The Spectrum

BlackRainbow organizes all security knowledge into 11 color domains. Every training pair, every plugin, and every model filter maps to one or more colors.

Color Taxonomy

Red #dc2626

Offensive operations, exploitation, initial access.

The core attack color. Exploitation techniques, payload delivery, initial foothold establishment. Covers MITRE ATT&CK Initial Access (TA0001), Execution (TA0002), and portions of Lateral Movement (TA0008).

Examples: buffer overflows, deserialization attacks, RCE chains, exploit development, shellcode.


Orange #ea580c

Reconnaissance, enumeration, OSINT.

Everything before the first shell, and the same enumeration repeated from inside once a foothold exists. Network scanning, service enumeration, subdomain discovery, open-source intelligence gathering. Maps to MITRE ATT&CK Reconnaissance (TA0043, pre-compromise) and Discovery (TA0007, which ATT&CK places after access has been gained).

Examples: nmap, DNS enumeration, directory brute-forcing, certificate transparency, WHOIS, Shodan queries.


Yellow #ca8a04

Credential access, password attacks.

Credential harvesting, cracking, spraying, and replay. Covers MITRE ATT&CK Credential Access (TA0006).

Examples: hashcat rules, Kerberoasting output analysis, password spray patterns, credential stuffing, NTLM relay, hash extraction.


Green #059669

Infrastructure, networking, protocols.

The plumbing. Network protocols, routing, DNS, firewall rules, VPN tunneling, pivoting infrastructure. Foundational knowledge that every other color depends on.

Examples: TCP/IP internals, SSH tunneling, SOCKS proxies, port forwarding, network segmentation, protocol analysis.


Blue #2563eb

Defensive operations, detection engineering.

The other side of the blade. Detection rules, log analysis, SIEM queries, incident response procedures, threat hunting. Maps to MITRE ATT&CK mitigations and detection guidance.

Examples: Sigma rules, Splunk queries, EDR bypass indicators, YARA signatures, forensic artifact analysis, Windows event log correlation.


Indigo #7c3aed

Privilege escalation, persistence, post-exploitation.

Everything after the initial foothold and before the objective. Privilege escalation vectors, persistence mechanisms, lateral movement techniques. Covers MITRE ATT&CK Privilege Escalation (TA0004), Persistence (TA0003), and Defense Evasion (TA0005).

Examples: kernel exploits, SUID abuse, scheduled tasks, DLL hijacking, token manipulation, registry persistence.


Violet #a855f7

Web application security.

Application-layer attacks. SQL injection, XSS, SSRF, authentication bypass, API abuse, deserialization in web contexts. Overlaps with Red for exploitation but scoped to web application attack surface.

Examples: SQLi payloads, XXE exploitation, JWT manipulation, OAuth flows, IDOR chains, GraphQL introspection abuse.


Grey #6b7280

Governance, compliance, methodology.

Frameworks, methodologies, reporting standards, rules of engagement. The operational wrapper around technical work.

Examples: PTES methodology, OWASP testing guides, report writing, scope definitions, rules of engagement templates, compliance mappings.


Gold #d97706

Active Directory / Kerberos, identity attacks.

The crown jewels of enterprise environments. AD enumeration, Kerberos attacks, trust abuse, Group Policy exploitation. A specialized sub-domain of Yellow and Indigo that earns its own color due to depth and importance.

Examples: BloodHound queries, Kerberoasting, AS-REP roasting, DCSync, Golden/Silver tickets, trust hopping, GPO abuse, ADCS attacks.


Cyan #0891b2

AI/ML security, adversarial ML.

Attacks against machine learning systems. Prompt injection, model poisoning, adversarial examples, ML pipeline exploitation. The newest color, growing rapidly.

Examples: prompt injection chains, training data poisoning, model extraction, adversarial image generation, LLM jailbreaks, ML supply chain attacks.


Pink #db2777

Social engineering, phishing.

Human-layer attacks. Phishing campaign design, pretexting, vishing scripts, physical social engineering. Maps to MITRE ATT&CK Phishing (T1566) and related techniques.

Examples: phishing templates, pretext development, payload delivery via social channels, callback phishing, QR code attacks.

Color Mapping in Practice

Training Data

Every pair in the corpus carries a colors array:

{
"instruction": "...",
"output": "...",
"colors": ["red", "indigo"]
}

Plugins

Plugins declare their color affinity as a class attribute:

class ReconPlugin(PluginBase):
colors = ["orange", "red", "green"]

Model Filtering

The model hierarchy uses color filters to build specialized models from the same corpus:

Model            Colors
BlackRainbow     All 11
Shinobit         Red, Orange, Yellow
Onibit           Blue, Grey
Immortal Blade   Red + Blue (combined)

See Model Hierarchy for details on each model variant.
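The following is an added example, not BlackRainbow's own code, showing how the colors array, the plugin colors attribute and the model color filters above fit together: a pair or plugin is selected for a model when any of its colors falls inside that model's filter set, and unknown colors are rejected before they can silently drop a pair from every model. The PluginBase, SigmaPlugin and plugins_for_model names, the sample pairs, and the reading of "Red + Blue (combined)" as the union of the two colors are assumptions made for this example.

```python
"""Added example (not BlackRainbow's own code): validate color tags and
filter a corpus of training pairs the way the model color filters do."""

# The 11 colors of the taxonomy above, lower-case as they appear in `colors`.
COLORS = frozenset({
    "red", "orange", "yellow", "green", "blue", "indigo",
    "violet", "grey", "gold", "cyan", "pink",
})

# Color filters from the model table. "Immortal Blade" is read here as the
# union of Red and Blue (assumption: the page says "combined" without defining it).
MODEL_FILTERS = {
    "BlackRainbow": COLORS,
    "Shinobit": frozenset({"red", "orange", "yellow"}),
    "Onibit": frozenset({"blue", "grey"}),
    "Immortal Blade": frozenset({"red", "blue"}),
}


def validate_colors(colors):
    """Reject empty, unknown or duplicate colors so a typo such as "gray"
    fails loudly instead of excluding the pair from every model.
    Returns the normalised (lower-case) list."""
    if not colors:
        raise ValueError("a pair must carry at least one color")
    seen = []
    for c in colors:
        c = c.lower()
        if c not in COLORS:
            raise ValueError(f"unknown color {c!r}; expected one of {sorted(COLORS)}")
        if c in seen:
            raise ValueError(f"duplicate color {c!r}")
        seen.append(c)
    return seen


def filter_pairs(pairs, model):
    """Pairs that belong in `model`: a pair is kept when ANY of its colors is
    in the model's filter, so a ["red", "indigo"] pair lands in Shinobit."""
    allowed = MODEL_FILTERS[model]
    return [p for p in pairs if allowed.intersection(validate_colors(p["colors"]))]


# Hypothetical plugin base mirroring the `colors` class attribute shown above.
class PluginBase:
    colors: list = []


class ReconPlugin(PluginBase):
    colors = ["orange", "red", "green"]


class SigmaPlugin(PluginBase):  # hypothetical detection-engineering plugin
    colors = ["blue"]


def plugins_for_model(plugins, model):
    """Plugins whose declared color affinity overlaps the model's filter."""
    allowed = MODEL_FILTERS[model]
    return [p for p in plugins if allowed.intersection(validate_colors(p.colors))]


# Constructed sample corpus for the example; not real training data.
SAMPLE_PAIRS = [
    {"instruction": "Write a Sigma rule for ...", "output": "...", "colors": ["blue"]},
    {"instruction": "Analyse Kerberoasting output ...", "output": "...", "colors": ["gold", "yellow"]},
    {"instruction": "Describe a deserialization RCE chain ...", "output": "...", "colors": ["red", "indigo"]},
    {"instruction": "Draft rules of engagement ...", "output": "...", "colors": ["grey"]},
]

if __name__ == "__main__":
    for model in MODEL_FILTERS:
        kept = filter_pairs(SAMPLE_PAIRS, model)
        print(f"{model:15s} {len(kept)} of {len(SAMPLE_PAIRS)} pairs")
    print("Onibit plugins:", [p.__name__ for p in plugins_for_model([ReconPlugin, SigmaPlugin], "Onibit")])
```

The any-color rule is the one the training-data convention implies: a pair tagged ["red", "indigo"] documents both an exploitation step and a post-exploitation step, so it belongs in every model that wants either. If a model should instead require all of a pair's colors to be in its filter, replace the intersection test with `allowed.issuperset(...)`.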