Use when the engagement target is an Android (APK / AAB) or iOS (IPA) application. Covers static analysis (jadx, apktool, class-dump), dynamic instrumentation via Frida and Objection, SSL-pinning bypass, root/jailbreak detection bypass, deep-link / URL-scheme abuse, exported-component attacks, IPC redirection, WebView vulnerabilities, and biometric / Face ID / Touch ID bypass.
Use to close the Offensive Vaccine loop on the defender side. The Detector agent produces Sigma / YARA rules from offensive operations; this catalog validates those rules against real memory dumps, event logs, and forensic artifacts using Volatility 3, plaso, and sigma-cli. Without this catalog, detection rules are theoretical.
Use when the target is an industrial control system or operational technology network running Modbus, BACnet, S7Comm/S7Comm Plus, DNP3, OPC-UA, or any PLC/HMI/SCADA stack. Engagements MUST set RoE flag industrial_safety_critical=true; this catalog gates every write-scope operation behind explicit operator confirmation regardless of HITL middleware.
Use when the engagement target is IoT, embedded Linux, RTOS, or any device reachable via UART/JTAG/SWD or by extracting its firmware. Covers firmware acquisition, binwalk extraction, filesystem mounting, default-credential hunting, bootloader attacks, wireless protocol sidebands (BLE, Zigbee, Z-Wave, LoRaWAN, sub-GHz).
Use when the engagement requires passive reconnaissance only, with no packets sent to the target's authoritative infrastructure. Splits off from the Recon agent so bug-bounty and pre-engagement work can run under an outbound-only network policy. Tooling: Maltego, Shodan, Censys, Hunter.io, breach-data lookups, GitHub code search, Wayback Machine archives, certificate transparency logs, and BGP/ASN mapping.
Use ONLY when the engagement's ConOps explicitly declares phishing_engagement=true. Covers GoPhish campaign management, Evilginx2 reverse-proxy MFA bypass, Modlishka live credential capture, and the deconfliction handshake with SOC / incident response.
Use when the engagement scope includes supply-chain attack simulation — typosquatted package publication, dependency confusion, GitHub Actions secret mining, internal mirror poisoning, OAuth-app impersonation, or vendor portal credential abuse.
Hunt LLM training-data and model poisoning (OWASP LLM04:2025): adversarial inputs that bias future model behaviour through fine-tuning, RLHF, or continuous-learning loops.