Usage
April 27, 2026 · View on GitHub
How to actually use these skills during an engagement.
Quick reference
| What you want to do | What to type | Skills triggered |
|---|---|---|
| Plan an external recon engagement | "Plan a 1-day external recon on acme.com (in-scope BB)" | both |
| Get probe paths for a specific surface | "What paths should I probe to find Swagger on a webapp?" | arsenal |
| Triage a discovered asset | "I found a hard-coded JWT in a JS bundle. Walk me through triage." | arsenal |
| Pivot a finding | "I have an AWS access key. Confirm it's live (read-only) and enumerate scope." | arsenal §23 + §23.12 |
| Map identity fabric | "Target uses Microsoft 365. Walk me through deep enum." | both |
| Origin discovery | "Target is behind Cloudflare. How do I find the origin?" | both |
| Severity assessment | "How serious is android:debuggable=true on a prod Android app?" | arsenal §40 |
| Write a client report | "Write the executive summary for an engagement that found 2 CRIT, 5 HIGH, 12 MED" | methodology §31 |
| Submit a bug bounty report | "Format my finding as a HackerOne report. Finding: unauth POST /api/users on api.example.com" | methodology §30 |
| Generate phishing shortlist | "Generate phishing-feasibility shortlist for acme.com (authorized)" | both |
Conversation patterns
Scope check
When you ask about an unverified third-party target, the skills trigger a soft scope check:
You: Run a full subdomain enumeration on chase.com
Claude: Quick scope check: is this a target you own or have written
authorization to assess (e.g., a red-team engagement, in-scope
bug-bounty asset, or your own infrastructure)? I want to make sure
we stay on the right side of the engagement boundary.
You: Yes, I'm a Chase employee testing our own asset.
Claude: [proceeds normally]
Skip the question by stating authorization upfront:
You: I'm doing in-scope external recon on chase.com (authorized red-team
engagement, ROE allows passive enumeration). Where do I start?
Claude: [no scope check needed; proceeds with §7 pipeline]
Pipeline-driven engagement
You: Walk me through a 1-week deep recon engagement on acme.com.
Authorized red team, ~500 employees, M365 + GitHub + AWS shop.
Claude: [pulls §7.6 1-week deep profile + §10.1 medium-org tactics +
§11.10 M365 deep + §22 breach × identity correlation, organizes
work day-by-day]
Asset-by-asset triage
You: I have:
- 47 subdomains (mix of api.*, app.*, dev.*, www, blog)
- 23 emails (3 exec, 8 dev, 12 misc)
- 4 IPs
- Confirmed Entra tenant + GitHub org
What's the highest-ROI thing to do next?
Claude: [pulls §7.5 priority order + §8.5 asset-level triage:
1. Run breach lookup on the 23 emails first (HudsonRock free tier)
2. Probe Entra tenant via §11.2 endpoints; GitHub org via §16.20+§19 dorks
3. Triage subdomains: dev.* + api.* first (lower defenses + higher API surface)
4. Defer www/blog to later pass]
Finding-driven workflow
You: I found AKIA1234567890EXAMPLE in a public GitHub gist. What now?
Claude: [pulls §17 catalog (CRITICAL severity), §6.3 validator discipline,
§23.2 read-only AWS validator, §23.12 post-discovery IAM enum]
1. Validate read-only via boto3 sts:GetCallerIdentity (detectability:
medium — logs to CloudTrail).
2. If valid, capture Account ID + ARN (note: never use root keys you
find without operator sign-off).
3. Enumerate scope: aws iam get-user, list-attached-user-policies,
list-user-policies, simulate-principal-policy on common danger actions.
4. Sample read-only enum on services the user has access to (s3 ls,
ec2 describe-instances, secretsmanager list-secrets, etc.).
5. Document finding with §31.2 report card; risk-translate via §31.3.
6. Disclose: AWS abuse + GitHub secret scanning (§30.5).
Reporting workflow
You: Write the executive summary for an engagement that found:
- 2 CRITICAL (open Firebase RTDB, leaked GitHub PAT validated live)
- 5 HIGH (sourcemaps on prod, open GraphQL introspection, etc.)
- 12 MEDIUM (missing HSTS, internal IPs in JS, etc.)
Claude: [pulls §31.1 exec summary template + §31.3 risk translation matrix,
produces a fully filled-in template with business-language impact
statements per finding]
Tips
Ask for skill references in the response
Add "show which sections you're using" to your prompt. Claude will cite §s, which helps you trust the answer and learn the skill structure:
You: How do I find an origin behind Cloudflare? Show which sections you're using.
Claude: [pulls methodology §27 + arsenal §16.15, cites both, walks through 8 techniques]
Iterate on the asset graph
Treat the engagement as a graph that grows. Periodically ask:
You: Given everything I've found so far, what's the highest-ROI next probe?
Claude will re-evaluate against §7.5 priority + §8.5 triage rules.
Confidence-grade your findings
You: I think this subdomain is a takeover candidate. How confident should I be?
Claude: [pulls §2 confidence levels + §16.12 takeover signatures, evaluates]
Detection-aware operation
If you start hitting active defenses:
You: I'm getting 429s and a Cloudflare interstitial. What now?
Claude: [pulls §6.4 detection-aware probing, walks through back-off ladder]
Combine with your own tooling
The skills assume you have standard recon tools available (subfinder, httpx, nuclei, etc.). They don't run anything — they tell you what to run. Combine with:
- Your tooling (see
offensive-osint§46 for install one-liners). - A note-taking system (Hunchly, Obsidian, etc.).
- An asset-graph store (your own platform / spreadsheet / DB).
- A reporting platform (HackerOne, Bugcrowd, custom).
Anti-patterns
- ❌ Asking Claude to execute probes. Claude doesn't have access to your network. It tells you what to run; you run it.
- ❌ Pasting real PII / credentials / breach corpus content into the prompt. Use placeholder data.
- ❌ Skipping the scope check. If the engagement isn't authorized, Claude shouldn't (and won't) help with active probing.
- ❌ Treating Claude's output as ground truth without verification. Always validate against the §17 catalog (regex match), §40 severity matrix (worked examples), and your own engagement context.
- ❌ Ignoring confidence levels. TENTATIVE findings are TENTATIVE. Use §2.1 to upgrade.
Examples directory
See ../examples/ for end-to-end walkthroughs:
01-quick-recon.md— 1-hour rapid recon02-bug-bounty-workflow.md— full HackerOne engagement03-identity-fabric-mapping.md— M365 deep enum04-secret-hunting.md— leaked-credential workflow