.get("Referrer-Policy")),
("Permissions-Policy", headers.get("Permissions-Policy")),
]
let findings = checks
|> map(|(name, value)| match value {
Some(v) => HeaderResult::Present(name, v),
None => HeaderResult::Missing(name),
})
SecurityReport { url, findings, timestamp: now() }
}
// Scan 1000 domains in parallel
let reports = domains
|> map(scan_security_headers)
|> await_all(concurrency: 50)
|> sort_by(|r| r.missing_count(), descending)Integration with existing workflows
Lateralus tools integrate with existing security infrastructure:
- Jira/GitLab Issues — findings can be automatically exported as tickets with severity labels, reproduction steps, and evidence screenshots
- Slack/Discord webhooks — real-time notifications when critical vulnerabilities are discovered during automated scans
- DefectDojo — native integration with the popular vulnerability management platform. Scan results push directly into DefectDojo with deduplication.
- SARIF output — all scanners can output in SARIF format for integration with GitHub Advanced Security and Azure DevOps