”The Threat Gets a Vote”
The principle, codified by redteam.guide and inherited from military doctrine, is simple: engagements must be grounded in what real threats actually do, not just what defenders plan for. A blue team that prepares for the threat they wish they had — instead of the threat that actually exists — has prepared for nothing. Decepticon enforces this principle by requiring an explicit threat profile before generating an OPPLAN.The Threat Profile
Decepticon adopts the seven-field threat profile structure used across the industry. Each engagement begins by selecting or authoring a profile:The threat profile is not a wishlist — it is a constraint. Decepticon will not use techniques that are out of profile, because the value of emulation is precisely that it teaches the blue team to recognize that adversary.
How Decepticon Consumes a Threat Profile
When you start an engagement, the Soundwave planning agent interviews the operator and produces:1
ConOps draft with embedded threat profile
Soundwave selects or composes a profile from the seven-field template, then weaves it into the Concept of Operations as the engagement’s “adversary of record.”
2
OPPLAN objectives constrained to in-profile TTPs
Each objective is tagged with MITRE ATT&CK IDs. The orchestrator refuses to schedule objectives whose TTPs fall outside the profile.
3
Skill loading filtered by profile match
Decepticon’s progressive-disclosure skill system loads only skills whose
mitre_attack tags overlap with the profile. Out-of-profile skills are kept off the agent’s working set.4
C2 channel selection by profile
The C2 tier and channel choices (Sliver mTLS, HTTPS, DNS) are picked to mirror the profile’s actual tradecraft — so the blue team’s detections fire against the right shapes.
Threat Profile vs. Pentest Scope
A pentest scope says “these IPs, these apps, these dates.” A threat profile says “this adversary, with these capabilities, motivated by these goals.” The two are not interchangeable.Authoring a Custom Profile
Custom profiles live alongside the default ones in the Soundwave skills directory. A minimal profile is YAML frontmatter plus prose:Skill System
See how progressive-disclosure skills filter by ATT&CK overlap with the active threat profile.
