Red Zone
The Red Zone (/graph) is the primary interface of RedAmon. This is where you visualize your attack surface, launch scans, interact with the AI agent, and explore findings. This page gives you a complete tour of every element on screen.
- Select a project from the Project Selector dropdown in the top navigation bar (or navigate from the Projects page)
- Click "Red Zone" in the top navigation bar (the crosshair icon)
- You'll land on the Graph page with your selected project loaded

The Graph page is organized into several sections:
| Area | Location | Purpose |
|---|---|---|
| Global Header | Top | Navigation, project selector, theme toggle |
| Graph Toolbar | Below header | Scan controls, view toggles, agent status |
| View Tabs | Below toolbar | Switch between Graph Map, Data Table, Reverse Shell, RedAmon Terminal, and RoE |
| Main Canvas | Center | 2D/3D graph visualization or data table |
| Bottom Bar | Bottom | Node type legend with filtering |
| Node Drawer | Left side (on click) | Detailed properties of selected node |
| Logs Drawer | Right side (during scans) | Real-time scan logs |
| AI Agent Drawer | Right side (on toggle) | AI chat interface |
The top navigation bar is present on every page.

| Element | Description |
|---|---|
| RedAmon Logo | Click to go home |
| Projects (folder icon) | Navigate to the Projects management page |
| Red Zone (crosshair icon) | Navigate to the Red Zone (current page) |
| Project Selector | Dropdown to switch between projects. Shows project name and target domain. Selection persists across sessions |
| Theme Toggle | Switch between light and dark mode |
| User Avatar | Shows the current user |
The toolbar is organized into two rows with action groups.

| Control | Description |
|---|---|
| 2D / 3D Toggle | Switch between 2D force-directed and 3D WebGL graph rendering |
| Labels Toggle | Show/hide node name labels on the graph |
| Target Info | Displays the current project's target domain and subdomain configuration |
| Stealth Indicator | Shows if stealth mode is active (passive-only scanning) |
| PAUSE ALL | Emergency button (red/yellow) — instantly freezes all running pipelines (Recon, GVM, GitHub Hunt, TruffleHog) and stops all AI agent conversations. Disabled when nothing is running. Shows "PAUSING..." with a spinner while the operation is in progress |
When to use PAUSE ALL: If you notice the recon, GVM scanner, or AI agent are targeting something unintended, click this button immediately. It freezes containers via Docker cgroups (no data loss) and cancels all running agent tasks. You can resume individual pipelines afterwards using their respective Resume buttons.
The second row contains four color-coded action groups:
| Button | Description |
|---|---|
| Start Recon | Launches the 6-phase reconnaissance pipeline. Shows a confirmation modal first. Spinner appears while running |
| Pause (pause icon) | Freezes the recon container. Only visible while running |
| Stop (square icon) | Stops and removes the recon container permanently. Only visible while running or paused |
| Resume | Resumes a paused recon from where it left off |
| Logs (terminal icon) | Opens the logs drawer to show real-time recon output. Only visible during an active scan |
| Download (download icon) | Download the recon results as JSON. Only available after recon completes |
| Button | Description |
|---|---|
| GVM Scan | Launches a GVM/OpenVAS network vulnerability scan. Disabled in stealth mode |
| Pause / Stop / Resume | Same lifecycle controls as Recon (see above) |
| Logs (terminal icon) | Opens the GVM logs drawer |
| Download (download icon) | Download GVM results as JSON |
| Button | Description |
|---|---|
| Other Scans | Opens a modal containing both GitHub Secret Hunt and TruffleHog Secret Scanner. Each scanner has independent Start, Pause, Stop, Resume, Logs, and Download controls within the modal |
The Other Scans modal provides two secret scanning modules:
| Scanner | Description |
|---|---|
| GitHub Secret Hunt | Regex-based secret scanning with 40+ patterns and Shannon entropy analysis. See GitHub Secret Hunting |
| TruffleHog Secret Scanner | 700+ secret detectors with optional verification against live APIs. See TruffleHog Secret Scanning |
Both scanners share the GitHub Access Token configured in Global Settings and can run independently with their own lifecycle controls (Start, Pause, Stop, Resume, Logs, Download).
| Element | Description |
|---|---|
| Conversation Badge | Shows the number of active AI agent conversations |
| Phase Badge | Current agent phase (Informational / Exploitation / Post-Exploitation) with phase-specific color |
| Step Counter | Current iteration number of the agent |
| AI Agent Button | Toggle the AI Agent drawer open/closed |
Just below the toolbar, five tabs let you switch views:
| Tab | Icon | Description |
|---|---|---|
| Graph Map | Waypoints | The interactive graph visualization (default) |
| Data Table | (varies) | Dropdown tab exposing 15 presets: 2 base views + 13 Red Zone finding tables. See Data Table below. |
| Reverse Shell | Terminal | Manage agent-opened sessions (meterpreter, netcat, reverse/bind shells, listeners — formerly "Remote Shells") |
| RedAmon Terminal | SquareTerminal | Direct interactive PTY shell access to the Kali sandbox container via xterm.js |
| RoE | Shield | Rules of Engagement configuration and status |
When in Data Table mode, a header chevron opens the preset picker. Each preset renders its own header row with per-table search, refresh, and XLSX export buttons.
The RedAmon Terminal tab provides full interactive shell access to the kali-sandbox Docker container directly from the browser. It uses xterm.js with a WebSocket-based PTY connection, giving you a real Kali Linux terminal with all pre-installed pentesting tools.
Browser (xterm.js) → WebSocket → Agent proxy (/ws/kali-terminal) → kali-sandbox terminal server (port 8016) → PTY /bin/bash
| Feature | Description |
|---|---|
| Full PTY | Interactive bash shell with command history, tab completion, arrow keys, Ctrl+C, etc. |
| Dark theme | Ayu-inspired color scheme with custom prompt (redamon@kali) |
| Connection status | Real-time indicator: Connected (green), Connecting (yellow pulse), Disconnected (grey), Error (red) |
| Auto-reconnect | Exponential backoff (2s, 4s, 8s, 16s, 32s) up to 5 attempts on disconnect |
| Fullscreen | Toggle fullscreen mode for immersive terminal use |
| Reconnect | Manual reconnect button (disabled during connection attempts) |
| Keepalive | Browser-side ping every 30 seconds to prevent idle disconnects |
| Resize sync | Terminal dimensions automatically sync with window size via ResizeObserver |
- Manual tool execution — run Metasploit, Nmap, Hydra, sqlmap, or any Kali tool directly
- Debugging — inspect the sandbox environment, check processes, review logs
- Scripting — write and execute custom scripts inside the container
- Supplementing the agent — perform manual steps the AI agent cannot or should not automate
Note: This tab provides direct sandbox access. For managing remote sessions opened by the AI agent (meterpreter, reverse shells, etc.), use the Reverse Shell tab instead.
The graph canvas is the main visualization area where your attack surface is displayed as an interactive node-link diagram.

- Pan: Click and drag the background
- Zoom: Mouse scroll wheel
- Select node: Click on any node to open the Node Drawer
- Nodes are color-coded by type (see Bottom Bar)
- Nodes are positioned by a force-directed layout algorithm

- Rotate: Click and drag
- Pan: Right-click and drag
- Zoom: Mouse scroll wheel
- Select node: Click on any node
- Provides a more immersive view for large graphs
During active reconnaissance, the graph auto-refreshes every 5 seconds to show new nodes as they're discovered. The refresh stops when the scan completes.

The Data Table tab opens a dropdown with 15 presets: 2 base views plus 13 Red Zone finding tables. Every preset shares the same shell: per-table search, refresh, and XLSX export in the header; paginated scroll body.
| # | Entry | Icon | What it is |
|---|---|---|---|
| 1 | All Nodes | Table2 | Flat list of every node in the graph. Row-expand shows all node properties. Filtered by node type via the bottom-bar legend. |
| 2 | JS Recon | Code | Full JS reconnaissance dataset with sub-tabs: Secrets, Endpoints, Dependencies, Source Maps, Security, Attack Surface. |
Every table below is a graph-native aggregation driven by a single Cypher query. Rows represent actionable pentesting findings, not raw nodes.
Row = one attack path. Walks Subdomain -> IP -> Port -> Service -> Technology -> CVE -> MitreData -> Capec, flags a KEV badge when an ExploitGvm node links the CVE. Sorted CISA-KEV first, then max CVSS. Empty until nmap + nuclei vuln_scan + CVE enrichment have run.
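To make the ranking rule concrete, here is an added Python example (not RedAmon's own Cypher) that walks a constructed mini-graph along the Subdomain -> IP -> Port -> Service -> Technology -> CVE chain, flags a row as KEV when an ExploitGvm record links the CVE, and sorts KEV first, then by max CVSS. The edges, CVSS values and CVE identifiers are constructed placeholders; the walk stops at CVE rather than continuing to MitreData and Capec.

```python
"""Rank attack paths: KEV-linked rows first, then highest CVSS.

Added example, not RedAmon's query. EDGES, CVSS and KEV_LINKED are
constructed sample data; the CVE ids are placeholders, not real CVEs.
"""

# Adjacency: (label, name) -> list of child (label, name)
EDGES = {
    ("Subdomain", "app.example.test"): [("IP", "198.51.100.10")],
    ("IP", "198.51.100.10"): [("Port", "443"), ("Port", "22")],
    ("Port", "443"): [("Service", "https")],
    ("Port", "22"): [("Service", "ssh")],
    ("Service", "https"): [("Technology", "nginx 1.18")],
    ("Service", "ssh"): [("Technology", "OpenSSH 8.2")],
    ("Technology", "nginx 1.18"): [("CVE", "CVE-PLACEHOLDER-1")],
    ("Technology", "OpenSSH 8.2"): [("CVE", "CVE-PLACEHOLDER-2"),
                                    ("CVE", "CVE-PLACEHOLDER-3")],
}
CVSS = {"CVE-PLACEHOLDER-1": 9.8, "CVE-PLACEHOLDER-2": 5.3,
        "CVE-PLACEHOLDER-3": 7.5}
# CVEs that an ExploitGvm node links to (constructed)
KEV_LINKED = {"CVE-PLACEHOLDER-3"}

CHAIN = ["Subdomain", "IP", "Port", "Service", "Technology", "CVE"]


def walk(node, depth=0):
    """Depth-first walk; yields one tuple of names per full chain."""
    if depth == len(CHAIN) - 1:          # reached the CVE level
        yield (node[1],)
        return
    for child in EDGES.get(node, []):
        if child[0] == CHAIN[depth + 1]:  # only follow the expected label
            for tail in walk(child, depth + 1):
                yield (node[1],) + tail


def attack_paths(root):
    """One row per path from the root subdomain to a CVE, ranked."""
    rows = []
    for path in walk(("Subdomain", root)):
        cve = path[-1]
        rows.append({"path": path, "cve": cve,
                     "cvss": CVSS.get(cve, 0.0), "kev": cve in KEV_LINKED})
    # False sorts before True, so KEV rows come first; then CVSS descending
    rows.sort(key=lambda r: (not r["kev"], -r["cvss"]))
    return rows


if __name__ == "__main__":
    for r in attack_paths("app.example.test"):
        print("KEV" if r["kev"] else "   ", r["cvss"], " -> ".join(r["path"]))
```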
Per-Technology aggregate: CVE count, max CVSS, KEV count, number of BaseURLs / IPs / subdomains transitively affected by that version. Converts scattered CVE nodes into a patch-priority queue. Empty until Technology nodes have linked CVE nodes.
Every Vulnerability{source='takeover_scan'} with verdict (confirmed / likely / manual_review), provider (github-pages, heroku, aws-s3, fastly, ...), CNAME target, confidence score, evidence snippet, and the tool sources that detected it (subjack, nuclei, baddns). Sorted confirmed -> likely -> manual_review. Empty until Subdomain Takeover Detection has run.
Every :Secret node, whether attached via BaseURL-[:HAS_SECRET]-> (resource_enum) or via JsReconFinding{js_file}-[:HAS_SECRET]-> (js_recon). Columns: secret type, key category, redacted sample, entropy, validation status (validated / format_validated / unvalidated), detection method, source URL, subdomain. Sorted validated > format_validated > unvalidated, then by type priority. Empty until js_recon or resource_enum has discovered credentials.
Merges (a) open sensitive ports (SSH, RDP, SMB, SMTP, MySQL, Postgres, MSSQL, Mongo, Redis, Elasticsearch, K8s API, VNC, etc.) with (b) network-layer security_check vulnerabilities (direct_ip_http, direct_ip_https, waf_bypass, redis_no_auth, database_exposed, kubernetes_api_exposed, smtp_open_relay). Joins each (IP, Port) to its subdomains and ASN/country/CDN metadata. Empty until port_scan + security_checks have run.
Every Endpoint{is_graphql=true} with its graphql-scan flags (introspection, graphiql_exposed, field_suggestions_enabled, GET-allowed, batching, tracing), operation counts (queries / mutations / subscriptions), schema hash, sensitive-field sample, and linked graphql_scan / graphql_cop vulnerabilities. Sorted introspection-enabled first. Empty until graphql_scan has run.
Per-BaseURL view of auth / admin endpoints (/login, /admin/*, category = auth / admin / login), with a present/missing grid for six security headers (CSP, HSTS, X-Frame-Options, X-Content-Type-Options, Referrer-Policy, Permissions-Policy), linked web-layer vulnerabilities (login_no_https, basic_auth_no_tls, session_no_secure, session_no_httponly, cache_control_missing, csp_unsafe_inline, insecure_form_action, no_rate_limiting), and an A-to-F grade. Empty until http_probe + resource_enum + security_checks have run.
Every :Parameter{is_injectable=true} or any Parameter reached by a Nuclei DAST finding via AFFECTS_PARAMETER. Columns: parameter name, position (query / body / header / cookie / path / form), endpoint path, method, linked vulnerability, template_id, matcher_name, fuzzing_method/position, CVSS, matched_at URL. Empty until vuln_scan fuzzing has produced DAST findings.
Three cluster kinds unified into one table: Certificate SAN overlap (same cert serves multiple hostnames), ASN grouping (multiple IPs under the same autonomous system), origin-IP sharing (multiple subdomains on the same IP). Surfaces cross-tenant attack pivots and scope-creep during external engagements. Empty until http_probe has collected Certificate nodes and port_scan has enriched IP ASN.
One row per Domain: SPF presence + strictness (-all vs ~all vs +all), DMARC presence + policy (reject / quarantine / none), DNSSEC enablement, zone-transfer open flag, MX and NS records, WHOIS registrar + contact emails, days-to-expiry, VT / OTX reputation. Missing flags are derived both from TXT-record absence and from the spf_missing / dmarc_missing / dnssec_missing / zone_transfer security-check vulns. Empty until domain_recon + WHOIS + security_checks have run.
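As an added Python example (not RedAmon's own code), the following classifies the SPF strictness and DMARC policy columns described above from raw TXT records, and derives the spf_missing / dmarc_missing flags. The records are constructed samples, not live lookups; the spf_weak and dmarc_enforced columns are this example's own additions.

```python
"""Derive the Domain table's SPF / DMARC columns from TXT records.

Added example, not RedAmon's code. SAMPLE holds constructed records;
a real pipeline would fetch TXT for <domain> and _dmarc.<domain>.
"""
from typing import Dict, List, Optional


def spf_strictness(txt_records: List[str]) -> Optional[str]:
    """Return the SPF 'all' qualifier (-all, ~all, +all, ?all) or None
    when no v=spf1 record exists."""
    for rec in txt_records:
        if rec.lower().startswith("v=spf1"):
            for term in rec.split()[1:]:
                t = term.lower()
                if t in ("-all", "~all", "+all", "?all"):
                    return t
                if t == "all":          # RFC 7208: bare mechanism means '+'
                    return "+all"
            return "?all"               # RFC 7208: no 'all' -> neutral result
    return None


def dmarc_policy(dmarc_records: List[str]) -> Optional[str]:
    """Return the p= policy of the v=DMARC1 record, or None if absent."""
    for rec in dmarc_records:
        if rec.lower().startswith("v=dmarc1"):
            tags = {}
            for part in rec.split(";"):
                if "=" in part:
                    k, v = part.split("=", 1)
                    tags[k.strip().lower()] = v.strip().lower()
            return tags.get("p")        # None when p= is missing (invalid)
    return None


def email_posture(domain: str, txt: List[str], dmarc: List[str]) -> Dict:
    spf, pol = spf_strictness(txt), dmarc_policy(dmarc)
    return {"domain": domain, "spf": spf, "spf_missing": spf is None,
            "spf_weak": spf in ("+all", "?all"),      # any sender passes
            "dmarc": pol, "dmarc_missing": pol is None,
            "dmarc_enforced": pol in ("reject", "quarantine")}


# Constructed sample records (domain TXT, _dmarc TXT)
SAMPLE = {
    "example.test": (["v=spf1 include:_spf.mail.test -all"],
                     ["v=DMARC1; p=reject; rua=mailto:dmarc@example.test"]),
    "weak.test": (["v=spf1 ip4:203.0.113.0/24 +all"], ["v=DMARC1; p=none"]),
    "bare.test": (["site-verification=abc123"], []),
}


def posture_report(samples=SAMPLE) -> List[Dict]:
    return [email_posture(d, t, m) for d, (t, m) in samples.items()]
```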
Unified Domain and IP view with any threat-intel signal: VT malicious / suspicious / reputation / JARM / tags, OTX pulse count + adversaries + malware families + ATT&CK IDs + TLP, CriminalIP risk grade (domain) or score + Tor/VPN/proxy/darkweb/hosting/scanner flags (IP), plus ThreatPulse and Malware linkage counts. Sorted by pulse count desc, VT malicious desc. Empty until OSINT enrichers (otx_enrich, virustotal_enrich, criminalip_enrich) have run.
JS reconnaissance findings with supply-chain impact: dependency_confusion (unclaimed npm packages in production code), source_map_exposure + source_map_reference (reachable .map files leaking original sources), framework (React / Vue / Angular version disclosure), dev_comment (leaked internal comments and TODOs), cloud_asset (S3 / GCS / Azure blob URLs leaked in client code). Columns preserve package name, version, cloud provider/type, evidence, and parent JS file URL. Empty until js_recon has run with these scanners enabled.
Per-Domain temporal view combining OTX passive-DNS history (HISTORICALLY_RESOLVED_TO edges with first_seen, last_seen, record_type), :ExternalDomain sightings from redirect chains (sources, times_seen, countries_seen, redirect_from_urls), and dangling :Subdomain nodes (has_dns_records=false or status='no_http'). Derives ASN drift and country drift by diffing historic vs current resolutions. Empty until OSINT enrichment and domain_recon have both run.
The bottom bar displays a scrollable row of color-coded chips, one for each node type present in the graph.
| Feature | Description |
|---|---|
| Color chips | Each node type has a distinct color matching the graph |
| Count badges | Shows how many nodes of each type exist |
| Click to filter | Click a chip to show/hide that node type on the graph |
| All / None | Quick actions to show all or hide all node types |
This is especially useful for large graphs where you want to focus on specific node types (e.g., only Vulnerabilities and CVEs).
When you click on a node in the graph (or a row in the data table), the Node Drawer slides in from the left.

| Element | Description |
|---|---|
| Type badge | Color-coded label showing the node type (e.g., "Subdomain", "Vulnerability") |
| Node ID | The internal identifier |
| Node name | The display name (e.g., domain name, IP address, CVE ID) |
| Properties | All properties of the node, formatted and labeled |
| Delete button | Only shown for Exploit nodes — allows removing a specific exploit record |
Internal fields like project_id and user_id are hidden automatically.
During any active scan (Recon, GVM, GitHub Hunt, or TruffleHog), a Logs Drawer slides in from the right showing real-time output.

| Element | Description |
|---|---|
| Phase indicator | Shows the current scanning phase (e.g., "Phase 2: Port Scanning") |
| Phase number | Progress through the pipeline |
| Log messages | Real-time streaming of scan output |
| Clear button | Clear the current log display |
Each scan type (Recon, GVM, GitHub Hunt, TruffleHog) has its own independent logs drawer, toggled by the respective "Logs" button in the toolbar or modal.
The AI Agent drawer is the most feature-rich panel. It provides a full chat interface for interacting with the autonomous AI agent. See the dedicated AI Agent Guide for a complete walkthrough.
Now that you're familiar with the Red Zone, learn how to:
- Run your first reconnaissance to populate the graph
- Use the AI Agent to analyze findings and perform automated pentesting