Toolkit
Each audit runs in a fresh darkops sandbox — a hardened Ubuntu desktop with the offensive security toolkit pre-installed and ready. GigaOps has full bash access to all of these tools. The sandbox is provisioned per-audit, used for the duration of the engagement, and destroyed at completion. No state leaks between engagements.

Reconnaissance & scanning
| Tool | Purpose |
|---|---|
| nmap | Port and service scanning. Default -T2 for stealth, configurable per engagement. |
| masscan | High-speed port scanning across wide IP ranges |
| httpx | HTTP probing, fingerprinting, status discovery |
| whatweb | Web application fingerprinting |
| wafw00f | WAF identification |
| subfinder | Active subdomain discovery (used after passive OSINT) |
| dnsx | DNS resolution and validation |
Content discovery
| Tool | Purpose |
|---|---|
| feroxbuster | Recursive content discovery |
| ffuf | Web fuzzer for endpoints, parameters, and headers |
| gobuster | Directory and DNS brute force |
| katana | Web crawler for endpoint discovery |
Vulnerability scanning
| Tool | Purpose |
|---|---|
| nuclei | Templated vulnerability scanning with curated template sets |
| dalfox | XSS scanner with DOM and reflected payload coverage |
| xsstrike | Advanced XSS detection with payload mutation |
| wfuzz | Parameter fuzzing for injection points |
| jwt_tool | JWT vulnerability scanner |
Exploitation
| Tool | Purpose |
|---|---|
| sqlmap | SQL injection detection and exploitation. Deep mode: --level 5 --risk 3 --delay 2. |
| commix | Command injection scanner and exploiter |
| tplmap | Server-side template injection exploitation |
| XXEinjector | XML External Entity exploitation |
| ssrfmap | Server-side request forgery exploitation |
Authentication attacks
| Tool | Purpose |
|---|---|
| hydra | Network service brute force (rate-limited by default) |
| hashcat | Hash cracking |
| john | Password cracking |
| CeWL | Custom wordlist generation from target content |
| cupp | Common user password profiler |
Post-exploitation (Deep & Autonomous only)
| Tool | Purpose |
|---|---|
| linpeas | Linux privilege escalation enumeration |
| pspy | Linux process snooping |
| impacket suite | Windows / Active Directory toolset (secretsdump, smbexec, psexec, etc.) |
| bloodhound | Active Directory attack path analysis |
| crackmapexec | Multi-protocol AD attack tool (SMB, WinRM, RDP, LDAP, etc.) |
| evil-winrm | Interactive WinRM shells |
Cloud
| Tool | Purpose |
|---|---|
| pacu | AWS exploitation framework |
| awscli | AWS CLI for resource enumeration and access testing |
| s3scanner | S3 bucket enumeration and access checking |
| cloud_enum | Multi-cloud (AWS, Azure, GCP) public asset enumeration |
Exfiltration testing
| Tool | Purpose |
|---|---|
| dnscat2 | DNS tunneling for exfil path validation |
| iodine | IP-over-DNS tunneling |
Wordlists
Standard offensive wordlists are pre-loaded:
- rockyou.txt
- common.txt
- SecLists collection
- API endpoint wordlists
- Subdomain wordlists

CeWL generates custom wordlists for engagements that benefit from custom dictionaries.
Browser
The sandbox includes a full Chromium installation for any web target interaction that requires a real browser — JavaScript-heavy SPAs, complex auth flows, CSRF token handling, etc.

Adding your own tools
The sandbox runs Ubuntu with full apt access. GigaOps can install additional tools on demand within an engagement — for example, fetching the latest version of nuclei’s template set, or installing a CVE-specific PoC repo from GitHub.
For Autonomous engagements, you can specify required tooling in your brief:
Tool versions
Tools are kept on the current stable release. The sandbox image is rebuilt regularly to keep nuclei templates, metasploit modules, and exploitation tooling up to date.
Next steps
Methodology
How GigaOps uses these tools across the 10 phases.
The Agent
How the agent decides which tool to reach for.