Kali Infrastructure
Forge runs Kali Linux in a Docker container -- a full offensive toolkit with 2,400+ commands and 191 mapped tools across seven pentest phases. The container is the execution sandbox: every security tool, from nmap to responder, runs inside it.
Container Architecture
Operator Machine
|
Docker Engine
|
allysec-kali (ghcr.io/allyseclabs/allysec-kali-full:latest)
|-- 2,400+ Kali Linux commands
|-- 191 mapped tools (KaliTool catalog)
|-- Host networking (direct network access)
|-- Privileged mode (raw socket, packet injection)
|-- Docker socket mount (container-in-container)
|-- Persistent volume (/var/lib/allysec/kali)
Single Full Image
The container ships as one image: allysec-kali-full. This replaces an earlier tiered approach (base/recon/ad/cloud/web images) that proved fragile. A single image eliminates image dependency chains and ensures every tool is available on first deploy.
Deployment
# Manual deploy
docker pull ghcr.io/allyseclabs/allysec-kali-full:latest
docker run -d --name allysec-kali \
  --network host \
  --privileged \
  -v /var/run/docker.sock:/var/run/docker.sock \
  -v allysec-kali-data:/var/lib/allysec/kali \
  ghcr.io/allyseclabs/allysec-kali-full:latest
Auto-Deploy
Set ALLYSEC_AUTO_DEPLOY=1 and the container is pulled and started on first tool invocation. No manual setup required.
Auto-Install
Set ALLYSEC_AUTO_INSTALL=1 and missing tools are installed via apt-get at runtime. If a tool is requested that is not in the base image, the system installs it and caches the installation in the persistent volume.
Tool Mapping
The KaliTool catalog maps 191 tools to pentest phases. The mapping enables phase-aware tool discovery:
| Phase | Tools | Examples |
|---|---|---|
| Recon Passive | 28 | whois, theHarvester, amass, subfinder |
| Recon Active | 31 | nmap, masscan, dnsrecon, ffuf |
| Enumeration | 41 | enum4linux, smbclient, snmpwalk, dirb |
| Vuln Analysis | 24 | nuclei, nikto, wpscan, sqlmap |
| Exploitation | 22 | metasploit, searchsploit, hydra, impacket |
| Post-Exploitation | 27 | mimikatz, bloodhound, crackmapexec |
| Pivoting | 18 | chisel, sshuttle, proxychains, socat |
Health Checking
The Pipeline verifies container health on session startup. It checks:
- Container is running (docker ps)
- Tool count meets minimum threshold (170+)
- Network connectivity (can reach targets)
- Persistent volume is writable
If health checks fail, the Pipeline surfaces diagnostics and offers remediation.
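The following is an added example, not Forge's own health-check code. It reads `docker inspect` JSON for the container and covers two of the checks above (container running, persistent volume mounted read-write, which is a configuration check rather than a write test), then lists what the settings from the Deployment command expose on the host. The function name `audit_container` and the sample JSON are constructed for illustration; tool count and target connectivity are not covered.

```python
import json

# Constructed sample: trimmed `docker inspect allysec-kali` output (not from a real host).
SAMPLE_INSPECT = json.dumps([{
    "Name": "/allysec-kali",
    "State": {"Running": True},
    "HostConfig": {"Privileged": True, "NetworkMode": "host"},
    "Mounts": [
        {"Type": "bind", "Source": "/var/run/docker.sock",
         "Destination": "/var/run/docker.sock", "RW": True},
        {"Type": "volume", "Name": "allysec-kali-data",
         "Destination": "/var/lib/allysec/kali", "RW": True},
    ],
}])

DATA_DIR = "/var/lib/allysec/kali"
DOCKER_SOCK = "/var/run/docker.sock"


def audit_container(inspect_json):
    """Return (failures, host_exposure) for one container's `docker inspect` JSON."""
    info = json.loads(inspect_json)[0]
    host_cfg = info.get("HostConfig", {})
    mounts = {m.get("Destination"): m for m in info.get("Mounts", [])}
    failures, exposure = [], []

    # Health: the container must be running.
    if not info.get("State", {}).get("Running", False):
        failures.append("container is not running")
    # Health: the persistent volume must be present and mounted read-write.
    data = mounts.get(DATA_DIR)
    if data is None:
        failures.append(f"no mount at {DATA_DIR}")
    elif not data.get("RW", False):
        failures.append(f"{DATA_DIR} is mounted read-only")

    # Host exposure: each documented setting removes a layer of isolation.
    if host_cfg.get("Privileged"):
        exposure.append("privileged: all capabilities and host devices")
    if host_cfg.get("NetworkMode") == "host":
        exposure.append("host networking: shares the host network namespace")
    if DOCKER_SOCK in mounts:
        exposure.append("docker.sock: can control the host Docker daemon")
    return failures, exposure


if __name__ == "__main__":
    failures, exposure = audit_container(SAMPLE_INSPECT)
    print("failures:", failures or "none")
    for item in exposure:
        print("exposes:", item)
```

With all three exposure lines present, the container should be treated as having root-equivalent access to the operator machine, so the host itself belongs inside the engagement's trust boundary.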
Evolution
The infrastructure evolved from five separate tiered images to one full image. The tiered approach was abandoned because:
- Dependency chains between images caused deployment failures
- Partial images required runtime tool installation that slowed first-touch latency
- Operators needed to know which image had which tool
The single full image solves all three problems at the cost of a larger pull. The tradeoff is intentional: disk space is cheap; an operator's time is not.