hunt-dispatch

skill-set loader for /hunt. one concept (which skills to load), one place.

invocation contract:

hunt-dispatch mode=redteam
hunt-dispatch mode=wapt box=blackbox
hunt-dispatch mode=wapt box=greybox

step 1 — fingerprint (red team only)

run a one-shot fingerprint and parse recon/<target>/live-hosts.txt if present:

curl -sI "https://$TARGET" 2>/dev/null | tr -d '\r'
test -f "recon/$TARGET/live-hosts.txt" && cat "recon/$TARGET/live-hosts.txt"

look for the following signals → platform skill mapping:

okta.com | auth0.com | pingidentity         →  okta-attack
login.microsoftonline.com | outlook | sts   →  m365-entra-attack
pulse | fortinet | ivanti | citrix          →  enterprise-vpn-attack
vsphere | vcenter | :9443                   →  vmware-vcenter-attack
amazonaws | azure | googleapis | gcp        →  cloud-iam-deep
github.com/<org>/                           →  supply-chain-attack-recon
.apk | play.google.com                      →  apk-redteam-pipeline

multiple matches → load all matching platform skills.

step 2 — load skill set

invoke each skill in order via the Skill tool.

mode=redteam

always-on (load first):

redteam-mindset
mid-engagement-ir-detection

platform (load second, conditional on fingerprint matches from step 1):

okta-attack
m365-entra-attack
enterprise-vpn-attack
vmware-vcenter-attack
cloud-iam-deep
supply-chain-attack-recon
apk-redteam-pipeline

high-impact hunt-* set (load third):

hunt-rce
hunt-sqli
hunt-ssrf
hunt-ato
hunt-auth-bypass
hunt-saml
hunt-oauth
hunt-mfa-bypass
hunt-file-upload
hunt-http-smuggling
hunt-cloud-misconfig
hunt-sharepoint
hunt-aspnet

report format: redteam-report-template (subject / observations / description / impact / recommendation / poc).

mode=wapt

always-on:

bb-methodology
security-arsenal
triage-validation

full hunt-* set (all OWASP-relevant):

hunt-xss             hunt-sqli            hunt-ssrf            hunt-idor
hunt-csrf            hunt-xxe             hunt-rce             hunt-graphql
hunt-oauth           hunt-saml            hunt-mfa-bypass      hunt-auth-bypass
hunt-ato             hunt-file-upload     hunt-business-logic  hunt-race-condition
hunt-llm-ai          hunt-api-misconfig   hunt-ssti            hunt-cache-poison
hunt-http-smuggling  hunt-subdomain       hunt-cloud-misconfig hunt-misc
hunt-aspnet          hunt-sharepoint      hunt-ntlm-info

report format: report-writing (bugcrowd-reporting if the target is on bugcrowd).

box=greybox: creds already captured by /hunt, available in session memory. apply them to every authenticated test.

step 3 — taxonomy print (once, at session start)

emit a deterministic block. plain text, lowercase, colon-delimited, no decoration.

mode=redteam

loaded for red team: {N} skills
  mindset:    redteam-mindset
  platform:   {fingerprint-matched skills, or "none detected"}
  auth:       hunt-ato, hunt-auth-bypass, hunt-saml, hunt-oauth, hunt-mfa-bypass
  inj:        hunt-rce, hunt-sqli, hunt-ssrf, hunt-file-upload
  infra:      hunt-http-smuggling, hunt-cloud-misconfig
  stack:      hunt-sharepoint, hunt-aspnet
  ir:         mid-engagement-ir-detection

mode=wapt

loaded for wapt ({blackbox|greybox}): {N} skills
  inj:        hunt-xss, hunt-sqli, hunt-ssrf, hunt-rce, hunt-xxe, hunt-ssti, hunt-file-upload
  authz:      hunt-idor, hunt-auth-bypass, hunt-ato
  auth:       hunt-oauth, hunt-saml, hunt-mfa-bypass
  api:        hunt-graphql, hunt-api-misconfig
  logic:      hunt-business-logic, hunt-race-condition
  infra:      hunt-http-smuggling, hunt-cache-poison
  recon:      hunt-subdomain
  cloud:      hunt-cloud-misconfig
  ai:         hunt-llm-ai
  stack:      hunt-aspnet, hunt-sharepoint, hunt-ntlm-info
  misc:       hunt-misc, hunt-csrf
  reporting:  bb-methodology, security-arsenal, triage-validation

step 4 — return control to /hunt

after taxonomy print, hand control back to /hunt for step 3 (sibling delegation) and step 4 (active testing). do not run probes here — this skill only loads context.

privacy

never echo back, log, or persist:

• SOW / scope-of-work / engagement-letter content
• grey box credentials (kept in session memory by /hunt, never written to disk)
• client identifiers in user-level memory

Related Skills & Chains

• bb-methodology — When PART 0 mode confirmation completes. Workflow primitive: bb-methodology confirms engagement type (red team vs WAPT vs bug bounty); the answer feeds directly into this skill's mode=redteam / mode=wapt invocation.
• redteam-mindset + mid-engagement-ir-detection — When mode=redteam is loaded. Workflow primitive: these are the always-on skills loaded first by step 2 of the redteam flow before any platform skill or hunt-* skill.
• okta-attack / m365-entra-attack / enterprise-vpn-attack / vmware-vcenter-attack / cloud-iam-deep / supply-chain-attack-recon / apk-redteam-pipeline — When fingerprint signals match. Workflow primitive: step 1's curl fingerprint scan against recon/<target>/live-hosts.txt maps banner / domain signals to one or more of these platform skills.
• hunt-rce / hunt-sqli / hunt-ssrf / hunt-ato / *all other hunt- skills** — When the mode-specific skill set is being printed. Workflow primitive: this skill is the loader; it names the hunt-* skills but does not run probes — actual hunting happens after step 4 returns control to /hunt`.
• report-writing vs redteam-report-template — When the taxonomy print specifies the report format. Workflow primitive: mode=wapt ends with report-writing as the deliverable format; mode=redteam ends with redteam-report-template instead.