Domain Coverage
ARCHER is designed to cover the full operational scope of a professional security team. Each domain is a self-contained skill pack, built to its governing professional standards, validated with real operational runs.
A domain is considered complete when: it has thorough skill coverage, has been validated with multiple real operational runs against appropriate targets, and produces output that meets the governing standards for that domain.
Current Status
| Domain | Status | Standards |
|---|---|---|
| Penetration Testing | Active - 9 subdomain packs shipped | PTES, NIST SP 800-115, OWASP, MITRE ATT&CK, OSCP |
| System Hardening | Planned | CIS Benchmarks, DISA STIGs, NIST SP 800-123 |
| Threat Hunting | Planned | MITRE ATT&CK, PEAK Framework, Cyber Kill Chain |
| Digital Forensics | Planned | ISO/IEC 27037, NIST SP 800-86, SWGDE |
| Malware Analysis | Planned | MAEC, MITRE ATT&CK, Behavior-based Detection |
| Threat Intelligence | Planned | Diamond Model, Intelligence Cycle, STIX, TAXII, NIST SP 800-150 |
| CTF / Training | Planned | OWASP, PTES |
| Network and Host Baselining | Planned | CIS Benchmarks, NIST SP 800-123 |
| Honeypot Operations | Planned | Scientific Method, Behavior-based Detection |
Penetration Testing - Active Subdomains
The penetration testing domain currently includes eight active skill packs, plus a ninth (PT-ThreatEmulation) that ships as a pack but has no eval objectives yet:
| Pack | Skills |
|---|---|
| PT-Recon | Entity identification, reconnaissance, port scanning, service enumeration |
| PT-Vulnerability | Vulnerability assessment, vulnerability scanning |
| PT-Web | Web enumeration, web vulnerability scanning, authentication testing, exploitation, SQLi, LFI, XSS, command injection |
| PT-Exploitation | Network exploitation, system exploitation |
| PT-PostExploit | Post-exploitation, lateral movement, persistence, exfiltration |
| PT-Pivoting | SSH tunneling, SOCKS proxy, chisel, ligolo-ng, socat relay, ProxyJump |
| PT-Privesc | Linux privilege escalation, Windows privilege escalation |
| PT-ActiveDirectory | AD enumeration, credential attacks, lateral movement |
| PT-ThreatEmulation | Adversary TTP simulation and detection validation — pack exists, no eval objectives yet |
Architecture Note
Each domain loads as an isolated skill pack - it cannot be combined with another domain in the same session. This is a hard architectural constraint, not a configuration option. Penetration testing prompts the model to be aggressive and enumerate everything. Threat hunting prompts it to minimize footprint. A merged prompt produces neither correctly. Isolation is enforced mechanically: a RuntimeError fires on any attempt to load a second domain.
New domains can be added without modifying ARCHER's core. The skill pack contract - halt_fn, hints_fn, bonus_fn - is the extension point. A contributor who follows the contract ships a working new domain without touching the agent loop, the routing system, or the eval harness.
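The two architectural points above, single-domain isolation enforced with a RuntimeError and the halt_fn / hints_fn / bonus_fn contract as the extension point, are easy to see in a small loader. The following is an added illustration, not ARCHER's own code: the page names only the three callbacks and the RuntimeError behaviour, so the `SkillPack` dataclass, the `Session` class, the callback signatures (each taking a state dict) and the two sample packs are assumptions made for this example.

```python
"""Hypothetical single-domain loader and skill-pack contract.

Added illustration, not ARCHER's own code. The page states only that a
skill pack exposes halt_fn, hints_fn and bonus_fn and that loading a
second domain in one session raises RuntimeError; every class, field
and signature below is an assumption made for this example.
"""
from dataclasses import dataclass
from typing import Callable, Optional


@dataclass(frozen=True)
class SkillPack:
    """Contract a domain ships: a name plus three callbacks (assumed shape)."""
    domain: str
    # halt_fn(state) -> bool: should the agent loop stop?
    halt_fn: Callable[[dict], bool]
    # hints_fn(state) -> list[str]: domain-specific guidance for the next step
    hints_fn: Callable[[dict], list]
    # bonus_fn(state) -> float: extra score reported to the eval harness
    bonus_fn: Callable[[dict], float]


class Session:
    """Holds at most one loaded domain for its whole lifetime."""

    def __init__(self) -> None:
        self._pack: Optional[SkillPack] = None

    @property
    def domain(self) -> Optional[str]:
        return self._pack.domain if self._pack else None

    def load(self, pack: SkillPack) -> None:
        # Hard constraint: a second load is refused outright, so a merged
        # (pentest + threat-hunting) prompt can never be assembled.
        if self._pack is not None:
            raise RuntimeError(
                f"domain '{self._pack.domain}' already loaded; "
                f"refusing to load '{pack.domain}' in the same session"
            )
        self._pack = pack

    def step(self, state: dict) -> dict:
        """Run one agent-loop step purely through the contract callbacks."""
        if self._pack is None:
            raise RuntimeError("no domain loaded")
        return {
            "halt": self._pack.halt_fn(state),
            "hints": self._pack.hints_fn(state),
            "bonus": self._pack.bonus_fn(state),
        }


# Two illustrative packs with deliberately opposite guidance, mirroring the
# page's point that the pentest and threat-hunting prompts conflict.
def make_pentest_pack() -> SkillPack:
    return SkillPack(
        domain="penetration_testing",
        halt_fn=lambda s: bool(s.get("objective_met", False)),
        hints_fn=lambda s: [] if s.get("objective_met") else ["enumerate every service"],
        bonus_fn=lambda s: 1.0 if s.get("objective_met") else 0.0,
    )


def make_threat_hunting_pack() -> SkillPack:
    return SkillPack(
        domain="threat_hunting",
        halt_fn=lambda s: bool(s.get("hypothesis_resolved", False)),
        hints_fn=lambda s: ["minimize footprint; prefer passive telemetry"],
        bonus_fn=lambda s: 0.5 * len(s.get("findings", [])),
    )


def second_domain_is_rejected() -> bool:
    """Return True when loading a second domain raises RuntimeError."""
    session = Session()
    session.load(make_pentest_pack())
    try:
        session.load(make_threat_hunting_pack())
    except RuntimeError:
        return True
    return False


if __name__ == "__main__":
    s = Session()
    s.load(make_pentest_pack())
    print(s.step({"objective_met": False}))
    print("second domain rejected:", second_domain_is_rejected())
```

Because the agent loop only ever calls the three callbacks through `Session.step`, a contributor adding a new domain writes one `SkillPack` and nothing else; the loop, routing and harness stay untouched, which is the extension property the note describes.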