A red team engagement that does not emulate a real threat is just a structured pentest with extra paperwork. The discipline of threat emulation — mimicking the TTPs of a specific adversary — is what makes red teaming meaningful.
## “The Threat Gets a Vote”
The principle, codified by redteam.guide and inherited from military doctrine, is simple: engagements must be grounded in what real threats actually do, not just what defenders plan for. A blue team that prepares for the threat they wish they had — instead of the threat that actually exists — has prepared for nothing. Decepticon enforces this principle by requiring an explicit threat profile before generating an OPPLAN.

## The Threat Profile
Decepticon adopts the seven-field threat profile structure used across the industry. Each engagement begins by selecting or authoring a profile:

| Field | Purpose | Example (AUTOBANK) |
|---|---|---|
| Description | Threat level, methods, motivation | “Financially motivated APT inspired by Carbanak” |
| Goal & Intent | What the threat actor is trying to achieve | “Access SWIFT infrastructure for fraudulent transfers” |
| Key IOCs | Indicators of compromise associated with the actor | Specific C2 domains, malware families, certificate patterns |
| C2 Overview | Channels, tiers, callback patterns | DNS, HTTPS, SMB; long-haul fallback to cloud-fronted CDN |
| TTPs | Tactics, techniques, procedures (mapped to MITRE ATT&CK) | T1566.001 phishing, T1059.001 PowerShell, T1003.001 LSASS |
| Exploitation | Initial access methods | Spear-phishing with macro-enabled documents |
| Persistence | How continued presence is maintained | Scheduled tasks, WMI subscriptions, service hijacking |
The threat profile is not a wishlist — it is a constraint. Decepticon will not use techniques that are out of profile, because the value of emulation is precisely that it teaches the blue team to recognize that adversary.
## How Decepticon Consumes a Threat Profile
When you start an engagement, the Soundwave planning agent interviews the operator and produces:

1. ConOps draft with embedded threat profile: Soundwave selects or composes a profile from the seven-field template, then weaves it into the Concept of Operations as the engagement’s “adversary of record.”
2. OPPLAN objectives constrained to in-profile TTPs: each objective is tagged with MITRE ATT&CK IDs. The orchestrator refuses to schedule objectives whose TTPs fall outside the profile.
3. Skill loading filtered by profile match: Decepticon’s progressive-disclosure skill system loads only skills whose mitre_attack tags overlap with the profile. Out-of-profile skills are kept off the agent’s working set.

## Threat Profile vs. Pentest Scope
A pentest scope says “these IPs, these apps, these dates.” A threat profile says “this adversary, with these capabilities, motivated by these goals.” The two are not interchangeable.

| Pentest Scope | Threat Profile |
|---|---|
| “Test web app X” | “Emulate AUTOBANK’s path to SWIFT” |
| Bounded by asset list | Bounded by TTP catalog |
| Success = vulnerabilities found | Success = blue team measured |
| Tools picked by tester | Tools picked by adversary |
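The two profile-driven checks described above (the orchestrator refusing objectives whose TTPs fall outside the profile, and the skill loader keeping only skills whose mitre_attack tags overlap it), together with the “bounded by TTP catalog” contrast in the table, as a worked Python example added here; it is not Decepticon’s own code. The seven-field dict layout, the function names, the sub-technique matching rule (a profile tag such as T1059 also covering T1059.001) and the skill catalogue are assumptions for illustration; the AUTOBANK values are the ones this page lists.

```python
# Assumed seven-field template keys (illustrative names, not Decepticon's schema).
REQUIRED_FIELDS = (
    "description", "goal_intent", "key_iocs",
    "c2_overview", "ttps", "exploitation", "persistence",
)

# Constructed AUTOBANK profile using the example values from the table above.
AUTOBANK = {
    "description": "Financially motivated APT inspired by Carbanak",
    "goal_intent": "Access SWIFT infrastructure for fraudulent transfers",
    "key_iocs": ["<placeholder: actor C2 domains, malware families>"],
    "c2_overview": ["DNS", "HTTPS", "SMB"],
    "ttps": {"T1566.001", "T1059.001", "T1003.001"},
    "exploitation": "Spear-phishing with macro-enabled documents",
    "persistence": ["Scheduled tasks", "WMI subscriptions"],
}

# Constructed skill catalogue: skill name -> mitre_attack tags (hypothetical).
SKILLS = {
    "phishing-lure": {"T1566.001"},
    "ps-execution": {"T1059.001", "T1059.003"},
    "lsass-access": {"T1003.001"},
    "ransomware-impact": {"T1486"},   # out of profile for a fraud-motivated actor
}


def missing_fields(profile: dict) -> list[str]:
    """Return template fields that are absent or empty; a profile must be complete."""
    return [f for f in REQUIRED_FIELDS if not profile.get(f)]


def _covers(profile_tag: str, tag: str) -> bool:
    """Assumed rule: a profile tag covers itself and its sub-techniques."""
    return tag == profile_tag or tag.startswith(profile_tag + ".")


def in_profile(profile: dict, tag: str) -> bool:
    return any(_covers(p, tag) for p in profile["ttps"])


def objective_allowed(profile: dict, objective_tags: set[str]) -> tuple[bool, set[str]]:
    """Orchestrator check: schedulable only if every tag is in profile.
    Returns the offending IDs so a refusal can be logged with them."""
    out = {t for t in objective_tags if not in_profile(profile, t)}
    return (not out, out)


def select_skills(profile: dict, skills: dict[str, set[str]]) -> list[str]:
    """Skill loader: keep skills whose tags overlap the profile (any match)."""
    return sorted(n for n, tags in skills.items() if any(in_profile(profile, t) for t in tags))
```

The two checks deliberately differ: an objective is refused if any of its tags is out of profile, while a skill is loaded as soon as one of its tags matches, which is how the page describes each.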
## Authoring a Custom Profile
Custom profiles live alongside the default ones in the Soundwave skills directory. A minimal profile is YAML frontmatter plus prose:

## Skill System
See how progressive-disclosure skills filter by ATT&CK overlap with the active threat profile.
