ORION is an AI-native reconnaissance engine that goes beyond port scanning. It discovers hosts, maps services, pulls OSINT from 8 sources, reasons about the results with an LLM, generates prioritised attack plans, and renders the entire attack surface as an interactive graph.
Traditional scanners tell you what's open. ORION tells you what's possible. Every scan routes through VOID's anonymity engine with 4 stealth levels.
```
pip install red-specter-orion
orion --help
```

| # | Subsystem | Function |
|---|---|---|
| 1 | SENTINEL | Host discovery — ARP, ICMP, TCP SYN, UDP probes. Adaptive timing across subnets and cloud ranges |
| 2 | SCOPE | Port scanning — SYN, connect, UDP, FIN, XMAS, NULL, idle scans. Full 65535 or top ports. Rate-limited |
| 3 | SIGNAL | Fingerprinting — OS detection, service banners, TLS certificates, application-layer probes, tech stack identification |
| 4 | ECHO | DNS intelligence — forward/reverse lookups, zone transfers, subdomain enumeration, cloud endpoint mapping |
| 5 | GHOST | OSINT aggregation — 8 external sources correlated with active scan results |
| 6 | HUNTER | LLM reasoning — feeds all recon data into LLM to identify attack paths, misconfigurations, and exposure patterns |
| 7 | PATHFINDER | Attack plans — prioritised playbooks mapping services to exploits, ranked by impact and feasibility |
| 8 | VOID | Anonymity engine — 4 stealth levels from direct to distributed multi-hop with timing randomisation |
| 9 | CONSTELLATION | Attack surface graph — interactive visualisation of hosts, ports, services, vulns, OSINT, and attack paths |

| # | Source | Intelligence |
|---|---|---|
| 1 | Shodan | Internet-wide scan data, banners, vulnerabilities, device metadata |
| 2 | Censys | Certificate transparency, host enumeration, protocol analysis |
| 3 | VirusTotal | Domain/IP reputation, malware associations, passive DNS history |
| 4 | SecurityTrails | Historical DNS, WHOIS changes, associated domains, IP neighbours |
| 5 | crt.sh | Certificate transparency logs, subdomain discovery via issued certificates |
| 6 | WHOIS | Domain registration, registrar, nameservers, creation/expiry dates |
| 7 | BGP | AS numbers, IP prefixes, peering relationships, routing anomalies |
| 8 | Passive DNS | Historical resolution data, domain-to-IP mappings over time |

| Level | Name | Method | Detection Risk |
|---|---|---|---|
| 1 | Direct | No anonymisation. Scans from operator IP. Fastest. | High |
| 2 | Proxy | SOCKS5/HTTP proxy chains. Single-hop anonymisation. | Medium |
| 3 | Tor | Onion routing through Tor network. Multi-hop. | Low |
| 4 | Distributed | Multi-hop with timing randomisation, source rotation, and traffic shaping. | Minimal |

| Mode | Flags | What It Does |
|---|---|---|
| Standard | (none) | Passive only — OSINT, DNS, certificate transparency. No packets to target. |
| Dry Run | --override | Simulates active scanning. Shows what would be discovered. Ed25519 required. No execution. |
| Live | --override --confirm-active | Active stealth reconnaissance. All 9 subsystems engaged. Real traffic to target through VOID. |

| Command | Description |
|---|---|
| `orion scan <target>` | Full reconnaissance — all subsystems, passive + active |
| `orion discover <target>` | Host discovery only (SENTINEL) |
| `orion ports <target>` | Port scanning only (SCOPE) |
| `orion dns <target>` | DNS intelligence only (ECHO) |
| `orion osint <target>` | OSINT aggregation only (GHOST) |
| `orion reason <target>` | LLM reasoning on existing scan data (HUNTER) |
| `orion plan <target>` | Generate attack plan from scan data (PATHFINDER) |
| `orion graph <target>` | Render attack surface graph (CONSTELLATION) |
| `orion scan <target> --stealth 4` | Full scan through VOID level 4 (distributed) |
| `orion scan <target> --override --confirm-active` | UNLEASHED live active reconnaissance |

CONSTELLATION takes all reconnaissance data and renders it as an interactive graph. Every host is a node. Every open port is an edge. Services, vulnerabilities, OSINT findings, and attack paths are all connected and explorable.
The graph updates in real-time as ORION discovers new information. Operators can filter by severity, service type, or attack path. Export to JSON, GraphML, or interactive HTML.

| Node | Represents |
|---|---|
| Host | Discovered IP address or hostname |
| Port | Open port with service identification |
| Service | Running application or protocol |
| Vulnerability | Known CVE or misconfiguration |
| OSINT | External intelligence finding |
| Attack Path | PATHFINDER-generated exploitation route |

Tool 25 in the Red Specter offensive pipeline. ORION is the AI-native evolution of network reconnaissance — combining traditional scanning with OSINT aggregation, LLM reasoning, and attack surface visualisation.
Nmap tells you what's open. ORION tells you what's possible.