# Architecture & Design Philosophy
## The two-skill split
The skills are deliberately split into **methodology** ("how to think") and **arsenal** ("what to reach for"). This reflects two different mental modes practitioners use:
- **Methodology mode** β "I have a target. How do I approach this?" β strategic + procedural.
- **Arsenal mode** β "I need a Swagger probe path / secret regex / curl one-liner." β tactical + reference.
A single mega-skill of ~5,500 lines would have noisier triggering and worse retrieval. The split lets each skill have a tight, distinct trigger vocabulary.
```mermaid
flowchart TD
U["USER ASKS:
'How do I find an origin behind Cloudflare?'"]
M["π methodology Β§27
technique catalog + confidence rules"]
A["π οΈ arsenal Β§16.15
actual curl commands"]
O["β
Composed answer"]
U --> M
U --> A
M --> O
A --> O
style U fill:#3b82f6,color:#fff
style M fill:#1e293b,color:#f1f5f9
style A fill:#7c2d12,color:#fef3c7
style O fill:#14532d,color:#dcfce7
```
> Most prompts pull both. They're complementary, not overlapping.
## Confidence model
Every assertion carries a graded confidence level:
```mermaid
flowchart LR
T["π‘ TENTATIVE
1 source Β· inferred pattern"]
F["π FIRM
2+ sources OR direct observation"]
C["π’ CONFIRMED
verified + multiple independent corroborations"]
T -->|+ corroborating evidence| F
F -->|+ verification| C
style T fill:#ca8a04,color:#fff
style F fill:#ea580c,color:#fff
style C fill:#16a34a,color:#fff
```
Per-asset-type upgrade workflows in `methodology` Β§2.1 specify exactly what evidence moves an asset between levels.
## Severity model
Severity is **operational**, anchored on examples. The methodology rubric (Β§9) defines tiers:
```mermaid
flowchart TD
CRIT["π΄ CRITICAL
Pre-auth RCE Β· valid creds Β· listable prod data Β· trust violations"]
HIGH["π HIGH
Sourcemap Β· open GraphQL introspection Β· takeover Β· reflected CORS+creds Β· exposed admin UI"]
MED["π‘ MEDIUM
Missing headers Β· info disclosure Β· hardening gaps Β· brute-force exposure"]
LOW["π’ LOW
Cosmetic Β· marginal hardening"]
INFO["βͺ INFO
Recordable Β· no immediate action"]
CRIT --> HIGH --> MED --> LOW --> INFO
style CRIT fill:#7f1d1d,color:#fff
style HIGH fill:#9a3412,color:#fff
style MED fill:#a16207,color:#fff
style LOW fill:#15803d,color:#fff
style INFO fill:#475569,color:#fff
```
The arsenal severity matrix (Β§40) provides 80+ worked examples for triage. Escalation rules cover special cases (HSTS missing on `/login` β MEDβHIGH, etc.).
## Detectability model
Every probe carries a detectability tag:
```mermaid
flowchart LR
L["π’ LOW
Passive sources
CT logs Β· Wayback Β· Shodan InternetDB Β· Hunter.io"]
M["π‘ MEDIUM
Targeted probes
user-enum Β· validator queries Β· GraphQL probes Β· screenshots"]
H["π΄ HIGH
Active scans
port scans Β· Nuclei full templates Β· web fuzzing Β· brute-force"]
L --> M --> H
style L fill:#15803d,color:#fff
style M fill:#a16207,color:#fff
style H fill:#7f1d1d,color:#fff
```
The detection-aware probing section (`methodology` Β§6.4) provides the back-off ladder for when you start hitting active defenses.
## Asset graph model
```mermaid
flowchart TD
Domain["π Domain"]
Subdomain["π Subdomain"]
IP["π‘ IP"]
ASN["π’ ASN"]
WebApp["π» WebApp"]
ApiSpec["π ApiSpec"]
Secret["π Secret"]
Email["π§ Email"]
Person["π€ Person"]
Breach["π₯ Breach"]
Domain -->|ALIAS_OF / RESOLVES_TO| Subdomain
Subdomain -->|RESOLVES_TO| IP
IP -->|IN_NETBLOCK| ASN
Subdomain -->|HOSTED_ON| ASN
Subdomain -->|EXPOSES| WebApp
WebApp -->|DOCUMENTED_BY| ApiSpec
WebApp -->|CONTAINS_SECRET| Secret
Secret -->|BREACHED_FROM| Breach
Breach -->|CONTAINS| Email
Email -->|EMPLOYED_BY| Person
style Domain fill:#1e40af,color:#fff
style Subdomain fill:#1e40af,color:#fff
style IP fill:#0891b2,color:#fff
style ASN fill:#0891b2,color:#fff
style WebApp fill:#7c3aed,color:#fff
style ApiSpec fill:#7c3aed,color:#fff
style Secret fill:#dc2626,color:#fff
style Breach fill:#dc2626,color:#fff
style Email fill:#ea580c,color:#fff
style Person fill:#ea580c,color:#fff
```
29 asset types organized in 9 categories. 23 typed edges. Discipline: every discovery is a typed asset (never a free-floating string), with provenance tracked.
## Output schema
Findings are structured for ingestion by asset-management tools:
```yaml
Finding:
id:
module:
asset_key:
category:
severity: critical | high | medium | low | info
confidence: confirmed | firm | tentative
title:
description: <2-5 sentences>
evidence:
url:
timestamp:
sha256:
raw:
references:
-
remediation:
```
This shape is portable to any asset / findings store (ASM platforms, ticketing systems, custom DBs).
## Cross-module sidecar coordination
When techniques produce outputs that feed other techniques, sidecar JSON files enable late binding:
```mermaid
flowchart LR
M["π± mobile_attack_surface"] -->|writes| J["π mobile_endpoints.json"]
J -->|reads| A["π api_discovery"]
style M fill:#7c3aed,color:#fff
style J fill:#475569,color:#f1f5f9
style A fill:#7c3aed,color:#fff
```
Patterns documented in `methodology` Β§24.2.
## Validator discipline
Credential validators are **read-only by design**. Never destructive.
```mermaid
flowchart LR
D["π Discovery
catalog regex"]
V["β
Validation
read-only
/me Β· /user Β· auth.test"]
S["πΊοΈ Scope-enum
read-only
IAM Β· repo Β· workspace"]
A["π― Attack-path-hint
operator pivots from here"]
D --> V --> S --> A
style D fill:#1e40af,color:#fff
style V fill:#15803d,color:#fff
style S fill:#7c3aed,color:#fff
style A fill:#9a3412,color:#fff
```
9 providers covered (Postman, AWS, GitHub, Slack, Anthropic, OpenAI, npm, Atlassian, DataDog). Hard rule: never create / delete / send. Tag every validation with detectability + `checked_at`.
## Trigger frontmatter discipline
Each skill declares ~50β110 trigger phrases in YAML frontmatter. Triggers are:
- The exact wording a user would type (`kubelet exposed`, not `Kubernetes Kubelet API exposure on port 10250`).
- Inclusive of common synonyms (`SSO discovery`, `IdP fingerprinting`, `tenant fingerprinting` all map to identity-fabric work).
- Domain-specific jargon (`JARM`, `mmh3`, `BGP`, `KEV`).
- Operator slang (`grease the rails`, `pop the recon`).
## Versioning
Semantic versioning. The `version:` field in YAML frontmatter is authoritative.
- **MAJOR** β section renumbering, breaking trigger changes, schema changes to Finding output.
- **MINOR** β new sections, new techniques, expanded catalogs.
- **PATCH** β typo fixes, link updates, severity-tier corrections.
Current: `2.1`.
## Renumbering policy
When new top-level sections are added in a minor release, existing sections may renumber. The CHANGELOG records mappings (e.g., "v2.0 Β§27 Self-Test β v2.1 Β§32 Self-Test").
Subsection numbering is generally additive (Β§7.6 added without renumbering Β§7.5).
## What's deliberately excluded
By design, the skills do NOT cover:
- **Active exploitation** (PoC code, exploit chains)
- **Post-exploitation** (lateral movement, privesc, persistence)
- **Active Directory** (BloodHound, Kerberoasting, SMB relay)
- **Malware development** (payload crafting, AV/EDR evasion)
- **C2 frameworks** (Cobalt Strike, Sliver, Mythic, Havoc)
- **Real PII / credentials / breach corpus content** in examples
- **Defensive / blue-team detection** content (different domain)
- **Pricing / NDA / SOW templates** (business operations, not technical)
These exclusions are intentional. A "comprehensive offensive security" skill would be a textbook, not a focused tool. We'd rather do one thing well than many things adequately.
## Engagement-platform agnostic
These skills are extracted from operational tradecraft accumulated across external attack-surface engagements. The 90+ modules generalize to any OSINT engagement and slot into any ASM / ticketing / asset-graph platform you already use β or none.
Use the skills standalone (paste a SKILL.md into a Claude Project) or wired into your own pipeline.