DEV Community

Nathan Sportsman
Nathan Sportsman

Posted on

There's Always a Hardcoded Secret Somewhere — Meet Titus

#ai #llmsec #cybersecurity #aisec

It's week two of a red team engagement. You've got a foothold, a hundred cloned repos on your laptop, fifty more still enumerating from the org's GitHub, and you're eight Burp Repeater tabs deep into their internal web portal.

Somewhere in that pile of code and HTTP responses is a hardcoded AWS key, a Stripe secret, or an internal service token that nobody rotated after the last contractor left.

There's always something. It's just a matter of how long it takes you to find it.

Titus is an open source secret scanner from Praetorian that detects and validates leaked credentials across source code, binary files, and HTTP traffic. It ships with 450+ detection rules and runs as a CLI, Go library, Burp Suite extension, or Chrome browser extension — same engine, same rules, four places you're already working.

In some cases, you don't change your workflow at all. You just find secrets for free.

Why Not Just Use Nosey Parker?

Titus isn't our first scanner. In 2022 we released Nosey Parker — regex-based detection plus an ML denoiser trained on real engagement data. It was fast (up to 100x faster than common alternatives), the ML layer cut noise significantly, and it scaled to tens of terabytes of source code on modest hardware.

But Nosey Parker was written in Rust, and our ecosystem is overwhelmingly Go.

Embedding a Rust binary as a subprocess works. It's not the same as calling a function.

We wanted this:

scanner.ScanString(content)
Enter fullscreen mode Exit fullscreen mode

Not this:

exec.Command("noseyparker", "scan", "--stdin")
Enter fullscreen mode Exit fullscreen mode

So we ported it. Titus is a Go implementation of the same detection engine, carrying forward the battle-tested rules and adding capabilities that only make sense when the scanner lives in the same language as everything around it.

Secrets Validation — The Killer Feature

Regex scanners find patterns that look like secrets. On a large engagement you get hundreds of hits. Some are live. Some are revoked. Some are test fixtures from a tutorial someone copy-pasted three years ago.

Titus tells you which is which.

titus scan path/to/code --validate
Enter fullscreen mode Exit fullscreen mode

Each rule can optionally define a validator — a small YAML block specifying an HTTP request to make with the captured secret and how to interpret the response:

  • API returns 200 → key is live
  • API returns 401/403 → key is revoked
  • Endpoint unreachable → marked unknown

The scanner runs regex matching, then kicks off concurrent validation workers (4 by default, tunable with --validate-workers) against any finding with a validator defined. Each result gets tagged confirmed, denied, or unknown.

Knowing which keys are live before you start writing your report or attempting lateral movement changes how you spend the rest of your engagement.

Binary File Scanning

Most secret scanners stop at plaintext. Titus doesn't.

It cracks open Office documents (xlsx, docx, pptx), PDFs, Jupyter notebooks, SQLite databases, and common archive formats (zip, tar, tar.gz, jar, war, ear, apk, ipa, crx). Archives are recursively extracted up to configurable depth and size limits — a zip inside a zip still gets scanned.

titus scan path/to/files --extract=all
Enter fullscreen mode Exit fullscreen mode

We routinely find credentials in exported spreadsheets, embedded in Jupyter notebooks, or buried in mobile app packages that shipped with a hardcoded API key. Target specific formats with --extract=xlsx,pdf,zip to keep scan times tight.

450+ Detection Rules

The rule set comes from two sources:

~200 from Nosey Parker — credential patterns from years of engagements: AWS, GCP, Azure, GitHub tokens, Slack webhooks, database connection strings, and dozens more.

~250+ from Kingfisher — MongoDB's Nosey Parker fork that added patterns for Stripe, Twilio, SendGrid, Datadog, and hundreds of other SaaS platforms. We pulled their rules directly into Titus rather than duplicating the work.

Rule format stays identical to Nosey Parker, so pulling from other forks and contributing back is frictionless. If a service has an API key, there's probably a rule for it. If not, they're easy to add.

One Engine, Four Interfaces

CLI 

titus scan --git path/to/repo --format sarif
Enter fullscreen mode Exit fullscreen mode

Point it at a file, directory, or git repo. SARIF output pipes into CI/CD pipelines.

Go Library 

scanner, _ := titus.NewScanner(titus.WithValidation())
matches, _ := scanner.ScanString(httpResponseBody)
Enter fullscreen mode Exit fullscreen mode

Import it directly. No subprocesses, no parsing stdout.

Burp Suite Extension

Launches titus serve at startup, scans HTTP responses as they flow through the proxy. Passive scanning requires zero interaction — you browse, it finds secrets. You can also actively re-run the scanner against selected requests in an existing Burp project.

Chrome Extension

For web app assessments without Burp. Scans JavaScript, stylesheets, localStorage, and sessionStorage as you navigate. Same engine and ruleset compiled to WASM. It pops up an Xbox-style achievement notification every time it finds a secret. We're not sorry.

Especially handy in assumed breach contexts where you can't install Burp but have browser access to internal resources.

All four interfaces share the same repo, rule set, and build. Add a rule, it propagates everywhere.

After You Find Secrets

LLM-Assisted Denoising

Feed each finding's surrounding context into an LLM and ask whether it looks like a real credential or a false positive. In our testing this eliminates a significant chunk of noise. We're working on an --llm-denoise flag that integrates with major providers.

Credential Spraying with Brutus

Found passwords or reusable credentials? Feed them into Brutus, our credential spraying tool. It takes a set of credentials and sprays them across SSH, RDP, SMB, database protocols, and more.

Titus finds the credentials. Brutus tests them at scale. Both are part of a broader tooling suite we're releasing over the coming weeks.

Get Started

Titus is open source: github.com/praetorian-inc/titus

GitHub logo praetorian-inc / titus

High-performance secrets scanner. CLI, Go library, Burp Suite extension, and Chrome extension. 459 detection rules with live credential validation.

Titus - high-performance secrets scanner for source code, git history, and binary files

Titus: High-Performance Secrets Scanner

Go License CI

Titus is a high-performance secrets scanner that detects credentials, API keys, and tokens in source code, files, and git history. It ships with 459 detection rules covering hundreds of services and credential types, drawn from NoseyParker and Kingfisher. Titus runs as a CLI, a Go library, a Burp Suite extension, and a Chrome browser extension — all sharing the same detection engine and rule set.

Built for security engineers, penetration testers, and DevSecOps teams, Titus combines Hyperscan/Vectorscan-accelerated regex matching with live credential validation to find and verify leaked secrets across your entire codebase.

Table of Contents

Why Titus?

  • Fast secrets scanning: Regex matching accelerated by Hyperscan/Vectorscan when available, with a pure-Go fallback for portability on any platform.
  • Broad credential detection
View on GitHub

There's always a secret hiding somewhere. Titus just helps you find it faster.

Top comments (0)