pip install cognis-redpath
redpath scan . # → prioritized findings in secondsReal, reproducible output from the tool — runs offline:
$ redpath-emit --version
redpath 1.0.0$ redpath-emit --help
usage: redpath [-h] [--version] [--format {table,json}] {paths,remediate} ...
Active Directory attack path mapper: minimum-cost compromise paths and
remediation priority.
positional arguments:
{paths,remediate}
paths map minimum-cost attack paths to targets
remediate rank edges by remediation priority
options:
-h, --help show this help message and exit
--version show program's version number and exit
--format {table,json}
output formatBlocks above are real
redpathoutput — reproduce them from a clone.
Sample result format (illustrative values — run on your own data for real findings):
{
"Findings": [
{
"id": "1234567890",
"title": "Suspicious Network Traffic",
"description": "Potential malicious activity detected on network port 80.",
"mitre_attack_id": ["T1204"],
"ttp_stix_id": ["attack-pattern--1-2-3"]
},
{
"id": "2345678901",
"title": "Unusual File Access",
"description": "File access patterns indicate potential data exfiltration.",
"mitre_attack_id": ["T1008"],
"ttp_stix_id": ["attack-pattern--4-5-6"]
}
]
}
-
Install (Python 3.9+):
pip install redpath # or: pipx install redpath -
Enumerate attack paths from an attack-graph JSON file:
redpath paths graph.json
-
Get prioritized remediation for the same graph:
redpath remediate graph.json
-
Get machine-readable output. The global
--formatflag goes before the subcommand:redpath --format json paths graph.json > paths.json -
Read the result.
pathslists the routes an attacker can take through the graph;remediateranks the cut-points that break the most paths. Parse the JSON to feed a ticketing or dashboard system. -
Wire it into CI. Regenerate the path analysis whenever the modeled graph changes:
redpath --format json remediate graph.json > remediation.json
- Why redpath? · Features · Quick start · Example · Architecture · AI stack · How it compares · Integrations · Install anywhere · Related · Contributing
Active Directory attack path mapper — minimum-cost paths + remediation priority — without standing up heavyweight infrastructure.
redpath is single-purpose, scriptable, and self-hostable: point it at a target, get prioritized results in the format your workflow already speaks (table · JSON · SARIF), gate CI on it, and let agents drive it over MCP.
- ✅ Load Graph
- ✅ Shortest Path
- ✅ Map Attack Paths
- ✅ Remediation Priority
- ✅ Load Graph File
- ✅ Runs on Linux/macOS/Windows · Docker · devcontainer
- ✅ Ports in Python, JavaScript, Go, and Rust (
ports/)
pip install cognis-redpath
redpath --version
redpath scan . # scan current project
redpath scan . --format json # machine-readable
redpath scan . --fail-on high # CI gate (non-zero exit)$ redpath scan .
[HIGH ] RED-001 example finding (./src/app.py)
[MEDIUM ] RED-002 another signal (./config.yaml)
2 findings · risk score 5 · 38ms
flowchart LR
IN[input] --> P[redpath<br/>analyze + score]
P --> OUT[report]
redpath is interoperable with every popular way of using AI:
- MCP server —
redpath mcp(Claude Desktop, Cursor, Cognis.Studio, uncensored-fleet) - OpenAI-compatible / JSON — pipe
redpath scan . --format jsoninto any agent or LLM - LangChain · CrewAI · AutoGen · LlamaIndex — wrap the CLI/JSON as a tool in one line
- CI / scripts — exit codes + SARIF for non-AI pipelines
| Cognis redpath | BloodHoundAD | |
|---|---|---|
| Self-hostable, no account | ✅ | varies |
| Single command, zero config | ✅ | |
| JSON + SARIF for CI | ✅ | varies |
| MCP-native (AI agents) | ✅ | ❌ |
| Polyglot ports (JS/Go/Rust) | ✅ | ❌ |
| Open license | ✅ COCL | varies |
Built in the spirit of BloodHoundAD/BloodHound, re-framed the Cognis way. Missing a credit? Open a PR.
Pipes into your stack: SARIF for code-scanning, JSON for anything, an MCP server (redpath mcp) for AI agents, and a webhook forwarder for SIEM/Slack/Jira. See docs/INTEGRATIONS.md.
pip install "git+https://github.com/cognis-digital/redpath.git" # pip (works today)
pipx install "git+https://github.com/cognis-digital/redpath.git" # isolated CLI
uv tool install "git+https://github.com/cognis-digital/redpath.git" # uv
pip install cognis-redpath # PyPI (when published)
docker run --rm ghcr.io/cognis-digital/redpath:latest --help # Docker
brew install cognis-digital/tap/redpath # Homebrew tap
curl -fsSL https://raw.githubusercontent.com/cognis-digital/redpath/main/install.sh | sh| Linux | macOS | Windows | Docker | Cloud |
|---|---|---|---|---|
scripts/setup-linux.sh |
scripts/setup-macos.sh |
scripts/setup-windows.ps1 |
docker run ghcr.io/cognis-digital/redpath |
DEPLOY.md (AWS/Azure/GCP/k8s) |
c2detect— C2 server fingerprinter — Cobalt Strike, Sliver, Mythic, Havoc, Brute Ratelpayloadlab— Static malicious payload analyzer — PE/ELF/LNK/macro/OneNotepwnreview— Pentest report generator — YAML findings to CREST-grade PDFcrackq— Self-hosted password cracking queue — multi-user hashcat with audit log
Explore the suite → 🗂️ all 170+ tools · ⭐ awesome-cognis · 🔗 cognis-sources · 🤖 uncensored-fleet · 🧠 engram
PRs, new rules, and demo scenarios are welcome under the collaboration-pull model — see CONTRIBUTING.md and SECURITY.md.
{} composes with the 300+ tool Cognis suite — JSON in/out and a shared
OpenAI-compatible /v1 backbone. See INTEROP.md for the
suite map, composition patterns, and reference stacks.
Source-available under the Cognis Open Collaboration License (COCL) v1.0 — free for personal, internal-evaluation, research, and educational use; commercial / production use requires a license ([email protected]). See LICENSE.