Red Team Intelligence
Live CVE threat feed matched to your org's tech stack — with one-click live exploit streaming.
Accessing Red Team Intelligence
Click the ⚔️ Red Team Intel item in the sidebar under Assessment Surfaces. The page loads immediately using CVE data pre-synced during boot — no waiting for a network fetch.
Time Windows
Use the five time filter tabs at the top of the page to scope your threat view:
- Past 24 Hours — today's newly published or updated CVEs. Best for daily threat checks.
- Past 48 Hours — two-day window. Catches CVEs missed in yesterday's review.
- Past Week — weekly threat digest. Good for regular sprint-based security reviews.
- Past Month — monthly exposure baseline. Useful for compliance reporting periods.
- Past Year — full annual threat landscape for your tech stack.
Summary Dashboard
The eight metric cards at the top give an instant threat posture view for the selected time window:
- Total CVEs — all CVEs published or updated in the window
- Critical — CVSS 9.0+ CVEs (red badge)
- High — CVSS 7.0–8.9 CVEs (orange badge)
- CISA KEV — CVEs on CISA's Known Exploited Vulnerabilities catalog — treat these as confirmed weapons
- Exploit Available — CVEs with a known public exploit
- PoC Available — CVEs with proof-of-concept code
- Org-Relevant — CVEs matched to your specific tech stack
- Active Exploits — CVEs actively being exploited in the wild (per CISA + threat intelligence)
Filters
Two toggle filters narrow the feed to what matters most:
- Org Profile Only — shows only CVEs that match technologies in your Org Profile. If your stack includes nginx, Python, PostgreSQL, and React, you'll see CVEs for those and nothing else.
- Exploit Available — shows only CVEs with a known exploit or PoC. These are the ones worth running through the Exploit button.
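The time-window tabs, the eight metric cards and the two toggle filters above are all derived from the same feed. The following Python is an added illustration of that derivation, not PhantomYerra's own code: the `CVE` record shape, the field names and the window lengths (30-day month, 365-day year) are assumptions, and the sample entries use placeholder CVE ids.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone


# Hypothetical record shape for one feed entry; the field names are
# assumptions for this example, not the product's schema.
@dataclass
class CVE:
    cve_id: str
    cvss: float
    published: datetime
    affected: tuple = ()             # affected product names
    kev: bool = False                # listed in the CISA KEV catalog
    exploit_available: bool = False
    poc_available: bool = False
    actively_exploited: bool = False


# The five time-filter tabs, expressed as a look-back from "now".
WINDOWS = {
    "24h": timedelta(hours=24),
    "48h": timedelta(hours=48),
    "week": timedelta(weeks=1),
    "month": timedelta(days=30),
    "year": timedelta(days=365),
}


def org_relevant(cve, org_stack):
    """True when any affected product appears in the org stack (case-insensitive)."""
    stack = {s.lower() for s in org_stack}
    return any(p.lower() in stack for p in cve.affected)


def filter_feed(cves, window, now, org_stack=(), org_only=False, exploit_only=False):
    """Apply the selected time window plus the two toggle filters."""
    cutoff = now - WINDOWS[window]
    out = []
    for c in cves:
        if c.published < cutoff:
            continue
        if org_only and not org_relevant(c, org_stack):
            continue
        if exploit_only and not (c.exploit_available or c.poc_available):
            continue
        out.append(c)
    return out


def summarize(cves, org_stack=()):
    """The eight metric cards, computed over an already-filtered list."""
    return {
        "total": len(cves),
        "critical": sum(c.cvss >= 9.0 for c in cves),
        "high": sum(7.0 <= c.cvss < 9.0 for c in cves),
        "cisa_kev": sum(c.kev for c in cves),
        "exploit_available": sum(c.exploit_available for c in cves),
        "poc_available": sum(c.poc_available for c in cves),
        "org_relevant": sum(org_relevant(c, org_stack) for c in cves),
        "active_exploits": sum(c.actively_exploited for c in cves),
    }


# Constructed sample data; the CVE ids are placeholders, not real identifiers.
NOW = datetime(2024, 6, 1, 12, 0, tzinfo=timezone.utc)
ORG_STACK = ("nginx", "Python", "PostgreSQL", "React")
SAMPLE = [
    CVE("CVE-XXXX-0001", 9.8, NOW - timedelta(hours=3), ("nginx",),
        kev=True, exploit_available=True, actively_exploited=True),
    CVE("CVE-XXXX-0002", 7.5, NOW - timedelta(hours=30), ("postgresql",),
        poc_available=True),
    CVE("CVE-XXXX-0003", 5.3, NOW - timedelta(days=5), ("wordpress",)),
    CVE("CVE-XXXX-0004", 9.1, NOW - timedelta(days=40), ("react",),
        exploit_available=True),
]

if __name__ == "__main__":
    for w in WINDOWS:
        print(w, summarize(filter_feed(SAMPLE, w, NOW), ORG_STACK))
```

Note that the Org-Relevant card counts relevance within the visible window, while the Org Profile Only toggle removes non-matching rows before the cards are computed; running both paths over the same sample makes that difference visible.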
Three Data Tabs
- CVEs tab — full CVE list with CVE ID, title, severity badge, CVSS score, EPSS probability, exploit availability icon, CISA KEV indicator, and publish date. Click any row to expand full details.
- Exploits tab — known exploits with type (Metasploit, PoC, GitHub, etc.), source link, reliability rating, platform, and description.
- CISA KEV tab — CISA Known Exploited Vulnerabilities for your time window with vendor, product, date added to KEV catalog, and CISA remediation due date.
Expanding a CVE Row
Click any CVE row to expand it and see:
- Full description and CWE classification
- Affected products list
- CVSS vector string and individual metrics
- EPSS probability score with percentile ranking
- References — NVD, MITRE, exploit links, PoC URLs (all open in system browser)
- Patch availability and recommended remediation
⚡ Exploit Button — Step by Step
The Exploit button appears on CVE rows where exploit_available = true or poc_available = true. It streams a live Nuclei-powered exploit attempt.
Step 1 — Open the Exploit Wizard
Click ⚡ Exploit on any eligible CVE row. A modal opens with two sections: Target Configuration and the live Execution Console.
Step 2 — Configure Target
- Target URL — the full URL of the system to test (e.g. https://staging.yourapp.com). Must be an authorized target.
- Auth Type — select the authentication method:
  - None — unauthenticated test (default)
  - Bearer Token — paste your JWT or OAuth token
  - API Key — enter the header name (e.g. X-API-Key) and key value
  - Session Cookie — enter cookie name and value (e.g. sessionid=abc123)
  - Basic Auth — enter username and password (automatically base64-encoded)
- Notes — optional free-text for your report (scope justification, engagement context, etc.)
Step 3 — Launch
Click 🚀 Launch Exploit. The execution console streams live output through 6 stages:
- Reachability check — confirms the target URL is accessible before sending payloads
- Nuclei scan — runs Nuclei with -id <cve-id> so only the template for this exact CVE is used. Your auth headers are injected as -H flags.
- CVE detail lookup — pulls exploit IDs, PoC URLs, and affected product info from the local CVE database
- PoC steps build — constructs reproducible curl commands and step-by-step instructions from the finding evidence
- Report save — writes a JSON report to data/red_team_reports/ on your machine
- Complete — shows verdict (confirmed / not confirmed) with full evidence
Step 4 — Review Results
After execution you see:
- Verdict banner — green (confirmed exploitable) or grey (not triggered on this target)
- Findings list — each confirmed finding shows severity badge, matched URL, description, remediation step, and a Copy curl button with the exact request that triggered the issue
- PoC Steps — numbered reproducible steps you can paste directly into a report or hand to a developer
- Exploit Links — direct links to the exploit source and PoC repositories
- Download Report — saves the full JSON report to your Downloads folder for inclusion in pentest deliverables
- Run Again — resets and lets you re-run with different target/auth configuration
Generate Report
The Generate Report button (top right of the page) exports the current filtered view:
- JSON — full machine-readable export with all CVE fields, exploit data, KEV entries, and summary stats
- CSV — spreadsheet-friendly format for import into Excel, Jira, or ServiceNow
- HTML — self-contained HTML report with styled tables, severity badges, and summary dashboard — ready to email to a client or attach to a ticket
The report filename includes the time window and generation timestamp so you can track reports over time.
Setting Up Your Org Profile
Red Team Intel is most powerful when your Org Profile is complete. The CVE matching engine scores relevance by looking for your tech stack terms in CVE descriptions and affected product lists.
- Go to Org Profile in the sidebar (🏢 icon)
- Add your technology stack — list every framework, library, OS, database, and cloud provider your org uses
- Be specific: "nginx 1.24" scores a higher match than just "web server"
- Return to Red Team Intel and enable Org Profile Only — your relevant CVEs are now pre-filtered
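The matching engine itself is not published on this page, so the scoring below is an added, assumed heuristic that reproduces the behaviour described (stack terms searched in CVE descriptions and affected-product lists, specific terms outscoring vague ones). It is example code, not the product's engine; the weights, the record fields and the sample CVEs (with placeholder ids) are all constructed.

```python
import re


def _term_found(term, haystack):
    """Whole-term match that also works for terms ending in non-word
    characters such as 'c++', where \\b would misbehave."""
    return re.search(r"(?<!\w)" + re.escape(term) + r"(?!\w)", haystack) is not None


def score_relevance(description, affected_products, org_stack):
    """Assumed scoring: 1 point when the product name (first token of a stack
    entry) appears in the CVE text, +1 when the full entry, version included,
    appears verbatim. So "nginx 1.24" can score 2 where "web server" scores 0."""
    haystack = (description + " " + " ".join(affected_products)).lower()
    score, hits = 0, []
    for entry in org_stack:
        term = " ".join(entry.lower().split())      # normalize whitespace/case
        if not term:
            continue
        tokens = term.split(" ")
        product = tokens[0]
        if not _term_found(product, haystack):
            continue
        score += 1
        hits.append(product)
        if len(tokens) > 1 and _term_found(term, haystack):
            score += 1
            hits[-1] = term                           # record the more specific hit
    return score, hits


def rank_cves(cves, org_stack):
    """(cve_id, score, matched terms) for every CVE scoring above zero, highest first."""
    ranked = []
    for cve in cves:
        score, hits = score_relevance(cve["description"], cve["affected"], org_stack)
        if score:
            ranked.append((cve["cve_id"], score, hits))
    ranked.sort(key=lambda r: r[1], reverse=True)     # stable: ties keep feed order
    return ranked


# Constructed org profile and CVE records; ids are placeholders, not real CVEs.
ORG_STACK = ["nginx 1.24", "Python", "PostgreSQL", "React", "web server"]
SAMPLE_CVES = [
    {"cve_id": "CVE-XXXX-0001", "affected": ["nginx"],
     "description": "Heap overflow in nginx 1.24 before 1.24.1 in the HTTP/2 module"},
    {"cve_id": "CVE-XXXX-0002", "affected": ["acme cms"],
     "description": "SQL injection in ACME CMS when using the PostgreSQL backend"},
    {"cve_id": "CVE-XXXX-0003", "affected": ["react native"],
     "description": "Remote code execution in React Native CLI"},
    {"cve_id": "CVE-XXXX-0004", "affected": ["wordpress"],
     "description": "Cross-site scripting in WordPress"},
]

if __name__ == "__main__":
    for row in rank_cves(SAMPLE_CVES, ORG_STACK):
        print(row)
```

The vague entry "web server" never matches a product name in these records, which is the practical reason the page tells you to list concrete product and version strings: the score comes from terms that actually occur in vulnerability text.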
CVE Data Freshness
PhantomYerra syncs CVE data during the startup boot sequence before the UI opens. The sync pulls from:
- NVD (National Vulnerability Database) — full CVE metadata and CVSS scores
- CISA KEV catalog — known exploited vulnerabilities
- ExploitDB — public exploit availability
- EPSS scores — exploit prediction scoring system probabilities
- GitHub PoC links — community proof-of-concept repositories
Data is cached locally in data/cve_intel.db. If the last sync was more than 24 hours ago, a banner appears offering a manual resync.
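The freshness rule above (offer a resync when the last sync is older than 24 hours) can be checked directly against the cache. The following is an added example, not PhantomYerra's code: the `sync_meta` table is an assumed bookkeeping schema, since the real layout of data/cve_intel.db is not documented here, and the example goes one step beyond the page by tracking each of the five sources separately, so a banner can say which feed is stale. It runs against an in-memory database so it works offline.

```python
import sqlite3
from datetime import datetime, timedelta, timezone

# Assumed bookkeeping table; the real data/cve_intel.db schema is not documented.
SCHEMA = (
    "CREATE TABLE IF NOT EXISTS sync_meta ("
    "source TEXT PRIMARY KEY, last_sync TEXT NOT NULL)"
)
# The five upstream feeds listed on the page, as short source keys (assumed names).
SOURCES = ("nvd", "cisa_kev", "exploitdb", "epss", "github_poc")
MAX_AGE = timedelta(hours=24)

# Fixed "now" for the constructed scenario so results are reproducible.
NOW = datetime(2024, 6, 1, 12, 0, tzinfo=timezone.utc)


def open_cache(path=":memory:"):
    """Open the cache; ':memory:' keeps this example self-contained."""
    conn = sqlite3.connect(path)
    conn.execute(SCHEMA)
    return conn


def record_sync(conn, source, when):
    """Store the UTC timestamp of a completed sync for one source."""
    conn.execute(
        "INSERT OR REPLACE INTO sync_meta (source, last_sync) VALUES (?, ?)",
        (source, when.isoformat()),
    )
    conn.commit()


def stale_sources(conn, now, max_age=MAX_AGE):
    """Sources that were never synced, or were synced more than max_age ago."""
    rows = dict(conn.execute("SELECT source, last_sync FROM sync_meta"))
    stale = []
    for src in SOURCES:
        ts = rows.get(src)
        if ts is None or now - datetime.fromisoformat(ts) > max_age:
            stale.append(src)
    return stale


def show_resync_banner(conn, now):
    """Banner condition: at least one source is past the 24-hour limit."""
    return bool(stale_sources(conn, now))


def demo():
    """Constructed scenario: four feeds synced 2 hours ago, NVD 25 hours ago."""
    conn = open_cache()
    for s in SOURCES:
        record_sync(conn, s, NOW - timedelta(hours=2))
    record_sync(conn, "nvd", NOW - timedelta(hours=25))
    return stale_sources(conn, NOW), show_resync_banner(conn, NOW)


if __name__ == "__main__":
    print(demo())
```

Timestamps are stored in ISO 8601 with an explicit UTC offset so the comparison does not depend on the machine's local time zone, which matters when reports generated on one host are reviewed on another.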