
ETC Collector - Open Source Security Auditor

Identity security auditor rewritten from Node.js to Go. Single binary, zero dependencies. 400+ checks, ADCS ESC1-11 auditing, concurrent LDAP queries. REST API (Gin), Docker multi-arch, audits 500 users in under 60 seconds. Sustainable Use License.

Tags: Go, LDAP/LDAPS, Microsoft Graph API, Docker, Gin, Cobra CLI, JWT, SMB

Go-Based CLI + REST API Architecture

Open-source security auditor rewritten from Node.js to Go for performance and portability

01 CLI & REST API

Cobra CLI framework + Gin HTTP server on port 8443. JWT authentication, rate limiting (100 req/min), async job support with polling for large domains. Health check endpoint.

Tags: Cobra CLI, Gin, JWT, Rate Limiting

02 Audit Engine
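The per-client-IP rate limit described above (100 requests per minute) is the kind of control that sits in front of the JWT check so unauthenticated callers cannot burn through the API. The following is an added example, not the project's own middleware: it uses the standard net/http package rather than Gin (the handler shape differs only in the wrapper), keeps a sliding window of timestamps per IP, and takes the client address from the TCP peer rather than from a spoofable header. The limit, window and sample addresses are assumptions for the example.

```go
package main

import (
	"net"
	"net/http"
	"sync"
	"time"
)

// Limiter keeps a sliding window of request timestamps per client IP.
type Limiter struct {
	mu     sync.Mutex
	limit  int
	window time.Duration
	hits   map[string][]time.Time
	now    func() time.Time // injectable clock so the behaviour can be tested deterministically
}

// NewLimiter builds a limiter allowing `limit` requests per `window` for each client IP.
func NewLimiter(limit int, window time.Duration) *Limiter {
	return &Limiter{limit: limit, window: window, hits: map[string][]time.Time{}, now: time.Now}
}

// Allow records a request for ip and reports whether it falls within the limit.
// Timestamps older than the window are dropped first, so the window slides.
func (l *Limiter) Allow(ip string) bool {
	l.mu.Lock()
	defer l.mu.Unlock()
	now := l.now()
	cutoff := now.Add(-l.window)
	kept := l.hits[ip][:0]
	for _, t := range l.hits[ip] {
		if t.After(cutoff) {
			kept = append(kept, t)
		}
	}
	if len(kept) >= l.limit {
		l.hits[ip] = kept
		return false
	}
	l.hits[ip] = append(kept, now)
	return true
}

// ClientIP uses the peer address of the connection. A client-supplied header such as
// X-Forwarded-For is only trustworthy when a reverse proxy you control sets it.
func ClientIP(r *http.Request) string {
	host, _, err := net.SplitHostPort(r.RemoteAddr)
	if err != nil {
		return r.RemoteAddr
	}
	return host
}

// Middleware answers 429 with a Retry-After hint before the JWT check or handler runs.
func (l *Limiter) Middleware(next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if !l.Allow(ClientIP(r)) {
			w.Header().Set("Retry-After", "60")
			http.Error(w, "rate limit exceeded", http.StatusTooManyRequests)
			return
		}
		next.ServeHTTP(w, r)
	})
}
```

Wire it as `limiter.Middleware(jwtMiddleware(handler))` so the cheapest check runs first; the map grows with the number of distinct client IPs, so a long-running server should also evict idle entries periodically.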

400+ detectors across 15 categories. Self-registering detector registry pattern. Graph-based attack path analysis for privilege escalation detection. Concurrent LDAP queries via goroutines.

Tags: Detector Registry, Attack Graph, Concurrent Queries, Goroutines

03 Provider Layer

LDAP provider (AD on-prem), Azure provider (Graph API with pagination >999 items), Network probes, SMB protocol. YAML config with environment variable interpolation.

Tags: go-ldap/ldap, Azure SDK, go-smb2, Viper Config

Key Features

400+ Security Checks

AD + Azure Entra ID across 15 categories: Kerberos, ADCS, Permissions, GPO, Network, Compliance, Attack Paths, and more

Complete Go Rewrite

From Node.js to Go. Single binary, zero external dependencies, concurrent operations via goroutines

Graph-Based Attack Path Analysis

Privilege escalation detection analyzing relationships between AD objects, group memberships, and permissions. Maps vulnerabilities to real attack chains

ADCS Certificate Auditing (ESC1-11)

Complete Active Directory Certificate Services security coverage. Detects ESC1 through ESC11 certificate vulnerability patterns

REST API with Async Jobs

JWT auth, rate limiting, async mode for large domains (10,000+ objects) with polling. Health checks. AD and Azure audit endpoints

Multi-Format Output

JSON, HTML, CSV export. Structured findings with severity classification, MITRE ATT&CK mapping, and remediation guidance per finding

Compliance Frameworks

ANSSI, CIS, NIST, DISA built-in. Standards-aligned security checks with compliance scoring and gap analysis

Docker Multi-Arch

linux/amd64 + linux/arm64. Alpine 3.19, non-root execution, health checks. Also available as standalone binary for any platform

Tech Stack

Go 1.24 Runtime

99.2% of codebase. Single binary, zero dependencies, goroutines for concurrency

go-ldap/ldap v3 LDAP Client

Active Directory connectivity. Connection pooling, LDAPS (port 636), injection prevention

Azure SDK + Graph SDK Azure Provider

Azure Entra ID auditing. Pagination >999 items, conditional access, PIM analysis

Gin HTTP Framework

REST API server. JWT middleware, rate limiting, async job support, health checks

Cobra + Viper CLI Framework

CLI command structure + YAML config with environment variable interpolation

go-smb2 SMB Protocol

Network-level security probing (port 445). SMB signing verification

Docker Multi-Arch Deployment

Alpine 3.19, multi-stage build, non-root user, amd64 + arm64 support

uber/zap Observability

Structured logging. Production-grade, high-performance, leveled logging

Results & Metrics

Technical Performance

500 Users Audit: < 60 sec (concurrent LDAP queries)
Binary Size: single file (zero external dependencies)
Concurrency: goroutines (parallel LDAP + Graph queries)
Docker Image: multi-arch (amd64 + arm64 Alpine)

Business Impact

Security Checks: 400+ (AD + Azure)
Categories: 15 (Kerberos/ADCS/Permissions/...)
License: Open Source (open-core model)
SaaS Integration: EtcSec (feeds SaaS dashboard)

Security & Compliance

JWT + Rate Limiting: 100/min (per client IP)
Container Hardening: non-root (Alpine 3.19, UID 1001)
LDAP Injection: prevented (go-ldap auto-escaping)
Structured Logging: uber/zap (production-grade observability)
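The "LDAP injection: prevented" line above refers to the filter escaping that go-ldap/ldap provides (ldap.EscapeFilter). To show what that escaping actually does, here is an added example that is not the project's code: a hand-rolled RFC 4515 assertion-value escaper, the safe filter builder an auditor would use to look up one account, and the naive concatenation it replaces. The filter shape and the sample account names are assumptions for the example; in the real tool you would call the library function rather than this re-implementation.

```go
package main

import (
	"fmt"
	"strings"
)

// EscapeFilterValue escapes an assertion value for an LDAP search filter as RFC 4515
// section 3 requires: the metacharacters \ * ( ), NUL and every non-ASCII byte become
// \XX hex escapes, so a value can never close or extend the filter expression.
// go-ldap/ldap provides the same transformation as ldap.EscapeFilter.
func EscapeFilterValue(s string) string {
	var b strings.Builder
	for i := 0; i < len(s); i++ {
		c := s[i]
		switch {
		case c == '\\' || c == '*' || c == '(' || c == ')' || c == 0 || c >= 0x80:
			fmt.Fprintf(&b, "\\%02x", c)
		default:
			b.WriteByte(c)
		}
	}
	return b.String()
}

// UserLookupFilter builds the filter for fetching one account by sAMAccountName with the
// caller-supplied name escaped: this is the hardened form.
func UserLookupFilter(name string) string {
	return fmt.Sprintf("(&(objectClass=user)(sAMAccountName=%s))", EscapeFilterValue(name))
}

// UnsafeUserLookupFilter is the same filter built by plain concatenation: the value can
// inject extra filter components. Kept only to contrast with UserLookupFilter.
func UnsafeUserLookupFilter(name string) string {
	return fmt.Sprintf("(&(objectClass=user)(sAMAccountName=%s))", name)
}

func main() {
	for _, name := range []string{"j.doe", "René", "*)(objectClass=*"} {
		fmt.Printf("input %-18q safe: %s\n", name, UserLookupFilter(name))
	}
}
```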

Technical Challenges & Solutions

Complete Rewrite Node.js to Go

Problem
Node.js could not handle concurrent LDAP queries efficiently. Memory overhead with 400+ detectors, single-threaded event loop bottleneck for CPU-intensive analysis
Solution
Go with goroutines for concurrent LDAP queries, single binary compilation (zero runtime dependencies), detector registry pattern for scalable check management

Graph-Based Attack Path Engine

Problem
Individual vulnerability findings lack context. Need to show how vulnerabilities chain together for privilege escalation (e.g., Kerberoasting + weak ACLs + admin group)
Solution
Internal attack graph module analyzing relationships between AD objects, permissions, delegations, and group memberships. Traverses paths from any compromised account to Domain Admin
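The path traversal described in this solution reduces to a shortest-path search over a directed graph whose nodes are AD objects and whose edges are memberships and ACL rights. As an added example (not the project's attack graph module), the block below builds such a graph from a constructed mini-domain, runs a breadth-first search from any object to "Domain Admins", and lists every object that can reach it together with its path, which is the worklist a defender uses to decide which relationship to cut. The edge names and object names are assumptions for the example.

```go
package main

import (
	"fmt"
	"sort"
	"strings"
)

// Edge is one directed relationship between AD objects. The relationship names here
// (group membership and an ACL right) are chosen for the example; a real graph would be
// populated from the LDAP provider.
type Edge struct{ From, To, Rel string }

// Graph is an adjacency list keyed by the source object.
type Graph struct{ adj map[string][]Edge }

func NewGraph(edges []Edge) *Graph {
	g := &Graph{adj: map[string][]Edge{}}
	for _, e := range edges {
		g.adj[e.From] = append(g.adj[e.From], e)
		if _, ok := g.adj[e.To]; !ok {
			g.adj[e.To] = nil // register sinks so Nodes() sees them
		}
	}
	return g
}

// Nodes lists every object in the graph in sorted order.
func (g *Graph) Nodes() []string {
	var ns []string
	for n := range g.adj {
		ns = append(ns, n)
	}
	sort.Strings(ns)
	return ns
}

// ShortestPath runs a breadth-first search from src and returns the fewest-hop chain of
// relationships that reaches dst, or nil when dst is unreachable.
func (g *Graph) ShortestPath(src, dst string) []Edge {
	prev := map[string]Edge{}
	visited := map[string]bool{src: true}
	queue := []string{src}
	for len(queue) > 0 {
		cur := queue[0]
		queue = queue[1:]
		for _, e := range g.adj[cur] {
			if visited[e.To] {
				continue
			}
			visited[e.To] = true
			prev[e.To] = e
			if e.To == dst {
				var path []Edge
				for n := dst; n != src; n = prev[n].From {
					path = append([]Edge{prev[n]}, path...)
				}
				return path
			}
			queue = append(queue, e.To)
		}
	}
	return nil
}

// ExposedObjects maps every object that can reach dst to its shortest path. Each path
// contains at least one relationship whose removal breaks the chain.
func (g *Graph) ExposedObjects(dst string) map[string][]Edge {
	out := map[string][]Edge{}
	for _, n := range g.Nodes() {
		if n == dst {
			continue
		}
		if p := g.ShortestPath(n, dst); p != nil {
			out[n] = p
		}
	}
	return out
}

// Describe renders a path as "a -[Rel]-> b -[Rel]-> c".
func Describe(path []Edge) string {
	if len(path) == 0 {
		return ""
	}
	var b strings.Builder
	b.WriteString(path[0].From)
	for _, e := range path {
		fmt.Fprintf(&b, " -[%s]-> %s", e.Rel, e.To)
	}
	return b.String()
}

// SampleEdges is a constructed mini-domain: a service account sits in a helpdesk group
// that holds GenericAll over a user who is a member of Domain Admins.
var SampleEdges = []Edge{
	{"svc-sql", "HelpDesk", "MemberOf"},
	{"HelpDesk", "jane", "GenericAll"},
	{"jane", "Domain Admins", "MemberOf"},
	{"bob", "Staff", "MemberOf"},
}

func main() {
	g := NewGraph(SampleEdges)
	for obj, p := range g.ExposedObjects("Domain Admins") {
		fmt.Printf("%-10s %s\n", obj, Describe(p))
	}
}
```

In the sample the finding to act on is the GenericAll right the HelpDesk group holds over a Domain Admin member: removing it drops svc-sql and HelpDesk from the exposed list at once, which is the prioritisation the graph view adds over a flat list of ACL findings.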

Azure Graph API Pagination for Large Tenants

Problem
Microsoft Graph API returns max 999 items per page. Large tenants with 10k+ users/groups cause incomplete audits if not paginated correctly
Solution
Automatic cursor-based pagination traversal with retry logic. Implemented in v2.5.9 to handle tenants of any size
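Cursor-based traversal with retry, as described in this solution, is independent of the Graph SDK: the loop follows the continuation cursor until it is empty and retries a page on transient failures. The block below is an added example, not the project's v2.5.9 implementation. It models a Graph collection response as values plus a next-link cursor, adds a guard against a cursor that repeats (which would otherwise spin forever), and drives the walker with a constructed in-memory tenant that serves 999 users per page and fails once on one cursor. The cursor format ("skip=N") and the user names are assumptions for the example.

```go
package main

import (
	"errors"
	"fmt"
)

// Page mirrors a Graph collection response: the values plus a continuation cursor
// (Graph carries it as "@odata.nextLink"), empty once the collection is exhausted.
type Page struct {
	Values   []string
	NextLink string
}

// PageFunc fetches one page; the empty cursor requests the first page.
type PageFunc func(cursor string) (Page, error)

// ErrTransient marks failures worth retrying, such as 429 throttling or a timeout.
var ErrTransient = errors.New("transient error")

// FetchAll walks the cursor chain until NextLink is empty, retrying each page up to
// maxRetries times on transient errors. A repeated cursor aborts the walk so a
// misbehaving endpoint cannot keep the audit looping forever.
func FetchAll(fetch PageFunc, maxRetries int) ([]string, error) {
	var all []string
	seen := map[string]bool{}
	cursor := ""
	for {
		var p Page
		var err error
		for attempt := 0; attempt <= maxRetries; attempt++ {
			if p, err = fetch(cursor); err == nil || !errors.Is(err, ErrTransient) {
				break
			}
		}
		if err != nil {
			return all, fmt.Errorf("fetching page %q: %w", cursor, err)
		}
		all = append(all, p.Values...)
		if p.NextLink == "" {
			return all, nil
		}
		if seen[p.NextLink] {
			return all, fmt.Errorf("pagination loop at cursor %q", p.NextLink)
		}
		seen[p.NextLink] = true
		cursor = p.NextLink
	}
}

// FakeTenant serves N constructed users at most 999 per page and fails once, with a
// transient error, for every cursor listed in FailOnce.
type FakeTenant struct {
	N        int
	FailOnce map[string]bool
	Calls    int
}

// Fetch is the PageFunc for the fake tenant.
func (t *FakeTenant) Fetch(cursor string) (Page, error) {
	t.Calls++
	if t.FailOnce[cursor] {
		delete(t.FailOnce, cursor)
		return Page{}, ErrTransient
	}
	start := 0
	if cursor != "" {
		if _, err := fmt.Sscanf(cursor, "skip=%d", &start); err != nil {
			return Page{}, fmt.Errorf("bad cursor %q", cursor)
		}
	}
	end := start + 999
	if end > t.N {
		end = t.N
	}
	var p Page
	for i := start; i < end; i++ {
		p.Values = append(p.Values, fmt.Sprintf("user%05d@example.com", i))
	}
	if end < t.N {
		p.NextLink = fmt.Sprintf("skip=%d", end)
	}
	return p, nil
}

func main() {
	tenant := &FakeTenant{N: 2500, FailOnce: map[string]bool{"skip=999": true}}
	users, err := FetchAll(tenant.Fetch, 3)
	fmt.Println(len(users), "users in", tenant.Calls, "calls; err:", err)
}
```

The important property for an audit is the failure mode: with retries exhausted the function returns the partial result together with an error, so the caller can mark the audit incomplete instead of silently reporting a tenant that looks smaller than it is.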

Detector Registry Scalability

Problem
Managing 400+ individual detectors across 15 categories with different provider requirements (AD, Azure, Network, SMB). Adding new detectors should be trivial
Solution
Self-registering registry pattern: each detector declares metadata (category, severity, provider, MITRE mapping). Engine orchestrates execution order and concurrent scheduling automatically
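The self-registering registry described here, and in the Audit Engine section above, is a small amount of Go once written down: each detector file calls a package-level Register from its init function with its metadata, and the engine selects by provider and fans the checks out over goroutines. The block below is an added example, not the project's engine; the detector IDs, the Snapshot shape standing in for provider data, and the sample accounts are assumptions for the example, while the MITRE ATT&CK technique IDs are real ones matching the checks shown.

```go
package main

import (
	"fmt"
	"sort"
	"sync"
)

// Provider names the data source a detector needs; constants constructed for this example.
type Provider string

const (
	ProviderAD    Provider = "ad"
	ProviderAzure Provider = "azure"
)

// Snapshot stands in for the directory data a real provider would fetch (constructed shape).
type Snapshot struct {
	AccountsWithSPN      []string // AD accounts carrying a servicePrincipalName
	PasswordNeverExpires []string // AD accounts whose password never expires
	UsersWithoutMFA      []string // Entra ID users with no registered MFA method
}

// Finding is one result; the engine stamps detector metadata onto it after Run returns.
type Finding struct {
	DetectorID, Category, Severity, Mitre, Object string
}

// Detector bundles the metadata the registry schedules on with the check itself.
type Detector struct {
	ID, Category, Severity string
	Provider               Provider
	Mitre                  string                  // ATT&CK technique the check maps to
	Run                    func(Snapshot) []string // returns the objects that match
}

var (
	registryMu sync.Mutex
	registry   = map[string]Detector{}
)

// Register is called from init() in each detector's file, so adding a check means adding a file.
// Duplicate IDs are a programming error and fail fast at startup.
func Register(d Detector) {
	registryMu.Lock()
	defer registryMu.Unlock()
	if _, dup := registry[d.ID]; dup {
		panic(fmt.Sprintf("duplicate detector id %q", d.ID))
	}
	registry[d.ID] = d
}

// ForProvider returns the detectors that run against one provider, sorted for stable output.
func ForProvider(p Provider) []Detector {
	registryMu.Lock()
	defer registryMu.Unlock()
	var out []Detector
	for _, d := range registry {
		if d.Provider == p {
			out = append(out, d)
		}
	}
	sort.Slice(out, func(i, j int) bool { return out[i].ID < out[j].ID })
	return out
}

// RunAll runs every detector for a provider in its own goroutine and merges the findings
// in registry order, so concurrency never changes the report layout.
func RunAll(p Provider, snap Snapshot) []Finding {
	dets := ForProvider(p)
	results := make([][]Finding, len(dets)) // one slot per detector: no shared writes
	var wg sync.WaitGroup
	for i, d := range dets {
		wg.Add(1)
		go func(i int, d Detector) {
			defer wg.Done()
			for _, obj := range d.Run(snap) {
				results[i] = append(results[i], Finding{d.ID, d.Category, d.Severity, d.Mitre, obj})
			}
		}(i, d)
	}
	wg.Wait()
	var all []Finding
	for _, r := range results {
		all = append(all, r...)
	}
	return all
}

func init() {
	Register(Detector{ID: "kerberos-spn-user", Category: "Kerberos", Severity: "high", Provider: ProviderAD,
		Mitre: "T1558.003", Run: func(s Snapshot) []string { return s.AccountsWithSPN }})
	Register(Detector{ID: "password-never-expires", Category: "Permissions", Severity: "medium", Provider: ProviderAD,
		Mitre: "T1078.002", Run: func(s Snapshot) []string { return s.PasswordNeverExpires }})
	Register(Detector{ID: "entra-user-no-mfa", Category: "Compliance", Severity: "high", Provider: ProviderAzure,
		Mitre: "T1078.004", Run: func(s Snapshot) []string { return s.UsersWithoutMFA }})
}

func main() {
	snap := Snapshot{AccountsWithSPN: []string{"svc-sql"}, PasswordNeverExpires: []string{"svc-backup"}}
	for _, f := range RunAll(ProviderAD, snap) {
		fmt.Printf("%-24s %-8s %-10s %s\n", f.DetectorID, f.Severity, f.Mitre, f.Object)
	}
}
```

Each goroutine writes only to its own slot of results, so no mutex is needed on the hot path; the registry mutex only guards registration and lookup. Adding a fourth detector means one more Register call in a new file and nothing else.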

Demonstrated Skills

Go Development

Goroutines/Concurrency, Detector Registry Pattern, Single Binary Distribution, Multi-Arch Builds, Go Module Structure

Security Engineering

400+ Detectors, Attack Path Analysis, ADCS ESC1-11, MITRE ATT&CK Mapping, Compliance Frameworks

Protocol Engineering

LDAP/LDAPS, SMB Protocol, Microsoft Graph API, Azure SDK, Network Probing

API Design

REST API (Gin), JWT Authentication, Async Jobs with Polling, Rate Limiting, Health Checks

Open Source & DevOps

CI/CD (GitHub Actions), Multi-Registry Docker Publishing, Changelog Management, Semantic Versioning
