## https://sploitus.com/exploit?id=B201DF04-51B6-52D3-A8EA-718A6037086E
# redteam-threat-exploits
A Claude Code skill that turns OpenCTI threat intelligence into red team
exercise material: rank top threats from OpenCTI, then generate either an
ATT&CK-mapped adversary emulation plan or (with explicit authorized scope) a
PoC exploit scaffold, and write the emulation plan back into OpenCTI as a
linked Note.
## Layout
- [`SKILL.md`](SKILL.md): the skill definition Claude Code loads: how to
query OpenCTI, rank threats, generate output, and push notes back.
- [`scripts/demo_pipeline.py`](scripts/demo_pipeline.py): runnable
implementation of the pipeline (ranking, emulation plan, PoC scaffold,
OpenCTI note push).
- [`demo/`](demo/README.md): mock OpenCTI data and instructions for running
the pipeline without live credentials.
- [`redteam/`](redteam/): generated output, one directory per threat.
## Quick start
```bash
# Set these to point at a real OpenCTI instance; omit them to run the
# demo pipeline in dry-run mode against mock data instead.
export OPENCTI_URL=https://your-opencti-instance
export OPENCTI_TOKEN=...
python3 scripts/demo_pipeline.py --sector "Financial Services" --top 5
python3 scripts/demo_pipeline.py --select "LockBit 3.0" --mode emulation
```
See [`demo/README.md`](demo/README.md) for the full walkthrough, including
the PoC mode authorization gate.
## Safety
- PoC exploit code mode refuses to generate anything without an explicit
authorized target (`--target`).
- Generated PoC code is scaffolding only: the actual exploitation primitive
is left as a TODO, never auto-pushed to OpenCTI, and stays local under
`redteam//poc/`.
- No scanning, discovery, or self-propagating logic is generated.
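The authorization gate the Safety list describes, written out as an added example (this is not the project's `demo_pipeline.py`). The `--select`, `--mode`, `--target`, `--sector` and `--top` options come from the README; the authorized-scope list, the `GateDecision` type and the hostname/CIDR scope check are assumptions made here so the gate can be exercised offline:

```python
"""Authorization gate for PoC mode, modelled on the README's Safety rules.

Added example, not the project's own code. Option names come from the
README; the authorized-scope list and GateDecision are assumptions.
"""
import argparse
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class GateDecision:
    allowed: bool            # may the requested material be generated at all?
    push_to_opencti: bool    # emulation plans may be written back; PoC output never is
    reason: str


def build_parser() -> argparse.ArgumentParser:
    p = argparse.ArgumentParser(prog="demo_pipeline.py")
    p.add_argument("--sector", help="sector used to rank top threats")
    p.add_argument("--top", type=int, default=5, help="how many threats to rank")
    p.add_argument("--select", help="threat name to generate material for")
    p.add_argument("--mode", choices=("emulation", "poc"), default="emulation")
    p.add_argument("--target", help="explicitly authorized target (required in poc mode)")
    return p


def in_scope(target: str, authorized_scope: list[str]) -> bool:
    """True if target is an authorized hostname or an address inside an authorized CIDR."""
    for entry in authorized_scope:
        try:
            net = ipaddress.ip_network(entry, strict=False)
        except ValueError:
            # Entry is not a network: treat it as a hostname and compare case-insensitively.
            if target.lower() == entry.lower():
                return True
            continue
        try:
            if ipaddress.ip_address(target) in net:
                return True
        except ValueError:
            # target is a hostname, cannot be inside a CIDR
            pass
    return False


def gate(argv: list[str], authorized_scope: list[str]) -> GateDecision:
    """Apply the README's rules: emulation is always allowed and may be pushed;
    poc mode needs an explicit --target that lies inside the authorized scope,
    and its output is never pushed to OpenCTI."""
    args = build_parser().parse_args(argv)
    if args.mode == "emulation":
        return GateDecision(True, True, "emulation plan: ATT&CK mapping only, note may be pushed")
    if not args.target:
        return GateDecision(False, False, "poc mode refused: --target is required")
    if not in_scope(args.target, authorized_scope):
        return GateDecision(False, False, f"poc mode refused: {args.target} is not in authorized scope")
    return GateDecision(True, False, f"poc scaffold for {args.target}: kept local, never pushed")


if __name__ == "__main__":
    # Constructed scope for demonstration; a real run would load it from the engagement file.
    demo_scope = ["10.20.30.0/24", "lab-host.example.test"]
    for argv in (["--select", "LockBit 3.0", "--mode", "emulation"],
                 ["--mode", "poc"],
                 ["--mode", "poc", "--target", "10.99.0.1"],
                 ["--mode", "poc", "--target", "10.20.30.7"]):
        d = gate(argv, demo_scope)
        print(f"{' '.join(argv):45s} allowed={d.allowed} push={d.push_to_opencti}  {d.reason}")
```

The gate returns a decision rather than exiting so that the caller can log the refusal and so that the "never pushed" property of PoC output is a value the note-push step can test, not a convention it has to remember.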