Audits SSH & TLS configurations — checks algorithms, banners, certificates and known weaknesses.

Reads auth.log, firewall logs, auditd and the systemd journal — correlates events by source IP to detect SSH brute force, port scans, and post-login lateral movement.