Documentation

Crossfyre docs

Everything to install the toolchain, bring nodes online, run distributed offensive security workflows, and read the results. New here? Jump to the Quickstart.

Overview

Crossfyre is a hosted control plane for distributed offensive security. You enrol your own machines as nodes; the platform orchestrates scan engines across them, and turns raw output into prioritized findings. Today the shipping engines are mach (content discovery), voyage (subdomain enum) and pulse (network scan), with vulnerability scanning and custom workflows on the roadmap. The scan engines and node agent are open source; the orchestration, scheduling and dashboard are the hosted platform.

The pieces: the CLI (crossfyre) you install on a host, a node (that host, enrolled and running scans), engines (the scanners), workflows (.cfx scripts that drive a scan), findings (the results), and credits (the metered fuel a scan burns).

Quickstart

  1. Create an account at crossfyre.io.
  2. Install the CLI:
    curl -fsSL https://get.crossfyre.io/install.sh | sudo bash
  3. Authenticate:
    crossfyre login
  4. In the dashboard create a node, copy its key, then enrol this host:
    sudo crossfyre node init
  5. Start a workflow from the dashboard (or crossfyre run), then watch findings stream in and get notified when it finishes.

Requirements

  • OS: Linux or macOS (the Windows installer is experimental).
  • Docker: required. The engines persist scan state to a local Postgres that the CLI runs as a Docker container, so install Docker before crossfyre node init (curl -fsSL https://get.docker.com | sh).
  • Root: needed to install the node service and set up isolated network namespaces / tunnels.

Installation

Linux and macOS:

curl -fsSL https://get.crossfyre.io/install.sh | sudo bash

Windows (PowerShell):

irm https://get.crossfyre.io/install.ps1 | iex

The installer downloads crossfyre and the node worker to /opt/crossfyre/bin (symlinking crossfyre into your PATH), verifying every binary's SHA-256 against the signed release manifest, and adds /opt/crossfyre/bin to your shell PATH. Prebuilt binaries are on the toolchain page; you can also build from source from the open repo.

CLI reference

One CLI drives everything. The most-used commands:

crossfyre loginAuthenticate the CLI to your account (API key, username/password, or browser).
crossfyre logoutRemove the saved session and stop/disable any installed engines.
crossfyre node initEnrol this host as a node using a node key from the dashboard. Installs the selected engines, provisions the database, and installs the OS service.
crossfyre node listList your fleet from the control plane, with live online/offline status.
crossfyre node statusShow the node daemons running on THIS host.
crossfyre node up / downStart / stop the node supervisor service (brings all local nodes online or offline).
crossfyre node restart / enable / disableRestart the service, or toggle start-on-boot.
crossfyre node remove [id] [--inactive]Remove a registered node from this host.
crossfyre extension listList engines with install state and daemon health.
crossfyre extension install <mach|voyage|pulse|all>Download, checksum-verify and start an engine.
crossfyre extension remove / update / start / stop / restart <name>Manage an installed engine.
crossfyre run <script.cfx> <type:value ...>Run a .cfx workflow locally, no control plane required.
crossfyre update [self|all|<ext>]Update the CLI, the node binary, and engines from the signed release manifest.
crossfyre statusOverview of local node daemons, engines and the database.
crossfyre db <up|down|start|stop|restart>Manage the toolchain Postgres container.
crossfyre doctorDiagnose the environment: Docker, database, release-CDN reachability, PATH.
crossfyre uninstall [--purge]Remove services, engines, binaries and the database container.

Nodes

A node is one of your hosts, enrolled to run scans. Create it in the dashboard (Nodes), then run sudo crossfyre node init on the host and paste the node key. Enrolment installs the engines you selected, provisions the local database, and installs an OS service so the node survives reboots.

The node service runs a supervisor that keeps every registered node online; each reports a heartbeat so the dashboard shows it online or offline. Bring them up or down with crossfyre node up / crossfyre node down, check local daemons with crossfyre node status, or the whole fleet with crossfyre node list.

OPSEC: a node can route outbound traffic through proxy chains and an isolated network namespace with a VPN/WireGuard tunnel, so scans leave from where you choose and never touch the host's own network.

Scan engines

  • mach: HTTP fuzzer and content-discovery engine (paths, parameters, virtual hosts). Stateful and resumable.
  • voyage: subdomain enumeration: passive sources plus active wordlist brute-forcing.
  • pulse: network host and port scanning (SYN/connect, service detection).

Engines are open source and installed/supervised by the CLI (crossfyre extension install mach). Each runs as a local daemon and persists state to the toolchain Postgres. Run them standalone, or let the platform orchestrate them across your fleet.

Workflows

A workflow is a .cfx script (Python) that drives a scan: it picks targets, calls the engines, and reports results. Run one locally with crossfyre run content-discovery.cfx url:https://example.com, or launch it from the dashboard to run across your nodes.

Workflows are crash-safe: the platform reserves an estimated cost at launch and reconciles the actual work at completion (reserve-then-reconcile). A dropped node or a crash resumes where it left off, and you are never charged twice or for work that did not run. Schedule a workflow to run on a recurring basis and have results pushed to you.

Findings

Results land in the Findings explorer: filter by severity, by active or passive discovery, and by host; search, paginate, and export the set to CSV, JSON or Markdown for your report or pipeline.

Notifications

Get alerted the moment a scan finishes or a finding lands, on the channel you already live in:

  • Discord / Slack: add the Crossfyre bot, run /login <email> and confirm with the code we email you (/verify). Subscribe a channel and alerts post there.
  • Email: enable email alerts in Settings → Notifications.

Manage channels and what triggers an alert from the Notifications page in your dashboard.

Teams & roles

Work as a crew in a Team Space: shared nodes, wordlists and findings, with role-based access (leaders manage members and billing; members run work). Seats are set by your plan. Invite teammates from Team Space and they join with the invite code emailed to them.

Wordlists

Crossfyre ships default wordlists and lets you upload your own, scoped to your team. Engines (mach, voyage) pull from them during active discovery. Manage them from the Wordlists page.

Billing & credits

Your plan sets your limits (nodes, concurrent workflows, storage, seats) and drops a monthly batch of credits into your balance. Credits are the metered fuel a scan burns, billed to the actual work done (reserve-then-reconcile). Credits never expire, and individual accounts pause new work at zero rather than overspending.

  • Free: 1 node, 1 workflow at a time, starter credits.
  • Pro: 10 nodes, 5 concurrent, 2,500 credits / month.
  • Team: 50 nodes, 20 concurrent, 10 seats, 12,000 credits / month.

Top up credits any time. See pricing for the full breakdown.

Coming soon

On the roadmap, not yet available. These are in active development:

Extensions ecosystem & marketplace

Coming soon

An open marketplace of engines and integrations, built both by the Crossfyre team and the community. Discover, install and publish extensions that plug straight into your nodes and workflows, the same way the core mach / voyage / pulse engines do.

Mission Planner

Coming soon

Compose multi-stage engagements visually: chain workflows, branch on findings, gate steps, and schedule the whole campaign across your fleet. A planner for end-to-end recon missions rather than one-off scans.

Vulnerability scanning

Coming soon

A dedicated vulnerability-scanning engine on top of the recon layer, turning discovered surface into checked, evidence-backed findings. In development, not yet available.

Valkyrie

Coming soon

An AI security agent that works alongside your scans: it gives intel and context on findings, and mutates vulnerability-scanning payloads to probe deeper and cut false positives. Not yet live.

Troubleshooting

Start with crossfyre doctor, which checks Docker, the database container, release-CDN reachability and your PATH.

  • node init fails / engines won't start: Docker isn't installed or running. Install it (get.docker.com) and start the daemon.
  • node shows offline: check the service with crossfyre node status; bring it up with sudo crossfyre node up.
  • command not found after install: open a new shell so /opt/crossfyre/bin is on your PATH (crossfyre is also linked into /usr/local/bin).
  • dashboard says systems offline: the control plane is unreachable; the in-app status page shows what's down.

Support

Questions or stuck? Join the Discord, or email [email protected]. Found a security issue? Email [email protected] privately (see the toolchain repo's SECURITY policy).