RedAmon
RedAmon (samugit83/redamon on GitHub) is an AI-powered agentic red team framework with two distinct modes: an offensive agent that runs a 6-phase recon engine, validates CVE exploitability, tests credential policies, and maps lateral movement paths; and a CodeFix agent that autonomously clones target repositories, navigates codebases with 11 specialized tools, implements security fixes, and opens pull requests — all with zero human intervention.
Installation
From Source
git clone https://github.com/samugit83/redamon
cd redamon
# Install Python dependencies
pip install -r requirements.txt
# Install Node.js dependencies (for CodeFix agent)
npm install
# Copy and configure environment
cp .env.example .env
# Edit .env with your API keys and settingsDocker
# Build the full stack image
docker build -t redamon:latest .
# Run red team agent
docker run -it \
-e ANTHROPIC_API_KEY=$ANTHROPIC_API_KEY \
-e GITHUB_TOKEN=$GITHUB_TOKEN \
-v $(pwd)/results:/app/results \
redamon:latest redteam
# Run CodeFix agent
docker run -it \
-e ANTHROPIC_API_KEY=$ANTHROPIC_API_KEY \
-e GITHUB_TOKEN=$GITHUB_TOKEN \
redamon:latest codefixDocker Compose
# Start all services (agent, dashboard, report server)
docker-compose up -d
# Check service health
docker-compose ps
docker-compose logs -f redamon-agentConfiguration
Environment Variables (.env)
# AI provider
ANTHROPIC_API_KEY=sk-ant-...
ANTHROPIC_MODEL=claude-opus-4-5
# GitHub access for CodeFix agent
GITHUB_TOKEN=ghp_...
GITHUB_USERNAME=your-username
# External intelligence
SHODAN_API_KEY=...
NVD_API_KEY=... # NIST NVD for CVE lookups
VULNERS_API_KEY=...
# Callback/exfil settings
CALLBACK_HOST=your-vps.example.com
CALLBACK_PORT=8080
# Output settings
RESULTS_DIR=./results
REPORT_FORMAT=html # html | json | markdown
LOG_LEVEL=infoRed Team Configuration (redteam-config.yaml)
target:
primary: "example.com"
ip_ranges:
- "192.168.1.0/24"
- "10.0.0.0/8"
exclude:
- "192.168.1.1" # Gateway — skip
recon:
phases:
- passive_osint
- dns_enumeration
- port_scanning
- service_fingerprinting
- vulnerability_discovery
- attack_surface_mapping
timeout_per_phase: 1800 # 30 minutes max per phase
parallel_workers: 3
validation:
cve_check: true
credential_test: true
lateral_movement_map: true
safe_mode: true # No destructive exploits without confirm
output:
dir: ./results/
save_raw_tool_output: trueCodeFix Configuration (codefix-config.yaml)
target_repo: "https://github.com/org/vulnerable-app"
branch: "main"
pr_target_branch: "security-fixes"
scan:
depth: 5 # Directory traversal depth
focus:
- sql_injection
- xss
- insecure_deserialization
- path_traversal
- hardcoded_secrets
fix:
style: minimal # minimal | comprehensive
add_tests: true
add_comments: true
pr:
title_prefix: "[Security]"
auto_submit: false # Set true for zero-touch
reviewers:
- security-team
labels:
- security
- automatedCore Commands
| Command | Description |
|---|---|
python redamon.py redteam | Start red team agent with configured target |
python redamon.py redteam --target <host> | Red team a specific target |
python redamon.py redteam --phase <phase> | Run a single recon phase |
python redamon.py codefix | Start CodeFix agent on configured repo |
python redamon.py codefix --repo <url> | Fix vulnerabilities in a specific repo |
python redamon.py codefix --pr-only | Open PRs for already-identified fixes |
python redamon.py validate --cve <id> | Validate a specific CVE against target |
python redamon.py lateral --from <ip> | Map lateral movement from a host |
python redamon.py report <session-id> | Generate session report |
python redamon.py status | Show active agent status |
python redamon.py history | List all previous sessions |
python redamon.py config validate | Validate configuration files |
Advanced Usage
The 6-Phase Recon Engine
| Phase | Name | What It Does |
|---|---|---|
| 1 | Passive OSINT | WHOIS, certificate transparency, Google dorks, Shodan |
| 2 | DNS Enumeration | Subdomain brute-force, zone transfer, DNS record analysis |
| 3 | Port Scanning | Full TCP/UDP scan, service version detection |
| 4 | Service Fingerprinting | OS detection, framework identification, CMS detection |
| 5 | Vulnerability Discovery | CVE correlation, known-vuln matching, config checks |
| 6 | Attack Surface Mapping | Prioritized attack path generation |
# Run all 6 phases against a target
python redamon.py redteam \
--target example.com \
--phases all \
--output ./results/example-recon/
# Run only specific phases
python redamon.py redteam \
--target example.com \
--phases "passive_osint,dns_enumeration,vulnerability_discovery"
# Phase 6 only — map attack surface from existing recon data
python redamon.py redteam \
--phase attack_surface_mapping \
--recon-data ./results/example-recon/phase5-output.jsonAutonomous CVE Validation
# Validate all discovered CVEs against the live target
python redamon.py validate \
--target https://example.com \
--recon-session session-001 \
--safe-mode \
--output cve-validation-report.html
# Validate a specific CVE
python redamon.py validate \
--cve CVE-2024-12345 \
--target 192.168.1.50:8080 \
--auto-poc \
--poc-format curl
# Batch validate a CVE list
python redamon.py validate \
--cve-list cves.txt \
--target 192.168.1.50 \
--parallel 5Lateral Movement Mapping
# Map all possible lateral movement paths
python redamon.py lateral \
--from 192.168.1.100 \
--network 192.168.0.0/16 \
--credentials ./loot/creds.json \
--techniques "smb,winrm,ssh,rdp,kerberos" \
--output lateral-map.html
# Find shortest path to target
python redamon.py lateral \
--from 192.168.1.100 \
--goal "domain-controller" \
--network 192.168.0.0/16 \
--output attack-path.jsonCodeFix Agent — 11 Navigation Tools
| Tool | Purpose |
|---|---|
repo_clone | Clone target repository to sandbox |
dir_tree | Recursively map directory structure |
file_read | Read file contents with line numbers |
file_search | Search for patterns across codebase |
ast_parse | Parse AST for language-aware analysis |
grep_sink | Find dangerous function calls and sinks |
grep_source | Find user-controlled input sources |
dep_check | Analyze dependency vulnerabilities |
file_write | Write fixed file contents |
git_diff | Show changes made by the agent |
pr_create | Open pull request with fixes |
# Full CodeFix workflow
python redamon.py codefix \
--repo https://github.com/org/vulnerable-app \
--focus "sql_injection,xss,path_traversal" \
--fix-style comprehensive \
--add-tests \
--pr-title "[Security] AI-Generated Vulnerability Fixes" \
--output ./codefix-results/Credential Policy Testing
# Test password policies across discovered services
python redamon.py credential-test \
--target 192.168.1.50 \
--services "ssh,rdp,ftp,smb,http" \
--wordlist /usr/share/wordlists/rockyou.txt \
--users ./loot/discovered-users.txt \
--safe-mode \
--output cred-test-report.htmlCommon Workflows
Full Autonomous Red Team + Remediation
# Step 1: Run 6-phase recon
python redamon.py redteam \
--target example.com \
--phases all \
--session-name "example-q2-2025" \
--output ./results/
# Step 2: Validate discovered CVEs
python redamon.py validate \
--session "example-q2-2025" \
--safe-mode \
--output ./results/cve-validation.html
# Step 3: Map lateral movement
python redamon.py lateral \
--session "example-q2-2025" \
--output ./results/lateral-map.html
# Step 4: Run CodeFix on the target source repo
python redamon.py codefix \
--repo https://github.com/example-org/app \
--findings ./results/cve-validation.html \
--auto-pr \
--output ./results/codefix/
# Step 5: Generate unified report
python redamon.py report \
--session "example-q2-2025" \
--include-codefix \
--format html \
--output ./results/final-report.htmlContinuous Security Monitoring
# Schedule daily recon + CVE validation
cat > monitor.sh << 'EOF'
#!/bin/bash
DATE=$(date +%Y-%m-%d)
python redamon.py redteam \
--target example.com \
--phases "vulnerability_discovery,attack_surface_mapping" \
--session-name "daily-$DATE" \
--output ./results/daily/$DATE/
python redamon.py validate \
--session "daily-$DATE" \
--new-only \
--alert-on-critical \
--alert-email security@example.com
EOF
chmod +x monitor.sh
# Add to cron: 0 2 * * * /path/to/monitor.shZero-Touch Secure Code Review
# Fully automated code review with PR creation
python redamon.py codefix \
--repo https://github.com/org/new-feature-branch \
--branch "feature/new-api" \
--pr-target "main" \
--pr-auto-submit true \
--reviewers "security-team,lead-dev" \
--labels "security-review,automated"Tips and Best Practices
Start with safe-mode — Always run --safe-mode for the first engagement against any target. This skips destructive validation and exploitation, letting you review CVE findings before allowing active testing.
Use session names consistently — All commands accept --session-name and can reload prior session data, so phases 1-3 from yesterday don’t need to be rerun before starting phase 4 today.
Tune parallel workers — Set parallel_workers: 2 on low-bandwidth VPSes; the default of 3-5 can overwhelm small upstream links during port scanning phases.
NVD API key is critical — Register for a free NIST NVD API key and set NVD_API_KEY in .env; without it, CVE lookups are severely rate-limited and phase 5 will be slow.
CodeFix in review-only mode first — Run codefix with auto_submit: false to review proposed code changes before letting the agent open PRs; AI-generated fixes occasionally need human judgement on context.
Combine with Shannon Lite — RedAmon’s recon output pairs well with Shannon Lite’s white-box source analysis; feed discovered endpoints from phase 6 directly into Shannon Lite’s --focus parameter.
Archive raw tool output — Keep save_raw_tool_output: true; raw nmap, nessus, and nuclei output is required evidence for compliance-based engagements and dispute resolution.
Alert on new critical CVEs — Use --new-only --alert-on-critical in continuous monitoring mode to avoid alert fatigue from known-accepted findings.