redteam-report-template
The redteam-report-template skill provides a standardized six-section structure (Subject, Observations, Description, Impact, Recommendation, Proof of Concept) for packaging security findings into client-facing red-team deliverables. Use this template when delivering external penetration test reports to enterprise clients under signed statements of work, particularly when findings will reach both technical and non-technical stakeholders and require DOCX or PDF output. Do not use for bug-bounty platform submissions or internal team documentation.
git clone --depth 1 https://github.com/elementalsouls/Claude-BugHunter /tmp/redteam-report-template && cp -r /tmp/redteam-report-template/skills/redteam-report-template ~/.claude/skills/redteam-report-templateSKILL.md
## When to use Use this skill for **client-deliverable** reports: - External red-team engagements with a signed SOW - Pentest reports going to a CISO / IT-Sec team (not a triager) - Findings that will be reviewed by both technical and non-technical stakeholders - Reports that need DOCX/PDF output (not just markdown / platform UI) Do NOT use for: - Bug-bounty platform submissions (use `report-writing` / `bugcrowd-reporting` instead) - Quick proof-of-concept memos - Internal team writeups --- ## The 6-section format per finding This is the canonical structure each finding follows: ```markdown ## Finding F##: <descriptive title> **Severity:** Critical / High / Medium / Low / Informational **Status:** Confirmed / Patched mid-engagement / Suspected (1 signal) **CVSS 3.1:** <score> (<vector>) **Affected Asset:** <URL / IP / app name> ### 1. Subject <One-line statement of the issue. Plain English, no jargon.> ### 2. Observations <Bulleted list of what was observed during testing. Concrete facts only — no interpretation yet.> - <Observation 1> - <Observation 2> - ... ### 3. Description <Technical explanation of the vulnerability. 2-4 paragraphs. Reader should understand WHY the observations indicate a vulnerability, what the underlying flaw is.> ### 4. Impact <What an attacker could achieve. Concrete attacker outcomes, NOT generic CIA triad statements. Tie to the client's business — money, data, reputation, regulatory exposure.> ### 5. Recommendation <Specific, actionable remediation. Vendor patch, configuration change, code-level fix. Avoid "implement security best practices" — say what specifically.> ### 6. Proof of Concept (PoC) <Steps to reproduce, numbered. Include the exact HTTP requests, payloads, tools used.> **Step 1:** <action> ```http <full HTTP request or curl one-liner> ``` **Step 2:** <action> ``` <response excerpt> ``` **Screenshot:**  ``` --- ## Severity & status disciplines ### Severity table (client-facing — different from CVSS-only) | Severity | Business definition | CVSS rough range | |---|---|---| | Critical | Direct revenue/data loss without prerequisites | 9.0-10.0 | | High | Full account/system takeover with limited prerequisites | 7.0-8.9 | | Medium | Significant data exposure or partial compromise | 4.0-6.9 | | Low | Information disclosure with limited exploitation path | 0.1-3.9 | | Informational | Hygiene finding, no immediate exploit | N/A | ### Status field (red-team-specific) This is the field that distinguishes red-team deliverables from bug-bounty reports. Use one of: - **Confirmed** — reproduced multiple times, with full PoC - **Confirmed; patched mid-engagement** — was reproducible, client patched during the test window (still ship the finding — see `mid-engagement-ir-detection`) - **Confirmed; partially reproducible** — works but needs specific conditions - **Suspected (1 signal)** — single indicator, not confirmed (rare — usually drop) - **Out-of-band** — finding from passive recon, not actively tested --- ## Mistakes to avoid (from authorized-engagement) ### 1. Don't retract findings that stopped reproducing If a finding was confirmed and then stopped working, that is almost always a CLIENT PATCH, not a finding-was-false. The correct response is "Confirmed; patched mid-engagement" with timestamps showing when it broke. See `mid-engagement-ir-detection`. ### 2. Don't hedge in the Impact section Bad: "An attacker could potentially be able to access user data, which may lead to..." Good: "An attacker reads any user's profile data. Demonstrated on test user `victim@target.com` at 14:22 IST." ### 3. Don't generic-CIA the impact Bad: "Loss of confidentiality and integrity of customer data" Good: "Read access to 247,000 customer records including PAN cards, addresses, GST numbers. India DPDPA Section 33 mandates 72-hour breach disclosure to DPB." ### 4. Don't list every recon finding as a finding Recon notes (subdomains found, ports open, technologies fingerprinted) belong in a separate **Recon / Attack Surface** appendix, not the findings list. A finding must have an attacker-attainable outcome. ### 5. Don't bury the PoC Each finding MUST have reproducible steps. The PoC section is what proves the finding to a skeptical reader. If you can't write the PoC clearly, the finding probably isn't ready to ship. --- ## Document-level structure ``` 1. Executive Summary (1 page, non-technical) - Engagement overview (dates, scope) - Risk posture summary (heat-map: <X critical, Y high, Z medium...>) - Top 3 strategic recommendations - Comparison to industry baseline (optional) 2. Engagement Details - Scope (in-scope, out-of-scope, exclusions) - Methodology (recon → exploit → reporting; or align with PTES / OSSTMM) - Tools used - Timeline (start / end / key milestones) - Team 3. Risk Summary Table | F# | Title | Severity | Status | |----|-------|----------|--------| | F01 | ... | Critical | Confirmed | ... 4. Findings (one per ## section, in severity order — Critical first) 5. Attack Surface / Recon Appendix - Subdomains discovered - Open ports / services - Technology fingerprints - APKs found - Credentials in breach corpora (count + sample only — redact) - Identity-fabric map (IdP, MFA posture) 6. Indicators of Compromise (IoCs) - Source IPs used during testing (so SOC can correlate) - User-Agent strings - Test accounts created - Files uploaded (with cleanup status) 7. Cleanup Statement - Confirmation that all test artifacts (accounts, uploads, persistence) were removed - Outstanding cleanup items requiring client action 8. Appendices (raw output, screenshots index, full target list) ``` --- ## DOCX generation pipeline (markdown → docx with embedded images) ```bash # Prerequisite: pandoc installed brew install pandoc # Convert pandoc REPORT_FINAL.md \ -o REPORT_FINAL.docx \ --resource-path=enga
Run autonomous hunt loop on a target — scope check → recon → rank surface → hunt → validate → report with configurable checkpoints. Usage: /autopilot target.com [--paranoid|--normal|--yolo]
Build an exploit chain — given bug A, finds B and C to combine for higher severity and payout. Knows common chain patterns: IDOR→ATO, SSRF→cloud metadata, XSS→ATO, open redirect→OAuth theft, S3→bundle→secret→OAuth. Usage: /chain
Active vulnerability hunting. Two-track dispatcher — asks Red Team vs WAPT, hands off to hunt-dispatch skill and sibling commands. Usage: /hunt target.com | /hunt *.target.com | /hunt targets.txt [--vuln-class X] [--source-code P] [--chrome]
On-demand intelligence fetch for a target — CVEs, disclosed reports, new features. Wraps learn.py + hunt memory context. Usage: /intel target.com
Inspect or rotate hunt-memory JSONL files (audit.jsonl, patterns.jsonl, journal.jsonl). Caps file size and keeps N rotated backups so memory does not grow unbounded.
Pick up a previous hunt on a target — shows hunt history, untested endpoints, and memory-informed suggestions. Usage: /pickup target.com
Run full recon pipeline on a target — subdomain enum (Chaos API + subfinder), live host discovery (dnsx + httpx), URL crawl (katana + waybackurls + gau), gf pattern classification, nuclei scan. Outputs to recon/<target>/ directory. Usage: /recon target.com
Log current finding or successful pattern to hunt memory. Auto-fills from /validate output if available. Usage: /remember