continuous offensive exposure validation • adversary intelligence • evidence-first

Know what is really exposed. Prove it. Chain it. Prioritise it.

SPECTRE is 313SEC’s offensive exposure validation and adversary intelligence platform. It discovers external attack surface, validates whether exposures are real, preserves forensic-grade evidence, models attack paths, fuses live threat context, and monitors drift over time. It is not a scanner clone. It is not an exploit toy. It is built to answer what matters and prove every answer.

01 Safety first: Authorised scope, policy classes, and controlled validation before anything else.
02 Evidence first: No assumption counts as a finding unless it can be reproduced from stored artefacts.
03 Adversary logic: Weaknesses are not treated in isolation. They are chained into realistic attack paths.
COMMAND scopes work. SURFACE discovers. VERIFY proves. SIGNAL enriches. CHAIN scores. EVIDENCE signs. WATCHTOWER monitors what changes next.
Priority order (6): Safety → Evidence → Accuracy → Architecture → Modularity → Adversary logic
Security model (RS256): JWT access tokens, refresh rotation, tenant isolation, RBAC, policy enforcement
Evidence doctrine (100%): Every validated finding must produce stored artefacts and reproducibility notes
Continuous view (24/7): Drift monitoring, revalidation, reporting, and executive watchtower posture

Module architecture

SPECTRE is structured as a platform, not a pile of scanners. Each module has a clear boundary and a specific responsibility. The orchestration layer can swap tools behind adapters without breaking the platform model. The outcome is cleaner code, safer execution, and evidence that survives scrutiny.

COMMAND: Tenant lifecycle, workspace scope, execution policy, approvals, RBAC, audit trail, and recurring schedules.
Tags: scope, RBAC
Why it matters: SPECTRE only touches what is authorised. Scope targets and execution classes sit at the core of the platform.
Key output: Immutable governance records for every user action, approval, schedule, and key rotation event.

SURFACE: External attack surface discovery across domains, subdomains, services, ports, APIs, certificates, and cloud assets.
Tags: discovery, asset graph
What it does: Turns external sprawl into a structured perimeter map that can feed validation, graph reasoning, and continuous monitoring.
Why it matters: You cannot secure an estate you have not actually enumerated.

DARK MIRROR: Credential and exposure monitoring across public repos, leaks, lookalikes, breaches, paste sites, and public storage.
Tags: passive, leaks
Operational rule: Class A only. No active interaction with third-party infrastructure. Source, time, and evidence snapshot always retained.
Value: Shows the human and operational attack surface beyond the obvious technical perimeter.

VERIFY + GHOST PROTOCOL: Safe exposure validation with screenshots, HTTP and TLS evidence, configuration checks, and login surface classification, wrapped in an evasion-aware transport layer.
Tags: evidence, transport control
Evidence rule: Every validation attempt produces artefacts, even when a suspected weakness is rejected.
Transport rule: GHOST PROTOCOL shapes timing, TLS profile, DNS sources, headers, and rate while never altering request content itself.
Why it matters: SPECTRE distinguishes real exposures from noise and preserves how it reached that conclusion.

SIGNAL + CHAIN: Threat intelligence fusion and graph-powered attack path modelling. This is where isolated findings become business-relevant adversary stories.
Tags: EPSS, MITRE, Neo4j
What SIGNAL adds: EPSS, KEV, exploit maturity, ATT&CK mapping, campaign context, and threat actor relevance.
What CHAIN adds: Weighted graph reasoning, attack path scoring, blast radius, and what-if reachability modelling.
Business outcome: You stop prioritising by raw severity alone and start prioritising by real attacker utility.

PHANTOM: Adversary behaviour emulation that tests exploitability and whether defences actually noticed.
Tags: emulation, MITRE
Safety stance: Never real exploitation. It validates exploitability and detection capability inside pre-authorised playbooks.
Why it matters: Exposure alone is not enough. SPECTRE measures defensive readiness as well.

STAND ALONE COMPLEX: Autonomous multi-step logic that follows a validated clue into the next safest, highest-value checks.
Tags: playbooks, decisioning
Control: Chain depth, safety class, approvals, and halt conditions are enforced before automation moves forward.
Difference: It behaves more like a disciplined human tester following logic than a blunt batch scanner.

OPERATIONS · EVIDENCE · DOSSIER · WATCHTOWER · PANOPTICON: Scheduling, queues, evidence integrity, reporting, drift monitoring, and final executive or operator view.
Tags: forensics, reporting
Why it matters: The platform is not finished when a finding is seen. It is finished when it is stored, signed, reportable, and continuously monitored.
Executive value: Posture becomes measurable over time, not just during point-in-time scans.

Interactive attack path narrative

The platform’s core value appears when findings stop being isolated rows in a table. The stages below show how a discovered exposure becomes a threat-contextualised, attack-path-aware decision with preserved evidence.

01 — SURFACE discovers

Subdomains, services, APIs, certificates, and cloud assets are mapped into a unified external graph.

02 — VERIFY proves

Screenshots, HTTP evidence, TLS artefacts, and safe checks show whether the exposure is real.

03 — SIGNAL enriches

EPSS, KEV, ATT&CK, and exploit maturity provide the current threat lens around the weakness.

04 — CHAIN scores

The finding is connected to assets, services, logins, trust edges, and credentials to model attacker routes.

05 — EVIDENCE signs

Artefacts, manifest, hashes, and reproducibility notes become a tamper-aware evidence package.

06 — WATCHTOWER watches

Drift, re-opened findings, new assets, and threat changes trigger the next assessment cycle.


SURFACE — Attack surface discovery

Discovery starts with authorised scope targets and expands outward into domains, CT intelligence, DNS, ports, services, headers, APIs, and cloud clues. The point is not raw volume. The point is a reliable perimeter model that downstream modules can trust.

Evidence chain and reporting

SPECTRE treats evidence as a first-class object. The platform constitution is explicit: if it cannot be proved, it does not exist. Explore the evidence views below to see how artefacts, manifests, and reporting fit together.

Screenshot evidence

Captured web interfaces with timestamp watermark and target URL overlay so the visual state can be tied to a specific validation point.

HTTP request and response

Headers, bodies, and replayable request context stored so reviewers can understand exactly what was sent and what came back.

TLS and certificate artefacts

Certificate chains, handshake details, cipher observations, and expiry evidence retained for protocol validation and future comparison.

Reproduction notes

Step-by-step instructions that let a reviewer or engineer reproduce the validated finding from the preserved record.

/{tenant_id}/{workspace_id}/evidence/{finding_id}/
manifest.json
sha256(screenshot.png) = 40f7a2...b98c
sha256(http_request.txt) = 61ca29...15ac
sha256(http_response.txt) = 2ab0d1...31ef
sha256(tls_certificate.pem) = 72c18d...883e
generated_at = 2026-03-12T14:02:18Z
validator = VERIFY.HttpValidatorAdapter
signature = hmac-sha256(manifest)
integrity_status = VERIFIED
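
The manifest above pairs a SHA-256 digest per artefact with an HMAC-SHA256 signature over the manifest. The following Python is an added example, not SPECTRE's own code, showing how a reviewer could build and re-check such a package. The canonical JSON form, the key handling, the FAILED status, the function names and the sample artefact bytes are assumptions made for illustration.

```python
import hashlib
import hmac
import json

def _canonical(body: dict) -> bytes:
    # Assumption: the signed form is JSON with sorted keys and no whitespace.
    return json.dumps(body, sort_keys=True, separators=(",", ":")).encode()

def build_manifest(artefacts: dict, key: bytes, generated_at: str, validator: str) -> dict:
    body = {
        "artefacts": {name: hashlib.sha256(data).hexdigest()
                      for name, data in artefacts.items()},
        "generated_at": generated_at,
        "validator": validator,
    }
    signature = hmac.new(key, _canonical(body), hashlib.sha256).hexdigest()
    return {**body, "signature": signature}

def verify_manifest(manifest: dict, artefacts: dict, key: bytes) -> tuple:
    """Return (integrity_status, problems) for a manifest and the stored artefacts."""
    problems = []
    body = {k: v for k, v in manifest.items() if k != "signature"}
    expected = hmac.new(key, _canonical(body), hashlib.sha256).hexdigest()
    # The signature covers the hash list, so an edited manifest fails here.
    if not hmac.compare_digest(expected, str(manifest.get("signature", ""))):
        problems.append("manifest signature mismatch")
    listed = manifest.get("artefacts", {})
    for name, digest in listed.items():
        if name not in artefacts:
            problems.append(f"missing artefact: {name}")
        elif not hmac.compare_digest(hashlib.sha256(artefacts[name]).hexdigest(), digest):
            problems.append(f"hash mismatch: {name}")
    for name in sorted(artefacts.keys() - listed.keys()):
        problems.append(f"unlisted artefact: {name}")
    return ("VERIFIED" if not problems else "FAILED", problems)

# Constructed sample key and artefact bytes (not real evidence).
SAMPLE_KEY = b"constructed-demo-key"
SAMPLE = {
    "screenshot.png": b"\x89PNG constructed bytes",
    "http_request.txt": b"GET / HTTP/1.1\r\nHost: example.test\r\n\r\n",
    "http_response.txt": b"HTTP/1.1 200 OK\r\n\r\n",
    "tls_certificate.pem": b"-----BEGIN CERTIFICATE-----\nconstructed\n",
}

if __name__ == "__main__":
    m = build_manifest(SAMPLE, SAMPLE_KEY, "2026-03-12T14:02:18Z", "VERIFY.HttpValidatorAdapter")
    print(verify_manifest(m, SAMPLE, SAMPLE_KEY))
```

An HMAC only shows tampering to parties who hold the key, so the key has to live outside the evidence store it protects.
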
SUMMARY

Business-relevant finding narrative

DOSSIER does not just dump technical output. It explains what was found, how strong the evidence is, where it sits in an attack path, and what the organisation should do next.

RISK

Threat-contextualised prioritisation

Severity is weighed with exploit maturity, attacker targeting, graph reachability, and client-specific environmental context.

COMPLIANCE

Mapped to UK frameworks

Findings can be aligned to Cyber Essentials, CE Plus, ISO 27001 Annex A, GDPR-UK Article 32, NIS2, and NCSC guidance to make remediation useful to leadership as well as engineers.

Continuous drift monitoring

Point-in-time output is not enough for a modern external estate. WATCHTOWER exists because the question is never just what was exposed last week. It is what changed, what re-opened, what new asset appeared, and what threat context shifted since the last time you looked.

WATCHTOWER operating view: A posture layer that keeps the platform alive after the first assessment completes.
Tags: revalidation, drift, alerting
Re-open findings: If an issue comes back or evidence changes, the platform re-opens the case with an auditable event trail.
Asset drift: New domains, certificates, services, exposed APIs, or cloud assets are treated as posture changes, not background noise.
Threat drift: If exploit maturity rises or an existing weakness lands in a live exploitation catalogue, prioritisation changes automatically.

Queue backbone: Separated workloads prevent one class of task from polluting the rest of the system.
Tags: BullMQ, Redis
Examples: surface.discovery, verify.validation, signal.enrichment, chain.computation, evidence.processing, watchtower.monitoring.
Why it matters: Concurrency, retries, dead-letter handling, and workspace rate control remain predictable.