-
Notifications
You must be signed in to change notification settings - Fork 384
Home
Samuele Giampieri edited this page May 2, 2026
·
35 revisions
Legal Disclaimer: This tool is intended for authorized security testing, educational purposes, and research only. Never use this system to scan, probe, or attack any system you do not own or have explicit written permission to test. Read the full disclaimer.
Welcome to the RedAmon user guide — a comprehensive, step-by-step reference for getting started with and mastering every feature of the RedAmon AI-powered red team framework.
New here? Start with Getting Started to install and launch RedAmon, then follow the guide sequentially.
Want the deep technical view? This wiki is the operator-facing user guide. For the architectural deep dive — the Scatter-Gather ReAct (SG-ReAct) pattern, every node of the agent state machine, the four-layer guardrail stack, the EvoGraph schema, the fireteam fan-out internals, and an impartial code-verified benchmark against other ai pentesting repos — read the RedAmon Agentic System — Technical Whitepaper in the project repository.
| Page | What You'll Learn |
|---|---|
| Getting Started | Prerequisites, installation, environment setup, first launch |
| User Management | Creating users, switching between users, deleting users |
| Creating a Project | Setting up a target (domain or IP/CIDR), configuring scan modules, the 16-tab project form |
| Recon Presets | 21 built-in presets, user-saved presets, AI-generated presets -- configure 328+ parameters in one click |
| Global Settings | LLM providers, tool API keys (Tavily, Shodan, SerpAPI), agent skill management |
| Page | What You'll Learn |
|---|---|
| Red Zone | Main interface tour -- toolbar, 2D/3D graph, data table, node details, bottom bar |
| Recon Pipeline Workflow | Interactive visual pipeline diagram -- data flow, chain breaking, tool dependencies, produces/consumes reference |
| Running Reconnaissance | Starting scans, real-time logs, the parallelized fan-out/fan-in pipeline, downloading results |
| AI Agent Guide | Chat interface, agent phases, Wave Runner (parallel tools), approval workflows, guidance, reports |
| Fireteam — Parallel Specialists | Fan-out the agent into N specialist sub-agents on independent angles; per-member panels, per-member tool approvals, every project parameter explained |
| Reverse Shells | Live session interaction, Command Whisperer, meterpreter/shell management, session upgrade |
| RedAmon Terminal | Direct interactive Kali sandbox shell via xterm.js — fullscreen, auto-reconnect, all pentesting tools |
| Page | What You'll Learn |
|---|---|
| JS Reconnaissance | Deep JavaScript analysis -- secrets, endpoints, dependency confusion, source maps, DOM sinks, framework detection |
| GraphQL Security Testing | Dedicated GraphQL scanner -- endpoint discovery, introspection leaks, schema extraction, sensitive-field detection, 12 graphql-cop misconfig checks |
| Subdomain Takeover Detection | Layered takeover scanner -- Subjack + Nuclei takeover templates + BadDNS (AGPL-3.0 isolated sidecar), dedup across tools, confidence scoring, verdicts |
| VHost & SNI Enumeration | Hidden virtual host discovery via L7 (HTTP Host header) + L4 (TLS SNI) probes per candidate hostname; reveals reverse-proxy / k8s ingress / Cloudflare routing |
| GVM Vulnerability Scanning | Network-level scanning with OpenVAS, scan profiles, viewing results |
| GitHub Secret Hunting | Creating a GitHub token, configuring and running secret scans |
| TruffleHog Secret Scanning | TruffleHog 700+ detector secret scanning with live API verification |
| Page | What You'll Learn |
|---|---|
| AI Model Providers | Setting up OpenAI, Anthropic, Gemini, DeepSeek, GLM, Kimi, Qwen, xAI, Mistral, OpenRouter, AWS Bedrock, OpenAI-Compatible (Ollama, vLLM, …) |
| Agent Skills | Built-in skills (CVE, SQLi, XSS, brute force, phishing, DoS), user-defined agent skills, classification badge, skill authoring |
| Chat Skills | On-demand reference injection via /skill command -- tool playbooks, vulnerability guides, framework notes |
| CypherFix — Automated Remediation | Vulnerability triage, remediation dashboard, CodeFix agent, diff review, PR creation |
| Rules of Engagement (RoE) | Document upload, LLM parsing, enforcement layers, RoE viewer, settings reference |
| Page | What You'll Learn |
|---|---|
| Insights Dashboard | Analytics overview — KPI cards, attack chain charts, vulnerability intelligence, graph overview |
| Pentest Reports | Report generation, templates, export formats |
| Attack Surface Graph | Neo4j graph schema -- 22 node types, 20+ relationships |
| Surface Shaper | Define focused attack surfaces from the full graph using natural language and AI-generated Cypher queries |
| EvoGraph — Attack Chain Evolution | Evolutive attack chain graph — 5 node types, bridge relationships, cross-session learning |
| Data Export & Import | Exporting projects, downloading scan data, Excel export |
| Page | What You'll Learn |
|---|---|
| AI-Assisted Development | Ship perfect PRs using AI coding agents — integration prompts, iterative review workflow, Claude Code setup |
| Page | What You'll Learn |
|---|---|
| Project Settings Reference | Complete reference for all 245+ configurable parameters |
| Troubleshooting | Common issues, container management, GVM feed sync |
RedAmon is an AI-powered agentic red team framework that automates offensive security operations — from reconnaissance to exploitation to post-exploitation — with zero human intervention. Everything runs inside Docker containers: no security tools needed on your host machine.
Key capabilities:
- Automated Reconnaissance — parallelized fan-out/fan-in scanning pipeline that maps an entire attack surface from a domain or IP/CIDR targets
- AI-Powered Pentesting — autonomous agent that reasons, selects tools, executes exploits, and runs independent tools in parallel via Wave Runner
- Network Vulnerability Scanning — GVM/OpenVAS integration with 170,000+ NVTs
- GitHub Secret Hunting — discover leaked credentials and API keys
- TruffleHog Secret Scanning — 700+ secret detectors with optional live API verification
- JS Reconnaissance -- deep JavaScript analysis with 90+ secret patterns, source map discovery, dependency confusion detection, and endpoint extraction
- GraphQL Security Testing -- dedicated scanner for GraphQL APIs with introspection detection, schema extraction, sensitive-field flagging, and 12 graphql-cop misconfig checks
- Subdomain Takeover Detection -- three-engine layered scanner (Subjack + Nuclei takeover templates + BadDNS AGPL-3.0 sidecar) with cross-tool dedup, 12+ auto-exploitable providers, and confidence-scored verdicts
- VHost & SNI Enumeration -- finds hidden virtual hosts on every target IP by probing each candidate at both the HTTP Host header (L7) and the TLS SNI (L4); reveals admin panels, k8s ingress backends, staging environments, and proxy-routing inconsistencies that DNS doesn't expose
- Attack Surface Graph -- Neo4j knowledge graph with 22 node types + EvoGraph evolutionary attack chain tracking
- Recon Presets -- 21 built-in reconnaissance configurations plus AI-generated custom presets for instant project setup
- 245+ Project Settings — fine-grained control over every tool and behavior
- 400+ AI Models — support for 12 providers (OpenAI, Anthropic, Gemini, DeepSeek, GLM, Kimi, Qwen, xAI, Mistral, OpenRouter, Bedrock, OpenAI-Compatible) plus local models via Ollama
Getting Started
Core Workflow
- Red Zone
- Recon Pipeline Workflow
- Running Reconnaissance
- AI Agent Guide
- Fireteam — Parallel Specialists
- Reverse Shells
Scanning & OSINT
- JS Reconnaissance
- GraphQL Security Testing
- Subdomain Takeover Detection
- VHost & SNI Enumeration
- GVM Vulnerability Scanning
- GitHub Secret Hunting
- TruffleHog Secret Scanning
AI & Automation
- AI Model Providers
- Knowledge Base & Web Search
- Agent Skills
- Chat Skills
- Tradecraft Lookup
- Playwright Browser Automation
- CypherFix — Automated Remediation
- Rules of Engagement (RoE)
HackLab
Analysis & Reporting
- Insights Dashboard
- Pentest Reports
- Attack Surface Graph
- Surface Shaper
- EvoGraph — Attack Chain Evolution
- Data Export & Import
Contributing
Reference & Help