Commands the battlefield. Deploys every weapon. Doesn't stop. Campaign planning, multi-tool coordination, 40-tool NIGHTFALL registry, adaptive strategy, evidence chain, and relentless execution -- weaponised for authorised red team engagements.
Running one tool at a time against a modern AI stack is like fighting a war with a single soldier. You need reconnaissance, initial access, escalation, lateral movement, persistence, exfiltration, and impact -- all coordinated, all adapting in real time. WARLORD thinks like a campaign commander, not a button-pusher.
40 offensive tools. Each with its own CLI, flags, output format, and dependencies. Running them one at a time means missed attack paths, inconsistent coverage, and hours of manual coordination that should take minutes.
Recon feeds initial access. Initial access feeds escalation. Escalation feeds lateral movement. Without automated dependency resolution, operators lose the chain -- and the chain is everything in a real engagement.
When FORGE gets blocked by a guardrail, a human operator pivots to JANUS or SERPENT. That takes time. WARLORD pivots automatically -- escalation rules, pivot rules, abort rules -- all firing in real time based on phase results.
Manual engagements produce scattered logs across dozens of tool outputs. No unified evidence chain. No cryptographic signing. No single campaign report tying every finding to every phase to every tool. WARLORD signs everything.
Individual tool outputs tell you what happened. Campaign intelligence tells you why it matters. WARLORD correlates findings across all 40 tools, identifies attack paths that span multiple phases, and quantifies real-world impact.
High-impact operations need cryptographic gates, not just flags. Ed25519 dual-gate. One private key. One operator. One machine. Destruction presets require --override AND --confirm-destroy. No accidents.
WARLORD is built from six specialised subsystems that together form a complete autonomous campaign engine. Each subsystem handles a distinct phase of the engagement lifecycle -- from planning through execution to reporting.
Define and plan multi-phase campaigns with objectives, success criteria, phase dependencies, and timeout controls. Pre-built templates for common engagement types.
Resolves phase dependencies into parallel execution waves. Phases with no dependencies fire first. Phases with satisfied dependencies are grouped for concurrent execution.
Complete registry of all 40 NIGHTFALL offensive tools with capability mapping. Intelligent tool selection by objective type. 21 capability categories.
Automated pre-campaign reconnaissance before any tool fires. Target surface mapping. Technology fingerprinting. Attack surface enumeration.
Analyses phase results in real time and adjusts campaign strategy. Escalation rules deploy heavier tools when findings are critical. Pivot rules switch vectors when blocked.
Generates comprehensive campaign reports with multi-tool result correlation, risk scoring, and findings by severity and tool. Signed evidence chain for every engagement.
Campaign memory, strategic journal, and OODA reasoning loop. The campaign engine thinks between phases — tracking intelligence, logging decisions, and reasoning about what to do next.
Four normal-mode campaign templates covering the most common red team engagement types. Each template defines a complete phase sequence with tool assignments, dependency chains, and success criteria. Select a template with warlord plan --template <id> or build custom campaigns from scratch.
WARLORD runs entirely from the command line. No GUI. No web interface. Five primary commands cover the full campaign lifecycle -- from listing templates to launching full autonomous campaigns.
$ warlord templates Campaign Templates -- Normal Mode ID Name Phases Description full_stack_assessment Full Stack AI Assessment 8 Complete assessment of an AI stack guardrail_deep_dive Guardrail Deep Dive 5 Focused guardrail stack resilience agent_network_assault Agent Network Assault 6 Attack multi-agent network infrastructure_siege Infrastructure Siege 6 Cloud and compute infrastructure
$ warlord plan -t https://target.example.com --template full_stack_assessment Campaign: Full Stack AI Assessment Target: https://target.example.com Phases: 8 Tools: 12 Estimated duration: 150 min Wave 1: P1 Wave 2: P2, P3, P6 Wave 3: P4, P5 Wave 4: P7 Wave 5: P8
$ warlord launch -t https://target.example.com --template agent_network_assault --autonomous WARLORD CAMPAIGN: Agent Network Assault Target: https://target.example.com Mode: AUTONOMOUS Campaign Results Phase Type Tools Findings Status Agent Discovery recon GLASS, SHADOWMAP 2 complete MCP Exploitation initial_access VECTOR 5 complete Agent Compromise escalation FORGE, NEMESIS 4 complete Agent Lateral lateral_movement NEMESIS, LAZARUS 3 complete Memory Persistence persistence LAZARUS 3 complete Network Impact impact NEMESIS, KAMIKAZE 6 complete Total findings: 23 Phases completed: 6
$ warlord arsenal NIGHTFALL Arsenal: 40 tools, 50,914 tests Capabilities: 21 # Name Tests Description 1 FORGE 9,298 Automated LLM security testing 2 ARSENAL 2,539 Exploit chain builder 3 PHANTOM 288 Evasion and stealth ... 40 WARLORD 57 Autonomous campaign engine
$ warlord capabilities Arsenal: 40 tools, 50,914 tests Campaign templates: 4 (normal mode) Destruction presets: 4 (UNLEASHED only) Autonomous: True Adaptive: True Evidence chain: True Ed25519 signing: True
$ warlord templates --override --confirm-destroy Campaign Templates -- Normal Mode [... 4 templates ...] UNLEASHED Destruction Presets ID Name Phases Description annihilate ANNIHILATE -- Total Destruction 5 9 tools. Recon through OS-level compromise scorched_earth SCORCHED EARTH -- Infrastructure 6 6 tools. Recon, exploit, DCSync, OS kill web_destroy WEB DESTROY -- Web App Compromise 6 6 tools. Web scan, exploit, browser hook ai_destroy AI DESTROY -- AI Stack Compromise 7 7 tools. LLM, agent, guardrail, RAG, code gen
The orchestrator is the brain of WARLORD. It takes a campaign definition with phase dependencies and resolves them into an ordered execution plan. Phases with no dependencies fire first. Phases whose dependencies are all satisfied are grouped into parallel execution waves.
Topological sort of phase dependencies. WARLORD builds a dependency graph from phase definitions, identifies phases with satisfied dependencies, and groups them for concurrent execution.
Independent phases run simultaneously. In the full_stack_assessment template, Wave 2 runs P2 (Guardrail Testing), P3 (MCP Exploitation), and P6 (Infrastructure) in parallel because they all only depend on P1.
Each completed phase passes data forward to subsequent phases via the data_passed_forward dictionary. Recon findings feed into initial access. Compromised credentials feed into lateral movement. The chain never breaks.
Three execution modes. Supervised mode requires operator confirmation between waves. Autonomous mode runs the full campaign without intervention. UNLEASHED mode activates destruction presets.
Eight phase types mirror the kill chain. Each phase type carries expected finding estimates and maps to specific tool categories in the arsenal.
Campaigns move through a defined lifecycle from planning to completion. Each phase tracks its own status independently.
WARLORD maintains a complete registry of every NIGHTFALL offensive tool. Each tool is catalogued with its capabilities, test count, and CLI command. The arsenal engine selects optimal tools for each campaign objective automatically.
| # | Tool | CLI | Tests | Description | Capabilities |
|---|---|---|---|---|---|
| 01 | FORGE | forge | 9,298 | Automated LLM security testing | injection, guardrail_bypass |
| 02 | ARSENAL | arsenal | 2,539 | Exploit chain builder | injection, escalation |
| 03 | PHANTOM | phantom | 288 | Evasion and stealth | evasion |
| 04 | POLTERGEIST | poltergeist | 1,189 | Persistence framework | persistence |
| 05 | GLASS | glass | 850 | Reconnaissance and mapping | recon |
| 06 | NEMESIS | nemesis | 2,011 | Autonomous adversary -- 18 weapons, 40 entities | autonomous, injection, escalation |
| 07 | SPECTER SOCIAL | specter-social | 1,242 | Social engineering framework | social_engineering |
| 08 | PHANTOM KILL | phantom-kill | 571 | Anti-forensics | evasion |
| 09 | GOLEM | golem | 973 | Infrastructure attack | infrastructure |
| 10 | HYDRA | hydra | 1,039 | Multi-vector attack | injection, escalation |
| 11 | IDRIS | idris | 553 | Identity attack | identity |
| 12 | SCREAMER | screamer | 395 | Stress testing | destruction |
| 13 | WRAITH | wraith | 889 | Command and control | lateral_movement, persistence |
| 14 | REAPER | reaper | 5,267 | Post-exploitation | exfiltration, escalation |
| 15 | GHOUL | ghoul | 1,408 | Data exfiltration | exfiltration |
| 16 | DOMINION | dominion | 1,866 | Privilege escalation | escalation |
| 17 | SHADOWMAP | shadowmap | 930 | Network mapping | recon |
| 18 | BANSHEE | banshee | 986 | Wireless attacks | infrastructure |
| 19 | WRAITH MIND | wraith-mind | 158 | Psychological manipulation | social_engineering |
| 20 | KRAKEN | kraken | 62 | Maritime/ICS attacks | infrastructure |
| 21 | HARBINGER | harbinger | 71 | Supply chain attacks | infrastructure |
| 22 | SIREN | siren | 58 | Voice/audio attacks | deepfake |
| 23 | BLADE RUNNER | blade-runner | 143 | Physical security | infrastructure |
| 24 | PROXY WAR | proxy-war | 127 | Proxy chain attacks | evasion, lateral_movement |
| 25 | ORION | orion | 210 | Satellite/space systems | infrastructure |
| 26 | RAVEN | raven | 174 | Drone/UAV systems | infrastructure |
| 27 | LEVIATHAN | leviathan | 409 | Cloud exploitation | cloud_attack |
| 28 | JUSTICE | justice | 339 | Legal compliance testing | recon |
| 29 | KAMIKAZE | kamikaze | 292 | Destructive operations | destruction |
| 30 | MIRAGE | mirage | 204 | Deepfake generation | deepfake |
| 31 | ECHO | echo | 211 | RAG poisoning | rag_attack, injection |
| 32 | MIMIC | mimic | 220 | Code generation attacks | injection |
| 33 | CHIMERA | chimera | 206 | Multi-model attacks | multi_model |
| 34 | VORTEX | vortex | 245 | Cloud AI attacks | cloud_attack |
| 35 | VECTOR | vector | 172 | MCP protocol exploitation | mcp_exploitation, injection |
| 36 | LAZARUS | lazarus | 96 | AI memory persistence | memory_attack, persistence |
| 37 | SERPENT | serpent | 61 | Chain-of-thought attacks | cot_attack |
| 38 | JANUS | janus | 73 | Guardrail bypass testing | guardrail_bypass |
| 39 | ARCHITECT | architect | 68 | AI infrastructure exploitation | infrastructure, cloud_attack |
| 40 | WARLORD | warlord | 57 | Autonomous campaign engine | campaign, autonomous |
WARLORD doesn't blindly follow a plan. The adapt engine analyses phase results in real time and makes strategic decisions -- escalating tools when findings are critical, pivoting to alternative attack vectors when blocked, adding phases when new surfaces appear, and aborting when the target is hardened beyond scope.
When a recon phase produces critical findings, WARLORD escalates to FORGE and NEMESIS. When initial access succeeds, it deploys DOMINION and REAPER. When escalation works, it moves to GHOUL and KAMIKAZE for impact.
When FORGE is blocked, pivot to JANUS or VECTOR. When JANUS can't bypass guardrails, pivot to SERPENT (reasoning attacks) or LAZARUS (memory persistence). When VECTOR fails, pivot to ARCHITECT or LEVIATHAN.
When the finding count exceeds 10 and the campaign isn't finished, WARLORD recognises additional attack surface and recommends adding new phases to the campaign plan dynamically.
Phases that cannot produce results based on prior phase outcomes are identified and skipped. No wasted cycles on attack vectors that the prior phase data proves are unviable.
When findings suggest a capability gap in the current phase, WARLORD dynamically adds tools from the 40-tool arsenal to fill the gap -- without requiring a new phase.
Phases producing results but hitting time limits get extended. A productive phase should never be killed by a clock when it is still finding vulnerabilities.
If 3 or more phases complete with zero findings, WARLORD recommends aborting. The target is either well-hardened, out of scope, or the attack surface doesn't match the template.
When everything is working as expected -- moderate findings, no blocks, no new surfaces -- the adapt engine simply continues with the original plan. No adaptation needed.
WARLORD sits at the top of the NIGHTFALL stack. It doesn't replace the individual tools -- it commands them. Every tool in the arsenal operates as a deployable unit that WARLORD assigns to campaign phases, monitors for results, and adapts around.
Every campaign execution produces a cryptographically signed evidence chain. Ed25519 signatures on findings. SHA-256 integrity hashes on reports. UUID-based campaign and phase identifiers. UTC timestamps on every state transition. The evidence chain is immutable and court-admissible.
Full campaign summary with risk score, risk grade, total findings, findings by severity, findings by tool, adaptations made, and total duration.
Every finding and every report is signed with Ed25519 elliptic curve cryptography. One private key. One operator. Tamper-evident. Non-repudiable.
Report files are hashed with SHA-256. Any modification to a report after generation invalidates the integrity hash. Zero tolerance for post-hoc tampering.
Campaign IDs (RSW-CAMP-*), plan IDs (RSW-PLAN-*), adaptation IDs (ADAPT-ESC-*, ADAPT-PIV-*). Every entity in the campaign is uniquely identifiable and traceable.
ISO 8601 UTC timestamps on campaign creation, phase start, phase completion, and report generation. Every event in the campaign timeline is precisely recorded.
Per-phase result records: phase_id, status (complete/failed/timeout/skipped), tools_executed, findings_count, duration_seconds, data_passed_forward.
WARLORD campaign telemetry is structured for consumption by SIEM platforms and SOC teams. Every phase result, finding, and adaptation is exportable in machine-readable formats for correlation with defensive monitoring.
Campaign results export as structured data with consistent schemas. Phase results include tool names, finding counts, severity levels, and timestamps -- ready for SIEM ingestion without transformation.
WARLORD campaigns produce timestamped attack events that SOC teams can correlate against their defensive monitoring. Did the SIEM catch the FORGE scan? Did the WAF log the JANUS bypass? Did the EDR see PHANTOM KILL?
By comparing WARLORD campaign findings with SIEM alert data, security teams can identify detection gaps -- attacks that succeeded without triggering a single alert. That gap is the real finding.
Full campaign execution logs enable replay analysis. SOC teams can walk through the entire multi-phase campaign step by step, understanding exactly what happened at each phase and which tools were deployed.
Standard mode detects. UNLEASHED exploits. Ed25519 crypto. Dual-gate safety. One operator.
Maps full attack surface across all tool categories. Coordinates detection-only scans across 40 tools. No exploitation. Reports only.
Plans full multi-tool campaigns. Shows exactly what every tool would do. Execution order with parallel waves. Ed25519 required. No execution.
Cryptographic override. Private key controlled. One operator. Founder's machine only. --override --confirm-destroy.
THIS TOOL IS FOR AUTHORISED SECURITY TESTING ONLY. EVERY EXECUTION IS SIGNED AND LOGGED.
Four pre-built campaigns that orchestrate multiple NIGHTFALL tools in sequence. Each requires Ed25519 cryptographic authorisation. One private key. One operator. One machine.
EVERY DESTRUCTION PRESET REQUIRES Ed25519 CRYPTOGRAPHIC AUTHORISATION. --override --confirm-destroy
WARLORD orchestrates sustained multi-tool campaigns against target systems. It is intended for authorised penetration testing and red team engagements ONLY. Unauthorised use is illegal and unethical. Always obtain written authorisation and define clear scope before launching any campaign. Every campaign execution is cryptographically signed, timestamped, and logged. There is no plausible deniability.
6 subsystems. 57 tests. 40 tools. 4 campaign templates. 4 destruction presets. 21 capability types. 8 phase types. The autonomous engine that commands the entire NIGHTFALL arsenal.