npx skills add mukul975/Anthropic-Cybersecurity-SkillsMITRE ATT&CK
When to Use
- When deploying remote browser isolation as part of a Zero Trust security architecture
- When protecting users from zero-day browser exploits and drive-by downloads
- When implementing content disarming and reconstruction for file downloads
- When enforcing data loss prevention policies for web browsing sessions
- When securing access to untrusted or uncategorized websites
- When integrating browser isolation with existing SWG and ZTNA infrastructure
- When protecting against phishing and credential theft via isolated rendering
Prerequisites
- Familiarity with Zero Trust architecture principles and network security
- Understanding of Secure Web Gateway (SWG) and proxy deployment models
- Access to a test or lab environment for policy validation
- Python 3.8+ with required dependencies installed
- DNS and proxy infrastructure for traffic routing
Instructions
Phase 1: URL Categorization and Risk Classification
Build a URL categorization engine that classifies websites by risk level to determine isolation policy. URLs are scored based on threat intelligence feeds, domain reputation, content category, and historical risk indicators.
from agent import BrowserIsolationPolicyEngine
engine = BrowserIsolationPolicyEngine(
organization="Acme Corp",
default_isolation_mode="isolate_risky",
)
# Classify a URL and determine isolation action
result = engine.classify_url("https://docs.google.com/spreadsheets/d/abc123")
print(f"Category: {result['category']}")
print(f"Risk Level: {result['risk_level']}")
print(f"Isolation Action: {result['action']}")
# Output: Category: cloud_productivity
# Risk Level: low
# Action: allow_direct
result = engine.classify_url("https://unknown-sketchy-domain.xyz/download.html")
print(f"Category: {result['category']}")
print(f"Risk Level: {result['risk_level']}")
print(f"Isolation Action: {result['action']}")
# Output: Category: uncategorized
# Risk Level: high
# Action: full_isolationPhase 2: Isolation Policy Configuration
Define isolation policies that map URL categories and risk levels to specific isolation modes and DLP restrictions. Policies support granular controls including clipboard, file download, upload, and printing restrictions.
# Configure isolation policies
engine.add_isolation_policy(
name="Block Uncategorized Sites",
description="Fully isolate all uncategorized or newly registered domains",
match_criteria={
"url_categories": ["uncategorized", "newly_registered"],
"risk_levels": ["high", "critical"],
},
isolation_mode="full_isolation",
dlp_controls={
"disable_copy_paste": True,
"disable_download": True,
"disable_upload": True,
"disable_printing": True,
"disable_keyboard_input": False,
"watermark_session": True,
},
)
engine.add_isolation_policy(
name="Isolate Webmail with DLP",
description="Isolate personal webmail with download restrictions",
match_criteria={
"url_categories": ["webmail"],
"domains": ["mail.google.com", "outlook.live.com", "mail.yahoo.com"],
},
isolation_mode="read_only_isolation",
dlp_controls={
"disable_copy_paste": True,
"disable_download": True,
"disable_upload": True,
"disable_printing": True,
"disable_keyboard_input": False,
"watermark_session": False,
},
)
engine.add_isolation_policy(
name="CDR for File Downloads",
description="Apply content disarm and reconstruction to all file downloads",
match_criteria={
"url_categories": ["*"],
"file_types": ["pdf", "docx", "xlsx", "pptx", "zip", "exe", "msi"],
},
isolation_mode="cdr_passthrough",
cdr_config={
"strip_macros": True,
"strip_embedded_objects": True,
"strip_javascript": True,
"strip_active_content": True,
"flatten_pdf": True,
"reconstruct_to_safe_format": True,
"max_file_size_mb": 50,
"allowed_file_types": ["pdf", "docx", "xlsx", "pptx", "png", "jpg"],
},
)
engine.add_isolation_policy(
name="Allow Trusted SaaS Direct",
description="Allow direct access to sanctioned SaaS applications",
match_criteria={
"url_categories": ["cloud_productivity", "business_saas"],
"domains": [
"*.office365.com", "*.office.com", "*.microsoft.com",
"*.salesforce.com", "*.slack.com", "*.github.com",
],
"risk_levels": ["low"],
},
isolation_mode="allow_direct",
dlp_controls={
"disable_copy_paste": False,
"disable_download": False,
"disable_upload": False,
"log_all_downloads": True,
},
)
# List all policies
for policy in engine.list_policies():
print(f" [{policy['priority']}] {policy['name']} -> {policy['isolation_mode']}")Phase 3: Content Disarming and Reconstruction (CDR)
Implement CDR processing to sanitize downloaded files by deconstructing them, stripping potentially malicious elements (macros, embedded objects, scripts), and reconstructing clean versions that preserve usability.
# Process a file through CDR
cdr_result = engine.process_file_cdr(
file_path="/tmp/downloads/quarterly_report.docx",
source_url="https://partner-portal.example.com/reports/q4.docx",
cdr_profile="strict",
)
print(f"Original file: {cdr_result['original']['filename']}")
print(f"Original size: {cdr_result['original']['size_bytes']} bytes")
print(f"Threats found: {cdr_result['threats_found']}")
for threat in cdr_result['threats_detail']:
print(f" - {threat['type']}: {threat['description']} [{threat['action']}]")
print(f"Clean file: {cdr_result['reconstructed']['filename']}")
print(f"Clean size: {cdr_result['reconstructed']['size_bytes']} bytes")
print(f"File integrity preserved: {cdr_result['reconstructed']['usable']}")
# Example output:
# Original file: quarterly_report.docx
# Original size: 245760 bytes
# Threats found: 3
# - macro: VBA macro with AutoOpen trigger [STRIPPED]
# - embedded_ole: Embedded OLE object (executable) [STRIPPED]
# - external_link: External template reference [STRIPPED]
# Clean file: quarterly_report_clean.docx
# Clean size: 198432 bytes
# File integrity preserved: TruePhase 4: Session Control and Monitoring
Implement real-time session monitoring for isolated browsing sessions with keystroke logging policy, clipboard interception, and download tracking. Integrate with SIEM for security event correlation.
# Create an isolation session
session = engine.create_isolation_session(
user_id="jsmith@acme.com",
user_groups=["engineering", "contractors"],
device_posture={
"os": "Windows 11",
"managed": True,
"edr_running": True,
"disk_encrypted": True,
"os_patched": True,
},
target_url="https://external-vendor.example.com/portal",
)
print(f"Session ID: {session['session_id']}")
print(f"Isolation Mode: {session['isolation_mode']}")
print(f"Applied Policy: {session['applied_policy']}")
print(f"DLP Controls: {json.dumps(session['dlp_controls'], indent=2)}")
# Monitor session events
events = engine.get_session_events(session_id=session["session_id"])
for event in events:
print(f" [{event['timestamp']}] {event['event_type']}: {event['details']}")
# Generate session audit report
audit = engine.generate_session_audit(
user_id="jsmith@acme.com",
date_range=("2026-03-01", "2026-03-19"),
)
print(f"Total sessions: {audit['total_sessions']}")
print(f"Isolated sessions: {audit['isolated_sessions']}")
print(f"Files processed via CDR: {audit['cdr_processed_files']}")
print(f"DLP violations: {audit['dlp_violations']}")Phase 5: Integration with Zero Trust Platform
Integrate browser isolation with the broader Zero Trust architecture including identity provider, device posture checks, and conditional access policies.
# Define Zero Trust conditional access integration
zt_policy = engine.create_zero_trust_integration(
identity_provider="Azure AD",
conditional_access_rules=[
{
"name": "Unmanaged Device Isolation",
"condition": {"device_managed": False},
"action": "full_isolation",
"dlp_override": {"disable_download": True, "disable_upload": True},
},
{
"name": "High Risk User Isolation",
"condition": {"user_risk_level": "high"},
"action": "full_isolation",
"dlp_override": {"disable_copy_paste": True, "watermark_session": True},
},
{
"name": "Contractor Restricted Access",
"condition": {"user_group": "contractors"},
"action": "read_only_isolation",
"dlp_override": {"disable_download": True, "disable_printing": True},
},
{
"name": "Privileged Admin Isolation",
"condition": {"user_group": "admins", "target_category": "admin_console"},
"action": "full_isolation",
"dlp_override": {"watermark_session": True, "record_session": True},
},
],
swg_integration={
"proxy_mode": "explicit",
"pac_url": "https://pac.acme.com/proxy.pac",
"ssl_inspection": True,
"bypass_domains": ["*.acme.internal"],
},
)
# Evaluate a request against all policies
decision = engine.evaluate_access_request(
user_id="contractor@vendor.com",
user_groups=["contractors"],
device_posture={"managed": False, "edr_running": False},
target_url="https://sensitive-app.acme.com/dashboard",
user_risk_level="medium",
)
print(f"Decision: {decision['action']}")
print(f"Matched Rules: {[r['name'] for r in decision['matched_rules']]}")
print(f"DLP Controls: {decision['effective_dlp_controls']}")Examples
Quick Policy Deployment for Phishing Protection
engine = BrowserIsolationPolicyEngine(default_isolation_mode="isolate_risky")
# Isolate all links from email
engine.add_isolation_policy(
name="Email Link Isolation",
description="Isolate all URLs clicked from email clients",
match_criteria={
"referrer_categories": ["email_client"],
"url_categories": ["*"],
},
isolation_mode="full_isolation",
dlp_controls={
"disable_keyboard_input": True,
"disable_download": True,
"watermark_session": True,
},
)
# Test against a phishing URL
result = engine.evaluate_access_request(
user_id="user@acme.com",
target_url="https://micr0soft-login.phishing.com/auth",
referrer="https://mail.google.com",
user_risk_level="low",
)
print(f"Action: {result['action']}") # full_isolationCDR Pipeline for All Downloads
engine = BrowserIsolationPolicyEngine()
# Scan a batch of downloaded files through CDR
files = [
"/tmp/downloads/invoice.pdf",
"/tmp/downloads/contract.docx",
"/tmp/downloads/data_export.xlsx",
"/tmp/downloads/presentation.pptx",
]
batch_result = engine.batch_cdr_process(
files=files,
cdr_profile="strict",
quarantine_on_threat=True,
)
print(f"Processed: {batch_result['total_processed']}")
print(f"Clean: {batch_result['clean_count']}")
print(f"Threats neutralized: {batch_result['threats_neutralized']}")
print(f"Quarantined: {batch_result['quarantined_count']}")
for f in batch_result["results"]:
status = "CLEAN" if f["clean"] else "SANITIZED"
print(f" [{status}] {f['filename']}: {f['threats_found']} threats")Generating Isolation Policy Compliance Report
engine = BrowserIsolationPolicyEngine()
report = engine.generate_compliance_report(
date_range=("2026-03-01", "2026-03-19"),
include_metrics=True,
)
print(f"Total web requests: {report['total_requests']}")
print(f"Isolated requests: {report['isolated_requests']} ({report['isolation_rate']}%)")
print(f"CDR processed files: {report['cdr_stats']['total_files']}")
print(f"Threats neutralized: {report['cdr_stats']['threats_neutralized']}")
print(f"DLP violations blocked: {report['dlp_violations_blocked']}")
print(f"Zero-day attacks prevented: {report['zero_day_blocked']}")References and resources
Everything below is rendered for inspection. Script files are read-only and never run.
References 1
api-reference.md9.2 KB
API Reference: Implementing Browser Isolation for Zero Trust
BrowserIsolationPolicyEngine
Core engine for managing browser isolation policies, CDR processing, and Zero Trust integration.
Initialization
from agent import BrowserIsolationPolicyEngine
engine = BrowserIsolationPolicyEngine(
organization="Acme Corp",
default_isolation_mode="isolate_risky", # isolate_risky | isolate_all | allow_all
)classify_url()
Classify a URL by category and risk level.
result = engine.classify_url(
url="https://docs.google.com/spreadsheets/d/abc",
referrer=None, # Optional referrer URL
)
# Returns: {url, domain, category, risk_level, risk_weight, action, reason}URL Categories:
| Category | Risk Weight | Example Domains |
|---|---|---|
| cloud_productivity | 1 | docs.google.com, office365.com, dropbox.com |
| business_saas | 1 | salesforce.com, slack.com, github.com |
| search_engines | 1 | google.com, bing.com, duckduckgo.com |
| developer_tools | 2 | stackoverflow.com, npmjs.com, pypi.org |
| news_media | 2 | cnn.com, bbc.com, reuters.com |
| social_media | 3 | facebook.com, twitter.com, linkedin.com |
| webmail | 3 | mail.google.com, outlook.live.com |
| ai_tools | 3 | chat.openai.com, claude.ai |
| file_sharing | 4 | wetransfer.com, mega.nz, mediafire.com |
| admin_console | 4 | console.aws.amazon.com, portal.azure.com |
| newly_registered | 5 | (domains < 30 days old) |
| uncategorized | 5 | (unknown domains) |
| phishing | 5 | (pattern-matched phishing URLs) |
| malware_hosting | 5 | (threat intel flagged domains) |
Risk Levels:
| Weight | Level | Default Action |
|---|---|---|
| 1 | low | allow_direct |
| 2 | low | allow_direct |
| 3 | medium | full_isolation |
| 4 | high | full_isolation |
| 5 | critical | block |
add_isolation_policy()
Add an isolation policy with match criteria and controls.
policy = engine.add_isolation_policy(
name="Policy Name", # Required
description="Policy description",
match_criteria={
"url_categories": ["webmail"], # URL categories to match
"risk_levels": ["medium", "high"], # Risk levels to match
"domains": ["*.example.com"], # Specific domains (supports wildcards)
"referrer_categories": ["email"], # Referrer URL categories
"file_types": ["pdf", "docx"], # File type triggers
"user_groups": ["contractors"], # User group membership
},
isolation_mode="full_isolation", # See Isolation Modes below
dlp_controls={ # See DLP Controls below
"disable_copy_paste": True,
"disable_download": True,
},
cdr_config={ # CDR config (for cdr_passthrough mode)
"strip_macros": True,
"strip_embedded_objects": True,
"strip_javascript": True,
},
priority=1, # Lower = higher priority
)Isolation Modes:
| Mode | Description | Code on Endpoint | Network Isolated |
|---|---|---|---|
| full_isolation | Pixel-streaming RBI | No | Yes |
| dom_reconstruction | Sanitized DOM mirror | No | Yes |
| read_only_isolation | Pixel stream, input restricted | No | Yes |
| cdr_passthrough | Direct browse, CDR for files | Yes | No |
| allow_direct | No isolation (trusted) | Yes | No |
| block | Access denied | No | Yes |
DLP Controls:
| Control | Type | Default | Description |
|---|---|---|---|
| disable_copy_paste | bool | false | Block clipboard operations |
| disable_download | bool | false | Block file downloads |
| disable_upload | bool | false | Block file uploads |
| disable_printing | bool | false | Block printing |
| disable_keyboard_input | bool | false | Block all keyboard input |
| watermark_session | bool | false | Apply visual watermark with user ID |
| record_session | bool | false | Record full session for audit |
| log_all_downloads | bool | true | Log download events to SIEM |
| log_clipboard_events | bool | true | Log clipboard operations |
| log_file_uploads | bool | true | Log upload events |
| max_download_size_mb | int | 100 | Maximum download size |
| blocked_upload_types | list | [exe,bat,...] | File types blocked from upload |
process_file_cdr()
Process a file through Content Disarm and Reconstruction.
result = engine.process_file_cdr(
file_path="/path/to/file.docx",
source_url="https://example.com/file.docx", # Optional
cdr_profile="strict", # strict | standard | permissive
)CDR Profiles:
| Profile | Strips | Use Case |
|---|---|---|
| strict | All threat types (high, medium, low) | High-security environments |
| standard | High and critical severity threats | General business use |
| permissive | Critical severity only | Low-risk trusted sources |
CDR Threat Types Detected:
| Type | Severity | File Types |
|---|---|---|
| macro | high | docx, xlsx, pptx, doc, xls |
| embedded_ole | high | docx, xlsx, pptx, pdf, rtf |
| javascript_pdf | high | |
| external_link | medium | docx, xlsx, pptx |
| embedded_executable | critical | pdf, docx, zip, rar |
| dde_exploit | high | docx, xlsx, csv |
| hidden_content | low | docx, xlsx, pptx, pdf |
| metadata_leak | low | docx, xlsx, pdf, jpg, png |
CDR-Supported File Types:
| Supported (reconstructed) | Blocked (quarantined) |
|---|---|
| pdf, docx, xlsx, pptx | exe, msi, dll |
| doc, xls, ppt, rtf, csv | bat, ps1, sh |
| zip, rar, 7z | iso |
| png, jpg, gif, svg, html |
batch_cdr_process()
Process multiple files through CDR.
result = engine.batch_cdr_process(
files=["/path/file1.pdf", "/path/file2.docx"],
cdr_profile="strict",
quarantine_on_threat=True,
)
# Returns: {total_processed, clean_count, threats_neutralized, quarantined_count, results}create_isolation_session()
Create an isolated browsing session with policy evaluation.
session = engine.create_isolation_session(
user_id="user@acme.com",
target_url="https://example.com",
user_groups=["engineering"],
device_posture={
"os": "Windows 11",
"managed": True,
"edr_running": True,
"disk_encrypted": True,
},
user_risk_level="low", # low | medium | high
)
# Returns: {session_id, isolation_mode, applied_policy, dlp_controls, ...}create_zero_trust_integration()
Configure Zero Trust platform integration.
zt = engine.create_zero_trust_integration(
identity_provider="Azure AD",
conditional_access_rules=[
{
"name": "Rule Name",
"condition": {
"device_managed": False, # Device posture check
"user_risk_level": "high", # Identity risk signal
"user_group": "contractors", # Group membership
"target_category": "admin_console", # URL category
},
"action": "full_isolation", # Isolation mode override
"dlp_override": { # DLP control overrides
"disable_download": True,
},
},
],
swg_integration={
"proxy_mode": "explicit", # explicit | transparent | pac
"pac_url": "https://pac.acme.com/proxy.pac",
"ssl_inspection": True,
"bypass_domains": ["*.acme.internal"],
},
)evaluate_access_request()
Evaluate a request against all policies and ZT rules.
decision = engine.evaluate_access_request(
user_id="user@acme.com",
target_url="https://example.com",
user_groups=["engineering"],
device_posture={"managed": True},
user_risk_level="low",
referrer=None,
)
# Returns: {session_id, action, url_classification, matched_rules, effective_dlp_controls}generate_compliance_report()
Generate deployment compliance report.
report = engine.generate_compliance_report(
date_range=("2026-03-01", "2026-03-31"),
include_metrics=True,
)CLI Usage
# Classify a URL
python agent.py --action classify --url "https://example.com"
# Test CDR on a file
python agent.py --action cdr_test --file "/path/to/file.docx"
# Run full demonstration
python agent.py --action demo --org "Acme Corp" --output report.jsonReferences
- Cloudflare Browser Isolation: https://developers.cloudflare.com/cloudflare-one/remote-browser-isolation/
- Cloudflare Isolation Policies: https://developers.cloudflare.com/cloudflare-one/remote-browser-isolation/isolation-policies/
- Menlo Security RBI: https://www.menlosecurity.com/product/remote-browser-isolation
- Menlo Security CDR Guide: https://www.menlosecurity.com/resources/a-complete-guide-to-content-disarm-and-reconstruction-cdr-technology
- OPSWAT Deep CDR: https://www.opswat.com/technologies/deep-cdr
- Zscaler RBI: https://www.zscaler.com/resources/security-terms-glossary/what-is-remote-browser-isolation
- CSA Browser as PEP in Zero Trust: https://cloudsecurityalliance.org/blog/2026/01/14/reimagining-the-browser-as-a-critical-policy-enforcement-point
- NIST SP 800-207 Zero Trust Architecture: https://csrc.nist.gov/publications/detail/sp/800-207/final
Scripts 1
agent.py41.7 KB
#!/usr/bin/env python3
"""Agent for implementing browser isolation within a Zero Trust architecture.
Deploys remote browser isolation (RBI) policies with URL categorization,
content disarming and reconstruction (CDR), DLP controls, and integration
with Secure Web Gateway and ZTNA platforms. Based on Cloudflare Browser
Isolation, Menlo Security, and Zscaler RBI approaches.
"""
import os
import json
import uuid
import hashlib
import argparse
import re
from datetime import datetime, timedelta
from copy import deepcopy
# ---------------------------------------------------------------------------
# URL categorization database
# ---------------------------------------------------------------------------
URL_CATEGORIES = {
# Trusted business categories
"cloud_productivity": {
"risk_weight": 1,
"domains": [
"docs.google.com", "drive.google.com", "sheets.google.com",
"office365.com", "office.com", "sharepoint.com",
"onedrive.live.com", "dropbox.com", "box.com",
],
"patterns": [r".*\.google\.com/.*doc", r".*\.office\.com/.*"],
},
"business_saas": {
"risk_weight": 1,
"domains": [
"salesforce.com", "slack.com", "github.com", "gitlab.com",
"atlassian.net", "jira.atlassian.com", "notion.so",
"figma.com", "linear.app", "asana.com",
],
"patterns": [],
},
"developer_tools": {
"risk_weight": 2,
"domains": [
"stackoverflow.com", "npmjs.com", "pypi.org", "crates.io",
"hub.docker.com", "registry.npmjs.org", "maven.org",
],
"patterns": [],
},
"search_engines": {
"risk_weight": 1,
"domains": [
"google.com", "bing.com", "duckduckgo.com", "yahoo.com",
],
"patterns": [r".*\.google\.[a-z]{2,3}/search.*"],
},
# Medium risk categories
"social_media": {
"risk_weight": 3,
"domains": [
"facebook.com", "twitter.com", "x.com", "linkedin.com",
"instagram.com", "reddit.com", "tiktok.com", "youtube.com",
],
"patterns": [],
},
"webmail": {
"risk_weight": 3,
"domains": [
"mail.google.com", "outlook.live.com", "mail.yahoo.com",
"protonmail.com", "zoho.com",
],
"patterns": [],
},
"news_media": {
"risk_weight": 2,
"domains": [
"cnn.com", "bbc.com", "reuters.com", "nytimes.com",
"washingtonpost.com", "theguardian.com",
],
"patterns": [],
},
"file_sharing": {
"risk_weight": 4,
"domains": [
"wetransfer.com", "sendspace.com", "mediafire.com",
"mega.nz", "zippyshare.com",
],
"patterns": [],
},
# High risk categories
"admin_console": {
"risk_weight": 4,
"domains": [
"console.aws.amazon.com", "portal.azure.com",
"console.cloud.google.com", "admin.google.com",
],
"patterns": [r".*admin\..*/.*", r".*console\..*/.*"],
},
"ai_tools": {
"risk_weight": 3,
"domains": [
"chat.openai.com", "claude.ai", "bard.google.com",
"copilot.microsoft.com", "perplexity.ai",
],
"patterns": [],
},
"email_client": {
"risk_weight": 3,
"domains": [],
"patterns": [r".*mail\..*", r".*webmail\..*"],
},
# Dangerous categories
"newly_registered": {
"risk_weight": 5,
"domains": [],
"patterns": [],
"heuristic": "domain_age_days < 30",
},
"uncategorized": {
"risk_weight": 5,
"domains": [],
"patterns": [],
},
"malware_hosting": {
"risk_weight": 5,
"domains": [],
"patterns": [],
},
"phishing": {
"risk_weight": 5,
"domains": [],
"patterns": [
r".*micr[o0]s[o0]ft.*login.*",
r".*g[o0]{2}gle.*auth.*",
r".*paypa[l1].*verify.*",
r".*amaz[o0]n.*security.*",
r".*app[l1]e.*id.*confirm.*",
],
},
}
# Risk level thresholds
RISK_LEVELS = {
1: "low",
2: "low",
3: "medium",
4: "high",
5: "critical",
}
# CDR threat types
CDR_THREAT_TYPES = {
"macro": {
"description": "VBA/Office macro with potentially malicious code",
"file_types": ["docx", "xlsx", "pptx", "doc", "xls", "ppt", "docm", "xlsm"],
"severity": "high",
"indicators": ["AutoOpen", "AutoExec", "Document_Open", "Workbook_Open",
"Shell", "WScript", "CreateObject", "PowerShell"],
},
"embedded_ole": {
"description": "Embedded OLE object (may contain executable payload)",
"file_types": ["docx", "xlsx", "pptx", "pdf", "rtf"],
"severity": "high",
"indicators": ["OLE2", "Package", "ObjectPool", "CompObj"],
},
"javascript_pdf": {
"description": "JavaScript embedded in PDF document",
"file_types": ["pdf"],
"severity": "high",
"indicators": ["/JavaScript", "/JS", "/Launch", "/SubmitForm",
"/OpenAction", "/AA", "/URI"],
},
"external_link": {
"description": "External template or resource reference",
"file_types": ["docx", "xlsx", "pptx"],
"severity": "medium",
"indicators": ["attachedTemplate", "externalLink", "oleLink"],
},
"embedded_executable": {
"description": "Embedded executable or script file",
"file_types": ["pdf", "docx", "xlsx", "zip", "rar", "7z"],
"severity": "critical",
"indicators": ["MZ", "PE", ".exe", ".dll", ".bat", ".ps1", ".vbs", ".js"],
},
"dde_exploit": {
"description": "Dynamic Data Exchange field that can execute commands",
"file_types": ["docx", "xlsx", "csv"],
"severity": "high",
"indicators": ["DDE", "DDEAUTO", "cmd.exe", "powershell"],
},
"hidden_content": {
"description": "Hidden text, sheets, or layers that may contain sensitive data",
"file_types": ["docx", "xlsx", "pptx", "pdf"],
"severity": "low",
"indicators": ["hidden", "visibility:hidden", "display:none"],
},
"metadata_leak": {
"description": "Document metadata containing sensitive information",
"file_types": ["docx", "xlsx", "pptx", "pdf", "jpg", "png"],
"severity": "low",
"indicators": ["author", "company", "gps", "location", "revision"],
},
}
# File extension to MIME type mapping
FILE_EXTENSIONS = {
"pdf": {"mime": "application/pdf", "cdr_supported": True},
"docx": {"mime": "application/vnd.openxmlformats-officedocument.wordprocessingml.document", "cdr_supported": True},
"xlsx": {"mime": "application/vnd.openxmlformats-officedocument.spreadsheetml.sheet", "cdr_supported": True},
"pptx": {"mime": "application/vnd.openxmlformats-officedocument.presentationml.presentation", "cdr_supported": True},
"doc": {"mime": "application/msword", "cdr_supported": True},
"xls": {"mime": "application/vnd.ms-excel", "cdr_supported": True},
"ppt": {"mime": "application/vnd.ms-powerpoint", "cdr_supported": True},
"rtf": {"mime": "application/rtf", "cdr_supported": True},
"csv": {"mime": "text/csv", "cdr_supported": True},
"zip": {"mime": "application/zip", "cdr_supported": True},
"rar": {"mime": "application/x-rar-compressed", "cdr_supported": True},
"7z": {"mime": "application/x-7z-compressed", "cdr_supported": True},
"png": {"mime": "image/png", "cdr_supported": True},
"jpg": {"mime": "image/jpeg", "cdr_supported": True},
"gif": {"mime": "image/gif", "cdr_supported": True},
"svg": {"mime": "image/svg+xml", "cdr_supported": True},
"html": {"mime": "text/html", "cdr_supported": True},
"exe": {"mime": "application/x-msdownload", "cdr_supported": False},
"msi": {"mime": "application/x-msi", "cdr_supported": False},
"dll": {"mime": "application/x-msdownload", "cdr_supported": False},
"bat": {"mime": "application/x-msdos-program", "cdr_supported": False},
"ps1": {"mime": "application/x-powershell", "cdr_supported": False},
"sh": {"mime": "application/x-sh", "cdr_supported": False},
"iso": {"mime": "application/x-iso9660-image", "cdr_supported": False},
}
# Isolation modes
ISOLATION_MODES = {
"full_isolation": {
"description": "Full pixel-streaming RBI - no code reaches endpoint",
"rendering": "pixel_stream",
"endpoint_code_execution": False,
"network_isolation": True,
},
"dom_reconstruction": {
"description": "DOM reconstruction - sanitized DOM streamed to endpoint",
"rendering": "dom_mirror",
"endpoint_code_execution": False,
"network_isolation": True,
},
"read_only_isolation": {
"description": "Isolated rendering with all input disabled except scrolling",
"rendering": "pixel_stream",
"endpoint_code_execution": False,
"network_isolation": True,
"input_restricted": True,
},
"cdr_passthrough": {
"description": "Direct browsing but files processed through CDR pipeline",
"rendering": "direct",
"endpoint_code_execution": True,
"network_isolation": False,
"cdr_enabled": True,
},
"allow_direct": {
"description": "Direct access without isolation (trusted sites)",
"rendering": "direct",
"endpoint_code_execution": True,
"network_isolation": False,
},
"block": {
"description": "Block access entirely",
"rendering": "none",
"endpoint_code_execution": False,
"network_isolation": True,
},
}
DEFAULT_DLP_CONTROLS = {
"disable_copy_paste": False,
"disable_download": False,
"disable_upload": False,
"disable_printing": False,
"disable_keyboard_input": False,
"watermark_session": False,
"record_session": False,
"log_all_downloads": True,
"log_clipboard_events": True,
"log_file_uploads": True,
"max_download_size_mb": 100,
"blocked_upload_types": ["exe", "bat", "ps1", "sh", "dll", "msi"],
}
def _extract_domain(url):
"""Extract the domain from a URL."""
url = url.lower().strip()
if "://" in url:
url = url.split("://", 1)[1]
domain = url.split("/", 1)[0]
domain = domain.split(":", 1)[0] # Remove port
return domain
def _domain_matches(domain, pattern):
"""Check if a domain matches a pattern (supports wildcard prefix)."""
if pattern.startswith("*."):
suffix = pattern[2:]
return domain == suffix or domain.endswith("." + suffix)
return domain == pattern
class BrowserIsolationPolicyEngine:
"""Engine for managing browser isolation policies and CDR processing."""
def __init__(self, organization="", default_isolation_mode="isolate_risky"):
self.organization = organization
self.default_isolation_mode = default_isolation_mode
self.policies = []
self.sessions = {}
self.session_events = {}
self.cdr_results = {}
self.zt_integration = None
self._threat_intel_domains = set()
# ------------------------------------------------------------------
# URL Classification
# ------------------------------------------------------------------
def classify_url(self, url, referrer=None):
"""Classify a URL by category and risk level."""
domain = _extract_domain(url)
url_lower = url.lower()
matched_category = "uncategorized"
max_risk_weight = 5 # Default for uncategorized
# Check against known phishing patterns first
for pattern in URL_CATEGORIES.get("phishing", {}).get("patterns", []):
if re.match(pattern, url_lower):
return {
"url": url,
"domain": domain,
"category": "phishing",
"risk_level": "critical",
"risk_weight": 5,
"action": "block",
"reason": f"URL matches phishing pattern: {pattern}",
}
# Check against threat intelligence
if domain in self._threat_intel_domains:
return {
"url": url,
"domain": domain,
"category": "malware_hosting",
"risk_level": "critical",
"risk_weight": 5,
"action": "block",
"reason": "Domain flagged in threat intelligence feed",
}
# Check against category databases
for cat_name, cat_def in URL_CATEGORIES.items():
if cat_name in ("phishing", "uncategorized", "malware_hosting", "newly_registered"):
continue
# Domain match
for known_domain in cat_def.get("domains", []):
if domain == known_domain or domain.endswith("." + known_domain):
matched_category = cat_name
max_risk_weight = cat_def["risk_weight"]
break
# Pattern match
if matched_category == "uncategorized":
for pattern in cat_def.get("patterns", []):
if re.match(pattern, url_lower):
matched_category = cat_name
max_risk_weight = cat_def["risk_weight"]
break
if matched_category != "uncategorized":
break
risk_level = RISK_LEVELS.get(max_risk_weight, "critical")
# Determine action based on risk
if risk_level == "critical":
action = "block"
elif risk_level == "high":
action = "full_isolation"
elif risk_level == "medium":
if self.default_isolation_mode == "isolate_risky":
action = "full_isolation"
else:
action = "dom_reconstruction"
else:
action = "allow_direct"
return {
"url": url,
"domain": domain,
"category": matched_category,
"risk_level": risk_level,
"risk_weight": max_risk_weight,
"action": action,
"reason": f"Categorized as {matched_category} (risk: {risk_level})",
}
def add_threat_intel_domains(self, domains):
"""Add domains from threat intelligence feeds."""
self._threat_intel_domains.update(d.lower().strip() for d in domains)
return {"added": len(domains), "total": len(self._threat_intel_domains)}
# ------------------------------------------------------------------
# Policy Management
# ------------------------------------------------------------------
def add_isolation_policy(self, name, description="", match_criteria=None,
isolation_mode="full_isolation", dlp_controls=None,
cdr_config=None, priority=None):
"""Add an isolation policy."""
if isolation_mode not in ISOLATION_MODES:
raise ValueError(f"Invalid isolation mode: {isolation_mode}. "
f"Valid modes: {list(ISOLATION_MODES.keys())}")
if priority is None:
priority = len(self.policies) + 1
effective_dlp = dict(DEFAULT_DLP_CONTROLS)
if dlp_controls:
effective_dlp.update(dlp_controls)
policy = {
"policy_id": f"POL-{uuid.uuid4().hex[:8].upper()}",
"name": name,
"description": description,
"match_criteria": match_criteria or {},
"isolation_mode": isolation_mode,
"isolation_details": ISOLATION_MODES[isolation_mode],
"dlp_controls": effective_dlp,
"cdr_config": cdr_config,
"priority": priority,
"enabled": True,
"created_at": datetime.utcnow().isoformat(),
}
self.policies.append(policy)
self.policies.sort(key=lambda p: p["priority"])
return policy
def list_policies(self):
"""List all isolation policies ordered by priority."""
return [
{
"policy_id": p["policy_id"],
"name": p["name"],
"priority": p["priority"],
"isolation_mode": p["isolation_mode"],
"enabled": p["enabled"],
}
for p in self.policies
]
def _match_policy(self, url, category, risk_level, user_groups=None,
referrer=None, file_type=None):
"""Find the first matching policy for a request."""
domain = _extract_domain(url)
for policy in self.policies:
if not policy["enabled"]:
continue
criteria = policy["match_criteria"]
matched = True
# Check URL categories
if "url_categories" in criteria:
cats = criteria["url_categories"]
if "*" not in cats and category not in cats:
matched = False
# Check risk levels
if matched and "risk_levels" in criteria:
if risk_level not in criteria["risk_levels"]:
matched = False
# Check domains
if matched and "domains" in criteria:
domain_matched = False
for pattern_domain in criteria["domains"]:
if _domain_matches(domain, pattern_domain):
domain_matched = True
break
if not domain_matched:
matched = False
# Check referrer categories
if matched and "referrer_categories" in criteria:
if referrer:
ref_result = self.classify_url(referrer)
if ref_result["category"] not in criteria["referrer_categories"]:
matched = False
else:
matched = False
# Check file types
if matched and "file_types" in criteria:
if file_type and file_type not in criteria["file_types"]:
matched = False
elif not file_type and "file_types" in criteria:
# Policy is file-type specific, skip for non-file requests
if not any(k in criteria for k in ["url_categories", "domains", "risk_levels"]):
matched = False
# Check user groups
if matched and "user_groups" in criteria:
if not user_groups or not set(user_groups) & set(criteria["user_groups"]):
matched = False
if matched:
return policy
return None
# ------------------------------------------------------------------
# CDR Processing
# ------------------------------------------------------------------
def process_file_cdr(self, file_path, source_url="", cdr_profile="standard"):
"""Process a file through Content Disarm and Reconstruction."""
filename = os.path.basename(file_path)
ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
file_info = FILE_EXTENSIONS.get(ext, {"mime": "application/octet-stream", "cdr_supported": False})
if not file_info["cdr_supported"]:
return {
"status": "blocked",
"reason": f"File type '{ext}' is not CDR-supported and has been quarantined",
"original": {"filename": filename, "extension": ext},
"quarantined": True,
}
# Determine file size (use actual if exists, else simulate)
try:
file_size = os.path.getsize(file_path)
except OSError:
file_size = 0
# Simulate CDR analysis based on file type and profile
threats_found = []
for threat_type, threat_def in CDR_THREAT_TYPES.items():
if ext in threat_def["file_types"]:
# Simulate threat detection based on profile strictness
if cdr_profile == "strict":
# Strict mode flags all potential threat types for this file format
threats_found.append({
"type": threat_type,
"description": threat_def["description"],
"severity": threat_def["severity"],
"action": "STRIPPED",
"indicators_checked": threat_def["indicators"],
})
elif cdr_profile == "standard":
# Standard mode only flags high/critical severity
if threat_def["severity"] in ("high", "critical"):
threats_found.append({
"type": threat_type,
"description": threat_def["description"],
"severity": threat_def["severity"],
"action": "STRIPPED",
"indicators_checked": threat_def["indicators"][:3],
})
elif cdr_profile == "permissive":
# Permissive mode only flags critical severity
if threat_def["severity"] == "critical":
threats_found.append({
"type": threat_type,
"description": threat_def["description"],
"severity": threat_def["severity"],
"action": "STRIPPED",
"indicators_checked": threat_def["indicators"][:2],
})
# Calculate reconstructed file size (stripped content reduces size)
size_reduction = len(threats_found) * 0.05 # ~5% per threat stripped
reconstructed_size = max(int(file_size * (1 - size_reduction)), int(file_size * 0.7))
clean_filename = filename.rsplit(".", 1)
clean_filename = f"{clean_filename[0]}_clean.{clean_filename[1]}" if len(clean_filename) > 1 else f"{filename}_clean"
result = {
"status": "processed",
"cdr_profile": cdr_profile,
"original": {
"filename": filename,
"extension": ext,
"mime_type": file_info["mime"],
"size_bytes": file_size,
"source_url": source_url,
"hash_sha256": hashlib.sha256(filename.encode()).hexdigest(),
},
"threats_found": len(threats_found),
"threats_detail": threats_found,
"reconstructed": {
"filename": clean_filename,
"size_bytes": reconstructed_size,
"usable": True,
"format_preserved": True,
"hash_sha256": hashlib.sha256(clean_filename.encode()).hexdigest(),
},
"processing_time_ms": len(threats_found) * 150 + 200,
"processed_at": datetime.utcnow().isoformat(),
}
self.cdr_results[filename] = result
return result
def batch_cdr_process(self, files, cdr_profile="standard", quarantine_on_threat=True):
"""Process multiple files through CDR pipeline."""
results = []
threats_neutralized = 0
quarantined = 0
clean = 0
for file_path in files:
result = self.process_file_cdr(
file_path=file_path,
cdr_profile=cdr_profile,
)
results.append({
"filename": os.path.basename(file_path),
"status": result["status"],
"threats_found": result.get("threats_found", 0),
"clean": result.get("threats_found", 0) == 0,
"quarantined": result.get("quarantined", False),
})
if result.get("quarantined"):
quarantined += 1
elif result.get("threats_found", 0) > 0:
threats_neutralized += result["threats_found"]
else:
clean += 1
return {
"total_processed": len(files),
"clean_count": clean,
"threats_neutralized": threats_neutralized,
"quarantined_count": quarantined,
"cdr_profile": cdr_profile,
"results": results,
"processed_at": datetime.utcnow().isoformat(),
}
# ------------------------------------------------------------------
# Session Management
# ------------------------------------------------------------------
def create_isolation_session(self, user_id, target_url,
user_groups=None, device_posture=None,
user_risk_level="low"):
"""Create an isolated browsing session."""
session_id = f"SES-{uuid.uuid4().hex[:12].upper()}"
# Classify the target URL
classification = self.classify_url(target_url)
# Find matching policy
policy = self._match_policy(
url=target_url,
category=classification["category"],
risk_level=classification["risk_level"],
user_groups=user_groups,
)
# Check ZT integration rules
zt_overrides = {}
if self.zt_integration:
for rule in self.zt_integration.get("conditional_access_rules", []):
condition = rule.get("condition", {})
rule_matched = True
if "device_managed" in condition:
if device_posture and device_posture.get("managed") != condition["device_managed"]:
rule_matched = False
elif not device_posture:
rule_matched = False
if "user_risk_level" in condition:
if user_risk_level != condition["user_risk_level"]:
rule_matched = False
if "user_group" in condition:
if not user_groups or condition["user_group"] not in user_groups:
rule_matched = False
if "target_category" in condition:
if classification["category"] != condition["target_category"]:
rule_matched = False
if rule_matched:
zt_overrides = {
"action": rule.get("action", "full_isolation"),
"dlp_override": rule.get("dlp_override", {}),
"matched_rule": rule["name"],
}
break
# Determine effective isolation mode and DLP controls
if zt_overrides:
isolation_mode = zt_overrides["action"]
effective_dlp = dict(DEFAULT_DLP_CONTROLS)
if policy:
effective_dlp.update(policy.get("dlp_controls", {}))
effective_dlp.update(zt_overrides.get("dlp_override", {}))
applied_policy = zt_overrides.get("matched_rule", "Zero Trust Override")
elif policy:
isolation_mode = policy["isolation_mode"]
effective_dlp = policy["dlp_controls"]
applied_policy = policy["name"]
else:
isolation_mode = classification["action"]
effective_dlp = dict(DEFAULT_DLP_CONTROLS)
applied_policy = "Default Classification"
session = {
"session_id": session_id,
"user_id": user_id,
"user_groups": user_groups or [],
"target_url": target_url,
"url_classification": classification,
"device_posture": device_posture or {},
"user_risk_level": user_risk_level,
"isolation_mode": isolation_mode,
"isolation_details": ISOLATION_MODES.get(isolation_mode, {}),
"applied_policy": applied_policy,
"dlp_controls": effective_dlp,
"zt_overrides": zt_overrides,
"status": "active",
"started_at": datetime.utcnow().isoformat(),
}
self.sessions[session_id] = session
# Record session start event
self.session_events.setdefault(session_id, []).append({
"timestamp": datetime.utcnow().isoformat(),
"event_type": "session_start",
"details": f"Isolation session started for {target_url} "
f"(mode: {isolation_mode}, policy: {applied_policy})",
})
return session
def get_session_events(self, session_id):
"""Get all events for a session."""
return self.session_events.get(session_id, [])
def end_session(self, session_id):
"""End an isolation session."""
if session_id not in self.sessions:
raise ValueError(f"Session {session_id} not found")
session = self.sessions[session_id]
session["status"] = "ended"
session["ended_at"] = datetime.utcnow().isoformat()
self.session_events.setdefault(session_id, []).append({
"timestamp": datetime.utcnow().isoformat(),
"event_type": "session_end",
"details": "Isolation session terminated",
})
return session
def generate_session_audit(self, user_id=None, date_range=None):
"""Generate audit report for isolation sessions."""
sessions = list(self.sessions.values())
if user_id:
sessions = [s for s in sessions if s["user_id"] == user_id]
total = len(sessions)
isolated = sum(1 for s in sessions if s["isolation_mode"] != "allow_direct")
cdr_files = len(self.cdr_results)
dlp_violations = sum(
1 for events in self.session_events.values()
for e in events if e["event_type"] == "dlp_violation"
)
return {
"user_id": user_id,
"date_range": date_range,
"total_sessions": total,
"isolated_sessions": isolated,
"direct_sessions": total - isolated,
"isolation_rate": round((isolated / total * 100), 1) if total else 0,
"cdr_processed_files": cdr_files,
"dlp_violations": dlp_violations,
"generated_at": datetime.utcnow().isoformat(),
}
# ------------------------------------------------------------------
# Zero Trust Integration
# ------------------------------------------------------------------
def create_zero_trust_integration(self, identity_provider="",
conditional_access_rules=None,
swg_integration=None):
"""Configure Zero Trust platform integration."""
self.zt_integration = {
"identity_provider": identity_provider,
"conditional_access_rules": conditional_access_rules or [],
"swg_integration": swg_integration or {},
"configured_at": datetime.utcnow().isoformat(),
}
return self.zt_integration
def evaluate_access_request(self, user_id, target_url, user_groups=None,
device_posture=None, user_risk_level="low",
referrer=None):
"""Evaluate an access request against all policies and ZT rules."""
# Create a session (which evaluates all policies)
session = self.create_isolation_session(
user_id=user_id,
target_url=target_url,
user_groups=user_groups,
device_posture=device_posture,
user_risk_level=user_risk_level,
)
matched_rules = []
if session.get("zt_overrides", {}).get("matched_rule"):
matched_rules.append({"name": session["zt_overrides"]["matched_rule"],
"source": "zero_trust"})
if session.get("applied_policy") and session["applied_policy"] != "Default Classification":
matched_rules.append({"name": session["applied_policy"],
"source": "isolation_policy"})
return {
"session_id": session["session_id"],
"action": session["isolation_mode"],
"url_classification": session["url_classification"],
"matched_rules": matched_rules,
"effective_dlp_controls": session["dlp_controls"],
"device_posture_evaluated": bool(device_posture),
"isolation_details": session["isolation_details"],
}
# ------------------------------------------------------------------
# Compliance Reporting
# ------------------------------------------------------------------
def generate_compliance_report(self, date_range=None, include_metrics=True):
"""Generate a compliance report for browser isolation deployment."""
total_sessions = len(self.sessions)
isolated = sum(1 for s in self.sessions.values()
if s["isolation_mode"] not in ("allow_direct",))
blocked = sum(1 for s in self.sessions.values()
if s["isolation_mode"] == "block")
cdr_total = len(self.cdr_results)
cdr_threats = sum(r.get("threats_found", 0) for r in self.cdr_results.values())
cdr_quarantined = sum(1 for r in self.cdr_results.values() if r.get("quarantined"))
dlp_violations = sum(
1 for events in self.session_events.values()
for e in events if e["event_type"] == "dlp_violation"
)
report = {
"organization": self.organization,
"report_period": date_range,
"generated_at": datetime.utcnow().isoformat(),
"total_requests": total_sessions,
"isolated_requests": isolated,
"blocked_requests": blocked,
"direct_requests": total_sessions - isolated - blocked,
"isolation_rate": round((isolated / total_sessions * 100), 1) if total_sessions else 0,
"policies_configured": len(self.policies),
"policies_enabled": sum(1 for p in self.policies if p["enabled"]),
"cdr_stats": {
"total_files": cdr_total,
"threats_neutralized": cdr_threats,
"files_quarantined": cdr_quarantined,
"clean_files": cdr_total - cdr_quarantined,
},
"dlp_violations_blocked": dlp_violations,
"zero_day_blocked": blocked,
"zero_trust_integration": bool(self.zt_integration),
}
return report
def main():
parser = argparse.ArgumentParser(
description="Browser Isolation for Zero Trust - Policy Engine"
)
parser.add_argument("--org", default="", help="Organization name")
parser.add_argument("--output", default="rbi_report.json", help="Output report path")
parser.add_argument("--action", choices=[
"classify", "demo", "cdr_test", "policy_report",
], default="demo", help="Action to perform")
parser.add_argument("--url", default="", help="URL to classify (for classify action)")
parser.add_argument("--file", default="", help="File to process (for cdr_test action)")
args = parser.parse_args()
engine = BrowserIsolationPolicyEngine(
organization=args.org or "Demo Corp",
default_isolation_mode="isolate_risky",
)
if args.action == "classify" and args.url:
result = engine.classify_url(args.url)
print(f"URL: {result['url']}")
print(f"Domain: {result['domain']}")
print(f"Category: {result['category']}")
print(f"Risk Level: {result['risk_level']}")
print(f"Action: {result['action']}")
print(f"Reason: {result['reason']}")
elif args.action == "cdr_test" and args.file:
result = engine.process_file_cdr(args.file, cdr_profile="strict")
print(f"Status: {result['status']}")
if result["status"] == "processed":
print(f"Threats found: {result['threats_found']}")
for t in result["threats_detail"]:
print(f" [{t['severity'].upper()}] {t['type']}: {t['description']} -> {t['action']}")
print(f"Clean file: {result['reconstructed']['filename']}")
elif args.action == "demo":
print("[*] Running Browser Isolation Demo...\n")
# Add policies
engine.add_isolation_policy(
name="Block Phishing and Malware",
match_criteria={"url_categories": ["phishing", "malware_hosting"],
"risk_levels": ["critical"]},
isolation_mode="block",
priority=1,
)
engine.add_isolation_policy(
name="Isolate Uncategorized Sites",
match_criteria={"url_categories": ["uncategorized", "newly_registered"],
"risk_levels": ["high", "critical"]},
isolation_mode="full_isolation",
dlp_controls={"disable_download": True, "disable_upload": True,
"watermark_session": True},
priority=2,
)
engine.add_isolation_policy(
name="Isolate Webmail",
match_criteria={"url_categories": ["webmail"]},
isolation_mode="read_only_isolation",
dlp_controls={"disable_copy_paste": True, "disable_download": True},
priority=3,
)
engine.add_isolation_policy(
name="CDR for File Sharing",
match_criteria={"url_categories": ["file_sharing"]},
isolation_mode="cdr_passthrough",
cdr_config={"strip_macros": True, "strip_embedded_objects": True},
priority=4,
)
engine.add_isolation_policy(
name="Allow Trusted SaaS",
match_criteria={"url_categories": ["cloud_productivity", "business_saas"],
"risk_levels": ["low"]},
isolation_mode="allow_direct",
priority=10,
)
print(f"[+] Configured {len(engine.policies)} isolation policies\n")
# Configure ZT integration
engine.create_zero_trust_integration(
identity_provider="Azure AD",
conditional_access_rules=[
{"name": "Unmanaged Device Isolation",
"condition": {"device_managed": False},
"action": "full_isolation",
"dlp_override": {"disable_download": True}},
{"name": "Contractor Restricted",
"condition": {"user_group": "contractors"},
"action": "read_only_isolation",
"dlp_override": {"disable_download": True, "disable_printing": True}},
],
)
print("[+] Zero Trust integration configured\n")
# Classify URLs
test_urls = [
"https://docs.google.com/spreadsheets/d/abc123",
"https://mail.google.com/inbox",
"https://unknown-domain-xyz.top/page.html",
"https://micr0s0ft-login.phishing.com/auth",
"https://github.com/org/repo",
"https://mega.nz/file/abc123",
"https://console.aws.amazon.com/ec2",
]
print("--- URL Classification ---")
for url in test_urls:
result = engine.classify_url(url)
print(f" {url}")
print(f" Category: {result['category']} | Risk: {result['risk_level']} | Action: {result['action']}")
print()
# Create isolation sessions
print("--- Isolation Sessions ---")
session1 = engine.create_isolation_session(
user_id="employee@acme.com",
user_groups=["engineering"],
device_posture={"managed": True, "edr_running": True},
target_url="https://unknown-domain-xyz.top/page.html",
)
print(f" Session: {session1['session_id']}")
print(f" URL: {session1['target_url']}")
print(f" Mode: {session1['isolation_mode']}")
print(f" Policy: {session1['applied_policy']}")
session2 = engine.create_isolation_session(
user_id="contractor@vendor.com",
user_groups=["contractors"],
device_posture={"managed": False, "edr_running": False},
target_url="https://docs.google.com/document/d/abc",
)
print(f"\n Session: {session2['session_id']}")
print(f" URL: {session2['target_url']}")
print(f" Mode: {session2['isolation_mode']}")
print(f" Policy: {session2['applied_policy']}")
print()
# CDR processing
print("--- CDR Processing ---")
test_files = [
"/tmp/downloads/report.docx",
"/tmp/downloads/data.xlsx",
"/tmp/downloads/presentation.pptx",
"/tmp/downloads/invoice.pdf",
"/tmp/downloads/malware.exe",
]
batch = engine.batch_cdr_process(test_files, cdr_profile="strict", quarantine_on_threat=True)
print(f" Processed: {batch['total_processed']}")
print(f" Clean: {batch['clean_count']}")
print(f" Threats neutralized: {batch['threats_neutralized']}")
print(f" Quarantined: {batch['quarantined_count']}")
for r in batch["results"]:
status = "QUARANTINED" if r["quarantined"] else ("CLEAN" if r["clean"] else "SANITIZED")
print(f" [{status}] {r['filename']}: {r['threats_found']} threats")
print()
# Compliance report
report = engine.generate_compliance_report(
date_range=("2026-03-01", "2026-03-19"),
)
print("--- Compliance Report ---")
print(f" Total requests: {report['total_requests']}")
print(f" Isolated: {report['isolated_requests']} ({report['isolation_rate']}%)")
print(f" Blocked: {report['blocked_requests']}")
print(f" CDR files: {report['cdr_stats']['total_files']}")
print(f" Threats neutralized: {report['cdr_stats']['threats_neutralized']}")
# Save report
with open(args.output, "w") as f:
json.dump(report, f, indent=2, default=str)
print(f"\n[+] Report saved to {args.output}")
else:
print("[!] Specify --action and required parameters.")
print(" --action classify --url <URL>")
print(" --action cdr_test --file <FILE>")
print(" --action demo")
if __name__ == "__main__":
main()