name	engagement-lifecycle
description	Red team engagement lifecycle management — initiation, phase transitions, go/no-go gates, deconfliction, emergency procedures, completion.
allowed-tools	Read
metadata	{"subdomain":"orchestration","when_to_use":"start engagement, new engagement, engagement status, phase transition, go/no-go, deconfliction, emergency stop, engagement complete, wrap up","tags":"engagement, lifecycle, planning, phase-transition, deconfliction, emergency, completion","upstream_ref":"Decepticon engagement lifecycle — orchestrator-level planning skill, no direct attack technique"}

Engagement Lifecycle Management

Engagement Initiation

Pre-Flight Checklist

Before starting any engagement, verify:

Documents exist and are valid:
- roe.json — Rules of Engagement with scope, restrictions, contacts
- conops.json — Concept of Operations with threat profile and kill chain phases
- deconfliction.json — Deconfliction identifiers and procedures
- opplan.json — Operational Plan with sequenced, acceptance-gated objectives
- All documents cross-reference consistently
Infrastructure ready:
- Docker sandbox running with required tools
- C2 server reachable if post-exploitation is in scope: nc -z c2-sliver 31337 (gRPC port)
- Operator config exists: /workspace/.sliver-configs/decepticon.cfg
- Output directories created (<engagement>/recon/, <engagement>/exploit/, etc.)
If any document is missing: Delegate to soundwave sub-agent first.

All paths below are relative to the engagement working directory (set via cd before commands run).

Engagement Types and Implications

Type	Starting Phase	Sub-Agents Used	Key Consideration
Full Scope	Planning → Recon	All (soundwave, recon, exploit, postexploit)	Longest duration, most OPSEC-sensitive
Assumed Breach	Exploitation	exploit, postexploit	Skip recon, start from provided foothold
Recon Only	Recon	recon only	No exploitation, intelligence gathering only
Objective-Based	Varies	Targeted subset	Focus on specific crown jewels

Read plan/roe.json to determine engagement type and adjust phase ordering accordingly.

Phase Transitions

Gate Checks (Go/No-Go Decisions)

Before transitioning between phases, verify the gate criteria from the workflow skill:

Planning → Recon:    roe.json + conops.json + deconfliction.json + opplan.json exist and validated
Recon → Exploit:     Attack surface identified, targets prioritized, vulns catalogued
Exploit → PostExploit: Initial foothold established, access type documented
PostExploit → Report: All OPPLAN objectives resolved (passed or blocked)

Phase Transition Protocol

Read current phase objectives from opplan.json
Check: are all current-phase objectives resolved?
Check: does the next phase have pending objectives?
Verify gate criteria (consult workflow skill for phase-specific gates)
If gate passes → proceed. If not → identify what's missing and address it.

Handling Cross-Phase Dependencies

Some objectives may uncover new targets or invalidate assumptions:

New targets discovered during recon → Update plan/opplan.json with new objectives
Exploit fails, need more recon → Return to recon phase for that specific target
PostExploit reveals new network segments → May need additional recon/exploit cycles

Deconfliction

Blue Team Coordination

If roe.json specifies deconfliction contacts:

Record all major actions with timestamps in timeline.jsonl only when a real event occurs
If blue team detects and responds, note this as a data point (MTTD measurement)
Never reveal TTPs to blue team during active engagement unless ROE requires it

Emergency Stop Procedure

If engagement must be halted:

Immediately stop all active sub-agent tasks
Document current state: which objectives in-progress, what's deployed
Record the halt in timeline.jsonl and update the affected OPPLAN objectives
Save plan/opplan.json with current status for potential resumption

Engagement Metrics

Track these throughout the engagement for the final report:

Metric	Description	Source
MTTD	Mean Time to Detect (per objective)	Blue team detection timestamps
Dwell Time	Time from foothold to detection	`timeline.jsonl` timestamps
Objectives Completed	Passed / Total	opplan.json status counts
Attack Path Depth	Number of hops from initial access	lateral movement log
Credential Exposure	Unique credentials captured	post-exploit/creds/

Engagement Completion

Final Reporting Checklist

When all objectives are resolved:

Attack Path Documentation:
- Every hop from initial recon to final objective
- Credentials used at each step
- Privilege levels achieved on each host
Findings Synthesis:
- Read all <engagement>/findings/FIND-*.md entries
- Group by severity: Critical, High, Medium, Low
- Map each finding to MITRE ATT&CK technique
Remediation Recommendations:
- For each successful attack path, suggest defensive controls
- Prioritize by: quick wins vs. strategic improvements
- Reference where in the kill chain the control would interrupt the attack
Evidence Preservation:
- All scan outputs in <engagement>/recon/
- All exploit artifacts in <engagement>/exploit/
- All post-exploit evidence in <engagement>/post-exploit/
- Credential inventory (encrypted)
Cleanup:
- List all artifacts deployed on target systems
- Document persistence mechanisms that need removal
- Verify no active implants remain (if applicable)

Más de este repositorio

mismo repositorio

finding-protocol

PurpleAILAB/Decepticon

Operational-tier finding template — minimal fields for sub-agent decision support. Heavyweight deliverable promotion lives in skills/decepticon/final-report.

2026-06-124.4k

final-report

PurpleAILAB/Decepticon

Final engagement report generation — executive summary, technical report, findings aggregation, attack path narrative, detection gap matrix, remediation roadmap.

2026-06-124.4k

orchestration

PurpleAILAB/Decepticon

Decepticon orchestrator patterns — delegation, state management, adaptive re-planning, context handoff protocols.

2026-06-124.4k

exploit-reporting

PurpleAILAB/Decepticon

Exploitation finding documentation — initial access reports, exploit chain documentation, CVSS v4.0 scoring, shell/credential inventory, detection gap analysis.

2026-06-124.4k

post-exploit-reporting

PurpleAILAB/Decepticon

Post-exploitation finding documentation — credential access, privilege escalation, lateral movement reports, detection gap analysis, attack path documentation, CVSS v4.0 scoring.

2026-06-124.4k

recon-reporting

PurpleAILAB/Decepticon

Recon output formatting — report structure, CVSS v4.0 scoring (primary), MITRE ATT&CK mapping, finding prioritization, Markdown output, detection gap tracking, handoff checklists.

2026-06-124.4k

name	engagement-lifecycle
description	Red team engagement lifecycle management — initiation, phase transitions, go/no-go gates, deconfliction, emergency procedures, completion.
allowed-tools	Read
metadata	{"subdomain":"orchestration","when_to_use":"start engagement, new engagement, engagement status, phase transition, go/no-go, deconfliction, emergency stop, engagement complete, wrap up","tags":"engagement, lifecycle, planning, phase-transition, deconfliction, emergency, completion","upstream_ref":"Decepticon engagement lifecycle — orchestrator-level planning skill, no direct attack technique"}

Engagement Lifecycle Management

Engagement Initiation

Pre-Flight Checklist

Before starting any engagement, verify:

Documents exist and are valid:
- roe.json — Rules of Engagement with scope, restrictions, contacts
- conops.json — Concept of Operations with threat profile and kill chain phases
- deconfliction.json — Deconfliction identifiers and procedures
- opplan.json — Operational Plan with sequenced, acceptance-gated objectives
- All documents cross-reference consistently
Infrastructure ready:
- Docker sandbox running with required tools
- C2 server reachable if post-exploitation is in scope: nc -z c2-sliver 31337 (gRPC port)
- Operator config exists: /workspace/.sliver-configs/decepticon.cfg
- Output directories created (<engagement>/recon/, <engagement>/exploit/, etc.)
If any document is missing: Delegate to soundwave sub-agent first.

All paths below are relative to the engagement working directory (set via cd before commands run).

Engagement Types and Implications

Type	Starting Phase	Sub-Agents Used	Key Consideration
Full Scope	Planning → Recon	All (soundwave, recon, exploit, postexploit)	Longest duration, most OPSEC-sensitive
Assumed Breach	Exploitation	exploit, postexploit	Skip recon, start from provided foothold
Recon Only	Recon	recon only	No exploitation, intelligence gathering only
Objective-Based	Varies	Targeted subset	Focus on specific crown jewels

Read plan/roe.json to determine engagement type and adjust phase ordering accordingly.

Phase Transitions

Gate Checks (Go/No-Go Decisions)

Before transitioning between phases, verify the gate criteria from the workflow skill:

Planning → Recon:    roe.json + conops.json + deconfliction.json + opplan.json exist and validated
Recon → Exploit:     Attack surface identified, targets prioritized, vulns catalogued
Exploit → PostExploit: Initial foothold established, access type documented
PostExploit → Report: All OPPLAN objectives resolved (passed or blocked)

Phase Transition Protocol

Read current phase objectives from opplan.json
Check: are all current-phase objectives resolved?
Check: does the next phase have pending objectives?
Verify gate criteria (consult workflow skill for phase-specific gates)
If gate passes → proceed. If not → identify what's missing and address it.

Handling Cross-Phase Dependencies

Some objectives may uncover new targets or invalidate assumptions:

New targets discovered during recon → Update plan/opplan.json with new objectives
Exploit fails, need more recon → Return to recon phase for that specific target
PostExploit reveals new network segments → May need additional recon/exploit cycles

Deconfliction

Blue Team Coordination

If roe.json specifies deconfliction contacts:

Record all major actions with timestamps in timeline.jsonl only when a real event occurs
If blue team detects and responds, note this as a data point (MTTD measurement)
Never reveal TTPs to blue team during active engagement unless ROE requires it

Emergency Stop Procedure

If engagement must be halted:

Immediately stop all active sub-agent tasks
Document current state: which objectives in-progress, what's deployed
Record the halt in timeline.jsonl and update the affected OPPLAN objectives
Save plan/opplan.json with current status for potential resumption

Engagement Metrics

Track these throughout the engagement for the final report:

Metric	Description	Source
MTTD	Mean Time to Detect (per objective)	Blue team detection timestamps
Dwell Time	Time from foothold to detection	`timeline.jsonl` timestamps
Objectives Completed	Passed / Total	opplan.json status counts
Attack Path Depth	Number of hops from initial access	lateral movement log
Credential Exposure	Unique credentials captured	post-exploit/creds/

Engagement Completion

Final Reporting Checklist

When all objectives are resolved:

Attack Path Documentation:
- Every hop from initial recon to final objective
- Credentials used at each step
- Privilege levels achieved on each host
Findings Synthesis:
- Read all <engagement>/findings/FIND-*.md entries
- Group by severity: Critical, High, Medium, Low
- Map each finding to MITRE ATT&CK technique
Remediation Recommendations:
- For each successful attack path, suggest defensive controls
- Prioritize by: quick wins vs. strategic improvements
- Reference where in the kill chain the control would interrupt the attack
Evidence Preservation:
- All scan outputs in <engagement>/recon/
- All exploit artifacts in <engagement>/exploit/
- All post-exploit evidence in <engagement>/post-exploit/
- Credential inventory (encrypted)
Cleanup:
- List all artifacts deployed on target systems
- Document persistence mechanisms that need removal
- Verify no active implants remain (if applicable)