BlackRainbow

BlackRainbow is a security assurance framework. It automates red team engagements through a plugin architecture, YAML-driven configurations, kill chain sequencing, and AI-powered reasoning.

Think of it as a testing framework for security, not just a scanner. You define what you want to test, BlackRainbow generates attack sequences, executes them, grades the results, and produces actionable reports with remediation guidance.

What It Does

  • Generates attack sequences from plugins based on your target and engagement scope
  • Executes those sequences against real infrastructure using standard security tools
  • Grades results with pass/fail scoring, evidence collection, and MITRE ATT&CK mapping
  • Produces reports with findings, artifacts, remediation steps, and detection rules
  • Chains attacks through kill chain definitions that link recon to exploitation to post-exploitation

Architecture

┌───────────┐    ┌──────────────┐    ┌───────────┐    ┌──────────┐    ┌─────────────┐
│ Generate  │ →  │  Transform   │ →  │  Execute  │ →  │  Grade   │ →  │   Report    │
│ (plugins) │    │ (strategies) │    │ (targets) │    │(plugins) │    │ (artifacts) │
└───────────┘    └──────────────┘    └───────────┘    └──────────┘    └─────────────┘

Plugins generate attack sequences. Each plugin is a self-contained module that knows how to test a specific attack surface: network recon, credential attacks, web exploitation, AD compromise, privilege escalation.

Strategies control execution order. Run sequences in order, fan them out in parallel, or let the engine adapt based on what it discovers.

Targets handle execution. Each target type knows how to run tools against its environment: subprocess calls for network hosts, HTTP requests for web apps, LDAP/Kerberos for Active Directory.

Graders evaluate results. The same plugin that generated a sequence knows how to read the tool output and decide whether the step succeeded.

Reports collect everything: what was tried, what worked, what was found, how to fix it, and how to detect it next time.

What Makes It Different

Operator-built. BlackRainbow was built by red team operators, not compliance consultants. The attack sequences, grading logic, and kill chains come from real engagement experience.

AI-powered reasoning. BlackRainbow uses a domain-expert AI model trained on security operations. The model suggests next steps based on discovered services, analyzes tool output, and generates targeted attack sequences. It does not just run scripts; it thinks about what it sees.

Kill chain sequencing. Define multi-stage engagements in YAML. Start from any stage. Let upstream results drive downstream attacks. If recon finds an open SMB share, the credential plugin knows about it.

Artifact collection. Every tool execution captures stdout, stderr, timing, and output files. Nothing is lost. Reports link findings to the raw evidence that supports them.

Remediation suite. Findings are not just "this is broken." Each finding includes: what was exploited, why it was vulnerable, how to fix it, and detection rules to catch it in the future.

MITRE ATT&CK mapped. Every attack sequence maps to ATT&CK techniques. Reports roll up technique coverage across the engagement.
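To make the pipeline above concrete, here is an added toy model of the Generate → Transform → Execute → Grade → Report flow, the recon-to-credential kill chain hand-off, and the technique roll-up. It is not BlackRainbow's code: the plugin functions, the `smb-enum`/`cred-test` tool names with their constructed output, the context dictionary, and the ATT&CK ids chosen for each step are all assumptions made for illustration.

```python
import time
from collections import namedtuple

# A Sequence is one generated step; an Artifact is the evidence its execution left.
Sequence = namedtuple("Sequence", "plugin technique argv")  # technique: ATT&CK id (assumed mapping)
Artifact = namedtuple("Artifact", "seq stdout stderr seconds passed")

def simulated_target(argv):
    """Stands in for a network-service target; returns constructed tool output."""
    if argv[0] == "smb-enum":
        return "share: DATA (anonymous read)\nshare: IPC$\n", ""
    if argv[0] == "cred-test":
        return ("login ok\n", "") if argv[1] == "DATA" else ("", "access denied\n")
    return "", "unknown tool\n"

def execute(seq, target):
    # Execute stage: capture stdout, stderr and wall-clock time as evidence.
    t0 = time.perf_counter()
    out, err = target(seq.argv)
    return out, err, time.perf_counter() - t0

# Recon plugin: generate() builds the sequence; grade() parses the tool output
# and publishes the discovered shares into the context for downstream stages.
def recon_generate(ctx):
    return [Sequence("recon", "T1135", ["smb-enum", ctx["host"]])]
def recon_grade(out, ctx):
    ctx["shares"] = [line.split()[1] for line in out.splitlines() if line.startswith("share:")]
    return bool(ctx["shares"])

# Credential plugin: upstream recon results decide which sequences it generates.
def cred_generate(ctx):
    return [Sequence("credential", "T1078", ["cred-test", s]) for s in ctx.get("shares", [])]
def cred_grade(out, ctx):
    return "login ok" in out

KILL_CHAIN = [(recon_generate, recon_grade), (cred_generate, cred_grade)]

def run_kill_chain(host, target=simulated_target, chain=KILL_CHAIN):
    # Sequential strategy: a stage runs only after the previous one has been graded.
    ctx, report = {"host": host}, []
    for generate, grade in chain:
        for seq in generate(ctx):
            out, err, secs = execute(seq, target)
            report.append(Artifact(seq, out, err, secs, grade(out, ctx)))
    return report

def technique_coverage(report):
    # Report stage: roll technique results up across the whole engagement.
    techniques = {a.seq.technique for a in report}
    return {t: any(a.passed for a in report if a.seq.technique == t) for t in techniques}
```

Running `run_kill_chain("lab-host")` yields three artifacts (one recon step, then one credential step per discovered share), and `technique_coverage` reports both assumed technique ids as exercised.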

Plugin Categories

Category              What It Tests
Recon                 Network enumeration, service discovery, OSINT
Credential            Password attacks, hash extraction, token abuse
Web Exploit           Injection, authentication bypass, API abuse
AD Attack             Domain enumeration, Kerberos attacks, trust abuse
Lateral Movement      Pivoting, remote execution, session hijacking
Privilege Escalation  Local privesc, kernel exploits, misconfigurations

Target Types

Type              Environment
network-service   Network hosts, infrastructure
web-application   Web applications, APIs
active-directory  AD domains, forests
cloud-service     Cloud provider environments
ai-system         AI/ML model endpoints

Next Steps