BRA is an AI-augmented security assessment framework — an extension to the operator, not a replacement. The operator drives the engagement and owns the decisions. An LLM agent works alongside as force-multiplier — running reconnaissance, capturing evidence, drafting findings, generating the report — but every action it takes is gated, anonymized, and recorded by a governance layer the operator controls.
Before any agent is launched, BRA runs you through a multi-step scope intake wizard: privacy posture (what gets anonymized before reaching the model), target name + version, in-scope IPs / CIDRs / URLs / file paths / device addresses, out-of-scope exclusions, time window, written-authorization attestation, active-testing permission, and a per-engagement safety-approvals matrix. The framework then auto-detects identifiable values in the scope (IPs, hostnames, credentials), shows them to you for review, and anonymizes the approved set before anything reaches the LLM.
From there, the agent runs reconnaissance, captures evidence, and files leads and findings. Every request, response, tool call, and command flows through multiple layers that:
Target check
Subdomains and unrelated hosts trigger an in-app modal asking the operator to grant Full / Limited / Deny before anything runs.
Approval gates
Destructive ops, active testing, framework writes — each requires its own governance token to be active.
Local masking
IPs and hostnames are anonymized before reaching the LLM and rehydrated for the operator on the way back. The map is operator-only.
As the engagement runs, three living records are built up — Intel (services, endpoints, infrastructure facts), Leads (investigation threads worth pursuing), and Findings (confirmed vulnerabilities).
When the operator ends an engagement and selects which findings to include, the governed schema is used to generate a full engagement report with executive summary, per-finding detail, remediation roadmap, and vendor disclosure timeline.
Control is not a brake on capability; it is the condition that allows capability to persist.
BRA separates AI capability from operational authority. Models reason and propose; governance state, runtime controls, and operator decisions determine what actually executes.
- AI is advisory, not authoritative.
- Authority is explicit state, not prompt-only or SDK hook compliance.
- Control exists both inside and outside the agent’s purview — and survives replacement of the model, tool, interface, or operator.
chmod +x bra-slim
./bra-slim --host 0.0.0.0 --port 7777On first launch the binary creates a hidden state directory (.bra-slim/) under the current working directory and prints an auto-generated session token to the terminal:
BRA Web GUI — Battle Ready Armor Dashboard
Token: ABc123…
BRA Directory: /home/youOpen http://<host>:7777/?token=<token> in a browser. First load asks for your Anthropic API key in Config → Agent Runtime; paste it in and start your first engagement from the Operations tab.
To run without auth, add --no-auth.
A scoped, read-only summary of the active engagement: governance posture, scope, lifecycle, statistics, and recent findings. Operator network identifiers are redacted in this screenshot.
The Operations tab is the live engagement workspace — the operator sees the agent's reasoning, proposed commands, and decision options inline, with three independent gates riding every action:
- Tool approval — first-time use of any tool (Bash, Write, Edit, etc.). Per-call:
Allow Once, orAllow + Overrideto record a rule that suppresses repeats of the same pattern. - Target scope — every host / IP / URL in the command must match the approved scope. Subdomains and unrelated targets prompt a modal with
Full / Limited / Denybefore anything runs. - Governance token — destructive ops, active testing, framework writes, etc. each require their own token to be active. The prompt offers
Once / Session / Engagement / Denyscoping.
Allow + Override button records an override rule so the operator isn't prompted for the same pattern again.
An override is an approval rule the operator records during an engagement so the agent doesn't ask again for the same pattern. They are visible in Loadout → Overrides and can be enabled / disabled / reviewed there. The framework keeps a per-decision history so every Allow / Deny remains auditable after the fact.
Override management itself is governed: writes require the OVERRIDE-APPROVAL token. Without it, the panel is read-only and existing overrides apply but new ones cannot be created.
The Web GUI is responsive — the same engagement runs from a phone or tablet without a separate app. Useful when the operator is away from the desk and the agent hits a tool-approval gate.
Three living records are built up as the engagement runs:
- Intel — services, endpoints, technology facts the agent confirms (e.g., open ports, DNS / mail infrastructure, framework fingerprints).
- Leads — investigation threads worth pursuing (e.g., a softfail SPF record, a misconfigured cookie, a suspicious header) before they become findings.
- Findings — confirmed vulnerabilities. As the agent identifies them they are emitted to a queue for documentation by a dedicated subagent; the main thread keeps running so the operator can drive forward while the queue drains.
End the engagement, fill in the disclosure intake form (researcher / vendor / CNA fields, report types: pentest / vendor / research), select which findings make the report, and the framework generates a structured report.
The report includes an AI-enhanced executive summary, technical summary covering methodology and intelligence highlights, per-finding detail with CVSS, a phased remediation roadmap, and a disclosure timeline ready to send to the vendor.
Locked features are available with a premium license.
Feature matrix · Slim vs Premium
| Capability | Slim | Premium |
|---|---|---|
| Web | ● | ● |
| Mobile (browser) | ● | ● |
| iOS Native App | — | ● |
| CLI | — | ● |
| TUI | — | ● |
| 2x4 (AI Assistant Co-pilot) | — | ● |
| Capability | Slim | Premium |
|---|---|---|
| Anthropic / Claude direct | ● | ● |
| Multi-provider routing (frontier hosted models) | — | ● |
| Local / on-host LLM | — | ● |
| Bring-your-own LLM gateway | — | ● |
| Capability | Slim | Premium |
|---|---|---|
| During scope intake (one-time, before agent starts) | ||
| Dumb Scope — regex/dictionary anon | ● | ● |
| No-Scope mode | ● | ● |
| Frontier Scope (LLM standardization) | — | ● |
| Local Scope (on-host NER — SecBERT / CyNER / spaCy) | — | ● |
| Live during LLM chat (every request/response) | ||
| Map Scan — applies the scope-intake anon map to live chat | ● | ● |
| No-Scan mode | ● | ● |
| Anon Scan (regex+dictionary live chat) | — | ● |
| Local Scan (on-host NER live chat — SecBERT / CyNER / spaCy) | — | ● |
| Manual rules (operator-added via Loadout → Anonymization) | ||
| Add custom anon entry (literal or pattern → token) | ● | ● |
| Edit / remove entries from the engagement anon map | ● | ● |
| Capability | Slim | Premium |
|---|---|---|
| Scope intake wizard | ● | ● |
| Active engagement chat | ● | ● |
| Tool / target / token approval gates | ● | ● |
| Findings emission + subagent documentation | ● | ● |
| Findings selection before report | ● | ● |
| End-engagement intake (vendor/CNA/PenTest) | ● | ● |
| AI-enhanced report (exec summary, recommendations) | ● | ● |
| Vendor disclosure timeline | ● | ● |
| Custom Report Format / Syntax | — | ● |
| Findings fast path | — | ● |
| Capability | Slim | Premium |
|---|---|---|
| Loadout — Skills library | — | ● |
| Loadout — Tools library | — | ● |
| Loadout — Methodologies | — | ● |
| Loadout — Workflows | — | ● |
| Battle Card view (operator profile) | ● | ● |
| Pitches — framework improvement proposals | — | ● |
| Lessons Learned — Kill Chain Progression | — | ● |
| Reference docs viewer | — | ● |
| Capability | Slim | Premium |
|---|---|---|
| Debug tab — live diagnostics | — | ● |
| Log viewer / WebSocket inspector | — | ● |
| Process explorer | — | ● |
| Environment / token-usage diagnostics | — | ● |
| Harness explorer (test-harness UI) | — | ● |
| 2x4 / Voice Call / Takeover integration | — | ● |
Slim activates a small core set of governance tokens. Premium unlocks the rest of the catalog and adds session/engagement scoping.
Incomplete list — additional tokens are introduced and rotated as the framework evolves; the rows below are representative, not exhaustive.
| Token | Purpose | Slim | Premium |
|---|---|---|---|
| ACTIVE-TESTING-APPROVAL | Active network testing | ● | ● |
| DESTRUCTIVE-APPROVAL | Destructive ops (resets, deletions) | ● | ● |
| OFFENSIVE-APPROVAL | Exploit attempts & offensive activity | ● | ● |
| OVERRIDE-APPROVAL | Override-rule management (always on in slim) | ● | ● |
| FINDINGS-SELECTION | Pre-report finding picker (always on in slim) | ● | ● |
| SLOWPATH-FINDINGS | Subagent-driven finding doc (always on in slim) | ● | ● |
| DISABLE-TOKEN-TRACKING | Suppress per-token audit (always on in slim) | ● | ● |
| SYSTEM-INSTALL-APPROVAL | Install packages / system tools | — | ● |
| FRAMEWORK-DEV-APPROVAL | Modify BRA framework files | — | ● |
| PUSH-APPROVAL | Git push / external transmission | — | ● |
| LAYER2-WRITE-APPROVAL | Modify methodologies / workflows | — | ● |
| USER-INSTALL-APPROVAL | User-scoped installs | — | ● |
| VIRTUAL-INSTALL-APPROVAL | Virtualenv-only installs | — | ● |
| HEALTH-BYPASS | Proceed past failed health checks | — | ● |
| WATCH / TRACK / BRA-DEBUG | Live audit / tracking / debug | — | ● |
| NEGATIVE-RESULTS | Record negative-test outcomes | — | ● |
| FINDINGS-FASTPATH | Skip subagent doc, fast write | — | ● |
| IGNORE-BACKUP | Skip backup steps | — | ● |
- You own the binary. No calls home, no telemetry, no license server.
- You own the API traffic. Requests go from your host directly to Anthropic.
- Anonymization happens locally. The map is generated on your disk; the agent never sees the real values until after rehydration.
- Control in Depth. Engagements follow the Control in Depth principle. The agent is mechanically contained, ensuring scope and rules of engagement are law, not suggestion.
- Replacement-resistant. The control boundary survives replacement — model, tool, interface, and operator agnostic.
Unlock multi-provider agent routing, the full knowledge surface (skills / tools / methodologies / workflows), the operator control plane (debug, harness explorer, live diagnostics), advanced privacy modes (Frontier / Micro / Local Scope, NER), and the full governance-token catalog.