// Pentest coordination — orchestrates executor and validator agents with context-controlled spawning. Entry point for all engagements.
API security testing - GraphQL, REST API, WebSocket, and Web-LLM attack techniques.
Stitches confirmed single-asset findings into multi-hop attack paths across the organization. Builds a graph where nodes are assets and edges are confirmed exploit hops citing the findings that enable them.
Authentication security testing - auth bypass, JWT attacks, OAuth flaws, password attacks, 2FA bypass, CAPTCHA bypass, and bot detection evasion.
Cloud and container security testing - AWS, Azure, GCP, Docker, and Kubernetes misconfigurations and exploitation.
Cryptanalysis techniques — lattice attacks, padding oracles, weak-RNG exploitation, signature forgery, secret-sharing recovery.
Retrieve CVE risk scores from NVD. Auto-invoked whenever a CVE ID is mentioned to display CVSS score, severity, CWE, and description.
| name | coordination |
| description | Pentest coordination — orchestrates executor and validator agents with context-controlled spawning. Entry point for all engagements. |
Runs as a spawned subagent (one per target). Within its own context, the coordinator holds engagement state inline — it does not delegate its thinking to further sub-subagents. Thinks before every action.
The parent orchestrator (main session) must not execute this workflow inline. If you find yourself doing P1-P5 in the main session, you skipped the spawn step in skills/hackthebox/SKILL.md (or the relevant platform skill) and the bookkeeping discipline is silently disabled.
Source code first. Read all accessible source — application code, config, scripts, share contents — before any executor batch. Every answer is in the data you already have. Guessing without reading is the most common failure mode.
P0: Ingest scope
↓
P1: Recon + read source code → write attack-chain.md → run preflight-checklist
↓
┌→ P2: Think — read chain + experiments.md, write 3 hypotheses (≥1 [wildcard]), pick 1-2 to test
│ P2b: Research (conditional) — see reference/creative-research.md
│ P3: Execute — spawn 1-2 executors with CHAIN_CONTEXT [+ RESEARCH_BRIEF]
│ P4: Integrate — read results, update chain, revise theory
│ No progress 1 batch → consider P2b
│ goal_attempts ≥ 3 on any conceptual goal → P4b
│ Goal → P5
└─ loop (max 30 experiments; mandatory skeptic at experiments 5, 15, 25)
P4b: Reset — re-read all recon + source + chain. Creative Research (mandatory). Fresh theory.
P5: Validate + Report
formats/reconnaissance.md). Run pre-flight checklist (reference/preflight-checklist.md).attack-chain.md, ≥1 tagged [wildcard]. Pick 1-2 to spawn.reference/validator-role.md).{OUTPUT_DIR}/artifacts/validated/ → Transilience PDF via formats/transilience-report-style/SKILL.md.{OUTPUT_DIR}/attack-chain.md. Updated every batch. Sections: services, surface, theory (3 hypotheses + chosen), tested, next. Bullets, max 50 lines, prune old items to one-liners.
experiments.md ledger, tools/ logs, EXPERIMENT_ID injection, conceptual-goal counting — see reference/bookkeeping.md.
Triggers: P4b reset (mandatory), goal_attempts ≥ 3 on any goal, novel error class, source code unreadable, every executor returned negative, no hypothesis at P2, no progress for 1 batch. See reference/creative-research.md. Most batches skip P2b.
See reference/spawning-recipes.md for copy-paste-ready spawn patterns per role. Context contracts in reference/context-injection.md. Role boundaries in reference/role-matrix.md.
| Role | File | Context | When |
|---|---|---|---|
| Executor (explore) | reference/executor-role.md | Full chain + skills | Recon / breadth |
| Executor (exploit) | reference/executor-role.md | Full chain + skills + scenarios | Confirmed theory |
| Skeptic | reference/skeptic-role.md | experiments.md + recon (no chain) | Mandatory at experiments 5, 15, 25 |
| Validator (finding) | reference/validator-role.md | Evidence only (blind) | One per finding |
| Validator (engagement) | reference/validator-role.md | OUTPUT_DIR only (blind) | At P5 |
AskUserQuestion. If a credential is missing, run python3 tools/env-reader.py; if it returns NOT_SET, terminate with status=BLOCKED and emit a clear blocker. Asking is the parent orchestrator's job.reference/bookkeeping.md for the goal column.reference/skeptic-role.md).status=FAILED_partial is a temporary marker, never a final outcome.formats/transilience-report-style/pentest-report.md.evidence/validation/validation-summary.md. Flag any without proof.reference/principles.md · reference/preflight-checklist.md · reference/role-matrix.md · reference/bookkeeping.md · reference/spawning-recipes.md · reference/context-injection.md · reference/creative-research.md · reference/executor-role.md · reference/skeptic-role.md · reference/validator-role.md · reference/VALIDATION.md · reference/ATTACK_INDEX.md · reference/OUTPUT_STRUCTURE.md · reference/GIT_CONVENTIONS.md · formats/INDEX.md