Run any Skill in Manus with one click

engagement-lifecycle

Red team engagement lifecycle management — initiation, phase transitions, go/no-go gates, deconfliction, emergency procedures, completion.

Run Skill in Manus

Stars4,393

Forks875

UpdatedJune 12, 2026 at 09:59

Source

PurpleAILAB

PurpleAILAB/Decepticon

View GitHub Repository View Creator Repositories

Install command

Download

Run Skill in Manus

Useful forSOC

Information Security AnalystsComputer and Mathematical Occupations15-1212L4

SKILL.md

readonly

name	engagement-lifecycle
description	Red team engagement lifecycle management — initiation, phase transitions, go/no-go gates, deconfliction, emergency procedures, completion.
allowed-tools	Read
metadata	{"subdomain":"orchestration","when_to_use":"start engagement, new engagement, engagement status, phase transition, go/no-go, deconfliction, emergency stop, engagement complete, wrap up","tags":"engagement, lifecycle, planning, phase-transition, deconfliction, emergency, completion","upstream_ref":"Decepticon engagement lifecycle — orchestrator-level planning skill, no direct attack technique"}

Engagement Lifecycle Management

Engagement Initiation

Pre-Flight Checklist

Before starting any engagement, verify:

Documents exist and are valid:
- roe.json — Rules of Engagement with scope, restrictions, contacts
- conops.json — Concept of Operations with threat profile and kill chain phases
- deconfliction.json — Deconfliction identifiers and procedures
- opplan.json — Operational Plan with sequenced, acceptance-gated objectives
- All documents cross-reference consistently
Infrastructure ready:
- Docker sandbox running with required tools
- C2 server reachable if post-exploitation is in scope: nc -z c2-sliver 31337 (gRPC port)
- Operator config exists: /workspace/.sliver-configs/decepticon.cfg
- Output directories created (<engagement>/recon/, <engagement>/exploit/, etc.)
If any document is missing: Delegate to soundwave sub-agent first.

All paths below are relative to the engagement working directory (set via cd before commands run).

Engagement Types and Implications

Type	Starting Phase	Sub-Agents Used	Key Consideration
Full Scope	Planning → Recon	All (soundwave, recon, exploit, postexploit)	Longest duration, most OPSEC-sensitive
Assumed Breach	Exploitation	exploit, postexploit	Skip recon, start from provided foothold
Recon Only	Recon	recon only	No exploitation, intelligence gathering only
Objective-Based	Varies	Targeted subset	Focus on specific crown jewels

Read plan/roe.json to determine engagement type and adjust phase ordering accordingly.

Phase Transitions

Gate Checks (Go/No-Go Decisions)

Before transitioning between phases, verify the gate criteria from the workflow skill:

Planning → Recon:    roe.json + conops.json + deconfliction.json + opplan.json exist and validated
Recon → Exploit:     Attack surface identified, targets prioritized, vulns catalogued
Exploit → PostExploit: Initial foothold established, access type documented
PostExploit → Report: All OPPLAN objectives resolved (passed or blocked)

Phase Transition Protocol

Read current phase objectives from opplan.json
Check: are all current-phase objectives resolved?
Check: does the next phase have pending objectives?
Verify gate criteria (consult workflow skill for phase-specific gates)
If gate passes → proceed. If not → identify what's missing and address it.

Handling Cross-Phase Dependencies

Some objectives may uncover new targets or invalidate assumptions:

New targets discovered during recon → Update plan/opplan.json with new objectives
Exploit fails, need more recon → Return to recon phase for that specific target
PostExploit reveals new network segments → May need additional recon/exploit cycles

Deconfliction

Blue Team Coordination

If roe.json specifies deconfliction contacts:

Record all major actions with timestamps in timeline.jsonl only when a real event occurs
If blue team detects and responds, note this as a data point (MTTD measurement)
Never reveal TTPs to blue team during active engagement unless ROE requires it

Emergency Stop Procedure

If engagement must be halted:

Immediately stop all active sub-agent tasks
Document current state: which objectives in-progress, what's deployed
Record the halt in timeline.jsonl and update the affected OPPLAN objectives
Save plan/opplan.json with current status for potential resumption

Engagement Metrics

Track these throughout the engagement for the final report:

Metric	Description	Source
MTTD	Mean Time to Detect (per objective)	Blue team detection timestamps
Dwell Time	Time from foothold to detection	`timeline.jsonl` timestamps
Objectives Completed	Passed / Total	opplan.json status counts
Attack Path Depth	Number of hops from initial access	lateral movement log
Credential Exposure	Unique credentials captured	post-exploit/creds/

Engagement Completion

Final Reporting Checklist

When all objectives are resolved:

Attack Path Documentation:
- Every hop from initial recon to final objective
- Credentials used at each step
- Privilege levels achieved on each host
Findings Synthesis:
- Read all <engagement>/findings/FIND-*.md entries
- Group by severity: Critical, High, Medium, Low
- Map each finding to MITRE ATT&CK technique
Remediation Recommendations:
- For each successful attack path, suggest defensive controls
- Prioritize by: quick wins vs. strategic improvements
- Reference where in the kill chain the control would interrupt the attack
Evidence Preservation:
- All scan outputs in <engagement>/recon/
- All exploit artifacts in <engagement>/exploit/
- All post-exploit evidence in <engagement>/post-exploit/
- Credential inventory (encrypted)
Cleanup:
- List all artifacts deployed on target systems
- Document persistence mechanisms that need removal
- Verify no active implants remain (if applicable)

More from this repository

same repository

decepticon

PurpleAILAB/Decepticon

Drive Decepticon — an autonomous multi-agent red-team framework — over MCP to run authorized penetration tests and bug-bounty engagements end to end, then watch and steer them live from chat. Launch an engagement against a target, poll its transcript to narrate progress, send messages to refocus it, and pull findings as SARIF. Use when the user asks to run a pentest/red-team engagement, hunt a bug bounty, do recon, exploit/scan a host, web app, API, network, cloud, Active Directory, mobile app, or smart contract WITH Decepticon — or to check/resume a running engagement or report what Decepticon found. Triggers: run a decepticon engagement, pentest this with decepticon, bug bounty, recon this target, red team this, scan this host, resume the engagement, what did decepticon find, decepticon status. Do NOT use for ad-hoc local tool runs (running nmap/sqlmap/ffuf directly) when no Decepticon server is involved — this drives the Decepticon orchestrator, not raw tools.

2026-06-164.4k

iot-security

PurpleAILAB/Decepticon

IoT device security reconnaissance — firmware extraction, embedded analysis, protocol identification, default credential checking, vulnerability scanning, device fingerprinting.

2026-06-154.4k

mobile-security

PurpleAILAB/Decepticon

Mobile application security reconnaissance — APK/IPA analysis, permission enumeration, certificate validation, hardcoded secret detection, insecure storage identification, network security analysis.

2026-06-154.4k

wireless-security

PurpleAILAB/Decepticon

Wireless network security reconnaissance — WiFi analysis, Bluetooth assessment, RFID/NFC evaluation, signal capture, protocol analysis, encryption testing, rogue device detection.

2026-06-154.4k

finding-protocol

PurpleAILAB/Decepticon

Operational-tier finding template — minimal fields for sub-agent decision support. Heavyweight deliverable promotion lives in skills/decepticon/final-report.

2026-06-124.4k

final-report

PurpleAILAB/Decepticon

Final engagement report generation — executive summary, technical report, findings aggregation, attack path narrative, detection gap matrix, remediation roadmap.

2026-06-124.4k

name	engagement-lifecycle
description	Red team engagement lifecycle management — initiation, phase transitions, go/no-go gates, deconfliction, emergency procedures, completion.
allowed-tools	Read
metadata	{"subdomain":"orchestration","when_to_use":"start engagement, new engagement, engagement status, phase transition, go/no-go, deconfliction, emergency stop, engagement complete, wrap up","tags":"engagement, lifecycle, planning, phase-transition, deconfliction, emergency, completion","upstream_ref":"Decepticon engagement lifecycle — orchestrator-level planning skill, no direct attack technique"}

Engagement Lifecycle Management

Engagement Initiation

Pre-Flight Checklist

Before starting any engagement, verify:

Documents exist and are valid:
- roe.json — Rules of Engagement with scope, restrictions, contacts
- conops.json — Concept of Operations with threat profile and kill chain phases
- deconfliction.json — Deconfliction identifiers and procedures
- opplan.json — Operational Plan with sequenced, acceptance-gated objectives
- All documents cross-reference consistently
Infrastructure ready:
- Docker sandbox running with required tools
- C2 server reachable if post-exploitation is in scope: nc -z c2-sliver 31337 (gRPC port)
- Operator config exists: /workspace/.sliver-configs/decepticon.cfg
- Output directories created (<engagement>/recon/, <engagement>/exploit/, etc.)
If any document is missing: Delegate to soundwave sub-agent first.

All paths below are relative to the engagement working directory (set via cd before commands run).

Engagement Types and Implications

Type	Starting Phase	Sub-Agents Used	Key Consideration
Full Scope	Planning → Recon	All (soundwave, recon, exploit, postexploit)	Longest duration, most OPSEC-sensitive
Assumed Breach	Exploitation	exploit, postexploit	Skip recon, start from provided foothold
Recon Only	Recon	recon only	No exploitation, intelligence gathering only
Objective-Based	Varies	Targeted subset	Focus on specific crown jewels

Read plan/roe.json to determine engagement type and adjust phase ordering accordingly.

Phase Transitions

Gate Checks (Go/No-Go Decisions)

Before transitioning between phases, verify the gate criteria from the workflow skill:

Planning → Recon:    roe.json + conops.json + deconfliction.json + opplan.json exist and validated
Recon → Exploit:     Attack surface identified, targets prioritized, vulns catalogued
Exploit → PostExploit: Initial foothold established, access type documented
PostExploit → Report: All OPPLAN objectives resolved (passed or blocked)

Phase Transition Protocol

Read current phase objectives from opplan.json
Check: are all current-phase objectives resolved?
Check: does the next phase have pending objectives?
Verify gate criteria (consult workflow skill for phase-specific gates)
If gate passes → proceed. If not → identify what's missing and address it.

Handling Cross-Phase Dependencies

Some objectives may uncover new targets or invalidate assumptions:

New targets discovered during recon → Update plan/opplan.json with new objectives
Exploit fails, need more recon → Return to recon phase for that specific target
PostExploit reveals new network segments → May need additional recon/exploit cycles

Deconfliction

Blue Team Coordination

If roe.json specifies deconfliction contacts:

Record all major actions with timestamps in timeline.jsonl only when a real event occurs
If blue team detects and responds, note this as a data point (MTTD measurement)
Never reveal TTPs to blue team during active engagement unless ROE requires it

Emergency Stop Procedure

If engagement must be halted:

Immediately stop all active sub-agent tasks
Document current state: which objectives in-progress, what's deployed
Record the halt in timeline.jsonl and update the affected OPPLAN objectives
Save plan/opplan.json with current status for potential resumption

Engagement Metrics

Track these throughout the engagement for the final report:

Metric	Description	Source
MTTD	Mean Time to Detect (per objective)	Blue team detection timestamps
Dwell Time	Time from foothold to detection	`timeline.jsonl` timestamps
Objectives Completed	Passed / Total	opplan.json status counts
Attack Path Depth	Number of hops from initial access	lateral movement log
Credential Exposure	Unique credentials captured	post-exploit/creds/

Engagement Completion

Final Reporting Checklist

When all objectives are resolved:

Attack Path Documentation:
- Every hop from initial recon to final objective
- Credentials used at each step
- Privilege levels achieved on each host
Findings Synthesis:
- Read all <engagement>/findings/FIND-*.md entries
- Group by severity: Critical, High, Medium, Low
- Map each finding to MITRE ATT&CK technique
Remediation Recommendations:
- For each successful attack path, suggest defensive controls
- Prioritize by: quick wins vs. strategic improvements
- Reference where in the kill chain the control would interrupt the attack
Evidence Preservation:
- All scan outputs in <engagement>/recon/
- All exploit artifacts in <engagement>/exploit/
- All post-exploit evidence in <engagement>/post-exploit/
- Credential inventory (encrypted)
Cleanup:
- List all artifacts deployed on target systems
- Document persistence mechanisms that need removal
- Verify no active implants remain (if applicable)