MobSF Exists for Mobile - So I Built One for the Web: Meet Argus
A security researcher built Argus to consolidate the tedious pre-test reconnaissance that precedes web and API security testing. The tool bundles the usual checks (headers, TLS configuration, DNS settings and so on) into one pass, offers Quick and Complete scan modes, orchestrates the work in the browser for performance, and supports several export formats for sharing results. 2026-3-30 07:27:49 Author: infosecwriteups.com (view original) Views: 11

How a simple question (“why are we still running twelve tools before DAST?”) turned into an open, no-database security intelligence app.

Ankits_pandey07

The moment it clicked

If you’ve ever opened MobSF for an APK or IPA, you know that feeling: one place, many signals - static hints, permissions, network posture, packaged into something you can actually reason about.

I kept asking: where is that “single pane” for the web and API surface?

Not another full DAST war (I already love Burp for that - and I’ve written about [automating DAST with Burp + AI agents]). I mean the earlier layer: headers, TLS, DNS for mail, what’s exposed on the host, what subdomains exist, what the front-end leaks, takeover-shaped DNS, a sane export - the stuff teams still too often run one tool at a time before they ever go “active.”

So I did what any curious AppSec person does: research, chai, and annoying my friends.

I asked: Before you go dynamic on a new target, what do you actually run?

Almost everyone said the same thing, in different words:

  • I’ll check headers in one place…
  • Then check SSL Labs or openssl for TLS details…
  • Then I’ll look at open ports using public data like Shodan instead of doing a direct scan…
  • Then review cookies for missing flags like Secure, HttpOnly, SameSite…
  • Then check robots.txt for hidden or sensitive paths…
  • Then grep the JS if I have time…
  • Then VirusTotal if it’s external-facing…

Nobody said: “I press one button and it’s all there.”

That’s where I made up my mind.

Here it is: Argus - Security Intelligence.


Live demo: Argus-security-intelligence07.vercel.app


What does Argus look like?

Argus ships a dark, scanner-first UI: hero line, Quick vs Complete depth, one input, and modules that light up as they finish. Below is the auto-generated Open Graph image from the deployed app - same vibe as the real homepage.


The favicon is generated the same way (no hand-drawn assets required):


Scanner


Code Review & Decoder

What problem does Argus actually solve?

Problem: Pre-DAST / pre-Burp recon and posture work is fragmented. You juggle browser devtools, header checkers, DNS clients, CT search, Shodan tabs, maybe a secret grep, a spreadsheet, and half a dozen bookmarks.

Argus’s bet: Give security folks and developers a single orchestrated pass over the same checks you were already going to do anyway - with no signup, no database, and exports when you need to hand something to a client or a ticket.

It is not a replacement for:

➤ Burp / ZAP (real active testing, session logic, auth flows)

➤ MobSF (mobile binaries)

➤ A full red team

It is a fast, honest posture + recon layer for web, API URLs, and IPs - the “static-ish and network-ish” moment before you go deeper.

How it works when you give it a host

You type a URL, domain, or IP and choose Quick or Complete.

Quick is the “demo + rate-limit friendly” path: headers, TLS, mail DNS (`SPF` / `DMARC`), `robots.txt` / `security.txt`, Shodan InternetDB ports, a takeover-oriented pass on the apex, stack hints from the main fetch - no heavy crawl, no VirusTotal, no Google dork, no AI summary.


Complete adds the heavier modules: source / JS crawl for secrets and library/version signals (Retire-style), subdomain discovery (e.g. certificate transparency), VirusTotal (if you configured a key), Google Programmable Search dorks (if configured), WordPress / infra exposure probes, and an optional Gemini narrative over the aggregated JSON.

Under the hood: the UI is Next.js + React. Each capability is a separate API route (`/api/scan`, `/api/ssl`, `/api/ports`, …). The browser orchestrates them: it always starts with `/api/scan`; if the target is unreachable, it stops and shows a clear dialog instead of burning quota on ghosts. Other modules run in parallel where possible. That design matters on serverless hosts (e.g. Vercel): one long job is a timeout risk; many focused jobs are not.

Guards you’d expect in a public scanner:

➤ Optional `ARGUS_API_KEY` - visitors must send the same value as `x-argus-key` or `Authorization: Bearer …`

➤ Per-IP rate limiting (in-process; good enough to slow abuse)

➤ SSRF-style blocks for private / metadata hostnames unless you explicitly flip a lab-only env flag

➤ Optional domain allowlist for multi-tenant or internal deployments

State: scan history stays in `localStorage` on that browser - nothing is stored in Argus's server database, because there isn't one.

The checks, in human language

  • Headers: HSTS, CSP, framing, cookies, and friends - evaluated using a rule-based scoring model rather than simple presence checks.
  • SSL / TLS: Certificate sanity + protocol/cipher posture from a real handshake.
  • DNS (mail): SPF & DMARC — “can this domain’s mail be spoofed easily?”
  • Site files: `robots.txt`, `security.txt` — hints and contact surface.
  • Ports: What the Internet has seen open on your IP (Shodan InternetDB - not “magic port scan from my laptop”).
  • Subdomains: CT-style discovery - “what else claims this brand?”
  • Source scan: Crawl + pattern work for secrets (redacted) and risky library versions.
  • Takeover: DNS shapes that often precede subdomain takeover - still verify manually.
  • AI summary: Optional Gemini story over the structured results - not a finding, a narrator.

Each row is a module you can reason about, retry alone, or skip via Quick.
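What “rule-based scoring rather than presence checks” looks like for the Headers module, as an added example and not the Argus implementation (the post does not give its rules or weights): each header earns a fraction of its weight according to its value, and the weights and thresholds used here are assumptions.

```javascript
// Rule table: each check returns [fraction of weight earned, finding or null]. Weights are assumed.
const RULES = [
  { id: "hsts", weight: 25, check: (h) => {
      const v = h["strict-transport-security"];
      if (!v) return [0, "HSTS missing"];
      const age = Number((/max-age=(\d+)/i.exec(v) || [])[1] || 0);
      if (age < 31536000) return [0.4, `HSTS max-age ${age} is below one year`];
      return /includesubdomains/i.test(v) ? [1, null] : [0.8, "HSTS lacks includeSubDomains"];
  } },
  { id: "csp", weight: 25, check: (h) => {
      const v = h["content-security-policy"];
      if (!v) return [0, "CSP missing"];
      const src = /(?:^|;)\s*(?:script-src|default-src)\s+([^;]*)/i.exec(v);
      if (!src) return [0.3, "CSP sets neither default-src nor script-src"];
      if (/'unsafe-inline'|'unsafe-eval'|(?:^|\s)\*(?:\s|$)/i.test(src[1])) return [0.4, "CSP script sources allow unsafe-inline, unsafe-eval or *"];
      return [1, null];
  } },
  { id: "framing", weight: 15, check: (h) => {
      const fa = /frame-ancestors\s+([^;]*)/i.exec(h["content-security-policy"] || "");
      if (fa && !/\*/.test(fa[1])) return [1, null];
      const xfo = (h["x-frame-options"] || "").trim().toUpperCase();
      return /^(DENY|SAMEORIGIN)$/.test(xfo) ? [0.8, "Framing protected only by X-Frame-Options"] : [0, "No clickjacking protection"];
  } },
  { id: "cookies", weight: 20, check: (h) => {
      const jar = [].concat(h["set-cookie"] || []);
      if (!jar.length) return [1, null];                     // nothing to protect
      const bad = jar.filter((c) => !/;\s*secure\b/i.test(c) || !/;\s*httponly\b/i.test(c) || !/;\s*samesite=(lax|strict)\b/i.test(c));
      return bad.length ? [1 - bad.length / jar.length, `${bad.length} of ${jar.length} cookie(s) lack Secure, HttpOnly or SameSite`] : [1, null];
  } },
  { id: "nosniff", weight: 10, check: (h) => /^nosniff$/i.test((h["x-content-type-options"] || "").trim()) ? [1, null] : [0, "X-Content-Type-Options missing"] },
  { id: "referrer", weight: 5, check: (h) => h["referrer-policy"] ? [1, null] : [0, "Referrer-Policy missing"] },
];

// headers: object keyed by header name (any case); set-cookie may be a string or an array.
function scoreHeaders(headers) {
  const h = Object.fromEntries(Object.entries(headers).map(([k, v]) => [k.toLowerCase(), v]));
  let score = 0, findings = [];
  for (const r of RULES) {
    const [ratio, msg] = r.check(h);
    score += r.weight * ratio;
    if (msg) findings.push(`${r.id}: ${msg}`);
  }
  return { score: Math.round(score), findings };
}

// Constructed sample: every header a presence check would tick is there, yet the values are weak.
const SAMPLE = { "Strict-Transport-Security": "max-age=300", "X-Frame-Options": "sameorigin",
  "Content-Security-Policy": "default-src 'self' 'unsafe-inline'",
  "Set-Cookie": ["session=abc; Path=/; HttpOnly", "theme=dark; Path=/; Secure; HttpOnly; SameSite=Lax"] };
console.log(scoreHeaders(SAMPLE));   // score 42 with six findings
```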

Why I’m excited about this model

  • Honest scope: It doesn’t pretend to be Burp. It compresses the boring prelude.
  • Composable: Same app runs local (`npm run dev`) or hosted (I use [Vercel] for the public demo).
  • Exportable: JSON snapshot, CSV, SARIF subset, PDF - your PM / client / Jira doesn’t need a login.
  • Internationalized UI - multiple languages for labels and dates, because researchers aren’t all in one timezone or locale.
  • High-contrast mode - a small feature that makes a big difference during long sessions.

What’s next (and I’d love collaborators)

Argus is young and intentionally scoped. Things I’m thinking about adding in future:

  • Richer static rules for pasted code (today: heuristics + optional Semgrep where the CLI exists — not on vanilla serverless).
  • Deeper API discovery (OpenAPI import, HAR-aware checks) - still authorised testing only.
  • Better false-positive hygiene on secret patterns (context + entropy + path blocklists).
  • Optional persistence for teams who want a DB - behind real auth.

If you want to co-build, break it ethically, or sponsor a feature, I’m genuinely happy to collaborate.

👉 GitHub: Ankitspandey07 / Argus - Security-Intelligence

👉 LinkedIn: linkedin.com/in/ankits-pandey07

👉 Live app: argus-security-intelligence.vercel07.app

Only point Argus at systems you are explicitly authorised to test. Third-party APIs (VirusTotal, Shodan InternetDB, Gemini, etc.) have their own terms and quotas. If you run a public instance, use `ARGUS_API_KEY`, tune rate limits, and sleep better.

MobSF answered a question for mobile. I wanted a straight answer for web and API posture - the before-Burp chapter - without running twelve tabs first.

Argus compresses 15 - 20 minutes of repetitive recon work into a single orchestrated scan, allowing engineers to focus on actual vulnerabilities instead of setup. If this saves you even twenty minutes on your next assessment, the experiment was worth it.

Got Questions or Want to Discuss AI Security?

I’m always happy to chat about vulnerabilities, testing strategies, and the latest attack vectors. Feel free to reach out or drop your thoughts in the comments; I’ll be happy to help, collaborate, or learn from your experiences.

Happy Hacking! 🚀

LinkedIn handle: https://www.linkedin.com/in/ankits-pandey07/


Source: https://infosecwriteups.com/mobsf-exists-for-mobile-so-i-built-one-for-the-web-meet-argus-6fbaf37557c8?source=rss----7b722bfd1b8d---4