Brumby
The intelligence and orchestration layer for red team operations.
Brumby sits above the C2 tooling your team already uses—Cobalt Strike, Mythic, Sliver, or your custom framework—capturing every action in a standardized schema and building a live context graph of your entire operation.
Your C2 does implant management. Brumby does everything else.
Every action dispatched through Brumby flows through a deterministic parsing engine that extracts entities and builds a live context graph. No LLM required—it's code, not magic.
C2-Agnostic
First-party integrations for Sliver, Mythic, and Cobalt Strike. Bring your custom or proprietary C2 with our adapter SDK.
Live Context Graph
Hosts, users, credentials, processes, services, files—automatically parsed and correlated in a Neo4j knowledge graph that builds itself as the operation progresses.
Multi-Operator Workspace
Shared context graph, four RBAC roles (Admin, Journeyman, Apprentice, Observer), and a full security audit trail. The whole team operates from the same intelligence.
For the first time, the offensive and defensive sides of an engagement live in the same data model.
Brumby captures what defenders saw, alerted on, and acted on—with detection timing and triage status correlated to the actions that triggered them.
The industry chose between frequency, fidelity, and measurability. Brumby dissolves the tradeoff.
BAS and autonomous pentesting scale control validation but don't engage response. Red teams engage the full program, but at the cost of frequency and measurability. These tradeoffs are no longer necessary.
Operator Uplift
AI-assisted execution, automated documentation, and operation replay let quarterly set-pieces become continuous adversarial pressure. Substantially more operations per year.
Real Tradecraft Preserved
Brumby orchestrates the tools real adversaries use—Cobalt Strike, Mythic, Sliver, and custom frameworks. No proprietary implant ceiling, no synthetic TTPs: engagements remain real red team operations.
Structured Capture & Corpus
Raw operation data never leaves the customer environment by default. Every action is captured in a standardized schema—structured data that powers automated documentation, compliance audit trails, and cross-operation analysis.
Built for the operators who'll use it, and the leaders accountable for it.
Every capability below ships in the base platform. Brumby scales operations without sacrificing tradecraft, gives leaders visibility and governance, and keeps sensitive data inside your environment.
Real Tradecraft, Your Tools
Your custom C2, implants, loaders, obfuscation, and tradecraft. Brumby makes all of it more effective. Unlike autonomous pentesting platforms that lock you into proprietary implants, Brumby sits above your existing frameworks.
Your Data, Your Models, Your Environment
Brumby deploys locally via Docker Compose. Raw operation data stays in your environment by default. Bring your own LLM provider—Anthropic, OpenAI, OpenRouter, or fully local inference with Ollama for air-gapped deployments.
Programmatic OPSEC Enforcement
Write rules from simple regex (block whoami) to rich context-aware logic: don't upload a binary calling C2 domain A to a host already beaconing to domain B. Rules fire inline before commands reach the C2, fail-closed on engine failure.
Role-Based Execution
Four operator roles (Admin, Journeyman, Apprentice, Observer) with distinct permissions across OPSEC rules, agentic features, and execution scope. Apprentices learn under enforced guardrails; Journeymen operate independently within team SOPs.
Audit-Grade Logging, Automatic
Every input and output is captured in a standardized schema—more consistent, factual documentation without operator effort. Powers SOP generation, compliance audit trails, and structured attack chain intelligence.
AI Woven Through the Workflow
Purpose-built agents where necessary, workflows and deterministic logic wherever possible. Operators control AI involvement through per-agent model selection, per-feature enable/disable, and approval gates on automated steps.
LLM-augmented, not LLM-dependent. All core capabilities—parsing, graph building, baseline classification, guardrails, chains—run deterministically by default with no LLM required. AI features are off by default and individually enabled when you connect your provider.
The platform thinks while you operate.
Brumby continuously analyzes your operation—surfacing opportunities, classifying targets, tracing causality, and mining data you've already collected.
Vanilla/Notable Entity Detection
Every process, service, and scheduled task is classified against curated OS baselines—automatically matched to the target's build and version. You run ps and instantly see what doesn't belong. Operators can override classifications with team-scoped rules that refine the baseline for your target environment.
Proactive Intelligence Feed
Brumby cross-correlates graph state, command output, and environmental context to surface actionable opportunities in real time—credential reuse across hosts, services with unquoted paths, writable directories in the system PATH. Write rules once against the context graph, benefit in every operation.
Causal Action Chains
Brumby traces the causal flow of your operation by linking entity references through the context graph—which actions discovered which entities, and which later actions used them. Chains form retroactively from graph-level dependencies, building navigable attack narratives without manual annotation.
Quiet File Intelligence
Zero additional target noise. File listings you've already collected are automatically classified by a curated rule corpus, tagged with behavioral verdicts, and change-tracked across successive listings. Credential stores, key material, and anomalous files surface without running a single extra command.
Measure What Defenders Actually Saw
Ingest Elastic Security alerts and correlate them to the red team actions that triggered them. Per-action detection attribution shows defenders exactly what was caught, what was missed, and where response gaps remain—turning every engagement into measurable program improvement.
Detections Become Guardrails
Import detection rules (common/default ones, or whatever you exfil) from EQL/KQL into Brumby's OPSEC engine. The platform warns operators before they trip a wire defenders are likely watching for.
See Brumby in action.
Operate through Brumby: every input and output flows through the platform, building the context graph that powers everything else.
ps. Note the gold processes, which are deviations from a vanilla baseline host, and the faint gold processes which have partial deviation from expected baseline.
Try Brumby.
Brumby is live, and ready to improve your operations. If you're a red team operator or security leader, reach out—we'll get you set up with access in a realistic environment so you can test it thoroughly.
Or email us directly at [email protected]