Red Specter POLTERGEIST

10-agent web application penetration testing swarm — 55 attack vectors, 532 payloads, 17 mutation techniques, triple OWASP + CWE mapping.

v1.0.0
Contents
Overview
Installation
Quick Start
The Ten Agents
Attack Campaigns
Attack Vectors (55)
Payloads & Mutations
Output & Reports
Flags & Options
Key Features
The Pipeline
Packaging
Disclaimer

Overview

POLTERGEIST is a 10-agent web application penetration testing swarm. Ten coordinated autonomous attack agents probe web applications across 55 attack vectors simultaneously — reconnaissance, injection, evasion, authentication, API assault, client-side, infrastructure, business logic, orchestration, and exfiltration.

Existing web scanners run one check at a time. Real attackers don't. POLTERGEIST deploys a coordinated swarm where each agent has a distinct specialisation: Wraith maps the surface, Specter injects, Shade evades WAFs, Banshee cracks auth, Phantom storms APIs, Ghoul attacks the client, Lich probes infrastructure, Wendigo exploits logic flaws, Poltergeist commands the swarm, and Revenant persists and exfiltrates. All ten operate simultaneously.

Every finding is mapped to OWASP Web Top 10 2021, OWASP API Top 10 2023, and CWE IDs. Every report is Ed25519 signed (unless --no-sign is passed) with RFC 3161 timestamps and SHA-256 evidence chains.

Installation

$ pip install red-specter-poltergeist

Also available as .deb (Kali Linux, Parrot, REMnux, Tsurugi) and PKGBUILD (BlackArch).

Quick Start

Full swarm assault

$ poltergeist scan https://target.com

Named campaign

$ poltergeist scan https://target.com --campaign full_assault

Selective agents with stealth mode

$ poltergeist scan https://target.com --agents WRAITH,SPECTER,SHADE --stealth

Authenticated scan with scope

$ poltergeist scan https://target.com --scope "*.target.com,/api/" --auth-type bearer --token eyJ...
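The --scope value above mixes a hostname glob (*.target.com) with a path prefix (/api/), and --exclude (see Flags & Options) removes paths. The page does not document how POLTERGEIST matches these, so the following is an added Go example, not the tool's own code, of the per-request scope check a practitioner would want a swarm to enforce. Its rules are assumptions: entries starting with "/" are path prefixes, everything else is a hostname glob, exclusions always win, and a URL is in scope only when it passes every configured check.

```go
package main

import (
	"fmt"
	"net/url"
	"path"
	"strings"
)

// Scope is an assumed model of --scope and --exclude: entries starting with "/" are path
// prefixes, everything else is a hostname glob. Example code, not POLTERGEIST's own.
type Scope struct {
	Hosts    []string // hostname globs such as "*.target.com"
	Paths    []string // path prefixes such as "/api/"
	Excludes []string // path prefixes that are never requested
}

// ParseScope splits `--scope "*.target.com,/api/"` and `--exclude "/api/v1/admin/"`.
func ParseScope(scope, exclude string) Scope {
	var s Scope
	for _, p := range strings.Split(scope, ",") {
		p = strings.TrimSpace(p)
		switch {
		case p == "":
		case strings.HasPrefix(p, "/"):
			s.Paths = append(s.Paths, p)
		default:
			s.Hosts = append(s.Hosts, strings.ToLower(p))
		}
	}
	for _, p := range strings.Split(exclude, ",") {
		if p = strings.TrimSpace(p); p != "" {
			s.Excludes = append(s.Excludes, p)
		}
	}
	return s
}

// InScope decides whether a URL the swarm discovered may be requested. Rules (assumed):
// http/https only; the hostname must match a glob when any are configured; the cleaned
// path must sit under a prefix when any are configured; an exclude prefix always wins.
func (s Scope) InScope(raw string) bool {
	u, err := url.Parse(raw)
	if err != nil || (u.Scheme != "http" && u.Scheme != "https") {
		return false
	}
	// Hostname() drops userinfo and port, so "https://api.target.com@evil.example/" is
	// judged on "evil.example", not on the text before the "@".
	host := strings.ToLower(u.Hostname())
	// Use the decoded path and fold dot segments, so "/api/../admin" and
	// "/api/%2e%2e/admin" are both judged as "/admin". Keep a trailing slash.
	p := path.Clean("/" + u.Path)
	if strings.HasSuffix(u.Path, "/") && p != "/" {
		p += "/"
	}
	for _, ex := range s.Excludes {
		if strings.HasPrefix(p, ex) {
			return false
		}
	}
	if len(s.Hosts) > 0 && !matchAny(host, s.Hosts) {
		return false
	}
	return len(s.Paths) == 0 || underAny(p, s.Paths)
}

// matchAny uses path.Match, where "*" matches any run of characters except "/": so
// "*.target.com" matches "api.target.com" but neither "target.com" nor "evil-target.com".
func matchAny(host string, globs []string) bool {
	for _, g := range globs {
		if ok, _ := path.Match(g, host); ok {
			return true
		}
	}
	return false
}

// underAny accepts "/api/users" and the bare "/api" for the prefix "/api/".
func underAny(p string, prefixes []string) bool {
	for _, pre := range prefixes {
		if strings.HasPrefix(p, pre) || p == strings.TrimSuffix(pre, "/") {
			return true
		}
	}
	return false
}

func main() {
	s := ParseScope("*.target.com,/api/", "/api/v1/admin/")
	for _, u := range []string{
		"https://api.target.com/api/users",
		"https://api.target.com@evil.example/api/users",
		"https://api.target.com/api/%2e%2e/admin",
		"https://api.target.com/api/v1/admin/users",
	} {
		fmt.Printf("%-48s in scope: %v\n", u, s.InScope(u))
	}
}
```

Under these rules the apex host target.com is not matched by *.target.com, so it must be listed explicitly (for example --scope "target.com,*.target.com,/api/") if it is to be scanned. The userinfo and dot-segment cases are the two ways a crawled link most often carries an out-of-scope host or path past a plain string-prefix check.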

CI/CD grade gate

$ poltergeist grade reports/scan.json --fail-below C

The Ten Agents

ID    Agent        Role             Vectors  Description
G-01  Wraith       Reconnaissance   5        Surface mapping, fingerprinting, hidden endpoints
G-02  Specter      Injection        8        SQLi, XSS, SSRF, RCE, SSTI, XXE, LDAP, command injection
G-03  Shade        Evasion          5        WAF bypass, encoding chains, payload mutation
G-04  Banshee      Authentication   6        Session hijack, OAuth, JWT, MFA bypass
G-05  Phantom      API Assault      8        REST, GraphQL, WebSocket, gRPC, BOLA, BFLA
G-06  Ghoul        Client-Side      5        DOM XSS, prototype pollution, CSP bypass
G-07  Lich         Infrastructure   6        Path traversal, LFI/RFI, misconfig, CORS, TLS
G-08  Wendigo      Business Logic   5        Race conditions, IDOR, privilege escalation
G-09  Poltergeist  Swarm Commander  3        Attack chain discovery, finding correlation
G-10  Revenant     Exfiltration     4        Data extraction, CSRF, lateral movement, persistence

G-01 Wraith Reconnaissance

Maps the entire attack surface before a single payload fires.

G-02 Specter Injection

Eight injection vectors covering the full injection attack surface.

G-03 Shade Evasion

Bypasses WAFs and security controls using adaptive evasion techniques.

G-04 Banshee Authentication

Full authentication and session management attack battery.

G-05 Phantom API Assault

Comprehensive API attack coverage across all modern API technologies.

G-06 Ghoul Client-Side

Client-side vulnerability analysis and exploitation.

G-07 Lich Infrastructure

Infrastructure-level vulnerabilities and misconfigurations.

G-08 Wendigo Business Logic

Business logic vulnerabilities that automated scanners miss.

G-09 Poltergeist Swarm Commander

Coordinates the swarm and discovers multi-step exploitation paths.

G-10 Revenant Exfiltration & Persistence

Data extraction, persistence validation, and lateral movement testing.

Attack Campaigns

Each campaign orchestrates specific combinations of agents and vectors for a targeted objective.

Campaign              Command                         Description
Full Assault          --campaign full_assault         All 10 agents, all 55 vectors, maximum aggression
Silent Recon          --campaign silent_recon         Passive reconnaissance, zero active probing
Auth Blitz            --campaign auth_blitz           Full authentication and session attack battery
API Siege             --campaign api_siege            REST, GraphQL, WebSocket, gRPC total assault
Client Harvest        --campaign client_harvest       Client-side XSS, DOM, prototype pollution, CSP bypass
Infrastructure Sweep  --campaign infrastructure_sweep Path traversal, misconfig, CORS, TLS weakness
Injection Storm       --campaign injection_storm      SQLi, XSS, SSRF, RCE, SSTI, XXE, LDAP, commands
Logic Bomb            --campaign logic_bomb           Race conditions, IDOR, privilege escalation, workflow
Exfil Express         --campaign exfil_express        Data extraction, CSRF, lateral movement, persistence
WAF Buster            --campaign waf_buster           WAF bypass, encoding chains, payload mutation, evasion

Attack Vectors (55)

55 vectors spanning the full web application attack surface:

  1. V-001 Surface Mapper — crawl, sitemap, robots.txt
  2. V-002 Technology Fingerprint — server, framework, CMS identification
  3. V-003 Hidden Endpoint Discovery — admin panels, debug endpoints, backups
  4. V-004 JavaScript Route Extraction — API routes from JS bundles
  5. V-005 API Discovery — OpenAPI, GraphQL, well-known configs
  6. V-006 SQL Injection — error-based, blind, time-based, UNION
  7. V-007 Cross-Site Scripting — reflected, stored, mutation
  8. V-008 SSRF — internal IPs, cloud metadata
  9. V-009 Remote Code Execution — OS command injection
  10. V-010 SSTI — template engine injection
  11. V-011 XXE — XML external entity injection
  12. V-012 LDAP Injection — filter injection
  13. V-013 Command Injection — advanced command injection
  14. V-014 WAF Bypass — chunked transfer, header tricks
  15. V-015 Encoding Chain Evasion — multi-layer encoding
  16. V-016 Payload Mutation — case, comment, whitespace
  17. V-017 Fingerprint Rotation — UA and header rotation
  18. V-018 Rate Limit Evasion — IP spoofing, timing
  19. V-019 Session Hijack — fixation, entropy, URL tokens
  20. V-020 Default Credentials — common credential testing
  21. V-021 OAuth Abuse — redirect_uri, missing state
  22. V-022 JWT Attacks — alg:none, confusion, kid injection
  23. V-023 MFA Bypass — response manipulation, step-skip
  24. V-024 Cookie Security — flag audit
  25. V-025 REST API Assault — method tampering, HPP
  26. V-026 GraphQL Assault — introspection, nesting, batch
  27. V-027 WebSocket Assault — CSWSH, message injection
  28. V-028 gRPC Assault — reflection, message tampering
  29. V-029 BOLA — IDOR via sequential IDs
  30. V-030 BFLA — privilege endpoint access
  31. V-031 Mass Assignment — hidden parameter injection
  32. V-032 Schema Abuse — type confusion, overflow
  33. V-033 DOM XSS — source-sink analysis
  34. V-034 Prototype Pollution — __proto__ injection
  35. V-035 CSP Bypass — policy weakness analysis
  36. V-036 JS Dependencies — vulnerable libraries, SRI
  37. V-037 Clickjacking — framing protection
  38. V-038 Path Traversal — directory traversal
  39. V-039 LFI/RFI — file inclusion
  40. V-040 Misconfiguration — infrastructure misconfig
  41. V-041 CORS Abuse — cross-origin access
  42. V-042 Header Injection — response splitting
  43. V-043 TLS Weakness — SSL/TLS config
  44. V-044 Race Conditions — TOCTOU, double-spend
  45. V-045 IDOR — direct object references
  46. V-046 Privilege Escalation — horizontal and vertical
  47. V-047 Workflow Bypass — logic step-skipping
  48. V-048 Payment Tampering — payment manipulation
  49. V-049 Chain Finder — multi-vuln exploitation paths
  50. V-050 Finding Correlator — compound attack discovery
  51. V-051 Effort Redistributor — dynamic effort allocation
  52. V-052 Data Extraction — exfiltration channels
  53. V-053 Session Riding — CSRF testing
  54. V-054 Lateral Movement — pivoting and expansion
  55. V-055 Respawn — persistence and backdoors

Payloads & Mutations

POLTERGEIST ships with 532 static payloads across 6 categories: SQLi, XSS, RCE, SSRF, SSTI and path traversal.

Mutation Engine

The mutation engine applies 17 mutation techniques to generate unlimited payload variants from the static corpus. This finds vulnerabilities that static payloads miss.
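To show what the case, comment and whitespace mutations of V-016 and the encoding layer of V-015 actually do to a payload, here is an added Go example. It is illustration code, not the tool's 17-technique engine, and naiveRule is a constructed stand-in for a signature-only WAF rule. It builds the variant corpus by chaining techniques breadth-first and reports which variants a literal-match rule fails to flag.

```go
package main

import (
	"fmt"
	"net/url"
	"strings"
	"unicode"
)

// Techniques is this example's own version of the case, comment and whitespace mutations
// (V-016) plus one encoding layer (V-015); it is not the tool's 17-technique engine.
var Techniques = []func(string) string{alternateCase, inlineComments, tabWhitespace, url.QueryEscape}

// alternateCase flips letters to aLtErNaTiNg case. SQL keywords are case-insensitive, so the
// payload still parses; only a rule that matches case-sensitively is affected.
func alternateCase(s string) string {
	var b strings.Builder
	upper := true
	for _, r := range s {
		if unicode.IsLetter(r) {
			if upper {
				r = unicode.ToUpper(r)
			} else {
				r = unicode.ToLower(r)
			}
			upper = !upper
		}
		b.WriteRune(r)
	}
	return b.String()
}

// inlineComments replaces each space with an empty block comment, which MySQL and
// PostgreSQL parse as whitespace: "UNION/**/SELECT".
func inlineComments(s string) string { return strings.ReplaceAll(s, " ", "/**/") }

// tabWhitespace swaps spaces for tabs: still whitespace to the SQL parser, not to a rule
// that looks for a literal space.
func tabWhitespace(s string) string { return strings.ReplaceAll(s, " ", "\t") }

// Variants applies chains of up to depth techniques and returns every distinct result,
// breadth-first, so single mutations come before double ones. Each level multiplies the corpus.
func Variants(payload string, depth int) []string {
	seen := map[string]bool{payload: true}
	var out []string
	frontier := []string{payload}
	for d := 0; d < depth; d++ {
		var next []string
		for _, p := range frontier {
			for _, fn := range Techniques {
				if v := fn(p); !seen[v] {
					seen[v] = true
					out = append(out, v)
					next = append(next, v)
				}
			}
		}
		frontier = next
	}
	return out
}

// naiveRule is a constructed stand-in for a signature-only WAF rule: lower-case the input
// and look for literal phrases, with no SQL tokenizer and no decoding step.
func naiveRule(s string) bool {
	l := strings.ToLower(s)
	return strings.Contains(l, "union select") || strings.Contains(l, " or 1=1")
}

// Surviving returns the variants naiveRule fails to flag. An encoded variant only works where
// the application decodes it before building the query, and a WAF that normalises (decodes,
// strips comments, collapses whitespace) before matching catches most of these.
func Surviving(payload string, depth int) []string {
	var out []string
	for _, v := range Variants(payload, depth) {
		if !naiveRule(v) {
			out = append(out, v)
		}
	}
	return out
}

func has(list []string, s string) bool {
	for _, v := range list {
		if v == s {
			return true
		}
	}
	return false
}

func main() {
	p := "UNION SELECT 1,2"
	fmt.Printf("base blocked: %v; %d variants at depth 2\n", naiveRule(p), len(Variants(p, 2)))
	for _, v := range Surviving(p, 1) {
		fmt.Printf("survives: %q\n", v)
	}
}
```

Note which single mutation does nothing here: the case flip is defeated by the rule's own lower-casing, while the comment and tab variants pass because the rule has no tokenizer. That asymmetry is why a mutation engine chains techniques rather than applying one at a time.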

Output & Reports

POLTERGEIST produces structured reports in JSON and HTML formats.

Report Structure

Each JSON report carries, for every finding, its OWASP Web Top 10 2021 and OWASP API Top 10 2023 mapping, CWE IDs and CVSS 3.1 score, and, for the report as a whole, the Ed25519 signature, RFC 3161 timestamp and SHA-256 evidence chain that `poltergeist verify` checks.

Flags & Options

$ poltergeist scan --help

  target              Target base URL [required]
  --scope             Comma-separated scope patterns [optional]
  --exclude           Paths to exclude [optional]
  --auth-type         Auth type: bearer, basic, cookie, header [optional]
  --token             Bearer token or credential [optional]
  --username          Username for basic auth [optional]
  --password          Password for basic auth [optional]
  --cookie            Cookies as key=value;key2=value2 [optional]
  --header            Extra headers as key:value,key2:value2 [optional]
  --proxy             HTTP proxy URL [optional]
  --concurrency       Max concurrent requests [default: 10]
  --rate-limit        Requests per second (0 = unlimited) [default: 0]
  --timeout           Request timeout in seconds [default: 30]
  --agents            Comma-separated agent codenames [default: all]
  --vectors           Comma-separated vector IDs [default: all]
  --campaign          Named campaign playbook [optional]
  --stealth           Enable stealth mode [default: false]
  --no-sign           Skip Ed25519 signing [default: false]
  --name              Target name [default: target-webapp]
  --output            Output directory [default: reports]
  --format            Output: json, html, or all [default: all]
  --config            Load config from YAML [optional]
  --save-config       Save config to YAML [optional]
  --no-verify-ssl     Disable SSL verification [default: false]
  --follow-redirects  Follow HTTP redirects [default: true]

Other Commands

$ poltergeist campaigns                          # List all campaign playbooks
$ poltergeist list-agents                        # List all 10 agents
$ poltergeist list-vectors                       # List all 55 vectors
$ poltergeist grade report.json --fail-below C   # CI/CD grade gate
$ poltergeist verify report.json                 # Verify Ed25519 signature
$ poltergeist keygen                             # Generate Ed25519 keypair
$ poltergeist version                            # Show version
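The `verify` and `grade` commands above check a signed report and gate a pipeline on it. The report schema is not shown on this page, so the following added Go example uses an assumed layout (it is not POLTERGEIST's code) to demonstrate what those two checks should cover: a SHA-256 evidence chain in which each finding's hash commits to the previous one, an Ed25519 signature over the chain head, verification against a public key the operator pins rather than any key carried inside the report, and a grade gate that treats an unverifiable report as a fail. The grade thresholds and the Finding/Report fields are assumptions, the two findings are constructed data, and the RFC 3161 timestamp is left out because it needs a network time-stamping authority.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
	"strings"
)

// Assumed layout for this example; the real POLTERGEIST report schema is not on this page.
type Finding struct {
	ID       string  `json:"id"`
	CVSS     float64 `json:"cvss"`
	Evidence string  `json:"evidence"`
	Hash     string  `json:"hash"` // SHA-256 over the previous finding's hash and this finding's fields
}
type Report struct {
	Findings  []Finding `json:"findings"`
	Signature string    `json:"signature"` // hex Ed25519 signature over the chain head (the last hash)
}

// findingHash chains f to prev, so editing, dropping or reordering a finding changes every later hash.
func findingHash(prev string, f Finding) string {
	h := sha256.New()
	fmt.Fprintf(h, "%s\n%s\n%.1f\n%s", prev, f.ID, f.CVSS, f.Evidence)
	return hex.EncodeToString(h.Sum(nil))
}

// chain fills every Hash in order from an all-zero genesis and returns a fresh slice plus the head.
func chain(in []Finding) ([]Finding, string) {
	out, prev := make([]Finding, len(in)), strings.Repeat("0", 64)
	for i, f := range in {
		f.Hash = findingHash(prev, f)
		out[i], prev = f, f.Hash
	}
	return out, prev
}

// Sign rebuilds the chain and signs its head; the head commits to every finding.
func Sign(r Report, priv ed25519.PrivateKey) Report {
	var head string
	r.Findings, head = chain(r.Findings)
	r.Signature = hex.EncodeToString(ed25519.Sign(priv, []byte(head)))
	return r
}

// Verify recomputes every hash, then checks the signature over the recomputed head against a key
// the operator pins (the one from `poltergeist keygen`); it never trusts a key carried in the report.
func Verify(r Report, trusted ed25519.PublicKey) error {
	prev := strings.Repeat("0", 64)
	for i, f := range r.Findings {
		if f.Hash != findingHash(prev, f) {
			return fmt.Errorf("evidence chain broken at finding %d (%s)", i, f.ID)
		}
		prev = f.Hash
	}
	sig, err := hex.DecodeString(r.Signature)
	if err != nil || !ed25519.Verify(trusted, []byte(prev), sig) {
		return fmt.Errorf("signature does not verify")
	}
	return nil
}

// Gate mirrors `grade report.json --fail-below C`. Assumed grades from the worst CVSS 3.1 base
// score: 9.0+ D, 7.0+ C, 4.0+ B, otherwise A. An unverifiable report is F and always fails.
func Gate(r Report, trusted ed25519.PublicKey, failBelow string) (string, bool) {
	if Verify(r, trusted) != nil {
		return "F", false
	}
	grade := "A"
	for _, f := range r.Findings {
		for i, floor := range []float64{4, 7, 9} {
			if g := string("BCD"[i]); f.CVSS >= floor && g > grade {
				grade = g
			}
		}
	}
	return grade, strings.Index("ABCDF", grade) <= strings.Index("ABCDF", failBelow)
}

// Demo returns a constructed two-finding report signed with a fixed-seed key, plus that key's
// public half. The fixed seed is for reproducibility here only; real keys come from `poltergeist keygen`.
func Demo() (Report, ed25519.PublicKey) {
	priv := ed25519.NewKeyFromSeed(bytes.Repeat([]byte{1}, ed25519.SeedSize))
	r := Sign(Report{Findings: []Finding{
		{ID: "F-001", CVSS: 7.5, Evidence: "/api/users?id=1 AND 1=1 -> 200; id=1 AND 1=2 -> 404"},
		{ID: "F-002", CVSS: 5.3, Evidence: "Set-Cookie: sid=abc123; Secure (no HttpOnly)"},
	}}, priv)
	return r, priv.Public().(ed25519.PublicKey)
}

func main() {
	r, pub := Demo()
	fmt.Println(Gate(r, pub, "C")) // C true
	r.Findings[0].CVSS = 2.0       // tamper: rescore a finding without re-signing
	fmt.Println(Gate(r, pub, "C")) // F false
}
```

The pinned key is the part most often skipped in CI: a verifier that accepts whatever public key a report carries lets anyone who can edit the JSON rescore findings, rebuild the chain and re-sign with a fresh key. Keep the public half from `poltergeist keygen` in the pipeline's secret store and verify against that.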

Key Features

10 Autonomous Agents: Coordinated swarm with distinct specialisations
55 Attack Vectors: Full web application attack surface coverage
532 Static Payloads: SQLi, XSS, RCE, SSRF, SSTI, path traversal
17 Mutation Techniques: Unlimited payload variants from the mutation engine
Triple OWASP + CWE: Web Top 10, API Top 10 and CWE IDs on every finding
CVSS 3.1 Scoring: Severity score on every finding
Ed25519 Signed Reports: SHA-256 evidence chains, RFC 3161 timestamps
886 Tests Passing: Full test suite, zero failures
Scope Enforcement: Built-in scope controls and rate limiting
10 Named Campaigns: Pre-built coordinated assault playbooks
CI/CD Integration: Grade gate for deployment pipelines
YAML Config: Save and load scan configurations

The Pipeline

POLTERGEIST is Stage 4 of the five-stage Red Specter security pipeline:

  1. Stage 1 — Forge — Automated LLM security testing
  2. Stage 2 — Arsenal — AI agent penetration testing
  3. Stage 3 — PHANTOM Swarm — Coordinated multi-agent AI assault
  4. Stage 4 — POLTERGEIST — Web application penetration testing swarm
  5. Stage 5 — AI Shield — Runtime protection in production

Forge tests models. Arsenal attacks agents. PHANTOM assaults AI systems. POLTERGEIST destroys web applications. AI Shield defends everything in production. One company. Full stack.

Packaging

POLTERGEIST is available in three package formats for security-focused Linux distributions: the pip package red-specter-poltergeist, a .deb for Kali Linux, Parrot, REMnux and Tsurugi, and a PKGBUILD for BlackArch.

For access, contact richard@red-specter.co.uk

Disclaimer

Red Specter POLTERGEIST is designed for authorised security testing, research, and educational purposes only. You must have explicit written permission from the system owner before running any POLTERGEIST tool against a target. Unauthorised use may violate the Computer Misuse Act 1990 (UK), the Computer Fraud and Abuse Act (US), or equivalent legislation in your jurisdiction. The authors accept no liability for misuse.