pip install red-specter-orion
Nmap tells you what's open. It doesn't tell you what's exploitable. There's no LLM reasoning layer correlating results with known attack patterns. No OSINT integration to correlate external intelligence with active scan data. No prioritised attack plan output. No stealth architecture. No attack surface graph. Reconnaissance has been stuck in 1997 for nearly thirty years.
Active scan results and passive OSINT data are rarely correlated automatically. You run Shodan separately. You run Nmap separately. You manually connect the dots. ORION does this automatically across 8 OSINT sources simultaneously.
A scanner tells you port 443 is open running nginx 1.18.0. It doesn't tell you that the version string matches known CVEs, that the TLS config is weak, or that the certificate's expiry suggests a forgotten service. An LLM reasoning layer does, with one caveat a practitioner already applies by hand: a banner version is evidence, not proof. Distributions backport fixes behind frozen version strings, so a version match needs confirmation before it becomes a finding.
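The deterministic core of that reasoning step, banner-to-advisory correlation with a confidence tag for the backport problem, as an added example. This is not ORION's code; it assumes a small constructed advisory feed (its single entry mirrors the public nginx advisory for CVE-2021-23017, affected 0.6.18 through 1.20.0) and hypothetical banner strings.

```python
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Advisory:
    product: str
    cve: str
    first_bad: str   # first affected version, inclusive
    last_bad: str    # last affected version, inclusive
    severity: str
    summary: str


# Constructed advisory feed for this example; a real pipeline would build it
# from OSINT sources. The one entry mirrors the public nginx advisory for
# CVE-2021-23017 (affected 0.6.18 through 1.20.0, fixed in 1.20.1 / 1.21.0).
ADVISORIES = (
    Advisory("nginx", "CVE-2021-23017", "0.6.18", "1.20.0", "high",
             "resolver 1-byte overwrite via forged DNS reply; only reachable "
             "when a 'resolver' directive is configured"),
)

# Banner shapes seen in the wild: "nginx/1.18.0 (Ubuntu)", "Apache/2.4.41",
# "OpenSSH_8.2p1". Product name, one separator, then a dotted numeric version.
_BANNER_RE = re.compile(r"([A-Za-z][A-Za-z0-9-]*)[/_ ]v?(\d+(?:\.\d+)+)")
# A distribution tag means the upstream version string is probably frozen
# while security fixes are backported underneath it.
_DISTRO_RE = re.compile(r"\b(ubuntu|debian|red hat|rhel|centos|rocky|alma|suse)\b", re.I)


def parse_banner(banner):
    """Return (product, version) with the product lower-cased, or None."""
    m = _BANNER_RE.search(banner)
    if m is None:
        return None
    return m.group(1).lower(), m.group(2)


def in_range(version, first_bad, last_bad):
    """Inclusive dotted-version range check; shorter tuples are zero-padded."""
    parts = [tuple(int(p) for p in v.split(".")) for v in (version, first_bad, last_bad)]
    width = max(len(t) for t in parts)
    ver, lo, hi = (t + (0,) * (width - len(t)) for t in parts)
    return lo <= ver <= hi


def correlate_banner(banner):
    """Map one service banner to matching advisories, each with a confidence.

    'version-match' means the banner version is inside the affected range.
    'unconfirmed' means the same, but a distro tag makes backports likely, so
    the build must be verified (package changelog, probe, or exploit check)
    before this becomes a finding.
    """
    parsed = parse_banner(banner)
    if parsed is None:
        return []
    product, version = parsed
    confidence = "unconfirmed: distro backports likely" if _DISTRO_RE.search(banner) else "version-match"
    return [
        {"banner": banner, "cve": adv.cve, "severity": adv.severity,
         "confidence": confidence, "note": adv.summary}
        for adv in ADVISORIES
        if adv.product == product and in_range(version, adv.first_bad, adv.last_bad)
    ]


if __name__ == "__main__":
    for b in ("nginx/1.18.0 (Ubuntu)", "nginx/1.20.0", "nginx/1.21.6", "Apache/2.4.41"):
        print(b, "->", correlate_banner(b) or "no matching advisory")
```

The point of the confidence field is that "nginx/1.18.0 (Ubuntu)" and "nginx/1.20.0" both sit inside the affected range, but only the second is a plain version match; the first is exactly the case where a reasoning layer should ask for confirmation rather than emit a high-severity finding.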
After reconnaissance you have raw data. You manually interpret it, manually map it to exploits, manually prioritise. ORION's PATHFINDER generates prioritised attack plans directly from scan results — actionable playbooks, not raw data dumps.
Traditional scanners send packets from your IP in an identifiable pattern. Timing templates and decoys exist as per-scan flags, but there's no stealth architecture: no proxy chains, no Tor routing, no timing randomisation built into the pipeline. ORION's VOID anonymity engine routes everything through configurable stealth levels.
Zone transfers, subdomain enumeration, cloud endpoint discovery: most assessments stop after a handful of DNS lookups. ORION's ECHO subsystem maps the full DNS footprint: forward, reverse, cloud endpoints, CDN origins, and certificate transparency logs.
After weeks of scanning you have spreadsheets and text files. ORION's CONSTELLATION subsystem renders the entire attack surface as an interactive graph — hosts, ports, services, vulnerabilities, OSINT, and attack paths all connected and explorable.
ORION doesn't just find open ports. It discovers hosts, fingerprints services, maps DNS, pulls OSINT from 8 sources, reasons about what it finds with an LLM, generates attack plans, anonymises everything through 4 stealth levels, and renders the entire attack surface as an interactive graph.
| # | Subsystem | Role | What It Does |
|---|---|---|---|
| 01 | SENTINEL | Host Discovery | ARP, ICMP, TCP SYN, and UDP probes. Identifies live hosts across subnets, cloud ranges, and segmented networks. Adaptive timing to avoid detection. Feeds host list to all subsequent subsystems. |
| 02 | SCOPE | Port Scanning | SYN, connect, UDP, FIN, Xmas, NULL, and idle scans. Service version detection. Top ports or full 65535 sweep. Rate-limited and stealth-aware. All traffic routes through VOID. |
| 03 | SIGNAL | Fingerprinting | OS detection, service banners, TLS certificate analysis, application-layer probes. Identifies technology stacks, frameworks, and known vulnerable versions. Feeds HUNTER with structured service data. |
| 04 | ECHO | DNS Intelligence | Forward/reverse lookups, zone transfers, subdomain enumeration, DNS record analysis. Maps the full DNS footprint including cloud endpoints and CDN origins. Correlates with certificate transparency logs. |
| 05 | GHOST | 8 OSINT Sources | Shodan, Censys, VirusTotal, SecurityTrails, crt.sh, WHOIS, BGP, and passive DNS. Correlates external intelligence with active scan results. Surfaces exposures that active scanning alone would miss. |
| 06 | HUNTER | LLM Reasoning | Feeds all reconnaissance data into an LLM reasoning engine. Identifies attack paths, misconfigurations, and exposure patterns that automated scanners miss. Produces structured findings with severity ratings. |
| 07 | PATHFINDER | Attack Plans | Generates prioritised attack plans from HUNTER's analysis. Maps services to known exploits, ranks findings by impact and feasibility, outputs actionable playbooks for every high-severity finding. |
| 08 | VOID | 4 Stealth Levels | Anonymity engine. Level 1: direct. Level 2: proxy chains. Level 3: Tor routing. Level 4: distributed multi-hop with timing randomisation. All subsystems route through VOID — stealth is architecture, not an option. Caveat: SOCKS proxies and Tor carry TCP streams only, so raw-socket probes (ARP, ICMP, SYN/FIN/Xmas/NULL, UDP, idle) cannot be tunnelled; above level 1 only connect-style scans and OSINT API calls can actually traverse the proxy path, and the raw-socket scan types have to be sent directly or skipped. |
| 09 | CONSTELLATION | Attack Surface Graph | Renders the full attack surface as an interactive graph. Hosts, ports, services, vulnerabilities, OSINT data, and attack paths — all connected and explorable. Export to JSON, HTML, or SIEM-native format. |
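How active results and passive OSINT records can be joined per host and port, then flattened into a node/edge graph, as an added example covering the correlation described under GHOST and the graph export described under CONSTELLATION. This is not ORION's code: every record, IP, timestamp and source name below is constructed, and the verdict labels are this example's own.

```python
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Fixed clock so the example is reproducible; a live run would use the current time.
NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)
STALE_AFTER = timedelta(days=30)   # older index entries count as historical

# Constructed passive records in the shape of Shodan/Censys banner data.
# The IP is from the documentation range; sources, products and dates are invented.
PASSIVE = [
    {"src": "shodan", "ip": "198.51.100.10", "port": 443, "proto": "tcp",
     "product": "nginx/1.18.0", "seen": "2024-05-20T00:00:00+00:00"},
    {"src": "censys", "ip": "198.51.100.10", "port": 443, "proto": "tcp",
     "product": "nginx/1.18.0", "seen": "2024-05-28T00:00:00+00:00"},
    {"src": "shodan", "ip": "198.51.100.10", "port": 3306, "proto": "tcp",
     "product": "MySQL 5.7", "seen": "2024-05-25T00:00:00+00:00"},
    {"src": "shodan", "ip": "198.51.100.10", "port": 21, "proto": "tcp",
     "product": "vsftpd", "seen": "2023-11-02T00:00:00+00:00"},
]

# Constructed active results in the shape of a SYN scan from our own vantage point.
ACTIVE = [
    {"ip": "198.51.100.10", "port": 443, "proto": "tcp", "state": "open", "banner": "nginx/1.18.0"},
    {"ip": "198.51.100.10", "port": 3306, "proto": "tcp", "state": "filtered", "banner": ""},
    {"ip": "198.51.100.10", "port": 8443, "proto": "tcp", "state": "open", "banner": "Jetty"},
    {"ip": "198.51.100.10", "port": 21, "proto": "tcp", "state": "closed", "banner": ""},
]


def correlate_surface(passive, active, now=NOW):
    """Join both data sets on (ip, port, proto) and give each service a verdict.

    Verdict labels are this example's own:
      confirmed           open from here and indexed recently by at least one source
      stale-index         open from here, only old index entries
      unindexed-exposure  open from here, never seen by any OSINT source
      vantage-mismatch    indexed recently but filtered/closed from here: IP allowlist,
                          geo-fencing, or a closure newer than the index; rescan elsewhere
      historical-only     only stale index entries, and not open now; likely decommissioned
      no-passive-data     not open, never indexed
    """
    by_key = defaultdict(lambda: {"passive": [], "active": None})
    for rec in passive:
        by_key[(rec["ip"], rec["port"], rec["proto"])]["passive"].append(rec)
    for rec in active:
        by_key[(rec["ip"], rec["port"], rec["proto"])]["active"] = rec

    results = []
    for (ip, port, proto), d in sorted(by_key.items()):
        fresh = [p for p in d["passive"]
                 if now - datetime.fromisoformat(p["seen"]) <= STALE_AFTER]
        state = d["active"]["state"] if d["active"] else "not-scanned"
        if state == "open":
            verdict = "confirmed" if fresh else ("stale-index" if d["passive"] else "unindexed-exposure")
        elif fresh:
            verdict = "vantage-mismatch"
        elif d["passive"]:
            verdict = "historical-only"
        else:
            verdict = "no-passive-data"
        results.append({
            "ip": ip, "port": port, "proto": proto, "active_state": state,
            "osint_sources": sorted({p["src"] for p in d["passive"]}),
            # prefer a fresh passive product label, else whatever the active probe saw
            "product": next((p["product"] for p in fresh), (d["active"] or {}).get("banner", "")),
            "verdict": verdict,
        })
    return results


def to_graph(results):
    """Flatten the correlated view into nodes and edges for a surface graph."""
    nodes, edges = {}, []
    for r in results:
        host = f"host:{r['ip']}"
        svc = f"svc:{r['ip']}:{r['port']}/{r['proto']}"
        nodes[host] = {"type": "host"}
        nodes[svc] = {"type": "service", "state": r["active_state"],
                      "product": r["product"], "verdict": r["verdict"]}
        edges.append((host, svc, r["verdict"]))
        for src in r["osint_sources"]:
            nodes[f"osint:{src}"] = {"type": "osint-source"}
            edges.append((f"osint:{src}", svc, "indexed"))
    return {"nodes": nodes, "edges": edges}


if __name__ == "__main__":
    for r in correlate_surface(PASSIVE, ACTIVE):
        print(f"{r['ip']}:{r['port']}/{r['proto']:<3} {r['active_state']:<9} "
              f"{','.join(r['osint_sources']) or '-':<13} {r['verdict']}")
    print(len(to_graph(correlate_surface(PASSIVE, ACTIVE))["edges"]), "edges")
```

The two verdicts worth acting on are the ones neither data set shows alone: 3306 is filtered from our vantage point but was indexed a week ago (an allowlist or a very recent closure, so rescan from another source address before calling it closed), and 8443 is open but absent from every OSINT source (an exposure nobody has indexed yet, so no external signal would have warned the owner).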
Execution is gated cryptographically: the private key that unlocks active operation is held by a single operator, on the founder's machine only. Three execution modes run from fully passive OSINT recon to active stealth reconnaissance across all 9 subsystems.
Passive reconnaissance only. OSINT from all 8 sources, DNS enumeration, certificate transparency. No packets sent to the target, so there is nothing for the target's own sensors to detect; the queries remain visible to the OSINT providers and resolvers that answer them, and lookups that hit the target's authoritative nameservers (zone-transfer attempts, brute-force subdomain probing) are active by nature and do not fit this mode. Full external intelligence profile built without touching the network.
Dry run of active scanning. Shows which probes would be sent to which targets and what traffic the live run would generate, without sending a packet. Ed25519 UNLEASHED key required. A complete rehearsal of the live operation, and the place to check scope before anything touches the target.
Active stealth reconnaissance. Full scanning through the VOID anonymity engine. All 9 subsystems engaged. Real traffic to the target. Ed25519 UNLEASHED key required. All activity signed and logged.
THIS TOOL IS FOR AUTHORISED SECURITY TESTING ONLY. EVERY EXECUTION IS SIGNED AND LOGGED.
Red Specter ORION is intended for authorised security testing only. Unauthorised active reconnaissance against systems you do not own or have explicit written permission to test may violate the Computer Misuse Act 1990 (UK), Computer Fraud and Abuse Act (US), and equivalent legislation in other jurisdictions. The VOID anonymity engine does not provide legal cover for unauthorised scanning. Every execution is Ed25519 signed and logged. Always obtain written authorisation before conducting any security assessments. Apache License 2.0.
ORION is pure Python. Every host prober, every service fingerprinter, every OSINT fetcher, every LLM reasoning pipeline, every graph renderer — written from scratch. No subprocess calls to Nmap. No wrappers. Actual engineering.