Technical Overview
The Engineering Behind DDactic
A distributed DDoS resilience testing platform built across 19 cloud providers, processing industry-wide vulnerability assessments at scale. This is what makes it hard to replicate.
7Pipeline Stages
19Cloud Platforms
233Attack Techniques
19Industry Configs
Infrastructure
19-Platform Cloud Orchestration
Most security platforms use one, maybe two cloud providers. DDactic deploys bot instances across 19 cloud platforms simultaneously through a single Go-based Deploy Service. Each platform has a dedicated adapter handling authentication, API differences, region selection, and snapshot management.
This isn't a wrapper around Terraform. It's a purpose-built deployment engine that handles platform-specific quirks: OVH's OpenStack metadata colliding with AWS at 169.254.169.254, Scaleway's cloud-init not running on snapshot instances, IBM requiring VPC infrastructure pre-provisioning, Tencent's mainland China regions being GFW-blocked.
5
Spot-Capable Platforms
AWS, GCP, Azure, Alibaba, Tencent. Each with different spot APIs, pricing models, and reclamation behaviors.
8
On-Demand Platforms
DigitalOcean, Vultr, Linode, Hetzner, OVH, Scaleway, IBM, Oracle. Instant provisioning from pre-built snapshots.
~15s
Average Deploy Time
From API call to bot binary running and registered with the Fleet Controller. Snapshot-based, no cloud-init dependency.
1
Boot Script
boot.sh auto-detects all 19 platforms via metadata endpoints, configures Fleet Controller, downloads binary. Zero manual intervention.
# Each platform has a unique metadata endpoint
curl -s 169.254.42.42 # Scaleway
curl -s 100.100.100.200 # Alibaba
curl -s 169.254.0.23 # Tencent
curl -s 169.254.169.254 # AWS, GCP, Azure, OVH (differentiated by headers)
cat /sys/class/dmi/id/sys_vendor # Linode ("Akamai"), Vultr
hostname # IBM (pattern match: *-ibm-*)
# OVH detected BEFORE AWS (both respond at 169.254.169.254)
# Solution: check /openstack/latest/vendor_data.json first
Resilience
Self-Healing Spot Instance Fleet
Spot instances save 60-90% on compute costs but can be reclaimed at any time. The Spot Monitor polls all 5 spot-capable platforms every 60 seconds through the Deploy Service's /status/instances endpoint, detects terminations, and automatically provisions replacements.
The replacement instance is deployed on the same platform with the same configuration, including the spot flag, so it's also a spot instance. The bot downloads its binary, auto-detects its platform, registers with the Fleet Controller, and rejoins the fleet. Total recovery: under 75 seconds.
T+0s
Cloud provider reclaims spot instance. GCP gives 30s warning (ignored; we detect post-termination). AWS gives 2min warning. Azure gives 30s.
T+60s (worst case)
Spot Monitor detects missing instance. Polling cycle catches the terminated status. Instance classified as "reclaimed" vs "manual destroy" based on is_spot metadata.
T+61s
POST /deploy sent to Deploy Service. Same platform, same region, same instance type, spot: true. The Deploy Service picks the platform adapter and provisions.
T+75s
New instance running and registered with the Fleet Controller. boot.sh executed, binary downloaded from Binary Server (Nginx :9999), platform auto-detected, Fleet Controller registration complete. Fleet at full strength.
// Every 60 seconds: GET /status/instances from Deploy Service
// Returns all instances across 19 platforms with is_spot flag
for _, dbInstance := range trackedInstances {
liveInst, alive := liveMap[dbInstance.ID]
if !alive {
// Instance disappeared - classify termination
if dbInstance.IsSpot {
reason = "reclaimed" // Spot instance → auto-redeploy
} else {
reason = "unknown" // On-demand → investigate
}
redeployInstanceFallback(dbInstance)
} else if liveInst.IsSpot && liveInst.Status == "TERMINATED" {
// GCP: terminated but not yet deleted
redeployInstanceFallback(dbInstance)
}
}
Intelligence
Multi-Source Certificate Intelligence
Certificate Transparency logs are a critical intelligence source for discovering subdomains. DDactic uses a multi-tier request strategy with automatic failover and caching to maintain reliable access to CT data at scale.
Results are cached in S3 with 24-hour TTL, so each domain is only queried once per day regardless of how many scans reference it. The scanner polls the cache while the backend pre-fetches asynchronously.
Request Chain
AWS Batch Scanner
↓ CT log query
Backend API
↓ multi-tier failover
Encrypted Tunnel
↓ reliable access
CT Log Sources
↓ certificate data
S3 Cache (24h TTL)
Why this matters:
• Multiple CT log sources for redundancy
• Automatic failover between data providers
• Encrypted tunnels for reliable access
• 24h S3 cache prevents redundant queries
• Async pre-fetching for scan performance
• Scales to thousands of domains per day
Intelligence
7-Stage Reconnaissance Pipeline
The scanner runs as a Docker container on AWS Fargate. Seven sequential stages build a complete picture of the target's attack surface, from passive discovery through active testing to AI-generated attack plans. Each stage feeds the next with enriched data. Every stage supports passive and active modes - passive sends zero traffic to the target, active probes directly.
The philosophy is techniques over tools. The pipeline doesn't just run nmap, nuclei, or httpx and dump output. Each stage applies specific mechanisms - H2 SETTINGS extraction, QUIC transport parameter probing, rate limit threshold discovery, cache behavior analysis - that expose how defenses actually behave under pressure. 233 attack techniques mapped to 23 core mechanisms, not tool names.
Stage 1
Discovery
SLD enumeration, subdomain discovery via 9 API sources, DNS brute-force permutation, AI-powered SLD validation, cloud storage discovery (S3/Azure/GCS).
passive
Stage 2
Port Scanning
Nmap scan with GlobalPing multi-region availability testing from 15+ locations. CDN detection and filtering. Last-hop traceroute analysis.
passiveactive
Stage 3
L7 Protocol Recon
Dispatches to 5 L7 protocols: HTTP/1.1, HTTP/2, HTTP/3 (QUIC), gRPC, and WebSocket. Per-protocol fingerprinting: H2 SETTINGS extraction, QUIC transport params, gRPC reflection. API endpoint discovery, WAF bypass detection, TLS JA4+ fingerprinting. Three depth modes: passive, semi-active, active.
passiveactive
Stage 4
Breach Database
Cross-references discovered domains against HIBP, DeHashed, and LeakCheck. Maps exposed credentials to authentication endpoints found in Stage 3.
passive
Stage 5
Active Recon
Three sub-modes: 5a path probing (sensitive files, source maps, tech-adaptive), 5b deep crawl (follow all links, API pagination, JS routes), 5c rate limit measurement (threshold probing, cache behavior, timing baselines). Tiered depth: light/moderate/deep.
active
Stage 6
AI Analysis
AWS Bedrock processes all findings. Generates risk narratives, confidence scoring, feasibility assessments, and regulatory context for each finding.
passive
Stage 7
Test Plan
Composable attack vectors generated from findings. Appliance-aware intensity calibration. Vendor-specific hardening commands. Before/after comparison framework.
passive
Offensive Testing
CDN Origin Bypass Discovery
CDN protection means nothing if the origin server is reachable directly. After L7 reconnaissance, DDactic runs automated origin bypass discovery using 6 methods, then validates each bypass path to confirm the origin is genuinely exposed.
6
Discovery Methods
DNS history, certificate transparency, common subdomain patterns, IP range scanning, HTTP header leaks, and cloud metadata enumeration.
5
CDN Vendors
Vendor-specific bypass validation and mitigation generation for Cloudflare, AWS CloudFront, Akamai, Fastly, and Azure Front Door.
Auto
Mitigation Output
For each confirmed bypass, generates origin firewall rules that restrict access to CDN-only IP ranges. Copy-paste ready.
Evasion
TLS Fingerprint Engine
Modern WAFs fingerprint TLS ClientHello messages to distinguish bots from browsers. DDactic's raw scanner builds TLS handshakes from scratch, matching real browser fingerprints from a database of 10,000+ profiles across Chrome, Firefox, Safari, and Edge versions.
JA4+
Fingerprint Standard
JA3, JA4, JA4H fingerprint generation and validation. Cross-referenced against a defense hash database of 138 known WAF/CDN signatures.
10K
Browser Profiles
Real browser fingerprints collected from Chrome, Firefox, Safari, Edge across multiple OS versions. Randomized per-request to avoid detection.
QUIC
HTTP/3 Support
Native QUIC implementation for testing HTTP/3 endpoints. UDP-based transport with TLS 1.3 built from raw sockets.
Scale
Industry-Wide Batch Intelligence
Beyond individual customer scans, DDactic maintains vulnerability intelligence across 19 industries. Pre-configured company lists enable batch scanning of hundreds of companies simultaneously via AWS Batch parallelization. This produces competitive benchmarks and market-wide protection assessments.
Fleet Coordination
Load-Balanced Fleet Controllers with HTTP/2
Redundant Fleet Controllers behind a load balancer handle fleet coordination. Test agents communicate over HTTP/2 through Cloudflare-proxied DNS, so the coordination infrastructure benefits from Cloudflare's DDoS protection. Each agent self-identifies its platform, IP, and capabilities on registration.
2
Fleet Controllers
Load-balanced routing distributes agents across servers. Each has an embedded web dashboard for real-time fleet visibility.
HTTP/2
Agent Protocol
Multiplexed connections, header compression. Agents poll for test instructions, report results. All traffic through Cloudflare proxy.
OTA
Over-the-Air Updates
Every boot pulls the latest binary from a central update server. Fleet-wide updates without SSH access to any instance.
App Intelligence
Desktop App Traffic Interception Lab
Web scanners miss desktop application endpoints entirely. DDactic operates a Windows desktop app lab - a dedicated VM running 44 desktop applications through MITM proxy interception. Every HTTP/HTTPS call, WebSocket connection, gRPC channel, and telemetry beacon is captured, parsed, and fed into the recon pipeline. These are API endpoints that no web crawler or subdomain scanner will ever find.
The lab runs on a scheduled capture cycle: install the app, launch it, interact with core features, capture all traffic, extract unique endpoints, and cross-reference them against the company's known infrastructure. Results feed directly into Stage 3 L7 recon and the attack simulation engine.
44
Windows Desktop Apps
Slack, Teams, Zoom, 1Password, Figma, Discord, VS Code, Notion, and 36 more. Each app cataloged with exe paths, MS Store IDs, and captured endpoint inventories.
MITM
Transparent Proxy Capture
All desktop app traffic routed through a transparent HTTPS proxy. TLS interception captures API calls, auth flows, certificate pinning attempts, and backend telemetry that apps send silently.
Auto
Scheduled Capture Cycles
Automated hourly capture scripts launch apps, trigger interactions, and parse traffic into structured endpoint inventories stored per-company in S3.
API
Non-Web Endpoint Discovery
Discovers API gateways, GraphQL endpoints, gRPC services, WebSocket feeds, and OAuth token endpoints that desktop apps use but web scanners never see.
# Windows VM captures traffic from 44 desktop apps
App Launch → MITM Proxy → Traffic Parse → Endpoint Extract
# Discovered endpoints fed into recon pipeline
desktop-recon/windows/ → L7 Recon (Stage 3) → Attack Sim (Stage 7)
# Example: Slack desktop reveals internal API surface
api.slack.com # Known web API
wss://wss-primary.* # WebSocket - desktop only
edgeapi.slack.com # Edge API - desktop only
files.slack.com # File CDN with auth tokens
Remediation
Vendor-Specific Hardening Engine
The platform generates copy-paste CLI commands tailored to the customer's CDN/WAF vendor. 16 hardening templates across 6 vendors, with optional credential injection from the customer's stored integrations. Before-test and after-test recommendation sets ensure the right fixes at the right time.
| Template | Cloudflare | AWS | GCP | Azure | Akamai |
|---|
| Rate Limiting | API + CLI | WAFv2 | Cloud Armor | Front Door | Property Mgr |
| WAF Rules | Managed | OWASP Set | Pre-config | WAF Policy | App & API |
| TLS Hardening | Min TLS | ACM Policy | SSL Policy | TLS Config | Edge Cert |
| DDoS Config | Sec Level | Shield | Armor | DDoS Plan | Kona Site |
| Bot Mgmt | Bot Fight | Bot Control | reCAPTCHA | Bot Mgr | Bot Mgr |
| Geo Blocking | Firewall | WAF Geo | Armor Geo | Geo Filter | Edge Logic |
Attack Planning
Appliance-Aware Test Plan Engine
Most DDoS testing tools use fixed intensity levels. DDactic generates test plans calibrated to the target's actual defense infrastructure. If you have a Radware DefensePro rated for 40 Gbps, we test at escalating levels relative to that capacity, not at arbitrary thresholds.
The taxonomy is built on 233 attack techniques organized by 23 core mechanisms (connection exhaustion, cache poisoning, protocol abuse, amplification), not by tool name. Each technique specifies the underlying mechanism, required protocol (HTTP/1.1, H2, H3, gRPC, WebSocket), escalation path, and the specific defense behavior it targets. This means test plans adapt to what the scanner discovered, not what tools happen to be installed.
19+
Appliance Profiles
Radware, Netscout Arbor, F5 Silverline, A10 Thunder, Fortinet FortiDDoS, Palo Alto, Check Point, Cloudflare Magic Transit, AWS Shield Advanced, Azure DDoS Protection, and more.
233
Attack Techniques
Organized by 23 core mechanisms, not tool names. Each technique maps to a specific protocol (H1, H2, H3, gRPC, WS), escalation ladder, and the defense behavior it exploits. Composable into multi-vector campaigns.
Deadly
Threshold Detection
Calculates the "deadly threshold" where detected traffic volume would overwhelm the appliance's rated capacity. Tells you exactly when your protection breaks.
API Intelligence
HAR-Driven API Testing
Web scanners find endpoints. DDactic goes further by analyzing real application traffic captured from HAR files. This reveals authentication flows, API gateway patterns, CSRF token chains, and session management behavior that no external scan can detect.
44
Companies with HAR Data
Captured from physical device labs and browser sessions. Includes desktop apps (Slack, Teams, Zoom) and customer web portals.
ATO
Account Takeover Risk
Cross-references HAR-discovered auth endpoints with breach database results. If credentials are leaked AND the login endpoint is exposed, ATO risk is scored.
Replay
Ready Templates
Extracts API call patterns into replay-ready test templates. Includes headers, auth tokens, and request sequences for the test plan engine.
Monitoring
Continuous Monitoring & Alerts
Security posture changes. New subdomains appear, CDN configurations drift, certificates expire, and protection gaps emerge. DDactic runs scheduled re-scans and alerts on meaningful changes, not noise.
Auto
Scheduled Re-scans
Configurable scan frequency. Each re-scan compares against the previous baseline and highlights only meaningful changes in protection posture.
Delta
Change Detection
New subdomains, CDN changes, certificate rotations, protection drops, and OPI score shifts trigger targeted alerts with context.
Baselines
Traffic Composition
Establishes normal traffic baselines per asset. Rate limiting recommendations calculated from actual traffic patterns, not guesswork.
Collaboration
Shareable Resilience Reports
Security findings need to reach board members, auditors, and technical teams in different formats. DDactic generates shareable report links with unique tokens, so you can send a read-only view to anyone without requiring a login.
Link
Token-Based Sharing
Generate a unique URL for any scan report. Rate-limited, read-only access. No account required for the recipient.
OPI
Executive Summary
Open Protection Index score with 6-component breakdown. Industry benchmarks. Before/after hardening comparison. Board-ready format.
Topology
Visual Infrastructure Map
Interactive topology showing CDN/WAF coverage, cloud providers, and exposed assets. The view that makes CISOs say "I didn't know we had that."
Defense
Shield: Real-Time DDoS Defense
DDactic doesn't just find vulnerabilities. Shield is a deployable defense layer that integrates with your existing reverse proxy (nginx, HAProxy, Envoy) to provide real-time traffic scoring and automated mitigation using the same fingerprint intelligence from the scanning platform.
JA4
TLS Traffic Scoring
Every incoming connection scored against the 10K browser fingerprint database. Known bot signatures blocked instantly. Unknown fingerprints challenged.
3
Proxy Integrations
Drop-in integration with nginx (auth_request), HAProxy (SPOE), and Envoy (ext_authz). No application code changes required.
XDP
Kernel Pre-Filter
eBPF/XDP layer drops known-bad traffic before it reaches userspace. Handles volumetric attacks at line rate without loading the application.
Accuracy
Self-Learning Scanner
Every scan improves the next one. False positive feedback loops, per-company exclusion persistence, and AI-powered SLD validation ensure that findings get more accurate over time, not less.
FP
Global Blocklist
False positives identified in any scan are added to a global blocklist. No customer sees the same false positive twice.
AI
SLD Validation
AI validates whether discovered second-level domains actually belong to the target company. Country-aware, subsidiary-aware, reduces noise by 30-40%.
138
Defense Hash DB
Cross-validates detected CDN/WAF vendor against TLS fingerprint hashes. If the fingerprint says Cloudflare but the CNAME says Akamai, something is wrong.
Moat
Why This Is Hard to Replicate
Each component is individually achievable. The moat is the integration: 19 cloud APIs, 9 intelligence sources, 7 pipeline stages, 233 attack techniques across 23 mechanisms, CDN bypass testing, appliance-aware test plans, desktop app traffic interception, self-learning accuracy, and real-time defense, all working as a single automated platform.
13
Cloud API Integrations
Each with unique auth, API shapes, quota limits, snapshot formats, and failure modes. 18+ months of platform-specific debugging.
19
Industry Datasets
Curated company lists with subsidiaries, primary domains, and industry categorization. Competitive intelligence at scale.
0
Manual Intervention
From scan submission to hardening report, fully automated. Spot recovery, binary updates, Fleet Controller registration - all zero-touch.
OPI
Proprietary Scoring
Open Protection Index: 6-category scoring framework. Industry benchmarks. Before/after comparison. Quantified security posture.