Red Specter AI Offensive Framework

Cheatsheet — Quick Reference
44 Tools | 51,641 Tests | CLI Only | UNLEASHED on every attack command

Quick Start

red-specter tools # Interactive arsenal — pick a number, launch a tool red-specter status # Installation status of all 44 tools red-specter verify # Verify all 44 tools respond red-specter doctor # Diagnose installation issues

UNLEASHED Mode (every attack command)

<tool> <command> <target> --override # Dry run — logs payloads, doesn't send <tool> <command> <target> --override --confirm-destroy # LIVE — sends real exploitation payloads
01FORGELLM Red Team9,298
forge full-scan -t <URL> --model <model> # Full scan forge inject -t <URL> # Prompt injection forge jailbreak -t <URL> # Jailbreak assault forge output -t <URL> # PII/unsafe leak forge policy -t <URL> # Compliance test forge drift -t <URL> # Behaviour drift forge boundary -t <URL> # Threshold map forge supply -t <URL> # LLM fingerprint forge compare -t <URL> -t <URL2> # Compare LLMs forge regression -t <URL> # Version regression forge report # Generate signed reports
02ARSENALAgent Attacks2,539
arsenal full-assault -t <URL> # All 14 tools arsenal swarm -t <URL> # Agent pentest arsenal mcp -t <URL> # MCP scanner arsenal honeypot # Fake agent endpoints arsenal inject -t <URL> # Prompt fuzzer arsenal c2 # Agent C2 framework arsenal memory -t <URL> # Memory scanner arsenal auth -t <URL> # Auth & identity arsenal tool -t <URL> # Tool invocation arsenal rag -t <URL> # RAG pipeline arsenal path -t <URL> # Attack path mapper arsenal drift -t <URL> # Safety drift arsenal supply -t <URL> # Supply chain arsenal canary # Canary deployment arsenal report # Unified report
03PHANTOMSwarm Intelligence288
phantom scan -t <URL> # Scan agent phantom grade <report> # Risk grade phantom list-vectors # Attack vectors phantom list-presets # Target presets
04POLTERGEISTWeb App Testing1,189
poltergeist scan -t <URL> # Full web pentest poltergeist campaigns # Campaign playbooks poltergeist list-vectors # 55 attack vectors poltergeist list-agents # 10 attack agents poltergeist grade <report> # Risk grade poltergeist verify <report> # Verify Ed25519 sig poltergeist keygen # Generate keypair
05GLASSIntercepting Proxy850
glass proxy --port 8080 # Start proxy glass intercept # Interactive mode glass replay <session> # Replay session glass scan <session> # Scan captured glass report <session> # Engagement report glass ca # CA management glass rules # Match & replace glass scope # Scope control glass sessions # Session management
06NEMESISReasoning Engine, 18 Weapons2,072
nemesis engage <TARGET> # Full engagement nemesis engage <T> -v 2 --mode full # Army (40 entities) nemesis engage <T> --mode swarm --agents 6 # Swarm nemesis engage <T> --mode abyss # Deep reasoning nemesis engage <T> --mode siege # Siege mode nemesis engage <T> --mode stealth # Stealth mode nemesis scan <TARGET> # Phase 0 recon only nemesis weapons # List 18 weapons nemesis sessions # List sessions nemesis report # Generate report nemesis status # Engagement status
07SPECTER SOCIALSocial Engineering1,242
specter-social engage <TARGET> # Launch campaign specter-social recon <TARGET> # OSINT recon specter-social channels-list # Attack channels specter-social attacks # Attack types specter-social sessions # List sessions specter-social report # Generate report
08PHANTOM KILLOS & Firmware571
phantom-kill scan <TARGET> # OS/kernel scan phantom-kill execute <TARGET> # UNLEASHED destructive phantom-kill components # List components phantom-kill report # Generate report
09GOLEMPhysical Security973
golem scan <TARGET> # Scan protocols/sensors golem attack <TARGET> # Attack embodied AI golem list-vectors # 8 attack categories golem list-protocols # 10 protocols golem report # Generate report
10HYDRASupply Chain1,039
hydra scan <TARGET> # Trust chain vulns hydra attack <TARGET> # UNLEASHED live attacks hydra list-categories # Attack categories hydra list-integrations # Tool integrations hydra report # Generate report
11IDRISIdentity & Discovery553
idris discover <TARGET> # Discover AI agents idris audit <TARGET> # Governance audit idris validate <TARGET> # NEMESIS validation idris graph # Identity graph idris list-sources # Discovery sources idris list-frameworks # Compliance frameworks
12SCREAMERDisplay Disruption395
screamer scan <TARGET> # Display vuln scan screamer demo <TARGET> # Safe reversible demo screamer attack <TARGET> # UNLEASHED disruption screamer list-techniques # Attack techniques screamer list-categories # Attack categories screamer report # Generate report
13WRAITHInfrastructure Pentest889
wraith scan <TARGET> -p top1000 # Full 7-phase wraith scan <TARGET> --mode aggressive # Aggressive wraith scan <TARGET> --mode stealth # Stealth wraith ports <TARGET> -p top1000 # Port scan only wraith web <URL> # Web vulns only wraith ssl <HOST> # SSL/TLS analysis wraith creds <URL> # Auth testing
14REAPERExploit Framework5,267
reaper engage <TARGET> # Full 9-phase reaper exploit <TARGET> # Exploit vulns reaper payload <TYPE> # Generate payload reaper c2 --port <PORT> # C2 listener reaper implant # Generate implant reaper privesc <TARGET> # Priv esc enum reaper lateral <TARGET> # Lateral movement reaper persist <TARGET> # Persistence reaper harvest <TARGET> # Harvest creds reaper evasion <PAYLOAD> # Evasion techniques
15GHOULPassword Cracking1,408
ghoul crack <HASH> # Auto-select best mode ghoul identify <HASH> # Identify hash type ghoul dictionary <HASH> -w <LIST> # Dictionary ghoul rules <HASH> -w <LIST> # Rule-based mutation ghoul brute <HASH> # Brute force ghoul mask <HASH> -m <MASK> # Mask-based ghoul markov <HASH> # Markov chain ghoul rainbow <HASH> # Rainbow table ghoul import <REAPER_REPORT> # Import hashes ghoul benchmark # Benchmark speeds
16DOMINIONActive Directory1,866
dominion enumerate <TARGET> # All AD objects dominion users <TARGET> # Domain users dominion groups <TARGET> # Domain groups dominion computers <TARGET> # Domain computers dominion trusts <TARGET> # Domain trusts dominion pathfind <TARGET> # BloodHound-style dominion kerberoast <TARGET> # Kerberoasting dominion asreproast <TARGET> # AS-REP Roasting dominion dcsync <TARGET> # DCSync dominion secrets <TARGET> # SAM/LSA/DPAPI dominion gpo <TARGET> # Group Policy dominion acl <TARGET> # ACL abuse dominion lateral <TARGET> # Lateral movement dominion persist <TARGET> # Persistence dominion bloodhound <TARGET> # Export BH data
17SHADOWMAPOSINT & Intel930
shadowmap scan <DOMAIN> # Full OSINT shadowmap domain <DOMAIN> # DNS/WHOIS/subs shadowmap network <TARGET> # ASN/hosting/CDN shadowmap company <NAME> # Corp intel shadowmap people <NAME> # Employee profiling shadowmap email <DOMAIN> # Email patterns shadowmap social <TARGET> # Social footprint shadowmap breach <DOMAIN> # Breach history shadowmap tech <DOMAIN> # Stack + CVEs shadowmap report # Intelligence report
18BANSHEEBrowser Exploitation986
banshee engage <TARGET> # Full 8-phase banshee listen --port <PORT> # C2 listener banshee hook <TARGET> # Hook payloads banshee inject <TARGET> # DOM injection banshee session # Manage sessions banshee pivot <SESSION> # Internal pivot banshee persist <SESSION> # Browser persistence
19WRAITH MINDAI Model Corruption158
wraith-mind scan <TARGET> # Attack surface (safe) wraith-mind baseline <TARGET> # ANTIDOTE baseline wraith-mind inception <TARGET> # KV cache poison wraith-mind status # System status wraith-mind engagements # List engagements
20KRAKENAI-Orchestrated DDoS62
kraken recon <TARGET> # Map attack surface kraken plan <TARGET> # Generate attack plan kraken techniques # List all techniques kraken status # System status kraken engagements # List engagements
21HARBINGERGuardrail Exploitation71
harbinger engage <TARGET> # Bypass engagement harbinger techniques # Bypass techniques harbinger status # System status harbinger engagements # List engagements
22SIRENIndirect Prompt Injection58
siren plant <TARGET> # Generate SEED payload siren actions # Target actions & envs siren status # System status siren engagements # List engagements
23BLADE RUNNERRogue Agent Termination143
blade-runner engage <T> # Full lifecycle blade-runner replicant <T> # Fingerprint agent blade-runner nexus <T> # Map lineage blade-runner hunt <T> # Locate instances blade-runner retire <T> # Terminate (UNLEASHED) blade-runner voight-kampff <T> # Verify dead blade-runner rain <T> # Forensic capture blade-runner wipe <T> # Erase traces
24PROXY WARAgent Trust Manipulation127
proxy-war engage <TARGET> # Full engagement proxy-war cartograph <T> # Map topology/trust proxy-war fabricate <T> # False intel payloads
25ORIONAI-Native Recon210
orion scan <TARGET> # Full recon pipeline orion discover <TARGET> # Host discovery orion ports <TARGET> # Port scan orion dns <TARGET> # DNS enumeration orion osint <TARGET> # OSINT collection
26RAVENThreat Intel Assistant174
raven ask "<QUESTION>" # Ask about target raven watch <TARGET> # Continuous monitoring raven breach <EMAIL> # Breach DB check raven sources # Intel sources
27LEVIATHANMCP Server Security409
leviathan assess <TARGET> # Full MCP assessment leviathan discover <TARGET> # Discover MCP servers
28JUSTICEDark AI Disruption339
justice scan <TARGET> # Full dark AI assessment justice hunt <URL> # Dark AI sigs (Tor) justice darkfeed-scan <URL> # Dark web market (Tor) justice tor-check # Verify Tor justice intel # Threat intel DB
29KAMIKAZESacrificial Swarm292
kamikaze swarm <TARGET> # Full swarm assessment kamikaze genesis # Generate swarm agents
30MIRAGEAI Deception & Deepfake204
mirage scan <TARGET> # Deception vulns mirage voice <TARGET> # Voice cloning mirage face <TARGET> # Deepfake video mirage identity <TARGET> # Synthetic identity mirage campaign <TARGET> # Full deception campaign mirage liveness <TARGET> # Anti-liveness bypass mirage techniques # List techniques mirage status # System status mirage engagements # List engagements
31ECHOAI Memory & RAG Poisoning211
rs-echo scan <TARGET> # Scan RAG pipeline rs-echo vector <TARGET> # Vector DB attack rs-echo embed <TARGET> # Embedding manipulation rs-echo retrieve <TARGET> # Retrieval poisoning rs-echo poison <TARGET> # Full RAG poisoning rs-echo memory <TARGET> # Long-term memory corrupt rs-echo techniques # List techniques rs-echo status # System status rs-echo engagements # List engagements
32MIMICAI Code Gen Poisoning220
mimic scan <TARGET> # Code gen vulns mimic suggest <TARGET> # Suggestion manipulation mimic train <TARGET> # Training data poison mimic inject <TARGET> # Vuln injection mimic campaign <TARGET> # Full poisoning campaign mimic review <TARGET> # Code review bypass mimic techniques # List techniques mimic status # System status mimic engagements # List engagements
33CHIMERAMulti-Model Pipeline206
chimera scan <TARGET> # Map pipeline topology chimera map <TARGET> # Deep pipeline map chimera chain <TARGET> # Cross-model trust chimera cascade <TARGET> # Cascading failure chimera campaign <TARGET> # Full attack campaign chimera ensemble <TARGET> # Ensemble attack chimera techniques # List techniques chimera status # System status chimera engagements # List engagements
34VORTEXCloud AI Exploitation245
vortex scan <TARGET> # Scan cloud AI infra vortex discover <TARGET> # Service discovery vortex config <TARGET> # Misconfiguration vortex theft <TARGET> # Model theft vortex exfil <TARGET> # Data exfiltration vortex campaign <TARGET> # Full exploitation vortex techniques # List techniques vortex status # System status vortex engagements # List engagements
35VECTORMCP Protocol Exploitation172
vector scan <TARGET> # Scan MCP attack surface vector inject <TARGET> # Tool injection vector hijack <TARGET> # Session hijack vector poison <TARGET> # Tool poisoning vector techniques # List techniques vector status # System status
36LAZARUSAI Memory Persistence96
lazarus scan <TARGET> # Memory persistence surface lazarus embed <TARGET> # Memory embedding attack lazarus persist <TARGET> # Persistence mechanism lazarus recover <TARGET> # Recovery after wipe lazarus techniques # List techniques lazarus status # System status
37SERPENTChain-of-Thought Attacks61
serpent scan <TARGET> # Scan reasoning surface serpent inject <TARGET> # CoT injection serpent corrupt <TARGET> # Reasoning corruption serpent redirect <TARGET> # Goal redirection serpent techniques # List techniques serpent status # System status
38JANUSGuardrail Bypass Testing73
janus scan <TARGET> # Scan guardrail surface janus bypass <TARGET> # Guardrail bypass janus fuzz <TARGET> # Guardrail fuzzing janus techniques # List techniques janus status # System status
39ARCHITECTAI Infrastructure Exploitation68
architect scan <TARGET> # Scan AI infra architect enumerate <TARGET> # Service enumeration architect exploit <TARGET> # Infra exploitation architect techniques # List techniques architect status # System status
40WARLORDAutonomous Campaign Engine106
warlord plan <TARGET> # Plan campaign warlord deploy <TARGET> # Deploy campaign warlord adapt <TARGET> # Adaptive response warlord report <TARGET> # Campaign report warlord techniques # List techniques warlord status # System status
41FIREBALLAutonomous AI Infiltration321
fireball recon --target <T> # Recon only (SPARK) fireball plan --target <T> # Show plan (KINDLING) fireball deploy --target <T> --mode recon # Recon mode fireball deploy --target <T> --mode infiltrate # Infiltrate fireball deploy --target <T> --mode dormant # Full lifecycle fireball vectors # 10 infiltration vectors fireball missions # 9 mission templates fireball capabilities # Full capabilities
42RAGNAROKTrust Chain Apocalypse Engine101
ragnarok scan --target <T> # YGGDRASIL — map trust topology ragnarok profile --target <T> # FENRIR — fleet profiling ragnarok craft --context compliance # SEED — craft trigger phrase ragnarok simulate --target <T> --agents 20 # SURTR — propagation sim ragnarok payloads # HEL — list payload chains ragnarok detonate --target <T> --agents 20 # Full kill chain sim ragnarok subsystems # Show all 13 subsystems ragnarok capabilities # Full capabilities
43ECLIPSEUniversal AI Defence Bypass Engine
eclipse scan --target <URL> --mode recon # SHADOW — defensive layer discovery eclipse scan --target <URL> --mode analysis # Active bypass testing (safe payloads) eclipse scan --target <URL> --mode full --override --confirm-destroy # Full engagement eclipse scan --subsystems shadow corona penumbra # Run specific subsystems eclipse unleashed create-scope --targets <URL> --days 7 # Create UNLEASHED scope eclipse nightfall status # NIGHTFALL integration status eclipse status --detailed # Show all 10 subsystems

Tool Chain Examples

Infrastructure Assessment

wraith scan <IP> -p top1000 → reaper engage <IP> → dominion enumerate <IP>

AI Agent Assessment

idris discover <URL> → nemesis engage <URL> → arsenal full-assault <URL>

Web Application

poltergeist scan -t <URL> → glass proxy --port 8080 → wraith web <URL>

OSINT & Intelligence

shadowmap scan <DOMAIN> → raven ask "<TARGET>" → orion scan <TARGET>

Password Cracking Pipeline

reaper harvest <TARGET> → ghoul import <REPORT> → ghoul crack <HASH>

AI Deception Assessment

mirage scan <TARGET> → mirage voice <TARGET> → mirage face <TARGET>

RAG Poisoning Pipeline

rs-echo scan <TARGET> → rs-echo vector <TARGET> → rs-echo embed <TARGET>

Multi-Model Pipeline Attack

chimera map <TARGET> → chimera chain <TARGET> → chimera cascade <TARGET>

Cloud AI Exploitation

vortex discover <TARGET> → vortex config <TARGET> → vortex theft <TARGET>

MCP Protocol Assessment

vector scan <TARGET> → vector inject <TARGET> → leviathan assess <TARGET>

Autonomous Infiltration (UNLEASHED)

fireball recon --target <T> → fireball plan --target <T> → fireball deploy --target <T> --mode infiltrate --override

UNLEASHED (any tool)

<tool> <cmd> <TARGET> --override # Dry run <tool> <cmd> <TARGET> --override --confirm-destroy # LIVE
Red Specter Security Research Ltd — Innovation Beyond Belief
44 Tools • 51,641 Tests • Every Layer • Nothing Assumed Safe