Integrations

WitnessOps Catalog

How the WitnessOps catalog describes available governed execution capabilities.

The WitnessOps catalog is the authoritative list of governed execution capabilities available to operators. Each entry is a runbook -- a versioned workflow definition that the execution engine can validate, run, and produce evidence for. If a capability is not in the catalog, the engine cannot execute it.

What the catalog controls

The catalog enforces three constraints:

  1. Available capabilities are explicit. Operators can only request runbooks that exist in the catalog. There is no ad-hoc execution path.
  2. Each runbook declares its category and scope. The engine uses this metadata to apply the correct policy gates, tool wrappers, and evidence capture rules.
  3. Versioning is pinned. Each runbook has a version number. Receipts record which version was executed. Changes to a runbook produce a new version, not an in-place mutation.

Listing the catalog

Operators view the catalog with:

bash automation/helpers/runbook-list.sh

Output format:

ID                       VERSION  CATEGORY        SUMMARY
attack-surface-discovery 2        recon           External attack surface discovery
initial-external-recon   2        recon           Quick external recon workflow
web-recon                2        recon           Scoped web reconnaissance workflow
tls-review               2        recon           TLS configuration review
web-content-discovery    2        recon           Web content and directory discovery
ad-enumeration           2        enumeration     Active Directory enumeration
smb-share-enum           2        enumeration     SMB share enumeration
linux-basic-enum         2        enumeration     Linux host basic enumeration
web-exploitation         2        exploitation    Web exploitation workflow
campaign-orchestrator    2        orchestration   Multi-phase campaign orchestration

Runbook coverage by threat phase

The catalog maps to the WitnessOps threat operations lifecycle. Current coverage:

Threat phase                  Runbooks                                          Category
Target discovery              attack-surface-discovery, initial-external-recon  recon
Reconnaissance                web-recon, tls-review, web-content-discovery      recon
Enumeration                   ad-enumeration, smb-share-enum, linux-basic-enum  enumeration
Vulnerability identification  tls-review, web-exploitation                      recon / exploitation
Exploitation                  web-exploitation                                  exploitation
Campaign orchestration        campaign-orchestrator                             orchestration

Phases not yet covered by dedicated runbooks: post-exploitation, privilege escalation, lateral movement, and impact validation. These phases are planned but do not have first-class catalog entries today.

Runbook detail

Recon category

attack-surface-discovery (v2) -- Identifies reachable targets and external infrastructure. Runs DNS discovery, subdomain enumeration, and HTTP probing. Produces asset inventories under recon/.

initial-external-recon (v2) -- Quick external reconnaissance combining port scanning, service fingerprinting, and basic enumeration. Designed as the standard first runbook for new engagements.

web-recon (v2) -- Scoped web reconnaissance including port scanning, technology detection, content discovery, and vulnerability scanning. Produces structured scan output and a runbook summary.

tls-review (v2) -- Evaluates TLS configuration, certificate validity, cipher suites, and known TLS weaknesses. Produces TLS-specific scan artifacts.

web-content-discovery (v2) -- Directory and file discovery against web targets using wordlist-driven fuzzing. Captures discovered paths and response codes.

Enumeration category

ad-enumeration (v2) -- Active Directory enumeration for domain-joined environments. Covers user, group, GPO, and trust enumeration.

smb-share-enum (v2) -- SMB share discovery and access-level enumeration. Identifies readable and writable shares.

linux-basic-enum (v2) -- Basic Linux host enumeration including users, services, network configuration, and file system review.

Exploitation category

web-exploitation (v2) -- Web exploitation workflow covering SQL injection, authentication bypass, and other web attack vectors. This runbook includes approval-gated steps -- intrusive actions pause for explicit operator approval before execution proceeds.

Orchestration category

campaign-orchestrator (v2) -- Multi-phase campaign workflow that sequences child runbooks into a coordinated operation. Current orchestration chain:

campaign-orchestrator
  -> attack-surface-discovery
  -> web-recon
  -> tls-review
  -> web-exploitation
  -> ad-enumeration

Each child run produces independent evidence. The parent run aggregates campaign-level artifacts including campaign-manifest.json and campaign-receipt.json.

Catalog governance

The catalog is not a convenience index. It is a governance boundary:

  • Adding a runbook requires defining its steps, tool wrappers, evidence capture rules, and policy gates. Undeclared capabilities cannot execute.
  • Removing a runbook removes the ability to run that workflow. Existing receipts referencing the removed runbook remain valid historical evidence.
  • Modifying a runbook increments its version. Old receipts reference old versions; new runs reference the current version. Version history is never rewritten.
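As an added illustration of the three constraints under "What the catalog controls" and the governance rules above (example code, not WitnessOps' own; the Runbook fields and receipt shape are assumed, since the page does not show the real schema), the following model rejects entries with undeclared steps, wrappers, evidence rules or gates, refuses to resolve anything not in the catalog, appends a new pinned version on every change, and keeps old receipts verifiable after removal.

```python
from dataclasses import dataclass, replace
# Assumed entry shape: the real WitnessOps runbook schema is not shown on this page.
@dataclass(frozen=True)
class Runbook:
    id: str
    version: int
    category: str
    steps: tuple = ()
    tool_wrappers: tuple = ()
    evidence_rules: tuple = ()
    policy_gates: tuple = ()
REQUIRED = ("steps", "tool_wrappers", "evidence_rules", "policy_gates")
class Catalog:
    def __init__(self):
        self._history = {}  # id -> [Runbook, ...] in version order; never rewritten
        self._active = {}   # id -> current version; absent means not executable
    def add(self, rb):
        if rb.id in self._history:
            raise ValueError(f"{rb.id}: already catalogued; use modify()")
        missing = [f for f in REQUIRED if not getattr(rb, f)]
        if missing:  # undeclared capabilities cannot execute
            raise ValueError(f"{rb.id}: undeclared {', '.join(missing)}")
        self._history[rb.id] = [rb]
        self._active[rb.id] = rb.version

    def modify(self, rb_id, **changes):
        # A change never mutates in place: it appends a new pinned version.
        old = self.resolve(rb_id)
        new = replace(old, version=old.version + 1, **changes)
        self._history[rb_id].append(new)
        self._active[rb_id] = new.version
        return new

    def remove(self, rb_id):
        self._active.pop(rb_id, None)  # capability withdrawn; history kept

    def resolve(self, rb_id):
        # Only catalogued, active runbooks can run: there is no ad-hoc path.
        if rb_id not in self._active:
            raise LookupError(f"{rb_id}: not in catalog")
        return self._history[rb_id][-1]

    def receipt(self, rb_id):
        rb = self.resolve(rb_id)
        return {"runbook": rb.id, "version": rb.version, "category": rb.category}
    def receipt_valid(self, receipt):
        # Old receipts remain valid evidence after removal or re-versioning.
        return any(v.version == receipt["version"]
                   for v in self._history.get(receipt["runbook"], []))
```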