Mainframe Security Analysis

RACFhound

Parse RACF database unloads, model the access control graph, and visualize attack paths in BloodHound.

What it does

IRRDBU00 Parsing

Reads native RACF database unloads via mfpandas into structured DataFrames — no RACF tooling required on the analyst workstation.

Graph Model

Transforms users, groups, datasets, and general resources into a typed node/edge graph: RACFUser, RACFGroup, RACFDataset, and more.

BloodHound Export

Uploads the graph via the BloodHound OpenGraph API. Run pre-built Cypher queries to find privilege escalation paths instantly.

Attack Path Queries

Ships with saved queries covering APF write, surrogate chains, group-scoped SPECIAL, PROCLIB abuse, and world-readable UACC misconfigurations.

Quick start

# Install
pip install racfhound

# Export an IRRDBU00 unload to BloodHound
racfhound export --unload /path/to/irrdbu00.dat \
                 --url https://your-bloodhound-host \
                 --token YOUR_API_TOKEN
