90 min · Kill Chain State · Plan Correction · Sandbox Inversion · Report Generation
Prerequisite: S00, S01, S02
S02's engagement memory was a flat surface — independent findings. A red team kill chain is a sequence with dependencies: foothold requires initial access, lateral movement requires foothold, exfiltration requires privilege.
The state is not a set of findings; it is a graph of dependent objectives.
Each ATT&CK technique is a node. The kill chain is a path. Node states:
Explicit prerequisites and edges. The harness must answer: "why am I allowed to attempt lateral movement now?"
| Field | Purpose |
|---|---|
tactic / technique | ATT&CK labels (e.g. T1190 Exploit Public-Facing App) |
prerequisites | node IDs that must be succeeded |
evidence_refs | linkage to the evidence chain (S02.3) |
Switch mid-engagement: start linear, promote to graph the moment a step fails or a second objective appears. A linear plan is a degenerate single-chain graph.
Anti-pattern: collapsing a dense graph back to a linear plan "for simplicity." Throws away the alternative paths you'll need when the primary technique fails.
Two specific failure modes for multi-stage kill chains:
Cure: the attack graph is persisted OUTSIDE the context window, queried before every step.
An "error" in an offensive engagement is an exploit that didn't land. The correct response is not retry — it is re-plan. This is the single biggest differentiator between a script and a harness.
Source: RedTeamLLM (Brown et al., 2024) — the four-step plan correction loop.
Key invariant: failed techniques are removed from the candidate set → forces genuine substitution, not variation. Cure for exploit lock-in.
| Strategy | When | Tradeoff |
|---|---|---|
| Specialize | High-confidence intel (exact version, confirmed config) | High impact if it works; fails immediately if intel is wrong |
| Generalize | Low-confidence intel, OR specialized technique already failed | Reliable, noisier, broad pattern |
RedTeamLLM ablation: harnesses with a generalize-on-failure fallback complete 40% more objectives. In adversarial environments, specialized intel is frequently wrong.
Course 1: sandbox CONTAINS the agent to protect the host.
Offensive: agent must reach OUT to attack the target — but a compromised agent (prompt injection, S01.3) can attack YOU.
This is the load-bearing sub-section. The offensive sandbox inverts the Course 1 model.
Both required. Middleware checks intent; network layer enforces outcome. If one is bypassed, the other catches it.
Engagement-discovered credentials (DB passwords, API keys, hashes) must never touch host credential stores (SSH agent, keychain, ~/.aws/credentials).
Cure: a separate encrypted vault inside the container, own key, destroyed on teardown. Host stores not mounted at all.
The metadata trap: deny 169.254.169.254 at the proxy. A compromised agent reaching the cloud metadata endpoint steals the HOST's cloud credentials. Always denied.
A harness that has not verified containment is making an untested safety claim. Verification = attempt the forbidden thing, observe the block.
| Direction | Test |
|---|---|
| Outbound | From container, connect to an out-of-scope canary → REFUSED. Connect to in-scope → SUCCEEDS. |
| Inbound | From target segment, connect back to host/management → REFUSED. Only control plane traverses the boundary. |
The deliverable is not the attack. The client cannot invoice a reverse shell. The deliverable is the report.
Report generation is a first-class harness output, designed from the start — generated from structured data accumulated through the engagement.
CVSS scoring is a known LLM weakness. The model produces plausible vector strings — and gets them wrong by 2+ points regularly. Overstates on scary descriptions, understates on subtle paths.
Policy: CVSS is always auto-scored, always flagged "DRAFT — pending analyst review", always routed to human review before the client. Never trained on as ground truth.
One source of truth, three renderings. Separate report data from engagement data → two sources → they drift.
The red team harness is operational: attack graph state, plan correction, dual containment, client-ready reporting.
S04 applies these patterns to CTF harness engineering: shorter engagements, known-flag objectives, the specific harness tweaks that win competitions.