pip install red-specter-reaper
The industry's exploit framework is written in Ruby, generates PE and ELF payloads that every EDR signatures on sight, and requires a 2GB install with dozens of dependencies. REAPER replaces the entire chain with pure Python. Python payloads. Python implants. Python C2. Harder to signature. Easier to extend. One pip install.
Metasploit requires Ruby, PostgreSQL, and hundreds of gems. One broken gem and your framework is dead. REAPER is pure Python. One pip install. No Ruby. No PostgreSQL. No fragile dependency chains.
PE and ELF payloads from msfvenom are instantly flagged by every EDR on the planet. Python payloads are inherently harder to signature. No binary compilation. No fixed headers. No static patterns for AV to match.
Metasploit doesn't know what your scanner found. You copy-paste CVE numbers manually. REAPER chains directly from WRAITH scan results. Vulnerability discovered to exploit delivered in one command.
Traditional exploit frameworks don't reason about attack paths. NEMESIS orchestrates REAPER with AI reasoning. The Supreme Commander decides which exploit, which payload, which persistence method — based on the target environment.
Nine modules. Each one replaces a core Metasploit component with pure Python engineering. No Ruby. No msfvenom. No Meterpreter. Every exploit, every payload, every implant built from scratch. 5,267 tests. 55 CVE exploits across 24 products. Complete post-exploitation chain.
55 CVE exploits across 24 products with protocol-level attacks. Buffer overflows, deserialization, authentication bypass, RCE. Every exploit pure Python. No Ruby modules.
Reverse and bind shells over TCP, HTTP, HTTPS, and DNS. Staged and stageless variants. 6 output formats. Python payloads that EDR can't signature like PE/ELF binaries.
Async multi-protocol C2 server with XOR encrypted sessions. TCP, HTTP, HTTPS, DNS channels. Full session management. Multiple simultaneous implant connections. Pure Python server.
Pure Python cross-platform agent with 10 capabilities. Full and minimal variants. File operations, process management, screenshot capture, keylogging, credential dump. No compiled binary required.
20 GTFOBins entries for SUID/sudo exploitation. 15 Linux privilege escalation checks covering kernel, cron, capabilities, writable paths. 10 LOLBAS entries for Windows environments.
SSH and SMB pivoting for lateral movement. Built-in SOCKS5 proxy for tunnelling traffic. Port forwarding. Credential reuse across compromised hosts. Network propagation without touching disk.
10 Linux persistence methods (cron, systemd, rc.local, bashrc, SSH keys, MOTD, udev, XDG autostart, APT hooks, LD_PRELOAD). 8 Windows methods. Install, verify, and remove. Stealth ratings per method.
35 Linux credential paths and 10 Windows credential paths. 25 secret regex patterns for API keys, tokens, passwords, connection strings. Automated credential extraction from compromised hosts.
XOR, AES, base64, and zlib encoding. Polymorphic engine that generates unique payload variants every execution. Sandbox detection for VM/debugger environments. 14 evasion techniques combined.
Exploit a known CVE:
Generate a reverse shell payload:
Start a C2 server:
Generate a cross-platform implant:
Check for privilege escalation vectors:
Move laterally via SSH:
Install persistence:
Harvest credentials from a compromised host:
Apply evasion to a payload:
Full 9-phase kill chain — one command:
Chain from WRAITH discovery:
Zero Ruby. Zero msfvenom. Zero Meterpreter. Every exploit, payload, implant, and C2 server built from scratch in pure Python. One pip install replaces Metasploit.
WRAITH discovers vulnerabilities. REAPER exploits them. One command chains discovery to exploitation. No copy-pasting CVE numbers between tools.
NEMESIS AI orchestrates REAPER operations. The Supreme Commander reasons about which exploit, which payload, which persistence method to use based on target context.
Python payloads are inherently harder to signature than PE/ELF binaries. Polymorphic engine generates unique variants. Sandbox detection. Anti-forensics built in.
REAPER ships with a comprehensive signature database covering CVE exploits, shell templates, privilege escalation vectors, credential paths, persistence methods, and evasion techniques. Every entry tested. Every technique validated. 5,267 tests confirm it all works.
Standard mode generates exploits, payloads, and attack plans but never sends them. Dry-run mode proves they work without delivering. UNLEASHED live mode executes the full kill chain against real targets. Ed25519 key gate required. Two flags must be passed. This is not accidental.

| Capability | Standard | Unleashed |
|---|---|---|
| Exploit | Detection & analysis only | Fire exploits against targets |
| Payload | Generate payload files | Deliver and execute on target |
| C2 | Simulate C2 protocol | Full async C2 with live sessions |
| Implant | Generate implant binary | Deploy and activate on target |
| Privesc | Enumerate vectors | Execute escalation to root/SYSTEM |
| Lateral | Map pivot paths | SSH/SMB pivot with credential reuse |
| Persist | List available methods | Install, verify, and maintain persistence |
| Harvest | Identify credential locations | Extract and exfiltrate credentials |
| Evasion | Preview transformations | Polymorphic + sandbox evasion live |

UNLEASHED mode requires an Ed25519 private key at ~/.redspecter/override_private.pem and the --override --confirm-destroy flags. Without both, REAPER operates in detection and generation mode — building exploits and payloads without delivering them. The gate is cryptographic. There is no bypass. One key. One operator. Founder's machine only.
WRAITH finds the vulnerabilities. REAPER exploits them, deploys an implant, harvests credentials, moves laterally, and persists. NEMESIS orchestrates the entire chain with AI reasoning. From discovery to full compromise — one pipeline. No manual steps.
WRAITH scan results feed directly into REAPER. CVEs discovered by WRAITH are matched to REAPER exploits automatically. One command: reaper engage --wraith-report scan.json
NEMESIS AI orchestrates REAPER operations. The Supreme Commander reasons about attack paths, selects exploits, chooses persistence methods, and coordinates lateral movement across the network.
Every exploit fired, every persistence method installed, every credential path checked — generates AI Shield blocking rules. Red team findings become blue team defences automatically.
FORGE tests the model. ARSENAL tests the agent. WRAITH scans the infrastructure. REAPER exploits it. NEMESIS orchestrates. AI Shield defends. Thirteen tools. Every layer. Nothing assumed safe.
Metasploit is a Ruby framework that generates PE and ELF payloads every EDR signatures on sight. REAPER is pure Python engineering. Every exploit engine, every payload generator, every C2 server, every implant written from scratch. Python payloads are inherently harder to signature. One pip install replaces the entire Metasploit toolchain.
REAPER is Tool 13 in the Red Specter offensive pipeline. It exploits what WRAITH discovers. Findings feed into NEMESIS for AI-orchestrated attack chains and AI Shield for runtime defence generation.
WRAITH discovers the vulnerabilities. REAPER exploits them. Pure Python. Zero Ruby. Nine modules. Complete post-exploitation chain. From discovery to persistence in one pipeline.