Configuration
BlackRainbow engagements are defined in YAML. Every field is validated at load time.
Quick Reference
```yaml
target:
  type: network-service
  host: 192.168.1.100
  label: target-env
  scope:
    networks:
      - 192.168.1.0/24
    exclude:
      - 192.168.1.1
engagement:
  purpose: |
    Security assessment of target environment.
  rules:
    - No denial of service
    - No data destruction
  operator: your-name
plugins:
  - recon
  - id: credential-access
    numTests: 10
    severity: high
    config:
      wordlist: /usr/share/wordlists/rockyou.txt
strategies:
  - sequential
model:
  provider: ollama
  model: blackrainbow
  host: http://localhost:11434
  temperature: 0.3
output:
  report: ./reports/
  capture: ./captures/
  format: markdown
```
Config File
Default filename: blackrainbow.yaml. Override with br run --config <path>.
Generate from a template:
```bash
br init --template network   # Network/infrastructure assessment
br init --template webapp    # Web application assessment
br init --template ad        # Active Directory assessment
```
Top-Level Keys
| Key | Type | Required | Description |
|---|---|---|---|
| target | Object | Yes | What you are testing |
| engagement | Object | Yes | Scope, rules, operator |
| plugins | List | No | Attack modules to run |
| strategies | List | No | Execution strategies |
| model | Object | No | AI model configuration |
| output | Object | No | Report and capture settings |
target
Defines the assessment target.
```yaml
target:
  type: network-service
  host: 192.168.1.100
  label: target-env
  port: 443
  protocol: tcp
  url: https://192.168.1.100
  scope:
    networks:
      - 192.168.1.0/24
    exclude:
      - 192.168.1.1
```
| Field | Type | Default | Description |
|---|---|---|---|
| type | string | network-service | Target type |
| host | string | required | Target hostname or IP |
| label | string | -- | Human-readable name for reports |
| port | integer | -- | Specific port to target |
| protocol | string | -- | Protocol (tcp, udp) |
| url | string | -- | Full URL (for web targets) |
| scope | object | -- | Network scope constraints |
Target Types
| Type | Use Case |
|---|---|
| network-service | Network hosts, infrastructure |
| web-application | Web applications, APIs |
| active-directory | AD domains |
| cloud-service | Cloud environments |
| ai-system | AI/ML endpoints |
| custom | User-defined |
scope
```yaml
scope:
  networks:
    - 10.0.0.0/8
    - 172.16.0.0/12
  exclude:
    - 10.0.0.1
```
| Field | Type | Default | Description |
|---|---|---|---|
| networks | list of strings | [] | In-scope CIDRs |
| exclude | list of strings | [] | Excluded hosts or CIDRs |
engagement
Engagement metadata: what you are doing and what the rules are.
```yaml
engagement:
  purpose: |
    Full security assessment of target environment.
    Demonstrate attack paths from initial access to objective.
  rules:
    - No denial of service
    - No data destruction
    - No attacking out-of-scope hosts
  operator: your-name
```
| Field | Type | Default | Description |
|---|---|---|---|
| purpose | string | required | What this engagement is trying to prove |
| rules | list of strings | [] | Rules of engagement |
| operator | string | unknown | Your operator name |
plugins
List of attack modules to run. Supports short form and long form.
Short form
Just the plugin ID:
```yaml
plugins:
  - recon
  - credential-access
  - web-exploit
```
Long form
Plugin ID with configuration overrides:
```yaml
plugins:
  - id: recon
    numTests: 5
    severity: medium
  - id: credential-access
    numTests: 10
    severity: high
    config:
      wordlist: /usr/share/wordlists/rockyou.txt
      timeout: 600
  - id: web-exploit
    config:
      scan_type: aggressive
```
| Field | Type | Default | Description |
|---|---|---|---|
| id | string | required | Plugin ID from registry |
| numTests | integer | 5 | Number of test sequences to generate |
| severity | string | medium | Minimum severity (info, low, medium, high, critical) |
| config | object | {} | Plugin-specific configuration |
File references
Load a plugin from a local file:
```yaml
plugins:
  - file://./my-custom-plugin.py
```
strategies
Execution strategies control how attack sequences are ordered and delivered.
```yaml
strategies:
  - sequential
```
| Strategy | Behavior |
|---|---|
| sequential | Execute in order, one at a time |
| parallel | Fan-out, multiple sequences concurrently |
| adaptive | Dynamic reordering based on results |
An empty list means sequences execute in generation order:
```yaml
strategies: []
```
model
AI model configuration for intelligent sequencing and analysis.
```yaml
model:
  provider: ollama
  model: blackrainbow
  host: http://localhost:11434
  temperature: 0.3
```
| Field | Type | Default | Description |
|---|---|---|---|
| provider | string | ollama | Model provider |
| model | string | blackrainbow | Model name |
| host | string | http://localhost:11434 | Provider API endpoint |
| temperature | float | 0.3 | Inference temperature (lower = more focused) |
The model enhances plugin behavior: suggesting targeted enumeration based on discovered services, analyzing tool output for attack paths, and generating context-aware sequences.
output
Report and artifact settings.
```yaml
output:
  report: ./reports/
  capture: ./captures/
  format: markdown
```
| Field | Type | Default | Description |
|---|---|---|---|
| report | string | ./reports/ | Report output directory |
| capture | string | ./captures/ | Artifact capture directory |
| format | string | markdown | Report format |
Output formats
| Format | Description |
|---|---|
| markdown | Markdown report with embedded code blocks |
| json | Structured JSON for programmatic consumption |
| html | Standalone HTML report |
| pdf | PDF report for stakeholder delivery |
CLI Overrides
Override any config value from the command line:
```bash
# Override target
br run --target 10.0.0.50

# Override plugins
br run --plugins recon,credential-access

# Use a different config
br run --config engagements/webapp.yaml

# Combine
br run --target 10.0.0.50 --plugins recon --dry-run
```
CLI flags take precedence over config file values.
Templates
Generate a starter config:
```bash
br init --template network
br init --template webapp
br init --template ad
br init --output engagements/custom.yaml
```
Templates include placeholder values. Replace everything marked CHANGEME before running.
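Because a `--target` override can point a run at a host that the file's `scope` block never covered, and a template can ship with `CHANGEME` values still in it, an operator may want an independent pre-flight check before `br run`. The following is an added example, not BlackRainbow's own validation code: `preflight`, `find_placeholders` and the `SAMPLE` dict are hypothetical names, and the config is assumed to be already parsed into a Python dict.

```python
import ipaddress

# Constructed sample: the Quick Reference config as a parsed dict.
SAMPLE = {
    "target": {
        "host": "192.168.1.100",
        "scope": {"networks": ["192.168.1.0/24"], "exclude": ["192.168.1.1"]},
    },
    "engagement": {"purpose": "Security assessment", "operator": "your-name"},
}

def _nets(entries):
    # Hosts and CIDRs are both allowed; a bare IP becomes a /32 (or /128).
    return [ipaddress.ip_network(e, strict=False) for e in entries]

def find_placeholders(node, path=""):
    """Return the path of every string value that still contains CHANGEME."""
    if isinstance(node, dict):
        return [p for k, v in node.items()
                for p in find_placeholders(v, f"{path}.{k}" if path else k)]
    if isinstance(node, list):
        return [p for i, v in enumerate(node)
                for p in find_placeholders(v, f"{path}[{i}]")]
    return [path] if isinstance(node, str) and "CHANGEME" in node else []

def preflight(config, cli_target=None):
    """Hypothetical check; returns a list of problems (empty means clean)."""
    problems = [f"placeholder left in {p}" for p in find_placeholders(config)]
    target = config.get("target", {})
    scope = target.get("scope") or {}
    host = cli_target or target.get("host")  # CLI flag wins, as on the page
    try:
        addr = ipaddress.ip_address(host)
    except ValueError:
        problems.append(f"{host!r} is not an IP literal; resolve and re-check")
        return problems
    networks = _nets(scope.get("networks", []))
    # Assumption: an empty networks list is treated as "no constraint declared".
    if networks and not any(addr in n for n in networks):
        problems.append(f"{addr} is outside scope.networks")
    if any(addr in n for n in _nets(scope.get("exclude", []))):
        problems.append(f"{addr} is listed in scope.exclude")
    return problems

if __name__ == "__main__":
    print(preflight(SAMPLE))                          # config as written
    print(preflight(SAMPLE, cli_target="10.0.0.50"))  # --target override
```

Hostnames are reported rather than resolved so the check stays offline; resolve them separately and feed the resulting addresses back through `preflight`.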