.png)
3 months ago
2
Zoom image will be displayed
By John O’Boyle, Ashwin Wariar, Noah Alexander, Franco Garcia, Sophia Martinez, and Jude Canady
When a red teamer’s deep into an engagement, time and clarity are everything. Every move counts. Every misstep is a risk. And every minute spent context switching — between tools, tabs, and docs — is a minute not spent making smart, calculated decisions.
That’s where PhantomShift fits in.
PhantomShift isn’t another offensive tool or AI experiment. It’s a tactical decision assistant — built to help red teamers think faster and move smarter. It’s not trying to take over. It’s not trying to guess. It’s here to guide. And here’s how it does that, in practice.
Most tools in the red team arsenal are reactive. You run a scan, get results, pivot. Run an exploit, check the outcome, try again. Even with modern frameworks, the cognitive burden is on the operator to interpret, strategize, and plan the next step.
PhantomShift works differently.
It’s a browser-based platform running inside a containerized Kali Linux environment. The workspace integrates a command line interface, AI chat panel, and mission planner — so operators can work and think in one place.
But the core value isn’t in the layout. It’s in how PhantomShift tracks what’s happening — and responds.
At every step, PhantomShift monitors:
- Shell context and terminal output
- Current privilege and host environment
- Operator history (prior commands and tool usage)
- Engagement phase and inferred mission goals
It uses that context to suggest viable next moves, simulate potential outcomes, and surface relevant tactics — pulled from real-world playbooks.
This isn’t a generic chatbot stuck in the corner of a pentest terminal. PhantomShift’s prompts are tightly scoped and driven by structured reasoning templates.
When an operator asks, for example, “How should I escalate here?” PhantomShift doesn’t just spit out a list of potential techniques. It runs a context check first:
- What OS are we on?
- Is the target domain-joined?
- What’s the kernel version?
- What tools have been run so far?
- What’s the risk of triggering EDR with this move?
The assistant uses a retrieval-augmented generation (RAG) pipeline to gather context-aware snippets from its indexed knowledge base. That includes public exploits, prior red team reports, custom TTPs, and operator annotations.
All of this gets injected into a structured prompt designed to reason about risk, stealth, likelihood of success, and next best action.
You don’t just get an answer. You get a recommendation — with rationale.
Let’s say you’re inside a test environment simulating a typical corporate network. You’ve landed a low-privilege foothold on a Linux box after a phishing campaign. You’ve run basic enumeration, pulled some host details, and now you want to move laterally.
You bring up PhantomShift:
- It parses your session logs.
- It notes your current user context.
- It identifies that you’ve tried SSH with a user cred dump but failed authentication.
- It sees you’ve mapped open ports and local services.
Then it surfaces this:
“Lateral option: Exploit misconfigured rsync daemon on 10.1.1.22. Based on open port 873 and historical configs in similar environments, it may allow remote directory access. Use rsync -av rsync://10.1.1.22/share /tmp/test. Low detection risk. Privilege unchanged.”
It adds a note:
“Consider running this in a sandboxed shell first. Prior usage in similar environments triggered auditd logs under default config.”
You get a tactical suggestion and operational awareness. That’s what separates PhantomShift from a doc search bar or AI wrapper.
PhantomShift’s context engine is what gives it legs.
Every prompt is enriched with data from a constantly updating session context stack:
- Parsed shell logs
- Operator input history
- Fingerprinted environment variables
- Static host data (OS, architecture, open ports, AV/EDR markers)
- Knowledge base results (via similarity search)
Instead of just sending a user’s last message to the LLM, PhantomShift builds a narrative prompt:
“You are assisting a red teamer during a live engagement. The operator is currently on a Linux host (Ubuntu 20.04) with limited privileges. Previous actions include nmap, enum4linux, and local enumeration of /etc/passwd. Based on output from LinPEAS, the following misconfigs were found… Given this context and the goal of escalating privileges without triggering detection, what should they try next?”
That’s the difference between search and support.
From the start, PhantomShift was designed to augment human operators, not replace them.
That’s why:
- It never runs commands directly
- It explains its reasoning before suggesting next steps
- It flags detection risk when suggesting lateral or escalation moves
- It separates hallucinated output from retrieved factual content
Everything PhantomShift recommends is surfaced in a way that the red teamer can accept, adjust, or reject entirely.
And the assistant learns from feedback. If you downvote a suggestion, PhantomShift updates its context, suppresses that path, and offers an alternative.
PhantomShift wasn’t born from a product roadmap. It came out of real frustrations:
- Wasting time alt-tabbing between ChatGPT and internal docs
- Getting vague or high-risk suggestions in the middle of an op
- Having no memory of what happened three shells ago
- Struggling to make judgment calls under time pressure
We built PhantomShift to reduce friction, surface better decisions, and give operators their mental bandwidth back.
