Skip to main content
A red team engagement that does not emulate a real threat is just a structured pentest with extra paperwork. The discipline of threat emulation — mimicking the TTPs of a specific adversary — is what makes red teaming meaningful.

”The Threat Gets a Vote”

The principle, codified by redteam.guide and inherited from military doctrine, is simple: engagements must be grounded in what real threats actually do, not just what defenders plan for. A blue team that prepares for the threat they wish they had — instead of the threat that actually exists — has prepared for nothing. Decepticon enforces this principle by requiring an explicit threat profile before generating an OPPLAN.

The Threat Profile

Decepticon adopts the seven-field threat profile structure used across the industry. Each engagement begins by selecting or authoring a profile:
The threat profile is not a wishlist — it is a constraint. Decepticon will not use techniques that are out of profile, because the value of emulation is precisely that it teaches the blue team to recognize that adversary.

How Decepticon Consumes a Threat Profile

When you start an engagement, the Soundwave planning agent interviews the operator and produces:
1

ConOps draft with embedded threat profile

Soundwave selects or composes a profile from the seven-field template, then weaves it into the Concept of Operations as the engagement’s “adversary of record.”
2

OPPLAN objectives constrained to in-profile TTPs

Each objective is tagged with MITRE ATT&CK IDs. The orchestrator refuses to schedule objectives whose TTPs fall outside the profile.
3

Skill loading filtered by profile match

Decepticon’s progressive-disclosure skill system loads only skills whose mitre_attack tags overlap with the profile. Out-of-profile skills are kept off the agent’s working set.
4

C2 channel selection by profile

The C2 tier and channel choices (Sliver mTLS, HTTPS, DNS) are picked to mirror the profile’s actual tradecraft — so the blue team’s detections fire against the right shapes.

Threat Profile vs. Pentest Scope

A pentest scope says “these IPs, these apps, these dates.” A threat profile says “this adversary, with these capabilities, motivated by these goals.” The two are not interchangeable.

Authoring a Custom Profile

Custom profiles live alongside the default ones in the Soundwave skills directory. A minimal profile is YAML frontmatter plus prose:
When this profile is selected, every Decepticon agent inherits its constraints — including the orchestrator’s refusal to schedule fast-callback C2 or noisy initial-access vectors.

Skill System

See how progressive-disclosure skills filter by ATT&CK overlap with the active threat profile.