Osmedeus is a workflow engine for security automation. It executes YAML-defined workflows with support for multiple execution environments (host, Docker, SSH), scheduling, and distributed scanning.
The Osmedeus core engine is lightweight and can run anywhere with almost any specs. However, if you plan to use it for reconnaissance (which is the main use case), it is recommended to use a modern Linux, macOS, or Windows system with WSL. Since running reconnaissance generates heavy network traffic, it is also recommended to run Osmedeus in a cloud environment, such as a VM, Compute Engine, or EC2, to achieve the best performance.
Does Osmedeus support AI/LLM integration? Can I use tools like Claude Code and Codex with it?
Yes, of course. Osmedeus has built-in support for LLMs, and you can use it in your workflow to do things like generating recon reports, writing custom scripts, or even building your own agentic workflow. You can check out the LLM Workflow Example to see how it works.
Be aware that using LLMs may require you to have API keys for the LLM provider and may incur additional costs based on your usage. Always monitor your usage and costs when using LLMs in your workflows.
Since Osmedeus is an orchestration framework, you can leverage it to coordinate your own custom AI/LLM tools, including integrations like Claude Code or OpenCode, directly within your YAML workflows. For instance, you could design a custom agent that invokes multiple tools as part of a defined pipeline and seamlessly plug it into your workflow. The flexibility is virtually unlimited.
Does Osmedeus have AI Skills that I can use in my agent?
Yes, I’ve built the osmedeus-expert skill at github.com/osmedeus/osmedeus-skills and you can use it in your agentic tool to write YAML workflows, run CLI commands, and configure advanced features.
Osmedeus is a standalone Golang binary and works perfectly fine on its own. However, when using Osmedeus to run YAML workflows for security automation, it often needs to call external tools like httpx, nuclei, ffuf, etc. These tools must be installed and available on your system for those workflows to function properly.
Do I need to install all the binaries in the registry using `osmedeus install binary --all --install-optional`?
No. Installing all tools is completely optional. The registry includes additional tools that are commonly used in YAML workflows, but you only need the ones required for your specific workflow. Installing everything is not necessary for running a basic workflow.
I tried everything I can but still haven't managed to install the required binaries. What should I do?
As I said above, not all binaries listed in the registry are required for every workflow. Your scans may still function correctly even if some tools are missing.
If you would like the ideal setup, then I recommend using Docker to run Osmedeus and its workflows. This ensures that all dependencies are met and eliminates any compatibility issues. See the Docker Setup for more details.
You can join https://discord.gg/mtQG2FQsYA to see if anyone can help. I might answer from time to time, but I can’t promise to answer every single one of them.
Nope, it doesn’t natively support proxies, because the tool is designed to run other third-party tools and a lot of them don’t support a proxy by default. I’ve already considered proxychains, but it makes everything extremely slow and breaks a lot of things.
It will stay there because it hit a sudo password prompt. Some tools, like nmap, require root permission to run. Make sure nmap can be run without a sudo password prompt.
Why did my scan, such as vulnerability scanning, port scanning, or content discovery, take so long?
It’s probably because the input you provided was really big. Think about trying to run content discovery against 2000 different hosts. That’s why it takes a long time.
Why didn't Osmedeus find any vulnerabilities even when I scanned an intentionally vulnerable app?
Again, it very much depends on your target. Osmedeus really shines on large-scope targets, not a single intentionally vulnerable web app. Just scan some random VDP and you will see the results.
The reason it won’t find any vulnerabilities on the intentionally vulnerable app is that the vulnscan module doesn’t support it. But you’re always welcome to customize the workflow to do so.
How can I keep the scan or the web UI running in the background?
The simplest way to do it is to run the process under tmux (https://tmuxcheatsheet.com/). Other than that, you can set up a service to run the osmedeus web server as a background process.
Osmedeus found some vulnerable subdomains, but I am unable to access them?
It is often the case that the availability of a subdomain found during a scan may not be the same when you attempt to manually verify it. This depends on the target and can vary.
When I run with the `--debug` flag, I've noticed that certain commands are returning errors with exit statuses such as 128, 255, or -1. Is this to be expected?
Yes, it’s normal for certain commands to return these exit statuses, as they may only succeed under specific conditions. However, if you’re confident that the raw bash command should succeed but it is failing, please copy the raw bash command and investigate why it’s encountering issues.
The scan executed without issues, but the UI doesn't display any assets?
This is likely because the workflow you executed did not generate any assets. You can verify this by checking the workspace directory located at `~/workspaces-osmedeus/<target>/` to see if any files were created.
Another possible cause is that the workflow doesn’t use any database utility function to save the assets into the database. You can check the workflow file to see if it uses any database utility functions like `db_import_asset`. You can also see the full list of database-related functions with `osmedeus func ls db --example`.
Why didn't I see any notifications even when I set up the ?
This is likely because the workflow you executed did not generate any assets. You can verify this by checking the workspace directory located at `~/workspaces-osmedeus/<target>/` to see if any files were created.
Another possible cause is that the workflow doesn’t use any notification utility function to send notifications. You can check the workflow file to see if it uses any notification utility functions like `notify_telegram`. You can also see the full list of notification-related functions with `osmedeus func ls noti --example`.
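The two checks from the assets and notification answers above (is there any output in the workspace, and does the workflow reference a database or notification function) can be scripted. This is an added example, not part of Osmedeus; it assumes utility functions share the `db_` and `notify_` prefixes of the two named on this page, and the sample workflow's key names are constructed placeholders.

```shell
#!/usr/bin/env bash
# Added example, not Osmedeus code. Triage for "scan ran, but no assets or
# notifications": is there output in the workspace, and does the workflow
# mention any db_* / notify_* utility function?
# Assumption: utility functions share the prefixes of the two named on this
# page (db_import_asset, notify_telegram). Matching is by name only.

# Print the number of non-empty regular files under a workspace directory.
count_outputs() {
  [ -d "$1" ] || { echo 0; return 0; }
  find "$1" -type f -size +0c | wc -l | tr -d ' '
}

# Print the unique PREFIX* names used in a workflow file, skipping comment lines.
list_calls() {
  sed 's/^[[:space:]]*#.*//' "$2" | grep -oE "$1[a-z0-9_]+" | sort -u
}

# Print a one-word verdict for a workspace directory and a workflow file.
diagnose() {
  local files db noti
  files=$(count_outputs "$1")
  db=$(list_calls db_ "$2" | wc -l | tr -d ' ')
  noti=$(list_calls notify_ "$2" | wc -l | tr -d ' ')
  if [ "$files" -eq 0 ]; then echo "no-output"
  elif [ "$db" -eq 0 ] && [ "$noti" -eq 0 ]; then echo "no-db-no-notify"
  elif [ "$db" -eq 0 ]; then echo "no-db"
  elif [ "$noti" -eq 0 ]; then echo "no-notify"
  else echo "ok"
  fi
}

# Constructed sample (key names are placeholders): a workspace with one result
# file and a workflow that imports assets but has its notification commented out.
demo() {
  local tmp; tmp=$(mktemp -d)
  mkdir -p "$tmp/ws/example.com"
  echo "sub.example.com" > "$tmp/ws/example.com/subdomains.txt"
  printf '%s\n' 'steps:' \
    '  # notify_telegram is disabled for now' \
    '  - name: save-assets' \
    '    run: db_import_asset' > "$tmp/flow.yaml"
  diagnose "$tmp/ws/example.com" "$tmp/flow.yaml"
  rm -rf "$tmp"
}
if [ "${1:-}" = "demo" ]; then demo; fi
```

Against a real scan, call `diagnose ~/workspaces-osmedeus/<target>/ <workflow file>`; a `no-db` or `no-notify` verdict points at the workflow definition rather than at the scan itself.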
I got this `failed to run database migrations`. What should I do?
```
$ osmedeus server
2026-02-16T22:59:11+07:00 ERROR Failed to create server {"error": "failed to run database migrations: failed to create index: SQL logic error: no such column: webhook_uuid (1)"}
Error: failed to run database migrations: failed to create index: SQL logic error: no such column: ... (1)
```
An error like this means that the database schema is outdated and the server cannot start. To fix this, you can run `osmedeus db clean --force` to clean up the database and then start the server again. This will reset your database, so make sure to back up any important data before running the command.