Auditing Runs
redteamer records every execution, including its command, module, and output, in a local audit log. The rt audit command lets you search, filter, and export run history.
Overview
Each run is captured with its metadata, including:
- Run ID
- Module slug
- Tags and inputs
- Execution timestamp
- Operator identity (from X-ID when run through API or gateway)
Auditing provides a complete history of operator activity. You can trace outcomes, reproduce results, and build compliance reports.
Basic Usage
rt audit [keywords] [--flags]
Examples
# Show all runs (most recent first)
rt audit
# Search runs that mention "lateral-move"
rt audit lateral-move
# Show runs for a specific module slug
rt audit cobaltstrike/launcher
# Find runs where the output filename contains "creds"
rt audit creds
Search Modes
| Mode | Flag | Description |
|---|---|---|
| Default | (none) | Simple keyword match. Fast and deterministic. |
| Interactive | --interactive / -i | Launches an interactive fuzzy finder to browse and preview runs. |
| Fuzzy (non-interactive) | --fuzzy / -f | Performs a fuzzy search automatically without interaction. |
Example: Interactive Search
rt audit -i
This opens a terminal fuzzy finder listing recent runs. Select a run to view details or copy its run_id for inspection.
Filtering and Output Formats
You can tailor results for display, scripting, or export.
| Format | Flag | Description |
|---|---|---|
| Table (default) | --output table | Human readable table view. |
| CSV | --output csv | Good for spreadsheet analysis. |
| JSON | --output json | Structured output for APIs or pipelines. |
| NDJSON | --output ndjson | One JSON object per line, stream friendly. |
| YAML | --output yaml | Compact and readable. |
Examples
# Export the last 100 runs in JSON
rt audit --limit 100 --output json > runs.json
# Show compact table with selected columns
rt audit core --columns id,module,executed --limit 20
# Pipe JSON output to jq for local inspection
rt audit core --output json | jq '.[0]'
You can choose which columns appear in table or CSV formats using --columns.
Refining and Navigating Results
| Flag | Description |
|---|---|
| --limit <n> | Restrict number of results (0 means unlimited). |
| --pager | View results through a pager for long lists. |
| --no-headers | Omit table or CSV headers for compact output. |
Combine these flags to drill into specific time frames, playbooks, or operators.
Inspecting Run Details
After locating a run of interest, inspect its outputs or execution graph:
# View run output files
rt output <run-id>
# View execution trace and span tree
rt output <run-id> --trace
Every run directory includes its metadata, outputs, and artifacts under:
~/.local/share/redteamer/runs/<run-id>/
Example Workflow
Search by tag or keyword
rt audit recon
Identify a Run ID
Note the id column from the results, for example 7bc312.
Inspect outputs and the execution graph
rt output 7bc312 --trace
Export results for reporting
rt audit recon --output json --limit 50 > recon-runs.json
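The following is an added example, not part of redteamer or its documentation: a Python script that turns an NDJSON export (rt audit --output ndjson) into a per-operator summary for a compliance report and lists runs that carry no operator identity. The field names id, module, executed and operator are assumptions about the export schema, and the sample records are constructed.

```python
import json
import sys
from collections import Counter, defaultdict

# Constructed sample of `rt audit --output ndjson` output. Field names are
# assumptions: id/module/executed mirror the --columns example, "operator"
# stands in for the X-ID identity. The last line simulates a truncated export.
SAMPLE_NDJSON = """\
{"id": "7bc312", "module": "recon/dns", "executed": "2024-05-01T09:14:00Z", "operator": "alice"}
{"id": "a01f9e", "module": "recon/dns", "executed": "2024-05-01T09:20:00Z", "operator": "alice"}
{"id": "c44d10", "module": "recon/http", "executed": "2024-05-01T10:02:00Z", "operator": "bob"}
{"id": "e9b2aa", "module": "recon/http", "executed": "2024-05-01T23:41:00Z"}
{"id": "truncated
"""


def summarize(lines):
    """Summarize NDJSON audit records for reporting.

    Returns run counts per operator and module, the IDs of runs with no
    operator identity, and the 1-based numbers of lines that were rejected.
    """
    per_operator = defaultdict(Counter)  # operator -> module -> run count
    unattributed = []                    # runs that cannot be tied to a person
    rejected = []                        # malformed or incomplete records
    for lineno, line in enumerate(lines, start=1):
        line = line.strip()
        if not line:
            continue
        try:
            rec = json.loads(line)
        except json.JSONDecodeError:
            rejected.append(lineno)
            continue
        if not isinstance(rec, dict) or "id" not in rec:
            rejected.append(lineno)
            continue
        operator = rec.get("operator")
        if not operator:
            unattributed.append(rec["id"])
            continue
        per_operator[operator][rec.get("module", "<unknown>")] += 1
    return {"per_operator": {op: dict(c) for op, c in per_operator.items()},
            "unattributed": unattributed, "rejected_lines": rejected}


if __name__ == "__main__":
    # Pass an export file as the first argument, or run on the sample.
    src = open(sys.argv[1]) if len(sys.argv) > 1 else SAMPLE_NDJSON.splitlines()
    print(json.dumps(summarize(src), indent=2))
```

Rejected line numbers are reported rather than silently skipped, so a truncated or edited export shows up in the report instead of shrinking it.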
