v0.1.0

Released 2026-04-20

Initial release of RedGNAT — the Continuous Automated Red Teaming (CART) addon for GNAT.

What’s included

Intake

• GNATSubscriber — polls GNAT for new campaigns and TTPs via GNATClient
• SandGNATSubscriber — polls SandGNAT export API for new STIX behavioral bundles
• IntelNormalizer — maps STIX bundles to EmulationScenario objects

Scenario management

• ScenarioBuilder — assembles ordered EmulationPlan from intel
• ScenarioStore — PostgreSQL persistence for scenarios, runs, and results
• TTPMapper — ATT&CK technique metadata for 30+ technique IDs

Emulation

• EmulationRunner — dispatches techniques, records results, enforces rate limits
• Celery task definitions for async, retryable scenario execution

Technique library (Phase 1)

• Discovery: T1046, T1595.001, T1087.002, T1069.002, T1482, T1087.004, T1069.003, T1526
• Phishing: T1566.001, T1566.002, T1566 + T1621 (AiTM)
• Identity: T1110.003, T1110.004, T1621, T1528, T1539

Phase 2 engagement infrastructure

• EngagementGate — three-factor authorization (config flag + env var + Redis token)
• EngagementToken — time-bounded, Redis-backed engagement window
• KillSwitch — Redis fast path + Postgres durable record
• EngagementRunner — per-step gate and kill-switch re-checks

Feedback loop

• GapReporter — converts undetected techniques to STIX 2.1 Note objects pushed to GNAT
• ProbeGenerator — uses GNAT’s LLMClient (Claude) to suggest follow-on probes; rule-based fallback

API

• FastAPI management interface on :8000
• Operator endpoints: /scenarios, /runs, /intel
• GNAT connector endpoints: /stix/results, /stix/sightings, /stix/gaps
• Engagement control endpoints: /engage/status, /engage/authorize, /engage/kill

GNAT integration

• RedGNATConnector plugin — bidirectional STIX exchange via ConnectorMixin

Safe-harbor controls

All Phase 1 techniques enforce:

1. Scope validation (target_ranges, excluded_ranges, target_accounts)
2. Dry-run mode (default true on new installs)
3. Rate limiting with per-technique jitter for credential techniques
4. Test-account-only enforcement for credential techniques
5. emulation_only = True flag on all Phase 1 techniques

See safe-harbor design for details.

Dependencies

• Python 3.11+
• PostgreSQL 15+ (psycopg3)
• Redis 7+
• Celery 5+
• FastAPI 0.110+
• GNAT library (gnat)