Faraday: The Open-Source Vulnerability Aggregator That Parses 80+ Security Tools

Hook

The average security team runs 5-10 different scanning tools, each producing incompatible output formats—CSV, XML, JSON, proprietary binaries. Faraday solves the aggregation problem that commercial platforms charge $50k+/year to fix.

Context

Before centralized vulnerability management platforms, security teams drowned in scan reports. A penetration tester might run Nmap for network discovery, Nessus for vulnerability scanning, Burp Suite for web app testing, and Nikto for web server enumeration—then spend hours manually consolidating findings into a spreadsheet or Word document. Each tool spoke its own language: Nmap output XML, Nessus generated .nessus files, Burp produced proprietary XML schemas. Collaboration meant emailing report files back and forth, with no concept of real-time shared state or deduplication across tools.

Faraday emerged from Infobyte, an Argentine security consultancy, as an internal solution to this chaos. Rather than building yet another scanner, they built a universal aggregation layer—a PostgreSQL-backed platform that ingests output from any security tool through a plugin system, normalizes findings into a unified schema, and presents everything through a collaborative web interface. The open-source release in 2013 attracted security teams tired of manual report consolidation, CI/CD engineers needing pipeline-friendly security automation, and organizations wanting self-hosted alternatives to expensive commercial platforms. With 6,400+ GitHub stars and 80+ tool integrations, it's become the de facto open-source solution for multi-tool vulnerability management.

Technical Insight

System architecture (auto-generated diagram, rendered here as text): Security Tools (Nmap, Metasploit, etc.) produce Raw Output (XML/JSON/CSV). The Ingestion Layer (Plugin Parsers, Faraday CLI/Agent Dispatcher) turns that output into Normalized Vulnerability Objects and submits them as REST API Requests to the Processing Layer (Python Backend, Core Engine), which handles Deduplication & Persistence into the Storage Layer (PostgreSQL Database). The Presentation Layer (Web Dashboard UI) pulls Query Results and Workspace Data back through the same API.

Faraday's architecture centers on a plugin-based ingestion pipeline that transforms heterogeneous scanner output into a canonical data model. Each plugin implements a simple parser interface: receive raw tool output (XML, JSON, CSV, or stdout), extract vulnerability metadata (CVE IDs, severity, affected hosts, descriptions), and emit normalized objects that the core engine persists to PostgreSQL. The plugin directory shows parsers for everything from Nmap and Metasploit to cloud-native tools like Trivy and Prowler.

Here's the ingestion flow for importing an Nmap XML report via the CLI:

# Run Nmap and save XML output
nmap -sV -oX scan_results.xml target.example.com

# Import to Faraday workspace via CLI
faraday-cli auth -f https://faraday.company.com -u analyst -p <password>
faraday-cli workspace create pentest-2024-q1
faraday-cli tool report scan_results.xml -w pentest-2024-q1

Under the hood, the Nmap plugin parses the XML, extracting hosts, services, and vulnerabilities. When it encounters an Nmap script output indicating a vulnerability (like ssl-poodle or http-vuln-cve2017-5638), it creates a Vulnerability object with standardized fields: name, description, severity (Critical/High/Medium/Low/Informational), CVSS score if available, affected service, and remediation guidance. The CLI sends this structured data to Faraday's REST API, which handles deduplication (same vuln on same host doesn't create duplicates) and workspace isolation.

The real power emerges in CI/CD pipelines. Faraday's agent dispatcher lets you orchestrate remote scans from the central server, so you don't have to install every security tool on your build agents; the workflow below takes the simpler route of running the tools on the runner itself and pushing their reports to Faraday with the CLI:

# GitHub Actions workflow example
name: Security Scan
on: [push]
jobs:
  security:
    runs-on: ubuntu-latest
    steps:
      - name: Checkout code
        uses: actions/checkout@v2

      - name: Run Faraday Agent
        run: |
          # Faraday's web/API port is 5985; 5432 is the PostgreSQL port the
          # server itself connects to, not the one the CLI talks to. The image
          # also expects a reachable PostgreSQL instance (see Gotcha below).
          docker run -d -p 5985:5985 faradaysec/faraday
          pip install faraday-cli
          # give the server time to come up before authenticating
          sleep 30
          faraday-cli auth -f http://localhost:5985 -u faraday -p changeme
          # bare repository name (no owner/ prefix) so the workspace name has no slash
          faraday-cli workspace create ${{ github.event.repository.name }}-${{ github.sha }}

      - name: SAST with Bandit
        run: |
          pip install bandit
          # --exit-zero keeps the step alive when findings exist so the import still runs
          bandit -r . -f json -o bandit-report.json --exit-zero
          faraday-cli tool report bandit-report.json -w ${{ github.event.repository.name }}-${{ github.sha }}

      - name: Dependency Check
        run: |
          pip install safety
          # safety exits non-zero on vulnerable packages; still import the report
          safety check --json > safety-report.json || true
          faraday-cli tool report safety-report.json -w ${{ github.event.repository.name }}-${{ github.sha }}

This pipeline runs two security tools (Bandit for SAST, Safety for dependency vulnerabilities), and Faraday automatically aggregates findings into a single workspace tagged with the commit SHA. Teams can then review consolidated results in the web UI, assign remediation tasks, and track fix verification—all without manually parsing JSON reports.

The data model itself is worth examining. Faraday organizes everything into workspaces (isolated environments for projects/clients), with four primary entity types: Hosts (IP addresses or hostnames discovered during reconnaissance), Services (TCP/UDP ports and application fingerprints running on hosts), Vulnerabilities (security issues affecting hosts or services), and Credentials (usernames/passwords found during testing). This hierarchy mirrors how penetration testers think: "I found host 192.168.1.10 running SSH on port 22, which has CVE-2018-15473 (username enumeration), and I extracted credentials admin:P@ssw0rd from a config file."
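As an added illustration (not Faraday's own code), the following stand-alone Python mirrors what the page describes for the Nmap plugin and the data model: it parses a constructed Nmap XML fragment into hosts, services and vulnerabilities, turns a VULNERABLE NSE script result into a normalized finding, and keys vulnerabilities on (host, port, protocol, name) so re-importing the same report creates no duplicates. The severity table, the Vulnerability dataclass and the Workspace class are assumptions made for the example.

```python
import xml.etree.ElementTree as ET
from dataclasses import dataclass

# Constructed Nmap XML fragment for this example (not a real scan)
SAMPLE_NMAP_XML = """<nmaprun>
 <host><address addr="192.168.1.10" addrtype="ipv4"/>
  <ports>
   <port protocol="tcp" portid="22"><service name="ssh" product="OpenSSH"/></port>
   <port protocol="tcp" portid="443"><service name="https" product="nginx"/>
    <script id="ssl-poodle" output="VULNERABLE: SSL POODLE information leak"/>
    <script id="http-title" output="Welcome"/>
   </port>
  </ports>
 </host>
</nmaprun>"""
# Assumed severity mapping for this example; the real Nmap plugin keeps its own
SCRIPT_SEVERITY = {"ssl-poodle": "medium", "http-vuln-cve2017-5638": "critical"}


@dataclass(frozen=True)
class Vulnerability:          # the normalized object a plugin emits
    host: str
    port: int
    protocol: str
    name: str
    severity: str
    description: str


class Workspace:
    """Stand-in for a Faraday workspace: hosts, services, vulnerabilities."""
    def __init__(self):
        self.hosts, self.services, self.vulns = set(), set(), {}

    def ingest_nmap_xml(self, xml_text):
        root = ET.fromstring(xml_text)
        for host in root.findall("host"):
            addr = host.find("address").get("addr")
            self.hosts.add(addr)
            for port in host.findall("ports/port"):
                portid, proto = int(port.get("portid")), port.get("protocol")
                svc = port.find("service")
                self.services.add((addr, portid, proto, svc.get("name") if svc is not None else ""))
                for script in port.findall("script"):
                    out, name = script.get("output", ""), script.get("id")
                    if not out.startswith("VULNERABLE"):
                        continue  # informational NSE output is not a finding
                    vuln = Vulnerability(addr, portid, proto, name,
                                         SCRIPT_SEVERITY.get(name, "unclassified"), out)
                    self.vulns.setdefault((addr, portid, proto, name), vuln)  # dedup key
        return len(self.vulns)
```

Importing the same report twice returns the same count, which is the deduplication behaviour the REST API applies on the server side.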

Plugins populate these entities through a simple Python interface. Here's a simplified example of how a custom plugin might parse hypothetical scanner output:

from faraday_plugins.plugins.plugin import PluginXMLFormat
import xml.etree.ElementTree as ET


class CustomScannerPlugin(PluginXMLFormat):
    def __init__(self, *args, **kwargs):
        super().__init__(*args, **kwargs)
        # identifier_tag is the XML root element the framework looks for
        # to recognise this scanner's reports and route them to this plugin
        self.identifier_tag = "customscan"
        self.id = "CustomScanner"
        self.name = "Custom Scanner XML Plugin"

    def parseOutputString(self, output):
        root = ET.fromstring(output)

        for host_elem in root.findall('host'):
            ip = host_elem.find('address').get('addr')
            h_id = self.createAndAddHost(ip)

            for vuln_elem in host_elem.findall('vulnerability'):
                # findtext with a default tolerates reports that omit a field
                name = vuln_elem.findtext('name', default='Unnamed finding')
                severity = vuln_elem.findtext('severity', default='unclassified')
                desc = vuln_elem.findtext('description', default='')

                # the base class handles the API call, deduplication
                # and error handling; the plugin only supplies the fields
                self.createAndAddVulnToHost(
                    host_id=h_id,
                    name=name,
                    desc=desc,
                    severity=severity,
                    resolution="Apply vendor patch"
                )

The base class handles API communication, deduplication logic, and error handling—plugin developers just focus on parsing their tool's output format. This abstraction is why Faraday supports 80+ tools: the barrier to adding a new integration is writing ~100 lines of parsing code.

Collaboration features include real-time updates (multiple analysts see changes instantly via WebSocket notifications), role-based access control (admins, pentesters, clients with read-only access), and comment threads on individual vulnerabilities. The REST API exposes every operation available in the UI, enabling custom dashboards, automated report generation, or integration with ticketing systems like Jira. Organizations often build workflows where high-severity findings automatically create Jira tickets assigned to development teams, with bidirectional sync so ticket closure marks vulnerabilities as resolved in Faraday.

Gotcha

The PostgreSQL dependency is non-negotiable, which adds operational overhead for small teams or personal projects. Unlike tools with embedded databases, you're managing a full Postgres instance—handling backups, upgrades, connection pooling, and potential replication for high availability. The Docker Compose setup simplifies initial deployment, but production deployments require real database administration skills. There's no SQLite fallback for lightweight use cases, so running Faraday on a laptop for ad-hoc testing means running Postgres locally.

Plugin quality varies significantly. Core plugins for mainstream tools like Nmap, Burp, and Nessus are battle-tested and well-maintained, but niche or newer tools may have parsers contributed by the community that lack comprehensive field mapping. For example, a plugin might correctly extract vulnerability names and severities but miss CVE references or custom fields specific to that scanner. When tools update their output formats, there's lag time before plugins catch up—commercial platforms with vendor partnerships get early access to format changes, while Faraday relies on community contributions or Infobyte's team to update parsers reactively.

The web UI, while functional, feels dated compared to modern alternatives like DefectDojo. Expect traditional server-rendered pages rather than a snappy SPA experience, and some workflows (bulk operations, advanced filtering) require more clicks than they should. It gets the job done, but won't wow users accustomed to polished commercial UIs.

Verdict

Use if: You're running a security consultancy or pentest team managing multiple concurrent projects, need to aggregate findings from 5+ different scanning tools into unified reports, want self-hosted infrastructure with no per-user licensing costs, or require CI/CD integration for continuous security scanning in DevSecOps pipelines. Faraday excels when collaboration matters—multiple analysts contributing to shared workspaces, clients needing read-only access to findings, or organizations wanting a single source of truth across diverse security tools. The 80+ plugin ecosystem and active community (6,400+ stars) mean your tools are likely already supported.

Skip if: You're a solo researcher or small team using 1-2 security tools (the overhead isn't justified—just use native tool output), can't commit to managing PostgreSQL infrastructure, need enterprise-grade support with SLAs (Infobyte offers commercial versions, but the open-source edition is community-supported), or want cutting-edge UI/UX and workflow automation features found in newer platforms like DefectDojo. Also skip if you need advanced features like risk scoring models, executive dashboards with business context, or deep integrations with GRC platforms—Faraday focuses on technical vulnerability aggregation, not broader security program management.
