Claude Code Integration
BlackRainbow integrates with Claude Code for AI-assisted security assessments. Claude reads engagement configs, builds kill chains, analyzes results, and generates remediation guidance, all from your terminal.
What This Gets You
- Claude builds and refines kill chain configs based on your target description
- Claude reads engagement results and identifies the most promising attack paths
- Claude generates remediation reports with detection rules
- Claude explains findings in stakeholder-ready language
- You stay in the terminal the entire time
Setup
1. Install BlackRainbow
pip install blackrainbow
2. Install Claude Code
Follow the Claude Code installation guide.
3. Configure the Integration
Add BlackRainbow as a tool in your Claude Code configuration:
br integrations enable claude-code
This registers BlackRainbow commands as available tools for Claude Code.
Workflow
Build a Kill Chain
Describe what you want to test. Claude builds the config.
You: I need to assess an Active Directory environment at 192.168.1.0/24.
The domain controller is at 192.168.1.10. Standard rules of engagement,
no DoS, no data destruction. Full chain from recon to DA.
Claude: I'll create an AD assessment config for you.
[Creates blackrainbow.yaml with full kill chain]
This config includes 4 stages:
1. Recon - network enumeration + AD-specific enumeration
2. Credential access - kerberoasting + password spraying (lockout-safe)
3. Lateral movement - pass-the-hash + remote execution
4. Privilege escalation - DCSync + delegation abuse
Want me to run a dry run first?
Preview the Plan
You: Yes, dry run it.
Claude: [Runs: br run --dry-run]
The dry run shows 14 sequences across 4 stages.
Stage 1 will run 5 nmap scans and LDAP enumeration.
Stage 2 will attempt kerberoasting and spray against
discovered services with a 30-second delay between attempts.
The spray plugin is configured with lockout_threshold: 3
to stay under typical AD lockout policies.
Ready to execute?
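The "lockout-safe" spray in the plan above depends on arithmetic that is worth making explicit before executing. The Python below is an added example, not BlackRainbow code and not its spray plugin: given the domain's lockout threshold and observation window, it lays out a spray (one password per round across every user) and waits out a full window after every safe group of rounds, then verifies the plan against the way Windows actually counts: badPwdCount resets only after a full observation window since the last bad password, so attempts spaced closer than that chain into one count. The policy values, users and passwords are constructed; read the real ones from the domain object's lockoutThreshold and lockoutObservationWindow attributes (or `net accounts /domain`) first, since a site set to threshold 3 would lock accounts under a plan built for 5.

```python
"""Lockout-safe password-spray scheduler.

Added example, not BlackRainbow's spray plugin. Policy values below are
constructed; read the real ones from the domain object (lockoutThreshold,
lockoutObservationWindow) or `net accounts /domain` before spraying.
"""
from collections import defaultdict
from dataclasses import dataclass
from typing import List


@dataclass(frozen=True)
class LockoutPolicy:
    threshold: int             # bad passwords before lockout; 0 means lockout is disabled
    observation_window_s: int  # seconds after a bad password before badPwdCount resets


@dataclass(frozen=True)
class Attempt:
    at_s: int                  # offset from spray start, seconds
    user: str
    password: str


def attempts_per_window(policy: LockoutPolicy, margin: int = 1) -> int:
    """Bad passwords one account may absorb per observation window and stay
    unlocked. The margin leaves room for the real user's own typos."""
    if policy.threshold == 0:
        raise ValueError("lockout disabled in policy; confirm that before spraying")
    safe = policy.threshold - margin
    if safe < 1:
        raise ValueError("threshold too low to spray safely with this margin")
    return safe


def plan_spray(users, passwords, policy, margin=1, inter_attempt_delay_s=30) -> List[Attempt]:
    """One password per round across every user (a spray, not a brute force).
    After `cap` rounds the plan waits out a full observation window so every
    account's bad-password counter resets before the next group of rounds."""
    cap = attempts_per_window(policy, margin)
    schedule, t = [], 0
    for round_no, password in enumerate(passwords):
        if round_no and round_no % cap == 0:
            t += policy.observation_window_s
        for user in users:
            schedule.append(Attempt(t, user, password))
            t += inter_attempt_delay_s
    return schedule


def max_attempts_in_any_window(schedule, window_s) -> int:
    """Worst-case bad-password count any single account accrues before its
    counter resets. badPwdCount resets only after a full window since the
    LAST bad password, so attempts closer than one window chain together."""
    times = defaultdict(list)
    for a in schedule:
        times[a.user].append(a.at_s)
    worst = 0
    for ts in times.values():
        ts.sort()
        chain, last = 0, None
        for t in ts:
            chain = chain + 1 if last is not None and t - last < window_s else 1
            worst = max(worst, chain)
            last = t
    return worst


def schedule_is_safe(schedule, policy) -> bool:
    """True when no account can reach the lockout threshold under this plan."""
    return max_attempts_in_any_window(schedule, policy.observation_window_s) < policy.threshold


def example_plan():
    """Constructed inputs: threshold 5, 30-minute window, margin 2 -> 3 per window."""
    policy = LockoutPolicy(threshold=5, observation_window_s=30 * 60)
    users = ["alice", "bob", "carol"]
    passwords = ["Winter2024!", "Spring2024!", "Summer2024!", "Autumn2024!", "Password1"]
    return policy, plan_spray(users, passwords, policy, margin=2)


if __name__ == "__main__":
    policy, plan = example_plan()
    print(f"{len(plan)} attempts, last at t={plan[-1].at_s}s, "
          f"worst per-account count {max_attempts_in_any_window(plan, policy.observation_window_s)}, "
          f"safe={schedule_is_safe(plan, policy)}")
```

The check function is the part worth keeping around: run it over whatever plan the tool produces, with the policy values you actually read from the domain, before the first attempt goes out.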
Run and Analyze
You: Run it.
Claude: [Runs: br run]
Engagement complete. Key findings:
1. Kerberoasting succeeded - 3 service accounts with
crackable tickets (svc-backup, svc-sql, svc-web)
2. SMB signing disabled on 4 hosts, enabling relay attacks
3. svc-backup has Domain Admin privileges via group nesting
The fastest path to DA: kerberoast svc-backup → crack the
ticket → use the credentials directly. No lateral movement
needed because svc-backup is already a DA.
Want me to generate the report?
Generate Reports
You: Generate a PDF report and include detection rules.
Claude: [Runs: br report --format pdf]
Report generated at ./reports/engagement-report.pdf
12 findings total:
- 2 Critical (DA path via kerberoasting, SMB relay)
- 3 High (disabled SMB signing, weak service account passwords,
excessive DA group membership)
- 4 Medium
- 3 Low
Each finding includes Sigma detection rules.
The kerberoasting detection rule watches for
EventID 4769 with RC4 encryption (0x17).
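The 4769/RC4 rule mentioned above is the standard Sigma shape for kerberoasting, and it needs two things a generated rule may not spell out: filters so it does not fire on normal traffic (computer accounts, whose service names end in `$`, and krbtgt are excluded; only successful requests, Status 0x0, count), and an aggregate, because a single RC4 ticket is weak evidence wherever legacy accounts lack AES keys, while one client pulling RC4 tickets for many distinct service accounts in seconds is enumeration. The Python below is an added example, not BlackRainbow output and not the rule it generates; the events are constructed in the shape of Security log 4769 fields.

```python
"""Kerberoast detection over Security log 4769 events.

Added example, not BlackRainbow's generated Sigma rule. The events below are
constructed in the shape of 4769 fields; real input would be the domain
controllers' Security log, forwarded via WEF or an agent.
"""
from collections import defaultdict

RC4_HMAC = "0x17"   # TicketEncryptionType for RC4-HMAC; AES128-CTS is 0x11, AES256-CTS is 0x12


def ev(t, user, service, ip, etype, status="0x0"):
    """Build one 4769-shaped event; t is seconds since an arbitrary epoch."""
    return {"EventID": 4769, "t": t, "TargetUserName": user, "ServiceName": service,
            "IpAddress": ip, "TicketEncryptionType": etype, "Status": status}


# Constructed sample: one workstation requests RC4 tickets for three service
# accounts within seconds (kerberoasting), plus benign and filtered noise.
SAMPLE_4769 = [
    ev(0, "jdoe@CORP.LOCAL", "svc-sql",    "::ffff:192.168.1.44", RC4_HMAC),
    ev(1, "jdoe@CORP.LOCAL", "svc-backup", "::ffff:192.168.1.44", RC4_HMAC),
    ev(2, "jdoe@CORP.LOCAL", "svc-web",    "::ffff:192.168.1.44", RC4_HMAC),
    ev(3, "jdoe@CORP.LOCAL", "WS01$",      "::ffff:192.168.1.44", RC4_HMAC),   # computer account: filtered
    ev(4, "jdoe@CORP.LOCAL", "krbtgt",     "::ffff:192.168.1.44", RC4_HMAC),   # krbtgt: filtered
    ev(300, "asmith@CORP.LOCAL", "svc-sql", "::ffff:192.168.1.20", "0x12"),    # AES256 ticket: normal
    ev(400, "bjones@CORP.LOCAL", "svc-web", "::ffff:192.168.1.41", RC4_HMAC),  # one RC4 ticket: weak signal
    ev(500, "bjones@CORP.LOCAL", "svc-old", "::ffff:192.168.1.41", RC4_HMAC,
       status="0x7"),                                                         # KDC_ERR_S_PRINCIPAL_UNKNOWN: dropped
]


def is_rc4_user_service_ticket(event) -> bool:
    """Single-event match (the usual Sigma shape): successful 4769, RC4 ticket,
    for a service that runs under a user account rather than a computer account."""
    svc = event["ServiceName"]
    return (event["EventID"] == 4769
            and event["TicketEncryptionType"] == RC4_HMAC
            and event["Status"] == "0x0"
            and not svc.endswith("$")
            and svc.lower() != "krbtgt")


def rc4_matches(events):
    """Every event the single-event rule would fire on; treat as low confidence."""
    return [e for e in events if is_rc4_user_service_ticket(e)]


def detect_kerberoast(events, min_distinct_services=3, window_s=60):
    """Aggregate rule: a client that obtains RC4 tickets for at least N distinct
    service accounts within one window is enumerating SPNs, not using a service.
    Returns {client_ip: sorted service names} for each client that trips it."""
    by_client = defaultdict(list)
    for e in sorted(rc4_matches(events), key=lambda e: e["t"]):
        by_client[e["IpAddress"]].append(e)
    alerts = {}
    for ip, evs in by_client.items():
        start = 0
        for end in range(len(evs)):
            # Slide the window so evs[start:end+1] all fall within window_s.
            while evs[end]["t"] - evs[start]["t"] > window_s:
                start += 1
            services = {x["ServiceName"] for x in evs[start:end + 1]}
            if len(services) >= min_distinct_services:
                alerts[ip] = sorted(services)
    return alerts


if __name__ == "__main__":
    print("single-event matches:", [(e["IpAddress"], e["ServiceName"]) for e in rc4_matches(SAMPLE_4769)])
    print("kerberoast alerts:", detect_kerberoast(SAMPLE_4769))
```

Baseline the single-event matches per environment before alerting on them: any service account without AES keys (msDS-SupportedEncryptionTypes unset or RC4-only) produces RC4 tickets in normal use, and those accounts are also the ones to fix, since forcing AES removes the fast-cracking RC4 hash from the ticket in the first place.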
Example: Iterative Assessment
Claude Code excels at iterative work. Run recon, analyze the results, then let Claude suggest the next steps.
You: Start with just recon against 192.168.1.0/24.
Claude: [Creates config with recon plugin only]
[Runs: br run]
Recon found 12 hosts with 47 services.
Notable:
- 192.168.1.10: DC (Kerberos, LDAP, DNS, SMB)
- 192.168.1.20: SQL Server on 1433
- 192.168.1.30: IIS on 80/443 with an interesting /api endpoint
- 192.168.1.40-45: Workstations with SMB signing disabled
Three attack paths I'd explore:
1. Kerberoast against the DC (high probability, known SPN accounts)
2. SQL injection against the web API on .30
3. SMB relay using the 6 hosts without signing
Which direction?
You: Start with kerberoast, then try the web API.
Claude: [Updates config to add credential-access and web-exploit plugins]
[Runs: br run --start-stage credential-access]
...
Tips
Let Claude read the results. After br run, Claude can analyze the raw output in captures/ and identify patterns humans might miss.
Use dry runs liberally. Have Claude build the config, dry run it, review the plan, adjust, then execute.
Iterate on remediation. Ask Claude to explain findings for different audiences: technical team, management, compliance.
Chain sessions. Start a recon session, close it, start a new session for exploitation. Claude Code reads the previous results from the captures/ directory.
What Claude Code Cannot Do
Claude Code drives BlackRainbow but does not replace operator judgment:
- It cannot authorize testing against targets you do not own or do not hold explicit written authorization to test
- It does not decide scope; you define the rules of engagement
- It suggests attack paths but the operator approves execution
- It generates remediation but a human validates the recommendations
BlackRainbow handles authorization and scope enforcement. Claude Code handles analysis and generation. You handle the decisions.