[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"project-72454":3},{"id":4,"name":5,"fullName":6,"owner":7,"repo":5,"description":8,"homepage":9,"htmlUrl":10,"language":11,"languages":10,"totalLinesOfCode":10,"stars":12,"forks":13,"watchers":14,"openIssues":15,"contributorsCount":16,"subscribersCount":16,"size":16,"stars1d":17,"stars7d":18,"stars30d":19,"stars90d":16,"forks30d":16,"starsTrendScore":20,"compositeScore":21,"rankGlobal":10,"rankLanguage":10,"license":22,"archived":23,"fork":23,"defaultBranch":24,"hasWiki":25,"hasPages":23,"topics":26,"createdAt":10,"pushedAt":10,"updatedAt":27,"readmeContent":28,"aiSummary":29,"trendingCount":16,"starSnapshotCount":16,"syncStatus":30,"lastSyncTime":31,"discoverSource":32},72454,"raptor","gadievron\u002Fraptor","gadievron","Raptor turns Claude Code into a general-purpose AI offensive\u002Fdefensive security agent. By using Claude.md and creating rules, sub-agents, and skills, and orchestrating security tool usage, we configure the agent for adversarial thinking, and perform research or attack\u002Fdefense operations.","",null,"Python",2920,465,24,11,0,41,124,405,123,110.01,"Other",false,"main",true,[],"2026-06-12 04:01:05","```text\n╔═══════════════════════════════════════════════════════════════════════════╗\n║ ║\n║ ██████╗ █████╗ ██████╗ ████████╗ ██████╗ ██████╗ ║\n║ ██╔══██╗██╔══██╗██╔══██╗╚══██╔══╝██╔═══██╗██╔══██╗ ║\n║ ██████╔╝███████║██████╔╝ ██║ ██║ ██║██████╔╝ ║\n║ ██╔══██╗██╔══██║██╔═══╝ ██║ ██║ ██║██╔══██╗ ║\n║ ██║ ██║██║ ██║██║ ██║ ╚██████╔╝██║ ██║ ║\n║ ╚═╝ ╚═╝╚═╝ ╚═╝╚═╝ ╚═╝ ╚═════╝ ╚═╝ ╚═╝ ║\n║ ║\n║ Autonomous Offensive\u002FDefensive Research Framework ║\n║ Based on Claude Code (v3.0.0) ║\n║ ║\n║ Gadi Evron, Daniel Cuthbert, Thomas Dullien (Halvar Flake) ║\n║ Michael Bargury, John Cartwright ║\n║ ║\n╚═══════════════════════════════════════════════════════════════════════════╝\n\n⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⢀⣠⣤⣤⣀⣀\n⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⣾⣿⣿⠿⠿⠟\n⠀⠀⠀⠀⠀⠀⠀⠀⢀⣀⣀⣀⣀⣀⣀⣤⣴⣶⣶⣶⣤⣿⡿⠁⠀⠀⠀\n⣀⠤⠴⠒⠒⠛⠛⠛⠛⠛⠿⢿⣿⣿⣿⣿⣿⣿⣿⣿⣿⠟⠁⠀⠀⠀⠀\n⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠉⠛⣿⣿⣿⡟⠻⢿⡀⠀⠀⠀⠀⠀\n⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⢀⣾⢿⣿⠟⠀⠸⣊⡽⠀⠀⠀⠀⠀\n⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⢸⡇⣿⡁⠀⠀⠀⠉⠁⠀⠀⠀⠀⠀\n⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠈⠻⠿⣿⣧⠀ Get them bugs.....⠀⠀⠀⠀⠀\n\n```\n\n\u003Ca href=\"https:\u002F\u002Fsmithery.ai\u002Fskills?ns=gadievron&utm_source=github&utm_medium=badge\">\u003Cimg src=\"https:\u002F\u002Fsmithery.ai\u002Fbadge\u002Fskills\u002Fgadievron\">\u003C\u002Fa>\n\u003Ca href=\"https:\u002F\u002Fgithub.com\u002Fgadievron\u002Fraptor\u002Factions\u002Fworkflows\u002Fgithub-code-scanning\u002Fcodeql\">\u003Cimg src=\"https:\u002F\u002Fgithub.com\u002Fgadievron\u002Fraptor\u002Factions\u002Fworkflows\u002Fgithub-code-scanning\u002Fcodeql\u002Fbadge.svg\">\u003C\u002Fa>\n\n**Authors:** Gadi Evron, Daniel Cuthbert, Thomas Dullien (Halvar Flake), Michael Bargury, John Cartwright\n([@gadievron](https:\u002F\u002Fgithub.com\u002Fgadievron), [@danielcuthbert](https:\u002F\u002Fgithub.com\u002Fdanielcuthbert), [@thomasdullien](https:\u002F\u002Fgithub.com\u002Fthomasdullien), [@mbrg](https:\u002F\u002Fgithub.com\u002Fmbrg), [@grokjc](https:\u002F\u002Fgithub.com\u002Fgrokjc))\n\n**Licence:** MIT, see LICENSE. Note that CodeQL has its own licence and does not permit commercial use.\n\n**Repository:** https:\u002F\u002Fgithub.com\u002Fgadievron\u002Fraptor\n\n---\n\n## What is RAPTOR?\n\nRAPTOR is an autonomous security research framework built on top of Claude Code (but not tied to it -- you can plug in your own analysis layer too). It chains together static analysis, binary analysis, LLM-powered vulnerability validation, exploit generation, and patch writing into a single workflow you can run against a codebase or binary.\n\nIt is not polished software. It was built in free time, held together with enthusiasm and duct tape, and it works well enough that we can't stop using it. If you want to make it better, open a PR.\n\nRAPTOR stands for Recursive Autonomous Penetration Testing and Observation Robot. We really wanted to call it RAPTOR.\n\n---\n\n## Quick Start\n\n### Option 1: Install manually\n\n```bash\n# Clone the repo\ngit clone https:\u002F\u002Fgithub.com\u002Fgadievron\u002Fraptor.git\ncd raptor\n\n# Install Python dependencies\npip install -r requirements.txt\n\n# Install Claude Code (required)\nnpm install -g @anthropic-ai\u002Fclaude-code\n\n# Install Semgrep (required for scanning)\npip install semgrep\n\n# Open RAPTOR\nclaude\n```\n\n### Option 2: Devcontainer (recommended)\n\nEverything pre-installed. Open in VS Code with **Dev Containers: Open Folder in Container**, or build manually:\n\n```bash\ndocker build -f .devcontainer\u002FDockerfile -t raptor:latest .\ndocker run --privileged -it raptor:latest\n```\n\nThe `--privileged` flag is required for the `rr` deterministic debugger. The image is large (around 6 GB). It starts from the Microsoft Python 3.12 devcontainer and adds static analysis, fuzzing, and browser automation tooling.\n\nOnce inside, just say \"hi\" to get started, or jump straight to a command.\n\n---\n\n## What RAPTOR can do\n\n| Command | What it does | Status |\n|---------|-------------|--------|\n| `\u002Fagentic` | Full autonomous workflow: scan, validate, exploit, patch | Stable |\n| `\u002Fscan` | Static analysis with Semgrep and CodeQL | Stable |\n| `\u002Funderstand` | Map attack surface, trace data flows, hunt vulnerability variants | Stable |\n| `\u002Fvalidate` | Multi-stage exploitability validation pipeline (Stages 0-F) | Stable |\n| `\u002Fcodeql` | CodeQL-only deep analysis with SMT dataflow pre-screening | Stable |\n| `\u002Fexploit` | Generate proof-of-concept exploit code | Beta |\n| `\u002Fpatch` | Generate secure patches for confirmed vulnerabilities | Beta |\n| `\u002Ffuzz` | Binary fuzzing with AFL++ and crash analysis | Stable |\n| `\u002Fcrash-analysis` | Autonomous root-cause analysis for C\u002FC++ crashes | Stable |\n| `\u002Foss-forensics` | Evidence-backed forensic investigation for GitHub repositories | Stable |\n| `\u002Fproject` | Named workspaces to organise runs and track findings over time | Stable |\n| `\u002Fweb` | Web application scanning | Alpha\u002Fstub |\n\n---\n\n## How the pipeline works\n\nStart by creating a project so all your runs land in one place:\n\n```\n\u002Fproject create myapp --target \u002Fpath\u002Fto\u002Fcode # create a project first\n\u002Fproject use myapp # set it as active\n\u002Funderstand --map # map the attack surface\n\u002Fagentic # scan, validate, exploit, patch\n\u002Fproject findings # review everything in one place\n```\n\n`\u002Funderstand` builds a context map of entry points, trust boundaries, and sinks before a line of scanning happens. `\u002Fagentic` then runs Semgrep and CodeQL, deduplicates findings, and dispatches each one for validation using the exploitation-validator methodology:\n\n- Stage A: is the pattern actually a vulnerability, or is the tool pattern-matching noise?\n- Stage B: what does an attacker need to reach it, and what gets in the way?\n- Stage C: does the code path actually exist? can it be reached from outside?\n- Stage D: final call -- is this test code, does it need unrealistic preconditions, is the model hedging?\n\nFindings that clear validation get exploit PoCs and patches generated. A cross-finding analysis runs at the end to find shared root causes and attack chains.\n\n`\u002Fvalidate` runs this same pipeline as a standalone step if you already have findings from a previous scan.\n\n---\n\n## Z3 SMT integration\n\nRAPTOR has a two-layer Z3 integration (`pip install z3-solver`). It is optional. Everything works without it, but the results are better with it.\n\n**Dataflow pre-screening (CodeQL)**\n\nWhen CodeQL produces a path result, the path constraints are checked for satisfiability before any LLM call is made. Paths that are provably unreachable get dropped immediately. For paths that are reachable, Z3 produces concrete candidate inputs that go into the analysis prompt, so the LLM has something specific to reason about rather than abstract patterns.\n\n**One-gadget constraint analysis (binary feasibility)**\n\nDuring binary exploit feasibility assessment, Z3 checks whether a one-gadget's register and memory constraints are satisfiable against the concrete crash state. Gadgets are ranked by actual reachability rather than heuristics, so you spend time on gadgets that can actually work.\n\nZ3 is pre-installed in the devcontainer. For manual installs: `pip install z3-solver`.\n\n---\n\n## Running offline and in air-gapped pipelines\n\nSemgrep scanning works fully offline. All registry packs that would normally be fetched from semgrep.dev at scan time are shipped in the repo under `engine\u002Fsemgrep\u002Frules\u002Fregistry-cache\u002F`. The scanner resolves pack IDs to local files before invoking semgrep, so no network call happens.\n\nCached packs: `p\u002Fsecurity-audit`, `p\u002Fowasp-top-ten`, `p\u002Fsecrets`, `p\u002Fcommand-injection`, `p\u002Fjwt`, `p\u002Fdefault`, `p\u002Fxss`.\n\nCustom rules under `engine\u002Fsemgrep\u002Frules\u002F` were never network-dependent and run as normal.\n\nCodeQL needs network access only during initial setup to download the CLI and query packs. Once installed it runs offline.\n\n---\n\n## Using a different LLM\n\nRAPTOR has two separate model layers, and it is worth knowing how both work before you change anything.\n\nThe **orchestration layer** is always Claude Code. The CLAUDE.md, skills, and commands all run as Claude Code instructions. To change which Claude model orchestrates RAPTOR, use Claude Code's `--model` flag or the `\u002Fmodel` command inside a session.\n\nThe **analysis dispatch layer** is the LLM that analyses individual vulnerability findings. This is separate from the orchestration layer and can be any supported provider. Configure it in `~\u002F.config\u002Fraptor\u002Fmodels.json`:\n\n```json\n{\n \"models\": [\n {\n \"provider\": \"anthropic\",\n \"model\": \"claude-opus-4-6\",\n \"api_key\": \"sk-ant-...\",\n \"role\": \"analysis\"\n },\n {\n \"provider\": \"openai\",\n \"model\": \"gpt-5.4\",\n \"api_key\": \"sk-...\",\n \"role\": \"analysis\"\n },\n {\n \"provider\": \"anthropic\",\n \"model\": \"claude-sonnet-4-6\",\n \"api_key\": \"sk-ant-...\",\n \"role\": \"aggregate\"\n }\n ]\n}\n```\n\nOr skip the config file and set environment variables. RAPTOR will detect them automatically:\n\n```bash\nexport ANTHROPIC_API_KEY=sk-ant-... # Anthropic Claude\nexport OPENAI_API_KEY=sk-... # OpenAI\nexport GEMINI_API_KEY=... # Google Gemini\nexport MISTRAL_API_KEY=... # Mistral\nexport OLLAMA_HOST=http:\u002F\u002Flocalhost:11434 # Local Ollama\n```\n\nModel roles let you assign different models to different tasks:\n\n| Role | What it does |\n|------|-------------|\n| `analysis` | Validates and analyses each finding (Stages A-D) |\n| `code` | Writes exploit PoCs and patch code |\n| `consensus` | Second-opinion vote on true positives |\n| `aggregate` | Optional. LLM-written narrative synthesis on top of the deterministic multi-model correlation, written to `aggregation.json` and the final `agentic-report.md` |\n| `fallback` | Used if the primary model fails or hits rate limits |\n\nIf no roles are set, the first model in the list handles everything. For multi-model\nsource-code analysis, configure two or more `analysis` models — you'll get the\ndeterministic correlation by default. The `aggregate` role is optional and adds an\nLLM-written summary on top:\n\n```bash\npython3 raptor.py agentic --repo \u002Fcode \\\n --model claude-opus-4-6 \\\n --model gpt-5.4 \\\n --aggregate claude-sonnet-4-6\n```\n\nBudget control:\n\n```bash\nexport RAPTOR_MAX_COST=5.00 # cap analysis spend at $5 per run\n```\n\nOllama works for analysis but produces unreliable exploit and patch code. For code generation tasks, use a frontier model.\n\n### Fast-tier short-circuit + the model scorecard\n\nWhen your analysis-tier model has a same-provider cheaper sibling (Anthropic Opus → Haiku, OpenAI 5.x → 4o-mini, Gemini Pro → Flash-Lite, Mistral Large → Small), RAPTOR will use it as a prefilter on consumers that wire into the substrate (codeql today; SCA and others as follow-ups land). The cheap model only ever short-circuits on **confident false positives**; ambiguous cases and confident-TPs always run the full analysis. Trust accumulates per `(model, decision_class)` cell — RAPTOR records cheap-vs-full agreement and only short-circuits once the Wilson 95% upper-bound on the cell's miss-rate falls at or below 5%.\n\nTo inspect what your models are good at, use `\u002Fscorecard` (or directly: `libexec\u002Fraptor-llm-scorecard list`). The scorecard is global (lessons carry across projects) and persists at `out\u002Fllm_scorecard.json`.\n\n---\n\n## Projects\n\nWithout a project, each run gets its own timestamped directory under `out\u002F`. With a project, everything goes into one place and you get merged findings, coverage tracking, and diffs between runs.\n\n```bash\n\u002Fproject create myapp --target \u002Fpath\u002Fto\u002Fcode -d \"Short description\"\n\u002Fproject use myapp\n\n\u002Fscan\n\u002Funderstand --map\n\u002Fvalidate\n\n\u002Fproject status # all runs, pass\u002Ffail, timestamps\n\u002Fproject findings # merged findings across all runs\n\u002Fproject findings --detailed # per-finding detail\n\u002Fproject coverage --detailed # which files were reviewed\n\u002Fproject diff myapp run1 run2 # compare two runs\n\u002Fproject report # full merged report\n\u002Fproject clean --keep 3 # remove old runs, keep the last 3\n\u002Fproject export myapp \u002Ftmp\u002Fmyapp.zip\n\u002Fproject none # clear active project\n```\n\n---\n\n## Architecture\n\nRAPTOR is two layers.\n\nThe **Python execution layer** (`raptor.py`, `packages\u002F`, `core\u002F`, `engine\u002F`) handles the heavy lifting: running Semgrep and CodeQL, managing subprocesses, parsing SARIF, deduplicating findings, dispatching LLM API calls, tracking costs, writing output files. It does not make decisions. It executes.\n\nThe **Claude Code decision layer** (`.claude\u002F`, `tiers\u002F`, `CLAUDE.md`) makes the calls: which findings to prioritise, how to interpret results, what the attack scenario is, whether the exploit is realistic. Implemented as Claude Code skills, commands, and agents that load progressively.\n\n```\nCLAUDE.md always loaded -- bootstrap, routing, security rules\n.claude\u002Fcommands\u002F slash commands (\u002Fagentic, \u002Fscan, \u002Fvalidate, etc.)\n.claude\u002Fskills\u002F methodology detail, loaded on demand\ntiers\u002F adversarial thinking, recovery, expert personas\n.claude\u002Fagents\u002F specialist sub-agents (offsec, crash analysis, forensics)\n```\n\nThe split means you can run the Python layer from a CI pipeline (`python3 raptor.py scan --repo ...`) and get structured SARIF output without Claude Code, or run it interactively with the full agentic workflow.\n\n---\n\n## OSS forensics\n\n`\u002Foss-forensics` investigates public GitHub repositories using evidence from multiple sources: the GitHub API, GH Archive (immutable event history via BigQuery), the Wayback Machine, and local git history. It runs a structured pipeline from evidence collection through hypothesis formation to a final forensic report.\n\nRequires `GOOGLE_APPLICATION_CREDENTIALS` for BigQuery access. See `.claude\u002Fcommands\u002Foss-forensics.md` for details.\n\n---\n\n## Expert personas\n\nNine expert personas are available on demand. Load one when you want a different perspective on a finding or a specific technique:\n\n```\nMark Dowd Binary exploitation and vulnerability research\nCharlie Miller \u002F Halvar Flake Low-level exploitation and reverse engineering\nSecurity Researcher General adversarial code review\nPatch Engineer Secure fix generation\nPenetration Tester Realistic attack scenario assessment\nFuzzing Strategist Corpus design and triage\nBinary Exploitation Specialist ROP, heap, and memory corruption\nCodeQL Dataflow Analyst Query writing and path analysis\nCodeQL Finding Analyst Triage and false positive identification\n```\n\nTell Claude which one to use, e.g. \"Use the Binary Exploitation Specialist\".\n\n---\n\n## Documentation\n\n| File | Contents |\n|------|----------|\n| `docs\u002FCLAUDE_CODE_USAGE.md` | Complete usage guide for interactive sessions |\n| `docs\u002FPYTHON_CLI.md` | Python CLI reference for scripting and CI |\n| `docs\u002FFUZZING_QUICKSTART.md` | Binary fuzzing guide |\n| `docs\u002FARCHITECTURE.md` | Technical architecture detail |\n| `docs\u002FEXTENDING_LAUNCHER.md` | How to add new capabilities |\n| `docs\u002FDEPENDENCIES.md` | External tools, versions, and licences |\n| `.claude\u002Fcommands\u002Foss-forensics.md` | OSS forensics investigation guide |\n| `tiers\u002Fpersonas\u002FREADME.md` | Persona reference |\n\n---\n\n## Contributing\n\nRAPTOR is open source. Good places to start if you want to contribute:\n\n- A proper web exploitation module (the current one is a stub)\n- SSRF detection rules (no registry pack exists and the local rules directory is empty)\n- YARA signature generation\n- Ports to other AI coding tools (Cursor, Windsurf, Copilot, Cline)\n- Better firmware analysis coverage\n- Anything you think is missing\n\nReleases are tagged as `vX.Y.Z` and built automatically by CI. Commit prefixes determine what goes in the changelog: `feat:` for new features, `fix:` for bug fixes, `security:` for security changes, `docs:` for documentation. Anything without a prefix lands in \"Other changes\". No strict convention required, but it helps.\n\nSubmit pull requests. Chat with us on the **#raptor** channel in the Prompt||GTFO Slack:\nhttps:\u002F\u002Fjoin.slack.com\u002Ft\u002Fpromptgtfo\u002Fshared_invite\u002Fzt-3v2b4sll3-SfyzFRw2lykx_XQX7F3uNQ\n\n---\n\n## Licence\n\nMIT -- Copyright (c) 2025-2026 Gadi Evron, Daniel Cuthbert, Thomas Dullien (Halvar Flake), Michael Bargury, John Cartwright.\n\nSee LICENSE for the full text. Review the licences for all dependencies before commercial use -- CodeQL in particular does not permit it.\n\n**Issues:** https:\u002F\u002Fgithub.com\u002Fgadievron\u002Fraptor\u002Fissues\n","Raptor是一个基于Claude Code构建的通用AI攻防安全代理框架。它通过创建规则、子代理和技能,并协调安全工具的使用,来配置代理进行对抗性思考,执行研究或攻防操作。核心功能包括静态分析、二进制分析、基于LLM的漏洞验证、利用生成和补丁编写等,并将这些功能整合到一个工作流中,可以应用于代码库或二进制文件。该项目适合需要进行自动化安全测试与研究的场景,尤其是对软件进行深度安全性评估时。",2,"2026-06-11 03:42:08","high_star"]