Security Assessment Studio

Security assessment and penetration testing lifecycle for evaluating existing systems

5 stages | 10 hats | Persistence: git | Delivery: pull-request

Stage Details

Reconnaissance (Auto review)

Passive and active information gathering about the target

Hats

Network Mapper

Map the target's network topology, identify live hosts, open ports, and external-facing services within the authorized scope. Build a comprehensive picture of the attack surface from a network perspective.

OSINT Analyst

Collect publicly available information about the target using open-source intelligence techniques. Sources include DNS records, WHOIS data, certificate transparency logs, publicly indexed pages, leaked-credential databases, social media, job postings, and technology stack fingerprinting.

Enumeration (Ask review)

Service discovery, version detection, vulnerability scanning, and attack surface mapping

Hats

Enumerator

Deep-dive into discovered services to extract version information, configuration details, supported protocols, authentication mechanisms, and exposed functionality. Turn the reconnaissance map into a detailed service inventory.

Vulnerability Scanner

Identify known vulnerabilities in discovered services using version correlation, configuration analysis, and targeted vulnerability checks. Classify findings by severity and verify where possible without exploitation.

Requires: target-profile from Reconnaissance

Exploitation (Ask review)

Controlled exploitation of discovered vulnerabilities with proper scoping and authorization

Hats

Attack Operator

Execute exploitation attempts against authorized targets using developed proof-of-concepts. Maintain detailed logs of every action taken, monitor for unintended side effects, and abort immediately if scope boundaries are approached.

Exploit Developer

Develop or adapt exploits for confirmed vulnerabilities. Build reliable, controlled proof-of-concept code that demonstrates impact without causing destruction or denial of service. Prioritize exploits by potential impact and likelihood of success.

Requires: vulnerability-catalog from Enumeration

Post Exploitation

Assess impact, test lateral movement, evaluate data exposure, and document access chains

Hats

Impact Assessor

Evaluate the business impact of each successful access chain. Classify data exposure by sensitivity, assess regulatory implications, estimate blast radius, and determine the real-world consequences if each vulnerability were exploited by a malicious actor.

Post Exploit Analyst

From established footholds, map lateral movement possibilities, identify privilege escalation paths, and assess what an attacker could reach from each compromised position. Document the full attack graph without causing additional harm.

Requires: access-log from Exploitation

Reporting (External review)

Formal findings report with severity ratings, reproduction steps, remediation guidance, and executive summary

Hats

Remediation Advisor

Develop actionable remediation guidance for each finding. Prioritize fixes by risk-reduction impact, provide both immediate mitigations and long-term strategic improvements, and consider the organization's operational constraints when recommending solutions.

Report Writer

Compile all findings into a structured, professional security assessment report. Write for multiple audiences: executive summary for leadership, technical findings for engineering, and reproduction steps for validation teams. Ensure every claim is backed by evidence from earlier stages.

Requires: impact-assessment from Post Exploitation

Security Assessment Studio

Security assessment lifecycle for penetration testing, vulnerability assessments, and security audits of existing systems. Follows the standard pentest methodology: passive/active reconnaissance, service enumeration, controlled exploitation, post-exploitation analysis, and formal reporting. Uses git persistence for auditable findings and reproducible test cases.