An agentic security CLI in the spirit of Claude Code and Codex, for offensive and defensive work.
The verification harness for AI-written detections. Red and blue, one motion. Riposte drafts a Sigma rule from each reproduced attack, then ships it only if it survives four gates: it compiles, fires on the real exploit, catches a model-mutated variant, and stays under your false-positive threshold.
$ riposte demo
[scope] loaded ROE: demo-lab (deny-by-default)
[red] 4 findings on http://localhost:3000 (3 INFO, 1 MEDIUM)
[purple] drafting Sigma rules from reproducible artifacts
gate 1 compile PASS
gate 2 fires on exploit PASS (attack.t1190 reflected-input)
gate 3 survives mutation PASS
gate 4 low false-positive PASS
[ship] 1 shipped (0 verified, 1 unverified) . 3 held back
[audit] hash-chain OK . tamper-evident
exit 0Deny-by-default scope check before every action; tiered autonomy, passive by default; sandboxed execution with a default-deny egress allowlist; a mandatory hash-chained audit log; a global kill switch.
Read the security modelA detection ships only if it survives four fail-closed gates, each rule carrying a 3-axis score (efficacy, robustness, cost). The harness is the product; generation is the easy part.
See the four gatesRed reproduces an exploit on an authorized target; blue auto-drafts a detection from that exact artifact; only verified rules ship, so coverage tracks real attacks. Defense and offense in one motion, which is literally what a riposte is in fencing.
Verified coverage feeds the next attack, so the loop stays closed.
The harness leads by rejecting bad rules. The missing-header findings produced the same rule shape, but it did not fire on their artifacts, so they were correctly held back. One reproduced exploit produced a rule that survived all four gates.
$ riposte demodetection:
selection:
cs-uri-query|contains: rpq=
condition: selection
tags:
- attack.t1190url.query:*rpq\=*sigma-cli converts the rule to your backend, self-correcting until it is clean.
Replays the real exploit against an instrumented SIEM and confirms the rule triggers.
A second model mutates the attack; the rule must still catch the variant.
Replayed against a benign corpus; only rules under your threshold pass.
Red enters as a finding. Only a rule that clears all four gates exits as a verified detection. Anything that fails stops in its chamber and is held back.
Claude-first, bring your own provider. Run it against a local Ollama or LM Studio model and nothing leaves your machine. There is no telemetry module to disable, because none exists.
$ riposte audit verify --log <dir>/audit.jsonl
OK (chain + anchor verified)| capability | Offensive-AI | AI-SOC | Riposte |
|---|---|---|---|
| proves the detection fires on the real exploit | not the focus | not the focus | yes |
| mutation-tested | not the focus | not the focus | yes |
| false-positive gated | not the focus | not the focus | yes |
| deterministic non-LLM oracle | not the focus | not the focus | yes |
Peers demonstrate more end-to-end attack capability and publish numbers; we do not have published capability numbers yet. Our bet is narrower: verification of the detection, not breadth of the attack.
What it has NOT done: run unsupervised, run against a third party, or ship a verified detection outside a self-owned lab.
Riposte is open core. The engine is free and Apache-2.0; the commercial product is the multi-team, hosted, compliance layer around it. We are not gating the core or competing on attack breadth.
$ git clone https://github.com/JoakimLarssen/Riposte && cd Riposte && riposte demoFor a blue team with a benign log corpus and an authorized target. We are looking for one design partner, not a waitlist.
Become a design partner