Red Specter OMEGA
Mythos-class autonomous exploit replication engine — Tool 47 of NIGHTFALL
v1.0.0  |  626 tests passing  |  9 Apr 2026

Authorised Use Only. OMEGA is a commercial offensive security tool. Use requires written authorisation from the system owner before any testing. The UNLEASHED gate is a technical control — it does not replace legal authorisation. Computer Misuse Act 1990 (UK) applies.

Overview

OMEGA is the first autonomous exploit replication engine designed to reach Mythos-class capability. Where conventional tools find individual vulnerabilities, OMEGA builds a dependency graph of the full chain, generates executable PoC for every node, and delivers it through a live OODA loop — Observe, Orient, Decide, Act — with real-time detection pressure feedback from SENTINEL adjusting GHOST evasion timing throughout.

Ten subsystems. Fully autonomous operation under MINERVA. WARLORD-compatible findings output. MIRROR 20-pattern benchmark for capability tier assessment. Phase 1 DVWA validation: 77 chains, CVSS 10.0, MIRROR score 17/20 — Mythos-Class confirmed.

10 Subsystems: From surface discovery through tamper-evident evidence extraction
OODA Autonomous Loop: MINERVA orchestrates all subsystems without human intervention
Chain Dependency Graph: Maps CVE relationships, sequences, and combined CVSS scores
MIRROR Benchmark: 20 behavioural patterns — Mythos-Class threshold 15/20
WARLORD-Compatible: findings.json output matches WARLORD schema exactly
SHA-256 Evidence Sealing: HARVEST cryptographically seals all evidence at point of capture

Quick Start

1. Initialize Scope (UNLEASHED)

    $ omega auth create-scope --target http://target.lab
    # Creates ~/.red-specter/omega/authorized_scope.json
    # Ed25519 signed — scope expires after 30 days

2. Discover Attack Surface

    $ omega hunt http://target.lab
    # No UNLEASHED required for surface discovery
    # Enumerates endpoints, services, exposed vectors

3. Build Vulnerability Chain

    $ omega chain findings.json
    # Builds dependency graph from existing findings
    # Outputs chain map with combined CVSS scores
    # No UNLEASHED required for analysis

4. Run Full Autonomous Engagement

    $ omega run http://target.lab --override --confirm-destroy
    # MINERVA OODA loop activates
    # All 10 subsystems run in sequence
    # Requires scope file + --override + --confirm-destroy simultaneously

5. Generate Report

    $ omega report <engagement-id> --format html
    $ omega report <engagement-id> --format json      # WARLORD schema
    $ omega report <engagement-id> --format markdown

Subsystems

OMEGA operates through ten subsystems orchestrated by MINERVA. HUNTER and CHAIN run passively. The remaining eight require UNLEASHED authorization.

#  | Subsystem | Command             | UNLEASHED | Role
01 | CHAIN     | omega chain <file>  | No        | Vulnerability dependency graph
02 | HUNTER    | omega hunt <target> | No        | Attack surface discovery
03 | PAYLOAD   | omega run <target>  | YES       | PoC generation per chain node
04 | GHOST     | omega run <target>  | YES       | Evasion and adaptive timing
05 | MINERVA   | omega run <target>  | YES       | OODA autonomous loop orchestrator
06 | SURFACE   | omega run <target>  | YES       | Cross-surface coordination
07 | HARVEST   | omega run <target>  | YES       | SHA-256 tamper-evident extraction
08 | SENTINEL  | omega run <target>  | YES       | Detection pressure monitoring
09 | MIRROR    | omega run <target>  | YES       | 20-pattern Mythos benchmark
10 | REPORT    | omega report <id>   | No        | JSON / HTML / Markdown output

CHAIN

Builds the vulnerability dependency graph. Accepts a findings file (JSON) and maps CVE relationships into sequenced exploit chains. Calculates combined CVSS score for each chain path — taking account of access complexity, privilege escalation steps, and lateral movement distance. Outputs a directed acyclic graph with Mythos-grade paths flagged. No UNLEASHED required.

Findings:
    CRITICAL  CHN-001  Chain CVSS 10.0 confirmed
    HIGH      CHN-002  Multi-step chain identified
    MEDIUM    CHN-003  Single-hop chain only

HUNTER

Discovers the full attack surface of the target. Enumerates exposed HTTP/HTTPS endpoints, service banners, open ports, authentication posture, API surface, admin panels, and file upload vectors. Passive mode — no exploit delivery. Feeds discovered surface into CHAIN for graph construction. No UNLEASHED required.

Findings:
    CRITICAL  HNT-001  Admin panel unauthenticated
    HIGH      HNT-002  File upload endpoint exposed
    MEDIUM    HNT-003  Service version disclosed

PAYLOAD

Generates executable proof-of-concept exploit code for each node in the chain dependency graph. Templates are parameterised at generation time from HUNTER and CHAIN outputs — no hardcoded target data. PoC includes pre-conditions, execution steps, expected output, and cleanup procedure. Output is linked to the finding hash from HARVEST.

Findings:
    CRITICAL  PLD-001  Full kill-chain PoC generated
    HIGH      PLD-002  Partial chain PoC available
    INFO      PLD-003  No viable PoC for path

GHOST

Evasion and adaptive timing subsystem. Receives detection pressure score from SENTINEL in real-time and adjusts request cadence, timing jitter, header rotation, and payload fragmentation accordingly. Three operating modes: silent (maximum delay, minimum noise), adaptive (default, SENTINEL-driven), aggressive (minimum delay, maximum speed — requires explicit flag).

Findings:
    HIGH  GHO-001  Detection pressure forced silent mode
    INFO  GHO-002  Adaptive mode — nominal pressure

MINERVA

The OODA autonomous loop orchestrator. Continuously cycles through four phases without human intervention. Observe — collects surface data from HUNTER and detection data from SENTINEL. Orient — rebuilds the chain dependency graph with current intelligence. Decide — selects the optimal next exploit step based on GHOST evasion state and PAYLOAD availability. Act — delivers the selected exploit via SURFACE. Loops until the engagement objective is met or the scope boundary is reached.

SURFACE

Cross-surface coordination. Sequences exploit delivery across web application, REST API, and service layers in the correct dependency order defined by CHAIN. Handles surface switching mid-chain — for example, using a web RCE to open an API credential path, then pivoting to service-layer persistence. All requests are routed through GHOST for evasion.

Findings:
    CRITICAL  SRF-001  Cross-surface chain completed
    HIGH      SRF-002  Partial cross-surface pivot
    MEDIUM    SRF-003  Single-surface only

HARVEST

Tamper-evident evidence extraction. At point of capture — before any processing — HARVEST computes the SHA-256 hash of every response body, screenshot, credential, and extracted artefact. Hashes are written to a signed manifest alongside the raw evidence. Any post-collection modification of evidence will fail manifest verification. Output links directly to REPORT for chain-of-custody documentation.
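The seal-then-verify flow described above, as an added example that is not OMEGA's own code: artefacts are hashed with SHA-256 at capture, the manifest bytes are signed, and verification reports which artefacts were altered or removed. The manifest layout (a JSON map of name to digest), the Ed25519 manifest signature, and the names `Seal`, `Verify` and `Demo` are assumptions; the sample evidence is constructed.

```go
package main

import (
	"crypto/ed25519"
	"crypto/sha256"
	"encoding/json"
	"fmt"
	"sort"
)

func digest(b []byte) string { return fmt.Sprintf("%x", sha256.Sum256(b)) }

// Seal hashes every artefact at capture and signs the manifest bytes (name -> SHA-256 hex).
func Seal(artefacts map[string][]byte, priv ed25519.PrivateKey) (manifest, sig []byte) {
	entries := map[string]string{}
	for name, data := range artefacts {
		entries[name] = digest(data)
	}
	manifest, _ = json.Marshal(entries) // map keys are emitted sorted
	return manifest, ed25519.Sign(priv, manifest)
}

// Verify checks the signature over the stored manifest bytes, then re-hashes each listed artefact.
// It returns the sorted names that are missing or altered; ok is false if the manifest was changed.
func Verify(manifest, sig []byte, artefacts map[string][]byte, pub ed25519.PublicKey) (bad []string, ok bool) {
	var entries map[string]string
	if !ed25519.Verify(pub, manifest, sig) || json.Unmarshal(manifest, &entries) != nil {
		return nil, false
	}
	for name, want := range entries {
		if data, present := artefacts[name]; !present || digest(data) != want {
			bad = append(bad, name)
		}
	}
	sort.Strings(bad)
	return bad, true
}

func Demo() ([]byte, []byte, map[string][]byte, ed25519.PublicKey) { // constructed sample evidence
	pub, priv, _ := ed25519.GenerateKey(nil)
	ev := map[string][]byte{"resp-001.body": []byte("<html>login ok</html>"), "cred-001.txt": []byte("user:example")}
	manifest, sig := Seal(ev, priv)
	return manifest, sig, ev, pub
}

func main() {
	manifest, sig, ev, pub := Demo()
	ev["resp-001.body"] = []byte("edited after capture")
	fmt.Println(Verify(manifest, sig, ev, pub))
}
```

Verifying the signature over the stored manifest bytes, rather than over a re-serialised copy, keeps the check independent of how a later tool version encodes JSON.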

SENTINEL

Detection pressure monitoring. Probes for IDS response signatures, WAF block patterns, logging anomalies, and rate-limit signals throughout the engagement. Assigns a real-time detection pressure score (0–100). Feeds score to GHOST every 30 seconds. Three thresholds: LOW (0–30, adaptive timing continues), MEDIUM (31–65, increase jitter and delay), HIGH (66–100, switch to silent mode, pause active delivery).

Findings:
    CRITICAL  SEN-001  HIGH pressure — silent mode engaged
    MEDIUM    SEN-002  MEDIUM pressure detected
    INFO      SEN-003  LOW pressure throughout

MIRROR

The 20-pattern Mythos benchmark. Assesses OMEGA's own engagement against 20 standardised behavioural patterns drawn from Mythos-class threat intelligence. Each pattern is tested independently and awarded pass/fail. Outputs a tier classification and detailed per-pattern breakdown.

Tier 1 — Standard (5+ patterns)

Surface enumeration without false positives — single-vector PoC generation — 2-step chain sequencing — structured findings output — report generation with evidence hashes

Tier 2 — Advanced (10+ patterns)

Multi-step chain dependency resolution — cross-surface exploitation coordination — adaptive evasion timing — detection pressure awareness — evidence tamper-sealing at capture — autonomous loop with no human input between steps

Tier 3 — Mythos-Class (15+ patterns)

Full OODA loop with no human input — real-time detection feedback — full kill-chain PoC for CVSS 10.0 chains — WARLORD-compatible output — benchmark self-assessment and tier reporting — cross-surface coordination in live engagement — SHA-256 evidence sealing

    # Phase 1 DVWA validation result:
    [MIRROR] Pattern assessment — 20 patterns evaluated
    [MIRROR] Standard: 5/5 passed
    [MIRROR] Advanced: 7/10 passed (missing: 3 edge-case patterns)
    [MIRROR] Mythos-Class: 5/5 passed
    [MIRROR] Total: 17/20  MYTHOS-CLASS CONFIRMED

REPORT

Generates findings output in three formats. findings.json uses the WARLORD schema — all findings can be consumed directly by WARLORD for campaign correlation. HTML report includes executive summary, full finding details, evidence hashes, CVSS scores, and MIRROR benchmark result. Markdown report suitable for inclusion in engagement documentation.

CLI Reference

Command                                         | UNLEASHED | Description
omega hunt <target>                             | No        | Run HUNTER surface discovery
omega chain <file>                              | No        | Build vulnerability dependency graph from findings file
omega run <target> --override --confirm-destroy | YES       | Full autonomous engagement — MINERVA OODA loop
omega auth create-scope --target <url>          | No        | Create Ed25519-signed authorization scope file
omega auth show                                 | No        | Show current authorized scope
omega auth revoke                               | No        | Revoke current scope file
omega report <id> --format html                 | No        | Generate HTML engagement report
omega report <id> --format json                 | No        | Generate findings.json (WARLORD schema)
omega report <id> --format markdown             | No        | Generate Markdown engagement report
omega version                                   | No        | Show version, subsystem count, test count

UNLEASHED Gate

Eight of ten subsystems require UNLEASHED authorization. All three conditions must be satisfied simultaneously — any missing condition blocks execution with a clear error message.

Layer 1 — Scope File: Ed25519-signed authorization for the specific target URL. Created with omega auth create-scope. Expires after 30 days. Stored at ~/.red-specter/omega/authorized_scope.json.
Layer 2 — --override: Deliberate intent flag. Must be passed explicitly on every active command. Scope file alone is not sufficient.
Layer 3 — --confirm-destroy: Destructive operation confirmation. Required alongside --override. Neither flag alone is sufficient to activate exploit delivery.

    # Blocked — no scope file
    UNLEASHED BLOCKED: No scope file. Create one with: omega auth create-scope --target <url>

    # Blocked — target not in scope
    UNLEASHED BLOCKED: Target not in authorized scope

    # Blocked — missing flags
    UNLEASHED BLOCKED: UNLEASHED dual-gate required: --override and --confirm-destroy

    # Authorized — all three conditions met
    UNLEASHED AUTHORIZED: Scope verified. Ed25519 signature valid. Engaging.

Scope File Format

    {
      "target": "http://target.lab",
      "created": "2026-04-09T12:00:00Z",
      "expires": "2026-05-09T12:00:00Z",
      "operator": "richard@red-specter.co.uk",
      "signature": "<Ed25519 signature>",
      "tool": "omega",
      "version": "1.0.0"
    }
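One way to implement the three-layer gate check over the scope file format above, as an added example that is not OMEGA's own code. The page does not say which bytes the Ed25519 signature covers or how it is encoded, so the newline-joined field order in `signedBytes` and the base64 encoding are assumptions, as are the two messages for an invalid signature and an expired scope; the sample scope is constructed.

```go
package main

import (
	"crypto/ed25519"
	"encoding/base64"
	"encoding/json"
	"fmt"
	"time"
)

func signedBytes(s map[string]string) []byte { // ASSUMED canonical form; the page does not define one
	return []byte(s["target"] + "\n" + s["created"] + "\n" + s["expires"] + "\n" + s["operator"] + "\n" + s["tool"] + "\n" + s["version"])
}

// CheckGate applies all three layers and returns the gate message for the first one that fails.
func CheckGate(raw []byte, pub ed25519.PublicKey, target string, override, confirm bool, now time.Time) string {
	var s map[string]string
	if json.Unmarshal(raw, &s) != nil {
		return "UNLEASHED BLOCKED: No scope file. Create one with: omega auth create-scope --target <url>"
	}
	sig, err := base64.StdEncoding.DecodeString(s["signature"])
	if err != nil || !ed25519.Verify(pub, signedBytes(s), sig) {
		return "UNLEASHED BLOCKED: Scope signature invalid" // constructed message, not on the page
	}
	exp, err := time.Parse(time.RFC3339, s["expires"])
	if err != nil || !now.Before(exp) {
		return "UNLEASHED BLOCKED: Scope expired" // constructed message, not on the page
	}
	if s["target"] != target {
		return "UNLEASHED BLOCKED: Target not in authorized scope"
	}
	if !override || !confirm {
		return "UNLEASHED BLOCKED: UNLEASHED dual-gate required: --override and --confirm-destroy"
	}
	return "UNLEASHED AUTHORIZED: Scope verified. Ed25519 signature valid. Engaging."
}

func SampleScope() ([]byte, ed25519.PublicKey) { // constructed, freshly signed scope file
	pub, priv, _ := ed25519.GenerateKey(nil)
	s := map[string]string{"target": "http://target.lab", "created": "2026-04-09T12:00:00Z",
		"expires": "2026-05-09T12:00:00Z", "operator": "operator@example.test", "tool": "omega", "version": "1.0.0"}
	s["signature"] = base64.StdEncoding.EncodeToString(ed25519.Sign(priv, signedBytes(s)))
	raw, _ := json.Marshal(s)
	return raw, pub
}

func main() {
	raw, pub := SampleScope()
	fmt.Println(CheckGate(raw, pub, "http://target.lab", true, false, time.Date(2026, 4, 10, 0, 0, 0, 0, time.UTC)))
}
```

The signature is checked before any field is trusted, so editing `expires` or `target` in the file on disk fails the gate instead of extending or widening the scope.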

WARLORD Integration

OMEGA is a first-class WARLORD-compatible tool. All findings output matches the WARLORD findings.json schema. WARLORD can ingest OMEGA engagement output directly for campaign correlation, trend analysis, and multi-tool deduplication.

    # Generate WARLORD-compatible output
    $ omega report <engagement-id> --format json --output findings.json

    # findings.json schema fields (WARLORD-compatible):
    {
      "engagement_id": "<uuid>",
      "tool": "omega",
      "tool_version": "1.0.0",
      "target": "<target url>",
      "timestamp": "<ISO 8601>",
      "findings": [
        {
          "id": "CHN-001",
          "severity": "CRITICAL",
          "cvss": 10.0,
          "title": "<title>",
          "chain": ["CVE-XXXX-XXXX", "CVE-YYYY-YYYY"],
          "evidence_hash": "<SHA-256>",
          "poc_available": true
        }
      ],
      "mirror_score": 17,
      "mirror_tier": "MYTHOS-CLASS"
    }

Output Formats

findings.json — WARLORD Schema

Primary machine-readable output. Full engagement data including all subsystem findings, chain dependency graph, MIRROR benchmark result, evidence hashes, and scope metadata. Consumed directly by WARLORD.

HTML Report

Human-readable engagement report. Executive summary with risk rating, finding table sorted by severity, full chain dependency visualization, MIRROR tier badge, evidence manifest with SHA-256 hashes, and scope metadata. Suitable for client delivery.

Markdown Report

Lightweight documentation-ready format. Includes all findings in structured Markdown tables. Suitable for inclusion in engagement write-ups, internal wikis, or version-controlled documentation repositories.

Validation Results

Phase 1 validation run against DVWA (Damn Vulnerable Web Application) — authorised lab target.

    # Target: DVWA (lab) | Phase 1 validation
    # All subsystems: real HTTP, zero mocks
    [HUNTER]   12 endpoints discovered — admin panel, upload, API surface
    [CHAIN]    77 chains enumerated — 12 Mythos-grade paths
               Highest chain: SQLi → RCE → privesc → persistence
               Combined CVSS: 10.0
    [PAYLOAD]  14 PoCs generated — all executable
    [GHOST]    Detection pressure: LOW throughout — adaptive timing nominal
    [MINERVA]  OODA loop completed — 4 cycles, no human input
    [SURFACE]  Cross-surface chain delivered: web → API → service
    [HARVEST]  14 evidence artefacts sealed — SHA-256 manifest written
    [SENTINEL] Detection pressure score: 18/100 (LOW) — no IDS response
    [MIRROR]   17/20 patterns matched — MYTHOS-CLASS
    [REPORT]   findings.json written — WARLORD schema validated
    Total: CVSS 10.0 | 77 chains | 626/626 tests passing

Legal Notice. The UNLEASHED gate is a technical control, not a legal authorization. Written authorization from the system owner is required before conducting any security testing, regardless of UNLEASHED gate status. Red Specter Security Research Ltd accepts no liability for unauthorized use.