POLTERGEIST

Ten agents. 55 vectors. One coordinated web siege. Destroy before they do.
10 Attack Agents · 55 Attack Vectors · 10 Campaigns · 1,189 Tests Passing
pip install red-specter-poltergeist
You run DAST scanners / They miss business logic / Race conditions ship to production / JWT alg:none accepted / BOLA via sequential IDs / WAF bypassed in minutes / SQL injection in the API you forgot / No one tested the WebSocket / Auth tested manually once in 2024

DAST Scanners Miss the Hard Stuff

Every serious web application has surfaces that automated scanners never reach. Business logic. Race conditions. GraphQL introspection. JWT algorithm confusion. DOM XSS in SPA routes. Prototype pollution chains. POLTERGEIST fields a 10-agent swarm that attacks every surface simultaneously, coordinating chains that no single scanner could discover.

Race Conditions Ship Unseen

Concurrent request testing requires tight timing coordination. WENDIGO fires controlled race condition attacks against every state-changing endpoint simultaneously. Payment double-spend. Coupon reuse. Transfer duplication. All systematically tested.

API Surface Keeps Expanding

REST, GraphQL, WebSocket, gRPC — each has its own attack surface. PHANTOM assaults all four in one coordinated operation. BOLA via sequential IDs. BFLA across role boundaries. Mass assignment in every endpoint. Schema abuse and introspection.

WAF Creates False Safety

A WAF blocks known signatures. SHADE breaks through with encoding chains, payload mutation, fingerprint rotation, and rate limit evasion. Every injection campaign runs through SHADE first. The WAF is the obstacle, not the end state.

Authentication Complexity Hides Flaws

JWT algorithm confusion. OAuth redirect abuse. Session fixation. Default credentials. MFA bypass. Cookie security gaps. BANSHEE runs the complete authentication attack battery against every auth mechanism the application exposes.

Client-Side Is the New Server-Side

Modern SPAs run complex logic in the browser. DOM XSS in React routing. Prototype pollution chains. CSP bypasses. Vulnerable JS dependencies. Clickjacking on overlooked flows. GHOUL finds what server-side scanners never see.

Chain Attacks Go Undetected

The most dangerous findings aren't single vulnerabilities — they're chains. A reflected parameter plus an IDOR plus a race condition equals full account takeover. POLTERGEIST, the swarm commander, correlates findings across agents and discovers these chains automatically.

Ten Autonomous Attack Agents

Each agent specialises in a distinct phase of web application assault. Together they form the most comprehensive automated penetration testing swarm ever built.

G-01 Wraith (Reconnaissance)
Surface mapping, technology fingerprinting, hidden endpoint discovery, JS route extraction, API discovery.
Vectors: V-001, V-002, V-003, V-004, V-005

G-02 Specter (Injection)
SQL injection, XSS, SSRF, RCE, SSTI, XXE, LDAP injection, advanced command injection.
Vectors: V-006, V-007, V-008, V-009, V-010, V-011, V-012, V-013

G-03 Shade (Evasion)
WAF bypass, encoding chains, payload mutation, fingerprint rotation, rate limit evasion.
Vectors: V-014, V-015, V-016, V-017, V-018

G-04 Banshee (Authentication)
Session hijack, default credentials, OAuth abuse, JWT attacks, MFA bypass, cookie analysis.
Vectors: V-019, V-020, V-021, V-022, V-023, V-024

G-05 Phantom (API Assault)
REST, GraphQL, WebSocket, gRPC assault, BOLA, BFLA, mass assignment, schema abuse.
Vectors: V-025, V-026, V-027, V-028, V-029, V-030, V-031, V-032

G-06 Ghoul (Client-Side)
DOM XSS, prototype pollution, CSP bypass, JavaScript dependency scanning, clickjacking.
Vectors: V-033, V-034, V-035, V-036, V-037

G-07 Lich (Infrastructure)
Path traversal, LFI/RFI, misconfigurations, CORS abuse, header injection, TLS weakness.
Vectors: V-038, V-039, V-040, V-041, V-042, V-043

G-08 Wendigo (Business Logic)
Race conditions, IDOR, privilege escalation, workflow bypass, payment tampering.
Vectors: V-044, V-045, V-046, V-047, V-048

G-09 Poltergeist (Swarm Commander)
Attack chain discovery, finding correlation, effort redistribution across the entire swarm.
Vectors: V-049, V-050, V-051

G-10 Revenant (Exfiltration & Persistence)
Data extraction, CSRF/session riding, lateral movement, persistent backdoor detection.
Vectors: V-052, V-053, V-054, V-055

10 Named Campaign Playbooks

Each campaign orchestrates specific agents and vectors for a targeted objective. From silent reconnaissance to full swarm assault.

$ poltergeist scan https://target.com --campaign full_assault

[POLTERGEIST ASCII-art banner]

[*] Campaign: FULL ASSAULT
[*] Target: https://target.com
[*] Deploying 10 agents across 55 vectors...
[G-01 WRAITH] Surface mapping... 42 endpoints discovered
[G-01 WRAITH] Technology fingerprint: nginx/1.25 | React 18 | Node.js
[G-02 SPECTER] SQL injection test... CRITICAL: V-006 blind SQLi in /api/users?id=
[G-02 SPECTER] XSS scan... HIGH: V-007 reflected XSS in /search?q=
[G-03 SHADE] WAF detected: Cloudflare. Engaging bypass... 2 bypass techniques found
[G-04 BANSHEE] JWT alg:none... CRITICAL: V-022 algorithm confusion accepted
[G-05 PHANTOM] BOLA test... HIGH: V-029 IDOR via sequential /api/orders/{id}
[G-06 GHOUL] Prototype pollution... MEDIUM: V-034 __proto__ accepted
[G-07 LICH] Path traversal... HIGH: V-038 /download?file=../../../etc/passwd
[G-08 WENDIGO] Race condition... CRITICAL: V-044 double-spend in /api/transfer
[G-09 POLTERGEIST] Chain discovered: V-006 + V-046 = admin DB access
[G-10 REVENANT] CSRF... HIGH: V-053 no CSRF token on state-changing endpoints
[*] Scan complete: 55 vectors tested | 14 findings
[*] Risk grade: F (87% risk score)
[*] Report signed with Ed25519
[*] Saved: reports/poltergeist-full_assault-2026-04-28.json

Campaign             | Command                          | Description
Full Assault         | --campaign full_assault          | All 10 agents, all 55 vectors, maximum aggression
Silent Recon         | --campaign silent_recon          | Passive reconnaissance, zero active probing
Auth Blitz           | --campaign auth_blitz            | Full authentication and session attack battery
API Siege            | --campaign api_siege             | REST, GraphQL, WebSocket, gRPC total assault
Client Harvest       | --campaign client_harvest        | Client-side XSS, DOM, prototype pollution, CSP
Infrastructure Sweep | --campaign infrastructure_sweep  | Path traversal, misconfig, CORS, TLS weakness
Injection Storm      | --campaign injection_storm       | SQLi, XSS, SSRF, RCE, SSTI, XXE, LDAP, command injection
Logic Bomb           | --campaign logic_bomb            | Race conditions, IDOR, privilege escalation, workflow bypass
Exfil Express        | --campaign exfil_express         | Data extraction, CSRF, lateral movement, persistence
WAF Buster           | --campaign waf_buster            | WAF bypass, encoding chains, payload mutation, evasion

55 Attack Vectors

Full web application attack surface coverage across 10 categories. Every finding mapped to OWASP Web Top 10, OWASP API Top 10, and CWE IDs.

Reconnaissance (5)

  • Surface Mapper
  • Technology Fingerprint
  • Hidden Endpoint Discovery
  • JavaScript Route Extraction
  • API Discovery

Injection (8)

  • SQL Injection
  • Cross-Site Scripting (XSS)
  • Server-Side Request Forgery
  • Remote Code Execution
  • Server-Side Template Injection
  • XML External Entity (XXE)
  • LDAP Injection
  • Advanced Command Injection

Evasion (5)

  • WAF Bypass
  • Encoding Chain Evasion
  • Payload Mutation Evasion
  • Fingerprint Rotation
  • Rate Limit Evasion

Authentication (6)

  • Session Hijack Analysis
  • Default Credential Test
  • OAuth Abuse
  • JWT Attacks
  • MFA Bypass
  • Cookie Security Analysis

API (8)

  • REST API Assault
  • GraphQL Assault
  • WebSocket Assault
  • gRPC Assault
  • BOLA / IDOR
  • BFLA
  • Mass Assignment
  • Schema Abuse

Client-Side (5)

  • DOM-based XSS Analysis
  • Prototype Pollution
  • CSP Bypass Analysis
  • JS Dependency Vulnerabilities
  • Clickjacking Protection

Infrastructure (6)

  • Path Traversal
  • LFI / RFI
  • Misconfiguration Test
  • CORS Abuse
  • Header Injection
  • TLS Weakness

Business Logic (5)

  • Race Conditions
  • IDOR Test
  • Privilege Escalation
  • Workflow Bypass
  • Payment Tampering

Orchestration (3)

  • Attack Chain Discovery
  • Finding Correlator
  • Effort Redistributor

Exfiltration (4)

  • Data Extraction
  • Session Riding (CSRF)
  • Lateral Movement
  • Respawn (Persistence)

10 Attack Agents · 55 Attack Vectors · 532 Static Payloads · 1,189 Tests Passing · 0 Failures

Key Features

  • 10 Autonomous Agents: Coordinated swarm with distinct specialisations
  • 55 Attack Vectors: Full web application attack surface coverage
  • 532 Static Payloads: SQLi, XSS, RCE, SSRF, SSTI, path traversal
  • 17 Mutation Techniques: Payload mutation engine generates unlimited variants
  • Triple OWASP + CWE Mapping: OWASP Web Top 10, OWASP API Top 10, CWE IDs
  • CVSS 3.1 Scoring: Every finding scored with CVSS 3.1 severity
  • Ed25519 Signed Reports: SHA-256 evidence chains, RFC 3161 timestamps
  • 1,189 Tests Passing: Full test suite including unleashed tests, zero failures
  • Scope Enforcement: Built-in scope controls and rate limiting
  • 10 Named Campaigns: Pre-built coordinated assault playbooks
  • HTML + JSON Reports: Board-ready HTML and machine-readable JSON
  • CI/CD Grade Gate: poltergeist grade --fail-below C

The Complete Offensive Pipeline

Ten tools. Every layer. Nothing assumed safe. One company. Full stack.

  • Stage 1: FORGE (LLM Testing)
  • Stage 2: ARSENAL (Agent Testing)
  • Stage 3: PHANTOM (Swarm Assault)
  • Stage 4: POLTERGEIST (Web Siege)
  • Stage 5: GLASS (Traffic Interception)
  • Stage 6: NEMESIS (Adversarial AI)
  • Stage 7: SPECTER SOCIAL (Human Layer)
  • Stage 8: PHANTOM KILL (OS/Kernel)
  • Stage 9: GOLEM (Physical Layer)
  • Stage 10: HYDRA (Supply Chain)
  • Discovery: IDRIS (Governance)
  • Defence: AI Shield (Defence)
  • SIEM: redspecter-siem (SIEM Integration)

Every Finding Mapped

OWASP Web Top 10 (10 / 10)

  • A01 Broken Access Control
  • A02 Cryptographic Failures
  • A03 Injection
  • A04 Insecure Design
  • A05 Security Misconfiguration
  • A06 Vulnerable Components
  • A07 Auth Failures
  • A08 Software & Data Integrity
  • A09 Security Logging Failures
  • A10 SSRF

OWASP API Top 10 (10 / 10)

  • API1 Broken Object Level Auth
  • API2 Broken Authentication
  • API3 Broken Object Property Auth
  • API4 Unrestricted Resource Consumption
  • API5 Broken Function Level Auth
  • API6 Unrestricted Access to Flows
  • API7 Server Side Request Forgery
  • API8 Security Misconfiguration
  • API9 Improper Inventory Management
  • API10 Unsafe API Consumption

Report Integrity (Cryptographic)

  • Ed25519 digital signatures
  • SHA-256 evidence chains
  • RFC 3161 timestamps
  • Tamper-evident by design
  • CVSS 3.1 severity scoring
  • Machine-ingestible JSON output

Pure Engineering: Zero External Tools. Zero Wrappers.

Most pen-testing frameworks are menus that shell out to sqlmap, nikto, and nmap behind a terminal UI. POLTERGEIST is actual engineering. Every payload, every mutation, every detection algorithm, every scoring engine — written from scratch in pure Python. Zero subprocess calls. Zero external tool dependencies.

532 Custom Payloads · 17 Mutation Techniques · 0 Subprocess Calls · 0 External Dependencies

Enterprise SIEM Integration — Native

Export every finding directly to your SIEM. One flag. Native format translation. Ed25519 signatures and RFC 3161 timestamps preserved across every export.

  • Splunk: HEC • CIM Compliant
  • Sentinel: CEF • Log Analytics API
  • QRadar: LEEF 2.0 • Syslog

poltergeist scan https://target.com --export-siem splunk

Security Distros & Package Managers

  • Kali Linux: .deb package
  • Parrot OS: .deb package
  • BlackArch: PKGBUILD
  • REMnux: .deb package
  • Tsurugi: .deb package
  • PyPI: pip install
  • macOS: pip install
  • Windows: pip install
  • Docker: docker pull

Authorised Use Only

Red Specter POLTERGEIST is intended for authorised security testing only. Unauthorised use against systems you do not own or have explicit permission to test may violate the Computer Misuse Act 1990 (UK), Computer Fraud and Abuse Act (US), and equivalent legislation in other jurisdictions. Always obtain written authorisation before conducting any security assessments. Apache License 2.0.

POLTERGEIST UNLEASHED (Ed25519 Cryptographic Override)

Cryptographic override. Private key controlled. One operator. Founder's machine only.