T14 — Full-Spectrum Web Security & Post-Exploitation

REAPER v2.1

Full-Spectrum Web Security and Post-Exploitation

Pure Python. Built from the ground up for the new age of red teaming.

5,439 tests · 11 phases · 192+ payloads (PRION) · T14 of 120 tools

What is REAPER?

REAPER is a state-of-the-art offensive security framework built in pure Python with zero wrappers and zero dependencies on legacy tooling. It combines traditional web application security testing with AI-powered vulnerability analysis and full post-exploitation capabilities.

Built because the Kali toolset deserved a rival.

Where other frameworks rely on decades-old Ruby wrappers, shell scripts, and opaque module packs, REAPER is readable, auditable, and modular. Every phase is a standalone Python module. Every payload is documented. Every finding is structured JSON you can pipe into your pipeline.

What’s New in v2.1 — ARMORY PRION Integration

v2.1 wires the ARMORY PRION mutation engine directly into the REAPER payload system, replacing the static payload library with a living, adapting one.

PRION Mutation Engine

2,328 payloads across 110 categories. 27 mutation techniques generate dynamic WAF-bypass variants on demand. Every scan starts with a fresh mutation pass.

GPU Acceleration

Set PRION_LOCAL=true for on-device GPU-accelerated mutation via RTX 3090. Mutation speed scales linearly with VRAM. Zero API calls — fully air-gapped.

Graceful Fallback

When PRION is offline, REAPER falls back automatically to the 192-payload static library, so scans never stall. Use --no-armory to force static mode explicitly.

WAF-Bypass Variants

Mutation techniques include token splitting, Unicode normalization, case variation, comment injection, encoding chains, and 21 additional transform classes.

# Enable PRION with local GPU mutation
PRION_LOCAL=true reaper engage https://target.com

# Force static payloads only
reaper engage https://target.com --no-armory

# Check PRION status
reaper status --prion

WARLORD Integration

REAPER is now fully wired into WARLORD, the NIGHTFALL autonomous campaign orchestrator. WARLORD can call REAPER as part of a multi-tool campaign, passing it targets and gate tokens and receiving findings in a WARLORD-compatible JSON schema.

This makes REAPER the first web penetration testing tool in the world wired into an autonomous AI campaign orchestrator with cryptographic gate control.

Gate | Phases Available | WARLORD Use Case
OPEN | Discovery and scan | Reconnaissance phase of a multi-tool campaign
INJECT | Full engine, no UNLEASHED phases | Active exploitation within an authorised engagement
UNLEASHED | Full 11-phase engagement | Complete red team campaign with post-exploitation

# WARLORD calls REAPER as part of a campaign
reaper-warlord --gate open --target https://target.com engage

# WARLORD receives structured JSON findings
# {"tool": "reaper", "vulnerabilities_found": 3, "critical_count": 1, ...}

11-Phase Engagement Flow

REAPER structures every engagement as a linear kill chain from initial fingerprinting through to full post-exploitation. Each phase is independently runnable or chained sequentially.

PHASE −1 (DISCOVERY): Technology fingerprinting, endpoint enumeration, API discovery. Builds the engagement surface map before any probe fires.
PHASE 0 (SCAN): OWASP Top 10 automated scan with the 192-payload static library and live PRION mutation. Structured JSON findings output.
PHASE 1 (EXPLOIT): Automated exploitation of confirmed scan findings. Chains vulnerability to initial access. Pure Python, no Metasploit dependency.
PHASE 2 (PAYLOAD): Custom payload generation for confirmed access vectors. Requires UNLEASHED gate. Ed25519-signed payload manifest.
PHASE 3 (C2): Command and control listeners. HTTP, DNS, and WebSocket channels. Requires UNLEASHED gate and ROE file.
PHASE 4 (IMPLANT): Agent deployment to compromised targets. Persistent callback with jitter and beacon randomisation. Requires UNLEASHED gate.
PHASE 5 (PRIVESC): Privilege escalation enumeration. SUID/SGID scanning, sudo misconfigurations, PATH hijacking, kernel exploit surface mapping.
PHASE 6 (LATERAL): Lateral movement across adjacent hosts. Credential reuse, SMB relay, token impersonation. Requires UNLEASHED gate.
PHASE 7 (PERSIST): Persistence installation via cron, systemd, startup scripts, and registry keys. Requires UNLEASHED gate.
PHASE 8 (HARVEST): Credential and file harvesting. Browser secrets, SSH keys, AWS credentials, environment variables, config files.
PHASE 9 (EVASION): Payload obfuscation and evasion. AV/EDR bypass techniques, traffic blending, and PRION-mutated delivery chains.

Web Security Coverage

OWASP Top 10 full coverage with a 192-payload static library augmented by PRION mutation. Every class fires across multiple bypass variants by default.

SQL Injection

Union-based, error-based, boolean blind, and time-based variants. Auto-detected backend fingerprinting. PRION generates WAF-specific bypass chains.

Cross-Site Scripting

Reflected, DOM, and stored XSS. Context-aware payloads adapt to attribute, script, and HTML injection contexts. CSP bypass variants included.

Server-Side Request Forgery

Internal network probing, cloud metadata endpoint enumeration (AWS/GCP/Azure), and protocol smuggling via URL parser confusion.

XML External Entity (XXE)

Classic, blind, and out-of-band XXE. SSRF via XXE chaining. Covers XML, SVG, DOCX, and RSS/Atom parser attack surfaces.

Server-Side Template Injection

Jinja2, Twig, FreeMarker, Velocity, and Smarty engine detection with RCE escalation payloads for each confirmed engine.

Command Injection

OS command injection across Linux and Windows targets. Shell metacharacter fuzzing with blind and time-based detection modes.

Path Traversal

Directory traversal with encoding bypass: double URL encoding, null bytes, UNC paths, and PRION-generated filter bypass variants.

API Security

GraphQL introspection and injection, REST IDOR enumeration, authentication bypass, and rate limit detection across API surfaces.

AI Mode

Optional GPU-accelerated analysis via Ollama. When --ai-mode is set, REAPER feeds scan findings into a local reasoning model for context-aware triage, payload selection, and attack chain planning. No data leaves the network.

Capability | Description
Vulnerability Triage | Context-aware analysis of findings with exploit feasibility scoring
Payload Selection | WAF-aware payload recommendation via PRION mutation scoring
Attack Chain Planning | Multi-step exploitation path planning from initial access to objective
Default Model | deepseek-r1:32b via local Ollama, replaceable with any Ollama-compatible model

# AI mode with default model (deepseek-r1:32b)
reaper engage https://target.com --ai-mode

# AI mode with custom model
reaper engage https://target.com --ai-mode --model llama3.3:70b

# Ollama endpoint override
reaper engage https://target.com --ai-mode --ollama http://192.168.1.10:11434

UNLEASHED Protocol

Destructive operations are cryptographically gated behind Ed25519 key authentication and a Rules of Engagement file. Dry-run mode is the default for all Phase 2–7 operations. No live payloads fire without explicit confirmation.

Gate | Phases | Requirement
OPEN | −1, 0, 5, 8 | No restriction: discovery, scanning, privesc enumeration, harvesting
INJECT | 1 | REAPER_GATE=INJECT environment variable
UNLEASHED | 2, 3, 4, 6, 7, 9 | Ed25519 key + ROE file containing “authorised” + --confirm-destroy flag

Quick Start

# Standard engagement — discovery + scan
reaper engage https://target.com

# AI-assisted engagement
reaper engage https://target.com --ai-mode

# Full engagement with UNLEASHED phases enabled
reaper engage https://target.com --unleashed --confirm-destroy

# Specific phase only
reaper phase scan https://target.com
reaper phase harvest https://target.com

# PRION mutation enabled
PRION_LOCAL=true reaper engage https://target.com

# Generate report from findings
reaper report --input ./findings.json --format html

Part of NIGHTFALL

REAPER is Tool 14 of 120 in the NIGHTFALL offensive AI security framework. Every tool in the suite integrates with ARMORY for payload sharing and with the broader kill chain taxonomy.

NIGHTFALL: 120 tools · 64,770 tests · 35 kill chain phases · 23 attack layers

REAPER occupies Layer 1 of the NIGHTFALL attack surface taxonomy: Traditional Web & Network Exploitation. It feeds findings and harvested credentials downstream into tools covering AI-specific attack surfaces, cloud infrastructure, and autonomous agent exploitation.

⚠ Authorised Use Only

REAPER is for authorised security testing only. You must have explicit written permission from the system owner before running any scan, probe, or exploitation phase.

Unauthorised use may violate the Computer Misuse Act 1990 (UK) and equivalent legislation in your jurisdiction, including the Computer Fraud and Abuse Act (US) and the Council of Europe Convention on Cybercrime.

Red Specter Security Research Ltd accepts no liability for use of this tool outside of authorised engagements.