Tools should expose their assumptions—not hide them behind claims.
This is a curated project portfolio, not a mirror of every public repository. Featured tools are described by demonstrated behavior, lifecycle, and limitations so visitors can judge what is ready to use and what remains experimental.
Each project includes its current maturity and verification state. Early-stage tools are not presented as production-ready products.
01
MVPPythonMIT
SurfaceLens
A local-first attack-surface intelligence workbench for penetration testers. It correlates common recon outputs into a ranked asset view for engagement triage.
Common recon-data imports
Ranked asset view
Snapshot comparison
Analyst annotations
HTML, Markdown, JSON, and CSV export
Public evidence state
An unreleased early-stage MVP whose public repository contains a small unit-test set. No production readiness, public CI, or formal release is claimed.
The same evidence discipline used for vulnerability claims also applies to code, examples, standards language, and safety behavior.
01
Purpose and boundary
The repository states what it does, what it does not do, and the authorized context in which it belongs.
02
Safe examples
Example data is synthetic, failure behavior is explicit, and sensitive operational details are absent.
03
Verifiable behavior
Documented claims are supported by tests, reproducible commands, or clearly scoped manual validation.
04
Lifecycle clarity
License, maintenance state, limitations, and release maturity are visible before someone relies on the tool.
Review queue · 03
Experimental repositories remain visible on GitHub—not endorsed here.
Recon helpers, engagement-data tools, segmentation prototypes, credential-processing utilities, and media-sanitization experiments require different reviews before promotion.
Items with unsafe examples, ambiguous failure handling, outdated standards language, sensitive-data exposure, incomplete documentation, or unsupported assurance claims stay outside the featured catalog until corrected.