Overview

Decepticon agents don’t operate from hardcoded playbooks. They draw from a skill system — a curated library of offensive techniques organized by kill chain phase and tagged with MITRE ATT&CK identifiers.

Progressive Disclosure

Skills use a progressive loading architecture to keep agent context windows clean:
  1. Initial load — Only skill frontmatter (name, description, ATT&CK tags, phase) is loaded
  2. On-demand — When an agent selects a skill, the full content is loaded via read_file()
  3. Clean context — Agents only carry the detail they need for their current objective
This prevents context bloat. An agent working on initial access doesn’t need the full content of lateral movement techniques — just their existence and metadata.

Skill Categories

Skills are organized by agent role, not by a single kill-chain dimension. This lets the orchestrator load only the skills relevant to the specialist it is dispatching, while still covering the full attack lifecycle. The library currently ships these categories:

| Category | Owning Agent(s) | Coverage |
| --- | --- | --- |
| soundwave/ | Soundwave | RoE / ConOps / OPPLAN templates, threat profiles, deconfliction |
| decepticon/ | Decepticon (orchestrator) | OPPLAN dispatch patterns, sub-agent routing |
| recon/ | Recon | Passive recon, active recon, web recon, cloud recon, OSINT |
| scanner/ | Scanner | Automated vulnerability scanning, CVE correlation |
| exploit/ | Exploit | Web exploitation, Active Directory initial access |
| exploiter/ | Exploiter | Reproducible PoC authoring |
| detector/ | Detector | Sigma / YARA / heuristic detection-rule generation |
| verifier/ | Verifier | Two-method verification gating |
| patcher/ | Patcher | Patch generation and regression tests |
| vulnresearch/ | Vulnresearch | Five-stage pipeline orchestration |
| post-exploit/ | Post-Exploit | Privilege escalation, lateral movement, persistence |
| ad/ | AD Operator | BloodHound, Kerberoasting, ticket forging, ACL abuse |
| cloud/ | Cloud Hunter | IAM analysis, metadata abuse, cloud-key extraction |
| contracts/ | Contract Auditor | Solidity static analysis, Foundry PoC harness |
| reverser/ | Reverser | Binary triage, packer detection, ROP gadgets, Ghidra/radare2 |
| analyst/ | Analyst | Cross-correlation, knowledge-graph queries, narrative drafting |
| shared/ | All agents | OPSEC, defense evasion, finding protocol, deconfliction handshakes |

The progressive-disclosure loader filters this catalog by ATT&CK overlap with the active threat profile — out-of-profile skills are kept off the agent’s working set entirely.

MITRE ATT&CK Integration

ATT&CK mapping is woven into every layer of Decepticon — not added after the fact:

Objectives

Each OPPLAN objective carries mitre technique IDs (e.g., T1190, T1003.001).

Skills

ATT&CK techniques declared in skill frontmatter, displayed inline in the agent’s skill catalog.

Threat Actors

ConOps defines initial_access and ttps as ATT&CK IDs, modeling specific adversary profiles.

Skill Frontmatter Example

Each skill is a directory containing a SKILL.md (frontmatter + body) and optional references/, scripts/, and assets/ subdirectories.

```yaml
---
name: passive-recon
description: "Use when gathering intelligence WITHOUT touching the target"
allowed-tools: Bash Read Write
metadata:
  subdomain: reconnaissance
  tags: passive, dns, subdomain-enum, whois, ct-logs
  mitre_attack: T1590, T1591, T1592
---
```

The agent sees this metadata when browsing available skills. Only when it selects the skill does the full body — commands, detection notes, references — get loaded into context. Decepticon enforces a SKILL-FIRST RULE: agents must load the relevant skill before acting on a matching trigger keyword.
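
The metadata-only load and the ATT&CK profile filter described above, as an added example (not Decepticon's own loader code). The names `split_skill`, `parse_meta`, `working_set` and `SkillMeta` are hypothetical, and exact-ID overlap and rejecting malformed ATT&CK IDs are assumptions about how the filter behaves.

```python
import re
from dataclasses import dataclass

ATTACK_ID = re.compile(r"T\d{4}(\.\d{3})?")  # technique or sub-technique ID
# Constructed sample: the frontmatter shown on the page plus a placeholder body line.
SAMPLE = '''---
name: passive-recon
description: "Use when gathering intelligence WITHOUT touching the target"
allowed-tools: Bash Read Write
metadata:
  subdomain: reconnaissance
  tags: passive, dns, subdomain-enum, whois, ct-logs
  mitre_attack: T1590, T1591, T1592
---
(placeholder body, read only after the skill is selected)
'''

@dataclass(frozen=True)
class SkillMeta:
    name: str
    description: str
    allowed_tools: tuple
    mitre_attack: frozenset

def split_skill(text):
    """Split SKILL.md text into (frontmatter lines, body); reject missing delimiters."""
    lines = text.splitlines()
    if not lines or lines[0].strip() != "---":
        raise ValueError("missing opening '---'")
    end = next((i for i, l in enumerate(lines[1:], 1) if l.strip() == "---"), None)
    if end is None:
        raise ValueError("missing closing '---'")
    return lines[1:end], "\n".join(lines[end + 1:])

def parse_meta(text):
    """Parse only the 'key: value' shape shown on the page (not a full YAML parser)."""
    flat = {}
    for line in split_skill(text)[0]:
        key, _, value = line.strip().partition(":")
        if value.strip():  # skips the bare 'metadata:' parent key
            flat[key.strip()] = value.strip().strip('"')
    ids = frozenset(t.strip() for t in flat.get("mitre_attack", "").split(",") if t.strip())
    if any(not ATTACK_ID.fullmatch(t) for t in ids):
        raise ValueError("malformed ATT&CK ID in mitre_attack")
    return SkillMeta(flat["name"], flat.get("description", ""),
                     tuple(flat.get("allowed-tools", "").split()), ids)

def working_set(skill_docs, profile_ttps):
    """Keep metadata only for skills whose IDs overlap the profile (exact match: assumption)."""
    return [m for m in map(parse_meta, skill_docs) if m.mitre_attack & set(profile_ttps)]
```

The body returned by `split_skill` is never touched by `working_set`, which mirrors the page's point that only frontmatter is held until a skill is selected.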
