Quick Start
Five minutes from zero to running autonomous red team operations. Zero guardrails. Zero refusals.
Prerequisites
- Node.js 18+ or Bun (Bun recommended for install speed)
- Docker — required for the Kali tools container
Verify Docker is running:
docker psInstall
bun install -g allysecThe npm package is allyseclabs-agent. allysec is the CLI command.
After install, verify:
allysec --versionConfigure
Copy the example environment file and fill in your API keys.
cp .env.example .envOpen .env and set at minimum:
# Provider — OpenCode Go is recommended for offensive workloads
ANTHROPIC_AUTH_TOKEN=your-key-here
ANTHROPIC_BASE_URL=https://opencode.ai/zen/go/v1
# Or use OpenAI-compatible providers
CLAUDE_CODE_USE_OPENAI=1
OPENAI_API_KEY=your-key-here
OPENAI_BASE_URL=https://opencode.ai/zen/go/v1See Environment Variables for the full reference.
First Run
The Kali container auto-deploys on first run. Docker pulls ghcr.io/allyseclabs/allysec-kali-full:latest (this takes a few minutes once).
allysec --target example.comForge runs through all eight phases without pausing for approval. Reconnaissance flows directly into exploitation. Exploitation flows into post-exploitation. The engine does not ask "should I continue?" — it continues.
What happens, phase by phase:
| Phase | What runs | Tools |
|---|---|---|
| 1. Recon | Passive OSINT, subdomain enumeration, then active scanning | recon-dominator, whois, theHarvester |
| 2. Enumeration | Service fingerprinting, directory brute force | nmap, ffuf, gobuster |
| 3. Vuln Analysis | Automated and manual vulnerability detection | nuclei, nikto, wpscan |
| 4. Exploitation | Active exploitation of confirmed findings | ExploitTool, sqlmap, custom scripts |
| 5. Attack Chains | Multi-step compromise chaining | AttackChainTool |
| 6. Post-Exploitation | Privesc, lateral movement, persistence | PostExploitTool |
| 7. Loot Collection | Collect, classify, archive | LootTool |
| 8. Anti-Forensics | Cover tracks, clean artifacts | anti-forensics-suite |
No pauses between phases. Recon flows directly into exploitation. Exploitation flows into post-exploitation.
Next Steps
- Engagement Workflow — full phase-by-phase reference
- Tool Selection — when to use which tool
- Environment Variables — all configuration options
- Third-Party Models — configure any model provider
- FAQ — common questions