Welcome to DEM, a fully containerized cybersecurity evaluation system designed to support authorized analysts in conducting structured host discovery, container analysis, vulnerability enumeration, exploitation testing, and reporting operations.
DEM operates as a self-contained Docker Compose environment, bundling the backend, frontend, and Neo4j database into isolated containers.
- Overview
- Walkthrough Video
- Interface Preview
- Architecture Summary
- Product Features
- Deployment Using Docker Compose
- Database Schema
- Backend Architecture
- CAT 1 STIG Justification
- License
- Support & Subsystem Responsibilities
DEM is an integrated vulnerability‑assessment and exploitation platform that unifies host discovery, container enumeration, topology mapping, vulnerability analysis, exploitation workflows, and reporting into a single cohesive system.
The platform enables analysts to:
- Detect hosts and running Docker containers within a target host
- Retrieve metadata, open ports, services, and container configurations
- Analyze container relationships and generate interactive topology visualizations
- Perform vulnerability enumeration using Trivy, Grype, Dockle, and Gobuster
- Execute controlled exploitation with Metasploit and record supporting artifacts
- Compile and export structured reports in PDF, CSV, or XML formats
DEM is designed for use within a controlled environment and assumes users are authenticated prior to accessing the system. User authorization is handled externally, while DEM focuses exclusively on analysis, exploitation workflows, and reporting.
A complete end-to-end walkthrough of DEM, including installation, SSH tunnel setup, discovery, assessment, exploitation, topology mapping, and report generation.
Watch the full walkthrough: https://youtu.be/_i_yWlXTyA8?si=LhkWMEVHj1w9CHYm
 Dashboard |
 Discovery |
 Assessment |
 Exploitation |
 Reporting |
 Topology Map |
- Frontend: SvelteKit application (
5173) - Backend: FastAPI service (
8000) - Database: Neo4j Graph Database (
7474,7687) - Security Tools: Trivy, Grype, Gobuster, Nmap, Dockle, Metasploit
- Managers: Handle project lifecycle, scans, topology, dashboard functions, and secure DB operations.
DEM operates as four coordinated Docker containers, each with a dedicated role within the system architecture:
| Container | Purpose | Description |
|---|---|---|
| Frontend | User Interface | Hosts the SvelteKit application that delivers all pages for discovery, assessment, exploitation, reporting, and topology visualization. |
| Backend | API & Processing Layer | Runs the FastAPI backend, all managers, tool interfaces, routing logic, and system orchestration. |
| Neo4j | Primary Data Store | Stores projects, topology graphs, scan results, activities, notes, and all operational data. |
| Neo4j Backup | Automated Backup Sidecar | Continuously performs scheduled backups of Neo4j data volumes to prevent data loss during restarts, resets, or redeployments. |
| Tool | Version |
|---|---|
| Docker Engine | 28.x |
| Dockle | 0.4.15 |
| Gobuster | 3.6.0 |
| Grype | 0.91.0 |
| Trivy | 0.61.1 |
| Nmap | 7.95 |
| Metasploit Framework | 6.4 |
| SSH/OpenSSH | 10.x |
DEM/
├── backend/
│ ├── app/
│ │ ├── core/
│ │ ├── managers/
│ │ ├── models/
│ │ ├── routes/
│ │ ├── tools/
│ │ ├── utils/
│ │ └── main.py
│ └── tests/
│ ├── Dockerfile
│ └── pyproject.toml
│
├── frontend/
│ ├── src/
│ │ ├── lib/
│ │ ├── routes/
│ ├── static/
│ ├── package.json
│ └── Dockerfile
│
├── sample_data/
├── scripts/
├── docker-compose.yml
└── README.md
- Project Management (create, open, archive, import/export)
- Container Identification
- Topology Mapping
- Vulnerability Analysis using Trivy, Grype, Dockle, Gobuster
- Exploitation Workflow using Metasploit
- Dashboard Management (activity logs, notes, container history)
- Report Generation (PDF, XML, CSV)
- Docker Desktop or Docker Engine
- Ability to run Docker containers
- SSH tunnel to target hosts must be prepared prior to discovery
- Authorized DAC analyst access
- Operating System: Compatible with x86, ARM, and any Docker-based Linux host (targeted for Kali).
- CPU: 4-core, 2.5 GHz
- Memory: 8 GB RAM
- Disk: 10 GB
- Network:
- Ethernet or wireless adapter supporting 100 Mbps or higher
- SSH (port 22 or custom) from the DEM host to each target host
- Local access to the following ports on the DEM host:
5173(frontend),8000(backend),7474and7687(Neo4j)
DEM relies on an SSH-based SOCKS5 tunnel so the backend can reach the target host and its containers.
Before creating the tunnel, ensure:
- SSH key-based access to the target host (
TARGET_HOST_USER@TARGET_HOST_IP) is available. - The appropriate private key is loaded into an SSH agent.
Tip
For guidance on generating or managing SSH keys, see: SSH key generation guide
Run the following on the DEM host machine (not inside Docker) before using Discovery or Exploitation:
ssh -f -N -D 0.0.0.0:PORT_NUMBER TARGET_HOST_USER@<TARGET_HOST_IP>Note
The tunnel port may be changed per host if desired.
- -f — Run SSH in the background after authentication.
- -N — Do not execute a remote command; just forward ports.
- -D 0.0.0.0:PORT_NUMBER — Start a SOCKS5 proxy on specified port bound to all interfaces.
Once the SOCKS5 tunnel is active, the DEM backend routes traffic selectively based on the operation being performed. Exploitation tools such as msfconsole are routed through
proxychains4so their traffic traverses the SSH-backed SOCKS5 tunnel. Nmap is used in two distinct modes. Host reachability checks (for example, validating SSH on port 22) are performed directly from the backend without proxying. When validating container-level ports, Nmap is routed throughproxychains4so that container IPs—reachable only through the remote Docker host—can be tested accurately. Gobuster uses its explicit--proxyflag, as it does not reliably inherit proxychains behavior.
- Clone the repository
git clone https://github.com/christiandees/CS4311_DEM_Bravo_Fall2025.git
cd CS4311_DEM_Bravo_Fall2025- Start the environment
docker compose up --buildTip
Run the environment in detached mode to keep the console clear and avoid excessive output:
docker compose up -d --buildNote
The build process may take 5–10 minutes due to installing large assets, including the full SecLists collection for Gobuster and Metasploit’s Ruby-based dependencies.
This launches:
- Neo4j
- Neo4j backup
- FastAPI backend
- SvelteKit frontend
- All security tool interfaces
- Access services
| Service | URL |
|---|---|
| Frontend | http://localhost:5173 |
| Backend API | http://localhost:8000 |
| Neo4j Browser | http://localhost:7474 |
- Health check
curl http://localhost:8000/healthExpected:
{"ok": true}| Action | Command |
|---|---|
| Stop all containers | docker compose down |
| Rebuild | docker compose up --build |
| View logs | docker compose logs -f |
| Restart backend | docker compose restart backend |
| Reset (remove volumes) | docker compose down -v |
| Issue | Resolution |
|---|---|
| Port conflict | Free ports 7474, 7687, 8000, 5173 |
| Backend can't reach Neo4j | Wait 5–10 seconds; backend retries automatically |
| Containers start incorrectly | docker compose down && docker compose up --build |
| Neo4j password mismatch | Update the NEO4J_AUTH variable |
flowchart TB
classDef root fill:#e8f0ff,stroke:#2f5597,stroke-width:1.5px,color:#1a3557,font-size:14px,font-weight:bold;
classDef mid fill:#f7f9fc,stroke:#8a9bb5,stroke-width:1.1px,color:#2f3a45,font-size:12px;
classDef leaf fill:#fff9e6,stroke:#c9a34e,stroke-width:1px,color:#5c4a1d,font-size:11px;
linkStyle default stroke:#777,stroke-width:0.8px,color:#444,fill:none;
Project["Project"]:::root
Host["Host"]:::mid
Container["Container"]:::mid
Scan["Scan"]:::mid
Vulnerability["Vulnerability"]:::leaf
Finding["Finding"]:::leaf
Activity["Activity Log"]:::mid
Note["Note"]:::mid
Project -->|HAS_HOST| Host
Host -->|HAS_CONTAINER| Container
Container -->|HAS_SCAN| Scan
Scan -->|FOUND| Vulnerability
Scan -->|FOUND| Finding
Project -->|HAS_ACTIVITY| Activity
Project -->|HAS_NOTE| Note
flowchart TD
classDef api fill:#e7f0ff,stroke:#205295,stroke-width:1.5px,color:#102544,font-weight:bold;
classDef mgr fill:#f4f7ff,stroke:#3b6fb6,stroke-width:1.3px,color:#102544;
classDef tool fill:#edf4ff,stroke:#5b8fe0,stroke-width:1.3px,color:#102544;
classDef db fill:#d8e6ff,stroke:#1b437d,stroke-width:1.8px,color:#0b2440,font-weight:bold;
subgraph API_Routes["API Layer — Routes"]
direction TB
DiscoveryAPI
AssessmentAPI
ExploitationAPI
ReportsAPI
TopologyAPI
end
class API_Routes,DiscoveryAPI,AssessmentAPI,ExploitationAPI,ReportsAPI,TopologyAPI api;
subgraph Managers["Managers / Service Layer"]
direction TB
ProjectManager
ScanInfoManager
DiscoveryManager
ContainerInfoManager
HostInfoManager
DashboardManager
TopologyManager
ReportManager
NotesManager
ActivityManager
end
class Managers,ProjectManager,ScanInfoManager,DiscoveryManager,ContainerInfoManager,HostInfoManager,DashboardManager,TopologyManager,ReportManager,NotesManager,ActivityManager mgr;
subgraph Tools["Tool Interfaces"]
direction TB
NmapInterfacer
TrivyInterfacer
GrypeInterfacer
DockleInterfacer
GobusterInterfacer
MetasploitInterfacer
DockerInterfacer
end
class Tools,NmapInterfacer,TrivyInterfacer,GrypeInterfacer,DockleInterfacer,GobusterInterfacer,MetasploitInterfacer,DockerInterfacer tool;
subgraph DataLayer["Data & Security Layer"]
direction TB
DatabaseSecurityManager
DatabaseManager
Neo4j[(Neo4j Graph DB)]
end
class DataLayer,DatabaseSecurityManager,DatabaseManager,Neo4j db;
API_Routes --> Managers
Managers --> Tools
Managers --> DatabaseManager
DatabaseSecurityManager --> DatabaseManager
DatabaseManager --> Neo4j
This section documents mitigation and justification for all Category I STIG vulnerabilities relevant to the DEM application.
| VULNERABILITY ID | DESCRIPTION | MITIGATING REASON |
|---|---|---|
| V – 222400 | Validity periods must be verified on all application messages using WS-Security or SAML assertions. | For this project, this would not apply. |
| V – 222404 | The application must use both the NotBefore and NotOnOrAfter elements or OneTimeUse element when using the Conditions element in a SAML assertion. | For this project, this would not apply. |
| V – 222612 | The application must not be vulnerable to overflow attacks. | DEM mitigates overflow attacks by implementing: Input Validation Buffer Size Checks Secure Coding Practices Memory Safety Languages Static Code Analysis Dynamic Analysis |
| V – 222578 | The application must destroy the session ID value and/or cookie on logoff or browser close. | There will be no sessions established on this project. |
| V – 222430 | The application must execute without excessive account permissions. | DEM will inherit permission inline with DAC Analysts. |
| V – 222432 | The application must enforce the limit of three consecutive invalid logon attempts by a user during a 15-minute time period. | For this project, this would not apply. |
| V – 222577 | The application must not expose session IDs. | For this project, this does not apply. |
| V – 222609 | The application must not be subject to input handling vulnerabilities. | DEM address input handling vulnerabilities by implementing: Avoid trusting user input Use parameterized queries File upload security (valid file types and restrict size) Error Handling Input Validation |
| V – 222608 | The application must not be vulnerable to XML-oriented attacks | For this project, this does not apply. |
| V – 222602 | The application must protect from Cross-Site Scripting (XSS) vulnerabilities | DEM mitigates Cross-Site Scripting (XSS) vulnerabilities by implementing: Output encoding Use frameworks with built-in protection (.g. React, Angular, Vue...) Escape Dynamic JavaScript values |
| V – 222601 | The application must not store sensitive information in hidden fields | DEM does not store sensitive information in hidden fields by implementing these practices: Avoid Storing Sensitive Data Secure Communication Channels Use local storage Data Masking |
| V – 222607 | The application must not be vulnerable to SQL Injection. | Neo4J is a NoSQL database and not susceptible to traditional SQL injection attacks. DEM prevents NoSQL injection by implementing: Use parameterized queries Sanitize input Error Handling Update dependencies |
| V – 222604 | The application must be protected from command injection. | DEM mitigates command injection vulnerabilities, especially in the context of using Neo4J, by implementing: Use parameterized queries Sanitize input Error Handling Update dependencies |
| V – 222403 | The application must use the NotOnOrAfter condition when using the SubjectConfirmation element in a SAML assertion. | The analysts shall not be required to log in, so this does not apply. |
| V – 222585 | The application must fail to a secure state if system initialization fails, shutdown fails, or aborts fail. | DEM fails to a secure state by implementing: Error handling Graceful initialization Shutdown process Abort handling Testing Scenarios |
| V – 222550 | The application, when utilizing PKI-based authentication, must validate certificates by constructing a certification path to an accepted trust anchor. | DEM shall validate certificates as necessary to ensure system security and trustworthiness. |
| V – 222522 | The application must uniquely identify and authenticate organizational users (or processes acting on behalf of organizational users). | For this project, this would not apply. |
| V – 222554 | The application must not display passwords/PINs as clear text. | For this project, this would not apply. |
| V – 222596 | The application must protect the confidentiality and integrity of transmitted information. | DEM Will communicate with devices using an SSH Encrypted Channel. |
| V – 222399 | Messages protected with WS_Security must use time stamps with creation and expiration times. | N/A DEM will not use WS_Security tokens. |
| V – 222658 | All products must be supported by the vendor or the development team. | All products from DEM will be supported by the development team and vendor. |
| V – 222659 | The application must be decommissioned when maintenance or support is no longer available. | When decommissioned DEM will be available to terminate any files and storage |
| V – 222551 | The application, when using PKI-based authentication, must enforce authorized access to the corresponding private key. | All PKI-Based Authentication shall give access to a corresponding private key. |
| V – 222620 | Application web servers must be on a separate network segment from the application and database servers if it is a tiered application operating in the DoD DMZ. | DEM will have no use of the internet. |
| V – 222536 | The application must enforce a minimum 15-character password length. | For this project, this would not apply. |
| V – 222643 | The application must have the capability to mark sensitive/classified output when required. | DEM gives the option to mark sensitive data to specific users. |
| V – 222542 | The application must only store cryptographic representations of passwords. | For this project, this would not apply. |
| V – 222543 | The application must transmit only cryptographically-protected passwords. | For this project, this would not apply. |
| V – 222425 | The application must enforce approved authorizations for logical access to information and system resources in accordance with applicable access control policies. | DEM gives the approved user specific data they are entrusted with. |
| V – 222642 | The application must not contain embedded authentication data. | For this project, this would not apply. |
| V – 222662 | Default passwords must be changed. | For this project, this would not apply. |
| V – 222555 | The application must use mechanisms meeting the requirements of applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance for authentication to a cryptographic module. | DEM will follow all the guidelines of Federal Laws, Executive Orders, Policies, Regulations, Stands for the cryptographic module. |
This project is for educational, evaluation, and controlled deployment use unless otherwise licensed.
| Subsystem | Responsibilities | Contact |
|---|---|---|
| Subsystem 1 | - Dashboard View & Backend - Discovery Views & Backends - Docker PS & SSH Tunnel Compatibility - Nmap Component |
Team 7 Ivan Armenta iarmenta@miners.utep.edu |
| Subsystem 2 | - Projects Component - Assessment Views & Backends - Grype Component |
Team 16 Joe Mota jamota@miners.utep.edu |
| Subsystem 3 | - Topology Map Views & Backends - Database - Trivy Component |
Team 14 Javier Falliner jefalliner@miners.utep.edu |
| Subsystem 4 | - Exploitation Views & Backends - Reporting Views & Backends - Dockle Component |
Team 15 Victor Gonzalez vggonzalez3@miners.utep.edu |