FROM THE WORKSHOP

An adversary, under discipline.

KeroxLabs is a small lab building Kerox — a Rust-native, terminal-first, vendor-neutral autonomous red team. An orchestrator reads an engagement plan and works an objective the way an adversary would — recon, exploitation, privilege escalation, lateral movement, C2 — not the way a scanner does. Every live action is dry-run by default and gated behind a human. Built in the open, by hand.

SINCE: JAN 2026
FOCUS: OFFENSIVE AI
STAGE: BUILDING
FIG. 01 · Kerox · the lab cobra · 2025
CONTENTS

In this issue.

Five pieces — the orchestrator that runs an engagement, the Spearhead LLM agent, the discipline that gates every action, the forum we are opening, and the roster of agents behind it all.

I.
CHAPTER ONE · THE ORCHESTRATOR

An adversary, not a scanner.

krx@kerox · /engagement
DRY-RUN
━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
░▓█ ORCHESTRATOR █▓░ v0.0.1-α
━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
recon    T1595  [plan]  ·· active scan · surface mapped
access   T1190  [plan]  ·· public-facing app · entry
privesc  T1068  [plan]  ·· exploit · escalate to root
lateral  T1021  [plan]  ·· remote svc · pivot inward
collect  T1119  [plan]  ·· objective data located
c2       T1071  [plan]  ·· app-layer channel · beacon
[ HOLD ] live actions await human approval
krx@kerox:/engagement$

Kerox is not a scanner that runs nmap and prints a report. An orchestrator reads an engagement plan, fixes on an objective, and works toward it through whatever path actually opens up — chaining reconnaissance, exploitation, privilege escalation, lateral movement, and C2 the way a real operator would. When a door closes it tries another. Findings are designed to feed a planned attack → defend → verify loop, so every result is something a defender can act on.

STATUS BUILDING · SEED 0x0FF5E7 · SEE THE CHAIN
II.
CHAPTER TWO · SPEARHEAD

An LLM red team.

krx@kerox · ~/spearhead
DRY-RUN
━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
░▓█ SPEARHEAD █▓░ llm red-team
━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
$ krx spearhead --target agent --plan
→ loading OWASP LLM Top 10 · MITRE ATLAS [ OK ]
prompt injection    LLM01  AML.T0051
system-prompt leak  LLM07  AML.T0054
guardrail bypass    LLM02  AML.T0054
tool-call exfil     LLM06  AML.T0057
[ INFO ] 4 probes mapped · queued for approval
krx@kerox:~/spearhead$

Spearhead is the agent pointed at the AI in the stack. It probes the things only a language model gets wrong — prompt injection, system-prompt leakage, guardrail bypass, tool-call exfiltration — and is designed to report every finding against the OWASP LLM Top 10 and MITRE ATLAS, so it lands in a framework defenders already use. It leads; the network agent follows it onto the rest of the attack surface, and the report agent turns the run into something a defender can use.

STATUS BUILDING · SEED 0xA71A5 · MEET SPEARHEAD
III.
CHAPTER THREE · ENGAGEMENT DISCIPLINE

Discipline before the first packet.

krx@kerox · ~/engagement
PRE-FLIGHT
━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
░▓█ ENGAGEMENT █▓░ package
━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
$ krx plan --scope authorized.yaml
01  [ OK ]  ROE     ·· rules of engagement
02  [ OK ]  CONOPS  ·· concept of operations
03  [ OK ]  DECONF  ·· deconfliction plan
04  [ ·· ]  OPPLAN  ·· ATT&CK-mapped
→ package · 3 / 4 artifacts drafted
[ HOLD ] authorized scope · dry-run · awaiting sign-off
krx@kerox:~/engagement$

Before a packet leaves the wire, Kerox writes the engagement down — Rules of Engagement, a ConOps, a Deconfliction Plan, and an OPPLAN mapped to MITRE ATT&CK — and then is built to refuse to step outside it. Every live action is dry-run by default and waits on an explicit human approval; nothing runs outside authorized scope. The whole thing is meant to read like a real operation, paperwork and safeties included — offense you could actually sign off on.

STATUS BUILDING · SEED 0xC02FF1 · READ THE RULES
IV.
CHAPTER FOUR · THE DEN

A forum, for people who run real engagements.

The Den is the slow, threaded forum we are building for people who do this for real — operators, red teamers, and the defenders on the other side of them. Pre-flight RoE arguments, ATLAS mapping threads, engagement postmortems, and the long debates about offensive AI that nobody else wants to host.

No articles. No engagement metrics. Just a room with the right people in it. Opening Q2 2026.

we email once, when the doors open
forum.kerox.dev · /the-den · PRE-LAUNCH
  • RFC: Writing a ConOps an agent can actually follow
  • ATLAS: Mapping a tool-call exfil chain to MITRE ATLAS
  • TRADECRAFT: Keeping evil-winrm sessions alive across a pivot
  • REVIEW: What does a clean deconfliction plan look like?
░▓█ OPENING SOON █▓░
A forum, not a feed.
V.
CHAPTER FIVE · THE AGENTS

Specialist agents, run in a sealed lab.

The orchestrator does not do the work itself — it dispatches specialists. Spearhead leads on the AI; the network agent takes the conventional surface; the report agent turns the run into a deliverable. Each one drives real, interactive tools — msfconsole, sliver-client, evil-winrm — inside persistent terminal sessions, answering prompts the way a person would instead of scripting around them.

Everything is designed to run in an isolated Kali sandbox on its own operational network, walled off from the machine that drives it. Offense stays in the box.

  • spearhead · BUILDING
    LLM / AI RED TEAM

    Prompt injection, system-prompt leakage, guardrail bypass, tool-call exfil — mapped to OWASP LLM Top 10 and MITRE ATLAS.

  • network · PLANNED
    RECON · NETWORK

    Maps the attack surface and works services and trust paths — recon, enumeration, and lateral movement on authorized scope.

  • report · PLANNED
    SYNTHESIS · REPORTING

    Turns the engagement into a deliverable — narrative plus findings, mapped to MITRE ATT&CK and ATLAS, as Markdown, JSON, or SARIF.

  • web · PLANNED
    WEB APPLICATIONS

    The web surface — injection, access-control, and logic flaws — once the wedge and recon are solid.

EDITOR'S LETTER
// a short note
An adversary with no rules teaches you nothing — the discipline is what turns an attack into an answer.
KEROXLABS · MAY 2026
SIGNOFF

Read the code.
Break it.
Write back.

KeroxLabs builds in the open. Patches, exploits, and hard questions about doing offense responsibly — bring them. The bar is technical, the reply is fast, the door is unlocked.