# Coverage Analysis
April 26, 2026
Honest assessment of what these skills cover vs. what real practitioners need.
## Headline number
~85–90% coverage of what an experienced practitioner would reach for during the OSINT/recon phase of an authorized external red-team engagement.
~35–45% coverage of what a full external red-team operator does in their job (because most red-team work is exploitation + post-exploit, intentionally out of scope).
## By practitioner archetype
| Archetype | Coverage of their needs | Why |
|---|---|---|
| Pure OSINT analyst | ~90% | Skills are built for this. |
| External attack-surface analyst (CyCognito-style) | ~85–90% | Direct overlap with the methodology. |
| Bug bounty hunter | ~75–80% | Strong on recon; thin on exploit techniques. |
| Threat intel investigator | ~70% | RU/CN pivots, attribution discipline, malware basics — but no infrastructure-tracking-over-time. |
| External red teamer (recon phase) | ~85–90% | The OSINT phase is well-covered. |
| External red teamer (full engagement) | ~35–45% | Recon is ~30–40% of a full engagement; rest (exploitation, post-exploit, lateral, reporting) is mostly out of scope. |
| Internal red teamer (assumed-breach) | ~10% | Almost entirely out of scope. |
| Adversary emulation / TTP-driven | ~25% | Threat-actor section exists; specific TTP playbooks per APT don't. |
| Physical pentester | ~25% | Sat imagery + LinkedIn intel cover scouting; physical execution doesn't. |
| Social engineer | ~50% | Pretext development covered; payload crafting + voice tradecraft not. |
| Purple teamer | ~30% | No SOC-coordination guidance. |
## By engagement phase
| Phase | Coverage |
|---|---|
| Pre-engagement (RoE, scoping, NDAs, SOW, pricing) | ~10% |
| External OSINT / passive recon | ~85–90% |
| External active recon (light probing) | ~75–85% |
| Phishing payload crafting + delivery | 0% (out of scope) |
| Initial access (exploit execution) | ~5% (we identify, don't exploit) |
| Foothold / persistence | 0% (out of scope) |
| Privilege escalation (local + AD) | 0% (out of scope) |
| Lateral movement | 0% (out of scope) |
| C2 infrastructure | 0% (out of scope) |
| AV/EDR evasion | 0% (out of scope) |
| Domain dominance | 0% (out of scope) |
| Data exfiltration tradecraft | 0% (out of scope) |
| Cleanup / artifact removal | 0% (out of scope) |
| Reporting (technical + exec) | ~75% |
| Disclosure / vendor coordination | ~60% |
| Re-test / continuous monitoring | ~30% |
| Purple-team / SOC-coordination | 0% |
| Lessons-learned / engagement retrospective | ~20% |
## What's deliberately out of scope (and why)
- Active exploitation, post-exploitation, malware — operational tradecraft, different domain, safety posture concerns.
- C2 frameworks, AV/EDR evasion — operational tradecraft, large body of separate knowledge.
- AD attacks, BloodHound, Kerberos — internal recon, not external.
- Specific client-portal report formats — too company-specific to template usefully.
- Pricing, NDA, SOW templates — business operations, not technical.
- Real PII / breach corpus content — privacy + opsec.
## Smoke-test results (32 prompts)
The repo ships 32 self-test prompts (tests/smoke-test-prompts.md) covering the major capability areas.
| Run | PASS | PARTIAL | FAIL | Grade |
|---|---|---|---|---|
| v2.0 (initial) | 1 | 9 | 22 | C |
| v2.1 (current) | 31 | 1 | 0 | A |
The single PARTIAL is Test 5 (cloud-bucket combinatorial generation). This is acceptable: the inputs and the technique are documented, and generating the candidate list at runtime is the appropriate approach.
## Caveats
The smoke-test number (96.9% PASS) is Claude grading itself on tests Claude designed. It's a useful signal for tracking gaps but not an objective measure of real-world coverage. A real practitioner would find more gaps. Treat it as "the skills now answer the obvious questions"; non-obvious questions may need a follow-on iteration.
## What experienced practitioners would say is still missing (within OSINT scope)
If a senior offensive consultant reviewed v2.1 and stayed within OSINT scope, here's what they'd flag as still missing:
- Specific tool-chaining recipes — "use spiderfoot → export CSV → maltego transforms → asset graph" workflows. We name tools; we don't compose them step-by-step.
- Recon-ng / SpiderFoot / Maltego module-by-module configuration — these are full ecosystems; we treat them as pointers.
- Custom Burp Suite / OWASP ZAP setup for engagements — the "configure your active proxy for an engagement" guide.
- OPSEC infrastructure as code — Terraform/Ansible to spin up clean engagement infrastructure (proxy stacks, redirectors).
- Sector-specific deep dives — §47 is a starting point, not a deep dive (real healthcare RT specialists know HL7 traffic like a second language).
- Adversary-emulation playbooks per APT — "to simulate APT29's external recon, use these specific tools/techniques."
- Continuous-monitoring orchestration — daily diff scripts, alert pipelines, false-positive tuning.
- Multi-tenant engagement workflow — how an MSSP runs 30 concurrent ASM engagements without crossing wires.
- Client-specific report styling — every Big-4 consultancy has its own template.
- Tool failure recovery — when Shodan rate-limits during a critical phase, what's plan B/C/D?
These would push coverage to ~95% of OSINT-phase work. Each would add 200–500 lines and approach the limits of what a single skill can usefully encode.
## Roadmap
| Phase | Status | Description |
|---|---|---|
| v1.0 | ✅ Done | Original framework |
| v2.0 | ✅ Done | External-red-team posture rewrite |
| v2.1 | ✅ Current | Comprehensive expansion (this version) |
| v2.2 | 🔜 | Continuous-monitoring playbook + multi-tenant workflow + Burp extension recipes |
| v3.0 | 🔜 | Plugin manifest for one-click Claude Code install + optional MCP server companion |
## Bottom line
For "external OSINT for authorized red-team operations": ~85–90% coverage of what an experienced practitioner reaches for. For "everything a full red-team operator does in their job": ~35–45% — the gap is mostly intentional (out of scope).
The skills are production-ready for OSINT-phase work. They are not a replacement for a senior red teamer on a full engagement.