Download

Download RedPick applications for your platform. Two apps are available:

  • Admin Dashboard — for the RedPick team (pentest management, terminal, runner)
  • Client Portal — for clients (engagement tracking, findings, report download, billing)

Desktop App (v1.4.0)

Windows (x64) — BeDefended-Desktop-v1.4.0-windows-x64.zip

| Platform | Size | Requirements |
| --- | --- | --- |
| Windows (x64) | 14 MB | Windows 10+ |
| macOS (Apple Silicon) | Coming soon | macOS 12+ |

First Launch

The desktop app connects to your BeDefended server. On first launch, enter your server URL and credentials.


Client Portal (Desktop)

Windows (x64) — BD-ClientPortal-v1.0.0-windows-x64.zip
macOS (Apple Silicon) — BD-ClientPortal-v1.0.0-macos-arm64.dmg

| Platform | Download | Size | Requirements |
| --- | --- | --- | --- |
| Windows (x64) | BD-ClientPortal-v1.0.0-windows-x64.zip | 12 MB | Windows 10+ |
| macOS (Apple Silicon) | BD-ClientPortal-v1.0.0-macos-arm64.dmg | | macOS 12+ |

What Is the Client Portal?

The BeDefended Client Portal is the application for clients who commission penetration tests. It allows managing the entire engagement lifecycle without needing access to the terminal, testing tools, or internal data.

Key features:

  • Engagement management — Create new penetration tests, define target and scope, monitor status in real time
  • Intake questionnaire — Fill out the pre-engagement questionnaire (business context, tech stack, compliance) directly in the portal
  • Digital authorization — Sign the test authorization with OTP confirmation (compliant with art. 1341-1342 Italian Civil Code)
  • Sanitized findings — View discovered vulnerabilities (without PoC or internal details), track remediation status
  • Attack chains — Mermaid diagrams of correlated vulnerability chains
  • Report download — Download the report in PDF, HTML, or HWG format
  • Retest — Request verification of remediated vulnerabilities
  • Messaging — Communicate directly with the BeDefended team for each engagement
  • Billing — Choose a plan, pay via Stripe, download invoices
  • Team management — Invite colleagues with differentiated roles (admin, technical, viewer)
  • 2FA — Two-factor authentication (TOTP) for enhanced security

Technical Architecture

The Client Portal is a separate Flutter project (client_portal/) that shares the design system (packages/bd_design_system/) with the admin dashboard. This ensures:

  • Identical UI — Same colors, typography, widgets (BdCard, BdButton, BdInput, etc.) as the admin app
  • Strict separation — The client portal has no access to terminal, runner, Claude sessions, or internal data
  • Native desktop — Flutter codebase compiled for native desktop (Windows/macOS)

client_portal/          # Flutter app (desktop)
  lib/
    screens/            # 15 screens (login, dashboard, findings, etc.)
    providers/          # Riverpod (same pattern as admin)
    api/                # HTTP client (Dio) to /api/v2/client/*
    models/             # 8 models (Engagement, Finding, Message, etc.)
    widgets/            # Layout, engagement card, severity chart
    i18n/               # Italian (primary) + English

packages/
  bd_design_system/     # Shared Dart package
    lib/src/
      theme/            # BdColors, BdTypography, BdShadows, BdAnimations
      widgets/          # BdCard, BdButton, BdInput, BdBadge, BdModal, etc.

Tech stack:

| Component | Technology |
| --- | --- |
| Frontend | Flutter 3.27+ (desktop) |
| State management | Riverpod |
| Routing | GoRouter |
| HTTP client | Dio with JWT interceptor + automatic refresh |
| Backend | FastAPI (extension of existing, /api/v2/client/*) |
| Database | PostgreSQL 16 (with SQLite fallback for development) |
| Auth | Separate JWT (type: "client") + TOTP (pyotp) |
| Payments | Stripe Checkout |

Security — 4 Isolation Layers

  1. Separate JWTs — Client tokens (type: "client") are rejected by all admin endpoints (/api/v1/*) and vice versa
  2. Row-level isolation — Every query includes WHERE company_id = :current_company_id
  3. Finding sanitization — Removed: poc_http, raw_markdown, steps_to_reproduce, internal file paths
  4. Filtered WebSocket — Only phase_changed, finding_published, status_updated events (never context_updated or session_output)
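How the four layers combine in a single client-side request handler, as an added example (not the RedPick backend's own code). It assumes an HS256 JWT carrying a `type` claim and a `company_id` claim, a findings table whose internal columns are named as above, and a constructed secret and sample rows:

```python
import base64, hashlib, hmac, json, sqlite3, time

SECRET = b"dev-only-secret"  # constructed for this example; load from config in a real deployment
INTERNAL_FIELDS = {"poc_http", "raw_markdown", "steps_to_reproduce", "internal_path"}
PUBLIC_WS_EVENTS = {"phase_changed", "finding_published", "status_updated"}

def _b64url(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()
def _unb64url(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def mint_token(sub, token_type, company_id, ttl=3600):
    """HS256 JWT carrying the 'type' claim ('client' or 'admin') and the caller's company_id."""
    head = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = _b64url(json.dumps({"sub": sub, "type": token_type, "company_id": company_id,
                               "exp": int(time.time()) + ttl}).encode())
    sig = hmac.new(SECRET, f"{head}.{body}".encode(), hashlib.sha256).digest()
    return f"{head}.{body}.{_b64url(sig)}"

def verify_token(token, expected_type):
    """Layer 1: signature valid, not expired, and 'type' matches the API family being served."""
    head, body, sig = token.split(".")  # a malformed token raises ValueError; map that to 401
    want = hmac.new(SECRET, f"{head}.{body}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(want, _unb64url(sig)):
        return None
    claims = json.loads(_unb64url(body))
    ok = claims.get("exp", 0) >= time.time() and claims.get("type") == expected_type
    return claims if ok else None

def build_db():
    """Constructed sample data: findings of two companies (10 and 20) share one table."""
    db = sqlite3.connect(":memory:")
    db.row_factory = sqlite3.Row
    db.execute("CREATE TABLE findings (id, company_id, title, poc_http, internal_path)")
    db.executemany("INSERT INTO findings VALUES (?, ?, ?, ?, ?)", [
        (1, 10, "SQL injection in search", "<poc request 1>", "/srv/app/search.py"),
        (3, 20, "IDOR on invoice download", "<poc request 3>", "/srv/app/billing.py"),
    ])
    return db

def client_findings(db, token):
    """/api/v2/client/* style handler: admin tokens are refused, rows are scoped to the company."""
    claims = verify_token(token, expected_type="client")
    if claims is None:
        return None
    # Layer 2: company_id is bound from the verified token, never taken from the request.
    rows = db.execute("SELECT * FROM findings WHERE company_id = :current_company_id",
                      {"current_company_id": claims["company_id"]}).fetchall()
    # Layer 3: strip PoC, raw markdown, repro steps and internal paths before returning.
    return [{k: r[k] for k in r.keys() if k not in INTERNAL_FIELDS} for r in rows]

def filter_ws_events(events):
    """Layer 4: only the public event types are forwarded over the client portal WebSocket."""
    return [e for e in events if e.get("event") in PUBLIC_WS_EVENTS]
```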

Client Portal Installation (Desktop)

Windows:

  1. Download BD-ClientPortal-v1.0.0-windows-x64.zip
  2. Extract the ZIP archive
  3. Run bd_client_portal.exe
  4. Register your company or log in with the credentials you received

macOS:

  1. Download BD-ClientPortal-v1.0.0-macos-arm64.dmg
  2. Open the .dmg and drag BeDefended Portal to Applications
  3. On first launch, macOS may require authorization in System Settings > Privacy & Security
  4. Register your company or log in with the credentials you received

Typical Client Workflow

graph LR
    A[Registration] --> B[Login + 2FA]
    B --> C[New Engagement]
    C --> D[Intake Questionnaire]
    D --> E[Scope Definition]
    E --> F[Sign Authorization OTP]
    F --> G[BD Countersign]
    G --> H[Testing in Progress]
    H --> I[Findings + Report]
    I --> J[Remediation Tracking]
    J --> K[Request Retest]

Client Portal — Local Development Setup

To develop or test the Client Portal locally:

1. Backend (shared with Admin Dashboard)

cd redpick/dashboard/backend

# Install dependencies (includes client portal ones)
pip install -r requirements.txt

# Start the server
uvicorn app.main:app --host 127.0.0.1 --port 8880 --reload

The backend automatically exposes both admin (/api/v1/*) and client (/api/v2/client/*) endpoints.

Client API health check

curl http://127.0.0.1:8880/api/v2/client/health
# Response: {"status":"ok","service":"client-portal"}

2. Client Portal (Flutter)

cd redpick/client_portal

# Resolve dependencies
flutter pub get

# Launch in desktop Windows mode
flutter run -d windows

API configuration: The Client Portal connects to http://localhost:8000 by default. To change:

flutter run -d windows --dart-define=API_BASE_URL=http://127.0.0.1:8880

3. Register a test company

curl -X POST http://127.0.0.1:8880/api/v2/client/auth/register \
  -H "Content-Type: application/json" \
  -d '{"company_name":"Test Corp","email":"test@test.com","password":"testtest","full_name":"John Doe"}'

Client Portal vs Admin Dashboard — Comparison

| Feature | Admin Dashboard | Client Portal |
| --- | --- | --- |
| Target users | BeDefended team (pentesters) | Clients who commission tests |
| Auth | Username/password (/api/v1/auth) | Email/password + 2FA (/api/v2/client/auth) |
| Engagement | Full management + test execution | Request, monitoring, results only |
| Findings | Complete (PoC, raw markdown, path) | Sanitized (no PoC, no internal paths) |
| Terminal | Interactive Claude Code sessions | Not available |
| Runner | Launch pentest skills | Not available |
| Report | Generation + export | Download only |
| Billing | Not present | Plans + Stripe + invoices |
| Authorization | Countersign | Generation + OTP signing |
| WebSocket | All events | Filtered public events only |
| Design System | packages/bd_design_system/ | Same shared package |

Client Portal Troubleshooting

| Issue | Solution |
| --- | --- |
| "Server unreachable" | Check that the backend is running on the correct port |
| "Email already registered" | Email is unique across the system. Use a different email |
| "Invalid OTP code" | Check that the device clock is synchronized (TOTP is time-based) |
| "Findings not available" | Findings are only visible for engagements in in_progress or completed status |
| "Network error" | Check CORS: the backend must have http://localhost:8080 in allowed origins |
| "2FA not available" | Install pyotp in the backend: pip install pyotp |

Proxy Extensions (Burp Suite & Caido)

Bridge manual and automated testing — send proxy traffic to the BeDefended Dashboard for AI analysis.

Distribution

These extensions are distributed as GitHub Release assets only — they are NOT published to the Burp BApp Store or Caido plugin store.

Burp Suite Extension

Download bd-proxy-bridge-1.1.0.jar

| Platform | Format | Requirements |
| --- | --- | --- |
| Burp Suite Pro/Community | .jar (Java) | Burp Suite 2024+, Java 17+ |

Features: AI Real-Time Analysis (Claude-powered, async), Scanner tab integration, response fingerprint dedup, endpoint dedup with path normalization, VulnContext tagging (auth/payment/admin/API), Burp target scope integration, injection point extraction, binary content filtering.

Setup: Extensions > Add > Select JAR > Configure Dashboard URL + API Key in "BD Bridge" tab. AI Analysis is ON by default.

Caido Plugin

Download bd-proxy-bridge-caido-v1.0.0.zip

| Platform | Format | Requirements |
| --- | --- | --- |
| Caido | .zip (TypeScript) | Caido v0.40+ (modern plugin SDK) |

Features: Native Caido SDK (backend/frontend split), sdk.requests.inScope() filtering, SQLite queue persistence, response/endpoint dedup, automatic Caido Finding creation for AI-flagged requests.

Setup: Plugins > Install from folder > Select extracted directory > Configure in "BD Bridge" settings page.

Full Guide

See the AI-Augmented PT guide for detailed setup instructions and workflow best practices.


What Is the Desktop App?

The RedPick desktop app is a native Flutter application (compiled to native code via Skia — not a web wrapper) providing:

  • Real-time findings — Live vulnerability tracking as pentests run via WebSocket
  • Attack chain visualization — Multi-step exploitation path diagrams (Mermaid SVG)
  • Retest tracking — Monitor remediation status across engagements
  • Report generation — Export professional pentest reports (HTML/PDF)
  • Terminal emulator — Interactive Claude Code sessions directly in the app
  • Session streaming — Live output from running pentest agents
  • Compliance gap analysis — Multi-framework (PCI-DSS, SOC2, ISO27001, GDPR, ASVS, DORA, NIS2)
  • Surface drift detection — Snapshot creation and diff comparison
  • Remediation code generation — Framework-specific fix snippets per finding
  • Webhook/SIEM integration — Slack, Teams, Splunk, CEF, syslog
  • Continuous monitoring — Cron-based periodic re-scan scheduling
  • Learning engine — Technique extraction and success recommendations
  • Team assignments — Skill-to-pentester allocation with status tracking
  • Cost & ROI tracking — Pre-engagement estimates and post-engagement metrics
  • CI/CD code review — Client management, API key provisioning, 4-step onboarding wizard

Installation

  1. Download BeDefended-Desktop-v1.4.0-windows-x64.zip
  2. Extract the ZIP archive
  3. Run bd_desktop.exe
  4. Enter your RedPick server URL and credentials

Local Development Setup

To run the RedPick desktop app connected to a local backend, follow these prerequisites:

Backend Requirements

1. FastAPI Backend (Required)

The desktop app is a client-only application — it requires a running RedPick backend server. For local development:

# Clone the repository
git clone https://github.com/sbbedefended/redpick.git
cd redpick/backend

# Install Python 3.13+
python --version  # Verify Python 3.13 or later

# Create virtual environment
python -m venv venv
source venv/bin/activate  # On Windows: venv\Scripts\activate

# Install dependencies
pip install -r requirements.txt

# Start the FastAPI server
uvicorn app.main:app --host 127.0.0.1 --port 8880 --reload

Backend runs on: http://127.0.0.1:8880

2. Database Setup

The backend uses SQLite (default, development-friendly) or PostgreSQL (production):

SQLite (Default — No setup needed):

  • Database file: backend/app.db (auto-created on first run)
  • No additional configuration required

PostgreSQL (Optional — for production-like testing):

# Install PostgreSQL 14+
# Create database
createdb redpick

# Set environment variable
export DATABASE_URL="postgresql://user:password@localhost:5432/redpick"
# On Windows: set DATABASE_URL=postgresql://user:password@localhost:5432/redpick

# Run migrations (if any)
python -m alembic upgrade head

# Start backend
uvicorn app.main:app --host 127.0.0.1 --port 8880 --reload

3. Create Test Users

After the backend starts, create a test user:

# Option A: Via API (curl)
curl -X POST http://127.0.0.1:8880/api/v1/admin/users \
  -H "Content-Type: application/json" \
  -d '{"username":"admin","password":"admin","role":"admin"}'

# Option B: Via FastAPI docs (interactive)
# Open http://127.0.0.1:8880/docs
# Navigate to POST /api/v1/admin/users
# Create user with: {"username":"admin","password":"admin","role":"admin"}

Desktop App Configuration

1. Server URL Entry (First Launch)

When you launch bd_desktop.exe or RedPick.app:

  1. Connect Screen appears (first launch only)
  2. Enter server URL: http://127.0.0.1:8880
  3. Click Test Connection — should show ✅ "Connected"
  4. Click Continue

For a remote server (e.g., a deployed backend):

  • Enter: https://your-domain.com (HTTPS required for remote)

2. Login

After the connection test:

  1. Enter username: admin
  2. Enter password: admin (or your created password)
  3. Click Login

Credentials are stored securely in:

  • Windows: Credential Manager
  • macOS: Keychain

Optional: Credentials Configuration File

For faster local testing, pre-populate credentials (not recommended for production):

Create ~/.bd-dashboard/config.json:

{
  "serverUrl": "http://127.0.0.1:8880",
  "username": "admin",
  "password": "admin",
  "autoConnect": true
}

The app will auto-connect on launch (stored securely after first login).

Port Configuration

| Service | Default Port | Environment Variable |
| --- | --- | --- |
| FastAPI Backend | 8880 | BACKEND_PORT |
| FastAPI Docs | 8880/docs | |
| Mermaid Renderer (optional) | Embedded in backend | |
| Database (PostgreSQL) | 5432 | DATABASE_URL |

To change backend port:

# Start backend on custom port
uvicorn app.main:app --host 127.0.0.1 --port 9000

# Then enter in app: http://127.0.0.1:9000

Firewall & Network

If the app can't connect to the backend:

  1. Check that the backend is running:

    curl http://127.0.0.1:8880/api/v1/health
    
    Should return: {"status":"ok"}

  2. Check Windows Firewall (if applicable):

    • Allow bd_desktop.exe through the firewall
    • Or: allow inbound on port 8880

  3. Check macOS Firewall:

    • System Settings > Privacy & Security > Firewall
    • Allow RedPick app

  4. If using a VPN or proxy:

    • Configure it in the desktop app Settings
    • The backend must be accessible through your network

Full Checklist

  • [ ] Python 3.13+ installed
  • [ ] Backend cloned from sbbedefended/redpick
  • [ ] Backend dependencies installed (pip install -r requirements.txt)
  • [ ] Database initialized (SQLite auto-creates, or PostgreSQL configured)
  • [ ] Test user created (username: admin, password: admin)
  • [ ] Backend running on http://127.0.0.1:8880
  • [ ] Backend health check passes: curl http://127.0.0.1:8880/api/v1/health
  • [ ] Desktop app downloaded and extracted
  • [ ] Desktop app first launch: enter http://127.0.0.1:8880
  • [ ] Login with admin / admin
  • [ ] Dashboard loads with test data

Troubleshooting

| Issue | Solution |
| --- | --- |
| "Server unreachable" | Check backend is running: uvicorn app.main:app --port 8880 |
| "401 Unauthorized" | Verify username/password. Check user was created in backend |
| "WebSocket connection failed" | Backend WebSocket endpoint may be disabled. Check /api/v1/ws/* routes |
| "Mermaid diagrams not rendering" | Backend needs mermaid-cli (mmdc) installed. Install: npm install -g @mermaid-js/mermaid-cli |
| "Terminal not responsive" | PTY bridge may not be configured. Ensure backend /api/v1/terminal/ws is enabled |

Release Notes

v1.4.0 — Roles, Licensing & AI Analysis (2026-03-17)

  • 5 unified roles: admin, pentester, client, client_viewer, bughunter, with role-filtered sidebar
  • Continuous AI Proxy Analyzer — Background claude -p analysis of Burp/Caido traffic (pentest-grade, 10 OWASP categories)
  • Bug Bounty integration — Connect HackerOne, Bugcrowd, Intigriti, YesWeHack. Sync programs, push reports, track submissions + payouts
  • Encrypted report delivery — RSA-4096 + AES-256-GCM hybrid encryption. Clients upload public key, download encrypted reports
  • Ticketing system — Bug reports with auto-sync to GitHub Issues (sbbedefended/redpick)
  • Bughunter license tiers — Solo, Team, Pro with platform connections and collaboration
  • Client license tiers — Essentials, Professional, Enterprise with feature gating
  • Proxy History + Scan Intel — Record and analyze manual proxy traffic per engagement
  • Approved Targets — Admin management of pre-approved pentest targets
  • Slack notifications default — Always ON for automated /pentest, --no-notify to disable
  • Flutter 3.41.4 — Upgraded from 3.27.4
  • Full changelog

v1.3.0 — Full Dashboard Parity (2026-03-16)

  • 17 new screens — Compliance, Surface Drift, Remediation, Threat Model, Executive Brief, Retro, Attack Sim, Webhooks, Confidence, Monitoring, Learning, Assignments, Costs & ROI, Tool Compare, CI/CD Clients, CI/CD Onboarding
  • 10 new API clients — Complete backend integration for all new features
  • Expandable sidebar — Per-engagement sub-navigation with 15 sub-items (matches web dashboard exactly)
  • Full parity — Desktop app now matches 100% of web dashboard pages (36 screens total)
  • Full changelog

v1.2.0 — Knowledge Refresh (2026-03-16)

  • Knowledge Refresh screen — Full-featured knowledge pack management with live output
  • Report Generator — Custom report generation with template selection
  • Vuln Library — 168 vulnerability templates with search and detail view
  • Full changelog

v1.1.0 — Dashboard Overhaul (2026-03-15)

  • Vulnerability Library: 168 templates imported, HTML rendering, dedicated detail view, locale tabs
  • Secure Code Review: new launch flow with GitHub/GitLab/Bitbucket OAuth repository connection
  • Header: split "Launch" into "Code Review" + "Pentest" buttons (web + desktop)
  • Terminal: ConPTY support via pywinpty, WebSocket proxy through host runner
  • Rebranding: removed all PwnDoc references, fully BeDefended
  • Full changelog

v1.0.1 — Initial Release

All releases and changelogs are available on the GitHub Releases page.

Need Help?