🔴 CrewAgent — Continuous Offensive Update Loop

Concept: This prompt is designed as an endless cycle.
Run Phase 1 → 2 → 3 → 4, then repeat from Phase 1.
With each round, the project gets sharper, tracking the latest techniques in the bug bounty world.

LOOP:
  Phase 1 (Intel)       → Collect the latest real-world bypass techniques
  Phase 2 (Gap)         → Compare against CrewAgent's current arsenal
  Phase 3 (Upgrade)     → Update/add/fix tools & agents
  Phase 4 (Verify)      → Make sure the updates work and nothing else breaks
  → back to Phase 1

⚡ PHASE 1 — INTEL PROMPT

"What happened in the bug hunting world this week?"

Run this at the start of every new session, or once a week, to get the latest intel.
This prompt forces the AI to search for REAL data instead of answering from old memory.

You are a senior offensive security researcher tracking the latest web application 
vulnerability techniques used by real bug hunters and red teamers RIGHT NOW.

## Your Mission
Search and synthesize the latest bypass techniques, new attack vectors, and trending 
vulnerability classes that are being actively exploited or disclosed in bug bounty programs.

## Intelligence Sources to Search (in priority order)
Search these sources for content from the LAST 30–90 DAYS:

1. **HackerOne Hacktivity** (hackerone.com/hacktivity)
   - Filter: Disclosed reports, severity Critical/High
   - Look for: novel techniques, unusual endpoints, unexpected chains

2. **PortSwigger Web Security Blog** (portswigger.net/research)
   - New research, new Burp extensions, technique writeups
   - James Kettle papers especially (he discovers entire vuln classes)

3. **Bug Bounty Writeups** (search: "bug bounty writeup 2025 [month]")
   - GitHub: github.com/devanshbatham/Awesome-Bugbounty-Writeups
   - Medium/blog posts tagged: bugbounty, pentest, websecurity

4. **CVE / NVD Recent Disclosures**
   - Focus on: web app vulns, auth bypass, IDOR at scale, RCE via web
   - Search: "CVE 2025 web application bypass"

5. **Security Researcher Twitter/X**
   - @albinowax (PortSwigger), @nahamsec, @intigriti, @hacker0x01
   - Look for: technique threads, "I just reported..." posts

6. **OWASP / WSTG Updates**
   - Any new test cases added to WSTG
   - New CWEs relevant to web apps

## Output Format — Produce an Intel Report

### 🔴 NEW ATTACK TECHNIQUES (this cycle)
For each new technique found:

TECHNIQUE: [name]
SOURCE: [URL or publication]
DATE: [when disclosed]
VULN CLASS: [SQLi / XSS / SSRF / Auth / Business Logic / etc.]
HOW IT WORKS: [2-3 sentences — the actual mechanism]
BYPASS TARGET: [what defense does it bypass? WAF? CSP? auth check?]
PAYLOAD EXAMPLE: [actual payload or request pattern if available]
IMPACT: [what can an attacker achieve?]
CURRENTLY IN CrewAgent: YES / NO / PARTIAL

### 🟠 TRENDING VULNERABILITY CLASSES (most reported this month)
- Rank the top 5 most reported vuln classes on public programs right now
- Include typical payout range per class

### 🟡 BYPASS TECHNIQUES GOING OBSOLETE
- Which techniques are being patched/mitigated at scale?
- What's replacing them?

### 🔵 TARGETS/TECH STACKS SEEING MOST REPORTS
- Which frameworks, APIs, or services have the most active vulns?
- (GraphQL? gRPC? OAuth2? JWT? Specific cloud services?)

### ⚪ PASS TO PHASE 2
At the end, produce a structured list:

NEW_TECHNIQUES_TO_ADD: [list]
EXISTING_TOOLS_TO_UPGRADE: [list]  
OBSOLETE_TECHNIQUES_TO_REMOVE: [list]
PRIORITY_ORDER: [ranked by impact × frequency]

Search the web now. Do not answer from memory — the goal is real-time intelligence.

🔍 PHASE 2 — GAP ANALYSIS PROMPT

"What is still missing from CrewAgent?"

Use the output of Phase 1 as input.
Paste NEW_TECHNIQUES_TO_ADD from Phase 1 into the [INTEL FROM PHASE 1] section.

[PASTE MASTER OFFENSIVE CONTEXT PROMPT FROM OFFENSIVE_PROMPTS.md FIRST]

## Your Mission: Gap Analysis Against Latest Intel

You have just received fresh intelligence about the latest web vulnerability 
techniques in active use. Now map them against CrewAgent's current arsenal.

## Intel From Phase 1
[PASTE THE FULL INTEL REPORT FROM PHASE 1 HERE]
Specifically, focus on:
NEW_TECHNIQUES_TO_ADD: [paste list]
EXISTING_TOOLS_TO_UPGRADE: [paste list]

## Gap Analysis Framework

For each new technique from Phase 1, run this check:

### Step 1 — Search Current Arsenal
Check these locations for existing coverage:
- `src/pentest_crew/tools/` — all tool files (30+ modules)
- `src/pentest_crew/config/agents.yaml` — agent backstories and step instructions
- `src/pentest_crew/config/tasks.yaml` — task definitions
- `TOOL_CATEGORIES` dict in `tools/__init__.py`

For each technique, classify:
- ✅ COVERED — specific tool exists with correct payload logic
- ⚠️ PARTIAL — related tool exists but missing this specific bypass variant
- ❌ MISSING — no tool covers this at all
- 🔄 OUTDATED — tool exists but uses old/bypassed technique

### Step 2 — Impact Assessment per Gap
For each PARTIAL / MISSING / OUTDATED gap:

GAP_ID: GAP-[N]
TECHNIQUE: [name from Phase 1]
CURRENT_STATE: PARTIAL / MISSING / OUTDATED
AFFECTED_FILE: [which tool file, if any]
AFFECTED_AGENT: [which pipeline agent would use this]
IMPLEMENTATION_EFFORT: LOW (< 50 LoC) / MEDIUM (50-200 LoC) / HIGH (200+ LoC)
BUG_BOUNTY_VALUE: LOW / MEDIUM / HIGH / CRITICAL
URGENCY: HOT (technique < 30 days old) / WARM / COLD

### Step 3 — Prioritized Upgrade Backlog
Sort all gaps by: URGENCY × BUG_BOUNTY_VALUE × (1/EFFORT)

Produce the backlog in this format:

UPGRADE BACKLOG (sorted by priority):

[RANK 1] GAP-ID: [id]
  Technique: [name]
  Action needed: ADD NEW TOOL | UPGRADE EXISTING | UPDATE PAYLOAD | UPDATE AGENT YAML
  File to modify: [filename]
  Estimated LoC: [N]
  Why urgent: [reason]

[RANK 2] ...

### Step 4 — Quick Wins (can be done in < 30 min)
Separate list of changes that are LOW effort but HIGH value:
- Payload additions to existing tools (just add strings to a list)
- New regex patterns in `http_analyst` triage
- New URL patterns in `scope_discovery`
- New CVSS scoring notes in `lead_pentester`

Pass this entire output to Phase 3.

🔨 PHASE 3 — UPGRADE PROMPT

"Implement every gap that was found"

Use the UPGRADE BACKLOG from Phase 2.
Run this prompt once per backlog item, starting with the highest rank.

[PASTE MASTER OFFENSIVE CONTEXT PROMPT FIRST]

## Your Mission: Implement Upgrade

You have a prioritized upgrade backlog from Phase 2.

## Item to Implement
[PASTE ONE ITEM FROM UPGRADE BACKLOG]

For example:

[RANK 1] GAP-ID: GAP-003
  Technique: HTTP/2 Rapid Reset Attack (CVE-2023-44487 derivative for app-layer bypass)
  Action: ADD NEW TOOL
  File: src/pentest_crew/tools/request_smuggling_tools.py (new class)
  Estimated LoC: ~80
  Why urgent: active exploitation in wild, bypasses rate limiting on patched servers

## Implementation Rules

### If action = ADD NEW TOOL
1. Create the tool class in the appropriate file (or new file if new category)
2. Follow the offensive tool template:
   - `DetectTool` → fast detection, ≤ 3 requests, clear signal
   - `ExploitTool` → full exploitation, extracts real data/access as proof
   - `OOBTool` → blind variant using Collaborator (when detection needs OOB)
3. Every payload must be bounded (max 10 per tool run)
4. Payloads must include WAF bypass variants for each primary payload
5. Tool must return impact-level verdict with CVSS hint

### If action = UPGRADE EXISTING
1. Show the CURRENT `_get_payloads()` or payload list (from file)
2. Show the DELTA — what new payloads/logic to add
3. Explain which specific defense each new payload bypasses
4. Do NOT remove existing payloads unless marked OUTDATED in Phase 2

### If action = UPDATE PAYLOAD
Simple: show exact before/after diff for the payload list.
Include a comment for each new payload: `# Bypasses: [defense name]`

### If action = UPDATE AGENT YAML
1. Show the CURRENT agent backstory section
2. Show the DELTA — new step instruction or triage pattern to add
3. New triage patterns go into the `get_proxy_http_history_regex` section
4. New step instructions go after the last STEP N in order

## Required Output Structure

## Changes Made

### File: [filename]
**Action**: [ADD NEW TOOL / UPGRADE / PAYLOAD UPDATE / YAML UPDATE]
**Technique addressed**: [from Phase 1 intel]

[COMPLETE IMPLEMENTATION — full class / function / payload list / yaml block]

### Registration (tools/__init__.py)
[If new tool: show import + singleton + group assignment]

### Test Case
[Minimal test showing CONFIRMED path with mock response]

### Why This Improves the Pipeline
[One paragraph: what attack scenario can now be detected that couldn't before]

After implementing, output a status line:
`✅ GAP-[ID] CLOSED — [technique] now covered in [file]`

Then: "Ready for next item. Paste GAP-[N+1] from backlog."

✅ PHASE 4 — VERIFY PROMPT

"Make sure every update works and nothing is broken"

Run this after all backlog items from Phase 3 have been implemented.

[PASTE MASTER OFFENSIVE CONTEXT PROMPT FIRST]

## Your Mission: Verify All Updates From This Cycle

You have just implemented a batch of upgrades from Phase 3. Before looping back 
to Phase 1, verify that everything works correctly and nothing regressed.

## Changes Made This Cycle
[LIST ALL GAP-IDs CLOSED IN THIS CYCLE, e.g.: GAP-001, GAP-003, GAP-007]

## Verification Checklist

### 1. Import Chain (always first)
```python
# Verify no import errors in the updated files:
from pentest_crew.tools import (
    EXECUTOR_TOOLS, ANALYST_TOOLS, REVIEWER_TOOLS,
    REPORTER_TOOLS, EXPLOITATION_TOOLS, ALL_TOOLS
)
print(f"Total tools: {len(ALL_TOOLS)}")
# Should be >= previous count. Never < previous count.
```

### 2. Singleton Registration Check
For each new tool added this cycle, verify it appears in:
- `tools/__init__.py` as a singleton instance variable
- The correct tool group constant (EXECUTOR_TOOLS, ANALYST_TOOLS, etc.)
- `TOOL_CATEGORIES` dict (if a new category was created)
- `ALL_TOOLS` list

### 3. Tool Response Format Check
Each new tool must return a dict with at minimum these keys:
```python
REQUIRED_KEYS = {"status"}
VALID_STATUSES = {"CONFIRMED", "NOT_CONFIRMED", "INCONCLUSIVE",
                  "NEEDS_ESCALATION", "NO_DATA", "ERROR"}

# Run this check against each new tool's _run() return paths:
def check_result(result):
    assert result is not None  # tool must never return None (check this first)
    assert REQUIRED_KEYS <= result.keys()  # minimum keys are present
    assert result["status"] in VALID_STATUSES
```

### 4. False Negative Regression Test
For each new tool added, run a "known vulnerable" mock test:
```python
# Mock a response that SHOULD trigger CONFIRMED
# If the tool returns NOT_CONFIRMED on this → false negative → fix before proceeding
KNOWN_VULNERABLE_MOCKS = {
    "new_sqli_variant": {
        "body": "[specific error pattern from Phase 1 intel]",
        "statusCode": 500
    },
    "new_waf_bypass": {
        "body": "[pattern that proves payload executed]",
        "statusCode": 200
    },
    # etc.
}
```

### 5. Payload Sanity Check
For each new payload list:
- No payload exceeds 500 characters (prevents token waste)
- No payload contains hardcoded IP addresses (use variables)
- OOB payloads use `{collab}` placeholder, not hardcoded collaborator domains
- Destructive payloads (DROP TABLE, rm -rf) are NOT present

### 6. Agent YAML Syntax Check
If agents.yaml or tasks.yaml was modified:
```bash
# Validate YAML syntax:
python -c "import yaml; yaml.safe_load(open('src/pentest_crew/config/agents.yaml'))"
python -c "import yaml; yaml.safe_load(open('src/pentest_crew/config/tasks.yaml'))"
# Should print nothing and exit with status 0 (no error)
```

### 7. Count Delta Report
Produce this summary before closing the cycle:

CYCLE SUMMARY
─────────────────────────────────────────────────
Cycle date       : [date]
Gaps closed      : [list of GAP-IDs]
New tools added  : [N] → tool count: [old] → [new]
Tools upgraded   : [list of filenames]
YAML updated     : [list of agent names]
New payloads     : [N] new entries across [M] tools
False negatives  : [N] found and fixed
Regressions      : [N] found and fixed
─────────────────────────────────────────────────
PIPELINE STATUS  : ✅ READY / ⚠️ NEEDS REVIEW
─────────────────────────────────────────────────

### 8. Readiness Gate
Only proceed to next cycle if:
- ✅ All new tools return correct status values
- ✅ No import errors
- ✅ YAML parses without error
- ✅ All known-vulnerable mocks return CONFIRMED
- ✅ tool count never decreased

If any gate fails → fix before cycling back.

## Cycle Handoff
At the end of Phase 4, produce the prompt for the next Phase 1:

NEXT CYCLE CONTEXT:
- We just added: [list of new capabilities]
- We upgraded: [list of upgraded tools]
- Still uncovered from last cycle: [list of deprioritized gaps]
- Suggested focus for next intel search: [specific vuln classes to watch]
- Time to next cycle: [recommended: 1 week]

→ LOOP BACK TO PHASE 1
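
The payload sanity check in step 5 of the Phase 4 checklist can be enforced mechanically rather than by inspection. The following is an added example, not part of the original gist or of CrewAgent: `lint_payloads`, the rule names, the OOB domain list and the sample lists are assumptions constructed for illustration.

```python
import ipaddress
import re

MAX_LEN = 500  # checklist limit per payload
IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
# Assumption: public Burp Collaborator domains; extend for your OOB provider.
OOB_DOMAIN_RE = re.compile(r"burpcollaborator\.net|oastify\.com", re.I)
# The two destructive patterns the checklist names: DROP TABLE and rm -rf.
DESTRUCTIVE_RE = re.compile(r"\bdrop\s+table\b|\brm\s+-[a-z]*(?:rf|fr)", re.I)


def has_ip_literal(payload):
    """True if the payload embeds a syntactically valid IPv4 address."""
    for candidate in IPV4_RE.findall(payload):
        try:
            ipaddress.ip_address(candidate)
            return True
        except ValueError:
            continue  # e.g. 999.1.1.1 is not an address
    return False


def lint_payloads(tool_name, payloads, oob=False):
    """Return (tool, index, rule) findings; an empty list passes the gate."""
    findings = []
    for i, p in enumerate(payloads):
        if len(p) > MAX_LEN:
            findings.append((tool_name, i, "too-long"))
        if has_ip_literal(p):
            findings.append((tool_name, i, "hardcoded-ip"))
        if OOB_DOMAIN_RE.search(p):
            findings.append((tool_name, i, "hardcoded-oob-domain"))
        if oob and "{collab}" not in p:
            findings.append((tool_name, i, "oob-missing-placeholder"))
        if DESTRUCTIVE_RE.search(p):
            findings.append((tool_name, i, "destructive"))
    return findings


# Constructed sample lists (not CrewAgent's): tool name -> (is_oob, payloads)
SAMPLE = {
    "oob_probe": (True, ["http://{collab}/probe",
                         "http://203.0.113.7/probe",
                         "http://abc123.oastify.com/x"]),
    "header_probe": (False, ["probe-value-1",
                             "1; DROP TABLE users--",
                             "A" * 501]),
}

if __name__ == "__main__":
    for tool, (is_oob, payloads) in SAMPLE.items():
        for finding in lint_payloads(tool, payloads, oob=is_oob):
            print(finding)
```

Wired into the readiness gate, any non-empty findings list should fail the cycle in the same way an import error does.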

🧠 MASTER META-PROMPT (For One Full Session)

To run the full cycle in ONE session without manual copy-pasting, use this.
The AI will run on its own from Phase 1 through Phase 4.

[PASTE MASTER OFFENSIVE CONTEXT PROMPT FIRST]

## Your Mission: Run a Full Offensive Update Cycle

You will run all 4 phases of the Offensive Update Cycle for CrewAgent autonomously.
Do not wait for my input between phases — complete each phase and proceed.

## Phase 1 — INTEL (do this first)
Search the web RIGHT NOW for:
1. Latest bug bounty writeups from the last 30-60 days (HackerOne, Medium, GitHub)
2. New PortSwigger research or Burp extensions released recently
3. CVEs disclosed in the last 60 days affecting web applications
4. Trending vulnerability classes on public bug bounty programs (h1, intigriti, bugcrowd)

From your search, identify:
- NEW techniques not in CrewAgent's current arsenal
- UPDATED bypass variants for techniques already in arsenal
- TRENDING vuln classes that should be prioritized in triage

## Phase 2 — GAP ANALYSIS (after intel)
Map the new techniques against CrewAgent's tools in `src/pentest_crew/tools/`.
Produce a prioritized gap list sorted by: urgency × bug bounty value.
Separate into: NEW TOOLS needed, PAYLOAD UPGRADES, YAML UPDATES, OBSOLETE REMOVALS.

## Phase 3 — IMPLEMENT (top 3 gaps from backlog)
Implement the top 3 highest-priority gaps from Phase 2.
For each:
- Write complete code (full tool class or full payload diff)
- Write tool registration in __init__.py
- Write minimal test case

Focus on: maximum detection coverage, real-world WAF bypass variants, OOB for blind cases.

## Phase 4 — VERIFY
Run the verification checklist:
- Import check
- Singleton registration check
- Tool response format check
- Known-vulnerable mock test for each new tool
- Payload sanity check
- YAML syntax check
- Produce cycle summary report

## Output Format
Structure your output clearly with headers:
# PHASE 1: INTEL REPORT
# PHASE 2: GAP ANALYSIS
# PHASE 3: IMPLEMENTATION
  ## [Tool/Change Name]
  [full code]
# PHASE 4: VERIFICATION REPORT
# NEXT CYCLE CONTEXT

Run all 4 phases now. Search the web for real-time intel first.

📅 Recommended Cycle Cadence

| Interval | Action | Notes |
|---|---|---|
| Weekly | Run full Phase 1 (Intel) | Bug bounty moves fast — 1 week = lots of new writeups |
| Weekly | Run Phase 2 (Gap Analysis) | After each intel run |
| Per sprint | Run Phase 3 (Implement) | Implement top 3-5 gaps per week |
| Per sprint | Run Phase 4 (Verify) | Always verify before closing cycle |
| Monthly | Run full Meta-Prompt (all 4 phases) | Full autonomous cycle once a month |
| Quarterly | Full arsenal audit vs OWASP WSTG | Check coverage against full WSTG checklist |

🔥 High-Signal Sources to Always Monitor

Add these sources to your bookmarks / RSS feed as manual triggers for Phase 1:

| Source | URL | Why |
|---|---|---|
| PortSwigger Research | portswigger.net/research | Discovers entire vuln classes (Kettle papers) |
| HackerOne Hacktivity | hackerone.com/hacktivity | Real disclosed bugs, real payloads |
| ProjectDiscovery Blog | projectdiscovery.io/blog | Nuclei templates = confirmed technique |
| NahamSec YouTube | youtube.com/@NahamSec | Live bug hunting, new techniques |
| STÖK YouTube | youtube.com/@STOKfredrik | Bug bounty methodology updates |
| Intigriti Blog | blog.intigriti.com | Program-specific write-ups |
| VulnHub / HackTricks | book.hacktricks.xyz | Updated technique reference |
| NVD Recent CVEs | nvd.nist.gov/vuln/search | Filter: web app, last 30 days |
| GitHub Security Advisories | github.com/advisories | Framework/library vulns |
| SWS (Security Weekly) | securityweekly.com | Weekly digest |

⚡ Quick-Start: Trigger Phrases per Phase

Copy and paste these straight into the chat, without having to open this document:

Trigger Phase 1:

Run CrewAgent offensive update cycle Phase 1: search for the latest web app 
vulnerability techniques, bypass methods, and trending bug bounty targets 
from the last 30 days. Search HackerOne hacktivity, PortSwigger research, 
and recent CVEs. Produce an intel report with NEW_TECHNIQUES_TO_ADD list.

Trigger Phase 2:

Run CrewAgent update cycle Phase 2 gap analysis. Here is the intel from Phase 1:
[PASTE PHASE 1 OUTPUT]
Compare against CrewAgent's current tool arsenal and produce a prioritized 
upgrade backlog sorted by urgency × bug bounty value.

Trigger Phase 3:

Run CrewAgent update cycle Phase 3. Implement the top item from this backlog:
[PASTE TOP ITEM FROM PHASE 2 BACKLOG]
Write complete code: tool class, registration in __init__.py, and test case.

Trigger Phase 4:

Run CrewAgent update cycle Phase 4 verification. This cycle I implemented:
[LIST CHANGES MADE IN PHASE 3]
Run the full verification checklist and produce the cycle summary report.

Trigger Full Cycle:

Run a full CrewAgent offensive update cycle (all 4 phases). Start by searching 
the web for the latest web app bypass techniques from the last 30 days. Then 
analyze gaps in the project, implement the top 3 findings, and verify. 
Produce phase headers for each section.

Phase 1 → Phase 2 → Phase 3 → Phase 4 → Phase 1 → ...
Every cycle, the arsenal gets sharper.
