Multi-platform firewall analysis
that works offline, on purpose.
Transform firewall configs into actionable security intelligence. Parse OPNsense, pfSense, Cisco, Fortinet, and more. Compliance checks, dead rule detection, and audit-ready reports -- all from a single binary with zero external dependencies.
Zero Telemetry
No phone-home, no analytics, no tracking. Your configs never leave your machine.
Single Binary
Static Go binary. No runtime dependencies, no containers required, no database needed.
Airgap Ready
Designed for disconnected environments. Works identically on and off the network.
Open Source Core
All parsers Apache 2.0 licensed. Inspect the code, contribute, and trust what runs on your infra.
Platform parsers are always free.
Parsing is always free and open source. Paid tiers add analysis, compliance, and team features -- not platform support.
OPNsense
Available now
pfSense
In development
On the roadmap: Cisco ASA/IOS, FortiGate, Palo Alto, Juniper, MikroTik, Ubiquiti/UniFi
Community Edition
Everything you need for single-config firewall analysis, audit reporting, and compliance checking. Free and open source under Apache 2.0.
Multi-Format Export
Parse firewall configs and export as structured Markdown, JSON, or YAML. Summary and comprehensive output modes.
opndossier convert -f markdown config.xml
Security Audit Reports
Three reporting perspectives: standard findings, blue team remediation priorities, and red team exploitable paths.
opndossier audit --mode red config.xml
Terminal Rendering
Rich terminal display with syntax highlighting and themed output. Review configs directly in your terminal.
opndossier display --theme dark config.xml
Compliance Checks
Built-in cybersecurity best practices, SANS firewall hardening checks, and NSA/CISA joint hardening guidelines. Plugin architecture for custom rulesets.
opndossier audit --plugins best-practices config.xml
Dead Rule Detection
Identify unused, shadowed, and redundant firewall rules. Clean up rule bloat and reduce your attack surface.
Config Diff
Compare two configs side-by-side. Track changes across backups and identify what moved between versions.
opndossier diff old.xml new.xml
Built for every operator.
From homelabbers to classified networks. Start free. Add compliance, topology, and team features as your scope grows.
Community
Single-config analysis for individual operators and homelabbers.
- All platform parsers
- Security findings & dead rule detection
- Markdown, JSON, YAML export
- Cybersecurity best practices checks
- SANS firewall hardening checks
- CISA/federal hardening guidelines
- Config diff
- Offline operation, zero telemetry
Professional
For consultants and red/blue teams doing multi-platform assessments.
- Everything in Community
- STIG compliance checks
- Topology mapping & visualization
- Attack path analysis
- Red team & blue team report outputs
- Desktop application
- Local analysis history
Enterprise
Centralized deployment for security teams managing network infrastructure.
- Everything in Professional
- Self-hosted server deployment
- Multi-user with shared history
- Persistent topology history
- Custom rule authoring
- API access
- NIST 800-53/CSF mapping
Federal & Restricted
For government agencies, government contractors, and enterprises with strict procurement or compliance requirements. Same software and entitlements as Enterprise -- we customize licensing and terms to meet your procurement process.
- Everything in Enterprise
- Offline license validation
- Source-available for security review
- Custom compliance frameworks
- PO/invoice procurement
- Commercial license option
What's coming in Pro.
The same operator-first design philosophy, applied to the hard problems. Topology mapping, attack path analysis, and compliance reporting for teams that need to close findings.
Topology Mapping
Ingest a directory of configs from multiple heterogeneous devices. Reconstruct the network topology as Mermaid diagrams, Graphviz DOT, or structured JSON/YAML. Identify trust boundaries, segmentation gaps, and implicit access paths.
Point-in-time analysis from exported configs -- not another monitoring tool. Built for red team pre-engagement recon and blue team segmentation validation.
Attack Path Analysis
Given an entry point, trace permitted paths through the reconstructed topology. Identify lateral movement opportunities and segmentation failures that exist in the config, before they exist on the wire.
Same analysis engine, two outputs: the red team report shows exploitable paths, the blue team report shows prioritized remediation.
STIG Compliance
Line-by-line STIG compliance checks against firewall configurations. STIGs define mandatory controls, not best practices -- opnDossier validates against them so you don't have to cross-reference manually.
Findings mapped to specific STIG IDs with remediation guidance. Built for the compliance workflow that gov/defense teams already follow.
Desktop Application
Native desktop app built with Wails (Go backend, native WebView). Interactive topology diagrams rendered with Mermaid JS. Local SQLite database for analysis history.
Single binary with embedded assets. Still offline, still zero dependencies, still your machine.
Get started in 30 seconds.
Install from your package manager, Homebrew, or Docker, or grab the binary from GitHub Releases.
# Install via Homebrew
brew install evilbit-labs/tap/opndossier
# Analyze a config
opndossier audit config.xml
# Export to Markdown
opndossier convert -f markdown config.xml -o report.md
Ready to see what's in your firewall configs?
Start with the open source Community edition. When you need STIG compliance, topology mapping, or attack path analysis, Pro is on the way.