Market Context#
Enterprise tools (RedSeal, Tufin, AlgoSec, Titania Nipper) target Cisco/Palo Alto/Fortinet estates at $3K-$25K+/year, which prices out small and mid-size organizations. No existing tool combines OPNsense-native support, pfSense support, offline operation, security analysis, dead rule detection, compliance reporting, and multi-device topology mapping.
Three Target Markets#
- Commercial red/blue teams and consultancies (Year-one revenue focus): Small shops with procurement challenges, need fast multi-platform analysis during engagements.
- Homelabbers and small network operators (Free evangelism engine): Price-sensitive, high volume, strong community voice in forums/Reddit/YouTube.
- Security-sensitive organizations (gov/IC/defense) (Year-two+, inbound only): Airgapped environments, offline licensing required. Ken has domain expertise but cannot solicit; buyers must come to EvilBit Labs. Krystal handles commercial conversations.
Supported Platforms (All Free)#
All platform parsers are free and open source. opnDossier becomes the universal firewall config parser, driving adoption across every firewall community. Paid tiers sell what you do with parsed data, not which data you can parse.
Platforms: OPNsense, pfSense, Cisco ASA/IOS, Fortinet FortiGate, Palo Alto, Juniper, MikroTik, Ubiquiti/UniFi.
Input formats vary by platform: XML (OPNsense, pfSense, Palo Alto), flat text with indentation (Cisco IOS/ASA), block-structured text (Fortinet, Juniper), command-style text (MikroTik), JSON (Ubiquiti EdgeOS).
Tier Details#
Community (Free):
- All platform parsers (OPNsense, pfSense, Cisco, Fortinet, Palo Alto, Juniper, MikroTik, Ubiquiti)
- Single-config analysis with security findings and dead rule detection
- Multi-format export (Markdown, JSON, YAML)
- Firewall best practices checks (direct, platform-specific)
- SANS/NSA best practice checks
- Offline operation, zero telemetry
Professional (Individual License):
- Everything in Community
- CLI tool with full feature set
- STIG checks (direct) — gov/defense standard compliance
- Wails desktop application (Go backend, native WebView frontend, local SQLite for history)
- Topology mapping: ingest directory of heterogeneous configs, build internal graph, output as Mermaid diagrams (interactive via JS in Wails app), Graphviz DOT, JSON/YAML
- Attack path analysis from the entry point through permitted paths
- Trust boundary identification and segmentation gap detection
- Red team report output (exploitable findings view)
- Blue team report output (remediation priority view)
- Local analysis history
Enterprise (Site License):
- Everything in Professional
- Server deployment: Go backend, HTMX + Go templates frontend, SQLite database
- Multi-user accounts with shared analysis history
- Persistent topology history (track network changes over time)
- Config diff/change tracking
- Centralized config repository
- Custom rule authoring (write analysis rules beyond built-in checks)
- API access for integration with other tools
- Audit trail (who analyzed what, when, with what findings)
- Compliance cross-reference mapping: SANS/STIG findings mapped to PCI-DSS, SOC 2, and ISO 27001 requirements
- NIST 800-53 / NIST CSF control mapping
Gov/IC (Custom Pricing):
- Everything in Enterprise
- Offline license validation (signed JWT, no phone-home)
- Custom compliance framework mapping
- Self-certification audit procedures (in lieu of external audits for security-sensitive environments)
- Source-available access for security review
- Procurement-friendly terms (PO/invoice, custom EULA)
- Commercial license alternative for organizations that cannot use Apache 2.0
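As an added illustration of the offline license validation item above (example code, not opnDossier's own implementation), the following Go program issues and verifies an Ed25519-signed JWT using only the standard library. The claim names (sub, tier, seats, iat, exp), the five-minute skew window and the function names are assumptions for the example. The points it demonstrates are the ones that matter for a no-phone-home scheme: pin the algorithm to EdDSA so a forged token with `alg: none` or an HMAC downgrade is rejected, verify the signature before trusting a single claim, and enforce exp/iat locally with no network call.

```go
package main

import (
	"crypto/ed25519"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"strings"
	"time"
)

// LicenseClaims is a hypothetical license payload; the field set is an
// assumption made for this example, not opnDossier's actual schema.
type LicenseClaims struct {
	Subject   string `json:"sub"`
	Tier      string `json:"tier"`
	Seats     int    `json:"seats"`
	IssuedAt  int64  `json:"iat"`
	ExpiresAt int64  `json:"exp"`
}

type jwtHeader struct {
	Alg string `json:"alg"`
	Typ string `json:"typ"`
}

// EncodeSegment is the unpadded base64url encoding JWS mandates for every segment.
func EncodeSegment(b []byte) string { return base64.RawURLEncoding.EncodeToString(b) }

// IssueLicense signs claims with the vendor's Ed25519 key. This runs only on
// the vendor side; the customer binary never needs the private key.
func IssueLicense(priv ed25519.PrivateKey, c LicenseClaims) (string, error) {
	hdr, _ := json.Marshal(jwtHeader{Alg: "EdDSA", Typ: "JWT"})
	body, err := json.Marshal(c)
	if err != nil {
		return "", err
	}
	signingInput := EncodeSegment(hdr) + "." + EncodeSegment(body)
	return signingInput + "." + EncodeSegment(ed25519.Sign(priv, []byte(signingInput))), nil
}

// VerifyLicense checks a compact JWS entirely offline against a public key
// compiled into the binary: it pins the algorithm to EdDSA (so "none" and
// HMAC/RSA downgrades are rejected), verifies the signature before trusting any
// claim, and enforces exp/iat with a small clock-skew allowance.
func VerifyLicense(token string, pub ed25519.PublicKey, now time.Time) (*LicenseClaims, error) {
	if len(pub) != ed25519.PublicKeySize {
		return nil, errors.New("embedded public key has the wrong size")
	}
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return nil, errors.New("malformed token: want header.payload.signature")
	}
	hdrJSON, err := base64.RawURLEncoding.DecodeString(parts[0])
	if err != nil {
		return nil, fmt.Errorf("header: %w", err)
	}
	var hdr jwtHeader
	if err := json.Unmarshal(hdrJSON, &hdr); err != nil || hdr.Alg != "EdDSA" {
		return nil, fmt.Errorf("header rejected (alg=%q, err=%v): only EdDSA is accepted", hdr.Alg, err)
	}
	sig, err := base64.RawURLEncoding.DecodeString(parts[2])
	if err != nil || !ed25519.Verify(pub, []byte(parts[0]+"."+parts[1]), sig) {
		return nil, errors.New("signature verification failed")
	}
	payload, err := base64.RawURLEncoding.DecodeString(parts[1])
	if err != nil {
		return nil, fmt.Errorf("payload: %w", err)
	}
	var c LicenseClaims
	if err := json.Unmarshal(payload, &c); err != nil {
		return nil, fmt.Errorf("payload: %w", err)
	}
	const skew = 300 // seconds of tolerated clock drift on an offline host
	if c.ExpiresAt == 0 || now.Unix() >= c.ExpiresAt+skew {
		return nil, errors.New("license expired or has no exp claim")
	}
	if c.IssuedAt > now.Unix()+skew {
		return nil, errors.New("license issued in the future")
	}
	return &c, nil
}

func main() {
	// Deterministic demo seed; a real deployment keeps the signing seed offline.
	priv := ed25519.NewKeyFromSeed([]byte("0123456789abcdef0123456789abcdef"))
	pub := priv.Public().(ed25519.PublicKey)
	now := time.Now()
	tok, _ := IssueLicense(priv, LicenseClaims{Subject: "example-org", Tier: "govic", Seats: 10,
		IssuedAt: now.Unix(), ExpiresAt: now.Add(365 * 24 * time.Hour).Unix()})
	claims, err := VerifyLicense(tok, pub, now)
	fmt.Printf("%+v %v\n", claims, err)
}
```

Only the public key ships in the customer binary; the token is a self-contained proof, so an airgapped host can validate it forever without contacting a license server, and revocation has to be handled through short expiry or re-issuance rather than a phone-home check.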
Compliance Framework Strategy#
Note: CIS Benchmarks require a paid Product Vendor Membership ($6,000+/year) for commercial use. See for full details on costs, certification requirements, and our recommended approach. Until licensed, all checks ship as "Cybersecurity Best Practices."
Implementation is layered:
Layer 1 — Direct checks (mapped to config findings):
- Cybersecurity Best Practices (platform-specific firewall hardening checks derived from industry-standard guidance) — Community tier
- STIGs (gov/defense standard, extremely prescriptive) — Professional tier
- SANS/NSA best practices (practitioner-respected, less formal) — Community tier
- NIST 800-53 / NIST CSF (maps controls to categories) — Enterprise tier
Layer 2 — Cross-reference mapping (Enterprise tier):
PCI-DSS, SOC 2, and ISO 27001 as report overlays, not direct checks. "The 15 cybersecurity best practice findings in this report collectively address PCI-DSS requirements 1.1, 1.2, 1.3." One tool, one report, multiple compliance obligations satisfied.
Topology Mapping (Flagship Differentiator)#
Static network topology reconstruction from config files. Ingest a directory of configs from multiple heterogeneous devices. Build an internal graph of subnets, interfaces, VLANs, and routing. Output as Mermaid diagrams, Graphviz DOT, JSON/YAML. Identify trust boundaries, implicit access paths, segmentation gaps, and attack paths from a specified entry point.
This is a point-in-time analysis of exported configs (red team pre-engagement reconnaissance, blue team segmentation validation), not real-time monitoring. Offline-first design is a feature.
Professional tier: local, point-in-time topology analysis.
Enterprise tier: persistent topology history showing how the network changes over time.
Cloud VPC/NSG support could be on the long-term roadmap; the initial scope is on-prem network device configs.
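As an added Go example (not part of the page or the project's code), a compact version of the static reconstruction described above: build a subnet graph from two constructed device configs, walk permitted hops breadth-first from an entry subnet to recover the attack path, and emit a Mermaid diagram. The input model, the zone labels and the rule that "any" expands to the device's locally attached subnets are assumptions for the example. It deliberately ignores first-match ordering against earlier block rules, which a real implementation must model; in the sample, a restricted server subnet reachable from the internet zone is the segmentation gap the walk exposes.

```go
package main

import (
	"fmt"
	"sort"
	"strings"
)

// Iface, Rule and Device are a simplified input model assumed for this example
// (not the project's CommonDevice). Rule Src/Dst are subnets; "any" expands to
// every subnet the device is directly attached to.
type Iface struct{ Subnet, Zone string }
type Rule struct{ Action, Src, Dst, Port string }
type Device struct {
	Name   string
	Ifaces []Iface
	Rules  []Rule
}

// Edge is one permitted hop; Via records which device and rule allows it.
type Edge struct{ From, To, Via string }
type Topology struct {
	Zone map[string]string // subnet -> zone label
	Adj  map[string][]Edge // subnet -> permitted next hops
}
func expand(x string, local []string) []string {
	if x == "any" {
		return local
	}
	return []string{x}
}

// Build merges all devices into one graph keyed by CIDR, so devices sharing a transit
// subnet join automatically. Only pass rules add edges; first-match ordering is not modelled.
func Build(devs []Device) *Topology {
	t := &Topology{Zone: map[string]string{}, Adj: map[string][]Edge{}}
	for _, d := range devs {
		var local []string
		for _, i := range d.Ifaces {
			t.Zone[i.Subnet] = i.Zone
			local = append(local, i.Subnet)
		}
		for n, r := range d.Rules {
			for _, s := range expand(r.Src, local) {
				for _, dst := range expand(r.Dst, local) {
					if r.Action == "pass" && s != dst {
						t.Adj[s] = append(t.Adj[s], Edge{s, dst, fmt.Sprintf("%s rule%d %s", d.Name, n, r.Port)})
					}
				}
			}
		}
	}
	return t
}

// Reachable walks permitted hops breadth-first from the entry subnet and returns
// the first path found to every reachable subnet (the entry maps to an empty path).
func (t *Topology) Reachable(entry string) map[string][]Edge {
	paths := map[string][]Edge{entry: {}}
	for queue := []string{entry}; len(queue) > 0; queue = queue[1:] {
		for _, e := range t.Adj[queue[0]] {
			if _, seen := paths[e.To]; !seen {
				paths[e.To] = append(append([]Edge{}, paths[queue[0]]...), e)
				queue = append(queue, e.To)
			}
		}
	}
	return paths
}

// Mermaid renders every permitted hop as a labelled edge with inline node labels;
// output is sorted so it is stable across runs. Subnets with no hops are omitted.
func (t *Topology) Mermaid() string {
	node := func(s string) string {
		return "n" + strings.NewReplacer(".", "_", "/", "_").Replace(s) + fmt.Sprintf("[\"%s (%s)\"]", s, t.Zone[s])
	}
	var lines []string
	for _, edges := range t.Adj {
		for _, e := range edges {
			lines = append(lines, fmt.Sprintf("  %s -->|%s| %s", node(e.From), e.Via, node(e.To)))
		}
	}
	sort.Strings(lines)
	return "graph LR\n" + strings.Join(lines, "\n") + "\n"
}

// sampleDevices is a constructed two-device environment, not exported configs.
var sampleDevices = []Device{
	{"fw-edge", []Iface{{"203.0.113.0/24", "internet"}, {"10.0.10.0/24", "dmz"}, {"10.0.0.0/30", "internal"}},
		[]Rule{{"pass", "203.0.113.0/24", "10.0.10.0/24", "tcp/443"}, {"pass", "10.0.10.0/24", "10.0.0.0/30", "tcp/22"}, {"block", "any", "any", "any"}}},
	{"core", []Iface{{"10.0.0.0/30", "internal"}, {"10.0.20.0/24", "restricted"}, {"10.0.30.0/24", "internal"}},
		[]Rule{{"pass", "10.0.0.0/30", "10.0.20.0/24", "tcp/22"}, {"pass", "10.0.30.0/24", "10.0.20.0/24", "tcp/443"}}},
}

func main() {
	t := Build(sampleDevices)
	fmt.Print(t.Mermaid(), t.Reachable("203.0.113.0/24")["10.0.20.0/24"])
}
```

Walking from 203.0.113.0/24 reaches the DMZ over 443, the transit link over 22, and then the restricted server subnet over 22, which is exactly the three-hop attack path a red team report would list and the segmentation gap a blue team report would prioritize; the users subnet has no inbound pass rule and stays unreachable.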
Red/Blue Dual-Output Reports#
Same analysis engine, two report templates. Example: a firewall rule allowing ANY-to-ANY on SSH appears as "HIGH: exploitable lateral movement path via unrestricted SSH" in the red team report and "HIGH: restrict SSH source to admin VLAN, implement jump host architecture" in the blue team report.
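An added example in Go (not from the page or the project) of the single-engine, two-template design: each check records an attack framing and a remediation framing once, and the report template decides which one the reader sees. It also covers the dead rule detection listed under the Community tier with a shadowing check. The Rule and Finding shapes, the check names and the wording are assumptions; the constructed ruleset includes the ANY-to-ANY SSH rule from the example above.

```go
package main

import (
	"errors"
	"fmt"
	"sort"
	"strings"
	"text/template"
)

// Rule is a minimal normalized firewall rule with "any" as the wildcard; the
// field shape is an assumption for this example, not the project's model.
type Rule struct{ Name, Action, Proto, Src, Dst, Port string }

// Finding is audience-neutral: the engine records both framings once and the
// report template decides which one the reader sees.
type Finding struct {
	ID, Severity, Rule string
	Attack             string // red team: what the path gives an attacker
	Remediation        string // blue team: what to change
}

var sevRank = map[string]int{"HIGH": 0, "MEDIUM": 1, "LOW": 2, "INFO": 3}
var adminPorts = map[string]bool{"22": true, "23": true, "3389": true}

// covers reports whether earlier rule a matches every packet rule b would match,
// regardless of action. Only exact match or "any" is handled; a real check needs
// CIDR containment and port-range arithmetic.
func covers(a, b Rule) bool {
	f := func(x, y string) bool { return x == "any" || x == y }
	return f(a.Proto, b.Proto) && f(a.Src, b.Src) && f(a.Dst, b.Dst) && f(a.Port, b.Port)
}

// Analyze runs every check once and returns findings in ruleset order.
func Analyze(rules []Rule) []Finding {
	var out []Finding
	for i, r := range rules {
		if r.Action == "pass" && r.Src == "any" && r.Dst == "any" && adminPorts[r.Port] {
			out = append(out, Finding{ID: "unrestricted-admin-port", Severity: "HIGH", Rule: r.Name,
				Attack:      fmt.Sprintf("exploitable lateral movement path: %s/%s open from any source to any host", r.Proto, r.Port),
				Remediation: fmt.Sprintf("restrict %s/%s source to the admin VLAN and front it with a jump host", r.Proto, r.Port)})
		}
		for j := 0; j < i; j++ { // dead rule: an earlier rule already decides this traffic
			if covers(rules[j], r) {
				out = append(out, Finding{ID: "dead-rule", Severity: "LOW", Rule: r.Name,
					Attack:      fmt.Sprintf("no new path; %s never matches because %s decides first, a sign of ruleset drift worth probing", r.Name, rules[j].Name),
					Remediation: fmt.Sprintf("delete %s; it is shadowed by %s and never evaluated", r.Name, rules[j].Name)})
				break
			}
		}
	}
	return out
}

var views = map[string]*template.Template{
	"red": template.Must(template.New("red").Parse(
		"RED TEAM VIEW (exploitable findings)\n{{range .}}[{{.Severity}}] {{.ID}} via rule {{.Rule}}: {{.Attack}}\n{{end}}")),
	"blue": template.Must(template.New("blue").Parse(
		"BLUE TEAM VIEW (remediation priority)\n{{range .}}[{{.Severity}}] {{.ID}} via rule {{.Rule}}: {{.Remediation}}\n{{end}}")),
}

// Render produces one audience's report from the shared finding set; the blue
// view is sorted by severity so remediation order is explicit.
func Render(view string, fs []Finding) (string, error) {
	t, ok := views[view]
	if !ok {
		return "", errors.New("unknown view: " + view)
	}
	fs = append([]Finding(nil), fs...) // sort a copy; the red view keeps ruleset order
	if view == "blue" {
		sort.SliceStable(fs, func(i, j int) bool { return sevRank[fs[i].Severity] < sevRank[fs[j].Severity] })
	}
	var b strings.Builder
	err := t.Execute(&b, fs)
	return b.String(), err
}

// sampleRules is a constructed ruleset, not an exported config.
var sampleRules = []Rule{
	{"allow-ssh", "pass", "tcp", "any", "any", "22"},
	{"allow-web", "pass", "tcp", "any", "10.0.1.10", "443"},
	{"allow-web-branch", "pass", "tcp", "10.0.2.0/24", "10.0.1.10", "443"},
	{"deny-all", "block", "any", "any", "any", "any"},
}

func main() {
	fs := Analyze(sampleRules)
	for _, view := range []string{"red", "blue"} {
		out, _ := Render(view, fs)
		fmt.Println(out)
	}
}
```

Keeping both framings on the Finding, rather than generating them in the templates, is what makes the two reports provably consistent: they are produced from one slice, so a finding cannot appear in the red view without a matching remediation item in the blue view.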
Technical Architecture#
Two-repo model:
- Open-source repository (Apache 2.0): Parsers, CommonDevice model, basic analysis engine. Published as a Go module. Community contributes parsers without touching Pro code.
- Pro repository (source-available to licensed customers): Imports open-source module as a dependency. Adds compliance mapping, topology, diff, red/blue reports, Wails desktop app, and web server for the Enterprise tier.
Parser architecture: New platform parsers implement the DeviceParser interface (two methods, Parse and ParseAndValidate, each taking an io.Reader and returning a *common.CommonDevice). The OPNsense reference implementation uses three layers: raw DTO deserialization, a converter with 50+ methods mapping DTO to CommonDevice, and a thin parser wrapper orchestrating both. New platforms create a package under internal/model/{platform}/ with a parser and converter, then register in the factory's auto-detect/override routing.
Parser contribution model: Maintainer-written, with community PRs accepted for bug fixes and improvements. The DeviceParser interface is documented for a future external plugin architecture. The full plugin system (external packages promoted to mainline after validation) is a roadmap item driven by community demand.
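An added example, not the project's code, of the three-layer parser design and factory routing described above, in Go. Only the two-method interface shape comes from the text; the CommonDevice fields, the DTO element names (modelled on the OPNsense config.xml layout), the registry and the sample config are assumptions made for the example. The point to notice is that the DTO layer mirrors the XML exactly, the converter owns every mapping decision (such as an empty `<any/>` element meaning a wildcard), and ParseAndValidate adds semantic checks on top of a successful Parse rather than mixing them into deserialization.

```go
package main

import (
	"bytes"
	"encoding/xml"
	"fmt"
	"io"
)

// Rule and CommonDevice stand in for the project's common model; their field
// shape is an assumption made for this example. "any" is the wildcard value.
type Rule struct{ Action, Proto, Src, Dst, Port string }
type CommonDevice struct {
	Platform, Hostname string
	Rules              []Rule
}

// DeviceParser mirrors the two-method interface described above.
type DeviceParser interface {
	Parse(r io.Reader) (*CommonDevice, error)
	ParseAndValidate(r io.Reader) (*CommonDevice, error)
}

// Layer 1: raw DTOs mirroring the XML one-to-one (element names assumed here).
type opnEndpointDTO struct {
	Any     *string `xml:"any"` // non-nil when an empty <any/> element is present
	Address string  `xml:"address"`
	Port    string  `xml:"port"`
}
type opnRuleDTO struct {
	Type     string         `xml:"type"`
	Protocol string         `xml:"protocol"`
	Source   opnEndpointDTO `xml:"source"`
	Dest     opnEndpointDTO `xml:"destination"`
}
type opnConfigDTO struct {
	System struct{ Hostname string `xml:"hostname"` } `xml:"system"`
	Filter struct{ Rules []opnRuleDTO `xml:"rule"` }  `xml:"filter"`
}

// Layer 2: converter from DTO to the common model (the real one has 50+ methods).
type opnConverter struct{}
func (opnConverter) rule(d opnRuleDTO) Rule {
	src, dst := d.Source.Address, d.Dest.Address
	if d.Source.Any != nil {
		src = "any"
	}
	if d.Dest.Any != nil {
		dst = "any"
	}
	return Rule{Action: d.Type, Proto: d.Protocol, Src: src, Dst: dst, Port: d.Dest.Port}
}

func (c opnConverter) device(d *opnConfigDTO) *CommonDevice {
	dev := &CommonDevice{Platform: "opnsense", Hostname: d.System.Hostname}
	for _, r := range d.Filter.Rules {
		dev.Rules = append(dev.Rules, c.rule(r))
	}
	return dev
}

// Layer 3: thin parser wrapper orchestrating deserialization and conversion.
type OPNsenseParser struct{ conv opnConverter }
func (p OPNsenseParser) Parse(r io.Reader) (*CommonDevice, error) {
	var dto opnConfigDTO
	if err := xml.NewDecoder(r).Decode(&dto); err != nil {
		return nil, fmt.Errorf("opnsense: %w", err)
	}
	return p.conv.device(&dto), nil
}

func (p OPNsenseParser) ParseAndValidate(r io.Reader) (*CommonDevice, error) {
	dev, err := p.Parse(r)
	if err == nil && dev.Hostname == "" {
		return nil, fmt.Errorf("opnsense: missing system/hostname")
	}
	return dev, err
}

// Factory: an explicit platform override wins; otherwise sniff the root element.
var registry = map[string]func() DeviceParser{"opnsense": func() DeviceParser { return OPNsenseParser{} }}
func ParserFor(override string, head []byte) (DeviceParser, error) {
	if override == "" && bytes.Contains(head, []byte("<opnsense>")) {
		override = "opnsense"
	}
	if mk, ok := registry[override]; ok {
		return mk(), nil
	}
	return nil, fmt.Errorf("no parser for platform %q", override)
}

// sampleConfig is constructed for this example, not a real export.
const sampleConfig = `<?xml version="1.0"?>
<opnsense><system><hostname>fw-edge</hostname></system><filter>
<rule><type>pass</type><protocol>tcp</protocol><source><any/></source><destination><any/><port>22</port></destination></rule>
<rule><type>block</type><source><address>10.0.0.0/8</address></source><destination><any/></destination></rule>
</filter></opnsense>`
func main() {
	p, _ := ParserFor("", []byte(sampleConfig))
	fmt.Println(p.ParseAndValidate(bytes.NewReader([]byte(sampleConfig))))
}
```

A second platform would add its own DTO and converter package and one registry entry; nothing in the common model or the factory signature changes, which is what lets community parsers land in the open repository without touching the paid analysis code.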
Desktop app (Professional): Wails framework (Go backend, native WebView frontend). Single binary with embedded assets. Mermaid JS library renders interactive topology diagrams. SQLite for local analysis history.
Server deployment (Enterprise): Go backend, HTMX + Go templates frontend, SQLite database. Single binary deployment, zero external dependencies. The customer runs one binary on their infrastructure.
Implementation Plan#
See for the phased plan covering open repo stabilization, pro repo scaffolding, licensing mechanism, and go-to-market sequence.