Guide to Red Teaming with Kindo (Part 2)
Red teamers are always looking for new ways to automate the tedious parts of their job. In a previous guide, we explored five high-impact workflows to save time and reduce errors. But there are even more offensive security tasks ripe for automation. In this follow-up, we’ll break down five additional red team workflows, from scanning JavaScript files for leaked secrets to aggregating breach data from multiple sources. Most of them leverage Kindo’s agentic AI (WhiteRabbitNeo) and API integrations:
1. JavaScript file scanning for exposed secrets.
2. Certificate Transparency & Shodan reconnaissance.
3. VirusTotal for IP address intelligence.
4. Tech stack analysis & admin panel discovery.
5. Multi-source leaked data aggregation.
Just like before, each workflow includes step-by-step instructions (with API action steps and LLM action steps) and explains the value you can unlock by automating it.
1. JavaScript Secrets Scanner
Developers sometimes embed API keys, tokens, or credentials in JavaScript or JSON files for front-end functionality, inadvertently exposing those secrets to anyone who inspects the client-side code. These leaks can provide direct access to cloud services or internal APIs if discovered by an attacker. Identifying such secrets manually is difficult and time-consuming, especially since production scripts are often minified or intentionally obfuscated. By automating the scanning of all JavaScript and JSON content with our foundational AI model (WhiteRabbitNeo), this workflow quickly surfaces hidden tokens or credentials that a manual review might miss.
Workflow Steps
1. To get started with this workflow, first create a new workflow agent. After that, add an LLM action step that accepts user input to upload the target’s JavaScript source files (e.g. in JSON format) so the agent has access to the code base we’re inspecting.

2. Next, include an LLM action step and switch the AI model to WhiteRabbitNeo. This generative AI step scans the uploaded JavaScript for any hardcoded secrets (like API tokens, encryption keys, or credentials) and can spot them even in minified or lightly obfuscated scripts.

3. Now, add another LLM action step (while keeping WhiteRabbitNeo selected) to interpret and refine the findings. This involves verifying each suspected secret and filtering out any false positives. For example, the LLM can cross-check if a detected string matches known patterns (such as the format of an AWS access key or a JWT token) to ensure it truly represents a credential.

4. Finally, include an LLM action step to compile a report of all exposed secrets identified. The resulting summary lists each discovered token or key along with context (for instance, which file or function it was found in) and notes the potential security implications of each secret from a red team perspective.

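To make the detection and verification steps concrete, here is an added example (not code from the post or from Kindo) that does the pattern-matching half of this workflow in plain Python: it scans a bundle for AWS access key IDs and JWTs, decodes each JWT header to confirm it is real JSON before reporting it (the false-positive filter step 3 describes), flags any other long high-entropy string literal, and records which variable each secret was assigned to. The sample bundle is constructed; the AWS pair is the placeholder pair printed in AWS documentation and the JWT is the public jwt.io demo token, so nothing here is a live credential. The entropy threshold of 4.0 bits is an assumption you would tune per code base.

```python
import base64
import json
import math
import re
from collections import Counter

# Constructed sample bundle (not from the post). The AWS pair is the placeholder
# pair printed in AWS documentation and the JWT is the public jwt.io demo token;
# none of these values is a live credential. "pad" and "n" are deliberate decoys.
SAMPLE_JS = (
    'var c={r:"us-east-1",i:"AKIAIOSFODNN7EXAMPLE",'
    's:"wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY",'
    'cdn:"https://cdn.example.com/assets/app.bundle.min.js",'
    'pad:"aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa",'
    'j:"eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.'
    'eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiaWF0IjoxNTE2MjM5MDIyfQ.'
    'SflKxwRJSMeKKF2QT4fwpMeJf36POk6yJV_adQssw5c",'
    'n:"eyJub3QtanNvbg.aGVsbG8gd29ybGQ.bm90YXNpZ25hdHVyZQ"};'
)

# Format-specific patterns: strong signals that rarely need further checking.
PATTERNS = {
    "aws_access_key_id": re.compile(r"\b(?:AKIA|ASIA)[0-9A-Z]{16}\b"),
    "jwt": re.compile(r"eyJ[A-Za-z0-9_-]{8,}\.[A-Za-z0-9_-]{8,}\.[A-Za-z0-9_-]{8,}"),
}
# Catch-all: any quoted literal of 20+ base64-ish characters, filtered by entropy.
GENERIC = re.compile(r"""["']([A-Za-z0-9+/=_\-]{20,})["']""")
ENTROPY_THRESHOLD = 4.0  # assumption: bits per character; tune per code base


def shannon_entropy(s):
    counts = Counter(s)
    n = len(s)
    return -sum((c / n) * math.log2(c / n) for c in counts.values())


def _b64url_decode(segment):
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def looks_like_jwt(token):
    """Verification step: a real JWT header decodes to a JSON object with 'alg'."""
    try:
        header = json.loads(_b64url_decode(token.split(".")[0]))
    except ValueError:  # bad base64, bad UTF-8 or not JSON
        return False
    return isinstance(header, dict) and "alg" in header


def assigned_name(source, offset):
    """Context for the report: the identifier the literal is assigned to, if any."""
    m = re.search(r"(\w+)\s*[:=]\s*[\"']?$", source[:offset])
    return m.group(1) if m else None


def scan_js(source):
    findings, seen = [], set()
    for kind, pat in PATTERNS.items():
        for m in pat.finditer(source):
            value = m.group(0)
            if kind == "jwt" and not looks_like_jwt(value):
                continue  # decoy: matches the shape but the header is not JSON
            seen.add(value)
            findings.append({"kind": kind, "value": value, "offset": m.start(),
                             "context": assigned_name(source, m.start())})
    for m in GENERIC.finditer(source):
        value = m.group(1)
        if value in seen or shannon_entropy(value) < ENTROPY_THRESHOLD:
            continue  # already reported, or too uniform to be a key (e.g. padding)
        seen.add(value)
        findings.append({"kind": "high_entropy_string", "value": value,
                         "offset": m.start(1), "context": assigned_name(source, m.start(1))})
    return sorted(findings, key=lambda f: f["offset"])


def render_report(findings, filename):
    lines = [f"Exposed secrets in {filename}: {len(findings)}"]
    for f in findings:
        shown = f["value"][:12] + "..." if len(f["value"]) > 12 else f["value"]
        lines.append(f"- {f['kind']} assigned to '{f['context']}' at byte {f['offset']}: {shown}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(render_report(scan_js(SAMPLE_JS), "app.bundle.min.js"))
```

On the sample this reports three items (the key ID, the secret key as a high-entropy literal, and the genuine JWT) and drops both decoys: the repeated-character string fails the entropy check and the fake token fails header verification. The same verify-before-report discipline is what keeps an automated scan's output trustworthy.
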
Value of Automation
Automating the search for leaked JavaScript secrets means a thorough and consistent audit that would be impractical to achieve manually. With WhiteRabbitNeo handling the heavy lifting, the process becomes both fast and exhaustive. The model can parse through dozens of files in seconds and catch subtle patterns a human might overlook. This reduces the chance of missing an API key due to fatigue or oversight. Typically, a red teamer might resort to grep or use multiple regex-based tools to scan code, then manually verify each find – a tedious process that still risks false negatives, especially if the secrets are hidden in unusual ways. In contrast, this workflow optimizes the task: you feed in the code and the AI immediately flags any credentials or tokens, even those concealed in complex scripts.
2. TLS Recon (crt.sh) + Shodan Fingerprinting
Staying on top of newly issued SSL/TLS certificates is a clever way to discover new subdomains or infrastructure that a target may have brought online. Certificate transparency (CT) logs are public and can reveal hostnames that standard DNS reconnaissance might miss, for example a secret beta site or an internal API endpoint that recently got a certificate. By querying CT logs via an API (like the free crt.sh service) and then checking those hosts on Shodan, you can quickly enumerate and profile a target’s expanding attack surface. Automating this process means you get a near real-time view of new assets and their running services, without manually searching for anything.
Workflow Steps
1. Begin by setting up a new workflow agent and add an LLM action step to prompt the user to input the target domain name. This domain will be used to query certificate transparency (CT) logs for all related certificates issued for the domain and its subdomains.

2. After that, include an API action step that calls the crt.sh API with the provided domain. This query will retrieve a list of all public certificate logs related to the target domain, which may include subdomains or new infrastructure that could be useful for reconnaissance.

3. Once the crt.sh API returns the list of certificates, add an LLM action step to parse the results. The LLM will process the data to extract unique subdomains from the CT logs, ensuring that the subdomains are distinct and not duplicates, and filtering out wildcard entries if necessary.

4. Use the Shodan API to search for the discovered subdomains, looking for any associated infrastructure, open services, or potential vulnerabilities. For each subdomain, query Shodan to gather detailed information about its associated IP address, running services, and any open ports.

5. Finally, add an LLM action step to consolidate the subdomains and their Shodan findings into a single, easy-to-read report. In this step, you can prompt the AI to create a table where each row lists a discovered subdomain, its resolved IP address, and key open services or ports (with service names). The LLM can also flag any particularly interesting findings, like uncommon ports or services that might warrant further investigation.

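The parsing step (3) and the reporting step (5) are where most hand-written versions of this workflow go wrong, so here is an added example (not the post's or Kindo's code) of both in Python. The crt.sh JSON format is real: the `output=json` endpoint returns a list of certificate entries whose `name_value` field holds newline-separated SANs. The Shodan host records are shaped like the `/shodan/host/{ip}` response (`ip_str`, `ports`, `data[]` with `port`, `transport`, `product`, `version`), but all values below are constructed, and the hostname-to-IP resolution the Shodan step needs is assumed to have been done already. The "interesting port" rule (anything that is not 80 or 443) is an assumption.

```python
import json
import urllib.request


def fetch_crt_sh(domain, timeout=30):
    """Live crt.sh query (network call; the sample below does not use it)."""
    url = f"https://crt.sh/?q=%25.{domain}&output=json"
    with urllib.request.urlopen(url, timeout=timeout) as resp:
        return resp.read().decode("utf-8")


# Constructed sample in the shape crt.sh returns; values are made up.
CRT_SH_SAMPLE = json.dumps([
    {"id": 1, "issuer_name": "C=US, O=Let's Encrypt, CN=R3", "common_name": "www.example.com",
     "name_value": "example.com\nwww.example.com", "not_before": "2024-01-05T00:00:00"},
    {"id": 2, "issuer_name": "C=US, O=Let's Encrypt, CN=R3", "common_name": "*.example.com",
     "name_value": "*.example.com\nexample.com", "not_before": "2024-02-10T00:00:00"},
    {"id": 3, "issuer_name": "C=US, O=Let's Encrypt, CN=R3", "common_name": "api.example.com",
     "name_value": "API.Example.com\nbeta.example.com", "not_before": "2024-03-01T00:00:00"},
    {"id": 4, "issuer_name": "C=US, O=Let's Encrypt, CN=R3", "common_name": "beta.example.com",
     "name_value": "beta.example.com", "not_before": "2024-03-02T00:00:00"},
    {"id": 5, "issuer_name": "C=US, O=Other CA", "common_name": "example.com.evil-lookalike.net",
     "name_value": "example.com.evil-lookalike.net", "not_before": "2024-03-03T00:00:00"},
])

# Constructed Shodan-style host records keyed by hostname (resolution assumed done).
SHODAN_SAMPLE = {
    "beta.example.com": {"ip_str": "203.0.113.10", "ports": [21, 443],
                         "data": [{"port": 21, "transport": "tcp", "product": "vsftpd", "version": "2.3.4"},
                                  {"port": 443, "transport": "tcp", "product": "nginx"}]},
    "www.example.com": {"ip_str": "203.0.113.20", "ports": [443],
                        "data": [{"port": 443, "transport": "tcp", "product": "nginx"}]},
}

COMMON_WEB_PORTS = {80, 443}  # assumption: anything else is worth a second look


def extract_subdomains(raw_json, domain):
    """Step 3: unique, lowercase, in-scope names; wildcard and look-alike entries dropped."""
    domain = domain.lower()
    names = set()
    for entry in json.loads(raw_json):
        for name in entry.get("name_value", "").split("\n"):
            name = name.strip().lower()
            if not name or name.startswith("*."):
                continue
            if name == domain or name.endswith("." + domain):
                names.add(name)
    return sorted(names)


def summarize_host(hostname, shodan_host):
    services, flags = [], []
    for svc in shodan_host.get("data", []):
        label = f"{svc['port']}/{svc.get('transport', 'tcp')}"
        product = " ".join(x for x in (svc.get("product"), svc.get("version")) if x)
        if product:
            label += f" ({product})"
        services.append(label)
        if svc["port"] not in COMMON_WEB_PORTS:
            flags.append(label)
    return {"host": hostname, "ip": shodan_host.get("ip_str"), "services": services, "flags": flags}


def build_report(subdomains, shodan_results):
    """Step 5: one row per discovered host, with or without Shodan data."""
    rows = []
    for host in subdomains:
        data = shodan_results.get(host)
        rows.append(summarize_host(host, data) if data else
                    {"host": host, "ip": None, "services": [], "flags": []})
    return rows


def render_table(rows):
    lines = ["| Host | IP | Services | Flags |", "|---|---|---|---|"]
    for r in rows:
        lines.append(f"| {r['host']} | {r['ip'] or 'no data'} | "
                     f"{', '.join(r['services']) or '-'} | {', '.join(r['flags']) or '-'} |")
    return "\n".join(lines)


if __name__ == "__main__":
    subs = extract_subdomains(CRT_SH_SAMPLE, "example.com")
    print(render_table(build_report(subs, SHODAN_SAMPLE)))
```

Two details matter in practice: names are lower-cased before deduplication (CT entries preserve whatever case the requester used), and the in-scope test is an exact suffix match on `.example.com`, which is what keeps `example.com.evil-lookalike.net` out of the asset list.
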
Value of Automation
By automating CT log monitoring and service enumeration, you gain a large reconnaissance advantage. Instead of manually checking certificate transparency websites or waiting for periodic scans, this workflow continuously or on-demand pulls in the latest issued certificates for your target. It then immediately tells you which of those hosts are alive and what they’re running. This is incredibly valuable for red teams: you might catch a glimpse of a staging environment or a forgotten subdomain the moment it appears, possibly before the target organization even realizes it’s exposed. Combining CT logs with Shodan data means you don’t just get a list of names, you get context (“this host is up and running an outdated FTP service”). The process is fast and repeatable, ensuring that as the target’s infrastructure evolves, your knowledge of it stays one step ahead. Ultimately, this leads to more comprehensive coverage in engagements and a higher chance of finding vulnerabilities in new or obscure services.
3. VirusTotal API for IP Address Intelligence
VirusTotal isn’t just a tool for security teams fighting malware; it’s also helpful for red teams during planning and reconnaissance. By using VirusTotal’s API, red teams can quickly check if IP addresses linked to their infrastructure or targets have been flagged for suspicious activities, like phishing or malware. Additionally, verifying file hashes and URLs against VirusTotal's threat intel helps ensure your operational assets haven’t already been burned, allowing you to maintain stealth and avoid prematurely alerting defenders.
Workflow Steps
1. Start by setting up a new workflow agent and add an LLM action step to prompt the user for a target IP address. This input will be used to query VirusTotal’s API for intelligence on any associated activity. While we’re using IP addresses for now, this setup can easily be switched to query for domain names or file hashes in the future.

2. In the next step, make an API action call to VirusTotal to check any IP addresses you want to investigate. VirusTotal will give you a report showing if the IP address has been involved in activities like phishing or hosting malware. It will also show how many antivirus tools flagged it as suspicious. This helps you quickly see if the IP address is linked to known threats and identify possible attack risks.

3. Finally, use an LLM action step to interpret and summarize the data gathered from VirusTotal. WhiteRabbitNeo can be prompted here to consolidate the findings: list all the subdomains discovered and highlight if any of them have malicious tags or flags in VirusTotal’s data. The LLM can produce a brief report that prioritizes the most interesting intelligence. For instance, if one subdomain was flagged in a malware campaign, the summary might note that as a high-risk item for the red team to investigate further.

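As an added example (not from the post or Kindo), here is the interpretation step in Python against a VirusTotal API v3 IP report. The endpoint (`GET /api/v3/ip_addresses/{ip}` with an `x-apikey` header) and the fields used (`last_analysis_stats`, `last_analysis_results`, `reputation`, `as_owner`, `country`, `tags`) are real parts of the v3 response; the two sample reports, the engine names and the verdict thresholds are constructed assumptions, and the `last_analysis_results` map in the sample is truncated to a handful of engines.

```python
import json
import urllib.request

VT_IP_ENDPOINT = "https://www.virustotal.com/api/v3/ip_addresses/{ip}"


def fetch_ip_report(ip, api_key, timeout=30):
    """Live VirusTotal v3 lookup (network call; not exercised by the samples below)."""
    req = urllib.request.Request(VT_IP_ENDPOINT.format(ip=ip), headers={"x-apikey": api_key})
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return json.load(resp)


# Constructed sample reports shaped like the v3 response (values made up; the
# per-engine results map is truncated, so it lists fewer engines than the stats).
VT_FLAGGED = {"data": {"id": "198.51.100.7", "type": "ip_address", "attributes": {
    "as_owner": "EXAMPLE-NET", "country": "US", "reputation": -12, "tags": ["phishing"],
    "last_analysis_stats": {"harmless": 61, "malicious": 3, "suspicious": 1, "undetected": 25, "timeout": 0},
    "last_analysis_results": {
        "EngineA": {"category": "malicious", "result": "phishing", "method": "blacklist", "engine_name": "EngineA"},
        "EngineB": {"category": "malicious", "result": "malware", "method": "blacklist", "engine_name": "EngineB"},
        "EngineC": {"category": "suspicious", "result": "suspicious", "method": "blacklist", "engine_name": "EngineC"},
        "EngineD": {"category": "harmless", "result": "clean", "method": "blacklist", "engine_name": "EngineD"},
        "EngineE": {"category": "malicious", "result": "malicious", "method": "blacklist", "engine_name": "EngineE"},
    }}}}

VT_CLEAN = {"data": {"id": "203.0.113.9", "type": "ip_address", "attributes": {
    "as_owner": "EXAMPLE-HOSTING", "country": "DE", "reputation": 0, "tags": [],
    "last_analysis_stats": {"harmless": 70, "malicious": 0, "suspicious": 0, "undetected": 20, "timeout": 0},
    "last_analysis_results": {
        "EngineA": {"category": "harmless", "result": "clean", "method": "blacklist", "engine_name": "EngineA"},
    }}}}


def summarize_ip_report(report, high_threshold=3):
    """Turn a raw v3 report into the few fields an analyst actually reads.

    Verdict rule (assumption): >= high_threshold malicious engines is high-risk,
    any malicious/suspicious vote needs review, otherwise clean.
    """
    attrs = report["data"]["attributes"]
    stats = attrs.get("last_analysis_stats", {})
    malicious = stats.get("malicious", 0)
    suspicious = stats.get("suspicious", 0)
    engines = attrs.get("last_analysis_results", {})
    flagged = {cat: sorted(name for name, r in engines.items() if r.get("category") == cat)
               for cat in ("malicious", "suspicious")}
    if malicious >= high_threshold:
        verdict = "high-risk"
    elif malicious + suspicious > 0:
        verdict = "review"
    else:
        verdict = "clean"
    return {
        "ip": report["data"]["id"], "verdict": verdict,
        "malicious": malicious, "suspicious": suspicious, "total_engines": sum(stats.values()),
        "flagged": flagged, "tags": list(attrs.get("tags", [])),
        "as_owner": attrs.get("as_owner"), "country": attrs.get("country"),
        "reputation": attrs.get("reputation"),
    }


def render_summary(s):
    lines = [f"{s['ip']} ({s['as_owner']}, {s['country']}): {s['verdict'].upper()} "
             f"- {s['malicious']} malicious / {s['suspicious']} suspicious of {s['total_engines']} engines, "
             f"community reputation {s['reputation']}"]
    if s["tags"]:
        lines.append("  tags: " + ", ".join(s["tags"]))
    for cat in ("malicious", "suspicious"):
        if s["flagged"][cat]:
            lines.append(f"  {cat}: " + ", ".join(s["flagged"][cat]))
    return "\n".join(lines)


def triage(reports, high_threshold=3):
    """Batch the way the workflow would: highest-risk IPs first."""
    order = {"high-risk": 0, "review": 1, "clean": 2}
    summaries = [summarize_ip_report(r, high_threshold) for r in reports]
    return sorted(summaries, key=lambda s: (order[s["verdict"]], -s["malicious"]))


if __name__ == "__main__":
    for s in triage([VT_CLEAN, VT_FLAGGED]):
        print(render_summary(s))
```

Reading `last_analysis_stats` for the counts and `last_analysis_results` only for the names of the engines that voted keeps the summary consistent with VirusTotal's own numbers even when you only display a subset of engines; the batch `triage` ordering is what lets a single report surface the one indicator that needs attention first.
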
Value of Automation
Integrating VirusTotal into your red team workflow ensures you automatically tap into a global intelligence network. This has two major benefits. First, you gain an expanded view of the target’s infrastructure - the subdomains VirusTotal knows about might include those discovered by other researchers or malware, giving you perspective beyond what you’d find through internal scans alone. Second, you gain immediate context around suspicious artifacts: if a piece of software, IP, or URL related to your target has a malicious reputation, you’ll know immediately. Normally, operators manually plug indicators into VirusTotal’s interface one by one, but automation checks every relevant indicator in seconds, compiling the results for easy review. The outcome is a richer reconnaissance phase: you might discover a seemingly innocuous subdomain was involved in a phishing campaign last year, or that a leaked company file is malware designed to phone home. By identifying these signs early, your team can avoid inadvertently using detected infrastructure, prioritize more promising vectors, and make more informed attack decisions.
4. Tech Stack Analysis and Admin Panel Discovery
Almost every web application has some form of administrative interface, and if that interface is exposed and not properly secured, it can be a golden ticket for a red teamer. Many websites run on common platforms or content management systems (CMS) which have predictable admin login paths (like /wp-admin for WordPress, /administrator for Joomla, etc.). This workflow automates the process of identifying what technology each target domain is running and then guessing the likely admin portals for those technologies. By using the BuiltWith API to fingerprint a site’s tech stack and our foundational LLM (WhiteRabbitNeo) to derive admin URLs, this approach quickly pinpoints which sites have login pages out in the open, information that a red team can use to attempt default credentials, brute force, or other exploitation.
Workflow Steps
1. First, set up a new workflow agent and include an LLM action step that asks the user to provide a list of target domains to analyze. The user can input this list either manually or upload a file, and the workflow will process each domain one by one.

2. After that, add an API action step to query the BuiltWith API for each target domain. The BuiltWith API will return detailed information about the technology stack used on each website, such as CMS platforms, frameworks, server software, and other relevant technologies that can help identify exposed admin panels.

3. Now add an LLM action step to analyze the technology profile and predict admin panel URLs. This is where WhiteRabbitNeo comes into play to apply security knowledge. The AI examines the BuiltWith data to see if it recognizes a platform that has a standard admin login path. Based on the tech stack, the LLM will output one or several likely admin login paths.

4. Finally, include an LLM action step to summarize the results for all domains. The AI can produce a report or table where each target domain is listed alongside the identified technology and its predicted admin panel. This summary lets the red team quickly see which sites potentially have an exposed login page. Those with exposed admin portals can be prioritized for further action.

Value of Automation
This workflow optimizes a task that is tedious but important: finding the biggest entry points. In a manual scenario, an operator would have to visit each site, guess or know its platform, then try various admin URLs by hand, a process that doesn’t scale well and can easily miss less obvious admin pages. By automating technology fingerprinting with BuiltWith, you get an accurate read on each site’s stack instantly. Using AI to suggest admin paths means you benefit from collective knowledge of countless frameworks (AI remembers even less common default URLs). The time saved is huge: what might take a human hours of mind-numbing checking is accomplished in minutes, with consistency. Moreover, this reduces human error – the workflow won’t forget to check a certain path, and it can be rerun anytime to catch changes. Overall, it’s a quick win to tighten your focus on high-value targets in any red team engagement.
5. Multi-Source Data Leak Aggregation and Analysis
One organization’s forgotten leak is a red team’s treasure. Companies often have data leaked or exposed across various platforms – GitHub repositories with hardcoded secrets, Pastebin dumps of database credentials, darknet forum posts mentioning the company, old PDF reports on public shares, and so on. Gathering this open-source intelligence (OSINT) manually is like searching for needles in a lot of different haystacks. This workflow automates the collection of leaked data related to a target from multiple sources and uses an AI agent to make sense of it. We’ll use Intelligence X (intelx.io) as a primary source (it’s an aggregator of breaches, paste sites, and dark web data), and note that you could extend the workflow with others (GitHub code search, Pastebin, etc.) similarly. The goal is to produce a distilled briefing of any exposed information about the target that could be leveraged in an attack.
Workflow Steps
1. Start by setting up a new workflow agent and include an LLM action step to prompt the user for a target domain or keyword. The user will provide this information which will be used to search for leaked data associated with the target across multiple platforms.

2. Add an API action step to search Intelx (Intelligence X) for the given domain. Using the intelx API, the workflow sends a search query for our target string. The response from intelx will include references to any data leaks or records where the target appears. This could be entries like email addresses and passwords in a leaked database, mentions of the company in paste dumps, documents containing the domain name, etc.

3. Once the data is collected, use an LLM action step to interpret and summarize the findings. The AI will sift through possibly large text dumps looking for things like credential pairs, API keys, confidential documents, personally identifiable information, or internal server details. For instance, if intelx returned a list of email addresses and hashed passwords from a 2018 breach, the LLM can highlight that and even suggest which accounts look high-value (like admins or service accounts). Essentially, this step turns a mountain of leaked data into a concise intelligence report by extracting the juicy bits.

4. Finally, the workflow gives the team AI-created insights in a simple, easy-to-use format. This could just be the result from an LLM action step, or you might add a final step to organize the findings into a short report or send them out through email or Slack. In the end, you’ll get something like: “Found 3 employee password hashes and emails in public breach data (likely from the XYZ breach in 2020), etc.” These insights can then go straight into your red team plan. You now have some passwords to test in credential stuffing attacks, keys to try in AWS, or an internal host to investigate with more context.

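To show what the interpretation and briefing steps (3 and 4) actually compute, here is an added Python example that is not the post's or Kindo's code and does not use the Intelligence X API format: it assumes the workflow has already normalised hits from several sources into one record shape (`source`, `bucket`, `date`, `content`), then extracts every account under the target domain, notes whether credential material accompanied it, deduplicates across sources, marks accounts whose local part looks privileged, pulls out internal hostnames, and renders the kind of one-paragraph briefing step 4 describes. The records, hash strings and the privileged-name keyword list are constructed assumptions.

```python
import re

# Constructed records in an assumed normalised shape (not the Intelligence X API format).
RECORDS = [
    {"source": "intelx", "bucket": "leaks.public", "date": "2018-06-02",
     "content": "jane.doe@example.com:0123456789abcdef0123456789abcdef\n"
                "admin@example.com:fedcba9876543210fedcba9876543210\n"
                "someone@other-company.org:00000000000000000000000000000000\n"},
    {"source": "pastebin", "bucket": "pastes", "date": "2020-11-14",
     "content": "internal hosts: vpn.example.com 10.20.0.5, git.example.com\n"
                "contact svc-backup@example.com for access\n"},
    {"source": "github", "bucket": "code", "date": "2022-03-09",
     "content": "README: reach jane.doe@example.com (repeat mention, no credential)\n"},
]

# Assumption: local-part tokens that suggest an admin or service account.
PRIVILEGED_TOKENS = {"admin", "administrator", "root", "svc", "service", "sysadmin", "ops"}


def is_privileged(email):
    local = email.split("@")[0].lower()
    return any(tok in PRIVILEGED_TOKENS for tok in re.split(r"[._+-]", local))


def triage_records(records, domain):
    """Step 3: accounts, credential exposure, sources and hosts for one target domain."""
    d = re.escape(domain.lower())
    email_re = re.compile(rf"\b([a-z0-9._%+-]+@{d})\b", re.I)
    cred_re = re.compile(rf"\b([a-z0-9._%+-]+@{d}):\S+", re.I)      # email:secret lines
    host_re = re.compile(rf"\b((?:[a-z0-9-]+\.)+{d})\b", re.I)     # labels under the domain
    accounts, hosts = {}, set()
    for rec in records:
        text = rec["content"]
        with_cred = {m.group(1).lower() for m in cred_re.finditer(text)}
        for m in email_re.finditer(text):
            email = m.group(1).lower()
            entry = accounts.setdefault(email, {
                "sources": set(), "earliest": rec["date"],
                "with_credential": False, "privileged": is_privileged(email)})
            entry["sources"].add(rec["source"])
            entry["earliest"] = min(entry["earliest"], rec["date"])  # ISO dates sort as strings
            if email in with_cred:
                entry["with_credential"] = True
        hosts.update(h.lower() for h in host_re.findall(text))
    for entry in accounts.values():
        entry["sources"] = sorted(entry["sources"])
    return {"domain": domain, "accounts": accounts, "hosts": sorted(hosts)}


def render_briefing(result):
    """Step 4: the short, prioritised summary the team actually reads."""
    acc = result["accounts"]
    creds = [e for e, v in acc.items() if v["with_credential"]]
    priv = [e for e, v in acc.items() if v["privileged"]]
    lines = [f"Exposure briefing for {result['domain']}: {len(acc)} accounts seen, "
             f"{len(creds)} with credential material, {len(priv)} privileged-looking."]
    # Privileged accounts with credentials first, then the rest alphabetically.
    for email in sorted(acc, key=lambda e: (not acc[e]["privileged"], not acc[e]["with_credential"], e)):
        v = acc[email]
        lines.append(f"- {email}: sources={','.join(v['sources'])} first_seen={v['earliest']} "
                     f"credential={'yes' if v['with_credential'] else 'no'}"
                     f"{' PRIVILEGED' if v['privileged'] else ''}")
    if result["hosts"]:
        lines.append("Internal hostnames mentioned: " + ", ".join(result["hosts"]))
    return "\n".join(lines)


if __name__ == "__main__":
    print(render_briefing(triage_records(RECORDS, "example.com")))
```

Deduplicating by account rather than by hit is what turns "hundreds of search results" into a short list: the same address seen in a 2018 breach and a 2022 repository is one account with two sources and the earliest exposure date, and the briefing orders it by how much it matters rather than by where it was found.
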
Value of Automation
The real power of this workflow is comprehensive awareness. Manually tracking all possible leak sources is nearly impossible; something will slip through the cracks or be discovered too late. By automating searches across Intelligence X and other aggregators, you essentially have a research assistant scouring the internet for any mention of your target. Moreover, the inclusion of an LLM means that the deluge of raw data is immediately put into context. Instead of handing the team hundreds of search results or dumps to read, the workflow delivers actionable intelligence: it calls out exactly what was found and why it matters. This not only saves time but can unveil useful information early.
Take Your Next Steps With Kindo
If you want to optimize your red team workflows, Kindo can help. With 80% fewer tools required, our agent-driven automation replaces brittle scripts and dashboards, saving time and improving efficiency. You’ll see a 26x ROI as Kindo executes tasks at machine speed, reducing MTTR by days. Automate everything from scanning JavaScript for exposed secrets to aggregating data leaks securely and with full control.
Ready to make your red team more effective? Get a demo here.