THE MECHANISM

How the operator works.

Riposte runs one continuous loop from your terminal. The offense side finds and reproduces a real opening; the defense side writes a rule from that exact evidence to catch it next time. You stay in command of every step in between.

THE OPERATOR LOOP

Recon, probe, exploit, hand-off.

  1. 01 · recon

    Map the scope.

    It enumerates the authorized target and records every host, port, and surface that answers back. Nothing outside the scope you set is ever touched.

  2. 02 · probe

    Test the inputs.

    It exercises each surface the way a person would, ranking the inputs most likely to yield and working through them one at a time.

  3. 03 · exploit

    Press the opening.

    When a surface yields, it lands the opening against a reference and captures exactly what happened, so the finding stands on its own evidence.

  4. 04 · hand-off

    Your call next.

    Every consequential move stops for you. Press on, log it, or stop. The operator never escalates on its own.

A RUN, LINE BY LINE

Watch it work.

A single run, streamed the way you would see it in the terminal: surface mapped, inputs tested, an opening landed, then it stops and hands the decision to you.

THE VERIFIED-DETECTION LOOP

Offense feeds defense.

When the offense side reproduces a finding, the defense side drafts a detection from that exact evidence: a Sigma rule keyed to what actually happened, not to a loose description of it. That draft is not trusted on sight. It is compiled, replayed, and measured against an instrumented SIEM double before anything is written down.

A rule ships only if it clears all four gates below. Miss one and it is held back for a human to review. The gates fail closed, so silence always means held, never shipped.

G1

It compiles.

The drafted rule compiles cleanly to your SIEM's own query language.

G2

It fires.

The rule matches the exact exploit that produced it, replayed against an instrumented double.

G3

It survives a variant.

It still fires after the attack is mutated, so it catches the technique and not one literal payload.

G4

It stays quiet.

It stays under a false-positive threshold on benign traffic, so it will not drown the analyst who deploys it.
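The four gates above, run end to end as an added example: this is illustrative code written for this page, not Riposte's own implementation, and it stands in for a real Sigma compiler and SIEM double with a tiny Sigma-like matcher over constructed web-server events. The field names (c-uri, sc-status), the four sample rules, the 1% false-positive ceiling and the log lines are all assumptions. It shows the behaviour the text describes: a rule keyed to the literal payload clears G2 but not G3, a rule keyed to the technique clears all four, a noisy rule fails G4, a rule that does not compile fails G1, and every failure, including an empty benign corpus, resolves to "held" rather than "shipped".

```python
import re
from dataclasses import dataclass

# Assumed ceiling on the benign hit rate for G4; the page names no number.
FP_THRESHOLD = 0.01


@dataclass
class GateResult:
    compiled: bool           # G1
    fires: bool              # G2
    survives_variant: bool   # G3
    stays_quiet: bool        # G4
    fp_rate: float
    verdict: str             # "shipped" or "held"


def compile_rule(rule):
    """G1: turn a Sigma-like selection into a predicate over one log event.

    Supports exact match, the |contains modifier and the |re modifier, ANDed
    across fields. Anything else raises, which the gate treats as a failure."""
    preds = []
    for key, expected in rule["detection"]["selection"].items():
        field, _, mod = key.partition("|")
        values = expected if isinstance(expected, list) else [expected]
        if mod == "":
            preds.append((field, lambda v, vals=values: v in vals))
        elif mod == "contains":
            preds.append((field, lambda v, vals=values: any(s.lower() in v.lower() for s in vals)))
        elif mod == "re":
            pats = [re.compile(p, re.IGNORECASE) for p in values]  # re.error on a bad pattern
            preds.append((field, lambda v, pats=pats: any(p.search(v) for p in pats)))
        else:
            raise ValueError(f"unsupported modifier: {mod!r}")
    if not preds:
        raise ValueError("empty selection")

    def match(event):
        return all(field in event and pred(str(event[field])) for field, pred in preds)
    return match


def evaluate_gates(rule, exploit_events, variant_events, benign_events, fp_threshold=FP_THRESHOLD):
    """Run G1..G4 fail-closed: any error or any gate not cleared yields 'held'."""
    try:
        match = compile_rule(rule)
        fires = any(match(e) for e in exploit_events)        # G2: the exact evidence
        survives = any(match(e) for e in variant_events)     # G3: the mutated evidence
        hits = sum(1 for e in benign_events if match(e))     # G4: benign traffic
        # No benign corpus means quietness cannot be shown, so treat it as 100% noise.
        fp_rate = hits / len(benign_events) if benign_events else 1.0
    except Exception:
        return GateResult(False, False, False, False, 1.0, "held")
    quiet = fp_rate <= fp_threshold
    verdict = "shipped" if (fires and survives and quiet) else "held"
    return GateResult(True, fires, survives, quiet, fp_rate, verdict)


# Constructed web-server events; not captured from any real system.
EXPLOIT = [{"c-uri": "/download?file=../../etc/passwd", "sc-status": "200"}]
VARIANT = [{"c-uri": "/download?file=..%2f..%2fetc%2fpasswd", "sc-status": "200"}]
BENIGN = [{"c-uri": u, "sc-status": "200"} for u in [
    "/", "/login", "/static/app.js", "/static/style.css", "/api/items?page=2",
    "/download?file=report.pdf", "/download?file=invoice-2024.pdf", "/health",
    "/api/items/17", "/logout",
]]


def _rule(title, selection):
    return {"title": title, "detection": {"selection": selection, "condition": "selection"}}


# Hypothetical drafts, one per outcome the gates are meant to separate.
RULES = {
    "literal":   _rule("literal payload", {"c-uri": "/download?file=../../etc/passwd"}),
    "technique": _rule("dot-dot traversal", {"c-uri|re": r"\.\.(/|%2f)"}),
    "noisy":     _rule("any download", {"c-uri|contains": "/download"}),
    "broken":    _rule("bad regex", {"c-uri|re": r"\.\.("}),
}


def run_demo():
    """Evaluate every sample rule; returns name -> GateResult."""
    return {name: evaluate_gates(r, EXPLOIT, VARIANT, BENIGN) for name, r in RULES.items()}


if __name__ == "__main__":
    for name, res in run_demo().items():
        print(f"{name:10} G1={res.compiled!s:5} G2={res.fires!s:5} G3={res.survives_variant!s:5} "
              f"G4={res.stays_quiet!s:5} fp={res.fp_rate:.2f} -> {res.verdict}")
```

The design point is in evaluate_gates: the gates are computed inside one try block and the exception path returns the same "held" verdict as a failed gate, so a crash in the matcher, a malformed rule or a missing benign corpus can never be mistaken for a pass. Only the "technique" draft ships; the literal one is held at G3 even though it fires on the original evidence, which is the failure mode the variant gate exists to catch.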

ON THE OFFLINE DEMO

The demo runs with no network and no keys. In it, the sample detection ships from a bundled template rather than a live model, so the walkthrough is identical on any machine. The loop and the four gates are the real ones; only the evidence is canned.

pre-alpha · apache-2.0 · no telemetry · runs offline