Skip to content

Latest commit

 

History

History
106 lines (81 loc) · 6.39 KB

File metadata and controls

106 lines (81 loc) · 6.39 KB

Coverage Analysis

Honest assessment of what these skills cover vs. what real practitioners need.

Headline number

~85–90% coverage of what an experienced practitioner would reach for during the OSINT/recon phase of an authorized external red-team engagement.

~35–45% coverage of what a full external red-team operator does in their job (because most red-team work is exploitation + post-exploit, intentionally out of scope).

By practitioner archetype

Archetype Coverage of their needs Why
Pure OSINT analyst ~90% Skills are built for this.
External attack-surface analyst (CyCognito-style) ~85–90% Direct overlap with the methodology.
Bug bounty hunter ~75–80% Strong on recon; thin on exploit techniques.
Threat intel investigator ~70% RU/CN pivots, attribution discipline, malware basics — but no infrastructure-tracking-over-time.
External red teamer (recon phase) ~85–90% The OSINT phase is well-covered.
External red teamer (full engagement) ~35–45% Recon is ~30–40% of a full engagement; rest (exploitation, post-exploit, lateral, reporting) is mostly out of scope.
Internal red teamer (assumed-breach) ~10% Almost entirely out of scope.
Adversary emulation / TTP-driven ~25% Threat-actor section exists; specific TTP playbooks per APT don't.
Physical pentester ~25% Sat imagery + LinkedIn intel cover scouting; physical execution doesn't.
Social engineer ~50% Pretext development covered; payload crafting + voice tradecraft not.
Purple teamer ~30% No SOC-coordination guidance.

By engagement phase

Phase Coverage
Pre-engagement (RoE, scoping, NDAs, SOW, pricing) ~10%
External OSINT / passive recon ~85–90%
External active recon (light probing) ~75–85%
Phishing payload crafting + delivery 0% (out of scope)
Initial access (exploit execution) ~5% (we identify, don't exploit)
Foothold / persistence 0% (out of scope)
Privilege escalation (local + AD) 0% (out of scope)
Lateral movement 0% (out of scope)
C2 infrastructure 0% (out of scope)
AV/EDR evasion 0% (out of scope)
Domain dominance 0% (out of scope)
Data exfiltration tradecraft 0% (out of scope)
Cleanup / artifact removal 0% (out of scope)
Reporting (technical + exec) ~75%
Disclosure / vendor coordination ~60%
Re-test / continuous monitoring ~30%
Purple-team / SOC-coordination 0%
Lessons-learned / engagement retrospective ~20%

What's deliberately out of scope (and why)

  • Active exploitation, post-exploitation, malware — operational tradecraft, different domain, safety posture concerns.
  • C2 frameworks, AV/EDR evasion — operational tradecraft, large body of separate knowledge.
  • AD attacks, BloodHound, Kerberos — internal recon, not external.
  • Specific client-portal report formats — too company-specific to template usefully.
  • Pricing, NDA, SOW templates — business operations, not technical.
  • Real PII / breach corpus content — privacy + opsec.

Smoke-test results (32 prompts)

The repo ships 32 self-test prompts (tests/smoke-test-prompts.md) covering the major capability areas.

Run PASS PARTIAL FAIL Grade
v2.0 (initial) 1 9 22 C
v2.1 (current) 31 1 0 A

The single PARTIAL is Test 5 (cloud-bucket combinatorial generation) — acceptable; the inputs + technique are documented, runtime synthesis is appropriate.

Caveats

The smoke-test number (96.9% PASS) is Claude grading itself on tests Claude designed. It's a useful signal for tracking gaps but not an objective measure of real-world coverage. A real practitioner would find more gaps. Treat it as "the skills now answer the obvious questions"; non-obvious questions may need a follow-on iteration.

What experienced practitioners would say is still missing (within OSINT scope)

If a senior offensive consultant reviewed v2.1 and stayed within OSINT scope, here's what they'd flag as still missing:

  1. Specific tool-chaining recipes — "use spiderfoot → export CSV → maltego transforms → asset graph" workflows. We name tools; we don't compose them step-by-step.
  2. Recon-ng / SpiderFoot / Maltego module-by-module configuration — these are full ecosystems; we treat them as pointers.
  3. Custom Burp Suite / OWASP ZAP setup for engagements — the "configure your active proxy for an engagement" guide.
  4. OPSEC infrastructure as code — Terraform/Ansible to spin up clean engagement infrastructure (proxy stacks, redirectors).
  5. Sector-specific deep dives — §47 is a starting point, not a deep dive (real healthcare RT specialists know HL7 trafficking like a second language).
  6. Adversary-emulation playbooks per APT — "to simulate APT29's external recon, use these specific tools/techniques."
  7. Continuous-monitoring orchestration — daily diff scripts, alert pipelines, false-positive tuning.
  8. Multi-tenant engagement workflow — how an MSSP runs 30 concurrent ASM engagements without crossing wires.
  9. Client-specific report styling — every Big-4 consultancy has their own template.
  10. Tool failure recovery — when Shodan rate-limits during a critical phase, what's plan B/C/D?

These would push coverage to ~95% of OSINT-phase work. Each would add 200–500 lines and approach the limits of what a single skill can usefully encode.

Roadmap

Phase Status Description
v1.0 ✅ Done Original framework
v2.0 ✅ Done External-red-team posture rewrite
v2.1 ✅ Current Comprehensive expansion (this version)
v2.2 🔜 Continuous-monitoring playbook + multi-tenant workflow + Burp extension recipes
v3.0 🔜 Plugin manifest for one-click Claude Code install + optional MCP server companion

Bottom line

For "external OSINT for authorized red-team operations": ~85–90% coverage of what an experienced practitioner reaches for. For "everything a full red-team operator does in their job": ~35–45% — the gap is mostly intentional (out of scope).

The skills are production-ready for OSINT-phase work. They are not a replacement for a senior red teamer on a full engagement.