authored by a working operator

Two Claude Code skills for the full pentest kill chain.

Drop these in. Claude becomes a competent red-team operator that runs the actual toolchain — nmap, Metasploit, Burp, Project Discovery, sqlmap — across internal network and web app engagements.

get the bundle — $129 browse skills →

or $79 single · 24h download link · no subscription

claude — internal-network-pentest — engagement-2026-05-27

$ claude
✓ skill loaded: internal-network-pentest

> run recon on 192.168.4.0/24, i own this network

claude confirming target authorization for 192.168.4.0/24...
> yes, my lab

▸ phase 0 — toolchain check [ok]
▸ phase 2 — engagement dir ~/engagements/2026-05-27-lab
▸ phase 3 — host discovery
  sudo nmap -sn -PR 192.168.4.0/24 -oA scans/01-host-discovery
  sudo arp-scan -I wlan0 --localnet -x
  → 14 live hosts, written to scans/live-hosts.txt

▸ phase 4 — service enum on 14 hosts
  sudo nmap -sS -sV -sC -O --top-ports 1000 -iL scans/live-hosts.txt
  → 192.168.4.12 :445 SMB, signing disabled
  → 192.168.4.31 :8080 jboss, version 6.1.0 [check CVE-2017-12149]
  → 192.168.4.50 :22 openssh 7.4

claude SMB signing disabled on .12 — proceed to NTLM relay setup?

01 / authored

Hand-written by an operator

Not a tutorial. Not a wrapper. Each phase encodes commands and decision points from actual engagements.

02 / structured

Authorization gates everywhere

Both skills refuse active probes until you confirm scope. Protects you from muscle memory, not from yourself.

03 / drop-in

30 seconds to install

Unzip into ~/.claude/skills/. Restart Claude Code. Done.

/skills

The skills

Buy individually or as a bundle. Same buyer, same email, same install path.

internal

$79

internal-network-pentest

Drop-in operator for internal engagements on Windows + WSL2 with an AWUS1900. Walks the kill chain from association → recon → enum → vuln → exploit → report.

▸

Phase 0 — WSL2 + AWUS1900 toolchain verification

▸

Phase 1–2 — wpa_supplicant connect + numbered engagement directory

▸

Phase 3–5 — ARP/nmap discovery → SMB/LDAP/SNMP/NFS enum → NSE vuln scripts

▸

Phase 6 — Default creds, SMB null sessions, EternalBlue, Kerberoasting, AS-REP roasting, ACL abuse

▸

Phase 7 — CVSS-ish severity, impact, remediation per finding

Reference files

wsl-usbipd-setuprecon-enumerationvuln-scan-exploitreporting

buy internal — $79

web

$79

web-app-pentest

Windows-native web app + API pentest. Burp Community + Project Discovery toolchain. Passive recon, content discovery, manual OWASP Top 10, REST + GraphQL.

▸

Phase 0 — Windows toolchain (nmap, nuclei, httpx, ffuf, subfinder, katana, sqlmap, Burp)

▸

Phase 1–2 — Scope intake + structured engagement directory

▸

Phase 3 — Passive recon (CT logs, subfinder, DNS) before WAF-visible traffic

▸

Phase 4–6 — Content/parameter discovery → nuclei → manual SQLi, XSS, IDOR, SSRF, SSTI, deserialization

▸

Phase 7–8 — REST + GraphQL API testing → report devs will actually fix

Reference files

windows-toolchain-setuprecon-enumerationburp-suite-workflowsowasp-top10-testingapi-testingreporting

buy web — $79

/bundle

Both skills — full external-to-internal kill chain

Recon from outside, exploit the web app, pivot internal, lateral movement, report. Save $29.

$129

$158

buy bundle →

/how

How it works

01
Buy
Stripe Checkout. Card or Link. No account to create.
02
Check email
Within seconds, you receive a download link valid for 24h.
03
Install
Unzip into ~/.claude/skills/. Restart Claude Code.
04
Use
Mention the skill or let it auto-activate on relevant prompts.

/why

Why these aren't prompt-stuffing

Most "act as a pentester" prompts hallucinate tooling, skip authorization, and produce unstructured output you can't use at report time.

Real workflows, not prompts.

Full procedures Claude follows — with reference files, decision points, and authorization gates baked in.

Tool-first, not theory.

Every phase is grounded in commands you already run. The skills tell Claude exactly which nmap flags, which Burp extensions, which Metasploit modules.

Authorization gates everywhere.

Both skills refuse active probes until you confirm scope. Not legal cover — a guardrail.

Free updates.

Buy once, get email when skills update.

/faq

Questions

Is this legal?

Selling and possessing pentest skills is legal in the US and most jurisdictions. Both skills assume you have authorization for the target — your own lab, signed SOW, in-scope bug bounty — and have built-in authorization gates that block active probes until you confirm. Running them against systems you don't have authorization to test is not legal, and that's on you, same as nmap or Burp.

What's Claude Code?

Anthropic's official CLI for Claude. Free to install. Skills extend it with domain-specific capabilities — exactly what these provide.

Do I need Claude Pro or API credits?

Yes — these run on top of Claude Code, so you need a Claude account. Most engagements fit comfortably inside a Pro subscription.

Do these work outside Claude Code?

The skill format is Claude Code's, but the SKILL.md files are plain markdown. You can paste them into any Claude conversation as system instructions. Quality is best in Claude Code with the skill properly loaded.

Refund policy?

No refunds — these are digital goods delivered instantly. If something is genuinely broken, reply to your order email and we'll fix it.

Updates?

Free. You'll get an email when a skill you bought updates.

Can I share with my team?

License covers you + your direct employer's team for internal authorized engagements. Don't redistribute publicly.

Ready when you are.

get the bundle — $129