
Written by the Kindo Team
Red teamers thrive on speed, creativity, and precision, but too often, they’re stuck doing repetitive work that slows everything down.
1. CVE analysis and prioritization.
2. Open source intelligence gathering.
3. Vulnerability scanning.
4. Payload and exploit code generation.
5. Recon and report writing.
These are foundational parts of offensive security, but they’re time-consuming, error-prone, and often stitched together manually across multiple tools.
This is where Kindo comes in.
By using Kindo to automate red team workflows, you can connect threat intelligence platforms, leverage AI to write custom scripts or generate payloads, and create complete playbooks that eliminate grunt work.
The result? Less time spent researching, more time focused on strategy, lateral movement, and impactful exploitation.
In this guide, we’ll break down five high-impact workflows that are ideal for red team automation in Kindo, from CVE exploitation to WordPress scanning. Each one includes the key steps, the rationale for automation, and the value your team can unlock by making the switch.
1. Automatic CVE Exploitation
Finding and exploiting vulnerabilities is an important part of offensive security, but it requires an enormous amount of time and effort. Analysts must sift through massive public databases like MITRE's CVE database or more detailed sources like VulnCheck. They must identify vulnerabilities associated with the target technologies and determine which can be exploited. Even after identifying a good vulnerability, developing a working exploit takes more time. Automating this process accelerates the entire workflow, from discovery to execution, allowing teams to focus on making a difference rather than spending too much time on research.
Workflow Steps
1. The first step is to set up a new workflow agent. In the initial stage of the workflow, we’ll add an API action step to query MITRE’s CVE database to gather vulnerability information.

2. The next step involves creating another API action step. Here, we'll query VulnCheck’s KEV database to access additional resources. This will provide more detailed information and complement the data available in the MITRE CVE database.

3. Now, we’ll set up an LLM action step. This step directs Kindo to identify CVEs that are relevant to our query (in this case, SonicWall). Additionally, it refines the results to include only those CVEs that allow privilege escalation, enable remote code execution, or facilitate backdoor access.

4. To conclude the workflow, we will use an LLM action step to generate a red team penetration test. This will involve selecting one of the identified CVEs and crafting exploit code based on it. The exploit will be designed to establish an administrator account, functioning as a backdoor within the system. We will also generate a comprehensive summary of the process in a detailed red team penetration testing report.

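A worked version of steps 1 to 3 with the live API calls replaced by inline data, added here as an example and not part of Kindo's product: it merges a MITRE/NVD-style feed with a VulnCheck/KEV-style feed, keeps only the vendor's CVEs that fall into the three impact classes named above, and ranks them. The feeds, the field names and the CVE IDs are constructed placeholders, and the scoring weights are illustrative; the same triage is what a vulnerability-management team runs to decide what to patch first.

```python
"""Merge CVE records from two feeds and rank them for one vendor.
Added example, not Kindo's code: the feeds are constructed inline in a
MITRE/NVD-like and a VulnCheck/CISA KEV-like shape; CVE IDs are placeholders."""
import re

# Constructed NVD/MITRE-like records (placeholder IDs, fictional text).
MITRE_FEED = [
    {"id": "CVE-0000-0001", "vendor": "SonicWall", "cvss": 9.8,
     "description": "Unauthenticated remote code execution in the SSL VPN service."},
    {"id": "CVE-0000-0002", "vendor": "SonicWall", "cvss": 7.5,
     "description": "Local privilege escalation via a writable configuration file."},
    {"id": "CVE-0000-0003", "vendor": "SonicWall", "cvss": 5.3,
     "description": "Information disclosure through a verbose error page."},
    {"id": "CVE-0000-0004", "vendor": "OtherVendor", "cvss": 9.1,
     "description": "Remote code execution in an unrelated product."},
]
# Constructed KEV-like records: CVEs known to be exploited in the wild.
KEV_FEED = [
    {"cveID": "CVE-0000-0002", "knownRansomwareCampaignUse": "Known"},
    {"cveID": "CVE-0000-0004", "knownRansomwareCampaignUse": "Unknown"},
]
# The three impact classes the workflow's LLM step is told to keep.
IMPACT_PATTERNS = {
    "rce": re.compile(r"remote code execution|\bRCE\b", re.I),
    "privesc": re.compile(r"privilege escalation|elevation of privilege", re.I),
    "backdoor": re.compile(r"backdoor|authentication bypass|hard-?coded credential", re.I),
}

def classify_impact(description):
    """Return the set of impact classes the description matches."""
    return {name for name, pat in IMPACT_PATTERNS.items() if pat.search(description)}

def triage(mitre_feed, kev_feed, vendor):
    """Keep the vendor's CVEs that match an impact class, then rank by
    in-the-wild exploitation (KEV), ransomware use and CVSS score."""
    kev = {r["cveID"]: r for r in kev_feed}
    ranked = []
    for rec in mitre_feed:
        if rec["vendor"].lower() != vendor.lower():
            continue
        impact = classify_impact(rec["description"])
        if not impact:
            continue  # e.g. a plain information disclosure is dropped
        in_kev = rec["id"] in kev
        ransomware = in_kev and kev[rec["id"]]["knownRansomwareCampaignUse"] == "Known"
        score = rec["cvss"] + (10 if in_kev else 0) + (5 if ransomware else 0)
        ranked.append({"id": rec["id"], "impact": sorted(impact),
                       "in_kev": in_kev, "score": score})
    return sorted(ranked, key=lambda r: r["score"], reverse=True)
```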
Value of Automation
Automating the CVE exploitation process saves a lot of time by turning a complicated, scattered task into a smooth, organized system. Instead of spending hours searching through massive CVE databases, red teamers can quickly find vulnerabilities that are relevant for their specific engagements.
Automation also ensures the process is consistent and reduces mistakes, like missing important vulnerabilities or making errors when creating exploits. With MITRE, VulnCheck, and generative AI working together, the workflow not only identifies the most important vulnerabilities but also creates custom exploit code that's ready to deploy, saving time while staying accurate.
This frees up red teamers to focus on more advanced tasks, like finding new attack paths, improving lateral movement techniques, and tailoring payloads, instead of wasting time on repetitive research and data analysis.
2. OSINT Collection Using Dehashed
Compromised usernames and passwords usually provide attackers with a straightforward way to infiltrate systems, especially when credentials are reused or linked to high-privilege accounts. However, reviewing leaked data manually is both time-consuming and ineffective, particularly for organizations that might have a large number of accounts or employees. By automating this process, data analysis becomes faster, risk assessments are standardized, and red teams can concentrate on the most vulnerable accounts. This workflow outlines how to fully automate the collection and targeting of leaked credentials.
Workflow Steps
1. Start by creating a new workflow agent and include an API action step. In this step, configure an API call to DeHashed or a data leak platform of your choice. The API call should use a domain entered by the user as the input for the search.

2. In the next step, we will integrate an LLM action step. This will involve using the prompt shown in the image below. By using the power of generative AI, we can examine patterns in the API's output, like spotting the most frequently occurring accounts, identifying weak passwords, and more.

3. Lastly, we will add an additional LLM action step to generate a report that consolidates high-risk accounts. This report will be tailored for use by a red team. Refer to the prompt for this step in the image provided below.

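The pattern analysis that step 2 delegates to the LLM, written out as an added example that is not Kindo's code: it groups leaked records per account for the customer's domain, flags password reuse, weak passwords and privileged-looking names, and ranks the accounts. The records are constructed inline in a DeHashed-like shape, and the weights and weakness heuristics are illustrative; a defender runs the same triage to decide which accounts to force-reset and put behind MFA first.

```python
"""Rank accounts from a leaked-credential search by exposure risk.
Added example, not Kindo's code: records are constructed inline in a
DeHashed-like shape and stand in for the real API response."""
import re
from collections import defaultdict

# Constructed sample records; domain, people and passwords are fictional.
LEAK_RECORDS = [
    {"email": "cfo@example.test", "password": "Summer2023!", "database_name": "breach_a"},
    {"email": "cfo@example.test", "password": "Summer2023!", "database_name": "breach_b"},
    {"email": "it-admin@example.test", "password": "", "database_name": "breach_a"},
    {"email": "it-admin@example.test", "password": "P@ssw0rd", "database_name": "breach_c"},
    {"email": "intern@example.test", "password": "xK9#vL2$mQ8!pR4w", "database_name": "breach_b"},
    {"email": "user@other.test", "password": "letmein1", "database_name": "breach_a"},
]
PRIVILEGED_HINTS = re.compile(r"admin|root|cfo|ceo|it-|svc", re.I)
COMMON_PATTERNS = re.compile(r"password|p@ss|(spring|summer|autumn|winter)\d{2,4}|^\w{1,7}$", re.I)

def password_is_weak(pw):
    """Cheap heuristic: short, dictionary-ish, or a seasonal pattern."""
    return len(pw) < 10 or bool(COMMON_PATTERNS.search(pw))

def rank_accounts(records, domain):
    """Group leaked records per account for the given domain and score
    exposure: breach count, plaintext exposure, reuse, weak passwords and
    privileged-looking names. Higher score means reset and review first."""
    by_email = defaultdict(list)
    for r in records:
        if r["email"].lower().endswith("@" + domain.lower()):
            by_email[r["email"].lower()].append(r)
    report = []
    for email, recs in by_email.items():
        plaintext = [r["password"] for r in recs if r.get("password")]
        breaches = {r["database_name"] for r in recs}
        reused = len(plaintext) > len(set(plaintext))
        weak = any(password_is_weak(p) for p in plaintext)
        privileged = bool(PRIVILEGED_HINTS.search(email.split("@")[0]))
        score = (len(breaches) + 2 * len(plaintext) + (3 if reused else 0)
                 + (3 if weak else 0) + (4 if privileged else 0))
        report.append({"email": email, "breaches": sorted(breaches),
                       "plaintext_exposed": len(plaintext), "password_reuse": reused,
                       "weak_password": weak, "privileged": privileged, "score": score})
    return sorted(report, key=lambda r: (-r["score"], r["email"]))
```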
Value of Automation
Although this workflow leverages DeHashed, you can easily replace it with other OSINT platforms like Snusbase, BreachDirectory, or Have I Been Pwned. You could even enhance the workflow by incorporating multiple platforms and querying them simultaneously.
The benefit of this workflow is clear and immediate. Normally, if you wanted to check these services, you’d have to visit their websites or write a script to use their APIs. However, this approach doesn’t easily highlight patterns or high-risk accounts.
With this workflow, you can quickly identify high-risk employees worth investigating during a red team assessment. Tasks like running queries, spotting common accounts, and creating a simple report, which usually take hours, can now be done in just seconds.
3. Blind XSS Payload Script Generation
Blind cross-site scripting (XSS) vulnerabilities are notoriously difficult to detect because their payloads often execute within back-end systems or internal admin panels, making them hard to uncover. Identifying these vulnerabilities typically requires injecting payloads into various input fields in the hope that one successfully triggers and establishes a connection back to your domain. Performing this process manually is not only time-intensive but also increases the likelihood of overlooking potential injection points. Automating the generation, injection, and submission of payloads boosts the chances of finding this vulnerability type while substantially reducing the time needed to test each input surface.
Workflow Steps
1. Begin by setting up a new workflow agent and including an LLM action step. Within this step, utilize the human input feature to specify your Blind XSS Hunter subdomain and the target you wish to test for XSS vulnerabilities. Alternatively, you can opt to use Burp Suite Collaborator in place of Blind XSS Hunter to monitor and capture the incoming requests.

2. Next, we'll create an additional LLM action step and include the prompt shown in the image below. This step leverages the capabilities of generative AI to generate payloads suitable for use in a blind XSS context.

3. Lastly, by employing another LLM action step and switching the AI model to WhiteRabbitNeo, we’ll direct it to generate a Selenium script. This script will efficiently navigate the target website, pinpoint fields where blind XSS vulnerabilities might exist (like in contact forms), submit test inputs, and log all attempts for future reference.

Value of Automation
Blind XSS vulnerabilities are typically found when analysts manually search through a web application, inserting test payloads wherever they think it makes sense. This process is time-consuming and can easily miss parts of the attack surface.
What might usually take a couple of hours of work can now be reduced to a workflow that executes in a few seconds and covers more ground than an analyst likely would.
To take this workflow to the next level, you could prompt WhiteRabbitNeo to increase the script's depth so that it uncovers additional attack surface, such as further endpoints.
4. Domain Attack Surface Mapping
No red team operation can succeed without an accurate view of the target's external infrastructure. The challenge lies in the fragmentation of data: useful information is spread across DNS databases, IP intelligence tools, and threat intelligence feeds. Manually correlating these sources takes hours, and gaps in analysis can lead to missed opportunities. By automating this process, red teamers can begin every engagement with a complete and current overview of the attack surface of the organization they are tasked with targeting.
Workflow Steps
1. Begin by setting up a new workflow agent. Once that’s done, the next step is to add an API action step. In this step, we’ll retrieve all DNS data from SecurityTrails using the provided input domain.

2. For step two, we are going to create another API action step, which will follow the same principle as the step above but will query Shodan instead of SecurityTrails.

3. Now, we are going to add an LLM step and instruct it to correlate and deduplicate all the results that we’ve obtained from both services used in the previous steps.

4. Finally, we can finish the workflow by including a step where the LLM creates a prioritized red team report. This report will be based on the asset exposure and service risk data gathered from SecurityTrails and Shodan.

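Steps 3 and 4 carried out in code, as an added example rather than Kindo's own logic: DNS records in a SecurityTrails-like shape and host records in a Shodan-like shape are joined by IP address, hostnames and duplicate service hits are deduplicated, and each IP is ranked by the services it exposes. The records use documentation IP ranges and fictional hostnames, and the per-port risk weights are an assumption for illustration; the same join is the core of an attack surface management inventory on the defensive side.

```python
"""Correlate DNS records with host-scan data into one prioritized asset list.
Added example, not Kindo's code: SecurityTrails-like and Shodan-like records
are constructed inline with documentation IP ranges and fictional hostnames."""
from collections import defaultdict

# Constructed SecurityTrails-like DNS records.
DNS_RECORDS = [
    {"hostname": "www.example.test", "type": "A", "values": ["203.0.113.10"]},
    {"hostname": "example.test", "type": "A", "values": ["203.0.113.10"]},
    {"hostname": "vpn.example.test", "type": "A", "values": ["203.0.113.20"]},
    {"hostname": "old-db.example.test", "type": "A", "values": ["198.51.100.5"]},
    {"hostname": "staging.example.test", "type": "A", "values": ["192.0.2.7"]},
    {"hostname": "example.test", "type": "MX", "values": ["mail.example.test"]},
]
# Constructed Shodan-like host records, one per observed open service.
SHODAN_RECORDS = [
    {"ip_str": "203.0.113.10", "port": 443, "product": "nginx"},
    {"ip_str": "203.0.113.10", "port": 80, "product": "nginx"},
    {"ip_str": "203.0.113.20", "port": 443, "product": "ssl-vpn"},
    {"ip_str": "198.51.100.5", "port": 3306, "product": "MySQL"},
    {"ip_str": "198.51.100.5", "port": 22, "product": "OpenSSH"},
    {"ip_str": "198.51.100.5", "port": 22, "product": "OpenSSH"},  # duplicate hit
]
# Illustrative weights: services that should rarely be internet-facing score high.
PORT_RISK = {3306: 8, 3389: 9, 445: 9, 5900: 8, 21: 6, 23: 9, 22: 3, 80: 2, 443: 1}

def build_inventory(dns_records, shodan_records):
    """Join both sources by IP, deduplicate hostnames and services, and
    rank each IP by the summed risk of its exposed services."""
    hosts_by_ip = defaultdict(set)
    for rec in dns_records:
        if rec["type"] == "A":
            for ip in rec["values"]:
                hosts_by_ip[ip].add(rec["hostname"])
    services_by_ip = defaultdict(set)
    for rec in shodan_records:
        services_by_ip[rec["ip_str"]].add((rec["port"], rec["product"]))
    inventory = []
    for ip in set(hosts_by_ip) | set(services_by_ip):
        services = sorted(services_by_ip[ip])
        risk = sum(PORT_RISK.get(port, 5) for port, _ in services)
        inventory.append({"ip": ip, "hostnames": sorted(hosts_by_ip[ip]),
                          "services": services, "risk": risk,
                          "dns_only": not services})  # resolves but nothing scanned
    return sorted(inventory, key=lambda h: (-h["risk"], h["ip"]))
```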
Value of Automation
This workflow brings together various reconnaissance tools and platforms into a cohesive, unified system.
With it, red teamers can efficiently transform a domain name into a comprehensive asset inventory, complete with live service data and associated risks, all without the need to manually query multiple sources.
By automating this process, consistency across engagements is improved, decisions can be made more quickly, and important attack surfaces are less likely to be overlooked due to human error or time limitations.
5. WordPress Vulnerability Scanner
WordPress is a popular platform but is often regarded within the red team community as prone to vulnerabilities, especially when outdated plugins, custom themes, or misconfigurations are involved. Manually uncovering vulnerabilities in the core system, plugins, and themes can be both time-intensive and prone to errors due to human limitations, like fatigue. Automating this process enables security teams to identify known vulnerabilities more effectively and create test exploits with less effort.
Workflow Steps
1. To get started with this workflow, we’ll first create a new workflow agent. After that, we’ll add an API action step to query the WPScan vulnerability database. This API action allows us to search for vulnerabilities based on WordPress version, plugin name, or theme.

2. The final step is to add an LLM action step, which uses the AI model WhiteRabbitNeo to either give us step-by-step exploitation instructions or a fully functional script that can be used as proof of concept (POC).

Value of Automation
With WhiteRabbitNeo generating detailed exploitation steps or POCs, red teamers no longer need to write much code or dig through GitHub for POCs. In most cases, they might only need to tweak a value or two in the generated code, though often, this isn’t even necessary.
Typically, a red teamer would run WPScan as part of their toolkit, wait for the results, and then manually piece together all the information needed to exploit any CVEs or vulnerabilities it flags.
But with this automated workflow, you just enter the WordPress theme name, plugin, or version, press run, and then you get step-by-step exploitation instructions or a fully functional POC ready for further exploitation.
Take Your Next Steps With Kindo
The red team workflows in this guide - CVE exploitation, OSINT collection, XSS payload testing, recon, and WordPress scanning - are essential, but they don’t need to be done manually.
Kindo.ai is built for offensive security teams who want to move faster without cutting corners. With Kindo, you can:
• Automate research-heavy tasks using AI
• Query threat intelligence APIs and correlate data in one place
• Build modular playbooks that save time and reduce human error
• Generate custom scripts, payloads, and reports on demand
Whether you’re preparing for an engagement or mid-assessment, Kindo gives you a flexible system to standardize the boring stuff, so your team can focus on strategy, creativity, and execution.
Explore what you can build at Kindo.ai or get a demo to start turning your red team workflows into repeatable, intelligent automations.