Every wall has a crack. SHROUD finds it. Five independent discovery methods — SPF record mining, certificate transparency logs, historical DNS, Shodan integration, and subdomain enumeration — converge on the real origin IP behind any CDN or WAF. Direct verification confirms the bypass. WRAITH pivots automatically.
Cloudflare, Akamai, and Fastly are reverse proxies — not shields. They sit in front of your infrastructure and filter traffic. Find the real IP behind them and every protection they offer becomes irrelevant. The WAF is bypassed. The rate limits disappear. The origin receives raw, unfiltered requests. SHROUD is built to find that IP automatically, across five independent channels, and pivot your entire offensive suite at it.
Organisations configure Cloudflare for HTTP/HTTPS traffic but forget that email often bypasses the CDN entirely. SPF records published in DNS TXT entries expose the real mail server IPs — and mail infrastructure frequently shares hosting with the web origin. SHROUD recursively resolves every ip4: mechanism in the SPF chain.
Every SSL certificate ever issued for a domain is logged publicly in certificate transparency logs. Certificates issued before CDN deployment — or for staging environments — resolve to the real origin IP. crt.sh exposes this history openly. SHROUD mines every entry and resolves every hostname it finds.
Before an organisation moved behind Cloudflare, its DNS A record pointed directly at the origin server. Historical DNS providers store those pre-CDN records. The IP hasn't changed — only the DNS entry has. SHROUD queries HackerTarget's free API for both historical and current records across all subdomains.
Mail, FTP, cPanel, staging, dev, and admin subdomains are frequently configured to resolve directly to the origin — bypassing the CDN entirely. Administrators add the primary domain to Cloudflare but forget that mail.example.com resolves straight to port 25 on the same server. SHROUD checks 52 bypass subdomains automatically.
Shodan continuously crawls the internet and indexes every open port it finds. If your origin server was ever exposed to the internet — before or after CDN deployment — Shodan has a record of its IP and open services. SHROUD queries Shodan's API and cross-references every result against the other discovery channels.
Discovery without verification produces noise. SHROUD's PROBE subsystem sends real HTTP requests directly to each candidate IP with the correct Host header — confirming the target's actual content is served, checking for WAF headers, and fingerprinting the real server. Confidence scoring ranks every candidate before STRIKE fires.
SHROUD is built from ten subsystems that cover the complete origin discovery pipeline. From SPF parsing and certificate transparency mining through subdomain enumeration, direct IP verification, server fingerprinting, confidence scoring, and automated WRAITH pivot — every phase makes real network requests. No hardcoded data. No simulations.
Parses SPF TXT records from DNS and recursively resolves every include: chain up to four levels deep. Extracts ip4: mechanisms and redirects to build a complete picture of all IPs associated with the domain's email infrastructure.
Queries the crt.sh certificate transparency API for all certificates ever issued to the target domain using the %.domain wildcard. Resolves every discovered hostname to its current IP address and checks for direct IP entries.
Queries HackerTarget's free API for historical DNS records — both the hostsearch endpoint (all subdomain:IP pairs ever seen) and the DNS lookup endpoint (current A records). Filters private IPs automatically.
Queries Shodan's API for hosts associated with the target domain. Uses DNS resolution and host search endpoints. Extracts open ports, OS fingerprints, vulnerability lists, and organisation data from every Shodan record found.
Attempts DNS resolution for 52 bypass subdomains known to frequently avoid CDN protection. Runs all queries in parallel. Detected CDN IPs are filtered out automatically, leaving only candidates that resolve to non-CDN infrastructure.
Sends real HTTP/HTTPS requests directly to each candidate IP with the correct Host header. Checks for target content, inspects response headers for WAF indicators, and tests ports 443, 80, 8443, and 8080 in sequence. No simulation.
Extracts detailed server fingerprints from HTTP response headers. Identifies web server software and version, application framework, programming language, OS hints, and hosting panel indicators. Notes security header posture.
Aggregates evidence from all five discovery channels and both verification subsystems into a unified confidence score for each candidate IP. Deduplicates across sources, applies corroboration bonuses, and ranks all candidates before STRIKE fires.
Once a CONFIRMED or HIGH confidence origin is established, STRIKE automatically invokes WRAITH against the raw origin IP — bypassing the CDN entirely. Full WARLORD ANNIHILATE chain also supported. Requires UNLEASHED gate.
Produces a complete structured JSON report for every engagement. Records every candidate IP, all discovery methods used, confidence scores, verification results, server fingerprints, and pivot execution details. Timestamped. Saved to reports/ directory.
SHROUD runs from a single CLI entry point. Discovery-only mode requires no authorisation. Full verification mode probes all candidates directly. Auto-pivot fires WRAITH at every confirmed origin and requires the UNLEASHED dual gate.
$ shroud scan --target example.com --mode discovery-only

[ PHASE 1 — DISCOVERY ]
Target: example.com
VEIL   Parsing SPF records...
✓ VEIL: 12 IP(s) via SPF — 203.0.113.1, 198.51.100.5...
ATLAS  Mining certificate transparency logs (crt.sh)...
✓ ATLAS: 4 IP(s) from 847 CT entries
TRACE  Querying historical DNS records...
✓ TRACE: 3 IP(s), 6 subdomains
SWEEP  Enumerating subdomains...
✓ SWEEP: 2 IP(s) from 8 resolved subdomains (14 CDN-filtered)

Discovery complete: 18 unique candidate IPs
$ shroud scan --target example.com --mode full --keywords "example,contact"

[ PHASE 2 — VERIFICATION ]
Probing 18 candidate IPs...
WAF BYPASSED: 2 confirmed origin(s):
  → 203.0.113.42
  → 198.51.100.22

CONFIRMED ORIGIN(S):
  → 203.0.113.42   confidence=CONFIRMED (1.00)  server=nginx/1.24.0
  → 198.51.100.22  confidence=HIGH (0.85)       server=LiteSpeed
$ shroud scan --target example.com --mode full \
    --auto-pivot --override --confirm-destroy

━━━ UNLEASHED MODE ACTIVE ━━━

[ PHASE 3 — STRIKE ]
Pivoting to 2 confirmed origin(s)...
  → 203.0.113.42 via wraith — SUCCESS
    Command: wraith scan --target 203.0.113.42 --host example.com
    Report:  reports/wraith_203_0_113_42_a1b2c3.json
$ shroud subsystems                      # List all 10 subsystems
$ shroud capabilities                    # Show discovery methods and pivot chains
$ shroud unleashed status                # UNLEASHED gate key fingerprint
$ shroud unleashed create-scope --targets example.com --days 30
$ shroud scan -t example.com --chain annihilate --override --confirm-destroy
Three phases, executed in sequence. Phase 1 discovers candidate IPs from all available intelligence sources. Phase 2 verifies each candidate by connecting directly — confirming real content and WAF absence. Phase 3 fires WRAITH at every confirmed origin, bypassing the CDN entirely.
Discovery and verification run without any gate — SHROUD can map any target's defensive perimeter without authorisation flags. The STRIKE phase — invoking WRAITH or WARLORD against the confirmed origin — requires both UNLEASHED flags simultaneously. This gate cannot be bypassed in software. The origin will not be pivoted at without explicit operator consent on every invocation.
No flags required. SPF parsing, CT log mining, historical DNS, Shodan queries, and subdomain enumeration run freely. Maps the attack surface without touching any target infrastructure directly.
Direct HTTP probes to candidate IPs. Confirms origin with real network requests. WAF bypass confirmed. Server fingerprinted. Confidence scored. No --override required for verification alone.
Requires --override AND --confirm-destroy. Both flags must be present. WRAITH is invoked against the confirmed origin. Ed25519 key at ~/.red-specter/shroud/unleashed.key. Authorised operators only.
SHROUD is available to authorised penetration testers and red team operators under engagement contract. Not for public distribution.
Red Specter SHROUD is a commercial penetration testing tool available exclusively to authorised security professionals operating under signed engagement contracts and with explicit written permission from target system owners. Unauthorised use against systems you do not own or have permission to test is illegal in most jurisdictions and is not condoned by Red Specter Security Research Ltd (Company No. 17106988). All operator actions are logged, signed, and attributable.