🛡️ Fortify

AI-Powered Phishing Simulation & Security Awareness Training Platform

Advanced system to test employee resilience against social engineering attacks

Features • Installation • Documentation • Architecture

📋 Table of Contents

Overview
Key Features
Tech Stack
Quick Start
Configuration
Usage
Architecture
API Reference
Workflow
Security
Roadmap
Contributing
License
Authors

🎯 Overview

Fortify is an enterprise platform for simulating phishing and smishing attacks in a controlled environment, designed to increase cybersecurity awareness among corporate employees.

💡 The Problem

91% of security breaches start with a phishing email
Companies lose millions annually to social engineering attacks
Traditional training is ineffective and not personalized

✨ The Solution

Fortify uses advanced AI (Llama 70B) and OSINT (LinkedIn scraping) to:

🔍 Analyze public employee profiles
🤖 Generate ultra-personalized phishing messages
📊 Measure real staff vulnerability
📈 Provide targeted training based on results

🚀 Key Features

🎭 AI-Powered Personalization

6 pre-built campaign types (password reset, CEO fraud, invoice, etc.)
Personalized messages using Nebius AI (Llama 3.3 70B)
Tone and language analysis for maximum credibility
Automatic adaptation to target's role and seniority

🔍 OSINT Intelligence

Automated LinkedIn scraping with Puppeteer + Stealth
Data extraction: experiences, skills, recent posts
Complete versioning with profile change history
Intelligent rate limiting to avoid detection

🏢 Enterprise Multi-Tenancy

Complete isolation between organizations
3 roles: Admin, Company Admin, Analyst
Granular permissions with RBAC
Dedicated dashboard for each company

📊 Analytics & Reporting

Real-time tracking: email sent, clicked, submitted
Advanced metrics: Click-through rate, Submission rate
Vulnerability heatmap by department
Exportable PDF reports (coming soon)

🔐 Security & Compliance

Soft delete with full retention
Audit logging of all operations
Encryption at rest for sensitive data
GDPR compliant (public data only)

🛠 Tech Stack

Frontend (Coming Soon)

Nuxt 4 - Full-stack Vue framework
NuxtUI - Apple-style design system
Tailwind CSS - Utility-first styling

Backend

Nuxt Server API - Serverless RESTful API
Better Auth - Modern authentication system
Drizzle ORM - Type-safe database toolkit
PostgreSQL - Relational database

AI & Scraping

Nebius AI - Llama 3.3 70B Instruct
Puppeteer - Browser automation
Puppeteer Extra Stealth - Anti-detection

DevOps

pnpm - Fast package manager
Drizzle Kit - Database migrations
TypeScript - End-to-end type safety

⚡ Quick Start

Prerequisites

node >= 18.x
pnpm >= 10.x
postgresql >= 14.x

Setup

# 1. Clone the repository
git clone <repository-url>
cd Fortify

# 2. Install dependencies
pnpm install

# 3. Configure environment
cp .env.example .env
# Edit .env with your credentials

# 4. Setup database
pnpm db:generate
pnpm db:migrate

# 5. Create admin user
pnpm setup:admin

# 6. Start development server
pnpm dev

Open http://localhost:3000 🎉

⚙️ Configuration

Environment Variables

Create a .env file in the root:

# Database
DATABASE_URL=postgresql://user:password@localhost:5432/fortify

# Better Auth
BETTER_AUTH_SECRET=your-super-secret-key-min-32-chars
BETTER_AUTH_URL=http://localhost:3000

# Nebius AI
NEBIUS_API_KEY=your-nebius-api-key

# App
NODE_ENV=development
PORT=3000

Getting Nebius API Key

Go to studio.nebius.ai
Create an account
Navigate to API Keys
Generate new key for Llama 3.3 70B
Copy the key to your .env file

📖 Usage

1. Create Organization (Admin)

POST /api/organizations
Content-Type: application/json

{
  "nome": "Acme Corporation",
  "email": "admin@acmecorp.com"
}

2. Add Employee Targets

POST /api/targets
Content-Type: application/json

{
  "nome": "John Doe",
  "email": "john.doe@acmecorp.com",
  "posizione": "Senior Developer",
  "dipartimento": "Engineering",
  "linkedinUrl": "https://linkedin.com/in/johndoe"
}

3. Profile Scraping

POST /api/scraping/linkedin
Content-Type: application/json

{
  "targetId": "target-uuid",
  "profileUrl": "https://linkedin.com/in/johndoe"
}

4. Create Campaign

POST /api/campaigns
Content-Type: application/json

{
  "nome": "Q1 2025 Security Awareness",
  "targetIds": ["uuid1", "uuid2", "uuid3"],
  "campaignType": "password_reset",
  "descrizione": "Baseline awareness test for engineering team"
}

AI will automatically generate personalized messages for each target!

5. Launch Campaign

POST /api/campaigns/{campaignId}/launch

6. Monitor Results

GET /api/campaigns/{campaignId}

🏗 Architecture

Database Schema

organization ─┬─> user (role, organizationId)
              ├─> employee_target
              └─> phishing_campaign ─> campaign_target ─> interaction_log

employee_target ─> social_profile ─> scraping_history (versioning)

API Structure

server/
├── api/
│   ├── organizations/    # Organization CRUD (admin)
│   ├── targets/          # Employee targets CRUD
│   ├── scraping/         # LinkedIn scraping
│   ├── profiles/         # Social profiles data
│   └── campaigns/        # Phishing campaigns
├── db/
│   └── schema.ts         # Drizzle schema
└── utils/
    ├── auth.ts           # Better Auth config
    ├── db.ts             # Database client
    ├── rbac.ts           # Access control
    ├── scraper/          # Puppeteer scrapers
    │   ├── base.ts       # Base classes
    │   └── linkedin.ts   # LinkedIn scraper
    └── ai/
        └── nebius.ts     # AI integration

Data Flow

graph LR
    A[Company Admin] --> B[Create Target]
    B --> C[LinkedIn Scraping]
    C --> D[Scraping History DB]
    D --> E[Create Campaign]
    E --> F[Nebius AI]
    F --> G[Personalized Messages]
    G --> H[Launch Campaign]
    H --> I[Track Interactions]
    I --> J[Analytics Dashboard]

🔌 API Reference

Organizations

Endpoint	Method	Auth	Description
`/api/organizations`	POST	Admin	Create organization
`/api/organizations`	GET	Admin	List organizations
`/api/organizations/:id`	GET	Admin/Own	Organization details
`/api/organizations/:id`	PATCH	Admin	Update organization

Targets

Endpoint	Method	Auth	Description
`/api/targets`	POST	Company Admin	Create target
`/api/targets`	GET	Company Admin	List targets
`/api/targets/:id`	GET	Company Admin	Target details
`/api/targets/:id`	PATCH	Company Admin	Update target
`/api/targets/:id`	DELETE	Company Admin	Delete target (soft)

Scraping

Endpoint	Method	Auth	Description
`/api/scraping/linkedin`	POST	Company Admin	Start scraping
`/api/scraping/history/:targetId`	GET	Company Admin	Scraping history
`/api/profiles/:profileId/latest`	GET	Company Admin	Latest data

Campaigns

Endpoint	Method	Auth	Description
`/api/campaigns`	POST	Company Admin	Create campaign
`/api/campaigns`	GET	Company Admin	List campaigns
`/api/campaigns/:id`	GET	Company Admin	Campaign details
`/api/campaigns/:id`	PATCH	Company Admin	Update campaign
`/api/campaigns/:id/launch`	POST	Company Admin	Launch campaign

🎬 Complete Workflow

Scenario: Phishing Test for Engineering Team

# 1. Login as Company Admin
POST /api/auth/sign-in/email
{"email": "admin@acme.com", "password": "****"}

# 2. Add 5 developers as targets
POST /api/targets × 5
# Include LinkedIn URL for each

# 3. Automatic profile scraping
POST /api/scraping/linkedin × 5
# Wait for completion (30-60s per profile)

# 4. Create "Password Reset" campaign
POST /api/campaigns
{
  "nome": "Engineering Team - Password Test",
  "targetIds": ["dev1", "dev2", "dev3", "dev4", "dev5"],
  "campaignType": "password_reset"
}
# AI generates 5 personalized messages

# 5. Review messages (optional)
GET /api/campaigns/{id}
# Verify generated messages

# 6. Launch campaign
POST /api/campaigns/{id}/launch
# Simulate immediate email sending

# 7. Monitor real-time results
GET /api/campaigns/{id}
# See who clicked, who submitted credentials

# 8. Analyze metrics
# Click rate: 60% (3/5)
# Submit rate: 40% (2/5)
# → 2 developers need urgent training!

🔒 Security & Privacy

GDPR Compliance

✅ Only publicly available data (LinkedIn)
✅ No passwords or real credentials saved
✅ Soft delete with retention policy
✅ Client company consent (contract)
✅ Optional results anonymization

Best Practices

Use HTTPS in production
Rotate BETTER_AUTH_SECRET regularly
Rate limiting on public APIs
Daily database backups
Audit logging for sensitive operations

Ethics

Fortify is an educational tool. Authorized use only:

✅ With explicit organization consent
✅ For training and awareness purposes
✅ In controlled and authorized environments
❌ NOT for real or illegal attacks

🗺 Roadmap

✅ Phase 1 - Backend (Completed)

🚧 Phase 2 - Frontend (Q1 2025)

🔮 Phase 3 - Advanced Features (Q2 2025)

🤝 Contributing

Contributions welcome! Please:

Fork the repository
Create a branch: git checkout -b feature/amazing-feature
Commit: git commit -m 'Add amazing feature'
Push: git push origin feature/amazing-feature
Open a Pull Request

Coding Standards

✅ TypeScript strict mode
✅ ESLint + Prettier
✅ Conventional Commits
✅ Test coverage > 80% (future)

📄 License

This project is developed for educational and research purposes within the university context.

👥 Authors

_{Mattia Guariglia}
_@mattyx97
💻 🎨 🔬

_{Giuseppe Cerella}
_@cerella17
💻 📖 📊

💻 Code · 🎨 Design · 📖 Documentation · 🔬 Research · 📊 Data Analysis

🙏 Acknowledgments

Nuxt Team - Amazing framework
Nebius AI - Llama 70B access
Drizzle Team - Best ORM ever
Better Auth - Modern auth solution
Puppeteer Team - Automation magic

⭐ If Fortify is useful to you, give it a star!

Built with ❤️ to make the web safer

⬆️ Back to top

Name		Name	Last commit message	Last commit date
Latest commit History 7 Commits
.cursor/rules		.cursor/rules
app		app
public		public
scripts		scripts
server		server
.gitignore		.gitignore
README.md		README.md
SETUP.md		SETUP.md
drizzle.config.ts		drizzle.config.ts
nuxt.config.ts		nuxt.config.ts
package.json		package.json
pnpm-lock.yaml		pnpm-lock.yaml
start.sh		start.sh
tsconfig.json		tsconfig.json

mattyx97/Fortify

Folders and files

Latest commit

History

Repository files navigation