Finding Red Team TTPs - The Easy way
I just published Part 2 of the Rogue Architect series, covering the four Claude Code plugins we built on top of our MCP toolkit. Three of them are Architect-flavored and focus on building labs (Check them out here!).
This post is about the fourth one, which has nothing to do with Architect and is potentially the biggest of all.
It's called /rogue-active-deployment. It plugs Claude directly into a Rogue Arena deployment and lets you operate in the environment via natural language. List machines, run commands, read files, manage snapshots, transfer artifacts, test tools, all through Claude, all lightning fast.
Automated red team TTP development
Give Claude a technique, a threat actor, or even a whole class of techniques, such as lateral movement or user persistence. Here's what happens next:
Claude flips into brainstorm mode and scrapes the internet for novel Red Team TTPs matching your ask. MITRE ATT&CK, Elastic detection rules, Sigma, blog posts, whatever is current.
It generates a playbook tailored to each TTP it found.
It pulls the virtual machines from your active deployment to map the playbook to real targets. (I'd recommend running this against our Elastic detection lab.)
It snapshots every target VM before touching anything, so every TTP runs against a clean baseline. No cross-contamination between techniques, and you can re-test any step instantly.
It executes the playbook step by step against real machines in whatever scenario you built.
It queries the SIEM (Elastic) after each step and tells you exactly which detections fired and which didn't.
Everything runs over a raw shell with no C2 in the loop, so you see the technique-level signal before your implant ever muddies the water. Ready to add C2? Set up your C2 infrastructure, tell Claude how to loop-test using your C2, and snapshot the scenario for easy clean reverts. Claude will then get to work testing your full TTP playbook in a loop.
Think about what that unlocks. Claude can sift through Red Team TTPs, finding novel techniques that not only work well but also slip past Defensive tools undetected. Test a detection ruleset against fifty TTPs in an afternoon. Walk your SOC through a live emulation that adapts to whatever you've deployed, not a scripted canned demo.
We've been running this internally, and it has changed the game.
The rest of the plugin
The TTP loop is the headline, but the plugin also covers the everyday operator workflow.
VM control. Everything you'd normally do across a pile of terminal windows, now in Claude:
ListMachines - list every VM in your deployment with credentials attached
ExecCommand - run commands with the right shell syntax per OS (bash, cmd, PowerShell)
ReadFile / GrepFile - read and search file contents on any target
ListProcesses - enumerate running processes on a VM
ManageSnapshots - create and revert VM snapshots on demand
TransferFiles - upload payloads or pull loot back to your box
GuiControl - Claude can screenshot and drive the GUI when shell isn't enough
File Upload/Download - Claude can seamlessly upload user-directed files to any virtual machine in a scenario. Seamless testing of your tools in Rogue Arena labs.
No more hopping between Guacamole tabs and SSH sessions.
Deployment diary. Claude can take notes and tag them to your deployment. This makes it easy to track which Red Team TTPs have been tested, and which remain. Come back two days later, and Claude remembers exactly where you left off.
Why this matters
For years, red team exercises have been bottlenecked on a handful of skilled operators carrying the cognitive load of technique research, environment prep, detection validation, and reporting. Every engagement starts with weeks of setup.
Automating that work doesn't replace red teamers. It frees them to think about tradecraft instead of plumbing. It also makes serious red team testing accessible to teams that don't have a full offensive capability in-house.
This is early. We'll keep iterating. But the direction is clear, and it's working.