Skip to main content

Documentation Index

Fetch the complete documentation index at: https://docs.decepticon.red/llms.txt

Use this file to discover all available pages before exploring further.

The Offensive Vaccine is the loop that gives Decepticon its name and its purpose: every offensive action becomes a defensive artifact. This page documents the five-stage pipeline and the Defender agent that closes the loop.

The Loop

attack → detection rule → verification → exploit PoC → patch
   ↑                                                       │
   └───────────────────────────────────────────────────────┘
                     regression coverage
Each stage is owned by a specialist agent. Together they implement what the security industry calls “purple teaming,” fully automated.

The Five Stages

1

Scanner — find the surface

Automated vulnerability scanning across the target. Output: candidate findings (CVE matches, configuration issues, exposed surfaces).
2

Detector — write the rule

Generate a detection signal for the candidate vulnerability — Sigma rule, YARA rule, IDS signature, or telemetry-derived heuristic. Defenders need to know what to look for before they can detect it.
3

Verifier — prove it's real

Two-method gate: confirm the vulnerability through at least two independent verification techniques. Eliminates false positives before exploit work begins.
4

Exploiter — produce the PoC

Generate a working proof-of-concept exploit that triggers the vulnerability reproducibly. The PoC is the unambiguous evidence.
5

Patcher — propose the fix

Generate a patch — code change, configuration change, compensating control — that closes the vulnerability without breaking the application.

The Vulnresearch Orchestrator

The five agents do not run as a fixed pipeline — they are orchestrated by a sixth agent, Vulnresearch, that decides the order based on findings. If the Scanner produces a high-confidence candidate, Vulnresearch may skip directly to Verifier. If the Verifier rejects a candidate, the loop terminates without burning Exploiter or Patcher resources.
AgentInputsOutputs
ScannerTarget scopeCandidate findings list
DetectorCandidate findingDetection rule (Sigma / YARA / heuristic)
VerifierCandidate + detection ruleVerified-yes or verified-no, with two methods of evidence
ExploiterVerified candidateReproducible PoC, with reliability notes
PatcherVerified candidate + PoCPatch (code or config), with regression test

The Defender Agent

The Defender is not part of the five-stage pipeline — it is a parallel agent that consumes the artifacts. It produces the Defense Brief: the document handed to the blue team at engagement out-brief. The Defense Brief contains:
  • The technique used (MITRE ATT&CK ID)
  • The detection rule produced by the Detector
  • The PoC produced by the Exploiter
  • The recommended patch from the Patcher
  • The verification status (did the patch break the PoC?)
  • The mapping to the blue team’s existing detection coverage (gaps)
This is the artifact that transforms an offensive engagement into a defensive uplift.

Why Two-Method Verification Matters

A single verification method can be fooled — a network scan might match a banner without the vulnerable code being reachable; a PoC might succeed against a honeypot. The Verifier requires two independent methods, e.g.:
  • Static evidence (version banner) + dynamic evidence (PoC payload response)
  • Network-side detection (IDS firing) + host-side detection (process artifact)
  • Source-code analysis + runtime instrumentation
Decepticon refuses to escalate a finding to Exploiter without the two-method gate. This dramatically reduces wasted compute and false alarms in the engagement record.

Knowledge Graph Integration

Every artifact produced by the pipeline lands in the Neo4j attack graph:
  • Findings become Vulnerability nodes
  • Detection rules become DefenseAction nodes with DETECTS edges
  • Patches become DefenseAction nodes with MITIGATES edges
  • Verifications become provenance edges
The graph is queryable mid-engagement and exportable as the engagement deliverable.

Knowledge Graph

How findings, detections, and patches land in the Neo4j attack graph.

Skill System

Each pipeline stage has a dedicated skill set under skills/scanner/, skills/detector/, etc.