How to actually use these skills during an engagement.
| What you want to do | What to type | Skills triggered |
|---|---|---|
| Plan an external recon engagement | "Plan a 1-day external recon on acme.com (in-scope BB)" | both |
| Get probe paths for a specific surface | "What paths should I probe to find Swagger on a webapp?" | arsenal |
| Triage a discovered asset | "I found a hard-coded JWT in a JS bundle. Walk me through triage." | arsenal |
| Pivot a finding | "I have an AWS access key. Confirm it's live (read-only) and enumerate scope." | arsenal §23 + §23.12 |
| Map identity fabric | "Target uses Microsoft 365. Walk me through deep enum." | both |
| Origin discovery | "Target is behind Cloudflare. How do I find the origin?" | both |
| Severity assessment | "How serious is android:debuggable=true on a prod Android app?" |
arsenal §40 |
| Write a client report | "Write the executive summary for an engagement that found 2 CRIT, 5 HIGH, 12 MED" | methodology §31 |
| Submit a bug bounty report | "Format my finding as a HackerOne report. Finding: unauth POST /api/users on api.example.com" | methodology §30 |
| Generate phishing shortlist | "Generate phishing-feasibility shortlist for acme.com (authorized)" | both |
When you ask about an unverified third-party target, the skills trigger a soft scope check:
You: Run a full subdomain enumeration on chase.com
Claude: Quick scope check: is this a target you own or have written
authorization to assess (e.g., a red-team engagement, in-scope
bug-bounty asset, or your own infrastructure)? I want to make sure
we stay on the right side of the engagement boundary.
You: Yes, I'm a Chase employee testing our own asset.
Claude: [proceeds normally]
Skip the question by stating authorization upfront:
You: I'm doing in-scope external recon on chase.com (authorized red-team
engagement, ROE allows passive enumeration). Where do I start?
Claude: [no scope check needed; proceeds with §7 pipeline]
You: Walk me through a 1-week deep recon engagement on acme.com.
Authorized red team, ~500 employees, M365 + GitHub + AWS shop.
Claude: [pulls §7.6 1-week deep profile + §10.1 medium-org tactics +
§11.10 M365 deep + §22 breach × identity correlation, organizes
work day-by-day]
You: I have:
- 47 subdomains (mix of api.*, app.*, dev.*, www, blog)
- 23 emails (3 exec, 8 dev, 12 misc)
- 4 IPs
- Confirmed Entra tenant + GitHub org
What's the highest-ROI thing to do next?
Claude: [pulls §7.5 priority order + §8.5 asset-level triage:
1. Run breach lookup on the 23 emails first (HudsonRock free tier)
2. Probe Entra tenant via §11.2 endpoints; GitHub org via §16.20+§19 dorks
3. Triage subdomains: dev.* + api.* first (lower defenses + higher API surface)
4. Defer www/blog to later pass]
You: I found AKIA1234567890EXAMPLE in a public GitHub gist. What now?
Claude: [pulls §17 catalog (CRITICAL severity), §6.3 validator discipline,
§23.2 read-only AWS validator, §23.12 post-discovery IAM enum]
1. Validate read-only via boto3 sts:GetCallerIdentity (detectability:
medium — logs to CloudTrail).
2. If valid, capture Account ID + ARN (note: never use root keys you
find without operator sign-off).
3. Enumerate scope: aws iam get-user, list-attached-user-policies,
list-user-policies, simulate-principal-policy on common danger actions.
4. Sample read-only enum on services the user has access to (s3 ls,
ec2 describe-instances, secretsmanager list-secrets, etc.).
5. Document finding with §31.2 report card; risk-translate via §31.3.
6. Disclose: AWS abuse + GitHub secret scanning (§30.5).
You: Write the executive summary for an engagement that found:
- 2 CRITICAL (open Firebase RTDB, leaked GitHub PAT validated live)
- 5 HIGH (sourcemaps on prod, open GraphQL introspection, etc.)
- 12 MEDIUM (missing HSTS, internal IPs in JS, etc.)
Claude: [pulls §31.1 exec summary template + §31.3 risk translation matrix,
produces a fully filled-in template with business-language impact
statements per finding]
Add "show which sections you're using" to your prompt. Claude will cite §s, which helps you trust the answer and learn the skill structure:
You: How do I find an origin behind Cloudflare? Show which sections you're using.
Claude: [pulls methodology §27 + arsenal §16.15, cites both, walks through 8 techniques]
Treat the engagement as a graph that grows. Periodically ask:
You: Given everything I've found so far, what's the highest-ROI next probe?
Claude will re-evaluate against §7.5 priority + §8.5 triage rules.
You: I think this subdomain is a takeover candidate. How confident should I be?
Claude: [pulls §2 confidence levels + §16.12 takeover signatures, evaluates]
If you start hitting active defenses:
You: I'm getting 429s and a Cloudflare interstitial. What now?
Claude: [pulls §6.4 detection-aware probing, walks through back-off ladder]
The skills assume you have standard recon tools available (subfinder, httpx, nuclei, etc.). They don't run anything — they tell you what to run. Combine with:
- Your tooling (see
offensive-osint§46 for install one-liners). - A note-taking system (Hunchly, Obsidian, etc.).
- An asset-graph store (your own platform / spreadsheet / DB).
- A reporting platform (HackerOne, Bugcrowd, custom).
- ❌ Asking Claude to execute probes. Claude doesn't have access to your network. It tells you what to run; you run it.
- ❌ Pasting real PII / credentials / breach corpus content into the prompt. Use placeholder data.
- ❌ Skipping the scope check. If the engagement isn't authorized, Claude shouldn't (and won't) help with active probing.
- ❌ Treating Claude's output as ground truth without verification. Always validate against the §17 catalog (regex match), §40 severity matrix (worked examples), and your own engagement context.
- ❌ Ignoring confidence levels. TENTATIVE findings are TENTATIVE. Use §2.1 to upgrade.
See ../examples/ for end-to-end walkthroughs:
01-quick-recon.md— 1-hour rapid recon02-bug-bounty-workflow.md— full HackerOne engagement03-identity-fabric-mapping.md— M365 deep enum04-secret-hunting.md— leaked-credential workflow