Red Team Assessment
CyberDoc's Red Team feature provides AI-powered autonomous penetration testing using PentestAgent. An AI agent (Claude Sonnet) autonomously decides what to scan, adapts based on findings, chains tools together, and produces a comprehensive assessment report with structured findings and remediation steps.
How It Works
- Domain Verification — Users must verify ownership of the target domain via DNS TXT record or file upload before launching an engagement. Admins bypass this requirement.
- Launch Engagement — Select a target, playbook (Recon, Web, Network, or Full), and infrastructure mode. The request is proxied to the PentestAgent backend.
- AI Agent Loop — PentestAgent creates a fresh AI agent that autonomously executes security tools, analyses results, and decides next steps. The agent runs until the task is complete or the maximum number of iterations is reached.
- Structured Findings — All discoveries are saved as structured notes (credentials, vulnerabilities, findings, artifacts) and mapped to CyberDoc's severity format.
- Report — A comprehensive markdown report is generated with executive summary, findings by severity, technical details, risk matrix, and remediation recommendations.
Infrastructure Modes
| Mode | Backend | Tools | Max Iterations | Access |
|---|---|---|---|---|
| Standard | Containerised | Reconnaissance, web scanning, vulnerability detection | 60 | Business, Enterprise |
| Advanced | Enhanced container | Standard + exploitation frameworks, credential testing, directory brute-forcing | 80 | Enterprise only |
| Expert | Dedicated instance | Full offensive toolkit with privileged capabilities | 100 | Enterprise only |
Playbooks
| Playbook | Focus | Typical Duration |
|---|---|---|
| Recon | Subdomain enumeration, port scanning, service fingerprinting, DNS configuration, exposed endpoints | 10-30 minutes |
| Web | OWASP Top 10, security headers, TLS config, cookie security, directory discovery, injection testing | 30-60 minutes |
| Network | Port/service enumeration, known CVEs, default credentials, network segmentation | 30-60 minutes |
| Full Red Team | All phases: Recon, Web, Network, then Report generation with remediation steps | 1-3 hours |
Agent Tools
The PentestAgent has access to these tool categories:
- terminal — Execute shell commands (nmap, nuclei, curl, sqlmap, metasploit, etc.). Output truncated at 50K chars.
- browser — Playwright headless browser for web interaction (navigate, click, type, screenshot, extract links/forms).
- notes — Structured finding storage with category validation (credential, vulnerability, finding, artifact). Persists across the engagement.
- web_search — Web search integration for OSINT and CVE lookup.
Finding Severity Mapping
PentestAgent's structured notes are mapped to CyberDoc severity levels:
| Note Category | Confidence | CyberDoc Severity |
|---|---|---|
| credential | any | Critical |
| vulnerability | high | Critical |
| vulnerability | medium | High |
| vulnerability | low | Medium |
| finding | high | Medium |
| finding | medium/low | Info |
Domain Verification
Before launching a red team engagement, you must verify ownership of the target domain. Two methods are supported:
- DNS TXT Record — Add a TXT record to the domain with a generated verification token.
- File Upload — Place a file at /.well-known/cyberdoc-verify.txt containing the token.
Verification is checked in real time via Google DNS (for TXT) or HTTP fetch (for file). Once verified, the domain remains verified for future engagements.
Security Guardrails
Tool output from untrusted sources is filtered through prompt injection guardrails adapted from the CAI framework:
- 40+ regex patterns detecting instruction overrides, hidden commands, encoding tricks
- Unicode homograph normalization (Cyrillic/Greek to Latin)
- Content sanitization with security delimiters
- Prevents target servers from hijacking the agent via crafted responses
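The filtering steps listed above (normalize, pattern-match, delimit) can be sketched as follows. This is an added example, not CyberDoc's, PentestAgent's or CAI's code: the four patterns, the look-alike table and the delimiter strings are constructed for illustration, and matched spans are redacted as one possible sanitization policy.

```python
import re
import unicodedata

# Constructed subset of Cyrillic/Greek look-alikes -> Latin (an assumption for
# this example; a production table is far larger).
HOMOGLYPHS = str.maketrans({
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p", "\u0441": "c",
    "\u0443": "y", "\u0445": "x", "\u0456": "i", "\u0455": "s",   # Cyrillic
    "\u03bf": "o", "\u03b1": "a", "\u03b9": "i", "\u03bd": "v", "\u03c1": "p",  # Greek
})
ZERO_WIDTH = re.compile(r"[\u200b-\u200f\u2060\ufeff]")

# Four constructed patterns standing in for the 40+ the page mentions.
PATTERNS = [
    ("instruction_override", re.compile(
        r"\b(ignore|disregard|forget)\b.{0,40}\b(previous|prior|above)\b"
        r".{0,40}\b(instructions?|prompts?|rules)\b", re.I | re.S)),
    ("role_hijack", re.compile(
        r"\byou are now\b|\bnew system prompt\b|^\s*system\s*:", re.I | re.M)),
    ("hidden_command", re.compile(r"<!--.*?-->", re.S)),
    ("encoding_trick", re.compile(
        r"\b(base64|rot13)\b.{0,40}\b(decode|execute|run)\b", re.I | re.S)),
]

# Hypothetical delimiters; the agent's system prompt must say that text
# between them is data, never instructions.
OPEN = "<<<UNTRUSTED_TOOL_OUTPUT>>>"
CLOSE = "<<<END_UNTRUSTED_TOOL_OUTPUT>>>"

def normalize(text):
    """Fold compatibility forms, drop zero-width chars, map look-alikes."""
    text = unicodedata.normalize("NFKC", text)
    return ZERO_WIDTH.sub("", text).translate(HOMOGLYPHS)

def guard(tool_output):
    """Return (delimited_text, names_of_patterns_that_fired)."""
    # Neutralise delimiter look-alikes so output cannot close the wrapper early.
    text = normalize(tool_output).replace("<<<", "[[[").replace(">>>", "]]]")
    hits = []
    for name, rx in PATTERNS:
        text, n = rx.subn(f"[REDACTED:{name}]", text)
        if n:
            hits.append(name)
    return f"{OPEN}\n{text}\n{CLOSE}", hits
```

Matching runs on the normalized text, so a mixed-script spelling that slips past a plain regex is still caught; the trade-off is that legitimate Cyrillic or Greek content in tool output is altered before the agent sees it.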
API Endpoints
All red team endpoints require authentication. Business or Enterprise plan required.
| Method | Endpoint | Description |
|---|---|---|
| POST | /api/redteam/launch | Start engagement (target, playbook, scope, mode) |
| GET | /api/redteam/status?id= | Poll engagement status |
| GET | /api/redteam/result?id= | Get full results with mapped findings |
| POST | /api/redteam/cancel | Cancel running engagement |
| GET | /api/redteam/engagements | List workspace engagements |
| POST | /api/redteam/verify-domain | Request domain verification token |
| POST | /api/redteam/check-verification | Check domain verification status |