Metadata-Version: 2.4
Name: evadex
Version: 3.29.0
Summary: Comprehensive DLP evasion test suite — scanner-agnostic, file-aware
License-Expression: MIT
Project-URL: Homepage, https://github.com/tbustenk/evadex
Project-URL: Repository, https://github.com/tbustenk/evadex
Project-URL: Bug Tracker, https://github.com/tbustenk/evadex/issues
Project-URL: Changelog, https://github.com/tbustenk/evadex/blob/main/CHANGELOG.md
Keywords: dlp,security,evasion,testing,compliance,pci-dss,scanner
Classifier: Development Status :: 4 - Beta
Classifier: Environment :: Console
Classifier: Intended Audience :: Information Technology
Classifier: Intended Audience :: System Administrators
Classifier: Operating System :: OS Independent
Classifier: Programming Language :: Python :: 3
Classifier: Programming Language :: Python :: 3.11
Classifier: Programming Language :: Python :: 3.12
Classifier: Programming Language :: Python :: 3.13
Classifier: Topic :: Security
Classifier: Topic :: System :: Systems Administration
Classifier: Typing :: Typed
Requires-Python: >=3.11
Description-Content-Type: text/markdown
License-File: LICENSE
Requires-Dist: click<9,>=8.1
Requires-Dist: httpx<1,>=0.27
Requires-Dist: python-docx<2,>=1.1
Requires-Dist: fpdf2<3,>=2.7.9
Requires-Dist: openpyxl<4,>=3.1
Requires-Dist: jinja2<4,>=3.1
Requires-Dist: rich<14,>=13.0
Requires-Dist: pyyaml<7,>=6.0
Provides-Extra: dev
Requires-Dist: pytest<10,>=8.0; extra == "dev"
Requires-Dist: pytest-asyncio<2,>=0.23; extra == "dev"
Requires-Dist: respx<1,>=0.21; extra == "dev"
Requires-Dist: ruff<1,>=0.4; extra == "dev"
Provides-Extra: barcodes
Requires-Dist: qrcode[pil]<9,>=7.4; extra == "barcodes"
Requires-Dist: python-barcode[images]<1,>=0.15; extra == "barcodes"
Requires-Dist: Pillow<13,>=10.0; extra == "barcodes"
Provides-Extra: data-formats
Requires-Dist: pyarrow<24,>=14.0; extra == "data-formats"
Requires-Dist: pandas<4,>=2.0; extra == "data-formats"
Provides-Extra: archives
Requires-Dist: py7zr<2,>=0.20; extra == "archives"
Provides-Extra: bridge
Requires-Dist: fastapi<1,>=0.110; extra == "bridge"
Requires-Dist: uvicorn[standard]<1,>=0.27; extra == "bridge"
Requires-Dist: python-multipart<1,>=0.0.9; extra == "bridge"
Dynamic: license-file

# evadex

DLP quality assurance testing. Generate synthetic sensitive data, test your scanner, measure detection gaps.

---

## Install

```bash
pip install evadex
```

## Quick start

```bash
evadex quickstart
```

The wizard detects your environment, configures your scanner, and runs a first test. It saves the config to `evadex.yaml` so subsequent runs just work.

---

## Core commands

```bash
evadex scan                          # test your scanner (northam tier, auto-detect scanner)
evadex scan --fast                   # top techniques only, ~5 min
evadex scan --tier full              # comprehensive test, all payloads

evadex generate                      # interactive: pick format, count, output
evadex generate --format xlsx        # 100-record spreadsheet
evadex generate --formats xlsx,docx,pdf --tier northam  # all formats at once

evadex falsepos                      # measure false positive rate (100 values)
evadex falsepos --count 500          # more thorough

evadex report results/scan.json      # generate HTML report
```

---

## HTTP transport (recommended for Siphon)

For faster scanning, start Siphon in server mode:

```bash
siphon serve --port 8080 --api-key "$YOUR_KEY"
```

Then scan via HTTP — 12x faster than CLI mode:

```bash
evadex scan --transport http --url http://localhost:8080 --api-key "$YOUR_KEY" --tier northam
```

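Or configure it in `evadex.yaml`. Setting the `EVADEX_API_KEY` environment variable instead keeps the key out of the config file and off the command line: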

```yaml
transport: http
url: http://localhost:8080
api_key: your-key   # or set EVADEX_API_KEY env var
```

| Mode | Throughput | Northam scan time |
|------|-----------|-------------------|
| CLI (default) | ~11/sec | ~45 min |
| HTTP | ~131/sec | ~4 min |

---

## Tiers

| Tier | Focus | Est. Time | When to use |
|------|-------|-----------|-------------|
| `northam` **(default)** | Canada + US + capital markets | ~5 min | Daily North America testing |
| `banking` | Canadian banking focus | ~4 min | Banking compliance (CA-only) |
| `core` | Broad PII + international | ~10 min | Weekly benchmarks |
| `regional` | Full international coverage | ~20 min | Global deployments |
| `full` | Everything | ~30 min | Major releases |

---

## Formats

Generate test files in any of these formats:

```
xlsx · docx · pdf · csv · txt · json · xml · sql · log · eml
parquet · sqlite · zip · 7z · mbox · png · jpg
```

---

## Evasion techniques

evadex tests 13 technique families, including:

| Technique | Examples |
|---|---|
| `unicode_encoding` | Fullwidth digits, homoglyphs, zero-width chars, NFD normalization |
| `delimiter` | Space, hyphen, dot, tab, newline, mixed, doubled, none |
| `splitting` | Mid-value line break, HTML comment injection, JSON field split |
| `leetspeak` | Minimal, moderate, aggressive substitution tiers |
| `regional_digits` | Arabic-Indic, Devanagari, Bengali, Thai, and 6 more scripts |
| `encoding` | Base64, ROT13, double URL encoding, encoding chains |
| `context_injection` | Value in JSON record, XML element, SQL snippet |
| `bidirectional` | Unicode RLO/LRO/RLE control characters |
| `soft_hyphen` | U+00AD invisible separator at group boundaries |
| `morse_code` | Digits encoded as International Morse Code |
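
A scanner that matches only ASCII digits misses several of these families unless it canonicalizes input first. The sketch below is an added example, not evadex or Siphon code: `canonicalize`, `find_numbers`, `variants` and `coverage` are hypothetical names, and the sample value is a constructed test number.

```python
import re
import unicodedata

# Constructed sample: a well-known test card number, not real data.
PAN = "4111111111111111"

def canonicalize(text: str) -> str:
    """Undo invisible-character and alternate-digit transformations before matching."""
    out = []
    for ch in text:
        # Category Cf covers zero-width characters, the soft hyphen (U+00AD)
        # and the bidirectional controls (RLO/LRO/RLE).
        if unicodedata.category(ch) == "Cf":
            continue
        # Map any Unicode decimal digit (fullwidth, Arabic-Indic, Devanagari,
        # Bengali, Thai, ...) to its ASCII equivalent.
        d = unicodedata.decimal(ch, None)
        out.append(str(d) if d is not None else ch)
    # NFKC folds remaining compatibility forms and recomposes NFD input.
    return unicodedata.normalize("NFKC", "".join(out))

# 13-19 ASCII digits with at most one common delimiter between digits.
_CANDIDATE = re.compile(r"[0-9](?:[ .\-\t\n]?[0-9]){12,18}")

def find_numbers(text: str, normalize: bool = True) -> list[str]:
    """Return digit-only candidates; normalize=False models an ASCII-only scanner."""
    if normalize:
        text = canonicalize(text)
    return [re.sub(r"[^0-9]", "", m.group()) for m in _CANDIDATE.finditer(text)]

def variants(value: str) -> dict[str, str]:
    """Constructed inputs for a few of the families listed in the table."""
    groups = [value[i:i + 4] for i in range(0, len(value), 4)]
    return {
        "plain": value,
        "delimiter": "-".join(groups),
        "fullwidth": "".join(chr(0xFF10 + int(c)) for c in value),
        "arabic_indic": "".join(chr(0x0660 + int(c)) for c in value),
        "zero_width": "\u200b".join(value),
        "soft_hyphen": "\u00ad".join(groups),
    }

def coverage(normalize: bool) -> dict[str, bool]:
    """Per-variant detection result, with or without canonicalization."""
    return {k: find_numbers(v, normalize) == [PAN] for k, v in variants(PAN).items()}
```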

---

## Capital markets coverage

v3.24.0 adds securities identifiers and financial messaging references to the `banking` and `core` tiers:

| Category | Examples | Tier |
|---|---|---|
| `isin` | US0378331005 (Apple), CA7800871021 (RBC) | banking |
| `cusip_num` | 037833100 (Apple), 46625H100 (JPMorgan) | banking |
| `cins_num` | G0177J108 (UK-registered), F22797108 (French) | core |
| `sedol_num` | 2005973 (BP), 0540528 (HSBC) | core |
| `figi_num` | BBG000B9XRY4 (Apple), BBG000DMBXR2 (JPMorgan) | banking |
| `lei_num` | HWUPKR0MPOU8FGXBT394 (Apple), R0MUWSFPU8MPRO8K5P83 (BNP) | banking |
| `ticker_symbol` | AAPL, JPM, RY.TO, BRK.A | core |
| `reuters_ric` | AAPL.O, JPM.N, BP.L | core |
| `valor_num` | 3234936 (Apple/SIX), 1225514 (Nestlé) | core |
| `wkn_num` | 865985 (Apple/Frankfurt), 840400 (BMW) | core |
| `mt103_ref` | FT23148BTJK7LMNQ, PAYREF2024031401 | banking |
| `mifid_tx_id` | MIFID20230517ABC0000000012345678… | core |
| `chips_uid` | 0001JPMC | banking |
| `sepa_ref` | RF18539007547034 | banking |
| `fedwire_imad` | 20231015BNKUS33XXXX000123456789 | banking |

All securities identifiers include checksum-validated synthetic generators (CUSIP ANSI X9.6, SEDOL weighted mod-10, ISIN Luhn, FIGI Luhn, LEI ISO 17442 mod-97).
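
The same checksums let a detector discard look-alike strings that are not valid identifiers. The following is an added example, not evadex code: it validates four of the schemes named above against sample values from the table, `classify` and `CHECKS` are hypothetical names, and FIGI is omitted.

```python
import string

# Character values shared by all four schemes: 0-9 -> 0..9, A-Z -> 10..35.
_VAL = {c: i for i, c in enumerate(string.digits + string.ascii_uppercase)}

def _expand(s: str) -> str:
    """Replace each letter by its two-digit value (A=10 ... Z=35)."""
    return "".join(str(_VAL[c]) for c in s)

def isin_ok(s: str) -> bool:
    # Luhn over the expanded digits, counted from the check digit on the right.
    total = 0
    for i, ch in enumerate(reversed(_expand(s))):
        d = int(ch) * (2 if i % 2 else 1)
        total += d // 10 + d % 10
    return s[:2].isalpha() and s[-1].isdigit() and total % 10 == 0

def cusip_ok(s: str) -> bool:
    # Every second character value is doubled; digits of each product are summed.
    # The special characters * @ # permitted by the standard are not handled.
    total = 0
    for i, c in enumerate(s[:8]):
        v = _VAL[c] * (2 if i % 2 else 1)
        total += v // 10 + v % 10
    return s[8].isdigit() and (10 - total % 10) % 10 == int(s[8])

def sedol_ok(s: str) -> bool:
    # Weighted sum with weights 1,3,1,7,3,9,1 must be 0 mod 10.
    return sum(_VAL[c] * w for c, w in zip(s, (1, 3, 1, 7, 3, 9, 1))) % 10 == 0

def lei_ok(s: str) -> bool:
    # ISO 17442: the expanded number must leave remainder 1 mod 97.
    return int(_expand(s)) % 97 == 1

# Category names follow the table above; lengths are fixed per scheme.
CHECKS = {"isin": (12, isin_ok), "cusip_num": (9, cusip_ok),
          "sedol_num": (7, sedol_ok), "lei_num": (20, lei_ok)}

def classify(token: str) -> list[str]:
    """Return the categories whose length, alphabet and checksum all match."""
    if any(c not in _VAL for c in token):
        return []
    return [name for name, (n, ok) in CHECKS.items() if len(token) == n and ok(token)]
```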

---

## Configuration

Run `evadex init` to create `evadex.yaml` in the current directory:

```yaml
tool: siphon-cli
exe: /path/to/siphon
tier: northam
concurrency: 32
```

CLI flags override config values. `evadex.yaml` is auto-discovered from the working directory.

---

## Analysis commands

```bash
evadex history                       # past scan and falsepos runs
evadex trend                         # ASCII chart of detection rate over time
evadex techniques --top 10           # techniques with highest bypass rate
evadex doctor                        # environment health check
evadex benchmark                     # measure generate/scan performance
```

## Result commands (v3.27–3.28)

```bash
# Compare two scan runs at the individual variant level
evadex diff before.json after.json
evadex diff before.json after.json --format html --output diff.html
evadex diff before.json after.json --format json --output diff.json

# Export scan results as CSV or Markdown
evadex export scan.json --format csv --output findings.csv
evadex export scan.json --format markdown --output findings.md
evadex export scan.json --format csv --only-bypassed  # evasions only

# Validate that a document template generates a correct, openable file
evadex validate --template trade_confirmation --format docx
evadex validate --all-templates --format csv
evadex validate --template swift_mt103 --format docx --scan   # also submit to scanner

# Current state at a glance: scanner, last scan, bridge, cache, scheduled jobs
evadex status
evadex status --json

# Manage the scan result cache (SQLite, 24-hour TTL by default)
evadex cache stats
evadex cache clear --yes

# Resume an interrupted scan from a saved checkpoint
evadex scan --resume
evadex scan --tier northam --resume --scanner-label post-patch
```

## Advanced commands (Siphon-specific)

```bash
evadex entropy --url http://localhost:8080   # test entropy detection modes
evadex edm    --url http://localhost:8080   # test Exact Data Match engine
evadex lsh    --url http://localhost:8080   # test document-similarity detection
evadex bridge --port 9191                   # start HTTP API bridge
```

---

## Requirements

- Python 3.11+
- A DLP scanner (Siphon recommended, dlpscan-rs supported, any CLI scanner via adapter)

Optional extras:

```bash
pip install evadex[barcodes]      # PNG/JPG barcode generation (QR, Code128, EAN-13)
pip install evadex[data-formats]  # Parquet and SQLite output
pip install evadex[archives]      # 7z archive output
pip install evadex[bridge]        # HTTP API bridge (FastAPI)
```

---

## Full documentation

See [docs/REFERENCE.md](docs/REFERENCE.md) for the complete CLI reference:

- All flags and options for every command
- Payload coverage by region (593 payloads, 501 categories)
- Adapter configuration (Siphon, dlpscan-rs, Presidio)
- Profile system and scheduling
- Bridge/C2 integration
- Architecture overview
