SPECTER VICIOUS Docs — Full CLI Reference & Subsystem Guide

1. INSTALLATION

            $ pip install specter-vicious

            $ specter-vicious --version  # v1.0.0

            $ specter-vicious status    # display gate level and capabilities

SPECTER VICIOUS requires Python 3.11+. The PRION mutation engine requires a CUDA-capable GPU for full performance (20× CPU speed). CPU fallback is available but significantly slower for large mutation campaigns.

2. QUICK START

OPEN Gate — Reconnaissance Only

            $ specter-vicious recon --target https://target.example.com # WAF fingerprint + attack surface map

            $ specter-vicious recon --target https://target.example.com --json-output # structured JSON profile

INJECT Gate — Full AI-Driven Assault

            VICIOUS_INJECT_KEY=<key> specter-vicious engage --target https://target.example.com --roe roe.txt
        

EVOLVE Gate — Continuous Learning Mode

            VICIOUS_EVOLVE_KEY=<key> specter-vicious evolve --target https://target.example.com --roe roe.txt --confirm-evolve
        

UNLEASHED Gate — Persist and Harvest

            VICIOUS_UNLEASHED_KEY=<key> specter-vicious persist --target https://target.example.com --roe roe.txt --confirm-destroy

            VICIOUS_UNLEASHED_KEY=<key> specter-vicious harvest --target https://target.example.com --roe roe.txt --confirm-destroy

3. GATE ARCHITECTURE

Gate	Key Required	ROE Phrase	Subsystems Unlocked
OPEN	None	None	RECONNAISSANCE, REPORT
INJECT	VICIOUS_INJECT_KEY	Any valid ROE file	REASONING, ARMORY-SELECT, PRION-MUTATE, ORCHESTRATE, ADAPT
EVOLVE	VICIOUS_EVOLVE_KEY	"autonomous evolution authorised"	EVOLVE (continuous learning + --confirm-evolve)
UNLEASHED	VICIOUS_UNLEASHED_KEY	"vicious unleashed authorised"	PERSIST, HARVEST (+ --confirm-destroy)

Gate keys must be set as environment variables. Keys are validated against the operator key registry at ~/.red-specter/vicious/operator_key.pem. The EVOLVE gate and UNLEASHED gate are independent — holding one does not grant the other.

4. ROE FILE FORMAT

All INJECT-gate and above operations require a Rules of Engagement file. The ROE file must be passed with --roe <path>.

            # roe.json — example ROE file

            {

              "engagement_id": "RS-2026-001",

              "operator": "Red Specter Operator",

              "authorisation": "web application penetration testing authorised",

              "targets": ["https://target.example.com"],

              "scope": "full",

              "expires": "2026-12-31T23:59:59Z",

              "signed_by": "engagement-lead@example.com"

            }

For EVOLVE gate: the authorisation field must contain the phrase "autonomous evolution authorised". For UNLEASHED gate: the phrase must be "vicious unleashed authorised". ROE files are Ed25519-verified against the operator signing key.

5. SUBSYSTEM REFERENCE

01 RECONNAISSANCE OPEN

Target profiling, WAF fingerprinting, and attack surface mapping. Probes HTTP response headers, error page signatures, and timing behaviour to identify WAF vendor (ModSecurity, Cloudflare, AWS WAF, Akamai, Imperva, F5 AWAF, Barracuda, Sucuri). Enumerates injectable parameters, endpoint inventory, and authentication surface. Returns a scored target profile consumed by REASONING and ARMORY-SELECT.

$ specter-vicious recon --target <url> [--crawl-depth 3] [--json-output]

02 REASONING INJECT

DeepSeek R1 strategic attack planning. Consumes the RECONNAISSANCE profile and outputs a multi-phase attack plan: injection vector selection, bypass hypotheses, fallback pivot tree. Re-invoked after ADAPT cycles. Does not follow a fixed script — reasons about the specific target WAF configuration.

VICIOUS_INJECT_KEY=<key> specter-vicious reason --target <url> --roe roe.txt [--profile recon-output.json]

03 ARMORY-SELECT INJECT

Payload selection from ARMORY v13.1.0 (3,406 payloads, 170 categories). Queries by WAF fingerprint and attack class. Applies semantic similarity ranking. Seeds the PRION engine with selected base payloads.

VICIOUS_INJECT_KEY=<key> specter-vicious armory-select --target <url> --roe roe.txt --attack-class sqli

04 PRION-MUTATE INJECT

GPU-accelerated WAF-evading payload mutation. 20× CPU speed. Strategies: token substitution, URL/HTML/Unicode encoding, whitespace normalisation, comment insertion, case variation, concatenation fragmentation, null-byte injection. High-confidence variants scored and forwarded to ORCHESTRATE.

VICIOUS_INJECT_KEY=<key> specter-vicious prion-mutate --target <url> --roe roe.txt --payload-class sqli [--gpu] [--variants 5000]

05 ORCHESTRATE INJECT

Adaptive attack execution. Dispatches payload variants with configurable concurrency, jitter, and back-off. Classifies each response: BYPASS / BLOCKED / PARTIAL / ERROR. Feeds results to ADAPT.

VICIOUS_INJECT_KEY=<key> specter-vicious orchestrate --target <url> --roe roe.txt --concurrency 10 --jitter 200ms

06 ADAPT INJECT

Real-time WAF defence analysis and strategy feedback. Analyses ORCHESTRATE results to infer WAF detection rules. Updates PRION mutation model. Triggers REASONING re-invocation when strategy revision is required.

VICIOUS_INJECT_KEY=<key> specter-vicious adapt --session VCS-abc123 --roe roe.txt

07 EVOLVE EVOLVE

Continuous learning mode. Retains successful bypass patterns and blocked payload signatures across sessions. Builds a target-class-specific mutation corpus. Requires VICIOUS_EVOLVE_KEY + ROE "autonomous evolution authorised" + --confirm-evolve.

VICIOUS_EVOLVE_KEY=<key> specter-vicious evolve --target <url> --roe roe.txt --confirm-evolve [--session-limit 100]

08 PERSIST UNLEASHED

Durable web foothold implantation. Exploits BYPASS-confirmed injection vectors to plant persistent backdoors: webshell upload, SQL authentication bypass, SSTI-based code execution, deserialization RCE. Requires VICIOUS_UNLEASHED_KEY + ROE "vicious unleashed authorised" + --confirm-destroy.

VICIOUS_UNLEASHED_KEY=<key> specter-vicious persist --target <url> --roe roe.txt --confirm-destroy

09 HARVEST UNLEASHED

Credential, session token, and data extraction. SQL injection data dump, credential table extraction, session token harvest via XSS, admin credential brute-force from harvested hashes, API key extraction, IMDS credential retrieval via SSRF. Requires VICIOUS_UNLEASHED_KEY + ROE "vicious unleashed authorised" + --confirm-destroy.

VICIOUS_UNLEASHED_KEY=<key> specter-vicious harvest --target <url> --roe roe.txt --confirm-destroy [--extract-type credentials,sessions,apikeys]

10 REPORT OPEN

VCS-{hex12} Ed25519+ML-DSA-65 dual-signed session report. WAF fingerprint, attack plan, mutation statistics (variants generated, bypass rate, blocked rate), bypass-confirmed vectors, persist foothold status, harvest extraction inventory. MITRE ATT&CK and ATLAS mapping.

$ specter-vicious report --session-id VCS-abc123def456

$ specter-vicious report --session-id VCS-abc123def456 --format pdf

6. FULL CLI REFERENCE

specter-vicious recon       --target <url> [--crawl-depth N] [--json-output] [--timeout N]

specter-vicious reason      --target <url> --roe <file> [--profile <json>]

specter-vicious armory-select --target <url> --roe <file> --attack-class <class>

specter-vicious prion-mutate --target <url> --roe <file> [--gpu] [--variants N]

specter-vicious orchestrate --target <url> --roe <file> [--concurrency N] [--jitter <ms>]

specter-vicious adapt       --session <id> --roe <file>

specter-vicious engage      --target <url> --roe <file>     # full INJECT pipeline

specter-vicious evolve      --target <url> --roe <file> --confirm-evolve

specter-vicious persist     --target <url> --roe <file> --confirm-destroy

specter-vicious harvest     --target <url> --roe <file> --confirm-destroy [--extract-type <types>]

specter-vicious report      --session-id <VCS-id> [--format json|pdf|html]

specter-vicious sessions    # list all sessions with status and report IDs

specter-vicious status      # display gate level, active sessions, PRION capabilities

7. REPORT FORMAT

Every SPECTER VICIOUS session generates a VCS-{hex12} canonical JSON report, Ed25519 signed with the operator signing key and ML-DSA-65 countersigned. Reports are saved to ~/.red-specter/vicious/reports/.

session_id

VCS-{hex12} unique session identifier

target

Target URL and WAF fingerprint

waf_vendor

Identified WAF vendor, version, and confidence score

attack_plan

DeepSeek R1 reasoning output: phases, hypotheses, pivots

mutation_stats

Variants generated, bypass rate %, blocked rate %, PARTIAL rate %

bypass_vectors

Confirmed bypass injection vectors with payload samples

persist_status

Foothold type, location, and persistence verification result

harvest_inventory

Extracted credential count, session tokens, API keys, data volume

evolve_corpus

Bypass patterns retained for future sessions (EVOLVE gate)

mitre_mapping

ATT&CK and ATLAS technique identifiers

signature

Ed25519 + ML-DSA-65 dual signature and signing key fingerprint

8. WMD CLASSES

web_application_autonomous_exploitation waf_evasion_mutation ai_driven_attack_planning persistent_web_compromise credential_and_data_harvest continuous_evolution_attack

9. PRION ENGINE

The PRION mutation engine generates semantically-equivalent but syntactically distinct payload variants at GPU speed. Mutation strategies applied per variant:

Token substitution — replace keywords with equivalent tokens (e.g., SELECT → SEL/**/ECT)
Encoding transformation — URL encoding, HTML entities, Unicode normalisation, double-encoding
Whitespace normalisation — tab/newline/form-feed injection, null-byte padding
Comment insertion — inline SQL/HTML/JS comments that parse away after WAF inspection
Case variation — mixed-case keywords that bypass case-sensitive WAF signatures
Concatenation fragmentation — split payloads across multiple parameters that reassemble at parse time
Null-byte injection — terminate string matching at WAF level without affecting interpreter

Each variant receives a bypass probability score from a learned model trained on WAF response signatures. Only variants with score above threshold proceed to ORCHESTRATE. GPU acceleration (CUDA) achieves 20× CPU throughput for large mutation campaigns.

10. DEEPSEEK R1 REASONING

SPECTER VICIOUS integrates DeepSeek R1 as its strategic planning engine. R1 operates in multi-step reasoning mode, producing an explicit chain-of-thought before committing to an attack plan.

The reasoning loop:

Phase 1 — Analyse RECONNAISSANCE profile: WAF vendor, version, endpoint inventory, parameter types
Phase 2 — Formulate bypass hypotheses based on known WAF vendor weaknesses
Phase 3 — Prioritise attack vectors by expected bypass probability and impact
Phase 4 — Build fallback pivot tree: if primary vector is blocked, what are the next three options?
Phase 5 — After each ADAPT cycle: revise the plan based on observed defence behaviour

R1 does not follow a fixed rule set. It reasons about the specific configuration of the target WAF and the observed pattern of its responses. The longer the engagement runs, the more accurate its model of the defence becomes.