Documentation Index
Fetch the complete documentation index at: https://docs.decepticon.red/llms.txt
Use this file to discover all available pages before exploring further.
Agent Architecture
Decepticon operates through seventeen specialist agents, each with its own tools, skills, and clean context window. Agents are spawned fresh per objective — no accumulated noise, no degraded reasoning across long engagements. The agents are not a flat list. They are organized by the engagement phase they serve, and routed by the Decepticon orchestrator through the OPPLAN.Orchestration Layer
Decepticon (Orchestrator)
The central coordinator. Owns the OPPLAN, sequences objectives, resolves dependencies, dispatches specialists via SubAgent middleware, streams results to the operator. Runs on the most capable model tier.
Soundwave (Planner)
Engagement planning specialist. Interviews the operator and generates the complete engagement package — RoE, ConOps, Deconfliction Plan, OPPLAN, and threat profile. No bash access; produces documents only.
Reconnaissance Phase
Recon
Active and passive recon — port scanning, service enumeration, OSINT, subdomain discovery, certificate-transparency mining. Operates inside the Kali sandbox.
Scanner
Automated vulnerability scanning. Runs nuclei, custom signature matching, and CVE correlation against discovered services.
Exploitation & Vulnerability Research
Exploit
General exploitation specialist. Vulnerability triage, exploit selection, initial access. Coordinates with Exploiter on PoC generation.
Exploiter
Reproducible PoC author. Produces working proof-of-concept exploits for verified vulnerabilities, with reliability notes.
Detector
Detection-rule generator. Produces Sigma, YARA, or telemetry-derived detections for each technique used. Feeds the Defense Brief.
Verifier
Two-method verification gate. Confirms candidate findings through at least two independent evidence channels before downstream work begins.
Patcher
Patch generator. Produces a code or configuration change that closes the vulnerability without breaking the application, plus a regression test.
Vulnresearch
Five-stage pipeline orchestrator. Drives Scanner → Detector → Verifier → Exploiter → Patcher with intelligent skipping based on confidence.
Post-Exploitation & Specialist Operators
Post-Exploit
General post-exploitation. Privilege escalation, lateral movement, credential harvesting, persistence, often via Sliver C2.
AD Operator
Active Directory specialist. BloodHound path analysis, Kerberoasting, ticket forging, ACL abuse, GPO manipulation.
Cloud Hunter
Cloud-platform specialist. IAM policy analysis, metadata-service abuse, S3/Azure storage, escalation paths in AWS/Azure/GCP.
Contract Auditor
Smart-contract specialist. Solidity static analysis (Slither), Foundry PoC harness, common DeFi vulnerability patterns.
Reverser
Binary reverse-engineering specialist. Triage, packer detection, string/symbol extraction, ROP gadget hunting, Ghidra/radare2 scripting.
Defense & Analysis
Defender
Offensive Vaccine closer. Consumes findings, detection rules, and patches; produces the Defense Brief that goes to the blue team at out-brief.
Analyst
Research and reporting specialist. Cross-correlates findings, queries the knowledge graph, and drafts the engagement narrative.
Clean Context Per Objective
Every agent spawns with a fresh context window for every objective:- No accumulated noise — Context doesn’t degrade across a 100-objective engagement.
- Targeted context — Each agent receives only the findings relevant to its objective.
- Persistent state — Findings live on disk and in Neo4j, not in agent memory.
Agent Middleware Stack
Each agent runs with a stack of middleware that provides cross-cutting concerns. The exact stack depends on the agent’s role.| Agent Role | Middleware Stack |
|---|---|
| Decepticon (Orchestrator) | SafeCommand → Skills → Filesystem → SubAgent → OPPLAN → ModelFallback → Summarization → PromptCaching → PatchToolCalls |
| Soundwave (Planner) | Skills → Filesystem → ModelFallback → Summarization → PromptCaching → PatchToolCalls |
| Specialist (Recon, Exploit, …) | Skills → Filesystem → SafeCommand → ModelFallback → Summarization → PromptCaching → PatchToolCalls |
What Each Layer Does
- SafeCommand — Refuses commands that violate the RoE or OPSEC posture.
- Skills — Progressive-disclosure skill loading filtered by ATT&CK overlap with the active threat profile.
- Filesystem — Sandboxed file access scoped to the engagement workspace.
- SubAgent —
task()tool for the orchestrator to dispatch work to specialists. - OPPLAN — Five CRUD tools and dynamic state injection of objectives into every LLM call.
- EngagementContext — Auto-injects RoE/ConOps into every iteration so guardrails are evaluated continuously.
- ModelFallback — Provider failover (Anthropic → OpenAI → Google → MiniMax) when a model is rate-limited or down.
- Summarization — Conversation-window compression for long-running specialists.
- PromptCaching — Anthropic prompt-cache boundary markers that separate static and dynamic prompt sections.
- PatchToolCalls — Rewrites tool-call shapes for cross-provider compatibility.
Agent–Tool Interaction
Agents interact with offensive tools through persistent tmux sessions inside the Kali sandbox:sliver >, msf6 >, PS C:\>), the agent:
- Detects the prompt pattern.
- Interprets the tool’s output.
- Sends the appropriate follow-up command.
- Handles control signals (
C-c,C-z) when needed.
- Inline (≤15K) — Returned directly to the agent.
- Offload (15K–100K) — Written to
/workspace/.scratch/and referenced by path. - Watchdog (>5M) — The session is killed and the agent is asked to refine.
OPPLAN System
The structured plan that the orchestrator dispatches to these agents.
Infrastructure
The isolated network architecture these agents operate within.