Decepticon: an autonomous red team agent that executes professional attack chains and kill chains within a hardened sandbox

What it solves

Decepticon is an autonomous red team agent designed to move beyond simple vulnerability scanning. It automates complex, realistic attack chains—including reconnaissance, exploitation, privilege escalation, and lateral movement—while adhering to professional engagement standards like Rules of Engagement (RoE) and operational plans (OPPLAN) mapped to the MITRE ATT&CK framework.

How it works

The system uses a two-network architecture to isolate the management plane (orchestration, LLMs, and databases) from the sandbox plane (where attacks are executed). It employs a team of 16 specialist agents organized by kill chain phase, each with a fresh context window to minimize noise.

Key technical features include:

  • Interactive Shell Support: Runs commands in persistent tmux sessions with automatic prompt detection, allowing it to use interactive tools like msfconsole or sliver-client.
  • Hardened Isolation: Executes all actions within a Kali Linux sandbox via the Docker socket.
  • Knowledge Persistence: Uses Neo4j to maintain a knowledge graph of findings across the engagement.
  • Dynamic Workloads: Spawns specialist containers (e.g., BloodHound CE, Ghidra MCP) on demand via an orchestrator.
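
A defender-side check of the two-network isolation and Docker socket use described above, added here as an example and not taken from the Decepticon project: it audits `docker inspect` output for containers attached to both planes or holding the Docker socket inside the sandbox plane. The network names and the sample containers are assumptions constructed for illustration.

```python
import json

# Assumed network names; the page does not state the project's real ones.
MGMT_NET, SANDBOX_NET = "mgmt-net", "sandbox-net"

def _sock(path="/var/run/docker.sock"):
    return [{"Type": "bind", "Source": path, "Destination": path}]

# Constructed sample shaped like `docker inspect <containers>` JSON output.
SAMPLE_INSPECT = json.dumps([
    {"Name": "/orchestrator", "Mounts": _sock(),
     "NetworkSettings": {"Networks": {MGMT_NET: {}}}},
    {"Name": "/neo4j", "Mounts": [],
     "NetworkSettings": {"Networks": {MGMT_NET: {}}}},
    {"Name": "/kali-sandbox", "Mounts": [],
     "NetworkSettings": {"Networks": {SANDBOX_NET: {}}}},
    # Constructed misconfigurations the audit should flag:
    {"Name": "/bloodhound-ce", "Mounts": [],
     "NetworkSettings": {"Networks": {MGMT_NET: {}, SANDBOX_NET: {}}}},
    {"Name": "/ghidra-mcp", "Mounts": _sock(),
     "NetworkSettings": {"Networks": {SANDBOX_NET: {}}}},
    {"Name": "/scratch", "Mounts": [],
     "NetworkSettings": {"Networks": {"bridge": {}}}},
])

def audit_isolation(inspect_json, mgmt=MGMT_NET, sandbox=SANDBOX_NET):
    """Return sorted (container, finding) pairs that break plane isolation."""
    findings = []
    for c in json.loads(inspect_json):
        name = c.get("Name", "?").lstrip("/")
        nets = set((c.get("NetworkSettings") or {}).get("Networks") or {})
        # A mounted Docker socket gives root-equivalent control of the host.
        has_sock = any(
            str(m.get(k, "")).endswith("docker.sock")
            for m in (c.get("Mounts") or []) for k in ("Source", "Destination"))
        if mgmt in nets and sandbox in nets:
            findings.append((name, "attached-to-both-planes"))
        if sandbox in nets and has_sock:
            findings.append((name, "docker-socket-in-sandbox-plane"))
        if nets - {mgmt, sandbox}:
            findings.append((name, "unexpected-network"))
    return sorted(findings)

if __name__ == "__main__":
    for name, finding in audit_isolation(SAMPLE_INSPECT):
        print(f"{name}: {finding}")
```
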

Who it’s for

It is built for professional red teamers and security researchers who need to automate complex offensive operations or develop an "Offensive Vaccine" loop to improve defenses by verifying them through simulated attacks.

Highlights

  • Professional Discipline: Generates RoE, ConOps, and Deconfliction Plans before sending any packets.
  • High Performance: Achieved a 98.08% pass rate on XBOW validation benchmarks across all difficulty levels.
  • Multi-Model Support: Features a tier-based fallback chain supporting providers like Anthropic, OpenAI, Google Gemini, and local models via Ollama.
  • SDK Availability: Can be used as a Python library for integrating agent factories and tools into other research or products.
