Ghost Logic Engine

Under maintenance. Pricing: pay per usage. Rating: 0.0 (0 ratings).

Developer: Zaher el siddik (maintained by community)

Actor stats: 0 bookmarked, 2 total users, 1 monthly active user. Last modified 7 days ago.
Ghost-Target: Logic Engine

Actor 2 of 3 in the Ghost-Target Autonomous Red Team Pipeline.

Reads the Ghost Inventory built by Actor 1 from the shared KV Store, then runs Nuclei against every discovered asset. Every CVE finding is cross-referenced against the live CISA Known Exploited Vulnerabilities (KEV) catalog. Leaked credentials from GitHub are tested against live endpoints. Historical drift is tracked to surface newly opened attack surface since the last scan.


What It Does

Phase 1 — Load Ghost Inventory

Reads surface__{domain} from the shared KV Store (ghost-target-brain) — the brain state written by Actor 1 — and extracts the full list of discovered subdomains and GitHub leak references.

Phase 2 — CISA KEV Catalog Fetch

Pulls the live CISA Known Exploited Vulnerabilities JSON feed at runtime. At the time of writing it lists 1,500+ CVEs for which CISA has evidence of active exploitation in the wild. Every CVE finding from Nuclei is cross-referenced against this list.

Phase 3 — Nuclei Scanning

Runs Nuclei against all discovered targets (http:// and https:// variants). Templates are pre-baked into the Docker image at build time to avoid slow runtime downloads.

Default template tags:

Tag             What It Detects
exposure        .env, .git/config, backup files, config leaks
secrets         API keys, tokens, connection strings in responses
misconfig       CORS misconfigs, open redirects, insecure headers
default-login   Vendor default credentials (admin:admin, etc.)
cve             Known CVEs with public PoC (cross-referenced with KEV)
takeover        Subdomain takeover fingerprints (dangling DNS)

Phase 4 — Credential Correlation

Takes the GitHub leak references from Actor 1's brain state, extracts candidate API keys and tokens, and tests them against live asset endpoints. An HTTP 200 response to a request carrying the leaked credential is flagged as a critical finding, LEAKED_CREDENTIAL_VALID. Two caveats: a 200 on its own is weak evidence on endpoints that also answer 200 without authentication, so compare against an unauthenticated baseline before treating the credential as live; and presenting a found credential to a live system is an authentication attempt, not passive scanning, so make sure your authorization explicitly covers it.
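The correlation step described above, as an added example that is not the actor's own code. It extracts candidate secrets from a constructed leak snippet and classifies each token against each endpoint, but it is stricter than a bare "200 means valid" rule: a credential is reported as LEAKED_CREDENTIAL_VALID only when the request carrying the token gets a 200 and an unauthenticated baseline request to the same endpoint is rejected. The `fetch(url, headers)` callable, the regex patterns, the endpoint names and the token values are all assumptions or constructed data so the logic runs offline; in the actor a real HTTP client would take the place of `make_fake_fetch`.

```python
# Added example, not the actor's own code: Phase 4 credential correlation.
# extract_candidates() pulls secrets out of a leak snippet; check_credential()
# only reports LEAKED_CREDENTIAL_VALID when the request with the token gets a
# 200 AND the same endpoint rejects an unauthenticated baseline request, so an
# endpoint that answers 200 to anyone does not produce a false critical.
# fetch(url, headers) -> status code is an injected callable (assumption) so
# this runs offline; names, patterns and inputs are constructed/hypothetical.
import re
from typing import Callable

Fetch = Callable[[str, dict], int]

# Candidate patterns. AWS access key IDs are AKIA + 16 upper-case/digits; the
# generic rule catches NAME=value assignments whose name ends in key/token/secret.
PATTERNS = {
    "aws_access_key_id": re.compile(r"\b(AKIA[0-9A-Z]{16})\b"),
    "github_token": re.compile(r"\b(ghp_[A-Za-z0-9]{36})\b"),
    "generic_assignment": re.compile(
        r"(?i)\b[a-z_]*(?:api[_-]?key|token|secret)\s*[=:]\s*['\"]?([A-Za-z0-9_\-]{16,})['\"]?"
    ),
}

CONSTRUCTED_TOKEN = "tok_live_9f8e7d6c5b4a392817161514131211"  # constructed value
# Constructed leak snippet; AKIAIOSFODNN7EXAMPLE is AWS's documented placeholder key.
LEAK_SNIPPET = f"""
# settings.py committed by mistake
API_TOKEN = "{CONSTRUCTED_TOKEN}"
AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE
DEBUG = True
"""


def extract_candidates(text: str) -> list[dict]:
    """Return de-duplicated {kind, value} candidates found in text."""
    seen, out = set(), []
    for kind, rx in PATTERNS.items():
        for m in rx.finditer(text):
            value = m.group(1)
            if value not in seen:
                seen.add(value)
                out.append({"kind": kind, "value": value})
    return out


def check_credential(url: str, token: str, fetch: Fetch) -> str:
    """Classify one token against one endpoint.

    LEAKED_CREDENTIAL_VALID: the token turned a 401/403 into a 200 (it changed the outcome).
    INCONCLUSIVE: the endpoint answers 200 without auth, so a 200 with the token proves nothing.
    INVALID: the token did not get a 200.
    """
    baseline = fetch(url, {})
    with_token = fetch(url, {"Authorization": f"Bearer {token}"})
    if with_token == 200 and baseline in (401, 403):
        return "LEAKED_CREDENTIAL_VALID"
    if with_token == 200 and baseline == 200:
        return "INCONCLUSIVE"
    return "INVALID"


def correlate(endpoints: list[str], candidates: list[dict], fetch: Fetch) -> list[dict]:
    """Test every bearer-style candidate against every endpoint and emit findings."""
    results = []
    for url in endpoints:
        for c in candidates:
            if c["kind"] == "aws_access_key_id":
                # AWS keys need a SigV4 check (e.g. STS GetCallerIdentity), not a bearer header
                continue
            verdict = check_credential(url, c["value"], fetch)
            results.append({
                "matchedAt": url, "kind": c["kind"], "verdict": verdict,
                "severity": "critical" if verdict == "LEAKED_CREDENTIAL_VALID" else "info",
            })
    return results


def make_fake_fetch(valid_token: str) -> Fetch:
    """Constructed stand-in for an HTTP client: /api/admin needs the token, /health is public."""
    def fetch(url: str, headers: dict) -> int:
        auth = headers.get("Authorization", "")
        if url.endswith("/health"):
            return 200
        if url.endswith("/api/admin"):
            return 200 if auth == f"Bearer {valid_token}" else 401
        return 404
    return fetch
```

The baseline request is the important design choice: without it, every public endpoint on the target would register a "valid" credential and the critical count feeding the Actor 3 trigger would be inflated. Non-bearer credential types (AWS keys, database connection strings) need their own protocol-specific check and are deliberately skipped here rather than guessed at.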

Phase 5 — Historical Drift Detection

Diffs current findings against the previous scan stored in KVS. Flags:

  • New findings — attack surface that opened since last scan
  • Resolved findings — issues that appear to be fixed

This enables continuous monitoring — run the pipeline on a schedule and only get alerted on what changed.


Input

  • targetDomain (string): Root domain to scan. Must match what was used in Actor 1.
  • globalKvsName (string, default "ghost-target-brain"): Shared Key-Value Store name. Must match Actor 1.
  • apifyApiToken (string): Apify API token. Required when triggered by Actor 1 via webhook, where it is forwarded automatically.
  • nucleiTemplates (array, default ["exposure","secrets","misconfig","default-login","cve","takeover"]): Nuclei template tags to run.
  • severityFilter (string, default "medium"): Minimum severity to report (info / low / medium / high / critical).
  • concurrency (integer, default 25): Number of concurrent Nuclei template checks.
  • rateLimit (integer, default 50): Max HTTP requests per second.
  • exploitSynthesizerActorId (string): Actor ID of Actor 3 to auto-trigger when findings exceed the threshold.
  • criticalFindingsThreshold (integer, default 1): Minimum number of critical/high findings required to trigger Actor 3.

Note that actor input, including apifyApiToken, is persisted as the INPUT record of the run's default key-value store and is visible to anyone who can view the run, so use a dedicated token with the narrowest scope available and rotate it if run access is shared.

Output

Dataset

One row per finding:

{
  "asset": "dev.example.com",
  "templateId": "exposure/config/exposed-env-file",
  "name": "Exposed .env File",
  "severity": "high",
  "cvss": 7.5,
  "cveId": null,
  "allCves": [],
  "isKev": false,
  "kevDetails": null,
  "matchedAt": "https://dev.example.com/.env",
  "extractedData": ["DB_PASSWORD=s3cr3t", "AWS_SECRET_ACCESS_KEY=xxxxx"],
  "tags": ["exposure", "config", "files"],
  "description": "An exposed .env file was found which may contain sensitive credentials.",
  "remediation": "Remove .env from the web root and rotate any exposed credentials immediately.",
  "isNew": true,
  "timestamp": "2026-05-15T09:52:03.000Z"
}

KEV-matched finding example:

{
  "asset": "vpn.example.com",
  "templateId": "cve/2021/CVE-2021-44228",
  "name": "Apache Log4j RCE",
  "severity": "critical",
  "cvss": 10.0,
  "cveId": "CVE-2021-44228",
  "isKev": true,
  "kevDetails": {
    "name": "Apache Log4j2 Remote Code Execution Vulnerability",
    "product": "Log4j2",
    "vendor": "Apache",
    "dateAdded": "2021-12-10",
    "dueDate": "2021-12-24"
  },
  "isNew": true
}

Key-Value Store (ghost-target-brain)

Writes findings__{domain} — the full enriched findings array consumed by Actor 3.

Also updates surface__{domain} with a lastVulnScan summary:

{
  "lastVulnScan": {
    "timestamp": "2026-05-15T09:57:46.000Z",
    "totalFindings": 12,
    "critical": 2,
    "high": 5,
    "kevFindings": 1,
    "newFindings": 4,
    "resolvedFindings": 1,
    "credentialHits": 0
  }
}

Automatic Pipeline Chaining

When exploitSynthesizerActorId is set and the number of critical plus high findings (criticalHighCount) is >= criticalFindingsThreshold, this actor automatically triggers Actor 3 (Exploit Synthesizer) with the findings context.

To always trigger Actor 3 regardless of severity, set criticalFindingsThreshold: 0.


Prerequisites

Two Go binaries are bundled in the Docker image at build time.

Nuclei templates are pre-downloaded during the Docker build (nuclei -update-templates) so actor startup is fast and there is no dependency on GitHub at runtime. The trade-off is that the template set is only as current as the last image build, so rebuild the image regularly to pick up newly published CVE templates.


Usage Examples

Standalone (after Actor 1 has run)

{
  "targetDomain": "example.com",
  "globalKvsName": "ghost-target-brain",
  "apifyApiToken": "apify_api_xxxxxxxxxxxxxxxxxxxxxxxx",
  "severityFilter": "medium",
  "nucleiTemplates": ["exposure", "secrets", "misconfig", "default-login", "cve", "takeover"]
}

With Actor 3 auto-trigger

{
  "targetDomain": "example.com",
  "globalKvsName": "ghost-target-brain",
  "apifyApiToken": "apify_api_xxxxxxxxxxxxxxxxxxxxxxxx",
  "exploitSynthesizerActorId": "YOUR_USERNAME/ghost-exploit-synthesizer",
  "criticalFindingsThreshold": 1,
  "severityFilter": "medium"
}

Targeted CVE-only scan

{
  "targetDomain": "example.com",
  "globalKvsName": "ghost-target-brain",
  "apifyApiToken": "apify_api_xxxxxxxxxxxxxxxxxxxxxxxx",
  "nucleiTemplates": ["cve"],
  "severityFilter": "high",
  "concurrency": 50,
  "rateLimit": 100
}

CISA KEV Cross-Reference

When a Nuclei finding carries a CVE ID, this actor checks it against the CISA KEV catalog fetched live at runtime. A KEV match means the CVE:

  1. Has reliable evidence of real-world exploitation, not just a theoretical or PoC-only weakness
  2. Has been used by threat actors in the wild (the listing records that exploitation was observed, not that an attack on your host is in progress)
  3. Carries a mandatory remediation deadline for US federal civilian executive branch agencies under CISA BOD 22-01; each entry has its own dueDate (the Log4j example above was added 2021-12-10 with a 2021-12-24 due date)

KEV findings should be treated as P0 and patched immediately. Keep in mind that the match is made on the CVE ID declared by the Nuclei template, so a KEV hit means that template matched on that host, not that exploitation of the host has been verified; confirm the finding before escalating it outside the team.
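The Phase 2 fetch and this cross-reference step, as one added example that is not the actor's own code. It parses Nuclei JSONL output into the finding records shown in the Output section and marks each one against a KEV index. The Nuclei field names (template-id, info.name, info.severity, info.tags, info.classification.cve-id and cvss-score, host, matched-at, extracted-results, timestamp) follow the -jsonl output of recent releases as I know it, and the KEV keys (cveID, vendorProject, product, vulnerabilityName, dateAdded, dueDate) follow the public feed; treat both as assumptions to verify against your versions. The KEV excerpt and the Nuclei lines are constructed samples, not captured output.

```python
# Added example, not the actor's own code. Field names assumed: Nuclei -jsonl
# (template-id, info.*, info.classification.cve-id / cvss-score, host,
# matched-at, extracted-results, timestamp) and the KEV feed (cveID,
# vendorProject, product, vulnerabilityName, dateAdded, dueDate).
# All inputs below are constructed samples.
import json
import re
from urllib.parse import urlsplit

SEVERITY_RANK = {"info": 0, "low": 1, "medium": 2, "high": 3, "critical": 4}
CVE_RE = re.compile(r"CVE-\d{4}-\d{4,}", re.IGNORECASE)

# Constructed excerpt of the KEV feed (same top-level shape as the live feed).
KEV_FEED = {"vulnerabilities": [{
    "cveID": "CVE-2021-44228", "vendorProject": "Apache", "product": "Log4j2",
    "vulnerabilityName": "Apache Log4j2 Remote Code Execution Vulnerability",
    "dateAdded": "2021-12-10", "dueDate": "2021-12-24",
}]}

# Constructed Nuclei JSONL: one object per line, plus a junk line that must be skipped.
NUCLEI_JSONL = "\n".join(json.dumps(o) for o in [
    {"template-id": "CVE-2021-44228",
     "info": {"name": "Apache Log4j RCE", "severity": "critical", "tags": ["cve", "rce"],
              "classification": {"cve-id": ["CVE-2021-44228"], "cvss-score": 10.0}},
     "host": "https://vpn.example.com", "matched-at": "https://vpn.example.com/",
     "timestamp": "2026-05-15T09:52:03.000Z"},
    {"template-id": "exposed-env-file",
     "info": {"name": "Exposed .env File", "severity": "high", "tags": ["exposure", "config"]},
     "host": "https://dev.example.com", "matched-at": "https://dev.example.com/.env",
     "extracted-results": ["DB_PASSWORD=s3cr3t"]},
    {"template-id": "cors-misconfig",
     "info": {"name": "CORS Misconfiguration", "severity": "medium", "tags": ["misconfig"]},
     "host": "https://api.example.com", "matched-at": "https://api.example.com/"},
]) + "\nthis line is not JSON and is skipped\n"


def load_kev_index(feed: dict) -> dict[str, dict]:
    """Map upper-cased CVE ID -> kevDetails in the shape the actor stores."""
    return {
        v["cveID"].upper(): {
            "name": v.get("vulnerabilityName"),
            "product": v.get("product"),
            "vendor": v.get("vendorProject"),
            "dateAdded": v.get("dateAdded"),
            "dueDate": v.get("dueDate"),
        }
        for v in feed.get("vulnerabilities", [])
    }


def parse_nuclei_jsonl(text: str) -> list[dict]:
    """One JSON object per line; blank or malformed lines are skipped, not fatal."""
    out = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            out.append(json.loads(line))
        except json.JSONDecodeError:
            continue
    return out


def cve_ids(raw: dict) -> list[str]:
    """Collect CVE IDs from classification (string or list) and from the template id."""
    cls = raw.get("info", {}).get("classification") or {}
    ids = cls.get("cve-id") or []
    if isinstance(ids, str):
        ids = [ids]
    found = [c.upper() for c in ids]
    found += [m.upper() for m in CVE_RE.findall(raw.get("template-id", ""))]
    return list(dict.fromkeys(found))  # de-duplicate, keep order


def enrich(raw: dict, kev: dict[str, dict]) -> dict:
    """Build one finding record; isKev/kevDetails come from the first KEV-listed CVE."""
    info = raw.get("info", {})
    cls = info.get("classification") or {}
    cves = cve_ids(raw)
    hit = next((c for c in cves if c in kev), None)
    host = raw.get("host", "")
    return {
        "asset": urlsplit(host).hostname or host,
        "templateId": raw.get("template-id"),
        "name": info.get("name"),
        "severity": str(info.get("severity", "info")).lower(),
        "cvss": cls.get("cvss-score"),
        "cveId": cves[0] if cves else None,
        "allCves": cves,
        "isKev": hit is not None,
        "kevDetails": kev[hit] if hit else None,
        "matchedAt": raw.get("matched-at"),
        "extractedData": raw.get("extracted-results", []),
        "tags": info.get("tags", []),
        "timestamp": raw.get("timestamp"),
    }


def cross_reference(jsonl: str, feed: dict, severity_filter: str = "medium") -> list[dict]:
    """Enrich every Nuclei result and drop anything below severity_filter."""
    kev = load_kev_index(feed)
    floor = SEVERITY_RANK[severity_filter]
    findings = [enrich(r, kev) for r in parse_nuclei_jsonl(jsonl)]
    return [f for f in findings if SEVERITY_RANK.get(f["severity"], 0) >= floor]
```

Two details matter in practice: the CVE list is taken from both the template's classification block and the template id, because older templates carry the ID only in their name, and the KEV lookup is case-normalised, since template authors are not consistent about "CVE" versus "cve". Malformed JSONL lines (Nuclei can interleave warnings on stdout when misconfigured) are dropped rather than aborting the whole run.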


This tool is for authorized penetration testing and security research only. Nuclei sends HTTP requests to target systems. Only run against systems you own or have explicit written authorization to test.