Proposed product 1 of 2 · CNO

Fulcrum — the CNO CLI

The variant-research workflow as a CLI — proposed design, not yet operational. Operator drives, agent loop executes, disclosure terminal pinned in code by design.

Status Proposed design, not operational. Fulcrum’s rulebook schema and orchestrator contracts are scaffolded in source; the integrated pipeline is not yet runnable end-to-end. If built per the design, the resulting software would fall under EAR ECCN 4D004 (intrusion-software command and control), with controls allowlist-gated, append-only audit-logged, and disclosure-terminal pinned to coordinated-disclosure channels.

Fulcrum is the proposed offensive-research surface of @trenchwork/erosolar. As designed, the operator brings a target (a vendor advisory, a binary, a patched/vulnerable image pair) and Fulcrum would run the seven-step pipeline through to a coordinated-disclosure terminal. The design adds Kali wrappers (sqlmap, gobuster, ffuf, hydra, john, hashcat, masscan, …), AFL++ fuzzing, gdb / pwndbg triage, pwntools, binary analysis (objdump / readelf / radare2 / checksec), Ghidra headless. If built, sale and use would be scoped under EAR ECCN 4D004, with planned controls: allowlist-gated end users and append-only audit logs.

1 · AcquireTarget imagePatched + vulnerable build pair from vendor advisory
2 · DiffGhidra headlessPatch-diff IOS XE / firmware images
3 · SearchVariant huntFind sibling sinks of the patched bug class
4 · FuzzAFL++ campaignDrive each variant to a crashing input
5 · Triagegdb / pwndbgReachability and exploit primitive
6 · PoCpwntoolsMinimal repro for vendor confirmation
7 · DiscloseHackerOne / PSIRT / CERT/CCDisclosure terminal designed to be pinned in code

By design, disclosure would exit only through the EVRP DisclosureTerminal enum: HackerOne, vendor PSIRT, CERT/CC, or a 90-day published advisory. Broker channels would be structurally invalid — once implemented, a Fulcrum run cannot terminate at one. Profile gating is specified to be enforced in code and verified by hardening tests; the default coding profile would not load Fulcrum’s tools even if a configured MCP server tries to surface them. See EAR compliance for the full control inventory the design specifies.

Open portal → Email the operator

Fulcrum this page

Driver
Operator
Cadence
Per-engagement
Scope
Chosen target
Intent
CNE / CNA-shaped, disclosure-pinned
Surface
Variant research, exploit dev

Bulwark Details →

Driver
Schedule
Cadence
Continuous, unattended
Scope
Vendor surface deployed at scale
Intent
CND, coordinated-disclosure-pinned
Surface
Eviction by pre-empting the next weaponized variant