roe-template
Rules of Engagement document creation — scope definition, prohibited/permitted actions, testing windows, escalation contacts, incident procedures.
| name | roe-template |
| description | Rules of Engagement document creation — scope definition, prohibited/permitted actions, testing windows, escalation contacts, incident procedures. |
| allowed-tools | Read Write Edit |
| metadata | {"subdomain":"planning","when_to_use":"create RoE, define scope, engagement boundaries, start new engagement","tags":"roe, scope, engagement, authorization, legal","upstream_ref":"Soundwave Rules of Engagement template — scope / window / escalation / incident procedures"} |
The RoE is the legally binding foundation of every red team engagement. All other documents build on it.
Drive each dimension through one ask_user_question call (per CRITICAL_RULES #8 — every operator-facing question goes through the tool). Cover these roughly in order, never bundling multiple questions in one turn:
Identity & Scope
1. allow_other=true with sensible guesses)
2. allow_other=true)
3. external / internal / hybrid / assumed-breach / physical
4. allow_other=true — suggest defaults like "Mon-Fri 09:00-18:00 client TZ")
5. allow_other=true — domains, IP ranges, cloud resources, applications)
6. allow_other=true)
Boundaries & Escalation
7. Additional prohibited actions beyond schema defaults (multi-select with sensible options + allow_other=true)
8. Special permitted actions — phishing, password spraying, raw-socket scans (multi-select)
9. Escalation contacts — minimum 2 (client + red team lead). One ask per contact slot covering name, role, channel
10. Authorization reference / contract # (free-form, allow_other=true)
Use the RoE schema from decepticon.core.schemas. Write to the engagement directory.
See references/roe-example.json for a complete example and ../references/schema-quick-reference.md for all required fields and valid values.
Run through the checklist in references/validation-checklist.md before presenting to user.
Write plan/roe.json to the engagement directory, then present a human-readable summary to the user for confirmation.
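A pre-flight check for the draft RoE before it is written, as an added example that is not part of the skill or of Decepticon's own code. The real field names live in decepticon.core.schemas and are not shown on this page, so every key used here (engagement_type, testing_window, authorization_ref, escalation_contacts, party) is a hypothetical stand-in, and the window format follows the suggested default "Mon-Fri 09:00-18:00 client TZ".

```python
import re
from datetime import datetime

# Engagement types are the five listed on the page; all key names are hypothetical.
ENGAGEMENT_TYPES = {"external", "internal", "hybrid", "assumed-breach", "physical"}
DAYS = ["Mon", "Tue", "Wed", "Thu", "Fri", "Sat", "Sun"]
HHMM = r"([01]\d|2[0-3]):([0-5]\d)"
WINDOW_RE = re.compile(rf"^([A-Z][a-z]{{2}})-([A-Z][a-z]{{2}}) {HHMM}-{HHMM}\b")

def parse_window(text):
    """Parse 'Mon-Fri 09:00-18:00 ...' into (weekday set, start min, end min) or None."""
    m = WINDOW_RE.match(text) if isinstance(text, str) else None
    if not m or m.group(1) not in DAYS or m.group(2) not in DAYS:
        return None
    first, last = DAYS.index(m.group(1)), DAYS.index(m.group(2))
    days = {(first + i) % 7 for i in range((last - first) % 7 + 1)}
    start = int(m.group(3)) * 60 + int(m.group(4))
    end = int(m.group(5)) * 60 + int(m.group(6))
    return (days, start, end) if start < end else None

def in_window(text, when):
    """True only if `when` (a datetime already in the client's time zone) is inside the window."""
    parsed = parse_window(text)
    if parsed is None:
        return False  # fail closed: no parseable window means no testing
    days, start, end = parsed
    return when.weekday() in days and start <= when.hour * 60 + when.minute < end

def validate_roe(roe):
    """Return a list of problems; an empty list means these checks passed."""
    problems = []
    if roe.get("engagement_type") not in ENGAGEMENT_TYPES:
        problems.append("engagement_type is not one of the listed types")
    if parse_window(roe.get("testing_window")) is None:
        problems.append("testing_window missing or unparseable")
    if not roe.get("authorization_ref"):
        problems.append("authorization reference missing")
    contacts = roe.get("escalation_contacts") or []
    if len(contacts) < 2:
        problems.append("fewer than 2 escalation contacts")
    if not {"client", "red_team"} <= {c.get("party") for c in contacts}:
        problems.append("need one client and one red team contact")
    for i, c in enumerate(contacts):
        if any(not c.get(k) for k in ("name", "role", "channel")):
            problems.append(f"contact {i} lacks name, role or channel")
    return problems

# Constructed sample, not a real engagement.
SAMPLE_ROE = {"engagement_type": "external", "authorization_ref": "PLACEHOLDER-REF",
              "testing_window": "Mon-Fri 09:00-18:00 client TZ",
              "escalation_contacts": [
                  {"party": "client", "name": "A. Example", "role": "CISO", "channel": "phone"},
                  {"party": "red_team", "name": "B. Example", "role": "Red team lead", "channel": "chat"}]}
```

validate_roe(SAMPLE_ROE) returns an empty list, and in_window rejects any time outside the stated days and hours, including the closing minute itself.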
Drive Decepticon — an autonomous multi-agent red-team framework — over MCP to run authorized penetration tests and bug-bounty engagements end to end, then watch and steer them live from chat. Launch an engagement against a target, poll its transcript to narrate progress, send messages to refocus it, and pull findings as SARIF. Use when the user asks to run a pentest/red-team engagement, hunt a bug bounty, do recon, exploit/scan a host, web app, API, network, cloud, Active Directory, mobile app, or smart contract WITH Decepticon — or to check/resume a running engagement or report what Decepticon found. Triggers: run a decepticon engagement, pentest this with decepticon, bug bounty, recon this target, red team this, scan this host, resume the engagement, what did decepticon find, decepticon status. Do NOT use for ad-hoc local tool runs (running nmap/sqlmap/ffuf directly) when no Decepticon server is involved — this drives the Decepticon orchestrator, not raw tools.
IoT device security reconnaissance — firmware extraction, embedded analysis, protocol identification, default credential checking, vulnerability scanning, device fingerprinting.
Mobile application security reconnaissance — APK/IPA analysis, permission enumeration, certificate validation, hardcoded secret detection, insecure storage identification, network security analysis.
Wireless network security reconnaissance — WiFi analysis, Bluetooth assessment, RFID/NFC evaluation, signal capture, protocol analysis, encryption testing, rogue device detection.
Operational-tier finding template — minimal fields for sub-agent decision support. Heavyweight deliverable promotion lives in skills/decepticon/final-report.
Red team engagement lifecycle management — initiation, phase transitions, go/no-go gates, deconfliction, emergency procedures, completion.