Red Specter Red Team — Stage 4

Red Specter POLTERGEIST

10 Attack Agents
55 Attack Vectors
10 Campaigns
930 Tests Passing
pip install red-specter-poltergeist
Ten Autonomous Attack Agents
Each agent specialises in a distinct phase of web application assault. Together they form the most comprehensive automated penetration testing swarm ever built.
G-01
Wraith
Reconnaissance
Surface mapping, technology fingerprinting, hidden endpoint discovery, JS route extraction, API discovery.
V-001 V-002 V-003 V-004 V-005
G-02
Specter
Injection
SQL injection, XSS, SSRF, RCE, SSTI, XXE, LDAP injection, advanced command injection.
V-006 V-007 V-008 V-009 V-010 V-011 V-012 V-013
G-03
Shade
Evasion
WAF bypass, encoding chains, payload mutation, fingerprint rotation, rate limit evasion.
V-014 V-015 V-016 V-017 V-018
G-04
Banshee
Authentication
Session hijack, default credentials, OAuth abuse, JWT attacks, MFA bypass, cookie analysis.
V-019 V-020 V-021 V-022 V-023 V-024
G-05
Phantom
API Assault
REST, GraphQL, WebSocket, gRPC assault, BOLA, BFLA, mass assignment, schema abuse.
V-025 V-026 V-027 V-028 V-029 V-030 V-031 V-032
G-06
Ghoul
Client-Side
DOM XSS, prototype pollution, CSP bypass, JavaScript dependency scanning, clickjacking.
V-033 V-034 V-035 V-036 V-037
G-07
Lich
Infrastructure
Path traversal, LFI/RFI, misconfigurations, CORS abuse, header injection, TLS weakness.
V-038 V-039 V-040 V-041 V-042 V-043
G-08
Wendigo
Business Logic
Race conditions, IDOR, privilege escalation, workflow bypass, payment tampering.
V-044 V-045 V-046 V-047 V-048
G-09
Poltergeist
Swarm Commander
Attack chain discovery, finding correlation, effort redistribution across the entire swarm.
V-049 V-050 V-051
G-10
Revenant
Exfiltration & Persistence
Data extraction, CSRF/session riding, lateral movement, persistent backdoor detection.
V-052 V-053 V-054 V-055
10 Named Campaign Playbooks
Each campaign orchestrates specific agents and vectors for a targeted objective. From silent reconnaissance to full swarm assault.
$ poltergeist scan https://target.com --campaign full_assault
[*] Campaign: FULL ASSAULT
[*] Target: https://target.com
[*] Deploying 10 agents across 55 vectors...
[G-01 WRAITH] Surface mapping... 42 endpoints discovered
[G-01 WRAITH] Technology fingerprint: nginx/1.25 | React 18 | Node.js
[G-02 SPECTER] SQL injection test... CRITICAL: V-006 blind SQLi in /api/users?id=
[G-02 SPECTER] XSS scan... HIGH: V-007 reflected XSS in /search?q=
[G-03 SHADE] WAF detected: Cloudflare. Engaging bypass... 2 bypass techniques found
[G-04 BANSHEE] JWT alg:none... CRITICAL: V-022 algorithm confusion accepted
[G-05 PHANTOM] BOLA test... HIGH: V-029 IDOR via sequential /api/orders/{id}
[G-06 GHOUL] Prototype pollution... MEDIUM: V-034 __proto__ accepted
[G-07 LICH] Path traversal... HIGH: V-038 /download?file=../../../etc/passwd
[G-08 WENDIGO] Race condition... CRITICAL: V-044 double-spend in /api/transfer
[G-09 POLTERGEIST] Chain discovered: V-006 + V-046 = admin DB access
[G-10 REVENANT] CSRF... HIGH: V-053 no CSRF token on state-changing endpoints
[*] Scan complete: 55 vectors tested | 14 findings
[*] Risk grade: F (87% risk score)
[*] Report signed with Ed25519
[*] Saved: reports/poltergeist-full_assault-2026-03-11.json
[*] Saved: reports/poltergeist-full_assault-2026-03-11.html
Campaign | Command | Description
Full Assault | --campaign full_assault | All 10 agents, all 55 vectors, maximum aggression
Silent Recon | --campaign silent_recon | Passive reconnaissance, zero active probing
Auth Blitz | --campaign auth_blitz | Full authentication and session attack battery
API Siege | --campaign api_siege | REST, GraphQL, WebSocket, gRPC total assault
Client Harvest | --campaign client_harvest | Client-side XSS, DOM, prototype pollution, CSP
Infrastructure Sweep | --campaign infrastructure_sweep | Path traversal, misconfig, CORS, TLS weakness
Injection Storm | --campaign injection_storm | SQLi, XSS, SSRF, RCE, SSTI, XXE, LDAP, command injection
Logic Bomb | --campaign logic_bomb | Race conditions, IDOR, privilege escalation, workflow bypass
Exfil Express | --campaign exfil_express | Data extraction, CSRF, lateral movement, persistence
WAF Buster | --campaign waf_buster | WAF bypass, encoding chains, payload mutation, evasion
55 Attack Vectors
Full web application attack surface coverage across 10 categories. Every finding mapped to OWASP Web Top 10, OWASP API Top 10, and CWE IDs.

Reconnaissance (5)

  • Surface Mapper
  • Technology Fingerprint
  • Hidden Endpoint Discovery
  • JavaScript Route Extraction
  • API Discovery

Injection (8)

  • SQL Injection
  • Cross-Site Scripting (XSS)
  • Server-Side Request Forgery
  • Remote Code Execution
  • Server-Side Template Injection
  • XML External Entity (XXE)
  • LDAP Injection
  • Advanced Command Injection

Evasion (5)

  • WAF Bypass
  • Encoding Chain Evasion
  • Payload Mutation Evasion
  • Fingerprint Rotation
  • Rate Limit Evasion

Authentication (6)

  • Session Hijack Analysis
  • Default Credential Test
  • OAuth Abuse
  • JWT Attacks
  • MFA Bypass
  • Cookie Security Analysis

API (8)

  • REST API Assault
  • GraphQL Assault
  • WebSocket Assault
  • gRPC Assault
  • BOLA / IDOR
  • BFLA
  • Mass Assignment
  • Schema Abuse

Client-Side (5)

  • DOM-based XSS Analysis
  • Prototype Pollution
  • CSP Bypass Analysis
  • JS Dependency Vulnerabilities
  • Clickjacking Protection

Infrastructure (6)

  • Path Traversal
  • LFI / RFI
  • Misconfiguration Test
  • CORS Abuse
  • Header Injection
  • TLS Weakness

Business Logic (5)

  • Race Conditions
  • IDOR Test
  • Privilege Escalation
  • Workflow Bypass
  • Payment Tampering

Orchestration (3)

  • Attack Chain Discovery
  • Finding Correlator
  • Effort Redistributor

Exfiltration (4)

  • Data Extraction
  • Session Riding (CSRF)
  • Lateral Movement
  • Respawn (Persistence)
The Complete Offensive Pipeline
Five stages from LLM testing to runtime defence. No competitor has all five. One company. Full stack.
Stage 1: Forge (LLM Security Testing)
Stage 2: Arsenal (Agent Pen Testing)
Stage 3: PHANTOM (Multi-Agent AI Assault)
Stage 4: POLTERGEIST (Web App Assault)
Stage 5: AI Shield (Runtime Defence)
Key Features
10 Autonomous Agents: Coordinated swarm with distinct specialisations
55 Attack Vectors: Full web application attack surface coverage
532 Static Payloads: SQLi, XSS, RCE, SSRF, SSTI, path traversal
17 Mutation Techniques: Payload mutation engine generates unlimited variants
Triple OWASP + CWE Mapping: OWASP Web Top 10, OWASP API Top 10, CWE IDs
CVSS 3.1 Scoring: Every finding scored with CVSS 3.1 severity
Ed25519 Signed Reports: SHA-256 evidence chains, RFC 3161 timestamps
930 Tests Passing: Full test suite, zero failures
Scope Enforcement: Built-in scope controls and rate limiting
10 Named Campaigns: Pre-built coordinated assault playbooks
HTML + JSON Reports: Board-ready HTML and machine-readable JSON
CI/CD Grade Gate: poltergeist grade --fail-below C
POLTERGEIST UNLEASHED

Live destructive actions are locked behind a built-in cryptographic override and intended only for explicitly authorised validation environments. Only one key in the world can unlock it.

The Lock
Ed25519 Public-Key Cryptography

Every copy of POLTERGEIST embeds an Ed25519 public key. Override activation requires a cryptographic challenge-response signed by the corresponding private key. No password. No shared secret. Pure asymmetric cryptography.

The Key
One Private Key. One Person.

The private key exists on exactly one machine. It never touches a network. It never enters a repository. It never gets backed up to cloud storage. Without it, POLTERGEIST is a scanner. With it, POLTERGEIST is a weapon.

The Gate
Dual-Gate Safety Protocol

Even with the key, activation requires two gates. Gate 1: dry-run mode — all destructive actions logged but not executed. Gate 2: explicit confirmation to go live. Scope-locked to pre-authorised targets only.

# Gate 1: Dry-run — actions logged, not executed
$ poltergeist scan https://target.com --override
OVERRIDE DRY-RUN — Ed25519 VERIFIED
Destructive actions will be logged but NOT executed.
# Gate 2: Live — agents execute real destructive actions
$ poltergeist scan https://target.com --override --confirm-destroy
DESTRUCTIVE MODE ACTIVE — Ed25519 VERIFIED
Agents will execute real destructive actions.
Crypto Algorithm: Ed25519
Key Strength: 256-bit
Safety Gates: 2
Key Holder: 1
Challenge-Response Signing: Unique nonce + timestamp per activation. No replay possible.
Scope Lock: Targets must be pre-authorised. No wildcards. No drift.
Full Audit Trail: Every destructive action logged, timestamped, signed into the report.
Signed Evidence Chain: Override audit embedded in Ed25519-signed scan reports.
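
The verifier side of a nonce-and-timestamp challenge-response of the kind described under "The Lock" and "Challenge-Response Signing", as an added example that is not POLTERGEIST's own code. The class and function names, the message layout, the 60-second window and the binding of the target into the challenge are assumptions; it uses the third-party cryptography package.

```python
import os
import time

from cryptography.exceptions import InvalidSignature
from cryptography.hazmat.primitives.asymmetric.ed25519 import Ed25519PrivateKey

MAX_AGE_SECONDS = 60        # assumed freshness window
LABEL = b"override-v1\x00"  # assumed layout: label | nonce(32) | timestamp(8) | target


class OverrideVerifier:
    """Hypothetical verifier: issues challenges, accepts each nonce once."""
    def __init__(self, public_key, now=time.time):
        self._public_key = public_key
        self._now = now
        self._pending = {}  # nonce -> (issued_at, exact challenge bytes issued)

    def issue_challenge(self, target):
        nonce, issued_at = os.urandom(32), int(self._now())
        challenge = LABEL + nonce + issued_at.to_bytes(8, "big") + target.encode()
        self._pending[nonce] = (issued_at, challenge)
        return challenge

    def verify(self, challenge, signature):
        nonce = challenge[len(LABEL):len(LABEL) + 32]
        # pop() makes every nonce single use, even when a later check fails
        issued_at, issued = self._pending.pop(nonce, (None, None))
        if issued is None:
            return "unknown-or-replayed"
        if self._now() - issued_at > MAX_AGE_SECONDS:
            return "expired"
        try:
            self._public_key.verify(signature, issued)  # check the bytes we issued
        except InvalidSignature:
            return "bad-signature"
        return "ok"


def demo():
    key, clock = Ed25519PrivateKey.generate(), [1_000_000.0]  # constructed key, fake clock
    v = OverrideVerifier(key.public_key(), now=lambda: clock[0])
    target = "https://staging.example.test"                   # constructed target
    c1 = v.issue_challenge(target)
    results = [v.verify(c1, key.sign(c1)), v.verify(c1, key.sign(c1))]  # valid, replay
    c2 = v.issue_challenge(target)
    results.append(v.verify(c2, Ed25519PrivateKey.generate().sign(c2)))  # wrong key
    c3 = v.issue_challenge(target)
    clock[0] += MAX_AGE_SECONDS + 1
    results.append(v.verify(c3, key.sign(c3)))                # stale challenge
    return results
```

Because the signature is checked against the stored challenge rather than the bytes the caller returns, a response whose target was altered in transit fails as a bad signature.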
Destroy Before They Do

Ten agents. 55 vectors. 532 payloads. One command. The most comprehensive web application penetration testing swarm ever built.

Pure Engineering
Zero External Tools. Zero Wrappers.

Most pen-testing frameworks are menus that shell out to sqlmap, nikto, and nmap behind a terminal UI. POLTERGEIST is actual engineering. Every payload, every mutation, every detection algorithm, every scoring engine — written from scratch in pure Python. Zero subprocess calls. Zero external tool dependencies.

532 Custom Payloads
17 Mutation Techniques
0 Subprocess Calls
0 External Dependencies