Security Tool Build Note

Building a portable SecurityScorecard ASI tool in one HTML file

This started as a Python helper for SecurityScorecard Attack Surface Intelligence work. It became a portable browser tool: single HTML file, no backend, visual exploration, maps, portfolio review, fourth-party discovery, and practical query controls for analyst workflows.

SecurityScorecard ASI Single HTML Third-party portfolios Fourth-party discovery

I built Supply Chain CYBER Exposure Discovery because I wanted a faster way to explore SecurityScorecard ASI-style data. At first, the tool was a Python workflow: call the API, parse responses, export results, and use the output somewhere else.

That worked, but it was not portable. Every time I wanted to share the tool, demo it, or use it on another machine, I had to think about runtime setup, dependencies, scripts, and environment assumptions. The more useful the tool became, the more that friction bothered me.

So I moved it into HTML and JavaScript.

The design goal became simple: one file that an analyst can open in a browser, use immediately, and carry anywhere.

From script output to visual exploration

The first version was about retrieving data. The browser version became about understanding data. Once the tool was in HTML/JS, I could put the query controls, result table, ranked charts, map, and export actions into the same surface.

That changed the workflow. Instead of running a query, waiting for output, copying data somewhere else, and then deciding what to do next, the tool made it possible to inspect and refine in place:

  • Run an ASI query.
  • Scan the live findings table.
  • Use ranked charts to see top CVEs, products, ports, countries, cities, ASNs, ISPs, threat actors, and MITRE techniques.
  • Open the map to see geographic concentration.
  • Click a chart bar to drill into a narrower query.
  • Export the exact result set for follow-up.

That is where the tool started to feel less like a script and more like a small analyst console.

Tailored for ASI workflows

The tool is not trying to be a generic dashboard. It is tailored around SecurityScorecard ASI workflows: query exposure data, move quickly between facets, and inspect results from multiple angles.

The query builder supports boolean logic, ranges, negation, and one-click threat signals. I wanted common pivots to be fast, but not hidden. Every action still becomes part of the visible query, so the analyst can see what the tool is asking for.

I also added two interaction details that matter when queries get complex:

  • Click to select: fast positive filtering for common pivots.
  • Long press to reverse: quick negative selection when the useful question is "show me everything except this."

That long-press negative selection sounds small, but it keeps the workflow fluid. In security analysis, exclusion is often as important as inclusion.

Third-party portfolios and fourth-party discovery

The next useful layer was portfolio work. In supply-chain security, the question is rarely one domain at a time. You often want to review a group of vendors, compare patterns, and understand what connected exposure might exist beyond the immediate third party.

So I added third-party portfolio support, then integrated AVD-style automatic vendor detection. The goal is to start with a portfolio, inspect the visible exposure, and then expand into fourth-party discovery from vendor relationships.

That makes the tool useful for questions like:

  • Which vendors in this portfolio show similar exposed products or services?
  • Which findings cluster by geography, ASN, ISP, or product family?
  • Which fourth-party/vendor relationships deserve a closer look?
  • What should be exported for review, remediation, or a follow-up report?

Handling result limits without making the user babysit

One practical issue with API-backed tools is response size. A useful analyst query can be bigger than a single request should reasonably return.

Instead of forcing the user to manually split the work, the tool can concatenate results across multiple fetches when the feedback is larger than a single query can send back cleanly. The point is not to hide the API. The point is to keep the analyst focused on the investigation instead of pagination mechanics.

I also added multi-threaded and adaptive fetch behavior. The tool can make progress across larger result sets while adjusting to the work in front of it, rather than treating every query as the same size and shape.

Why single-file still matters

Single-file HTML is not fashionable, but it is useful. For this tool, portability is a feature:

  • No install.
  • No backend to operate.
  • No database to secure.
  • No build step before trying it.
  • Easy to inspect, archive, and share.

That matters for small security tools. A tool that takes too much setup often never gets tried. A portable browser tool can be opened, evaluated, and thrown away if it is not useful.

Where it landed

The current version is a single-file browser dashboard for ASI-oriented work: query, charts, map, third-party portfolios, AVD-style vendor detection, fourth-party discovery, and exports. It can use a SecurityScorecard ASI API key for live data, and it also includes a demo mode so the full workflow can be explored without setup.

That last part is important, but it is not the main story. The main story is portability: a practical security tool that moved from script output to a shareable browser surface anyone can try.