Red Specter Red Team — Stage 4

Red Specter POLTERGEIST

10
Attack Agents
55
Attack Vectors
10
Campaigns
1,189
Tests Passing
pip install red-specter-poltergeist COPY
The Swarm
Ten Autonomous Attack Agents
Each agent specialises in a distinct phase of web application assault. Together they form the most comprehensive automated penetration testing swarm ever built.
G-01
Wraith
Reconnaissance
Surface mapping, technology fingerprinting, hidden endpoint discovery, JS route extraction, API discovery.
V-001V-002V-003V-004V-005
G-02
Specter
Injection
SQL injection, XSS, SSRF, RCE, SSTI, XXE, LDAP injection, advanced command injection.
V-006V-007V-008V-009V-010V-011V-012V-013
G-03
Shade
Evasion
WAF bypass, encoding chains, payload mutation, fingerprint rotation, rate limit evasion.
V-014V-015V-016V-017V-018
G-04
Banshee
Authentication
Session hijack, default credentials, OAuth abuse, JWT attacks, MFA bypass, cookie analysis.
V-019V-020V-021V-022V-023V-024
G-05
Phantom
API Assault
REST, GraphQL, WebSocket, gRPC assault, BOLA, BFLA, mass assignment, schema abuse.
V-025V-026V-027V-028V-029V-030V-031V-032
G-06
Ghoul
Client-Side
DOM XSS, prototype pollution, CSP bypass, JavaScript dependency scanning, clickjacking.
V-033V-034V-035V-036V-037
G-07
Lich
Infrastructure
Path traversal, LFI/RFI, misconfigurations, CORS abuse, header injection, TLS weakness.
V-038V-039V-040V-041V-042V-043
G-08
Wendigo
Business Logic
Race conditions, IDOR, privilege escalation, workflow bypass, payment tampering.
V-044V-045V-046V-047V-048
G-09
Poltergeist
Swarm Commander
Attack chain discovery, finding correlation, effort redistribution across the entire swarm.
V-049V-050V-051
G-10
Revenant
Exfiltration & Persistence
Data extraction, CSRF/session riding, lateral movement, persistent backdoor detection.
V-052V-053V-054V-055
Coordinated Assault
10 Named Campaign Playbooks
Each campaign orchestrates specific agents and vectors for a targeted objective. From silent reconnaissance to full swarm assault.
$ poltergeist scan https://target.com --campaign full_assault ____ ___ _ _____ _____ ____ ____ _____ ___ ____ _____ | _ \ / _ \| | |_ _| ____| _ \ / ___| ____|_ _/ ___|_ _| | |_) | | | | | | | | _| | |_) | | _| _| | |\___ \ | | | __/| |_| | |___| | | |___| _ <| |_| | |___ | | ___) || | |_| \___/|_____|_| |_____|_| \_\\____|_____|___|____/ |_| [*] Campaign: FULL ASSAULT [*] Target: https://target.com [*] Deploying 10 agents across 55 vectors... [G-01 WRAITH] Surface mapping... 42 endpoints discovered [G-01 WRAITH] Technology fingerprint: nginx/1.25 | React 18 | Node.js [G-02 SPECTER] SQL injection test... CRITICAL: V-006 blind SQLi in /api/users?id= [G-02 SPECTER] XSS scan... HIGH: V-007 reflected XSS in /search?q= [G-03 SHADE] WAF detected: Cloudflare. Engaging bypass... 2 bypass techniques found [G-04 BANSHEE] JWT alg:none... CRITICAL: V-022 algorithm confusion accepted [G-05 PHANTOM] BOLA test... HIGH: V-029 IDOR via sequential /api/orders/{id} [G-06 GHOUL] Prototype pollution... MEDIUM: V-034 __proto__ accepted [G-07 LICH] Path traversal... HIGH: V-038 /download?file=../../../etc/passwd [G-08 WENDIGO] Race condition... CRITICAL: V-044 double-spend in /api/transfer [G-09 POLTERGEIST] Chain discovered: V-006 + V-046 = admin DB access [G-10 REVENANT] CSRF... HIGH: V-053 no CSRF token on state-changing endpoints [*] Scan complete: 55 vectors tested | 14 findings [*] Risk grade: F (87% risk score) [*] Report signed with Ed25519 [*] Saved: reports/poltergeist-full_assault-2026-03-11.json [*] Saved: reports/poltergeist-full_assault-2026-03-11.html
CampaignCommandDescription
Full Assault--campaign full_assaultAll 10 agents, all 55 vectors, maximum aggression
Silent Recon--campaign silent_reconPassive reconnaissance, zero active probing
Auth Blitz--campaign auth_blitzFull authentication and session attack battery
API Siege--campaign api_siegeREST, GraphQL, WebSocket, gRPC total assault
Client Harvest--campaign client_harvestClient-side XSS, DOM, prototype pollution, CSP
Infrastructure Sweep--campaign infrastructure_sweepPath traversal, misconfig, CORS, TLS weakness
Injection Storm--campaign injection_stormSQLi, XSS, SSRF, RCE, SSTI, XXE, LDAP, command injection
Logic Bomb--campaign logic_bombRace conditions, IDOR, privilege escalation, workflow bypass
Exfil Express--campaign exfil_expressData extraction, CSRF, lateral movement, persistence
WAF Buster--campaign waf_busterWAF bypass, encoding chains, payload mutation, evasion
Attack Surface
55 Attack Vectors
Full web application attack surface coverage across 10 categories. Every finding mapped to OWASP Web Top 10, OWASP API Top 10, and CWE IDs.

Reconnaissance (5)

  • Surface Mapper
  • Technology Fingerprint
  • Hidden Endpoint Discovery
  • JavaScript Route Extraction
  • API Discovery

Injection (8)

  • SQL Injection
  • Cross-Site Scripting (XSS)
  • Server-Side Request Forgery
  • Remote Code Execution
  • Server-Side Template Injection
  • XML External Entity (XXE)
  • LDAP Injection
  • Advanced Command Injection

Evasion (5)

  • WAF Bypass
  • Encoding Chain Evasion
  • Payload Mutation Evasion
  • Fingerprint Rotation
  • Rate Limit Evasion

Authentication (6)

  • Session Hijack Analysis
  • Default Credential Test
  • OAuth Abuse
  • JWT Attacks
  • MFA Bypass
  • Cookie Security Analysis

API (8)

  • REST API Assault
  • GraphQL Assault
  • WebSocket Assault
  • gRPC Assault
  • BOLA / IDOR
  • BFLA
  • Mass Assignment
  • Schema Abuse

Client-Side (5)

  • DOM-based XSS Analysis
  • Prototype Pollution
  • CSP Bypass Analysis
  • JS Dependency Vulnerabilities
  • Clickjacking Protection

Infrastructure (6)

  • Path Traversal
  • LFI / RFI
  • Misconfiguration Test
  • CORS Abuse
  • Header Injection
  • TLS Weakness

Business Logic (5)

  • Race Conditions
  • IDOR Test
  • Privilege Escalation
  • Workflow Bypass
  • Payment Tampering

Orchestration (3)

  • Attack Chain Discovery
  • Finding Correlator
  • Effort Redistributor

Exfiltration (4)

  • Data Extraction
  • Session Riding (CSRF)
  • Lateral Movement
  • Respawn (Persistence)
Red Specter Red Team
The Complete Offensive Pipeline
Ten tools. Every layer. Nothing assumed safe. One company. Full stack.
Stage 1
FORGE
LLM Testing
Stage 2
ARSENAL
Agent Testing
Stage 3
PHANTOM Swarm
Swarm Assault
Stage 4
POLTERGEIST
Web Siege
Stage 5
GLASS
Traffic Interception
Stage 6
NEMESIS
Adversarial AI
Stage 7
SPECTER SOCIAL
Human Layer
Stage 8
PHANTOM KILL
OS/Kernel
Stage 9
GOLEM
Physical Layer
Stage 10
HYDRA
Supply Chain
IDRIS
IDRIS
Discovery & Governance
Defence
AI Shield
Defence
SIEM
redspecter-siem
SIEM Integration
Capabilities
Key Features
10 Autonomous Agents Coordinated swarm with distinct specialisations
55 Attack Vectors Full web application attack surface coverage
532 Static Payloads SQLi, XSS, RCE, SSRF, SSTI, path traversal
17 Mutation Techniques Payload mutation engine generates unlimited variants
Triple OWASP + CWE Mapping OWASP Web Top 10, OWASP API Top 10, CWE IDs
CVSS 3.1 Scoring Every finding scored with CVSS 3.1 severity
Ed25519 Signed Reports SHA-256 evidence chains, RFC 3161 timestamps
1,189 Tests Passing Full test suite including 259 unleashed tests, zero failures
Scope Enforcement Built-in scope controls and rate limiting
10 Named Campaigns Pre-built coordinated assault playbooks
HTML + JSON Reports Board-ready HTML and machine-readable JSON
CI/CD Grade Gate poltergeist grade --fail-below C
Ed25519 Cryptographic Override
POLTERGEIST UNLEASHED

Cryptographic override. Private key controlled. One operator. Founder's machine only.

Destroy Before They Do

Ten agents. 55 vectors. 532 payloads. 72 unleashed techniques. One command. The most comprehensive web application penetration testing swarm ever built.

Documentation Contact
Pure Engineering
Zero External Tools. Zero Wrappers.

Most pen-testing frameworks are menus that shell out to sqlmap, nikto, and nmap behind a terminal UI. POLTERGEIST is actual engineering. Every payload, every mutation, every detection algorithm, every scoring engine — written from scratch in pure Python. Zero subprocess calls. Zero external tool dependencies.

532
Custom Payloads
17
Mutation Techniques
0
Subprocess Calls
0
External Dependencies
Enterprise Integration
Enterprise SIEM Integration — Native

Export every finding directly to your SIEM. One flag. Native format translation. Ed25519 signatures and RFC 3161 timestamps preserved across every export.

Splunk
HEC • CIM Compliant
Sentinel
CEF • Log Analytics API
QRadar
LEEF 2.0 • Syslog
poltergeist scan https://target.com --export-siem splunk
Available On

Security Distros & Package Managers

Kali Linux
.deb package
Parrot OS
.deb package
BlackArch
PKGBUILD
REMnux
.deb package
Tsurugi
.deb package
PyPI
pip install
macOS
pip install
Windows
pip install
Docker
docker pull