Module S03 — Pentest and Red Team Harnesses

Pentest and Red Team Harnesses

Kill chain state as an attack graph, plan correction when exploits fail, the sandbox inversion problem, and the report as the actual deliverable.

90
minutes
8
artifacts
4
sub-sections
A harness that conducts full-engagement autonomous operations across multi-stage kill chains. This module builds the four structures that distinguish a red team harness from a bug bounty harness: MITRE ATT&CK attack graph state, RedTeamLLM plan correction on exploit failure, dual containment (the sandbox inversion problem), and report generation as a first-class harness output.
Key Claims
Load-Bearing Claims

A red team kill chain is a graph of dependent objectives, not a flat set of findings. The attack graph — with MITRE ATT&CK node labels, per-node states, and explicit prerequisites — is the only state structure that survives a multi-stage engagement.

An exploit failure is a re-plan event, not a retry. RedTeamLLM's four-step loop (detect, re-hypothesize, re-plan, retry) forces genuine technique substitution, defeating exploit lock-in.

The offensive sandbox inverts the Course 1 model. The agent must reach OUT to the target, but dual containment — outbound scope enforcement at the network layer plus inbound isolation — prevents lateral movement if the agent is compromised.

The deliverable is the report, not the attack. CVSS is always a human-reviewed draft (LLMs mis-score by 2+ points); CWE-to-OWASP mapping is a deterministic lookup that cannot hallucinate.

After This Module
01
Design an attack graph as the harness's primary state structure, with MITRE ATT&CK node labels and the five-state lifecycle (unexplored, attempted, succeeded, failed, out_of_scope).
02
Implement RedTeamLLM-style plan correction: detect failure, re-hypothesize, re-plan, retry with an alternative — and defend the generalize-vs-specialize choice.
03
Configure dual containment (outbound scope enforcement + inbound isolation) for an offensive harness in Docker, and verify both directions independently.
04
Build a report generator that turns structured findings into client-ready HTML/PDF/JSON with CVSS drafts flagged for review and CWE/OWASP-mapped remediation.
05
Diagnose the failure modes specific to multi-stage adversarial harnesses: intermediate state loss, plan lock-in, sandbox inversion, and report hallucination.
Artifacts