
RedGNAT

Continuous Automated Readiness Testing (CART) addon for the GNAT-o-sphere: ingest live threat intelligence from GNAT and SandGNAT, build scoped adversary-emulation scenarios, execute them under layered safety controls, and feed detection gaps back into GNAT as structured intelligence requirements.

Source: github.com/wrhalpin/RedGNAT.


Documentation

Organised with the Diátaxis framework. Four quadrants for four kinds of reader intent:

                Action (doing)    Study (reading)
  Learning      Tutorials         Explanation
  Working       How-to guides     Reference

Start here if you’re…


What RedGNAT does, end to end

  1. Intake: GNATSubscriber polls GNAT for new campaigns and TTPs; SandGNATSubscriber polls SandGNAT for fresh STIX behavioral bundles.
  2. Normalise: IntelNormalizer maps STIX AttackPattern objects to registered Technique classes and builds an ordered EmulationScenario.
  3. Execute: EmulationRunner dispatches each technique via Celery, enforcing scope, dry-run, and rate-limit controls at every step.
  4. Report gaps: GapReporter converts undetected techniques into STIX 2.1 Note objects and pushes them back to GNAT as intelligence requirements.
  5. Generate probes: ProbeGenerator calls GNAT’s LLMClient (Claude) with gap context; suggests follow-on techniques as ProbeRequest objects.
  6. Repeat: probe tasks re-enter the same pipeline, deepening coverage until detected or the runaway guard trips.
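As an added illustration of steps 4 and 6 (not RedGNAT's own code), the block below turns undetected techniques into STIX 2.1 Note objects whose object_refs point at the attack-pattern they were normalised from, and applies a depth-based runaway guard before a probe may re-enter the pipeline. MAX_PROBE_DEPTH, the helper names and the sample results are assumptions constructed for this example.

```python
# Added example, not code from the RedGNAT project. Minimal gap-reporting step
# (undetected technique -> STIX 2.1 Note) plus a depth-based runaway guard.
import re
import uuid
from datetime import datetime, timezone

MAX_PROBE_DEPTH = 3  # assumed guard setting; RedGNAT's real threshold is not on the page
STIX_ID = re.compile(r"^[a-z][a-z0-9-]*--[0-9a-f-]{36}$")  # <type>--<uuid>

# Constructed sample: one entry per executed technique in a scenario.
# "depth" counts how many probe rounds produced this technique (0 = original scenario).
SAMPLE_RESULTS = [
    {"attack_pattern": "attack-pattern--11111111-1111-4111-8111-111111111111",
     "name": "Command and Scripting Interpreter", "detected": True, "depth": 0},
    {"attack_pattern": "attack-pattern--22222222-2222-4222-8222-222222222222",
     "name": "Scheduled Task", "detected": False, "depth": 1},
    {"attack_pattern": "attack-pattern--33333333-3333-4333-8333-333333333333",
     "name": "Masquerading", "detected": False, "depth": 3},
]

def stix_timestamp() -> str:
    """STIX 2.1 timestamps are UTC RFC 3339 with a trailing 'Z'; millisecond precision here."""
    return datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%S.%f")[:-3] + "Z"

def gap_note(result: dict, scenario_name: str) -> dict:
    """Build one STIX 2.1 Note for a detection gap; object_refs is mandatory for a Note."""
    ts = stix_timestamp()
    return {
        "type": "note",
        "spec_version": "2.1",
        "id": f"note--{uuid.uuid4()}",
        "created": ts,
        "modified": ts,
        "abstract": f"Detection gap: {result['name']}",
        "content": (f"Technique '{result['name']}' ran in scenario '{scenario_name}' at probe "
                    f"depth {result['depth']} undetected; intelligence requirement for coverage."),
        "object_refs": [result["attack_pattern"]],
        "labels": ["detection-gap", "intelligence-requirement"],
    }

def report_gaps(results: list, scenario_name: str) -> list:
    """GapReporter-style step: one Note per undetected technique, each with valid STIX ids."""
    notes = [gap_note(r, scenario_name) for r in results if not r["detected"]]
    assert all(STIX_ID.match(n["id"]) and STIX_ID.match(n["object_refs"][0]) for n in notes)
    return notes

def may_probe(result: dict, max_depth: int = MAX_PROBE_DEPTH) -> bool:
    """Runaway guard: only undetected techniques below the depth limit re-enter the pipeline."""
    return (not result["detected"]) and result["depth"] < max_depth
```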

Full architecture diagrams and component breakdown in explanation/architecture.

Key design choices

The GNAT-o-sphere

RedGNAT is one part of a family of standalone capabilities that extend GNAT without modifying it.

GNAT (core platform): The hub platform for threat intelligence. 159 connectors, STIX 2.1 modeling, AI agents, investigations, and workflow automation.

GNAT-gui (interface): Analyst-facing React SPA for GNAT — investigation management, seed-driven evidence graphs, Hy/YAML/Prolog rules, full RBAC, and real-time SSE streaming.

SandGNAT (addon): Automated malware sandbox — detonate binaries in isolated Windows VMs, capture behavioral artifacts, emit STIX 2.1 objects.

SenseGNAT (addon): Network profiling and behavior analysis that surfaces anomalies and enriches GNAT investigations with traffic-layer context using network sensor and honeypot telemetry — high-volume ingestion from Kafka topics, Redis dedup, automatic campaign linking.

Canonical Workflow

  1. Collect (Telemetry & Sources): external indicators and raw network telemetry enter the ecosystem.
  2. Process (GNAT): ingest, normalize, convert to STIX, and route to addons.
     - SenseGNAT: behavioral profiling & anomaly detection
     - SandGNAT: malware detonation & artifact enrichment
     - RedGNAT: adversary emulation & validation
  3. Report (Investigate & Act): unified investigation graph, reporting, and operator action.


Status

v0.1.0 — Phase 1 (emulation and probing) and Phase 2 engagement infrastructure shipped. See releases/v0.1.0.

Licensed under Apache 2.0.