Enterprise-Grade Security Assessment, Risk Quantification, and Compliance Platform
Donjon replaces $110K+/yr in commercial security tooling (Tenable, Qualys, RiskLens, Drata) with a single platform. 17 security scanners, 30 compliance frameworks, AI-powered analysis, FAIR risk quantification, and post-quantum secure licensing -- all deployable from a USB drive, fixed installation, Docker, or CI/CD pipeline.
License: Proprietary EULA. See LICENSE for the full End User License Agreement.
| Capability | Details |
|---|---|
| Scanners | 17 built-in scanners: network, vulnerability, web, SSL/TLS, Windows, Linux, Active Directory, cloud (AWS/Azure/GCP), container, SBOM, compliance, credential, ASM, OpenVAS, malware, shadow AI, and full-suite orchestration |
| Compliance | 30 frameworks including NIST 800-53, NIST CSF 2.0, HIPAA, PCI-DSS v4, ISO 27001:2022, SOC 1/2 Type II, CMMC, FedRAMP, GDPR, SOX, HITRUST, DORA, NIS2, EU AI Act, and more |
| AI Engine | 6-provider fallback chain: Ollama (local), StepFun Step 3.5 Flash, Anthropic Claude, Google Gemini, OpenAI GPT-4, and pure-Python template (always available, no LLM needed) |
| Risk Quantification | FAIR taxonomy with Monte Carlo simulation (10,000 iterations), dollar-quantified ALE, EPSS/KEV/CVSS correlation |
| Licensing | Post-quantum secure: dual ML-DSA-65 (NIST FIPS 204) + Ed25519 signatures, machine fingerprint binding, revocation list support |
| Deployment | One-click start, air-gap ready, USB portable, Docker Compose, CI/CD headless mode |
| Database | Dual backend: SQLite (default, portable) or PostgreSQL (production) |
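To make the risk quantification row concrete, here is an added example (not Donjon's own code) of a FAIR-style Monte Carlo: it draws threat event frequency, vulnerability and loss magnitude for 10,000 simulated years (the same count as the platform's default) and reports the mean annual loss as ALE alongside tail percentiles. The scenario values and the triangular distributions are constructed assumptions, not the platform's calibrated IBM/Ponemon benchmarks.

```python
import random
import statistics

ITERATIONS = 10_000  # same count as risk.monte_carlo_iterations in config.yaml

# Constructed inputs for one FAIR scenario as (min, most likely, max).
# Triangular distributions are an assumption for illustration, not Donjon's
# calibrated model or its industry benchmark data.
SCENARIO = {
    "threat_event_frequency": (1.0, 4.0, 12.0),         # threat events per year
    "vulnerability": (0.10, 0.30, 0.60),                # P(threat event becomes a loss)
    "loss_magnitude": (10_000.0, 50_000.0, 250_000.0),  # dollars per loss event
}


def simulate_annual_losses(scenario=SCENARIO, iterations=ITERATIONS, seed=7):
    """Return one simulated annual loss in dollars per iteration.

    FAIR: Loss Event Frequency = Threat Event Frequency x Vulnerability, and the
    year's loss is the sum of a Loss Magnitude draw for every loss event.
    """
    rng = random.Random(seed)  # fixed seed keeps the simulation reproducible
    tef_lo, tef_mode, tef_hi = scenario["threat_event_frequency"]
    v_lo, v_mode, v_hi = scenario["vulnerability"]
    lm_lo, lm_mode, lm_hi = scenario["loss_magnitude"]
    annual = []
    for _ in range(iterations):
        tef = rng.triangular(tef_lo, tef_hi, tef_mode)  # signature is (low, high, mode)
        vuln = rng.triangular(v_lo, v_hi, v_mode)
        # Each threat event this year turns into a loss event with probability vuln.
        loss_events = sum(1 for _ in range(round(tef)) if rng.random() < vuln)
        annual.append(sum(rng.triangular(lm_lo, lm_hi, lm_mode) for _ in range(loss_events)))
    return annual


def summarize(annual_losses):
    """ALE is the mean simulated annual loss; percentiles describe the tail."""
    cuts = statistics.quantiles(annual_losses, n=100)  # cuts[k-1] is the k-th percentile
    return {
        "ale": statistics.fmean(annual_losses),
        "p50": cuts[49],
        "p90": cuts[89],
        "p99": cuts[98],
    }


if __name__ == "__main__":
    s = summarize(simulate_annual_losses())
    print(f"ALE ${s['ale']:,.0f}  p50 ${s['p50']:,.0f}  p90 ${s['p90']:,.0f}  p99 ${s['p99']:,.0f}")
```

The p90/p99 figures are what a risk owner compares against budget or insurance limits; ALE alone hides the tail.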
| Feature | Community (Free) | Pro | Enterprise | Managed (MSSP/MSP) |
|---|---|---|---|---|
| Core scanners (network, vuln, web, SSL, Windows, Linux, compliance) | Yes | Yes | Yes | Yes |
| Advanced scanners (AD, cloud, container, SBOM, ASM, credential, OpenVAS, malware, shadow AI) | -- | Yes | Yes | Yes |
| Scan depths | Quick, Standard | All | All | All |
| Max targets per scan | 16 | Unlimited | Unlimited | Unlimited |
| Export formats | CSV, JSON | All (HTML, PDF, SARIF, XML) | All | All |
| Compliance frameworks | 3 | Unlimited | Unlimited | Unlimited |
| AI queries/day | 10 | Unlimited | Unlimited | Unlimited |
| Scheduled scans | -- | Yes | Yes | Yes |
| Users | 1 | 25 | Unlimited | Unlimited |
| SSO / RBAC | -- | -- | Yes | Yes |
| Multi-tenant | -- | -- | Yes | Yes |
| Client provisioning, rollup reporting, sub-licensing | -- | -- | -- | Yes |
| Price | Free | Licensed | Licensed | Licensed |
Community tier requires no license file. Paid tiers are activated by placing a signed license file (data/license.json) generated by the offline license admin tool.
```powershell
# Windows -- double-click START.bat, or:
.\START.bat
```

```bash
# Linux / macOS
./bin/setup.sh && python3 bin/donjon-launcher
```

START.bat calls bin\donjon-launcher.bat, which creates a virtual environment, installs dependencies, and launches the TUI on first run.
```bash
# Start the REST API + dashboard
python bin/start-server.py
# Custom port, no auth (development)
python bin/start-server.py --port 9090 --no-auth
# Dashboard: http://localhost:8443/
# API base: http://localhost:8443/api/v1/
```

The --no-auth flag disables API authentication and is meant for local development only.

```bash
# Production stack (API + PostgreSQL + scheduler)
docker compose up -d
# Environment variables
POSTGRES_PASSWORD=secure_password
DONJON_API_KEYS=your-api-key
NVD_API_KEY=your-nvd-key # optional, speeds up intel downloads
```

Copy the entire project directory to a USB drive. Plug in and run the launcher directly -- no network or installation required. The platform auto-detects USB mode and disables cloud scanning, defaults AI to the template backend, and uses local SQLite for all data.
```bash
# Linux/macOS
python3 /media/USB_DRIVE/donjon-platform/bin/donjon-launcher
```

```powershell
# Windows
E:\donjon-platform\START.bat
```

```yaml
# GitHub Actions example
- name: Security Scan
  run: |
    python3 bin/donjon-launcher quick --output sarif
```

The platform aggregates 7 intelligence sources into a local SQLite database for offline use:
| Source | Entries | What It Provides |
|---|---|---|
| NVD (NIST) | 318,225 CVEs | CVSS scores, CWE mappings, references, affected products |
| EPSS (FIRST.org) | 314,949 scores | Exploit probability predictions for every CVE |
| CISA Vulnrichment | 130,904 decisions | SSVC triage: Act / Attend / Track per CVE |
| Exploit-DB | 30,215 mappings | CVE-to-public-exploit cross-references |
| Nuclei Templates | 3,782 templates | CVE-to-detection-template mappings |
| Metasploit | 3,482 modules | CVE-to-Metasploit-module mappings |
| CISA KEV | 1,513 entries | Known actively exploited vulnerabilities |
| Total | 803,070+ | |
```bash
# Quick mode (~2 min): KEV + full EPSS + 14-day NVD
python3 bin/update-intel.py --quick
# Full mode (~2 hrs with API key): all 7 sources, 2-year NVD coverage
NVD_API_KEY=your-key python3 bin/update-intel.py
# Check database status
python3 bin/update-intel.py --status
```

Get a free NVD API key at https://nvd.nist.gov/developers/request-an-api-key (10x faster downloads).
| Feature | Tenable | Qualys | Rapid7 | RiskLens ($50K) | Drata ($10K) | Donjon v7.0 |
|---|---|---|---|---|---|---|
| Network scanning | Yes | Yes | Yes | No | No | Yes |
| Web app scanning | Paid | Yes | Yes | No | No | Yes |
| FAIR Risk ($$$) | No | No | No | Core | No | Yes |
| AI Analysis | Add-on | Add-on | No | No | Add-on | Yes |
| Container Security | Paid | Paid | Yes | No | No | Yes |
| SBOM Generation | No | SCA | No | No | No | Yes |
| Cloud Security | Paid | Paid | Paid | No | Partial | Yes |
| CI/CD + SARIF | Limited | Limited | Limited | No | Yes | Yes |
| Attack Surface Mgmt | Paid | Paid | Paid | No | No | Yes |
| 30 Compliance Fwks | Partial | Partial | Partial | No | Yes | Yes |
| USB Portable | No | No | No | No | No | Yes |
| Air-gapped Operation | No | No | No | No | No | Yes |
| Requirement | Details |
|---|---|
| Python | 3.10+ (3.11+ recommended) |
| RAM | 4 GB minimum |
| Disk | 1 GB (100 MB base + up to 800 MB for full vulnerability intelligence DB) |
| OS | Windows 11, Linux (any modern distro), macOS |
| Tool | Purpose | Required? |
|---|---|---|
| nmap | Network scanning | Recommended |
| nikto | Web scanning | Optional |
| nuclei | Vulnerability scanning | Optional |
| testssl.sh | SSL assessment | Optional (Linux/macOS) |
| trivy | Container/SBOM vuln check | Optional |
| amass | Active DNS enumeration | Optional |
| docker/podman | Container scanning | Optional |
| aws/az/gcloud | Cloud scanning | Optional |
All scanners gracefully degrade when external tools are unavailable.
Main configuration file: config/active/config.yaml

```yaml
ai:
  provider: 'template'        # template | ollama | openai | anthropic | gemini | stepfun
  sanitize_external: true     # Strip IPs/hostnames for external LLMs
risk:
  industry: 'technology'      # Maps to IBM/Ponemon benchmarks
  monte_carlo_iterations: 10000
compliance:
  frameworks:
    - 'NIST-800-53'
    - 'HIPAA'
    - 'PCI-DSS-v4'
    - 'ISO27001-2022'
cicd:
  security_gate:
    fail_on_critical: true
    max_high: 5
```

See docs/CONFIGURATION.md for the complete reference.
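As an added illustration (not Donjon's own code) of what the cicd.security_gate settings mean when the CI step exports SARIF: a small Python gate that tallies findings by severity and fails the job according to fail_on_critical and max_high. Reading severity from each result's `properties` field in the constructed SARIF is an assumption about the report layout.

```python
import json
from collections import Counter

# Gate thresholds mirroring the cicd.security_gate block in config.yaml.
GATE = {"fail_on_critical": True, "max_high": 5}

# Constructed SARIF 2.1.0 fragment standing in for a `--output sarif` report.
# Taking severity from each result's "properties" is an assumption about layout.
SAMPLE_SARIF = json.dumps({
    "version": "2.1.0",
    "runs": [{
        "tool": {"driver": {"name": "donjon-example"}},
        "results": [
            {"ruleId": "EXAMPLE-0001", "level": "error", "properties": {"severity": "critical"}},
            {"ruleId": "EXAMPLE-0002", "level": "error", "properties": {"severity": "high"}},
            {"ruleId": "EXAMPLE-0003", "level": "warning", "properties": {"severity": "medium"}},
        ],
    }],
})


def count_by_severity(sarif_text):
    """Tally results across all runs by severity (lower-cased); missing -> 'unknown'."""
    counts = Counter()
    for run in json.loads(sarif_text).get("runs", []):
        for result in run.get("results", []):
            sev = result.get("properties", {}).get("severity", "unknown")
            counts[str(sev).lower()] += 1
    return counts


def evaluate_gate(counts, gate=GATE):
    """Apply fail_on_critical and max_high; return (passed, reasons for failure)."""
    reasons = []
    criticals = counts.get("critical", 0)
    highs = counts.get("high", 0)
    if gate.get("fail_on_critical") and criticals > 0:
        reasons.append(f"{criticals} critical finding(s) and fail_on_critical is set")
    if highs > gate.get("max_high", 0):
        reasons.append(f"{highs} high finding(s) exceeds max_high={gate.get('max_high', 0)}")
    return (not reasons, reasons)


if __name__ == "__main__":
    passed, why = evaluate_gate(count_by_severity(SAMPLE_SARIF))
    print("security gate passed" if passed else "security gate FAILED: " + "; ".join(why))
    raise SystemExit(0 if passed else 1)  # non-zero exit fails the CI job
```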
| Document | Description |
|---|---|
| ARCHITECTURE.md | Platform architecture, module layout, data flow |
| SECURITY.md | Cryptographic design, license verification, security model |
| API.md | REST API reference (all endpoints) |
| DEPLOYMENT.md | Deployment guide (Windows, Linux, Docker, air-gap) |
| QUICKSTART.md | 5-minute cross-platform setup guide |
| FEATURES-v7.md | Detailed v7.0 feature documentation |
| CONFIGURATION.md | Complete config.yaml reference |
| CLI-REFERENCE.md | Command-line interface reference |
| WINDOWS-GUIDE.md | Windows 11 setup and usage |
| TROUBLESHOOTING.md | Common issues and solutions |
| CHANGELOG-v7.md | v7.0 release notes |
- All scanning requires explicit authorization
- Cloud credentials never stored in portable (USB) mode
- LLM data sanitization strips infrastructure details before external API calls
- Container scanner uses read-only operations only
- Post-quantum license verification (ML-DSA-65 + Ed25519 dual-signature)
- No private keys in product code; verification-only public keys embedded
- Credential storage uses Fernet symmetric encryption
- Evidence database contains sensitive data -- protect accordingly
To report a security vulnerability, see docs/SECURITY.md.
Proprietary EULA. See LICENSE for the full End User License Agreement.
By using this software you agree to the terms of the EULA. Professional security assessment use only. Only scan networks with explicit written authorization.
Donjon Platform v7.0 -- Enterprise-Grade Security Assessment, Risk Quantification, and Compliance