RedPick Agentic Pentesting Platform¶
Welcome to the documentation for RedPick — an automated web & mobile application penetration testing suite powered by Claude Code.
The Codebase is the AI¶
395 files | 138,268 lines of AI agent code — 44% of the entire project
Unlike traditional software, this platform is primarily composed of structured instructions that AI agents execute autonomously. The "source code" is natural language orchestration.
| Component | Files | Lines | Purpose |
|---|---|---|---|
| Skill definitions (SKILL.md) | 122 | 70,418 | Agent logic: methodology, decision trees, wave orchestration |
| Knowledge packs (helpers/*.md) | 243 | 63,825 | Domain expertise: 25+ vuln classes, techniques, bypass patterns |
| Master orchestration (CLAUDE.md) | 2 | 816 | Phases, safety rules, completeness gates, tool inventory |
| Schemas & helpers | 22 | 2,639 | Codex schemas, structured output, configs |
| Hooks & automation | 6 | 570 | Doc sync, memory sync, pre-commit |
The remaining 56% (~176K lines) is the dashboard (React + FastAPI), desktop app (Flutter), docs site, eval framework, ingestion pipeline, report engine, and scripts.
Knowledge Arsenal — 1,248 Techniques Across 34 Knowledge Packs¶
Every vulnerability class is backed by a curated knowledge pack containing real-world techniques, payloads, bypass patterns, and PoC chains — sourced from 162 HackerOne disclosed CVEs, 68 security researcher videos, and 121 published research papers.
| Category | Vuln Classes | Techniques | Sources |
|---|---|---|---|
| Injection | SQLi (error/union/blind/ORM/WAF bypass), XSS (mXSS/CSP bypass/8-tier filter bypass), SSTI (Jinja2/Twig/Smarty/Nunjucks/EJS), CMDi (shell/git/ImageMagick), XXE (SXMP/file format), Path Traversal (encoding/unicode/OS-specific) | 445 | 8 knowledge packs |
| Authentication | Session hijacking, JWT (alg confusion/KID injection/JKU), OAuth/OIDC (redirect_uri/PKCE downgrade/code reuse), SAML, OTP/MFA bypass | 99 | 3 knowledge packs |
| Access Control | IDOR (numeric/UUID/GUID/hash/batch), AuthZ bypass, privilege escalation, polymorphic model bypass, GraphQL global ID enum | 93 | 1 knowledge pack, 18 H1 CVEs |
| SSRF | git:// CRLF, gopher:// chains, PDF generation, Grafana plugin chain, rogue MySQL, PlantUML/Mermaid, filter bypass (IPv6/encoding/@symbol) |
69 | 1 knowledge pack |
| Client-Side | CSRF (SameSite bypass/token prediction), CORS misconfiguration, clickjacking, DOM clobbering, CSP bypass (CDN/JSONP/nonce), service worker theft | 90 | 1 knowledge pack |
| Business Logic | Race conditions (payment/OTP/session/TOCTOU), file upload (MIME/magic bytes/polyglot/ExifTool RCE), financial logic | 64 | 2 knowledge packs |
| Infrastructure | HTTP request smuggling (CL.TE/TE.CL/TE.TE/H2 desync), cache poisoning (host header/delimiter/parameter), response queue pollution | 47 | 2 knowledge packs |
| Advanced | MFA bypass (59 techniques), CRLF injection, open redirect, WAF bypass (Cloudflare/Akamai/ModSecurity/AWS), second-order SQLi, SMT-based fuzzing | 114 | 6 knowledge packs |
| Deserialization | Java (ysoserial 7 chains), PHP (Symfony/Laravel), Python (pickle), .NET (DataContract), Ruby (Marshal) | 44 | 1 knowledge pack |
| API | GraphQL (introspection bypass/depth abuse/batching), REST mass assignment, prototype pollution, Salesforce Aura | 21 | 1 knowledge pack |
| Cloud | AWS S3/IAM/EC2 metadata, Azure RBAC/storage, GCP, Kubernetes RBAC/ETCD/kubelet, CI/CD secrets, subdomain takeover | 17 | 1 knowledge pack |
| Supply Chain | Dependency confusion, typosquatting, SRI bypass, Docker layer secrets, transitive dependency abuse | 13 | 1 knowledge pack |
| Cryptography | TLS/SSL downgrade, cipher suite weakness, padding oracle, key management, POODLE/BEAST/Heartbleed | 13 | 1 knowledge pack |
| Exception Handling | Stack trace leakage, debug mode detection, error-based enumeration, path disclosure, timing attacks | 18 | 1 knowledge pack |
| LLM Security | Direct/indirect prompt injection, jailbreaking (DAN/STAN/encoded), model extraction, training data leak, MCP attacks | 35 | 1 knowledge pack |
| Mobile | Android (ContentProvider SQLi, intent redirect, exported components), iOS (universal links, keychain, pasteboard) | 10 | 1 knowledge pack |
| Web3 | Reentrancy, integer overflow, front-running, flash loan, price oracle manipulation, signature replay | 14 | 1 knowledge pack |
| 1,248+ | 34 knowledge packs |
Key Features¶
- 6-Phase Methodology — Context init, walkthrough, recon, discovery, scanning, manual testing, verification, reporting
- Micro-Agent Architecture — Parallel wave execution with 31 sub-agents across 10 scoped skills
- V3 Pragmatica Model Routing — 3-tier Opus/Sonnet/Haiku assignment with per-scope thinking budgets
- Smart Test Router — Maps each endpoint to only relevant test scopes via 18+ signal rules
- CI/CD Code Review — Automated SAST + AI analysis on every PR (GitHub, GitLab, Azure DevOps)
- Docker-Only Execution — All pentest tools run inside containers, never on the host
- Professional Reporting — Contextual risk scoring, CVSS 4.0, HWG compliance format
Quick Start¶
/pentest https://target.com # Full pentest (stealth ON)
/pentest https://target.com --fast # Fast mode (no recon, no stealth)
/pentest https://target.com --bug-bounty # Bug bounty (aggressive)
/pentest https://api.target.com --api-spec auto # API direct testing
6-Phase Methodology Flow¶
graph LR
A["Phase 0<br/>Context Init"] --> B["Phase 0.5<br/>Walkthrough"]
B --> C["Phase 1<br/>Recon"]
C --> D["Phase 2<br/>Discovery"]
D --> E["Phase 3<br/>Scan"]
E --> F["Phase 3.5<br/>Smart Routing"]
F --> G["Phase 4<br/>Testing<br/>31 Sub-agents"]
G --> H["Phase 5<br/>Verification"]
H --> I["Phase 6<br/>Report"]
style A fill:#4a148c,color:#fff
style B fill:#6a1b9a,color:#fff
style C fill:#7b1fa2,color:#fff
style D fill:#8e24aa,color:#fff
style E fill:#9c27b0,color:#fff
style F fill:#ab47bc,color:#fff
style G fill:#0277bd,color:#fff
style H fill:#00838f,color:#fff
style I fill:#00695c,color:#fffDocumentation Structure¶
| Section | Description |
|---|---|
| Download | Admin Dashboard + Client Portal (web, Windows, macOS) |
| Getting Started | Installation, quick start, configuration |
| Architecture | Skill system, micro-agents, model routing, wave coordinator |
| Methodology | All 6 phases in detail |
| Test Skills | 17 test skills with scope routing tables |
| CI/CD Code Review | SAST + AI analysis on every PR, client onboarding |
| Operations | Safety, stealth, Docker, VPN, proxy |
| Benchmarks | 7 lab targets, eval settings, scoring |
| Architecture Decisions | Rationale behind key design choices |
| Reference | CLI flags, file structure, completeness gates |