By mukul975
Orchestrate professional penetration testing engagements: verify scope, launch recon, route attack vectors (web/API/AD/cloud/containers) to 27 specialist agents, execute exploitation/post-exploitation/threat hunts/incident response with evidence logging, and generate CVSS-sorted reports.
npx claudepluginhub mukul975/threatswarm --plugin threatswarm
Route an attack vector to the appropriate specialist agent — usage: /project:attack <target> <vector>
Start a new engagement for a target — verifies scope, creates evidence directories, and launches recon agent
Run an ATT&CK-based threat hunt with a specific hypothesis
Incident response workflow — triage, evidence collection, timeline, and IOC extraction
Post-exploitation workflow after getting shell access — privesc, credential harvest, lateral movement
Generate a professional penetration test report from all evidence files
Active Directory and Windows domain attack specialist. Use for Kerberoasting, AS-REP roasting, DCSync, BloodHound enumeration, ADCS ESC attacks, Golden/Silver Ticket, and domain privilege escalation. Triggers on: kerberoast, AS-REP, bloodhound, DCSync, golden ticket, ADCS, ESC, domain controller, LDAP, GPO, AD, domain admin.
API security testing specialist for REST, GraphQL, gRPC, and WebSocket APIs. Handles BOLA/IDOR, mass assignment, authentication bypass, rate limit evasion, JWT attacks, GraphQL introspection abuse, API enumeration, and OWASP API Top 10. Triggers on: API, REST, GraphQL, gRPC, WebSocket, BOLA, IDOR, mass assignment, API key, JWT, OpenAPI, swagger, rate limit, API auth, endpoint discovery.
Defensive security and hardening specialist. Creates detection rules, hardens Linux/Windows systems, writes Sigma rules, configures auditd, fail2ban, Sysmon, and provides CIS benchmark remediation guidance. Triggers on: harden, detection, Sigma rule, Sysmon, auditd, fail2ban, CIS benchmark, SIEM detection, blue team, defensive, firewall rules, access control, Windows hardening, Linux hardening.
Command and control infrastructure specialist for authorized red team operations. Handles Sliver C2 framework, Havoc C2, Metasploit multi-handler, msfvenom payload generation, implant configuration, HTTPS C2 traffic blending, and operator session management. Triggers on: C2, command and control, Sliver, Havoc, msfvenom, implant, beacon, Meterpreter, payload generation, listener, handler, staged payload.
Cloud penetration testing specialist for AWS, Azure, and GCP. Handles IAM enumeration, privilege escalation, S3 bucket abuse, metadata SSRF, Pacu framework, container escape to cloud, and cloud-native attack chains. Triggers on: AWS, Azure, GCP, cloud, IAM, S3, storage bucket, metadata endpoint, Pacu, cloud privesc, service account, managed identity.
Compliance and security standards assessment specialist. Handles CIS benchmarks, PCI-DSS controls, NIST CSF, SOC2, GDPR technical controls, OpenSCAP assessments, Docker CIS bench, Kubernetes CIS bench, and security configuration auditing. Triggers on: compliance, CIS benchmark, PCI-DSS, NIST, SOC2, GDPR, lynis, OpenSCAP, docker bench, kube-bench, audit.
Container and Kubernetes security specialist. Handles Docker escape techniques, Kubernetes RBAC abuse, service account token theft, kubelet API exploitation, etcd access, namespace breakout, and cloud-to-container pivot chains. Triggers on: docker, container, Kubernetes, k8s, pod, kubelet, etcd, service account, RBAC, namespace escape, container escape, helm.
Cryptography and TLS security specialist. Handles TLS configuration auditing, JWT algorithm confusion, padding oracle attacks, hash cracking mode selection, RSA weak key analysis, ECB mode detection, certificate inspection, and crypto protocol attacks. Triggers on: TLS, SSL, cipher, JWT, padding oracle, RSA, hash, crypto, certificate, BEAST, POODLE, Heartbleed, testssl, sslscan.
Digital forensics and incident response specialist. Handles triage, memory acquisition with AVML/LiME, Volatility analysis, log timeline reconstruction, IOC extraction, persistence hunting, and incident reporting. Triggers on: DFIR, incident response, forensics, Volatility, memory dump, timeline, IOC, triage, compromise, malware on host, breach, intrusion.
Antivirus and EDR evasion specialist for authorized red team engagements. Handles AMSI bypass, payload obfuscation, living-off-the-land techniques, sandbox detection, process injection concepts, and detection gap identification. Triggers on: AMSI bypass, AV evasion, EDR bypass, obfuscation, LOTL, living off the land, payload encoding, sandbox detection, process injection, defender bypass.
Exploitation specialist for gaining initial access. Use when exploiting CVEs, running Metasploit modules, using searchsploit, obtaining shells, or executing proof-of-concept code. Triggers on: exploit, CVE-, initial access, get shell, msfconsole, owned, pwn, vulnerability exploit, remote code execution, RCE.
IoT and embedded systems security specialist. Handles firmware extraction and analysis, hardcoded credential discovery, UART/JTAG access, MQTT/CoAP protocol testing, RouterSploit exploitation, web interface attacks, and OT/ICS protocol analysis. Triggers on: IoT, firmware, binwalk, UART, JTAG, router, embedded, RouterSploit, MQTT, Modbus, BACnet, hardcoded credentials, ICS, SCADA.
Security log analysis specialist. Parses and correlates auth.log, nginx/apache access logs, Windows Event Logs, syslog, audit logs, and cloud logs for anomalies, intrusions, and security events. Generates timeline and Sigma rules from findings. Triggers on: log analysis, log parsing, auth.log, access log, SIEM, event log, anomaly detection, log correlation, wevtutil, log forensics.
Malware analysis specialist for static and dynamic analysis. Handles PE/ELF/APK binary triage, behavioral analysis, IOC extraction, YARA rule writing, C2 protocol reverse engineering, deobfuscation, sandbox report interpretation, and ATT&CK mapping. Triggers on: malware, sample, IOC, YARA, sandbox, deobfuscate, unpack, C2, beacon, ransomware, trojan, RAT, dropper, PE analysis.
Mobile application security specialist for Android and iOS. Handles APK decompilation, static/dynamic analysis, Frida instrumentation, SSL pinning bypass, ADB shell exploitation, MobSF scanning, traffic interception, and deep link abuse. Triggers on: Android, iOS, APK, IPA, Frida, ADB, MobSF, apktool, jadx, SSL pinning, smali, mobile pentest, deep link.
Network penetration testing specialist for ARP attacks, MitM, packet capture, SNMP enumeration, SMB relay, Responder credential capture, and network-level attacks. Triggers on: ARP, MitM, sniff, intercept, VLAN, network attack, packet capture, relay, Responder, NTLM relay, SMB relay, SNMP.
Open source intelligence specialist for passive reconnaissance. Handles domain intelligence, certificate transparency, Shodan enumeration, email harvesting, GitHub dorking, employee profiling, ASN/IP research, breach data, Google dorks, and Wayback Machine analysis. Triggers on: OSINT, passive recon, theHarvester, shodan, whois, crt.sh, google dork, wayback, LinkedIn, GitHub dork, ASN, breach data, email harvest.
Post-exploitation specialist for privilege escalation, lateral movement, persistence, and credential harvesting. Use after obtaining initial shell access. Triggers on: privesc, lateral, pivot, persistence, escalate, post exploitation, linpeas, winpeas, mimikatz, secretsdump, pass the hash, token impersonation.
Reconnaissance and enumeration specialist. Use when scanning, enumerating ports, fingerprinting services, discovering subdomains, running nuclei vulnerability scans, directory brute-forcing, or building an attack surface map. Triggers on: scan, enumerate, discover, ports, fingerprint, recon, nmap, httpx, feroxbuster, subfinder, amass, nuclei.
Penetration test report writing specialist. Consolidates evidence from all evidence/ directories into professional reports with CVSS scoring, executive summaries, technical findings, remediation roadmaps, and methodology sections. Triggers on: write report, pentest report, executive summary, findings report, CVSS, risk rating, remediation roadmap, evidence consolidation.
Binary reverse engineering and exploit development specialist. Handles static analysis with Ghidra/Radare2, dynamic analysis with GDB/strace, shellcode crafting, ROP chain construction, format string exploits, heap exploitation, and CTF binary challenges. Triggers on: reverse engineer, binary analysis, Ghidra, r2, radare2, GDB, pwndbg, shellcode, ROP, format string, buffer overflow, heap, CTF, decompile, disassemble.
Social engineering and phishing simulation specialist. Handles GoPhish campaign setup, spear-phishing email crafting, evilginx2 adversary-in-the-middle phishing, pretexting scripts, vishing scenarios, SMS phishing, and awareness training. Triggers on: phishing, spear phishing, gophish, vishing, smishing, pretexting, social engineering, email campaign, evilginx, fake login, credential harvest.
Proactive threat hunting specialist using ATT&CK-based hypotheses. Hunts for lateral movement, persistence, credential dumping, C2 beaconing, data exfiltration, and living-off-the-land techniques across logs, pcaps, and endpoint telemetry. Triggers on: threat hunt, hunt, hypothesis, ATT&CK, lateral movement detection, beaconing, persistence hunting, EDR hunt, SIEM hunt, log analysis, anomaly.
Vulnerability research and CVE analysis specialist. Handles NVD API queries, searchsploit cross-reference, PoC reliability assessment, CVSS scoring, version fingerprinting, exploit chain research, and responsible disclosure coordination. Triggers on: CVE, vulnerability research, searchsploit, NVD, exploit, CVSS score, PoC, version fingerprint, responsible disclosure, advisory.
Web application penetration testing — SQL injection, XSS, SSRF, LFI, IDOR, JWT attacks, GraphQL, API parameter discovery, and OWASP Top 10 exploitation
Wireless network penetration testing specialist. Handles WPA2/WPA3 capture and cracking, PMKID attacks, Evil Twin / rogue AP attacks, WPS PIN attacks, EAP/PEAP credential capture, Bluetooth assessment, and wireless deauthentication. Triggers on: wifi, wireless, WPA2, WPA3, aircrack, airmon, WPS, evil twin, rogue AP, 802.11, PMKID, EAP, PEAP, Bluetooth, BLE, hostapd-wpe.
MITRE ATT&CK framework reference — tactics, techniques, and tool-to-TTP mappings for pentest documentation and detection rule writing
CVSS 3.1 vector examples, executive summary template, full technical finding template, and remediation language bank for pentest reports
SecLists path map, hashcat rules, CeWL usage, and custom wordlist generation for all attack categories
Active Directory attack reference — BloodHound Cypher queries, Kerberos attack decision tree, ACE/ACL abuse, ADCS ESC1-8, and AD misconfig checklist
Exploit-DB and searchsploit reference — EDB→Metasploit module mappings, PoC reliability rubric, CVSS tier quick reference, and searchsploit usage patterns
The AI pentest co-pilot that actually finds bugs. Phase-chained, evidence-gated offensive security skills for bug bounty and authorized pentesting.
Claude Code skills and agents for authorized security testing, bug bounty hunting, and pentesting workflows
Offensive security toolkit for Claude Code — Neo4j intel graph, strategic compaction, multi-agent orchestration, and post-engagement debriefs
183+ pentesting and OSINT tools (nmap, nuclei, amass, subfinder, httpx, sherlock, maigret, trufflehog, sqlmap, impacket, and more) wired into Claude Code as a single skill. Runs locally on any OS via native Bash, WSL, or purpose-built Docker images (instrumentisto/nmap, projectdiscovery/nuclei, caffix/amass, etc.). Just ask Claude to recon a target, scan a network, investigate a username, or chain OSINT workflows — the skill picks the right backend and image automatically.
Threat modeling and security architecture skills for STRIDE analysis, data flow diagrams, and risk assessment
Expert guidance for ffuf web fuzzing during authorized penetration testing, including authenticated fuzzing, auto-calibration, and result analysis