npx claudepluginhub geekatron/jerry --plugin jerryThis skill is limited to using the following tools:
> **Version:** 1.0.0
adversary-integration.mdagents/red-exfil.governance.yamlagents/red-exfil.mdagents/red-exploit.governance.yamlagents/red-exploit.mdagents/red-infra.governance.yamlagents/red-infra.mdagents/red-lateral.governance.yamlagents/red-lateral.mdagents/red-lead.governance.yamlagents/red-lead.mdagents/red-persist.governance.yamlagents/red-persist.mdagents/red-privesc.governance.yamlagents/red-privesc.mdagents/red-recon.governance.yamlagents/red-recon.mdagents/red-reporter.governance.yamlagents/red-reporter.mdagents/red-social.governance.yamlCreates isolated Git worktrees for feature branches with prioritized directory selection, gitignore safety checks, auto project setup for Node/Python/Rust/Go, and baseline verification.
Executes implementation plans in current session by dispatching fresh subagents per independent task, with two-stage reviews: spec compliance then code quality.
Dispatches parallel agents to independently tackle 2+ tasks like separate test failures or subsystems without shared state or dependencies.
Version: 1.0.0 Framework: Jerry Red-Team Constitutional Compliance: Jerry Constitution v1.0 SSOT Reference: ADR-PROJ010-001 (Agent Team Architecture), ADR-PROJ010-006 (Authorization & Scope Control)
This SKILL.md serves multiple audiences:
| Level | Audience | Sections to Focus On |
|---|---|---|
| L0 (Stakeholder) | Engagement managers, leadership | Purpose, When to Use This Skill, Routing Disambiguation, Mandatory Authorization, Quick Reference |
| L1 (Practitioner) | Security testers invoking agents | Available Agents, Invoking an Agent, Orchestration Flow, Cross-Skill Integration Points |
| L2 (Architect) | Framework designers, governance reviewers | Authorization Architecture, Circuit Breaker Integration, Safety Alignment Compatibility, Constitutional Compliance |
The Red Team skill provides methodology guidance for authorized penetration testing and red team engagements. It routes to 11 specialized agents that collectively cover the full MITRE ATT&CK kill chain (14/14 tactics at STRONG coverage level), following established professional methodology frameworks: PTES (Penetration Testing Execution Standard), OSSTMM (Open Source Security Testing Methodology Manual), and NIST SP 800-115 (Technical Guide to Information Security Testing and Assessment).
This skill provides methodology guidance, not autonomous exploitation. It does NOT:
This design follows AD-001 (Methodology-First Design Paradigm): LLMs excel at methodology guidance, structured reasoning, and report generation but fundamentally cannot replace tool execution or human judgment for novel discovery (S-001 Convergence 1, D-002).
Activate when:
NEVER invoke this skill when:
/eng-team instead/adversary instead/problem-solving insteadSee Routing Disambiguation for full exclusion conditions with consequences.
| Agent | Role | ATT&CK Tactics | Model | Output Location |
|---|---|---|---|---|
red-lead | Engagement Lead & Scope Authority | All (oversight) | opus | projects/${JERRY_PROJECT}/engagements/{engagement-id}/red-lead-{topic-slug}.md |
red-recon | Reconnaissance Specialist | TA0043 Reconnaissance | sonnet | projects/${JERRY_PROJECT}/engagements/{engagement-id}/red-recon-{topic-slug}.md |
red-vuln | Vulnerability Analyst | Analysis support | sonnet | projects/${JERRY_PROJECT}/engagements/{engagement-id}/red-vuln-{topic-slug}.md |
red-exploit | Exploitation Specialist | TA0001, TA0002, TA0040 | sonnet | projects/${JERRY_PROJECT}/engagements/{engagement-id}/red-exploit-{topic-slug}.md |
red-privesc | Privilege Escalation Specialist | TA0004, TA0006 | sonnet | projects/${JERRY_PROJECT}/engagements/{engagement-id}/red-privesc-{topic-slug}.md |
red-lateral | Lateral Movement Specialist | TA0008, TA0007 | sonnet | projects/${JERRY_PROJECT}/engagements/{engagement-id}/red-lateral-{topic-slug}.md |
red-persist | Persistence Specialist (RoE-GATED) | TA0003, TA0005 | sonnet | projects/${JERRY_PROJECT}/engagements/{engagement-id}/red-persist-{topic-slug}.md |
red-exfil | Data Exfiltration Specialist (RoE-GATED) | TA0009, TA0010 | sonnet | projects/${JERRY_PROJECT}/engagements/{engagement-id}/red-exfil-{topic-slug}.md |
red-reporter | Engagement Reporter | TA0040 (documentation) | opus | projects/${JERRY_PROJECT}/engagements/{engagement-id}/red-reporter-{topic-slug}.md |
red-infra | Infrastructure & Tooling Specialist | TA0042, TA0011, TA0005 | sonnet | projects/${JERRY_PROJECT}/engagements/{engagement-id}/red-infra-{topic-slug}.md |
red-social | Social Engineering Specialist (RoE-GATED) | TA0043, TA0001 | sonnet | projects/${JERRY_PROJECT}/engagements/{engagement-id}/red-social-{topic-slug}.md |
ALL engagements MUST start with red-lead. No other agent can operate without an active scope document.
This is the foundational security constraint for the /red-team skill. The authorization model ensures that offensive operations are structurally bounded -- out-of-scope actions are architecturally impossible, not merely procedurally discouraged.
1. User requests engagement --> red-lead creates scope document
2. Scope document defines:
- engagement_id (RED-NNNN format)
- authorized_targets (IP ranges, domains, applications)
- technique_allowlist (ATT&CK technique IDs)
- time_window (start/end timestamps)
- exclusion_list (systems/networks explicitly excluded)
- rules_of_engagement (escalation procedures, communication channels)
- agent_authorizations (which agents are permitted)
- evidence_handling (storage, retention, destruction)
- signature (user authorization confirmation)
3. Every subsequent agent validates against the scope document
4. Scope Oracle checks at every agent transition
5. RoE-gated agents (red-persist, red-exfil, red-social) require ADDITIONAL
explicit authorization in the Rules of Engagement
scope:
engagement_id: "RED-0001"
version: "1.0"
authorized_targets:
- type: "network"
value: "10.0.0.0/24"
- type: "domain"
value: "target.example.com"
- type: "application"
value: "https://app.target.example.com"
technique_allowlist:
- "T1595" # Active Scanning
- "T1592" # Gather Victim Host Information
- "T1190" # Exploit Public-Facing Application
time_window:
start: "2026-03-01T08:00:00Z"
end: "2026-03-15T18:00:00Z"
exclusion_list:
- "10.0.0.1" # Production gateway
- "hr.target.com" # HR systems
rules_of_engagement:
escalation_contact: "security-lead@target.com"
emergency_stop: "Call +1-555-0100"
communication_channel: "encrypted-chat"
social_engineering_authorized: false
persistence_authorized: false
exfiltration_authorized: true
data_types_permitted:
- "non-production test data"
agent_authorizations:
- red-recon
- red-vuln
- red-exploit
- red-privesc
- red-lateral
- red-exfil
- red-infra
- red-reporter
evidence_handling:
storage: "projects/${JERRY_PROJECT}/engagements/RED-0001/evidence/"
retention_days: 90
destruction_method: "secure-delete"
signature:
authorized_by: "user"
date: "2026-03-01"
confirmation: "I authorize this engagement within the defined scope"
If any agent is invoked without an active scope document:
AUTHORIZATION REQUIRED: No active scope document found for this engagement. red-lead must establish scope before any operational agent can proceed.Exception: red-reporter can be invoked without active scope for report generation from existing findings.
All red-team agents are workers, NOT orchestrators. The MAIN CONTEXT (Claude session) orchestrates the workflow.
P-003 AGENT HIERARCHY:
======================
+-------------------+
| MAIN CONTEXT | <-- Orchestrator (Claude session)
| (orchestrator) |
+-------------------+
| | | | | |
v v v v v v
+------+ +------+ +------+ +------+ +------+ +------+
| red- | | red- | | red- | | red- | | red- | | ... |
| lead | | recon| | vuln | |exploi| |privsc| | |
+------+ +------+ +------+ +------+ +------+ +------+
Agents CANNOT invoke other agents.
Agents CANNOT spawn subagents.
Only MAIN CONTEXT orchestrates the sequence.
Simply describe what you need:
"Start a new penetration testing engagement for the 10.0.0.0/24 network"
"Perform reconnaissance on target.example.com"
"Analyze vulnerabilities found in the web application"
"Develop exploitation methodology for CVE-2026-1234"
"Set up C2 infrastructure for the engagement"
"Generate the final engagement report for RED-0001"
The orchestrator will select the appropriate agent(s) based on keywords and context.
Request a specific agent:
"Use red-lead to define scope for a new engagement"
"Have red-recon perform OSINT on the target domain"
"I need red-vuln to assess exploit availability for the discovered CVEs"
"Ask red-reporter to generate the executive summary"
Agents are registered via plugin.json and discovered by Claude Code automatically. The orchestrator invokes them as named subagents:
Task(
description="red-recon: Reconnaissance of target network",
subagent_type="red-recon",
prompt="""
## RED TEAM CONTEXT (REQUIRED)
- **Engagement ID:** RED-0001
- **Scope Document:** projects/${JERRY_PROJECT}/engagements/RED-0001/red-lead-scope.md
- **Target:** 10.0.0.0/24
- **Phase:** Reconnaissance
## TASK
Perform network reconnaissance methodology guidance for the authorized target range.
"""
)
Claude Code enforces the agent's tools frontmatter — red-recon only has access to Read, Write, Edit, Glob, Grep, Bash, WebSearch, WebFetch and the Context7 MCP server.
The /red-team workflow is explicitly non-linear per ADR-PROJ010-001 Section 5. Real engagements are iterative -- exploitation discovers new reconnaissance targets, triggering return to earlier phases. The kill chain organizes capability, not workflow sequence.
+------------+
| red-lead | <-- MANDATORY FIRST (scope establishment)
+-----+------+
|
v
+---------------+---------------+
| SCOPE ESTABLISHED |
| (any agent invocable now) |
+------+------+------+----------+
| | |
+-----------+ +---+---+ +-----------+
| | | |
v v v v
+--------+ +--------+ +--------+ +--------+
|red-recon|-->|red-vuln| |red- | |red- |
+---+----+ +---+----+ |social* | |infra |
| | +--------+ +--------+
| +--------+
| |
v v
+--------+ +--------+ +--------+
|red- |---->|red- |---->|red- |
|exploit | |privesc | |lateral |
+--------+ +--------+ +--------+
|
+-------+-------+
| |
v v
+--------+ +--------+
|red- | |red- |
|persist*| |exfil* |
+--------+ +--------+
|
v
+----------+
|red- | <-- MANDATORY LAST (for reporting)
|reporter |
+----------+
* = RoE-GATED (requires explicit authorization in Rules of Engagement)
Arrows show COMMON flow, not required sequence.
After scope establishment, any agent is invocable in any order.
Cycling between phases is explicitly supported.
red-lead MUST establish scope first (MANDATORY). No other agent operates without an active scope document.
After scope establishment, any agent is invocable in any order based on engagement context. The kill chain is a capability map, not a sequential pipeline.
Phase cycling is explicitly supported:
Circuit breaker at every agent transition. Scope revalidation occurs before each agent invocation. See Circuit Breaker Integration.
RoE-gated agents require additional authorization:
persistence_authorized: true in RoEexfiltration_authorized: true in RoE, with data_types_permitted specifying allowed data categoriessocial_engineering_authorized: true in RoEred-reporter generates the final engagement report (mandatory last for reporting). The engagement is not complete without a formal report. red-reporter can also be invoked mid-engagement for interim findings.
red-infra can be invoked at any point to set up or modify engagement infrastructure (C2, redirectors, payloads).
Four integration points operationalize the adversarial-collaborative dynamic between /red-team and /eng-team. These are the purple team seams where offensive findings drive defensive hardening.
| Attribute | Value |
|---|---|
| Source | red-recon |
| Target | eng-architect |
| Data Exchanged | Adversary TTPs, threat landscape data, attack surface intelligence |
| Value | Architecture decisions informed by real adversary behavior rather than theoretical threats; replaces the need for a dedicated eng-threatintel agent |
| Workflow | red-recon produces threat intelligence during reconnaissance; eng-architect consumes it for STRIDE/DREAD threat modeling |
| Attribute | Value |
|---|---|
| Source | red-recon, red-vuln |
| Target | eng-infra, eng-devsecops |
| Data Exchanged | Validation results against hardened targets, vulnerability scan findings |
| Value | Validates that infrastructure hardening and security tooling actually reduce the attack surface as intended |
| Workflow | red-recon and red-vuln test eng-infra hardening; findings fed to eng-devsecops for pipeline security updates |
| Attribute | Value |
|---|---|
| Source | red-exploit, red-privesc |
| Target | eng-security, eng-backend, eng-frontend |
| Data Exchanged | Exploitation results against reviewed code, bypass demonstrations |
| Value | Proves whether secure coding practices withstand real exploitation techniques; feedback loop drives hardening |
| Workflow | red-exploit tests eng-backend/eng-frontend code; red-privesc tests privilege boundaries; findings drive eng-security review priorities |
| Attribute | Value |
|---|---|
| Source | red-persist, red-lateral, red-exfil |
| Target | eng-incident |
| Data Exchanged | Exercise results against response runbooks, detection gaps, evasion successes |
| Value | Validates IR runbooks against real adversary post-exploitation behavior |
| Workflow | Post-exploitation agents test eng-incident response capabilities; detection gaps inform runbook revisions |
Evidence: ADR-PROJ010-001 Section 5 (Cross-Skill Integration Points); A-002 Finding 7 (Netflix Attack Emulation Team validates adversarial-collaborative dynamic).
The /red-team skill is designed for compatibility with LLM safety classifiers through a methodology-first approach:
Professional context framing. All agent guidance is framed within established professional methodology (PTES, OSSTMM, NIST SP 800-115, OWASP Testing Guide). This provides the professional context that safety classifiers use to distinguish legitimate security testing from malicious activity.
Methodology guidance, not exploit generation. Agents guide practitioners to use established frameworks (Metasploit, Burp Suite, Nmap) with methodology-driven approaches. They do not generate weaponized exploit code, raw shellcode, or novel attack payloads.
Authorization as safety precondition. The mandatory scope document establishes the authorized engagement context that safety classifiers expect for offensive security content. No agent operates without this context.
Tool augmentation, not tool replacement. Agents provide methodology for using security tools, not autonomous tool execution. The human practitioner remains in the loop for all tool operations.
Evidence-based reasoning. All findings cite ATT&CK technique IDs, CVE references, and methodology standards. Speculative or theoretical attacks are explicitly marked as such.
| Agent | Potential Friction | Mitigation |
|---|---|---|
| red-exploit | Exploitation methodology may trigger safety classifiers | Frame within PTES methodology; reference established tools; never generate raw exploit code |
| red-persist | Persistence techniques may appear malicious | Frame within authorized engagement scope; reference ATT&CK technique IDs; emphasize detection value |
| red-social | Social engineering may trigger manipulation classifiers | Frame within OSSTMM social engineering methodology; emphasize authorized testing context |
| red-exfil | Data exfiltration may appear as data theft | Frame within authorized scope; emphasize evidence vault storage; reference DLP testing methodology |
Per ADR-PROJ010-006 (F-002 R-AUTH-006), a circuit breaker check occurs at every agent transition:
1. Agent completes work and returns output to orchestrator
2. Orchestrator selects next agent based on engagement context
3. CIRCUIT BREAKER CHECK:
a. Scope revalidation: Is the target still within authorized scope?
b. Time window check: Is the engagement still within authorized time?
c. Technique check: Are the next agent's techniques in the allowlist?
d. Agent authorization: Is the next agent in the agent_authorizations list?
e. RoE gate: If next agent is RoE-gated, is it explicitly authorized?
f. Cascading failure detection: Has any prior agent reported anomalies?
4. If ALL checks pass: Invoke next agent with scope context
5. If ANY check fails: HALT and escalate to red-lead for scope review
If an agent encounters unexpected behavior (target responds differently than expected, scope boundary ambiguity, tool failure affecting safety), it MUST:
The /red-team skill implements a three-layer defense-in-depth authorization architecture per ADR-PROJ010-006:
Static constraints defined before the engagement begins:
| Component | Function |
|---|---|
| Scope Document | Defines authorized targets, techniques, time window, exclusions |
| Target Allowlist | IP ranges, domains, and applications explicitly permitted |
| Technique Allowlist | ATT&CK technique IDs each agent may use |
| Time Window | Start and end timestamps for authorized operations |
| Exclusion List | Systems and networks explicitly forbidden |
| Rules of Engagement | Escalation procedures, communication channels, gating conditions |
| Agent Authorizations | Which of the 11 agents are permitted for this engagement |
Runtime enforcement components that validate every action:
| Component | Function |
|---|---|
| Scope Oracle | Validates every agent action against the scope document before execution |
| Tool Proxy | Default-deny policy; agents access tools only through the proxy, which enforces technique allowlist |
| Network Enforcer | Validates target addresses against the authorized target list |
| Credential Broker | Issues scoped credentials; agents never see raw credentials |
After-action verification that all operations remained within scope:
| Component | Function |
|---|---|
| Action Log Review | Tamper-evident audit trail of all agent actions reviewed for scope compliance |
| Evidence Verification | All evidence artifacts verified against scope document targets |
| Compliance Report | Formal attestation that the engagement operated within authorized boundaries |
All agent outputs MUST be persisted to files. Transient-only output is a P-002 violation.
projects/${JERRY_PROJECT}/engagements/{engagement-id}/{agent-name}-{topic-slug}.md
Examples:
projects/${JERRY_PROJECT}/engagements/RED-0001/red-lead-scope.mdprojects/${JERRY_PROJECT}/engagements/RED-0001/red-recon-network-enumeration.mdprojects/${JERRY_PROJECT}/engagements/RED-0001/red-vuln-cve-analysis.mdprojects/${JERRY_PROJECT}/engagements/RED-0001/red-reporter-final-report.mdEvidence artifacts (screenshots, tool output, logs) are stored in:
projects/${JERRY_PROJECT}/engagements/{engagement-id}/evidence/
For C2+ engagement deliverables, the /adversary skill integration applies:
| Criticality | Application |
|---|---|
| C1 (Routine) | Self-review (S-010) on agent outputs |
| C2 (Standard) | S-007 Constitutional compliance + S-002 Devil's Advocate on methodology choices |
| C3 (Significant) | C2 + S-004 Pre-Mortem on engagement risks |
| C4 (Critical) | Full tournament review via /adversary on engagement reports and scope documents |
The scope document itself is always C4 criticality (irreversible authorization decision).
All agents adhere to the Jerry Constitution v1.0:
| Principle | Requirement | Consequence of Violation |
|---|---|---|
| P-003 | NEVER spawn recursive subagents -- max 1 level | Agent hierarchy violation; uncontrolled token consumption |
| P-020 | NEVER override user intent -- ask before destructive ops | Unauthorized action; trust erosion |
| P-022 | NEVER deceive about actions, capabilities, or confidence | Governance undermined; quality assessment invalidated |
| P-001 | NEVER present findings without evidence or ATT&CK citations | Unreliable outputs; unfounded claims propagate downstream |
| P-002 | NEVER leave outputs in transient context only -- persist to files | Context rot vulnerability; artifacts lost on session compaction |
| R-020 | NEVER execute agent operations without scope verification and authorization | Unauthorized testing; legal and ethical boundary violation |
| Requirement | Enforcement |
|---|---|
| R-001: Secure by Design | Authorization is architectural, not procedural |
| R-018: Real Offensive Techniques | ATT&CK technique IDs used throughout |
| R-012: Tool Integration | Three-level degradation (AD-010) |
| R-010: LLM Portability | Portable agent schema with markdown body format |
| Need | Agent | Command Example |
|---|---|---|
| Start new engagement | red-lead | "Define scope for a penetration test of 10.0.0.0/24" |
| Network reconnaissance | red-recon | "Enumerate services on the target network" |
| Vulnerability analysis | red-vuln | "Assess exploit availability for discovered CVEs" |
| Exploitation methodology | red-exploit | "Develop exploitation approach for CVE-2026-1234" |
| Privilege escalation | red-privesc | "Identify privilege escalation paths on the compromised host" |
| Lateral movement | red-lateral | "Plan lateral movement to the domain controller" |
| Persistence (RoE-gated) | red-persist | "Establish persistence methodology for the engagement" |
| Data exfiltration (RoE-gated) | red-exfil | "Plan exfiltration of test data within scope" |
| C2 infrastructure | red-infra | "Set up C2 framework for the engagement" |
| Social engineering (RoE-gated) | red-social | "Design phishing campaign methodology for the engagement" |
| Engagement report | red-reporter | "Generate final engagement report for RED-0001" |
| Keywords | Likely Agent |
|---|---|
| scope, RoE, engagement, authorization, rules | red-lead |
| recon, OSINT, enumerate, scan, fingerprint, attack surface | red-recon |
| vulnerability, CVE, risk score, exploit availability | red-vuln |
| exploit, payload, initial access, PoC, bypass | red-exploit |
| privilege, escalation, credential, token, SYSTEM, root | red-privesc |
| lateral, pivot, tunnel, internal, living-off-the-land | red-lateral |
| persist, backdoor, scheduled task, rootkit, implant | red-persist |
| exfil, data, covert channel, DLP, collection | red-exfil |
| report, findings, executive summary, remediation | red-reporter |
| C2, command and control, infrastructure, payload, redirector | red-infra |
| phishing, social engineering, pretext, vishing | red-social |
| Owner | Evasion Domain | Techniques |
|---|---|---|
| red-infra | Tool-level | C2 obfuscation, payload encoding/packing, sandbox evasion |
| red-exploit | Execution-time | Process injection, signed binary proxy execution |
| red-privesc | Credential-based | Access token manipulation |
| red-lateral | Network-level | Traffic signaling, protocol tunneling |
| red-persist | Persistence-phase | Indicator removal, rootkits, timestomping |
| red-exfil | Exfiltration-phase | Data encoding, encrypted channels |
When this skill is the wrong choice and what happens if misrouted.
| Condition | Use Instead | Consequence of Misrouting |
|---|---|---|
| Building secure software or defensive security design | /eng-team | Offensive methodology (reconnaissance, exploitation, kill chain progression) applied to defensive design produces attack narratives instead of security architecture; STRIDE/DREAD threat modeling and OWASP ASVS compliance not available |
| Adversarial quality review of deliverables | /adversary | Red team "red team" refers to offensive security testing (MITRE ATT&CK); /adversary "red team" refers to S-001 quality review strategy; loading 11 offensive agents for quality assessment wastes context budget on irrelevant methodology |
| General security research without engagement context | /problem-solving (ps-researcher) | Red team requires active scope document and authorization; 11 engagement-scoped agents loaded when task needs general-purpose research methodology |
| No active scope document and no engagement being planned | No skill invocation | Red team agents require red-lead authorization before any operation; invoking without scope document triggers mandatory authorization block |
| Root cause analysis or debugging | /problem-solving (ps-investigator) | Red team methodology follows kill chain progression, not causal investigation; exploit analysis methodology does not isolate root cause |
| Requirements engineering or V&V | /nasa-se | Red team produces engagement reports, not requirements artifacts; NPR-compliant traceability and V&V methodology absent |
| Source | Content |
|---|---|
| ADR-PROJ010-001 | Agent Team Architecture (21-agent roster, handoff protocols, defense evasion model) |
| ADR-PROJ010-006 | Authorization & Scope Control (three-layer defense-in-depth) |
| ADR-PROJ010-002 | Skill Routing & Invocation |
| ADR-PROJ010-003 | LLM Portability Architecture |
| A-002 | Red team organizational patterns from 7 elite organizations |
| A-003 | MITRE ATT&CK 14-tactic coverage analysis |
| A-004 | Final roster with evidence matrix |
| B-001 | MITRE ATT&CK framework research |
| B-002 | PTES and OSSTMM methodology research |
| S-001 | Cross-stream synthesis findings |
docs/governance/JERRY_CONSTITUTION.md | Constitutional principles |
.context/rules/quality-enforcement.md | Quality gate thresholds |
Skill Version: 1.0.0 Constitutional Compliance: Jerry Constitution v1.0 SSOT: ADR-PROJ010-001, ADR-PROJ010-006 Created: 2026-02-22