A red team engagement is not a vulnerability scan with extra steps. It is a structured campaign against a real-world threat profile, executed in three phases, governed by formal documents (RoE, ConOps, OPPLAN), and adjudicated against the eight canonical engagement goals.
The Three Phases
Get In
Establish initial access without tipping the blue team. The footprint is the cost — the smaller, the better. Decepticon executes Get In through the Recon and Exploit agents, driven by the OPPLAN’s INITIAL_ACCESS objectives.
Stay In
Persistence and command-and-control. The objective is survivability — beacons that survive reboots, defender response, and EDR sweeps. Decepticon establishes Sliver C2 sessions and tiered callbacks here.
C2 Tiering
During Stay In, command-and-control is structured into tiers. Each tier balances responsiveness against detection risk.

| Tier | Callback Cadence | OPSEC Profile | Use Case |
|---|---|---|---|
| INTERACTIVE | Seconds | High exposure | Live operator control during a hot objective |
| SHORT_HAUL | 1–24 hours | Moderate | Reliable operational access for ongoing objectives |
| LONG_HAUL | 24+ hours | Low exposure | Persistent fallback channel that survives defender hunting |

C2Tier so the agent knows which channel to use for each action.
The Eight Engagement Goals
A red team engagement is judged against canonical goals — what was the team trying to achieve, and did the blue team detect it? Decepticon adopts the same eight categories used across the industry:
Physical Access Assessment
Evaluate physical and badge controls — door access, tailgating, RFID cloning.
Critical System Access
Reach a named crown-jewel system (SWIFT, ERP, prod database, code-signing infra).
Network Lateral Movement
Pivot across segments — DMZ to corp, corp to OT, cloud to on-prem.
Privilege Escalation
Promote from low-privilege user to local admin, domain admin, or cloud-tenant root.
Information Discovery
Locate sensitive data — secrets, source code, customer records, IP.
Data Exfiltration
Move data out without DLP catching it. The route matters as much as the bytes.
Detection Evasion
Operate without triggering SIEM, EDR, NDR, or human analyst tickets.
Operational Impact
Demonstrate the consequence — business disruption, integrity, availability.
How Decepticon Maps to the Lifecycle
Decepticon’s agent topology is built around this lifecycle, not around tools.

| Phase | Primary Agents | Skills Surface |
|---|---|---|
| Plan (pre-engagement) | Soundwave | RoE, ConOps, Deconfliction, OPPLAN, Threat Profile |
| Get In | Recon, Scanner, Exploit, Exploiter | Passive/active recon, web exploitation, AD initial access |
| Stay In | Post-Exploit, AD Operator, Cloud Hunter | Persistence, C2 sessions, defense evasion, OPSEC |
| Act | Post-Exploit, Analyst, Defender | Lateral movement, credential access, finding capture, defense brief |
Engagement Documents
Every Decepticon engagement produces — and is bound by — four documents:
RoE (Rules of Engagement)
Scope, restrictions, communication plan, deconfliction. Authority to operate.
ConOps (Concept of Operations)
Threat profile, methodology, success criteria, infrastructure plan.
Deconfliction Plan
How the red team separates its activity from real-world incidents during the engagement.
OPPLAN
Objective list — each with MITRE ATT&CK IDs, kill chain phase, dependencies, acceptance criteria.
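As an added illustration (not Decepticon’s own schema or code), the following checks that an OPPLAN objective list is well-formed before an engagement starts: ATT&CK IDs have the expected shape, each objective names a kill chain phase and a C2 tier from the tiering table, every dependency resolves, acceptance criteria are present, and the dependency graph is acyclic so objectives can be ordered. The field names and the sample objectives are constructed assumptions.

```python
"""Validate and order a hypothetical OPPLAN objective list.
Example code only; the schema (field names, c2_tier) is assumed, not Decepticon's."""
import re
from graphlib import TopologicalSorter, CycleError

ATTACK_ID = re.compile(r"^T\d{4}(\.\d{3})?$")  # technique or sub-technique, e.g. T1078 / T1078.002
PHASES = ("Get In", "Stay In", "Act")          # the three lifecycle phases
C2_TIERS = ("INTERACTIVE", "SHORT_HAUL", "LONG_HAUL")

# Constructed sample objectives, not taken from any real engagement.
SAMPLE_OPPLAN = [
    {"id": "OBJ-3", "phase": "Act", "attack_ids": ["T1021.002"],
     "depends_on": ["OBJ-2"], "acceptance": "Reach named crown-jewel host",
     "c2_tier": "INTERACTIVE"},
    {"id": "OBJ-1", "phase": "Get In", "attack_ids": ["T1190"],
     "depends_on": [], "acceptance": "Foothold on DMZ web tier",
     "c2_tier": "SHORT_HAUL"},
    {"id": "OBJ-2", "phase": "Stay In", "attack_ids": ["T1547.001"],
     "depends_on": ["OBJ-1"], "acceptance": "Beacon survives reboot",
     "c2_tier": "LONG_HAUL"},
]


def validate(opplan):
    """Return a list of problems; an empty list means the OPPLAN is well-formed."""
    problems = []
    ids = {o["id"] for o in opplan}
    for o in opplan:
        if o["phase"] not in PHASES:
            problems.append(f"{o['id']}: unknown phase {o['phase']!r}")
        if o["c2_tier"] not in C2_TIERS:
            problems.append(f"{o['id']}: unknown C2 tier {o['c2_tier']!r}")
        for t in o["attack_ids"]:
            if not ATTACK_ID.match(t):
                problems.append(f"{o['id']}: malformed ATT&CK ID {t!r}")
        for d in o["depends_on"]:
            if d not in ids:
                problems.append(f"{o['id']}: unresolved dependency {d!r}")
        if not o["acceptance"].strip():
            problems.append(f"{o['id']}: missing acceptance criteria")
    return problems


def execution_order(opplan):
    """Order objectives so every dependency runs first; raise on a cycle."""
    ts = TopologicalSorter({o["id"]: set(o["depends_on"]) for o in opplan})
    try:
        return list(ts.static_order())
    except CycleError as e:
        raise ValueError(f"dependency cycle in OPPLAN: {e.args[1]}") from e
```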
