Documentation
apPosture ASPM
An offline-first, AI-driven Application Security Posture Management platform. Six scan engines - DAST, SAST, SCA, secrets, IaC and containers - plus an agentic local-LLM AI (DeepSeek) run entirely inside your perimeter - no source, scan traffic or AI inference ever leaves your network. This guide covers every capability.
Zero egress, air-gap friendly.
Local LLM (DeepSeek).
Six engines, one store.
Architecture
Assets and CI feed six engines and a local-LLM AI core; results deduplicate into one posture that the dashboard, gates and reports read. Nothing crosses your perimeter.
Deployment
Self-hosted via Docker Compose - Postgres, the warm scanner pool, the local DeepSeek LLM and the app, all containers you run and own. No SaaS account, no outbound dependency.
Every container runs inside your network - source, scan traffic and AI inference never leave.
docker compose up -d postgres redis scanner ollama backend frontend
docker exec apposture-ollama ollama pull deepseek-coder-v2:16b # one-time, local
:3000
:8000 /api/v1 · /docs
local · :11434
Your first scan
- Create an Application and add a Target (URL) or connect a repo on Integrations.
- Run a scan (DAST for a URL; SAST/SCA/secrets/IaC for a repo) - or wire CI/CD.
- Review findings in Vulnerabilities, let the AI prove & triage them, and gate your pipeline.
Applications
The top-level grouping. An application bundles targets/services and carries metadata used for prioritization: environment (prod/staging/dev), business_criticality, and owner_team. Each app gets its own risk score, grade and open/exploitable/SLA-breached counts. Microservice repos auto-create their own application from CI.
Targets & authentication
A target is a URL to scan. apPosture authenticates so it can test behind login:
- ✓ Auth types: form, bearer, header / API-key, cookie (credentials encrypted at rest).
- ✓ A second account for horizontal-access (IDOR/BOLA) testing.
- ✓ Hybrid AST: link a source_repo_path so DAST is source-informed; add business_logic_notes to steer the AI's test plan.
Discovery
Inventory your real attack surface - hosts, subdomains and APIs - with include/exclude scope controls (domains, IPs, TLDs). Newly appearing assets are flagged (shadow-IT diff) so nothing is scanned that you didn't intend, and nothing dangerous is missed.
SCM integrations
Connect GitHub or GitLab via OAuth or a personal access token, import a repo (cloned into a read-only sandbox), or upload a local folder. Tokens are stored encrypted; the connected repo becomes the source for SAST/SCA/secrets/IaC and the Hybrid-AST bridge for DAST.
Scans & profiles
Scans are queued and run by a concurrency-limited worker; you can pause, resume or stop them and watch a live phase timeline.
fast surface pass
balanced (default)
thorough active scan
Options include scope exclusions, AJAX spider, graybox (source-informed) and authorized active exploitation (operator consent required). Incremental scans diff against a baseline_commit.
DAST & AI-Pentest
apPosture's dynamic testing runs as two bridged engine stages. DAST delivers broad, deterministic, reproducible coverage of the running application; AI-Pentest adds attacker-grade depth - gray-box reasoning, confirmed exploitation and AI triage. The stages feed each other: DAST output steers the AI-Pentest, and the AI-Pentest proves and ranks what DAST surfaced. Every phase streams to a live timeline grouped by stage.
Broad automated coverage
- Authenticated session check
- Spider + AJAX / SPA crawl
- Content discovery (forced browsing)
- API-native discovery (OpenAPI / GraphQL)
- Active scan (payload injection)
- Vulnerability signatures (9000+)
- Multi-engine cross-check
- Out-of-band (OAST) testing
AI-driven depth & exploitation
- Gray-box / Hybrid-AST exploitation
- Deep exploitation (injection proof)
- Exploit verification (safe reproduction)
- AI triage (false-positive filter, dedup)
- Correlation & prioritization
Before the scan, the AI reads your source (Hybrid AST), builds a threat model and an attack map, and converts both into a targeted, taint-guided test plan. The deep profile drives the active scan at maximum attack strength with the full rule-set enabled.
The two stages run as one bridged pipeline; results deduplicate into the unified posture.
Discovery & API scanning
A scan can only test what it can find. apPosture expands the attack surface three ways beyond the crawler:
Content discovery (forced browsing)
Crawling only finds linked pages. apPosture brute-forces a curated, high-signal wordlist for hidden admin panels, API docs, backups, VCS leaks (.git, .svn) and config/secret files (.env, web.config, actuator). Every path that actually exists is folded into scope so the rest of the pipeline tests it.
API-native scanning (OpenAPI / GraphQL)
Modern apps are APIs a spider can't see. apPosture pulls the app's own contract from the live target - OpenAPI / Swagger (v2 & v3, from the usual locations or a spec URL you provide) and GraphQL introspection - expands every operation into a real, parameterised request, and tests it with the full engine set. A publicly-readable spec and enabled GraphQL introspection are reported as their own misconfigurations.
Authenticated & access-control testing
Form, bearer, header/API-key and cookie auth keep the session live throughout the scan. A second account drives horizontal-access (IDOR / BOLA) testing, and the source-informed gray-box bridge tests endpoints the crawler never reaches.
Exploitation & out-of-band testing
Coverage finds candidates; apPosture then turns the strong ones into proven, exploit-confirmed findings.
Multi-engine analysis
Several independent, best-of-breed scan engines run in parallel and cross-check the attack surface for breadth a single engine misses (injection, XSS, SSRF, XXE, command execution, path traversal, insecure headers/cookies, server misconfiguration and outdated components). Results deduplicate by fingerprint, so when multiple engines agree, confidence rises.
Deep exploitation (authorized)
Specialist exploitation engines confirm injection candidates read-only - SQL injection is proven with a benign data-access proof (DBMS banner / current user / database); OS-command injection with a marker command. No data dumping, no shells. Gated on explicit operator authorization. A confirmation is persisted as exploit_confirmed.
Out-of-band testing (OAST) (opt-in)
Blind vulnerabilities show no response signal - the only proof is an out-of-band callback. apPosture injects collaborator payloads into parameterised endpoints to catch blind SSRF, blind RCE, blind SQL injection and XXE; a received interaction is hard proof. Uses a collaborator that needs network egress, so it is off by default - point it at a self-hosted, fully-private collaborator for air-gapped use.
Gray-box / Hybrid-AST & taint-guided testing
When a repo is linked, source data-flow (taint) analysis predicts which endpoints are exploitable and the scanner is steered straight at them. When DAST corroborates a source-proven path, the finding is auto-promoted to exploit_confirmed.
Proof, not noise
A finding becomes exploit_confirmed only when it is genuinely proven - an out-of-band callback, a specialist-engine confirmation, a source-to-sink taint corroboration, or a verified critical/high - never just because a model thought it looked real. Confirmed findings are ranked first; the rest are ordered by reachability and severity. See Priorities.
SAST
Static analysis combines a multi-engine rule layer with a deep data-flow (taint) engine that tracks untrusted input from source to sink - intra-procedural, inter-procedural and cross-file - across Java, Go, C#, Ruby, Python, PHP and JS/TS. Findings map to CWE and OWASP and include the vulnerable snippet.
Reachability
A call-graph + entry-point analysis marks whether a finding is actually reachable from a web entry point, so unreachable issues are deprioritized instead of cluttering the backlog.
ML + LLM triage & confidence fusion
Each finding gets a confidence label (likely-real / uncertain / likely-FP) from a fused signal - taint proof, rule precision, comment/pattern guards and local-LLM review - so false positives are filtered before they reach your queue.
Deduplication & grouping
The same flaw reported many times collapses into one issue with an occurrence count - one row, not eighteen - and can be auto-fixed by the AI.
SCA & supply chain
Dependency analysis across npm, PyPI, Composer, Go, Maven/Gradle, NuGet and RubyGems against a curated offline advisory database, with SBOM export. An optional OSV feed (opt-in egress) augments the curated DB to production-grade CVE breadth, and a local-LLM AI advisor summarises impact and the safe upgrade path. Three offline signals cut noise and catch supply-chain risk:
Reachability
A vulnerable dependency only in the lockfile - never imported - is marked unreachable and deprioritized; imported ones are reachable and ranked higher.
License policy
Licenses read from lockfiles; copyleft (GPL/AGPL/LGPL/SSPL) is flagged to review or gate before shipping.
Typosquat / malicious
A direct dependency whose name is an edit-distance neighbour of a popular package (e.g. expres vs express) is flagged as a possible supply-chain attack.
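The edit-distance check described above, as an added example (not apPosture's code). The POPULAR list, the allowlist parameter and the distance threshold of 1 are assumptions made for illustration; the distance function also counts an adjacent transposition as one edit, which goes slightly beyond the single-character case in the text.

```python
# Constructed sample of "popular" package names; a real list would be far larger.
POPULAR = {"express", "lodash", "react", "requests", "numpy", "django"}

def edit_distance(a: str, b: str) -> int:
    """Optimal string alignment: insert, delete, substitute, adjacent swap."""
    prev2, prev = None, list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cost = 0 if ca == cb else 1
            best = min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + cost)
            # Adjacent transposition ("reqeusts" vs "requests") counts as one edit.
            if prev2 is not None and j > 1 and ca == b[j - 2] and a[i - 2] == cb:
                best = min(best, prev2[j - 2] + 1)
            cur.append(best)
        prev2, prev = prev, cur
    return prev[-1]

def normalise(name: str) -> str:
    """Fold case and separator variants so 'Left_Pad' and 'left-pad' compare equal."""
    return name.lower().replace("_", "-").replace(".", "-")

def typosquat_candidates(direct_deps, popular=POPULAR, allow=(), max_distance=1):
    """Return (dependency, popular_neighbour) pairs worth a manual look."""
    known = {normalise(p) for p in popular}
    allowed = {normalise(a) for a in allow}
    findings = []
    for dep in direct_deps:
        name = normalise(dep)
        if name in known or name in allowed:
            continue  # the genuine package, or a reviewed legitimate neighbour
        for candidate in sorted(known):
            if abs(len(name) - len(candidate)) > max_distance:
                continue  # cheap length filter before the quadratic comparison
            if edit_distance(name, candidate) <= max_distance:
                findings.append((dep, candidate))
    return findings
```

Legitimate packages can sit one edit away from a popular one, so the allowlist matters as much as the distance check.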
Secrets
Curated provider patterns + entropy detection; values are always masked, never stored. Plus:
Git-history scan
Finds secrets committed then removed from HEAD but still recoverable from history (one rev-list + cat-file --batch pass).
Validity check (opt-in)
Optionally tests whether a GitHub/GitLab/Slack token is still live; live secrets escalate to critical. Makes an outbound call → off by default for air-gap.
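Provider patterns, entropy detection and masking from the start of this section, as an added example (not apPosture's code). The two patterns, the 3.5 bits-per-character threshold, the 4-character mask prefix and the sample text are assumptions chosen for illustration.

```python
import math
import re
from collections import Counter

# Small constructed subset of provider patterns; real scanners carry many more.
PROVIDER_PATTERNS = {
    "aws-access-key-id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "github-pat": re.compile(r"\bghp_[A-Za-z0-9]{36}\b"),
}
# Generic assignment: a secret-looking key name followed by a long value.
ASSIGNMENT = re.compile(
    r"(?i)\b(?:secret|token|passw(?:or)?d|api[_-]?key)\b\s*[:=]\s*['\"]?"
    r"([A-Za-z0-9+/=_-]{20,})"
)

def shannon_entropy(value: str) -> float:
    """Bits per character: random tokens score high, repeated text scores low."""
    total = len(value)
    return -sum(n / total * math.log2(n / total) for n in Counter(value).values())

def mask(value: str) -> str:
    """Keep a short prefix for triage; the rest is replaced before reporting."""
    return value[:4] + "*" * (len(value) - 4)

def scan_text(text: str, min_entropy: float = 3.5):
    """Return (line_number, detector, masked_value); raw values are not kept."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        matched = set()
        for name, pattern in PROVIDER_PATTERNS.items():
            for m in pattern.finditer(line):
                matched.add(m.group(0))
                findings.append((lineno, name, mask(m.group(0))))
        for m in ASSIGNMENT.finditer(line):
            value = m.group(1)
            # Entropy filters placeholders such as a run of one repeated character.
            if value not in matched and shannon_entropy(value) >= min_entropy:
                findings.append((lineno, "high-entropy", mask(value)))
    return findings

# Constructed sample input: a documentation-style key, a random-looking value
# and a low-entropy placeholder that should not be reported.
SAMPLE = '''\
aws_access_key_id = AKIAIOSFODNN7EXAMPLE
api_key = "Zx9qL2vT7mB4cR8nK1wP5dY3"
password = "aaaaaaaaaaaaaaaaaaaaaaaa"
'''
```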
IaC
Misconfiguration checks for Terraform, Kubernetes, CloudFormation and Dockerfiles (curated rules + an industry-standard policy engine) - insecure defaults, exposed services, missing encryption and over-broad IAM.
Containers
Image OS + language-package CVEs from each microservice's Dockerfile and CI-built images. In CI the image is scanned on the runner and the SARIF is uploaded, so the image never leaves your network (see CI/CD → container).
Unified posture (Vulnerabilities)
Every engine writes into one Vulnerability store, deduplicated by a stable fingerprint so the same issue from DAST + SAST collapses into one. Each carries severity, CVSS, an EPSS band, KEV flag, reachable, exploit_confirmed, a composite priority score, owner, status lifecycle (new → triaged → resolved/accepted) and a full event history. Manage at scale with mutes, risk acceptances and Jira sync.
All engines converge into one deduplicated, risk-scored record - the single source of truth.
Priorities - the few that matter
A scanner that says "500 issues" is noise. The Priorities view narrows the full set down to the handful you must fix first - the genuinely actionable ones - and writes the security story in plain English.
"Of 512 findings, 8 matter right now." Each stage is a strict subset of the one above it.
The fix-first set is every non-informational critical/high plus anything proven-exploitable (exploit_confirmed) or known-exploited-in-the-wild (KEV). Reachability and EPSS order the list - they never hide a critical. An AI executive summary turns the numbers into a short, leadership-ready briefing with the top concrete actions, generated locally.
Exploit verification
A finding is marked exploit_confirmed only when it is genuinely proven, from any of four independent signals. All are rate-limited and gated by operator authorization, and evidence is redaction-aware. A model's opinion alone never confirms a finding - confirmed ones rank first, the rest are deprioritized.
Four independent proofs converge on one verdict - never a model's guess.
Attack map
A graph of the attack surface and chained paths - how an exposed entry point connects to sensitive functions and data - so you fix the links that actually create risk.
Threat models
The AI reconstructs your architecture from source and builds a STRIDE threat model, versioned over time, with coverage mapping back to findings - automated threat modeling instead of a whiteboard session. You can also import an existing model (OWASP Threat Dragon, a Mermaid diagram, an OpenAPI spec or a CycloneDX SBOM) and let the AI enrich it. Each DAST-testable threat feeds straight into the scan's targeted test plan.
STRIDE model with trust zones, data flows and per-threat coverage.
Import an existing model, or generate one from source.
ASPM coverage
A program-level view: security score & grade, open vs exploitable vs SLA-breached, MTTR, and 30-day trend / risk-burndown by severity - plus per-application risk ranking for where to focus.
Agentic AI engine
The local DeepSeek LLM drives autonomous agents that reason in a loop - plan, act, verify, correct. No data leaves your perimeter, no per-token bill.
Reads source → STRIDE model.
Steers scanners at risk.
Safe reproduction; kills FPs.
Ranks risk, writes the patch.
AI assistant
Ask natural-language questions about your posture ("what's exploitable in payments?", "explain this finding", "draft a fix") - answered locally against your own data.
CI/CD pipelines
A portable agent runs in your pipeline, ships the source to the server, and relays the gate verdict as an exit code. Each microservice repo maps to its own application.
A PR fails only on findings new vs the default branch; the verdict posts back as a status check + inline annotations.
curl -fsSL https://aspm.apposture.com/api/v1/ci/agent.sh -o apposture && chmod +x apposture
./apposture test --app payments --severity-threshold high --fail-on new # gate a PR
./apposture monitor --app payments # baseline the default branch
./apposture container --image payments:$SHA --app payments # scan a built image
./apposture upload --sarif results.sarif --app payments # bring your own SARIF
Per-branch baseline
A PR fails only on findings new vs the default branch; pre-existing issues don't block.
PR decoration
Commit status check + summary comment + inline annotations on the exact lines.
Run detail & AI fix
Findings grouped by scanner with the vulnerable snippet + one-click AI patch.
Exit codes
0 pass · 1 gate fail · 2 usage · 3 server/timeout.
Copy-paste snippets for GitHub Actions, GitLab CI and Jenkins on the Setup page.
Gates
Break-the-build is owned by security, not the YAML. A deterministic rule engine + policy thresholds decide pass / warn / fail from severity, "new vs all", required scanners and accepted-risk waivers. Every evaluation is recorded as a GateRun for audit; the same call can post a PR/MR comment.
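The per-branch baseline and the gate decision described above, as an added example (not apPosture's rule engine). The gate keys fail_on_severity and fail_on are the ones shown in the page's API call; required_scanners, the fingerprint strings, the warn verdict mapping to exit code 0 and a missing required scanner failing the gate are assumptions.

```python
SEVERITY_ORDER = ["info", "low", "medium", "high", "critical"]
# 0 pass and 1 gate fail are the page's exit codes; warn -> 0 is an assumption.
EXIT_CODES = {"pass": 0, "warn": 0, "fail": 1}

def evaluate_gate(findings, baseline_fingerprints, gate, scanners_run=(), waived=()):
    """Decide pass / warn / fail for one CI run against a default-branch baseline."""
    threshold = SEVERITY_ORDER.index(gate.get("fail_on_severity", "high"))
    only_new = gate.get("fail_on", "new") == "new"
    baseline, waived = set(baseline_fingerprints), set(waived)
    blocking, tolerated = [], []
    for finding in findings:
        if SEVERITY_ORDER.index(finding["severity"]) < threshold:
            continue  # below the policy threshold: never affects the verdict
        fp = finding["fingerprint"]
        if fp in waived or (only_new and fp in baseline):
            tolerated.append(fp)  # accepted risk, or already on the default branch
        else:
            blocking.append(fp)
    # Hypothetical rule: a required scanner that did not run fails the gate,
    # so a skipped engine cannot produce a silent pass.
    missing = sorted(set(gate.get("required_scanners", ())) - set(scanners_run))
    if blocking or missing:
        verdict = "fail"
    elif tolerated:
        verdict = "warn"
    else:
        verdict = "pass"
    return {"verdict": verdict, "blocking": blocking,
            "tolerated": tolerated, "missing_scanners": missing}

# Constructed sample: the baseline recorded on the default branch and one PR run.
BASELINE = {"fp-sqli-orders", "fp-xss-search"}
PR_FINDINGS = [
    {"fingerprint": "fp-sqli-orders", "severity": "critical"},  # pre-existing
    {"fingerprint": "fp-ssrf-export", "severity": "high"},      # introduced by the PR
    {"fingerprint": "fp-hdr-csp", "severity": "low"},           # below threshold
]
```

With fail_on set to "new", the pre-existing critical is tolerated and only the finding introduced by the PR blocks the merge.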
SCM webhooks (zero-pipeline)
Prefer not to edit each pipeline? Point a signature-verified webhook at apPosture and it clones + scans on push/PR automatically.
GitHub → https://aspm.apposture.com/api/v1/scm/webhook/github (HMAC-SHA256 secret)
GitLab → https://aspm.apposture.com/api/v1/scm/webhook/gitlab (secret token)
Push to the default branch records a baseline; a pull/merge request runs the gate and decorates the PR.
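What "signature-verified" means on the receiving side, as an added example (not apPosture's code). The header names X-Hub-Signature-256 and X-Gitlab-Token are the ones GitHub and GitLab send; the secret, the request body and the sign_github helper are constructed for the example.

```python
import hashlib
import hmac

def lower_keys(headers: dict) -> dict:
    """HTTP header names are case-insensitive; normalise before lookup."""
    return {k.lower(): v for k, v in headers.items()}

def verify_github(secret: bytes, raw_body: bytes, headers: dict) -> bool:
    """GitHub signs the raw body: X-Hub-Signature-256: sha256=<hex HMAC-SHA256>."""
    sent = lower_keys(headers).get("x-hub-signature-256", "")
    if not secret or not sent.startswith("sha256="):
        return False  # fail closed: unconfigured secret or missing signature
    expected = "sha256=" + hmac.new(secret, raw_body, hashlib.sha256).hexdigest()
    # compare_digest avoids leaking the match position through timing.
    return hmac.compare_digest(expected.encode(), sent.encode())

def verify_gitlab(secret: bytes, headers: dict) -> bool:
    """GitLab sends the shared secret itself in X-Gitlab-Token (no body MAC)."""
    sent = lower_keys(headers).get("x-gitlab-token")
    if not secret or sent is None:
        return False
    return hmac.compare_digest(secret, sent.encode())

def sign_github(secret: bytes, raw_body: bytes) -> str:
    """Hypothetical helper: what the sender computes, used here to build test input."""
    return "sha256=" + hmac.new(secret, raw_body, hashlib.sha256).hexdigest()

# Constructed sample values for the example.
SECRET = b"constructed-demo-secret"
BODY = b'{"ref":"refs/heads/main","repository":{"full_name":"acme/payments"}}'
GITHUB_HEADERS = {"X-Hub-Signature-256": sign_github(SECRET, BODY)}
GITLAB_HEADERS = {"X-Gitlab-Token": SECRET.decode()}
```

The GitHub check must run over the exact bytes received, before any JSON parsing, because re-serialising the payload changes the bytes and the MAC no longer matches. The GitLab token does not cover the body, so payload integrity there rests on TLS.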
VS Code extension
Scan the open workspace from your editor; findings appear inline as diagnostics with one-click AI fixes. Set apposture.url + apposture.token, then run apPosture: Scan workspace. Talks only to your server.
API & tokens
Everything is under /api/v1, authenticated with a Bearer apt_… token (scoped, expiring, revocable). Interactive docs at /docs.
curl -X POST https://aspm.apposture.com/api/v1/ci/run \
-H "Authorization: Bearer apt_…" \
-F 'meta={"app":"payments","gate":{"fail_on_severity":"high","fail_on":"new"}}' \
-F "source=@src.tar.gz"
Policies
Define organization rules once: severity thresholds, required scanners, environment-specific gates, auto-escalation (e.g. KEV/exploitable → critical) and exceptions. The same engine powers the dashboard, gates and SLAs.
Compliance & SBOM
Findings map to SOC 2, PCI DSS, HIPAA, NIST and GDPR controls; generate auditor-ready evidence on-prem. Export an SBOM in CycloneDX or SPDX per application.
SLA & tickets
Set remediation SLAs by severity; breaches surface on the dashboard and drive notifications. Push findings to Jira / GitLab / Azure DevOps and sync status back via signed webhooks. The AI can open an auto-fix PR with the patch.
Reports
Executive and operational reporting: posture trends, risk-by-application, scan history, and exportable run reports - plus shareable read-only report links secured by an expiring token.
Identity & access
- ✓ SSO (SAML / OIDC) + AD group → role mapping; RBAC with granular permissions.
- ✓ MFA / TOTP with backup codes; password policy + account lockout.
- ✓ API tokens (apt_…) for CI & automation, resolved to the owning user so RBAC still applies.
- ✓ Secrets encrypted at rest (Fernet); full audit trail.
Notifications
Email (SMTP), Slack, Telegram and generic webhook channels with per-user preferences, approved templates and a delivery log. Wire alerts for new criticals, gate failures, SLA breaches and health events. Dry-run mode renders without sending (offline-safe).
Audit log
Every privileged action - scans, gate runs, status changes, config edits, token use - is recorded with actor, IP and before/after state for incident review and compliance evidence.
Backups
Scheduled, encrypted database backups with automatic verify-restore into a scratch DB, a pre-restore safety snapshot, retention pruning, and off-site targets (local volume, S3/MinIO, SFTP, fileshare).
Every backup is verified by a test-restore; every restore takes a safety snapshot first - so recovery is never a leap of faith.
Health monitor
Watches the scanner pool, database, LLM and other services; alerts on down/recovery (e.g. via Telegram) with configurable thresholds and re-alert intervals - so a stuck scanner never silently fails scans.
Threat intel
A curated threat-intel feed (KEV / NVD / GHSA) cross-references findings (CWE/CVE class, exploit-in-the-wild signals) to sharpen prioritization, correlated to your detected technology stack. Opt-in & egress-gated, so it stays air-gap friendly when you need it to.
API Security platform
apPosture ships a second, independent product for runtime API protection (waf.apposture.com): continuous discovery of documented & shadow APIs, an AI-assisted WAF that blocks attacks inline, OWASP API Top 10 auditing (BOLA, BFLA, mass assignment), bot/abuse defense, rate limiting and schema validation. Separate app, separate data - run it alongside ASPM or on its own.
© 2026 apPosture ai - Enterprise Application & API Security Platform