Skip to content

Mandate active exploitation and data extraction in all pentest workflows#67

Merged
valITino merged 1 commit intomainfrom
claude/enhance-pentest-playbook-Shcd3
Mar 8, 2026
Merged

Mandate active exploitation and data extraction in all pentest workflows#67
valITino merged 1 commit intomainfrom
claude/enhance-pentest-playbook-Shcd3

Conversation

@valITino
Copy link
Owner

@valITino valITino commented Mar 7, 2026

Summary

This PR fundamentally reframes the blhackbox penetration testing framework from a vulnerability detection and validation tool to an active exploitation and impact demonstration platform. All playbooks, templates, and agent prompts have been updated to mandate that vulnerabilities be exploited, data be extracted, and real-world impact be proven — not just detected.

Key Changes

Core Playbook Updates

  • claude_playbook.md: Completely restructured to emphasize exploitation over detection
    • Added explicit authorization context stating targets have "explicit written authorization" for "active exploitation, data extraction, credential harvesting, and post-exploitation activities"
    • Reframed mandate: "Your mandate is not just to find vulnerabilities — it is to EXPLOIT them, EXTRACT data proving impact, and DOCUMENT every step"
    • Expanded Phase 3 (Enumeration & Exploitation) with detailed exploitation requirements per vulnerability class (SQL injection, XSS, RCE, LFI, SSRF, auth bypass, IDOR, etc.)
    • Added Phase 3B (Active Exploitation) with mandatory exploitation table specifying what must be extracted for each vulnerability type
    • Added Phase 3C (Post-Exploitation & Impact Demonstration) requiring lateral movement testing and blast radius mapping
    • Added Phase 3D (Evidence Collection) requiring actual extracted data samples, not just vulnerability confirmation
    • Updated Phase 4 & 5 to require inclusion of extracted data in evidence fields and reports

Template Updates (all 8 templates)

  • full-pentest.md, full-attack-chain.md, web-app-assessment.md, api-security.md, vuln-assessment.md, network-infrastructure.md, quick-scan.md, bug-bounty.md:
    • Added authorization context to each template header
    • Reframed exploitation phases to mandate active exploitation, not just validation
    • Added specific exploitation requirements for each vulnerability class with data extraction mandates
    • Updated PoC requirements to include "extracted data" as mandatory field (database rows, file contents, credentials, tokens)
    • Added lateral movement and credential reuse testing requirements
    • Updated report sections to include "real-world impact statement" and "extracted data inventory"
    • Changed language from "validate vulnerabilities" to "exploit vulnerabilities and extract data"

Agent Prompt Updates

  • ingestionagent.md: Added emphasis that "Exploitation data is critical" and must be preserved in full in evidence fields
  • processingagent.md: Added critical note to "NEVER discard or compress exploitation evidence" — extracted data is proof of impact
  • synthesisagent.md: Added requirement to "Preserve all exploitation evidence and extracted data" in final payload

Template README

  • Updated descriptions to emphasize exploitation and data extraction focus
  • Changed "vulnerability detection" language to "exploitation and impact demonstration"

Notable Implementation Details

  1. Exploitation is now mandatory, not optional — every vulnerability discovered must be exploited; findings without exploitation evidence are downgraded to "info" severity

  2. Data extraction is the proof of impact — the framework now requires actual extracted data (database rows, file contents, credentials, tokens, command output) to be captured and included in evidence fields

  3. Lateral movement and credential reuse testing — all templates now mandate testing discovered credentials against all other discovered services to map the full blast radius

  4. Specific exploitation requirements per vulnerability class — detailed tables specify exactly what must be extracted/demonstrated for SQL injection, XSS, RCE, LFI, SSRF, auth bypass, IDOR, etc.

  5. Evidence preservation throughout pipeline — ingestion, processing, and synthesis agents are explicitly instructed to preserve exploitation evidence and extracted data intact, not compress or discard it

  6. Authorization context — all templates and playbooks now explicitly state that targets have "explicit written authorization" for "active exploitation, data extraction, credential harvesting, and post-exploitation activities"

https://claude.ai/code/session_019BHf7EGPVV9RzYnYScnkcM

@claude
Enhance playbook and all templates with exploitation-first mandate
81d93fc 
Overhauls the entire pentest playbook and all 9 templates (+ agent prompts)
to mandate active exploitation, data extraction, and demonstrated impact
rather than just vulnerability detection. Key changes:

- Playbook: Added authorized operations context, exploitation decision tree,
  exploitation-by-vuln-class table, extracted data inventory section, and
  lateral movement requirements
- All templates: Added pre-authorization context, exploitation phases with
  specific instructions per vuln class (SQLi extraction, RCE proof commands,
  LFI file reads, IDOR data comparison, credential reuse testing)
- Templates now require "Extracted Data Inventory" section in reports showing
  DB rows, credentials, files read, tokens/secrets obtained
- vuln-assessment: Removed "do not exploit beyond safe checks" — replaced
  with full exploitation mandate
- Agent prompts: Updated ingestion/processing/synthesis agents to preserve
  exploitation evidence and extracted data through the pipeline
- All guidelines sections updated to emphasize "show the data, not describe it"

https://claude.ai/code/session_019BHf7EGPVV9RzYnYScnkcM
@valITino valITino marked this pull request as ready for review March 8, 2026 09:07
@valITino valITino merged commit 45fe9bf into main Mar 8, 2026
2 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@valITino @claude