Implement proven methodologies and tool workflows from top security researchers for effective reconnaissance, vulnerability discovery, and bug bounty hunting. Automate common tasks while maintaining thorough coverage of attack surfaces.
Confirm successful installation by checking the skill directory location:
.cursor/skills/red-team-tools-and-methodology
Restart Cursor to activate red-team-tools-and-methodology. Access via /red-team-tools-and-methodology in your agent's command palette.
β
Security Notice
We perform automated surface-level scans (Gen AI Scanner, Socket, Snyk) during installation. These checks detect common vulnerabilities but do not guarantee complete security. Always review skill source code and verify the publisher's reputation before production use.
Skills execute code in your environment. Always review source, verify the publisher, and test in isolation before production.
Implement proven methodologies and tool workflows from top security researchers for effective reconnaissance, vulnerability discovery, and bug bounty hunting. Automate common tasks while maintaining thorough coverage of attack surfaces.
Inputs/Prerequisites
Target scope definition (domains, IP ranges, applications)
Linux-based attack machine (Kali, Ubuntu)
Bug bounty program rules and scope
Tool dependencies installed (Go, Python, Ruby)
API keys for various services (Shodan, Censys, etc.)
Outputs/Deliverables
Comprehensive subdomain enumeration
Live host discovery and technology fingerprinting
Identified vulnerabilities and attack vectors
Automated recon pipeline outputs
Documented findings for reporting
Core Workflow
1. Project Tracking and Acquisitions
Set up reconnaissance tracking:
# Create project structuremkdir-p target/{recon,vulns,reports}cd target
# Find acquisitions using Crunchbase# Search manually for subsidiary companies# Get ASN for targetsamass intel -org"Target Company"-src# Alternative ASN lookupcurl-s"https://bgp.he.net/search?search=targetcompany&commit=Search"
# Check which hosts are live with httprobecat domains.txt | httprobe -c80 --prefer-https | anew hosts.txt
# Use httpx for more detailscat domains.txt | httpx -title -tech-detect -status-code -o live_hosts.txt
# Alternative with massdnsmassdns -r resolvers.txt -t A -o S domains.txt > resolved.txt
# Directory bruteforce with ffufffuf -ac-v-u https://target.com/FUZZ -w /usr/share/seclists/Discovery/Web-Content/raft-medium-directories.txt
# Historical URLs from Waybackwaybackurls target.com |tee wayback.txt
# Find all URLs with gaugau target.com |tee all_urls.txt
# Parameter discoverycat all_urls.txt |grep"="|sort-u> params.txt
# Generate custom wordlist from historical datacat all_urls.txt | unfurl paths |sort-u> custom_wordlist.txt
6. Application Analysis (Jason Haddix Method)
Heat Map Priority Areas:
File Uploads - Test for injection, XXE, SSRF, shell upload
Content Types - Filter Burp for multipart forms
APIs - Look for hidden methods, lack of auth
Profile Sections - Stored XSS, custom fields
Integrations - SSRF through third parties
Error Pages - Exotic injection points
Analysis Questions:
How does the app pass data? (Params, API, Hybrid)
Where does the app talk about users? (UID, UUID endpoints)
Does the site have multi-tenancy or user levels?
Does it have a unique threat model?
How does the site handle XSS/CSRF?
Has the site had past writeups/exploits?
7. Automated XSS Hunting
# ParamSpider for parameter extractionpython3 paramspider.py --domain target.com -o params.txt
# Filter with Gxsscat params.txt | Gxss -ptest# Dalfox for XSS testingcat params.txt | dalfox pipe --mining-dict params.txt -o xss_results.txt
# Alternative workflowwaybackurls target.com |grep"="| qsreplace '"><script>alert(1)</script>'|whileread url;docurl-s"$url"|grep-q'alert(1)'&&echo"$url"done> potential_xss.txt
8. Vulnerability Scanning
# Nuclei comprehensive scannuclei -l hosts.txt -t ~/nuclei-templates/ -o nuclei_results.txt
# Check for common CVEsnuclei -l hosts.txt -t cves/ -o cve_results.txt
# Web vulnerabilitiesnuclei -l hosts.txt -t vulnerabilities/ -o vuln_results.txt
9. API Enumeration
Wordlists for API fuzzing:
# Enumerate API endpointsffuf -u https://target.com/api/FUZZ -w /usr/share/seclists/Discovery/Web-Content/api/api-endpoints.txt
# Test API versionsffuf -u https://target.com/api/v1/FUZZ -w api_wordlist.txt
ffuf -u https://target.com/api/v2/FUZZ -w api_wordlist.txt
# Check for hidden methodsformethodin GET POST PUT DELETE PATCH;docurl-X$method https://target.com/api/users -vdone
βΊAccess to product documentation and roadmap tools (Jira, Notion, etc.)
βΊUnderstanding of product management frameworks (RICE, Jobs-to-be-Done, etc.)
βΊStakeholder contact information and communication channels
Time Estimate
30-60 minutes to see productivity improvements
Steps
1Install product management skill
2Start with user story generation for known feature
3Progress to competitive analysis: research 2-3 competitors
4Use for roadmap prioritization: apply RICE/ICE scoring
5Draft stakeholder communications and refine based on feedback
6Build template library for recurring PM tasks
7Share effective prompts with product team
Common Pitfalls
β Not validating competitive researchβverify facts before sharing
β Accepting user stories without involving engineering team
β Over-relying on frameworks without qualitative judgment
β Not customizing outputs to company culture and communication style
β Skipping stakeholder validation of generated requirements
Best Practices
β Do
+Validate research and competitive analysis with real data
+Collaborate with engineering when generating technical requirements
+Customize frameworks and templates to your company context
+Use skill for first drafts, refine with stakeholder input
+Document successful prompt patterns for PM tasks
+Combine AI efficiency with human judgment and intuition
β Don't
βDon't publish competitive analysis without fact-checking
βDon't finalize user stories without engineering review
βDon't make prioritization decisions solely on AI scoring
βDon't skip customer validation of generated requirements
βDon't ignore company-specific context and culture
π‘ Pro Tips
β Provide context: company goals, constraints, customer feedback
β Ask for alternatives: 'Show 3 ways to prioritize this roadmap'
β Request stakeholder-specific formatting: 'Executive summary vs. engineering spec'
β Use skill for 70% generation + 30% customization to company needs
When to Use This
β Use when
Use for user story writing, competitive research, roadmap prioritization, stakeholder communication, and PRD drafting. Best for reducing repetitive documentation and research work.
β Avoid when
Avoid for strategic product vision (requires deep customer empathy), pricing decisions (needs market and financial expertise), or when face-to-face customer discovery is more valuable than speed.
Learning Path
1Basic: user stories, feature specs, status updates
