Post Exploitation

Ask review

Assess impact, test lateral movement, evaluate data exposure, and document access chains

Hats: 2
Review Agents: 1
Review: Ask
Unit Types: Lateral Movement, Privilege Escalation, Data Exposure
Inputs: Exploitation
Dependencies: Exploitation, access-log

Hat Sequence

1. Impact Assessor

Focus: Evaluate the business impact of each successful access chain. Classify data exposure by sensitivity, assess regulatory implications, estimate blast radius, and determine the real-world consequences if each vulnerability were exploited by a malicious actor.

Produces: Impact assessment with business risk ratings, data classification of exposed assets, regulatory implications (GDPR, HIPAA, PCI-DSS, etc.), and worst-case scenario analysis for each access chain.

Reads: Post-exploit analyst's attack graph, access log, original scope and rules of engagement.

Anti-patterns (RFC 2119):

  • The agent MUST NOT inflate or deflate severity to fit a predetermined narrative
  • The agent MUST NOT ignore regulatory or compliance implications of data exposure
  • The agent MUST NOT assess technical impact without translating to business risk
  • The agent MUST NOT fail to distinguish between demonstrated impact and theoretical impact
  • The agent MUST consider the cumulative effect of chained vulnerabilities
  • The agent MUST NOT treat all data exposure as equivalent regardless of data classification
2. Post Exploit Analyst

Focus: From established footholds, map lateral movement possibilities, identify privilege escalation paths, and assess what an attacker could reach from each compromised position. Document the full attack graph without causing additional harm.

Produces: Attack graph documenting lateral movement paths, privilege escalation chains, credential exposure, and network segments reachable from each foothold.

Reads: Access log from exploitation, service inventory, network map.

Anti-patterns (RFC 2119):

  • The agent MUST NOT actually exfiltrate sensitive data instead of documenting its accessibility
  • The agent MUST NOT attempt lateral movement outside the authorized scope
  • The agent MUST NOT install persistent backdoors or modify system configurations
  • The agent MUST NOT fail to document the exact path taken at each step for reproducibility
  • The agent MUST clean up artifacts (shells, temporary files) created during analysis
  • The agent MUST NOT cause service disruption while exploring post-exploitation paths

Review Agents

Impact Accuracy

Mandate: The agent MUST verify impact assessment accurately reflects the real-world risk.

Check:

  • The agent MUST verify that lateral movement paths are documented with evidence at each step
  • The agent MUST verify that data exposure assessment reflects what an attacker could actually access
  • The agent MUST verify that access chain documentation is complete (initial access → current position)
  • The agent MUST verify that impact rating considers business context, not just technical severity
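The four checks above can be applied mechanically to the analyst's attack graph before a human reviews it. The following is an added example, not code from the original page or from the project it describes: it models each access chain as an ordered list of steps with evidence, and tests chain completeness (initial access to current position), per-step credential documentation, the demonstrated/theoretical distinction, and exposure rated by data classification rather than by asset count. The data classes, field names, sensitivity ranking and the sample chains are all assumptions constructed for this example.

```python
"""Review checks for a post-exploitation attack graph (added example).

Assumed data model: an AccessChain is an ordered list of Steps starting
at the initial access position; each Step records the position reached,
the technique used, a pointer to evidence, whether it was actually
demonstrated in scope, and the credentials/access required to take it.
"""
from dataclasses import dataclass, field
from typing import Dict, List

# Constructed sensitivity ranking for exposed data categories (assumption).
SENSITIVITY = {"public": 0, "internal": 1, "confidential": 2, "regulated": 3}


@dataclass
class Step:
    position: str                 # host or identity reached at this step
    technique: str                # descriptive label, kept for reproducibility
    evidence: str                 # log/screenshot reference proving the step
    demonstrated: bool            # True if performed in scope, False if only inferred
    credentials_required: str = ""  # credentials or access needed for this step


@dataclass
class AccessChain:
    chain_id: str
    initial_access: str
    steps: List[Step]
    data_exposed: Dict[str, str] = field(default_factory=dict)  # asset -> classification


def chain_is_complete(chain: AccessChain) -> bool:
    """Chain must begin at initial access and carry evidence at every step."""
    if not chain.steps or chain.steps[0].position != chain.initial_access:
        return False
    return all(step.evidence for step in chain.steps)


def demonstrated_position(chain: AccessChain):
    """Furthest position reached using only demonstrated (not theoretical) steps."""
    reached = None
    for step in chain.steps:
        if not step.demonstrated:
            break
        reached = step.position
    return reached


def exposure_rating(chain: AccessChain) -> int:
    """Rate exposure by the most sensitive classification reached, not by count."""
    if not chain.data_exposed:
        return 0
    return max(SENSITIVITY[c] for c in chain.data_exposed.values())


def review(chain: AccessChain) -> List[str]:
    """Return the findings a reviewer would raise; an empty list means the chain passes."""
    findings = []
    if not chain_is_complete(chain):
        findings.append(f"{chain.chain_id}: incomplete chain or missing evidence")
    # Every pivot after initial access must state what access it required.
    for step in chain.steps[1:]:
        if not step.credentials_required:
            findings.append(f"{chain.chain_id}: pivot to {step.position} lacks required credentials")
    # Theoretical steps are allowed, but only after the demonstrated prefix.
    seen_theoretical = False
    for step in chain.steps:
        if not step.demonstrated:
            seen_theoretical = True
        elif seen_theoretical:
            findings.append(f"{chain.chain_id}: demonstrated step after theoretical step at {step.position}")
    return findings


# Constructed sample chains (assumed hostnames and evidence references).
CHAIN_A = AccessChain(
    chain_id="chain-A",
    initial_access="web-dmz-01",
    steps=[
        Step("web-dmz-01", "initial foothold from exploitation phase", "access-log#12", True),
        Step("app-internal-02", "reused service credential found in config", "access-log#17", True,
             credentials_required="svc-app service account"),
        Step("db-03", "inferred from reachable port and shared credential", "network-map#db", False,
             credentials_required="db reader role"),
    ],
    data_exposed={"customer_records": "regulated", "build_logs": "internal"},
)

CHAIN_B = AccessChain(
    chain_id="chain-B",
    initial_access="vpn-gw-01",
    steps=[
        Step("vpn-gw-01", "initial foothold", "access-log#20", True),
        Step("file-srv-04", "mounted share", "", True),  # no evidence, no credentials documented
    ],
    data_exposed={"marketing_assets": "public"},
)

if __name__ == "__main__":
    for chain in (CHAIN_A, CHAIN_B):
        print(chain.chain_id, "demonstrated up to", demonstrated_position(chain),
              "exposure", exposure_rating(chain), "findings", review(chain))
```

The rating deliberately takes the maximum classification rather than summing assets, which is the "not all exposure is equivalent" anti-pattern expressed as code; the demonstrated prefix check is what lets the impact assessor separate demonstrated impact from worst-case theoretical impact for the same chain.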

Post-Exploitation

Criteria Guidance

Good criteria examples:

  • "Impact assessment documents the maximum access level achieved, data categories exposed, and blast radius of each access chain"
  • "Lateral movement analysis maps at least 3 potential pivot paths with the credentials or access required for each"
  • "Privilege escalation findings document the starting access level, technique used, and resulting access level with evidence"

Bad criteria examples:

  • "Impact is assessed"
  • "Lateral movement tested"
  • "Data exposure documented"

Completion Signal (RFC 2119)

Impact assessment MUST exist documenting the full scope of what an attacker could achieve through each access chain. Lateral movement paths MUST be mapped with required credentials and access levels. Data exposure analysis MUST categorize accessible data by sensitivity. Privilege escalation paths MUST be documented end-to-end. All post-exploitation activity MUST have remained within scope, with no data exfiltrated or destroyed.