redteamer logo

Guides

Running Modules

Run any redteamer modules using the rt run command. This guide explains input precedence, file formats, references to past runs, piping, and output formats.

Overview

rt run executes a module, merges all input sources, captures outputs, and writes a full audit entry. Module execution always follows:

rt run <module> [--flags]

Examples:

rt run core/utils/whoami
rt run ./scan.rt.hcl

You can run modules interactively, within CI, or as part of a larger workflow using pipes or references.

Input Precedence

redteamer merges inputs from five different sources. They apply in strict order; later sources override earlier ones:

  1. Environment variables (RT_<NAME>=value)
  2. stdin (if present)
  3. Files (-f <path>), applied left → right
  4. References (-r name=RUNID.output_name)
  5. Literal inputs (-i name=value) — highest precedence

All structured input formats share the same schema:

  • HCL
  • JSON
  • YAML

Example

RT_env=prod \
cat ./base.hcl | \
rt run ./patch.rt.hcl \
  -f ./inputs/override.yaml \
  -r token=RUN123.api_token \
  -i retries=5

In this example:

  • RT_env seeds the value
  • stdin overrides environment
  • override.yaml overrides stdin
  • the reference overrides the file
  • the literal retries=5 overrides everything

Providing Inputs

Literal Inputs (-i)

rt run ./login.rt.hcl \
  -i username=admin \
  -i password=secret

Input Files (-f)

Files merge in order, left to right:

rt run ./login.rt.hcl \
  -f inputs/base.hcl \
  -f inputs/overrides.yaml

Stdin

Useful for piping or streaming:

cat base.hcl | rt run ./patch.rt.hcl

References to Past Runs (-r)

Use outputs from previous runs as structured input:

rt run ./ddos.rt.hcl \
  -r target=RUN123.endpoint \
  -i magnitude=3

References allow chaining runs without copying values manually.

Environment Variables (lowest precedence)

Use the RT_ prefix:

RT_threads=4 RT_region=eu-west-1 \
rt run ./scan.rt.hcl

Piping Modules Together

Modules can be chained by piping the output of one run into another. The data is passed to stdin of the next run, where it participates in normal input precedence.

rt run ./foo.rt.hcl | rt run ./bar.rt.hcl

This enables lightweight workflows without temporary files.

Validating Modules Before Running

To validate modules and inputs without executing them, use:

rt validate <module>

Validation checks:

  • module syntax
  • required inputs
  • types and constraints
  • reference correctness
  • expression evaluation

This is ideal for CI pipelines or pre-flight checks.

Output Formats

Use -o to control how results are printed:

FormatDescription
hclDefault, redteamer’s native form
jsonMachine-readable
yamlHuman-readable configuration

Example:

rt run ./report.rt.hcl -o json

The full, structured output is always preserved in the run’s audit entry, regardless of the display format.

Examples

Run a module with no inputs

rt run ./http_harvest.rt.hcl

Multiple literal inputs

rt run ./http_req.rt.hcl \
  -i url=https://example.com \
  -i method=GET

Inputs from files

rt run ./login.rt.hcl \
  -f ./inputs/base..hcl \
  -f ./inputs/overrides.yaml

Mixing stdin + file inputs

cat ./stdin-input.hcl | \
rt run ./patch.rt.hcl -f ./inputs/extra.yaml

Chaining outputs between modules

rt run ./foo.rt.hcl \
  | rt run ./bar.rt.hcl -f ./patch..hcl

Using references to past runs

rt run ./upload.rt.hcl \
  -r endpoint=RUN456.url \
  -i file=/tmp/payload.bin
Next
Audinting Runs