exploit-pipeline/PRODUCT-SPEC.md

# GreySec RED — Product Specification
**Product:** GreySec Exploit Development Pipeline (Reverse Engineering + Exploit Dev)
**Version:** 1.0
**Status:** BUILDING
**Date:** 2026-05-07
**Owner:** GreySec (COO: Hermes, CEO: Adam)

---

## What the Product Is

GreySec RED is an AI-augmented reverse engineering and exploit development lab. Drop a binary. Get a vulnerability brief, a working exploit, and shellcode. No manual RE required. No expert hours needed upfront.

**The core promise:** Turn a binary into a working exploit in 20-90 minutes, depending on complexity. Validated against the real target, not a thought experiment.

---

## What the Client Gets

### Standard Deliverable Package

For every binary target, the client receives:

1. **analysis.md** — Full vulnerability brief
   - Vulnerability class (buffer overflow, format string, UAF, heap corruption, etc.)
   - Affected function with offset
   - Root cause explanation
   - Attack constraints and mitigations bypassed
   - Recommended next steps

2. **struct.json** — Structured vulnerability data
   - Machine-readable format for automation
   - Offset, bad chars, mitigations, difficulty rating
   - Integrates into CI/CD pipelines

3. **exploit.py** — Working pwntools exploit
   - Targets the real binary via `process()` or `remote()`
   - Passes test loop against actual binary
   - Commented and readable
   - No pseudocode — this is runnable

4. **shellcode.bin** — Position-independent shellcode
   - Architecture-appropriate (x86, x64, ARM, MIPS)
   - Ready to use in the exploit or independently

5. **test-results.md** — Validation proof
   - Exit code, output, and PASS/FAIL verdict
   - Confirms the exploit was run against the real target
   - If FAIL: diagnostic information on what went wrong

### Optional Add-Ons

- **Full disassembly dump** (`.md` or `.txt`) — rizin output for manual review
- **ROP chain analysis** — for ASLR/DEP-enabled targets requiring chained gadgets
- **Libc database lookup** — for targets requiring libc address leaks
- **Multi-stage shellcode** — stageless vs. staged payload selection

---

## Target Buyer

### Primary: Security Team Building Internal Red Team Toolchains

**Pain point:** They run internal red team engagements and spend significant time manually analyzing targets before building exploits. Every hour spent on RE is an hour not spent on the actual engagement.

**Current workaround:** Metasploit module development (slow, requires expert), manual RE (slow), or just skipping binary analysis entirely. CTF teams and training environments also use manual RE, which doesn't scale.

**What they'd pay:** $500-1,500/month for a tool that turns binary analysis from a 4-hour manual task into a 20-minute automated pipeline.

**Buying trigger:** After a red team engagement where they spent more time REing targets than actually testing controls.

---

### Secondary: Exploit Developers and CTF Players

**Pain point:** Competitive hacking (CTF) requires solving dozens of binary challenges under time pressure. Manual RE is the bottleneck, not creativity or offensive thinking.

**Current workaround:** Using existing solvers for known challenge types, manually writing exploits for new types. High-skill individuals doing low-skill repetitive work.

**What they'd pay:** $100-300/month (individual or team subscription). CTF teams are price-sensitive but high-volume.

**Buying trigger:** Losing a CTF competition by 15 minutes because RE took too long on one challenge.

---

### Tertiary: Security Researchers Analyzing Third-Party Binaries for CVEs

**Pain point:** Analyzing a third-party binary for a potential CVE requires fast turnaround. They need to understand the vulnerability class, affected function, and whether an exploit is feasible before committing to a full disclosure process.

**Current workaround:** Manual RE + writing a PoC from scratch. Takes days for a single binary. High opportunity cost.

**What they'd pay:** $1,000-3,000/month if it speeds up their CVE research by 50%.

**Buying trigger:** After a missed disclosure deadline because RE took too long.

---

## SLA (Target)

| Metric | Target | Notes |
|--------|--------|-------|
| Beginner binary (stack/heap/format) | 20-30 minutes | Protostar difficulty |
| Intermediate binary (ROP/enabled ASLR) | 40-60 minutes | Requires gadget finding |
| Advanced binary (real-world binary) | 60-120 minutes | May require human review |
| Expert/0-day research | Not committed | Pipeline assists, not autonomous research |
| Exploit test pass/fail | Immediate | Test loop runs automatically |

**What we do not commit to:**
- Guaranteeing exploit development for binaries with novel mitigations
- Research-level RE for obfuscated/packed binaries (V1 — see V2 roadmap for future)
- Automated bypass of state-of-the-art EDR evasion techniques

---

## Limitations

- **Novel 0-day research:** The abliterator model is trained on existing knowledge. Novel exploitation techniques (post-May 2026) may not be in context. Use this for known vulnerability classes against known binary types, not for discovering unknown vulnerabilities.

- **Packed/obfuscated binaries:** If the binary is packed with UPX, ASPack, or a custom packer, the initial disassembly will show the unpacker stub, not the actual payload. V2 roadmap includes unpacker integration.

- **Kernel-level binaries:** We analyze user-space binaries. Kernel modules, drivers, and firmware require a different environment (ring 0 vs. ring 3). Not supported V1.

- **Cross-architecture:** V1 supports x86 and x64 Linux binaries. Windows PE, ARM, MIPS, and other architectures are V2/V3 roadmap items.

- **Cloud model quality:** When MacBook Ollama is unreachable, we fall back to cloud models. The abliterator model produces significantly better exploits on offensive security tasks. Cloud fallback works but is not the primary experience.

---

## Competitive Landscape

| Tool | Type | Cost | Strengths | Weaknesses for Our Buyer |
|------|------|------|-----------|--------------------------|
| **Metasploit Framework** | Open source | Free | Huge module library, community-developed | Modules are manually written, not AI-generated for novel binaries |
| **Cobalt Strike** | Commercial | $3,500+/license | Industry standard for red team tooling | Not an RE/exploit development tool — it's a C2 platform |
| **Immunity CANVAS** | Commercial | $500+/month | Automated exploit generation | Ancient UI, slow development, Windows-only |
| **Core Impact** | Commercial | $8,000+/year | Automated everything | Expensive, slow, dated UX |
| **Manual RE + exploit dev** | Consultant | $150-300/hr | Expert judgment | 4-8 hours per binary minimum, expensive at scale |
| **CTF solvers (custom)** | Open source | Free | Fast for known challenge types | One-off tools, not a platform |
| **GreySec RED** | **AI-augmented service** | **TBD** | **20-90 min per binary, validated exploits, struct.json for automation, local model quality** | **V1 is new (May 2026), limited to x86/x64 Linux, abliterator model required for best quality** |

**GreySec RED's positioning:**
- Faster than manual RE (20-90 min vs. 4-8 hrs)
- Validated output (exploit.py tested against real binary, not just generated)
- Machine-readable struct.json for CI/CD integration
- Local AI model quality (abliterator) when MacBook reachable
- AI-augmented but not AI-only — human expert review available

---

## Pricing Framework (Internal Only)

**Do not share externally. Adam reviews and approves all client-facing numbers.**

### Internal Cost Basis

| Cost Item | Per Binary (est.) |
|-----------|-------------------|
| AI compute (Ollama, local MacBook) | ~$0.05-0.15 (amortized model cost) |
| Human review (5-10 min at $105-135/hr) | ~$9-22.50 |
| Infrastructure (Kali container, storage) | ~$0.50 |
| **Total direct cost per binary** | **~$10-23** |

At a 4x margin: $40-92 per beginner binary, $80-184 per intermediate, $160-368 per advanced.

### Build vs. Buy Analysis

**Building this internally:**
- Engineering time: 60-100 hours to replicate RED pipeline
- Ongoing: 5-10 hours/month maintaining scripts and model context
- No AI quality guarantee — the abliterator model is specifically trained for this task
- Total first-year cost: $20,000-35,000 + risk that it doesn't work at quality

**Using GreySec RED:**
- Per-binary pricing (or monthly subscription)
- Zero engineering time
- GreySec maintains the pipeline and model quality

### Competitive Price Reference

| Option | Price | Notes |
|--------|-------|-------|
| Manual RE consultant | $150-300/hr | 4-8 hours per binary = $600-2,400 |
| Metasploit module dev (consultant) | $100-200/hr | 2-4 hours per binary = $200-800 |
| Immunity CANVAS | $500+/month | Annual commitment, Windows focus |
| GreySec RED (target) | TBD | Sub-$500 per binary, subscription available |

---

## Roadmap (Future Tiers)

### V1 (Current Build — MVP)
- x86/x64 Linux binaries only (Protostar-style)
- Two-stage pipeline: RE Agent + Exploit Writer
- Validation gates and test loops
- gbrain + TIME-LOG hooks

### V2 (Next Quarter)
- Windows PE/DLL analysis
- ROP chain builder integration (one_gadget, ROPgadget)
- Libc database lookup for ASLR bypass
- Multi-arch support: ARM, MIPS

### V3 (Future)
- macOS binary analysis
- Automated unpacker integration (for packed binaries)
- Malware family classification (from RE output)
- CI/CD integration (GitHub Actions plugin)

---

## What GreySec Gets Out of This

1. **Internal tooling:** GreySec uses this for red team engagements — fast binary analysis without eating into engagement hours.

2. **Product revenue:** Second productized internal capability (after MAL). Complements MAL — MAL analyzes what a payload does, RED builds the payload that does it.

3. **Differentiation:** No other firm in GreySec's market is offering AI-augmented exploit development as a service. Most competitors either sell tool licenses (Cobalt Strike) or bill by the hour (consulting). RED is a middle path.

---

**Status:** BUILDING — agent scripts updated, validation gates added, needs heap0 re-run and MacBook SSH unblock before full operational validation.

**Next decision needed from Adam:** MacBook SSH fix (Option A/B/C), and pricing tiers.