Ghost Exploit Synthesizer

Pricing: Pay per usage

Rating: 0.0 (0)

Developer: Zaher el siddik

Maintained by Community

Actor stats: 0 bookmarked, 1 total users, 0 monthly active users

Last modified: 7 days ago
Ghost-Target: Exploit Synthesizer

Actor 3 of 3 in the Ghost-Target Autonomous Red Team Pipeline.

Reads vulnerability findings from the shared KV Store, sends them to GPT-4o with a red-team system prompt, and receives back realistic multi-stage attack chains. Sends rich Slack Block Kit alerts with MITRE ATT&CK mapping, CISA KEV highlights, and a one-click re-scan button that re-triggers the full pipeline directly from Slack. Tracks historical drift to alert only on what changed since last scan.


What It Does

Phase 1 — Load & Filter Findings

Reads findings__{domain} from the shared KV Store — the enriched Nuclei output written by Actor 2. Filters to findings at or above minChainSeverity to focus the LLM on the most exploitable surface.

Phase 2 — GPT-4o Attack Chain Synthesis

Sends the top findings to GPT-4o with a specialized red-team system prompt:

"You are an elite red team lead and offensive security expert. Analyze raw vulnerability findings and synthesize them into realistic, multi-stage attack chains. Think like an APT actor."

The model returns up to 3 attack chains per run, each containing:

  • Entry point (exact asset + vulnerability)
  • Step-by-step attack path (max 5 steps, specific asset names)
  • Likelihood assessment
  • Business impact summary
  • MITRE ATT&CK tactic mapping
  • Remediation priority

Phase 3 — MITRE ATT&CK Enrichment

Each chain's tactic list is further enriched by cross-referencing the finding tags against a built-in ATT&CK mapping:

Finding Tag         | ATT&CK Tactics
--------------------|-------------------------------------------------------------------
exposure / secrets  | T1552 - Unsecured Credentials, T1530 - Cloud Storage
misconfig           | T1190 - Exploit Public-Facing App, T1133 - External Remote Services
default-login       | T1078 - Valid Accounts, T1110 - Brute Force
takeover            | T1584 - Compromise Infrastructure
leaked-credential   | T1078 - Valid Accounts, T1552.001 - Credentials in Files

Phase 4 — Slack Block Kit Alerting

Sends a rich formatted alert to Slack for each chain at or above the severity threshold. The Block Kit payload includes:

  • Chain ID, severity badge (🔴🟠🟡), entry point, target
  • Step-by-step attack path in a code block
  • Business impact statement
  • CISA KEV findings callout (⚠️)
  • MITRE ATT&CK tactic list
  • Remediation priority

One-Click Re-Scan button — links directly to the Apify Console with pre-filled input to re-run Actor 1 against the same domain. No copy-pasting, no context switching.

View Full Report button — links to the current actor run's output in the Apify Console.

Phase 5 — Drift Alert

If new CISA KEV findings appeared since the last scan that weren't there before, a separate DRIFT ALERT is sent to Slack — even if no new attack chains were synthesized. Includes a red "Re-Scan Now" button.
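The bookkeeping behind Phases 1, 3 and 5 (severity filtering, ATT&CK tag enrichment, and KEV drift against the last persisted report) as an added example; this is not the actor's own code. Finding and report field names (severity, tags, cve, kev, topFindingsSnapshot) are assumed from the page's description, and the sample data is constructed.

```javascript
// Added example, not the actor's own code. Field names (severity, tags, cve, kev,
// topFindingsSnapshot) are assumed from the page's description; sample data is constructed.
const SEVERITY_RANK = { low: 0, medium: 1, high: 2, critical: 3 };

// Built-in tag -> ATT&CK mapping as listed under Phase 3.
const ATTACK_MAP = {
  exposure: ["T1552 - Unsecured Credentials", "T1530 - Cloud Storage"],
  secrets: ["T1552 - Unsecured Credentials", "T1530 - Cloud Storage"],
  misconfig: ["T1190 - Exploit Public-Facing App", "T1133 - External Remote Services"],
  "default-login": ["T1078 - Valid Accounts", "T1110 - Brute Force"],
  takeover: ["T1584 - Compromise Infrastructure"],
  "leaked-credential": ["T1078 - Valid Accounts", "T1552.001 - Credentials in Files"],
};

// Phase 1: keep only findings at or above minChainSeverity; reject unknown thresholds.
function filterBySeverity(findings, minChainSeverity) {
  const min = SEVERITY_RANK[minChainSeverity];
  if (min === undefined) throw new Error(`unknown minChainSeverity: ${minChainSeverity}`);
  return findings.filter((f) => (SEVERITY_RANK[f.severity] ?? -1) >= min);
}

// Phase 3: union of ATT&CK tactics across a finding's tags, de-duplicated, order kept.
function mapTactics(tags) {
  return [...new Set(tags.flatMap((tag) => ATTACK_MAP[tag] ?? []))];
}

// Phase 5: KEV-listed CVEs present now that were absent from the previous report's
// snapshot. No previous report (first run) means every KEV match counts as new.
function kevDrift(previousReport, currentFindings) {
  const snapshot = previousReport?.topFindingsSnapshot ?? [];
  const known = new Set(snapshot.filter((f) => f.kev).map((f) => f.cve));
  return currentFindings.filter((f) => f.kev && f.cve && !known.has(f.cve)).map((f) => f.cve);
}

// Constructed sample: CVE-2021-44228 is the KEV entry shown in the Slack preview on this
// page; CVE-0000-0000 is a placeholder standing in for a newly listed CVE.
const previousReport = { topFindingsSnapshot: [{ cve: "CVE-2021-44228", kev: true }] };
const findings = [
  { asset: "dev.example.com", severity: "critical", tags: ["exposure", "secrets"], kev: false },
  { asset: "api.example.com", severity: "high", tags: ["misconfig"], cve: "CVE-0000-0000", kev: true },
  { asset: "www.example.com", severity: "medium", tags: ["default-login"], kev: false },
  { asset: "old.example.com", severity: "high", tags: ["takeover"], cve: "CVE-2021-44228", kev: true },
];
```

With the default threshold of high, the medium default-login finding is dropped, the two exposure tags collapse to two unique tactics, and only CVE-0000-0000 would trigger a DRIFT ALERT because CVE-2021-44228 was already in the last report.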

Phase 6 — Persist Report

Saves the full synthesis report to report__{domain} in the shared KV Store for use in future drift comparisons.


Input

Field                  | Type    | Default            | Description
-----------------------|---------|--------------------|------------------------------------------------------------------------------
targetDomain           | string  |                    | Root domain. Must match Actors 1 and 2
openaiApiKey           | string  |                    | OpenAI API key (sk-...)
globalKvsName          | string  | ghost-target-brain | Shared KVS name. Must match Actors 1 and 2
apifyApiToken          | string  |                    | Apify API token. Required when triggered by Actor 2 — automatically forwarded
openaiModel            | string  | gpt-4o             | GPT model to use (gpt-4o, gpt-4-turbo, gpt-4, gpt-3.5-turbo)
slackWebhookUrl        | string  |                    | Slack incoming webhook URL for Block Kit alerts
shadowDiscoveryActorId | string  |                    | Actor 1's ID — used to generate the one-click re-scan URL in Slack
minChainSeverity       | string  | high               | Only alert on chains at or above this severity (low / medium / high / critical)
historicalDiffEnabled  | boolean | true               | Compare with previous scan to detect newly opened attack surface

Output

Dataset

One row per synthesized attack chain:

{
  "chainId": "CHAIN-A1B2C",
  "severity": "critical",
  "entryPoint": "Exposed .env file at https://dev.example.com/.env containing DB_PASSWORD and AWS_SECRET_ACCESS_KEY",
  "targetAsset": "Production PostgreSQL database and AWS S3 buckets",
  "steps": [
    "Fetch dev.example.com/.env via HTTP GET (nuclei: exposure/config/exposed-env-file)",
    "Extract DB_HOST=db.example.com, DB_PASSWORD=s3cr3t, AWS_SECRET_ACCESS_KEY=AKIA... from file",
    "Connect to db.example.com:5432 using extracted credentials (open port confirmed by Shodan)",
    "Dump users table containing 450k PII records",
    "Use AWS_SECRET_ACCESS_KEY to list and exfiltrate S3 bucket: example-customer-backups"
  ],
  "likelihood": "high",
  "impactSummary": "Full production database compromise and cloud storage exfiltration exposing 450k customer records — GDPR and PCI-DSS breach event.",
  "mitreTactics": [
    "T1552.001 - Credentials in Files",
    "T1190 - Exploit Public-Facing Application",
    "T1530 - Data from Cloud Storage"
  ],
  "remediationPriority": "CRITICAL: Remove .env from web root immediately. Rotate DB credentials and AWS keys. Restrict port 5432 to VPN only.",
  "notifiedAt": "2026-05-15T10:01:23.000Z",
  "domain": "example.com",
  "synthesizedAt": "2026-05-15T10:01:20.000Z"
}

Key-Value Store (ghost-target-brain)

Writes report__{domain}:

{
  "domain": "example.com",
  "synthesizedAt": "2026-05-15T10:01:20.000Z",
  "chains": [...],
  "topFindingsSnapshot": [...],
  "stats": {
    "totalFindings": 12,
    "highCritical": 7,
    "kevMatches": 1,
    "chainsGenerated": 3,
    "alertsSent": 2
  }
}

Actor Output (OUTPUT)

{
  "totalFindings": 12,
  "highCritical": 7,
  "kevMatches": 1,
  "chainsGenerated": 3,
  "alertsSent": 2
}

Slack Alert Preview

🔴 Ghost-Target Alert: Attack Chain on example.com
━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
Chain ID: CHAIN-A1B2C Severity: 🔴 CRITICAL
Entry Point: Exposed .env on dev.example.com
Target: Production database + S3 buckets
Likelihood: HIGH CISA KEV: ⚠️ 1
Attack Steps:
1. Fetch dev.example.com/.env via HTTP GET
2. Extract DB_PASSWORD, AWS_SECRET_ACCESS_KEY
3. Connect to db.example.com:5432 (open port)
4. Dump users table — 450k PII records
5. Exfiltrate S3 bucket: example-customer-backups
Business Impact:
GDPR breach event. 450k customer records exposed.
MITRE ATT&CK: T1552.001, T1190, T1530
Remediation: Remove .env immediately. Rotate credentials.
⚠️ CISA KEV Matches:
• CVE-2021-44228 — Apache Log4j RCE on api.example.com (added 2021-12-10)
[ 🔁 One-Click Re-Scan ] [ 📊 View Full Report ]

Usage Examples

Standalone (after Actors 1 and 2 have run)

{
  "targetDomain": "example.com",
  "globalKvsName": "ghost-target-brain",
  "apifyApiToken": "apify_api_xxxxxxxxxxxxxxxxxxxxxxxx",
  "openaiApiKey": "sk-xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx",
  "slackWebhookUrl": "https://hooks.slack.com/services/T.../B.../xxxx",
  "shadowDiscoveryActorId": "YOUR_USERNAME/ghost-shadow-discovery",
  "minChainSeverity": "high"
}

Force synthesis on all findings (including medium/low)

{
  "targetDomain": "example.com",
  "globalKvsName": "ghost-target-brain",
  "apifyApiToken": "apify_api_xxxxxxxxxxxxxxxxxxxxxxxx",
  "openaiApiKey": "sk-xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx",
  "minChainSeverity": "low",
  "historicalDiffEnabled": false
}

Setting Up Slack Notifications

  1. Go to api.slack.com/apps → Create New App → From scratch
  2. Navigate to Incoming Webhooks → Enable → Add New Webhook to Workspace
  3. Choose your alert channel (e.g. #security-alerts)
  4. Copy the webhook URL (https://hooks.slack.com/services/...)
  5. Paste it into the slackWebhookUrl input

Model Selection

Model         | Speed     | Cost   | Best For
--------------|-----------|--------|--------------------------
gpt-4o        | Fast      | Medium | Default — best balance
gpt-4-turbo   | Medium    | Medium | High-context scans
gpt-4         | Slow      | High   | Maximum reasoning quality
gpt-3.5-turbo | Very fast | Low    | Budget runs, testing

For real-world red team reporting, gpt-4o or gpt-4-turbo is recommended.


This tool is for authorized penetration testing and security research only. The AI-synthesized attack chains are for defensive awareness — to help security teams understand and prioritize remediation. Never use this output to conduct unauthorized attacks.