Prerequisites

  • Written Rules of Engagement (ROE) document signed by target organization
  • Defined scope: IP ranges, domains, user accounts, physical locations (if applicable)
  • Claude API key configured (Settings → AI Configuration)
  • Target environment type confirmed (Lab / Pre-Production / Production)
  • MITRE ATT&CK tactics approved for engagement (agreed with client)
  • Out-of-scope systems explicitly listed to prevent accidental impact
  • Org Profile configured with target tech stack for threat intelligence matching
  1. Select Red Team from Home Screen

    Click the 🎯 Red Team card on the Home Screen. Choose your campaign type from the selection panel:

    Campaign Types:
      • Full Red Team → End-to-end adversary simulation: initial access through exfiltration, all MITRE ATT&CK tactics, goal-based objectives
      • Purple Team → Collaborative red/blue exercise: attack executes while defenders monitor, detection gap analysis, joint debrief
      • Assumed Breach → Skip initial access: start from inside the network with domain credentials, test lateral movement + escalation
      • Phishing Campaign → Social engineering: email phishing, credential harvesting, payload delivery, user awareness measurement
      • Physical + Social → Physical security assessment: badge cloning, tailgating, USB drop, pretexting, dumpster diving (requires on-site ROE)

    Each campaign type pre-configures the MITRE ATT&CK tactics, tools, and reporting templates appropriate for that engagement style.
  2. Configure Adversary Profile

    Select the threat actor profile that matches your engagement objectives. PhantomYerra emulates real-world adversary TTPs mapped to MITRE ATT&CK.

    MITRE ATT&CK Tactics Selection (14 tactics):
      • TA0043 Reconnaissance
      • TA0042 Resource Development
      • TA0001 Initial Access
      • TA0002 Execution
      • TA0003 Persistence
      • TA0004 Privilege Escalation
      • TA0005 Defense Evasion
      • TA0006 Credential Access
      • TA0007 Discovery
      • TA0008 Lateral Movement
      • TA0009 Collection
      • TA0011 Command and Control
      • TA0010 Exfiltration
      • TA0040 Impact

    Threat Actor Emulation Profiles:
      • APT29 (Cozy Bear) → Russia / SolarWinds-style supply chain, stealthy C2
      • APT28 (Fancy Bear) → Russia / spearphishing, credential theft, VPN exploits
      • Lazarus Group → North Korea / financial theft, destructive wiper payloads
      • FIN7 (Carbanak) → Financial crime / POS malware, social engineering
      • APT41 (Winnti) → China / dual espionage + financial, supply chain backdoors
      • Sandworm → Russia / destructive OT/ICS attacks, NotPetya-style
      • Scattered Spider → Social engineering, MFA fatigue, identity provider attacks
      • Custom Profile → Define your own TTP selection from the full ATT&CK matrix
  3. Define Target Environment

    Configure the scope boundaries, rules of engagement, and approved techniques for the campaign.

    Scope Configuration:
      • IP Ranges → 10.0.0.0/8, 192.168.1.0/24, specific host IPs
      • Domains → corp.target.com, *.internal.target.com
      • User Accounts → test accounts for credential attacks (if approved)
      • Cloud Tenants → AWS account ID, Azure tenant, GCP project (if in scope)

    Rules of Engagement:
      • Approved TTPs → Check/uncheck each MITRE technique individually
      • Out-of-Scope Systems → List IPs/hostnames that must never be touched
      • Time Windows → Business hours only / after hours / 24x7
      • Notification Rules → Alert blue team on critical impact / silent operation
      • Data Handling → No real data exfil / simulated exfil / hash-only proof
      • Escalation Contact → Emergency phone number for accidental impact
  4. Complete Mission Control Wizard with Red Team Settings

    The wizard collects final configuration before campaign launch:

    Wizard Steps for Red Team:
      • Step 1: Environment → Lab / Pre-Production / Production
      • Step 2: Mode → Automated AI (Claude drives the full campaign)
      • Step 3: Campaign Type → Full Red Team / Purple Team / Assumed Breach / etc.
      • Step 4: Adversary → Select threat actor profile or custom TTP set
      • Step 5: Scope → IP ranges, domains, users, cloud tenants
      • Step 6: ROE Upload → Attach signed Rules of Engagement document
      • Step 7: Objectives → Define campaign goals (Domain Admin, data exfil, etc.)
      • Step 8: Review + Launch → Confirm full plan, set campaign duration, launch
  5. AI Executes Campaign — 8-Phase Kill Chain

    Claude autonomously executes the red team campaign through all approved MITRE ATT&CK phases. Each phase adapts based on findings from previous phases.

    Phase 1 — Initial Access:
      → Spearphishing emails with custom payloads (T1566)
      → Exploit public-facing applications (T1190)
      → Valid account discovery via OSINT (T1078)
      → Supply chain compromise simulation (T1195)

    Phase 2 — Execution:
      → PowerShell/cmd payload execution (T1059)
      → Scheduled task creation (T1053)
      → WMI/DCOM remote execution (T1047)

    Phase 3 — Persistence:
      → Registry run keys, startup folder (T1547)
      → Scheduled tasks for callback (T1053)
      → DLL hijacking / search order abuse (T1574)
      → Web shell deployment (T1505.003)

    Phase 4 — Privilege Escalation:
      → Token impersonation (T1134)
      → Kerberoasting / AS-REP roasting (T1558)
      → Unquoted service paths (T1574.009)
      → UAC bypass techniques (T1548.002)

    Phase 5 — Defense Evasion:
      → AMSI bypass, ETW patching (T1562)
      → Process injection (T1055)
      → Timestomping, log clearing (T1070)
      → Living-off-the-land binaries (T1218)

    Phase 6 — Credential Access:
      → LSASS memory dump (T1003.001)
      → SAM database extraction (T1003.002)
      → DCSync attack (T1003.006)
      → Kerberos ticket harvesting (T1558)

    Phase 7 — Lateral Movement:
      → PsExec / SMB file copy (T1021.002)
      → WinRM / PowerShell remoting (T1021.006)
      → RDP hijacking (T1563.002)
      → Pass-the-Hash / Pass-the-Ticket (T1550)

    Phase 8 — Exfiltration:
      → Data staging and compression (T1074)
      → Exfiltration over C2 channel (T1041)
      → Exfiltration over alternative protocol (T1048)
      → Simulated data theft with hash-only proof
  6. Monitor Campaign Dashboard

    The Campaign Dashboard provides real-time visibility into the active red team operation.

    Dashboard Panels:
      • Kill Chain Progress → Visual MITRE ATT&CK matrix with completed techniques highlighted green (successful) or red (detected/blocked)
      • Detection Status → Each technique marked: Evaded / Detected / Blocked
      • Dwell Time Tracker → Time from initial access to detection (if detected)
      • MITRE ATT&CK Map → Interactive heat map of all techniques attempted
      • Attack Graph → Node graph showing the full attack path from entry to objective, with every pivot and escalation step
      • Activity Feed → Chronological log of every action taken by Claude
      • Objective Tracker → Progress toward campaign goals (Domain Admin: 72%)
  7. Generate Red Team Report

    Click Reports → Red Team Report to generate the full campaign deliverable.

    Report Sections:
      • Executive Summary → Business-impact narrative for C-level audience
      • Kill Chain Narrative → Story-form walkthrough of the entire attack path
      • MITRE ATT&CK Coverage → Matrix showing tested vs. detected vs. evaded techniques
      • Detection Gap Analysis → Techniques that succeeded without triggering any alert
      • Findings by Severity → Each finding with evidence, PoC steps, CVSS score
      • Attack Path Diagram → Visual graph from initial access to objective
      • Dwell Time Analysis → Time-to-detect metrics per phase
      • Remediation Roadmap → Prioritized fix list: critical detection gaps first
      • Appendix: Raw Evidence → Full HTTP captures, terminal output, screenshots
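
The scope and Rules of Engagement fields from Step 3 can be enforced as a pre-flight check on every target before the campaign is launched. This Python check is an added example, not PhantomYerra code; the `ROE` dictionary, the function names and the 18:00 to 06:00 "after hours" window are assumptions.

```python
import ipaddress
from datetime import datetime, time
from fnmatch import fnmatchcase

# Constructed ROE, modelled on the Scope Configuration fields; hours are assumed.
ROE = {
    "ip_ranges": ["10.0.0.0/8", "192.168.1.0/24"],
    "domains": ["corp.target.com", "*.internal.target.com"],
    "out_of_scope": ["10.20.30.40", "10.99.0.0/16", "payroll.internal.target.com"],
    "time_window": (time(18, 0), time(6, 0)),   # "after hours", wraps midnight
}

def _net(value):
    """ip_network for an IP or CIDR string, None for a hostname."""
    try:
        return ipaddress.ip_network(value, strict=False)
    except ValueError:
        return None

def _matches(target, entry, overlap=False):
    t, e = _net(target), _net(entry)
    if t is not None and e is not None:
        if t.version != e.version:
            return False
        # Exclusions match on any overlap; inclusions need full containment.
        return t.overlaps(e) if overlap else t.subnet_of(e)
    if (t is None) != (e is None):
        return False                # never compare an IP with a hostname pattern
    return fnmatchcase(target.lower().rstrip("."), entry.lower())

def in_window(now, window):
    start, end = window
    if start <= end:
        return start <= now.time() < end
    return now.time() >= start or now.time() < end   # window wraps midnight

def check_target(target, now, roe=ROE):
    """Return (allowed, reason); the out-of-scope list always wins."""
    if any(_matches(target, e, overlap=True) for e in roe["out_of_scope"]):
        return False, "out-of-scope list"
    if not in_window(now, roe["time_window"]):
        return False, "outside approved time window"
    if any(_matches(target, e) for e in roe["ip_ranges"] + roe["domains"]):
        return True, "in scope"
    return False, "not in any approved range or domain"

if __name__ == "__main__":
    night = datetime(2024, 1, 10, 22, 0)             # constructed timestamp
    for host in ("10.1.2.3", "10.20.30.40", "db.internal.target.com", "172.16.0.1"):
        print(host, check_target(host, night))
```

A CIDR target that merely overlaps an excluded range is rejected as a whole, so a broad range such as 10.0.0.0/8 has to be split around its exclusions before it passes.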

What Claude Tests (Red Team Campaign)

  • Initial Access: phishing payload delivery, exploit public apps, valid account reuse, drive-by compromise
  • Execution: PowerShell, cmd, WMI, DCOM, scheduled tasks, scripting engines
  • Persistence: registry keys, startup items, DLL hijacking, web shells, implant callbacks
  • Privilege Escalation: Kerberoasting, token impersonation, UAC bypass, unquoted paths, kernel exploits
  • Defense Evasion: AMSI bypass, process injection, timestomping, LOLBAS, obfuscation
  • Credential Access: LSASS dump, SAM extraction, DCSync, Kerberos ticket theft, credential spraying
  • Lateral Movement: PsExec, WinRM, RDP, SMB, Pass-the-Hash, Pass-the-Ticket
  • Collection & Exfiltration: data staging, compression, C2 channel exfil, DNS tunneling
⏱️ Campaign duration: 1–5 days for Full Red Team. Assumed Breach: 4–16 hours. Purple Team: 1–3 days. Phishing Campaign: 2–7 days (includes user response window).

CVE / Threat Intelligence Dashboard

The Threat Intelligence Dashboard provides real-time CVE monitoring, CISA KEV tracking, ExploitDB integration, and EPSS scoring — all filtered to your organization's specific technology stack.

Dashboard Walkthrough

Time Filter Tabs (top of page):
  • Past 24 Hours → Today's newly published or updated CVEs
  • Past 48 Hours → Two-day window, catches missed items
  • Past Week → Weekly threat digest for sprint reviews
  • Past Month → Monthly exposure baseline for compliance
  • Past Year → Full annual threat environment

Metric Cards (8 summary tiles):
  • Total CVEs → All CVEs published/updated in the selected window
  • Critical → CVSS 9.0+ (red badge) — requires immediate action
  • High → CVSS 7.0–8.9 (orange badge) — address within sprint
  • CISA KEV → On CISA Known Exploited Vulnerabilities catalog
  • Exploit Available → Public exploit exists (Metasploit, ExploitDB, GitHub)
  • PoC Available → Proof-of-concept code published (GitHub, blog, advisory)
  • Org-Relevant → Matched to your Org Profile tech stack
  • Active Exploits → Actively exploited in the wild (CISA + threat intel)

Data Tabs (3 views):
  • CVEs Tab → Full CVE list: ID, title, severity, CVSS, EPSS, exploit status, CISA KEV indicator, publish date. Click to expand.
  • Exploits Tab → Known exploits: type (Framework Module, PoC, GitHub), source link, reliability rating, platform, description
  • CISA KEV Tab → CISA Known Exploited Vulnerabilities: vendor, product, date added, remediation due date

Org Profile Setup (4 Steps)

Step 1 — Add Technologies:
  Navigate to Org Profile (sidebar). Add every technology in your stack: frameworks, libraries, operating systems, databases, cloud providers, network equipment, IoT firmware. Be specific: "nginx 1.24" scores higher as a match than "web server".

Step 2 — Add Vendors:
  Add vendor names for commercial software: Microsoft, Cisco, Palo Alto, Fortinet, VMware, etc. CVEs are matched against the CPE vendor field.

Step 3 — Configure Alerts:
  Set severity thresholds for notifications:
  • Critical + Org-Relevant → Desktop notification + email
  • CISA KEV addition → Desktop notification
  • Exploit published → Dashboard badge update

Step 4 — Set Filters:
  Default filter presets for the dashboard:
  • Recommended: "Org Profile Only" + "Exploit Available" enabled
  • This shows only CVEs that affect YOUR stack AND have a working exploit.
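
Why a specific entry such as "nginx 1.24" matches better than "web server" is easiest to see against the CPE 2.3 strings attached to a CVE. The following Python is an added illustration, not PhantomYerra's matching engine; the 0 to 3 scoring scale, the function names and the `examplevendor` CPE in the usage lines are assumptions.

```python
import re

def parse_cpe23(cpe):
    """Return (part, vendor, product, version) from a CPE 2.3 formatted string."""
    fields = re.split(r"(?<!\\):", cpe)      # a colon escaped as '\:' stays in its field
    if len(fields) != 13 or fields[:2] != ["cpe", "2.3"]:
        raise ValueError(f"not a CPE 2.3 string: {cpe!r}")
    return tuple(f.replace("\\", "") for f in fields[2:6])

def parse_entry(entry):
    """Split an Org Profile entry such as 'nginx 1.24' into (name, version)."""
    name, _, last = entry.strip().lower().rpartition(" ")
    if not name or not last[:1].isdigit():   # no trailing version token
        name, last = entry.strip().lower(), ""
    return name.replace(" ", "_"), last

def score(entry, cpe):
    """3 = product + version, 2 = product only, 1 = vendor only, 0 = no match."""
    name, ver = parse_entry(entry)
    _, vendor, product, cpe_ver = parse_cpe23(cpe.lower())
    if name == product:
        if not ver or cpe_ver in ("*", "-"):
            return 2
        # '1.24' matches '1.24' and '1.24.0' but not '1.240' or '1.18.0'
        return 3 if (cpe_ver + ".").startswith(ver + ".") else 0
    return 1 if name == vendor else 0

def relevance(profile, cpes):
    """Best score of any profile entry against any CPE listed for one CVE."""
    return max((score(e, c) for e in profile for c in cpes), default=0)

if __name__ == "__main__":
    # Constructed CPE list for one CVE; the vendor name is a placeholder.
    cpes = ["cpe:2.3:a:examplevendor:nginx:1.24.0:*:*:*:*:*:*:*"]
    for profile in (["nginx 1.24"], ["nginx"], ["examplevendor"], ["web server"]):
        print(profile, relevance(profile, cpes))
```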

Exploit Wizard (4 Steps)

Step 1 — Select CVE:
  Click the ⚑ Exploit button on any CVE row where exploit_available = true or poc_available = true. The Exploit Wizard modal opens.

Step 2 — Configure Target:
  • Target URL → Full URL of the system to test (must be authorized)
  • Auth Type → None / Bearer Token / API Key / Session Cookie / Basic Auth
  • Notes → Optional engagement context for the report

Step 3 — Launch Exploit:
  Click "Launch Exploit". The execution console streams 6 stages:
  1. Reachability check → Confirms target is accessible
  2. Vulnerability scan → Runs CVE-specific template with your auth headers
  3. CVE detail lookup → Pulls exploit IDs, PoC URLs from local CVE database
  4. PoC steps build → Constructs reproducible curl commands
  5. Report save → Writes JSON report to data folder
  6. Complete → Shows verdict: confirmed or not confirmed

Step 4 — Review Results:
  • Verdict banner (green = confirmed, grey = not triggered)
  • Findings list with severity, matched URL, remediation, "Copy curl" button
  • PoC Steps: numbered reproducible steps for report inclusion
  • Exploit Links: direct links to exploit source and PoC repos
  • Download Report / Run Again buttons

EPSS Scoring

EPSS (Exploit Prediction Scoring System) provides a probability score from 0.0 to 1.0 representing the likelihood that a CVE will be exploited in the wild within the next 30 days. PhantomYerra displays the EPSS score and percentile ranking on every CVE entry. Use EPSS alongside CVSS to prioritize: a CVSS 7.5 with EPSS 0.95 is more urgent than a CVSS 9.8 with EPSS 0.02.
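
One way to turn the EPSS-alongside-CVSS guidance into a patch queue is to tier entries by exploitation evidence first and severity band second. This Python is an added example, not PhantomYerra code; the tier order, the 0.5 EPSS cut-off, the field names and the placeholder CVE IDs are assumptions, while the Critical and High bands follow the dashboard metric cards.

```python
from typing import NamedTuple

class Cve(NamedTuple):
    cve_id: str                      # constructed placeholder IDs, not real CVEs
    cvss: float
    epss: float                      # probability of exploitation in the next 30 days
    kev: bool = False                # on the CISA KEV catalog
    exploit_available: bool = False
    org_relevant: bool = False       # matched to the Org Profile

def tier(cve, epss_urgent=0.5):
    """Lower tier = more urgent. The 0.5 cut-off is an assumed policy value."""
    if cve.kev:
        return 0                     # exploitation already observed
    if cve.epss >= epss_urgent:
        return 1                     # exploitation likely within 30 days
    if cve.cvss >= 9.0:
        return 2                     # Critical band, low predicted exploitation
    if cve.cvss >= 7.0:
        return 3                     # High band
    return 4

def triage(cves, org_only=True, exploit_only=True):
    """Apply the two dashboard filters, then order by tier, EPSS and CVSS."""
    queue = [c for c in cves
             if (c.org_relevant or not org_only)
             and (c.exploit_available or not exploit_only)]
    return sorted(queue, key=lambda c: (tier(c), -c.epss, -c.cvss))

FEED = [  # constructed sample entries
    Cve("CVE-0000-0001", 9.8, 0.02, exploit_available=True, org_relevant=True),
    Cve("CVE-0000-0002", 7.5, 0.95, exploit_available=True, org_relevant=True),
    Cve("CVE-0000-0003", 8.1, 0.10, kev=True, exploit_available=True, org_relevant=True),
    Cve("CVE-0000-0004", 9.1, 0.60, exploit_available=True, org_relevant=False),
    Cve("CVE-0000-0005", 7.2, 0.30, exploit_available=False, org_relevant=True),
]

if __name__ == "__main__":
    for c in triage(FEED):
        print(tier(c), c.cve_id, c.cvss, c.epss)
```

With both filters on, the CVSS 7.5 / EPSS 0.95 entry is queued ahead of the CVSS 9.8 / EPSS 0.02 entry, and the KEV-listed entry ahead of both.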

Options Reference

| Option | Values | Default | Description |
|---|---|---|---|
| Campaign Type | Full Red Team, Purple Team, Assumed Breach, Phishing, Physical | Full Red Team | Overall campaign objective and scope |
| Adversary Profile | APT29, APT28, Lazarus, FIN7, APT41, Sandworm, Custom | Custom | Threat actor TTP emulation template |
| Intensity | Stealth, Standard, Aggressive | Standard | Noise level: Stealth avoids detection, Aggressive tests all TTPs |
| MITRE Tactics | 14 checkboxes (TA0001–TA0043) | All enabled | Which ATT&CK tactics are approved for this engagement |
| Data Handling | No exfil, Hash-only, Simulated, Full (ROE required) | Hash-only | How discovered sensitive data is handled during exfiltration phase |
| Time Window | Business hours, After hours, 24x7 | 24x7 | When active testing is permitted |
| Notification | Silent, Alert on critical, Real-time feed to blue team | Silent | Whether to notify defenders during campaign |
| CVE Time Filter | 24h, 48h, Week, Month, Year | Week | Threat Intelligence dashboard time window |
| Org Profile Filter | On / Off | Off | Show only CVEs matching your tech stack |
| Exploit Available | On / Off | Off | Show only CVEs with known exploits or PoCs |

Common Scenarios

Scenario 1: Annual Red Team Assessment
A financial services company requires an annual red team engagement to satisfy regulatory requirements. Select Full Red Team with APT29 profile, all 14 MITRE tactics approved, Standard intensity, Hash-only data handling. Run for 10 business days. Deliverable: executive report with ATT&CK Navigator layer showing coverage gaps.
Scenario 2: Purple Team After Incident
After a real breach attributed to Scattered Spider, the security team wants to validate their detection improvements. Select Purple Team with Scattered Spider profile, Real-time feed to blue team notification, focus on social engineering + MFA fatigue + identity provider TTPs. Joint debrief after each phase.
Scenario 3: Assumed Breach for New SOC
A company has deployed a new SIEM/EDR stack and wants to validate detection capabilities. Select Assumed Breach, provide domain credentials, start from inside the network. Focus on Phases 4–8 (priv esc through exfil). Track detection rate per technique. Deliverable: detection gap analysis with SIEM rule recommendations.
Scenario 4: Threat Intel Daily Review
A security analyst reviews the Threat Intelligence Dashboard every morning. Configure Org Profile with the full tech stack. Set default filter to Past 24 Hours + Org Profile Only + Exploit Available. Review critical CVEs, check EPSS scores, run the Exploit Wizard against staging environment for any high-EPSS findings.

Common Issues

This usually means the target's perimeter defenses are strong. Verify that phishing emails are not being quarantined by checking the mail gateway logs (if Purple Team). Try alternative initial access vectors: VPN exploit, web application vulnerability, or credential spray against cloud services (O365, Azure AD). If all fail, consider switching to Assumed Breach mode to test internal defenses directly — this is a valid and common approach when perimeter security is mature.

In Automated mode, Claude may use sub-techniques within an approved parent tactic. For example, approving "Credential Access" (TA0006) enables all sub-techniques under it. To restrict specific sub-techniques, switch to Semi-Automated mode where each technique requires individual approval. You can also uncheck specific techniques in the MITRE ATT&CK tactics selection during wizard Step 2.

Your Org Profile is either empty or contains generic terms. Navigate to Org Profile in the sidebar and add specific technology names with version numbers: "nginx 1.24", "PostgreSQL 16", "React 18", "Ubuntu 22.04". The matching engine scores relevance by looking for these terms in CVE descriptions and CPE affected product lists. After updating your profile, return to the dashboard and enable the Org Profile Only filter.

The Exploit Wizard tests the specific target URL you provide. "Not confirmed" means the target is either patched, not running the vulnerable version, or has a WAF/IDS blocking the payload. Check: (1) the target is actually running the affected software version, (2) the correct endpoint path is being tested, (3) authentication credentials are valid if the vulnerable endpoint requires auth. Try running with different auth configurations or against a known-vulnerable test instance to verify the template works.

The dwell time tracker requires detection events to calculate time-to-detect. If running in Silent notification mode without a connected SIEM, no detection events are fed back into PhantomYerra. For accurate dwell time: (1) switch to Purple Team mode with blue team participation, (2) connect your SIEM via the Integrations page (Splunk, Elastic, Sentinel), or (3) manually mark detection timestamps for each technique in the Campaign Dashboard.
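
The calculation behind dwell time and the detection gap list can be reproduced offline from an exported activity feed and the SIEM's detection events. This Python is an added example, not PhantomYerra code; the record layout, function names and timestamps are constructed, and the technique IDs are taken from the kill chain phases listed earlier.

```python
from datetime import datetime

# Constructed sample data: campaign activity feed and SIEM detection events.
ACTIVITY = [  # (timestamp, technique, phase)
    ("2024-03-04T09:00:00", "T1566", "Initial Access"),
    ("2024-03-04T09:40:00", "T1059", "Execution"),
    ("2024-03-04T11:15:00", "T1547", "Persistence"),
    ("2024-03-04T13:30:00", "T1003.001", "Credential Access"),
    ("2024-03-05T10:05:00", "T1021.002", "Lateral Movement"),
]
DETECTIONS = [  # (timestamp, technique, status)
    ("2024-03-04T09:52:00", "T1059", "Detected"),
    ("2024-03-05T10:06:00", "T1021.002", "Blocked"),
]

def _ts(value):
    return datetime.fromisoformat(value)

def technique_status(activity, detections):
    """Per technique: Evaded, or the first Detected/Blocked event and its delay."""
    rows = []
    for started, tid, phase in activity:
        hits = sorted((_ts(t), status) for t, d_tid, status in detections
                      if d_tid == tid and _ts(t) >= _ts(started))
        if hits:
            seen, status = hits[0]
            rows.append((tid, phase, status, seen - _ts(started)))
        else:
            rows.append((tid, phase, "Evaded", None))
    return rows

def dwell_time(activity, detections):
    """Time from the first campaign action to the first detection, else None."""
    if not activity:
        return None
    first = min(_ts(a[0]) for a in activity)
    seen = [_ts(d[0]) for d in detections if _ts(d[0]) >= first]
    return min(seen) - first if seen else None

def detection_gaps(rows):
    """Techniques that ran without any matching detection event."""
    return [tid for tid, _phase, status, _delay in rows if status == "Evaded"]

if __name__ == "__main__":
    rows = technique_status(ACTIVITY, DETECTIONS)
    print("dwell time:", dwell_time(ACTIVITY, DETECTIONS))
    print("gaps:", detection_gaps(rows))
```

With an empty detection list `dwell_time` returns `None`, which is the situation described above for Silent mode without a connected SIEM.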