
ADR 0025 — MÓDULO KALI.Art + DoYour.Art — Offensive Testing Suite

  • Status: Accepted (formalized 2026-05-12 with v3.7.0 — Tier-3 batch-C wave delivered KALI-1 scaffold + DOYOUR-1 Scapy-mode scaffold; sibling har-engine/internal/waf/ WAF-detector shipped in same batch. KALI-2..15 + DOYOUR-2..8 follow-up tracked under Tier-3 backlog)
  • Date: 2026-05-10
  • Deciders: TLSStress.Art project
  • Targets: v5.x (Phase 1 Materialization scaffolds: K-1..15 + DY-1..8 partially merged Wave 5)
  • Patent claim family: claim #17

Context

The bench's first 6 Test Kinds cover defender-side validation: TLS throughput, inspection profile, BGP saturation, etc. They tell the customer "your NGFW handled X load with Y inspection profile." None of them answer the second-most-asked question:

"How does my NGFW behave under actual offensive traffic?"

Pen-testers + red teams have asked for the bench to host their offensive tooling so the entire test (defender config + attacker traffic + DUT response) is run + recorded in one place.

Decision

Introduce two complementary offensive MÓDULOs:

  1. MÓDULO KALI.Art — full Kali Linux pen-test pod (600+ tools, browser-accessed via ttyd terminal, gVisor-sandboxed)
  2. MÓDULO DoYour.Art — operator-crafted custom tests via Scapy + Go embed + PCAP replay (3-mode Art Studio UI)

KALI.Art is Team+ tier-gated; DoYour.Art has a rate-limited free tier (Scapy mode only, 1 piece per 5 min) and is unlimited from Team+ (per discuss_module_kali_art_2026_05_10 and discuss_do_your_art_feature_2026_05_10).

KALI.Art

| Element | Value |
|---|---|
| Slot | OOBI .82 |
| VLAN | 2902 |
| Subnet | 172.21.0.0/16 |
| Sandbox | gVisor (defense in depth) |
| UI | ttyd terminal in browser |
| Tools | 600+ from Kali rolling repo |
| Tier gate | Team+ minimum |
| Token rate | 2× baseline (per token economy ADR, future) |
| Audit log | every command + every output captured |

Tooling:

  • nmap, masscan, sqlmap, hydra, john, hashcat (offensive)
  • metasploit-framework, set (Social-Engineer Toolkit), burp suite (exploitation + web app)
  • wireshark, tcpdump (passive)
  • AI Companion sidebar (MCP-based, K-13 scaffold)
  • Tool Quick-Launch panel (5 categories × 4-5 tools curated, K-14)
  • Air-gap LLM sidecar (Ollama + Llama 3.3 / Mistral / WhiteRabbitNeo for ops without Internet, K-15)

DoYour.Art

| Element | Value |
|---|---|
| Slot | OOBI .81 |
| VLAN | 2901 |
| Subnet | 172.20.0.0/16 |
| Sandbox | gVisor |
| UI | Art Studio with 3 modes |
| Modes | Scapy / Go embed / PCAP replay |
| Free tier | 1 piece per 5 min |
| Premium | unlimited (Team+ minimum) |
| Community gallery | v2 — share + fork pieces (DY-7) |

The 3 modes:

  1. Scapy mode — drag-drop or write Scapy snippets that craft custom packets. Run against synthetic personas; capture the DUT response.
  2. Go embed mode — Go playground-style UI where operator writes gopacket-based traffic generators. Compiled in sandbox + executed.
  3. PCAP replay mode — upload a PCAP, modify L2/L3/L4 headers via UI, replay through DUT.
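The PCAP replay mode's header edits have a trap that is easy to miss in a UI: changing an IP address or port without recomputing the IPv4 header checksum and the TCP/UDP checksum (which covers a pseudo-header containing both addresses) produces frames the DUT may discard before any policy runs, so a "blocked" result would be an artefact of the test, not a DUT verdict. The following stdlib-only rewriter is an added example, not the Art Studio's own code; it assumes the classic microsecond pcap container (not pcapng), Ethernet link type and IPv4 with TCP or UDP. The `build_tcp_syn` sample frame is constructed for the demo, and `verify_checksums` is the check to run on the rewritten file before it goes near the DUT.

```python
# Added example for the PCAP replay mode (not Art Studio code); stdlib only.
import struct
from socket import inet_aton
from typing import Dict, List, Tuple

PCAP_MAGIC, LINKTYPE_ETHERNET, ETHERTYPE_IPV4 = 0xA1B2C3D4, 1, 0x0800
PROTO_TCP, PROTO_UDP = 6, 17


def inet_checksum(data: bytes) -> int:
    """RFC 1071 ones'-complement sum; yields 0 when data already carries a valid checksum."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF

def pseudo_header(frame: bytes, proto: int, l4_len: int) -> bytes:
    """IPv4 pseudo-header (src, dst, 0, proto, len): why an IP edit also breaks the L4 checksum."""
    return bytes(frame[26:34]) + struct.pack("!BBH", 0, proto, l4_len)

def _patch(f: bytearray, edits: Dict[str, object], offsets: Dict[str, int], base: int = 0) -> None:
    # Write the edits whose field is in `offsets`: *_mac as 6 bytes, *_ip dotted str, *_port int.
    for name, off in offsets.items():
        if name in edits:
            v = edits[name]
            raw = (inet_aton(v) if name.endswith("_ip")
                   else struct.pack("!H", v) if name.endswith("_port") else bytes(v))
            f[base + off:base + off + len(raw)] = raw

def rewrite_frame(frame: bytes, edits: Dict[str, object]) -> bytes:
    """Apply dst_mac/src_mac/src_ip/dst_ip/src_port/dst_port edits, then fix both checksums."""
    f = bytearray(frame)
    _patch(f, edits, {"dst_mac": 0, "src_mac": 6})
    if len(f) < 34 or struct.unpack("!H", f[12:14])[0] != ETHERTYPE_IPV4:
        return bytes(f)                                   # non-IPv4 frame: L2 edits only
    ihl = (f[14] & 0x0F) * 4
    total_len = struct.unpack("!H", f[16:18])[0]
    fragmented = struct.unpack("!H", f[20:22])[0] & 0x3FFF  # MF flag set or non-zero offset
    proto = f[23]
    l4, end = 14 + ihl, 14 + total_len
    if end > len(f):
        raise ValueError("truncated frame (snaplen): L4 checksum cannot be recomputed")
    _patch(f, edits, {"src_ip": 26, "dst_ip": 30})
    f[24:26] = b"\x00\x00"                                # checksum is computed over a zeroed field
    f[24:26] = struct.pack("!H", inet_checksum(bytes(f[14:l4])))
    if proto not in (PROTO_TCP, PROTO_UDP):
        return bytes(f)
    if fragmented:
        raise ValueError("fragmented datagram: L4 checksum spans the reassembled payload")
    _patch(f, edits, {"src_port": 0, "dst_port": 2}, base=l4)
    ck = l4 + (16 if proto == PROTO_TCP else 6)           # checksum field offset in TCP / UDP
    f[ck:ck + 2] = b"\x00\x00"
    csum = inet_checksum(pseudo_header(f, proto, end - l4) + bytes(f[l4:end]))
    if proto == PROTO_UDP and csum == 0:
        csum = 0xFFFF                                     # UDP: a literal 0 means "no checksum"
    f[ck:ck + 2] = struct.pack("!H", csum)
    return bytes(f)

def verify_checksums(frame: bytes) -> Tuple[bool, bool]:
    """(ip_ok, l4_ok) exactly as the DUT's receiving stack would evaluate them."""
    ihl = (frame[14] & 0x0F) * 4
    proto = frame[23]
    l4, end = 14 + ihl, 14 + struct.unpack("!H", frame[16:18])[0]
    ip_ok = inet_checksum(frame[14:l4]) == 0
    if proto not in (PROTO_TCP, PROTO_UDP):
        return ip_ok, True
    return ip_ok, inet_checksum(pseudo_header(frame, proto, end - l4) + frame[l4:end]) == 0

def read_pcap(blob: bytes) -> List[Tuple[int, int, bytes]]:
    """Parse a classic pcap into [(ts_sec, ts_usec, frame)], honouring the file's byte order."""
    order = {PCAP_MAGIC: "<", 0xD4C3B2A1: ">"}.get(struct.unpack("<I", blob[:4])[0])
    if order is None:
        raise ValueError("not a classic microsecond pcap (pcapng / nanosecond pcap unsupported)")
    if struct.unpack(order + "IHHiIII", blob[:24])[6] != LINKTYPE_ETHERNET:
        raise ValueError("only LINKTYPE_ETHERNET captures are supported")
    records, off = [], 24
    while off + 16 <= len(blob):
        ts_sec, ts_usec, incl_len, _ = struct.unpack(order + "IIII", blob[off:off + 16])
        records.append((ts_sec, ts_usec, blob[off + 16:off + 16 + incl_len]))
        off += 16 + incl_len
    return records

def write_pcap(records: List[Tuple[int, int, bytes]]) -> bytes:
    out = [struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, 65535, LINKTYPE_ETHERNET)]
    for ts_sec, ts_usec, frame in records:
        out.append(struct.pack("<IIII", ts_sec, ts_usec, len(frame), len(frame)) + frame)
    return b"".join(out)

def rewrite_pcap(blob: bytes, edits: Dict[str, object]) -> bytes:
    """The replay-mode operation: every frame rewritten, checksums fixed, file re-emitted."""
    return write_pcap([(s, u, rewrite_frame(fr, edits)) for s, u, fr in read_pcap(blob)])

def build_tcp_syn(src_ip: str, dst_ip: str, sport: int, dport: int) -> bytes:
    # Constructed sample frame (not captured traffic): Ethernet/IPv4 TCP SYN with DF set.
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 1000, 0, 5 << 4, 0x02, 65535, 0, 0)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 1, 0x4000, 64,
                     PROTO_TCP, 0, inet_aton(src_ip), inet_aton(dst_ip))
    eth = bytes.fromhex("02000000aa02") + bytes.fromhex("02000000aa01") + struct.pack("!H", ETHERTYPE_IPV4)
    return rewrite_frame(eth + ip + tcp, {})              # empty edit set = checksum fix-up only
```

Two failure modes are refused rather than silently mishandled: a frame cut short by the capture snaplen (the L4 checksum needs the whole segment) and an IP fragment (the TCP/UDP checksum spans the reassembled datagram, so it must be fixed after reassembly, not per fragment). Running `rewrite_frame(frame, {})` on every frame of an uploaded file is also a cheap way to detect captures whose checksums were already wrong at upload time, typically because they were taken on a host with checksum offload enabled.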

Hard rules

  1. gVisor mandatory for both MÓDULOs (defense in depth above K8s pod isolation)
  2. NetworkPolicy ferro — MÓDULOs cannot reach Internet directly; all egress via CLONER (audit logged)
  3. DOM-aware production mode hard-blocks both MÓDULOs unless explicit DDPB unlock + audit reason
  4. Token escrow for DoYour.Art (per token economy memo)
  5. Audit log mandatory + encrypted at rest with 90-day retention
  6. Tier gate enforced at GATEWAY.Art (RBAC role mapping) — not at MÓDULO level
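What hard rules 1 and 2 look like as Kubernetes objects, as an added example and not the project's k8s/oobi manifests: a gVisor RuntimeClass, the KALI.Art pod bound to it, and the "ferro" NetworkPolicy that leaves the pod with no egress path except CLONER and the bench overlay. The namespace `oobi`, the labels `app: kali-art` and `app: cloner`, the `gateway` namespace for GATEWAY.Art and the upstream `kalilinux/kali-rolling` image are assumptions; only the ports, subnet and PVC name come from this ADR.

```yaml
# Added example, not the project's k8s/oobi manifests. Assumed names: namespace "oobi",
# labels app=kali-art and app=cloner, namespace "gateway" for GATEWAY.Art, upstream Kali image.
apiVersion: node.k8s.io/v1
kind: RuntimeClass
metadata:
  name: gvisor
handler: runsc                          # containerd runtime handler installed by gVisor
---
apiVersion: v1
kind: Pod
metadata:
  name: kali-pod
  namespace: oobi
  labels:
    app: kali-art
spec:
  runtimeClassName: gvisor              # hard rule 1: scheduled only onto nodes that have runsc
  automountServiceAccountToken: false   # an attacker toolbox has no business holding an API token
  containers:
  - name: kali
    image: kalilinux/kali-rolling       # assumption: project's own image is not named in the ADR
    ports:
    - {name: ttyd, containerPort: 7681}
    - {name: novnc, containerPort: 6080}
    securityContext:
      allowPrivilegeEscalation: false
      capabilities:
        drop: ["ALL"]
        add: ["NET_RAW"]                # nmap SYN scans / Scapy need raw sockets; runsc must run with --net-raw
    volumeMounts:
    - {name: home, mountPath: /root}
  volumes:
  - name: home
    persistentVolumeClaim:
      claimName: kali-home              # per-operator PVC from the pod layout below
---
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: kali-art-ferro
  namespace: oobi
spec:
  podSelector:
    matchLabels:
      app: kali-art
  policyTypes: [Ingress, Egress]        # listing Egress is what turns "no matching rule" into a deny
  ingress:
  - from:
    - namespaceSelector:
        matchLabels:
          kubernetes.io/metadata.name: gateway   # only GATEWAY.Art reaches the terminal/GUI
    ports:
    - {protocol: TCP, port: 7681}
    - {protocol: TCP, port: 6080}
  egress:
  - to:
    - podSelector:
        matchLabels:
          app: cloner                   # hard rule 2: all other egress goes via CLONER (audit logged)
  - to:
    - ipBlock:
        cidr: 172.21.0.0/16             # KALI.Art bench overlay (VLAN 2902); assumption: DUT-facing addresses live here
```

Two things to verify after applying it rather than trusting the YAML: `kubectl -n oobi exec kali-pod -- dmesg` should print gVisor's synthetic boot log instead of the node kernel's, and `kubectl -n oobi exec kali-pod -- curl -m 5 https://example.com` must time out. Note that the policy deliberately has no rule for cluster DNS; adding one reopens the oldest exfiltration channel there is, so if tools in the pod need name resolution it should resolve through CLONER like everything else. Also note that NetworkPolicy is enforced by the CNI, not by gVisor, so a cluster whose CNI ignores NetworkPolicy silently gives the pod Internet access; that is exactly the case the curl check catches.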

Brand pun

DoYour.Art reads literally as "Do Your Art" — operator craftsmanship is the product. Marketing leans hard into this.

Architecture

KALI.Art pod layout

┌─ kali-pod (gVisor sandbox) ────────────────┐
│                                            │
│   Kali Linux rolling base                  │
│   ├ ttyd (browser terminal, port 7681)    │
│   ├ noVNC (GUI tools, port 6080)          │
│   ├ AI Companion sidebar (MCP)             │
│   ├ Tool Quick-Launch panel                │
│   ├ Ollama sidecar (air-gap LLM)          │
│   └ kali-home PVC (per-operator)           │
└────────────────────────────────────────────┘
         │
         ▼ NetworkPolicy ferro
   bench overlay only (no Internet)

DoYour.Art pod layout

┌─ doyour-studio (gVisor sandbox) ───────────┐
│                                            │
│   Art Studio UI                            │
│   ├ Scapy editor                           │
│   ├ Go embed playground                    │
│   ├ PCAP replay studio                     │
│   ├ token escrow + free quota meter        │
│   └ community gallery integration          │
└────────────────────────────────────────────┘

DUT response capture flow

KALI/DoYour pod sends traffic
      ↓
DUT inspects + responds
      ↓
SPAN.Art captures wire-side response (line rate)
      ↓
SYSLOG.Art captures DUT log (out of band)
      ↓
auto-attach to PDF report annex
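The value of capturing both the wire-side response and the DUT's own log is that the two disagree in ways that matter: a probe that gets no reply and no log line is a detection blind spot, a probe that gets a reply while the DUT logs a deny is a policy bypass indicator. The following correlation is an added example of what the report annex could derive, not SPAN.Art or SYSLOG.Art code; the key=value DUT log format, the probe and wire records and the 2-second matching window are all constructed for the demo. The ICMP case relies on a real property of ICMP error messages: they quote the offending IP header plus 8 bytes, so the original 5-tuple is recoverable from the capture.

```python
# Added example (not SPAN.Art / SYSLOG.Art code): per-probe DUT verdicts from the two captures.
import re
from datetime import datetime, timezone
from typing import Dict, List, Tuple

Key = Tuple[str, str, int, str, int]                     # proto, src, sport, dst, dport
KV_RE = re.compile(r"(\w+)=(\S+)")
T0 = datetime(2026, 5, 12, 10, 0, 0, tzinfo=timezone.utc).timestamp()


def parse_log(line: str) -> dict:
    """'<iso-ts> <host> <tag> k=v ...' (constructed DUT log format) -> dict with epoch 't'."""
    ts, _host, _tag, rest = line.split(" ", 3)
    ev = dict(KV_RE.findall(rest))
    ev["t"] = datetime.fromisoformat(ts).timestamp()
    ev["sport"], ev["dport"] = int(ev["sport"]), int(ev["dport"])
    return ev

def key_of(x: dict) -> Key:
    return (x["proto"], x["src"], x["sport"], x["dst"], x["dport"])

def is_reply(w: dict, k: Key) -> bool:
    """Wire frame w answers probe k if it is the reversed 5-tuple, or an ICMP error quoting k
    (ICMP unreachable carries the offending IP header + 8 bytes, so the 5-tuple is recoverable)."""
    if w["proto"] == "icmp":
        return w.get("quoted") == k
    return (w["proto"], w["dst"], w["dport"], w["src"], w["sport"]) == k

def classify(probes: List[dict], wire: List[dict], log_lines: List[str],
             window: float = 2.0) -> Dict[str, str]:
    """One verdict per probe id. 'dropped-unlogged' is the finding worth the annex: the DUT
    blocked traffic it never reported, i.e. a detection blind spot rather than just a block."""
    events = [parse_log(line) for line in log_lines]
    verdicts: Dict[str, str] = {}
    for p in probes:
        k = key_of(p)

        def in_window(x: dict) -> bool:
            return 0 <= x["t"] - p["t"] <= window

        replies = [w for w in wire if in_window(w) and is_reply(w, k)]
        denied = any(in_window(e) and key_of(e) == k and e.get("action") == "deny" for e in events)
        if any(w["proto"] == "icmp" or "R" in w.get("flags", "") for w in replies):
            verdict = "rejected"                          # RST / ICMP error reached the attacker
        elif replies:
            verdict = "inconsistent" if denied else "passed"   # deny logged yet a reply on the wire
        else:
            verdict = "dropped-logged" if denied else "dropped-unlogged"
        verdicts[p["id"]] = verdict
    return verdicts

def sample() -> Tuple[List[dict], List[dict], List[str]]:
    """Constructed inputs: five probes, the SPAN-side frames seen, and the DUT's log lines."""
    def probe(i: int, proto: str, sport: int, dport: int, dt: float) -> dict:
        return {"id": f"p{i}", "proto": proto, "src": "10.0.0.5", "sport": sport,
                "dst": "10.0.0.9", "dport": dport, "t": T0 + dt}
    probes = [probe(1, "tcp", 40000, 443, 0), probe(2, "tcp", 40001, 23, 1),
              probe(3, "udp", 40002, 161, 2), probe(4, "tcp", 40003, 4444, 3),
              probe(5, "tcp", 40004, 8080, 4)]
    wire = [
        {"t": T0 + 0.01, "proto": "tcp", "src": "10.0.0.9", "sport": 443,
         "dst": "10.0.0.5", "dport": 40000, "flags": "SA"},
        {"t": T0 + 2.02, "proto": "icmp", "src": "172.21.0.1",
         "quoted": ("udp", "10.0.0.5", 40002, "10.0.0.9", 161)},
        {"t": T0 + 4.01, "proto": "tcp", "src": "10.0.0.9", "sport": 8080,
         "dst": "10.0.0.5", "dport": 40004, "flags": "SA"},
    ]
    logs = [
        "2026-05-12T10:00:00+00:00 dut-fw01 fw: action=allow proto=tcp src=10.0.0.5 sport=40000 dst=10.0.0.9 dport=443 rule=web",
        "2026-05-12T10:00:01+00:00 dut-fw01 fw: action=deny proto=tcp src=10.0.0.5 sport=40001 dst=10.0.0.9 dport=23 rule=no-telnet",
        "2026-05-12T10:00:04+00:00 dut-fw01 fw: action=deny proto=tcp src=10.0.0.5 sport=40004 dst=10.0.0.9 dport=8080 rule=no-alt-http",
    ]
    return probes, wire, logs

if __name__ == "__main__":
    for pid, verdict in classify(*sample()).items():
        print(pid, verdict)
```

The window matters in both directions: too short and a DUT that batches syslog turns every block into "dropped-unlogged"; too long and a deny line from an unrelated retry gets attributed to the wrong probe. Using the SPAN-side timestamp as the reference (it is taken at line rate) rather than the pod's own clock avoids the gVisor timing skew noted under Cons below.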

Consequences

Pros

  • Closes "offensive testing" customer ask
  • Tier-gating drives Team+ subscription value
  • gVisor + NetworkPolicy ferro = defense in depth
  • DoYour community gallery v2 = network effect
  • Patent moat: KALI/DoYour pair = claim #17

Cons / risks

  • gVisor perf overhead (page estimate ~10%; network-heavy work pays more, since every packet crosses gVisor's user-space netstack, so line-rate figures must come from SPAN.Art capture rather than from in-pod timers). Raw sockets, which nmap SYN scans, masscan and Scapy need, exist inside gVisor only when runsc is started with --net-raw; otherwise CAP_NET_RAW is stripped and those sends fail.
  • Air-gap LLM sidecar (Ollama) = 14-26 GB image (large download)
  • Tool Quick-Launch curation = ongoing maintenance
  • Compliance: bench operators using offensive tools must have authorization (project_quality_excellence_policy_2026_05_08 references this)

Compatibility

  • Free tier: DoYour.Art Scapy mode only (1 piece per 5min)
  • Pro tier: + Go embed + PCAP replay
  • Team+: + KALI.Art access + community gallery write
  • Air-gap deployments: Ollama sidecar mandatory; AI Companion switches to local model

References

  • Memory: discuss_module_kali_art_2026_05_10.md
  • Memory: discuss_do_your_art_feature_2026_05_10.md
  • Memory: discuss_pure_real_url_replay_2026_05_10.md (KALI nmap import as Discovery Hub source #8)
  • Code: k8s/oobi/90-kali-art.yaml, k8s/oobi/100-doyour-art.yaml, k8s/oobi/95-kali-ollama-airgap.yaml (K-1, DY-1, K-15 scaffolds, Wave 5)
  • Code: dashboard/src/lib/kali/ai-companion.ts (K-13 MCP companion)
  • ADR cross-ref: 0014 (DOM modes — production hard-block), 0018 (Compliance — encrypted audit log + 90d retention), 0019 (OOBI slots .81/.82)
  • Patent claim: #17