redstackio/redstack-vault

🔴 Redstack Vault

The Offensive Security Knowledge Programmatic Dataset

A structured, queryable, AI-ready dataset of 15,125+ real-world attack procedures



🎯 What is Redstack Vault?

Redstack Vault transforms offensive security knowledge into a living knowledge graph. Instead of scattered notes, blog posts, and cheat sheets, you get a unified, interconnected dataset where every technique, tool, and procedure is linked, tagged, and mapped to the MITRE ATT&CK framework.

Think of it as: Obsidian vault meets MITRE ATT&CK meets your penetration testing playbook—with AI superpowers.

⚡ Core Value

  • 🔗 Graph-Native Architecture: Every entity (procedures, tools, techniques) is bidirectionally linked through WikiLinks, creating a traversable knowledge graph
  • 🤖 AI-First Design: Built-in MCP server for Claude, RAG-ready structured content, semantic search capabilities
  • 📊 MITRE ATT&CK Synchronized: Complete mapping of 18 tactics, 337 techniques, 380+ sub-techniques with real-world procedures
  • ⚡ Execution-Ready: 15,139 procedures, 8,314 executable commands, 1,062 code snippets, copy-paste ready for engagements
  • 🔍 Multi-Dimensional Access: Query by tactic, technique, platform, tool, or semantic meaning
  • 📈 Living Dataset: Structured YAML frontmatter on every file enables programmatic analysis and extensibility

🌟 Why Redstack Vault?

The Problem We Solve

Security professionals face a critical challenge: knowledge fragmentation. Attack techniques are scattered across:

  • 📝 Personal notes that aren't searchable
  • 🌐 Blog posts that disappear or become outdated
  • 📚 PDFs and books that aren't queryable
  • 💬 Forum threads with incomplete context
  • 🧠 Mental models that can't be shared

Our Solution

Redstack Vault provides:

Centralized Knowledge Graph — All offensive techniques in one interconnected system
Programmatic Access — Query, filter, and integrate via APIs, MCP, or semantic search
Standardized Schema — Every entry follows consistent YAML + Markdown structure
MITRE ATT&CK Native — Complete framework integration for threat modeling
AI-Enhanced Workflow — RAG, ML training, semantic search, and LLM integration
Open Ecosystem — Extend with your own procedures, integrate with your tools


📊 By The Numbers

| 📁 Category | 📈 Count | 🎯 Purpose |
|---|---|---|
| Procedures | 15,139 | Step-by-step attack procedures |
| Commands | 8,314 | Executable CLI commands |
| Attack Chains | 4,718 | Multi-stage attack sequences |
| Tags | 1,909 | Categorical navigation |
| Tools | 1,767 | Red team tool documentation |
| Images | 1,392 | Screenshots and diagrams |
| Code Snippets | 1,062 | Bash, Python, PowerShell scripts |
| Sub-Techniques | 380 | Platform-specific variants |
| Techniques | 335 | MITRE ATT&CK techniques |
| Tactics | 18 | MITRE ATT&CK tactics |

Total: 33,684+ markdown files with structured data


🎯 Use Cases

🔴 Red Team Operations

Plan and execute offensive engagements with confidence:

  • Attack Planning: Browse by MITRE ATT&CK tactics to design multi-stage operations
  • Tool Discovery: Find alternative tools when primary options are blocked or detected
  • Technique Research: Deep-dive into 15,139 documented procedures with real-world context
  • Chain Building: Leverage pre-built attack chains or create custom sequences
  • Operational Notes: Copy-paste ready commands and scripts for immediate execution

🔍 Penetration Testing

Streamline your testing workflow:

  • Quick Reference: Access 8,314 commands organized by context
  • Platform-Specific: Filter by Windows, Linux, macOS, Cloud, Web, or Network targets
  • Execution Ready: Every command tested and documented with prerequisites
  • Methodology: Follow structured procedures from reconnaissance to post-exploitation
  • Reporting: MITRE ATT&CK mappings for professional assessment reports

🛡️ Blue Team & Detection Engineering

Understand the adversary to build better defenses:

  • Threat Modeling: Map attacker TTPs to your environment using MITRE ATT&CK
  • Detection Rules: Build SIEM/EDR rules based on documented attack procedures
  • Threat Emulation: Replicate real-world attacks in controlled environments
  • Purple Teaming: Bridge offensive and defensive teams with shared taxonomy
  • Intelligence Analysis: Track tool usage, technique evolution, and emerging TTPs

🤖 AI/ML & Research Applications

Retrieval-Augmented Generation (RAG)

  • Pre-structured for vector embeddings and semantic search
  • YAML frontmatter enables metadata filtering
  • Link graph provides contextual relationships
  • 33,000+ training examples for fine-tuning

Machine Learning Training

  • Malware classification datasets from code snippets
  • Command detection model training data
  • Attack sequence prediction from chains
  • Technique recommendation systems

Knowledge Graph Analytics

  • Graph database ingestion (Neo4j, Amazon Neptune)
  • Technique clustering and pattern analysis
  • Tool-to-technique relationship mapping
  • Coverage gap identification

Semantic Search & Chatbots

  • MCP server for Claude Desktop integration
  • LangChain/LlamaIndex compatible structure
  • Natural language query: "How do I escalate privileges on Windows without touching disk?"
  • Context-aware responses with source attribution

📚 Security Education & Training

  • Capture The Flag (CTF): Reference library for techniques and tools
  • Certification Prep: OSCP, OSEP, PNPT, CEH study material
  • Course Development: Structured curriculum with hands-on procedures
  • Research: Academic analysis of offensive techniques and tool capabilities

🏗️ Architecture & Features

Graph-Native Knowledge Structure

Every entity in Redstack Vault is a node in a knowledge graph:

┌─────────────┐         ┌──────────────┐         ┌──────────────┐
│   TACTICS   │────────▶│  TECHNIQUES  │────────▶│SUB-TECHNIQUES│
│    (18)     │         │    (337)     │         │    (380+)    │
└──────┬──────┘         └──────┬───────┘         └──────┬───────┘
       │                       │                        │
       │    ┌──────────────────┴──────────────┐         │
       │    │                                 │         │
       ▼    ▼                                 ▼         ▼
    ┌──────────────┐                        ┌──────────────┐
    │  PROCEDURES  │◀───────────────────────│    TOOLS     │
    │   (15,139)   │                        │   (1,767)    │
    └──────┬───────┘                        └──────┬───────┘
           │                                       │
           ▼                                       ▼
    ┌──────────────┐                        ┌──────────────┐
    │   COMMANDS   │                        │     TAGS     │
    │   (8,314)    │                        │   (1,909)    │
    └──────────────┘                        └──────────────┘

🎯 MITRE ATT&CK Integration

Complete framework coverage:

| Tactic ID | Name | Coverage | Description |
|---|---|---|---|
| TA0043 | Reconnaissance | ✅ Full | Pre-attack intel gathering |
| TA0042 | Resource Development | ✅ Full | Building attack infrastructure |
| TA0001 | Initial Access | ✅ Full | Entry vectors into target systems |
| TA0002 | Execution | ✅ Full | Running malicious code |
| TA0003 | Persistence | ✅ Full | Maintaining foothold |
| TA0004 | Privilege Escalation | ✅ Full | Gaining elevated permissions |
| TA0005 | Defense Evasion | ✅ Full | Avoiding detection |
| TA0006 | Credential Access | ✅ Full | Credential theft techniques |
| TA0007 | Discovery | ✅ Full | Environment reconnaissance |
| TA0008 | Lateral Movement | ✅ Full | Network traversal methods |
| TA0009 | Collection | ✅ Full | Data gathering |
| TA0010 | Exfiltration | ✅ Full | Data extraction |
| TA0011 | Command & Control | ✅ Full | C2 communications |
| TA0040 | Impact | ✅ Full | Destructive actions |

🔑 Key Features

📋 Standardized Schema

  • YAML frontmatter on every file (UUID, timestamps, metadata)
  • Consistent Markdown structure across all content types
  • Bidirectional WikiLinks for graph traversal
  • Platform tags (Windows, Linux, macOS, Cloud, Web, Network)

🔍 Multi-Dimensional Navigation

  • Browse by MITRE ATT&CK Tactic → Technique → Procedure
  • Filter by target Platform (7 categories)
  • Search by Tool (1,767 documented)
  • Explore by Tag (1,909 categorical)
  • Traverse via knowledge graph relationships

🤖 AI/LLM Integration

  • MCP Server: Claude Desktop native integration
  • RAG-Ready: Structured content for vector embeddings
  • Semantic Search: Natural language queries via SSE endpoint
  • Dataview Queries: Dynamic filtering and statistics

⛓️ Attack Chain System

  • 4,718 pre-built multi-stage attack sequences
  • Complexity ratings and skill level requirements
  • Execution time estimates
  • Complete MITRE ATT&CK technique coverage per chain

📂 Repository Structure

redstack-vault/
├── 📁 procedures/          # 15,139 step-by-step attack procedures
│   ├── Kerberoasting.md
│   ├── DCSync Attack.md
│   └── Pass-the-Hash.md
│
├── 💻 commands/            # 8,314 executable CLI commands
│   ├── mimikatz-sekurlsa.md
│   ├── bloodhound-python.md
│   └── crackmapexec-smb.md
│
├── ⛓️ attack-chains/       # 4,718 multi-stage attack sequences
│   ├── Kerberoast to DCSync.md
│   ├── GitHub Token to Cloud Compromise.md
│   └── Web Shell to Domain Admin.md
│
├── 🏷️ tags/                # 1,909 categorical tags
├── 🛠️ tools/               # 1,767 red team tool documentation
│   ├── Metasploit.md
│   ├── BloodHound.md
│   └── Cobalt Strike.md
│
├── 📝 codes/               # 1,062 code snippets (Bash, Python, PowerShell)
│   ├── reverse-shells/
│   ├── enumeration-scripts/
│   └── exploitation/
│
├── 🔹 sub-techniques/      # 380 sub-technique variations
├── 🛡️ techniques/          # 335 MITRE ATT&CK techniques (T1001-T1659)
├── 🎯 tactics/             # 18 MITRE ATT&CK tactics (TA0001-TA0043)
│
├── 🖥️ Platforms/           # Platform-specific browsing
│   ├── Windows.md         # Most comprehensive coverage
│   ├── Linux.md
│   ├── macOS.md
│   ├── Cloud.md           # AWS, Azure, GCP
│   └── Web.md
│
├── 📚 _assets/
│   ├── templates/         # Templater templates for content creation
│   └── images/            # 1,392 screenshots & diagrams
│
├── 🤖 .mcp-server/         # Model Context Protocol server
│   ├── mcp_server.py      # Main MCP server implementation
│   ├── mcp_server_sse.py  # SSE endpoint for semantic search
│   └── start.sh           # Server startup script
│
├── .obsidian/           # Obsidian vault configuration
├── Dashboard.md         # Main navigation dashboard
└── MITRE-Framework.md   # ATT&CK framework overview

🔑 File Schema

Every file follows a standardized YAML + Markdown structure for programmatic access:

---
id: 550e8400-e29b-41d4-a716-446655440000      # UUID for unique identification
name: Kerberoasting                            # Human-readable name
type: procedure                                # Entity type
verified: true                                 # Validation status
created_at: 2024-01-15T10:30:00Z              # Creation timestamp
updated_at: 2024-03-22T14:45:00Z              # Last update timestamp

# MITRE ATT&CK Mappings (WikiLinks)
tactics:
  - "[[Credential Access|TA0006 - Credential Access]]"
techniques:
  - "[[Steal or Forge Kerberos Tickets|T1558]]"
sub_techniques:
  - "[[T1558.003 - Kerberoasting]]"

# Categorization
platforms:
  - "[[Windows]]"
tools:
  - "[[Rubeus]]"
  - "[[Impacket]]"
commands:
  - "[[GetUserSPNs.py]]"
tags:
  - "[[Active Directory]]"
  - "[[Credential Theft]]"
---

# Kerberoasting

## Summary
Kerberoasting exploits Kerberos TGS tickets to extract service account credentials...

## Description
[Detailed technical explanation with context]

## Requirements
- Valid domain credentials
- Network access to Domain Controller
- Tools: Rubeus, Impacket, or PowerView

## Instructions
### Step 1: Enumerate SPNs
[Detailed procedure steps...]
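As an added example that is not part of the vault or its MCP server, the following dependency-free Python parses the frontmatter schema shown above, follows the WikiLinks to build a technique-to-procedure index, and lists the technique ids that still lack a detection rule (the coverage-gap use described in the Blue Team section). The sample file, the parser and the function names are all constructed here; `covered_ids` stands in for whatever set of technique ids your SIEM/EDR rules already cover.

```python
import re
from collections import defaultdict

# Constructed sample in the vault's frontmatter schema (not a real vault file).
SAMPLE_FILES = {"procedures/Kerberoasting.md": '''---
id: 550e8400-e29b-41d4-a716-446655440000      # UUID for unique identification
name: Kerberoasting
type: procedure
tactics:
  - "[[Credential Access|TA0006 - Credential Access]]"
techniques:
  - "[[Steal or Forge Kerberos Tickets|T1558]]"
sub_techniques:
  - "[[T1558.003 - Kerberoasting]]"
---
'''}
WIKILINK = re.compile(r"\[\[([^\]|]+)(?:\|([^\]]+))?\]\]")
MITRE_ID = re.compile(r"\b(TA\d{4}|T\d{4}(?:\.\d{3})?)\b")

def parse_frontmatter(text):
    """Parse the YAML subset the vault uses: 'key: scalar' and lists of quoted WikiLinks."""
    if not text.startswith("---\n"):
        return {}
    meta, key = {}, None
    for raw in text[4:text.index("\n---", 4)].splitlines():
        line = raw.split("#", 1)[0].rstrip()  # drop comments; assumes no '#' inside links
        if line.startswith("  - ") and key is not None:
            meta[key].append(line[4:].strip().strip('"'))
        elif ":" in line:
            key, _, val = line.partition(":")
            meta[key] = val.strip() or []  # an empty value opens a list
    return meta

def mitre_ids(values):
    """Extract TAxxxx / Txxxx(.yyy) ids from WikiLinks such as [[Name|T1558]]; alias side wins."""
    links = filter(None, map(WIKILINK.search, values))
    hits = (MITRE_ID.search(m.group(2) or m.group(1)) for m in links)
    return [h.group(1) for h in hits if h]

def build_index(files):
    """Map MITRE technique id -> set of procedure names (edges = frontmatter WikiLinks)."""
    index = defaultdict(set)
    for text in files.values():
        meta = parse_frontmatter(text)
        if meta.get("type") == "procedure":
            for tid in mitre_ids(meta.get("techniques", []) + meta.get("sub_techniques", [])):
                index[tid].add(meta["name"])
    return index

def detection_gaps(index, covered_ids):
    """Technique ids that have documented procedures but no detection rule yet."""
    return sorted(t for t in index if t not in covered_ids)
```

Pointing `SAMPLE_FILES` at the real `procedures/` directory (read each `.md` into the dict) gives the same index over the whole vault.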

🚀 Quick Start

Prerequisites

  • Obsidian v1.4.0+ (free)
  • Git for cloning
  • Python 3.10+ (optional, for MCP server)

Installation

# Clone the repository
git clone https://github.com/redstackio/redstack-vault.git
cd redstack-vault

# Open in Obsidian
# Option 1: Obsidian → "Open folder as vault" → Select redstack-vault/
# Option 2: CLI (macOS)
open -a Obsidian .

# Option 3: CLI (Linux)
obsidian .

🎉 First Steps

  1. Open Dashboard.md - Your central navigation hub
  2. Explore by MITRE ATT&CK - Browse tactics/techniques/procedures
  3. Search - Use Cmd/Ctrl+O for quick file search
  4. Graph View - Cmd/Ctrl+G to visualize connections

🔌 Recommended Obsidian Plugins

Install these community plugins for the best experience:

  • Dataview - Dynamic queries and statistics (essential)
  • Templater - Content creation templates
  • Omnisearch - Full-text search
  • Tag Wrangler - Tag management
  • Excalidraw - Attack flow diagrams

🤖 MCP Server (AI Integration)

Redstack Vault includes a Model Context Protocol (MCP) server for seamless AI/LLM integration.

🔧 Available Tools

| Tool | Description |
|---|---|
| get_attack_chain_with_commands() | Retrieve complete attack chain with all commands |
| list_attack_chains() | Browse available attack chains |
| search_attack_chains() | Filter by tool/technique/platform |
| find_commands_by_tool() | Find commands for specific tools |
| find_commands_by_capability() | Semantic search for capabilities |
| find_attack_chains_by_tool() | Chains using a specific tool |
| list_available_tools() | Full tool inventory |
| search_procedures() | Search by tactic/technique/platform |
| get_vault_stats() | Content statistics |

🟣 Claude Desktop Integration

  1. Install Python dependencies:

cd .mcp-server
python -m venv .venv
source .venv/bin/activate  # On Windows: .venv\Scripts\activate
pip install -r requirements.txt

  2. Add to your Claude Desktop config:

macOS: ~/Library/Application Support/Claude/claude_desktop_config.json
Windows: %APPDATA%\Claude\claude_desktop_config.json

{
  "mcpServers": {
    "redstack-vault": {
      "command": "python",
      "args": ["/absolute/path/to/redstack-vault/.mcp-server/mcp_server.py"]
    }
  }
}

  3. Restart Claude Desktop

  4. Ask Claude: "List all Windows privilege escalation procedures" or "Show me the DCSync attack chain"

🔍 Other RAG Integrations

LangChain

# Newer LangChain releases ship this loader as langchain_community.document_loaders.ObsidianLoader
from langchain.document_loaders import ObsidianLoader

loader = ObsidianLoader("/path/to/redstack-vault")  # parses YAML frontmatter into document metadata
docs = loader.load()

LlamaIndex

# LlamaIndex 0.10+ moved this import to llama_index.core
from llama_index import SimpleDirectoryReader

reader = SimpleDirectoryReader("/path/to/redstack-vault")  # add recursive=True to descend into subfolders
documents = reader.load_data()

🤝 Contributing

We welcome contributions! Here's how you can help:

📝 Adding New Content

  1. Fork the repository
  2. Use templates from _assets/templates/ for consistency:
    • procedure.md - Attack procedures
    • command.md - CLI commands
    • tool.md - Tool documentation
    • attack-chain.md - Multi-stage attacks
    • technique.md - MITRE techniques
  3. Follow the schema:
    • Include YAML frontmatter with UUID
    • Link to relevant tactics/techniques/tools using WikiLinks
    • Add platform tags
    • Include verification status
  4. Submit a Pull Request with:
    • Clear description of additions
    • MITRE ATT&CK mappings (if applicable)
    • Verification/testing notes

✅ Contribution Guidelines

  • Quality over quantity: Verified procedures preferred
  • Cite sources: Link to original research/blogs when applicable
  • No illegal content: Only techniques for authorized testing
  • Maintain consistency: Follow existing file structure
  • Test before submitting: Verify procedures work as documented

💬 Community

  • Issues: Bug reports and feature requests
  • Discussions: Share use cases and integrations
  • Pull Requests: Code and content contributions welcome

⚠️ Disclaimer

FOR AUTHORIZED SECURITY TESTING ONLY

This knowledge base contains offensive security techniques and should only be used for:

Authorized Activities

  • Penetration testing engagements with written authorization
  • Red team operations within defined scope
  • Security research and academic study
  • Capture The Flag (CTF) competitions
  • Defensive security and threat modeling
  • Personal lab environments you own

Prohibited Activities

  • Unauthorized access to computer systems (illegal in most jurisdictions)
  • Attacking systems without explicit written permission
  • Using techniques for malicious purposes
  • Violating terms of service or acceptable use policies

Legal Notice

  • Unauthorized computer access is illegal under laws including the Computer Fraud and Abuse Act (CFAA) in the US and similar legislation worldwide
  • The authors and contributors are not responsible for misuse of this information
  • Always follow responsible disclosure practices when discovering vulnerabilities
  • Obtain proper authorization before testing any system you do not own

Use responsibly. Stay legal. Be ethical.

⭐ Star History

If you find Redstack Vault useful, please consider starring the repository!



Built with ❤️ by the security community, for the security community

"The quieter you become, the more you are able to hear."

© 2025 RedStack Labs Corp.

About: The RedStack DB extracted as an Obsidian Vault