Open-source, pre-compiled Retrieval-Augmented Generation (RAG) databases for offensive security and embedded systems.
The open-source AI community shares models and code, but almost nobody shares compiled knowledge. If 10,000 security researchers want to build an AI agent that understands AWS exploitation, 10,000 people have to independently scrape, chunk, parse, and embed the exact same manuals. That wastes compute, time, and API credits.
This repository contains pre-built, highly tactical Vector Databases. They are ready to be dropped directly into your local machine and queried by any LLM immediately. No chunking or embedding required.
To ensure these RAG shards run locally on standard hardware (laptops) without requiring heavy GPU compute or cloud APIs, they are built on a strictly lightweight stack:
- Vector Database: Local
Qdrant(File-based, no Docker/server required). - Embeddings:
BAAI/bge-small-en-v1.5(384 dimensions, ~133MB footprint, lightning fast on CPU). - Framework:
llama-index
These databases are completely model-agnostic. You can plug them into OpenAI, Claude, or a local Llama-3 instance. Every compiled RAG in this repository includes a rag_config.json manifest for automated agent routing, but they can also be loaded manually in standard Python scripts.
If you just want to query the database in your own custom script without any complex agent architecture, you only need the llama-index and qdrant-client libraries.
Here is a minimal example of how to load and query the aws_red_team_ops database:
from llama_index.core import VectorStoreIndex, StorageContext
from llama_index.vector_stores.qdrant import QdrantVectorStore
from llama_index.embeddings.huggingface import HuggingFaceEmbedding
from qdrant_client import QdrantClient
# 1. Load the exact embedding model used to create the database
embed_model = HuggingFaceEmbedding(model_name="BAAI/bge-small-en-v1.5")
# 2. Connect to the local Qdrant directory
# (Replace './storage/aws_red_team_ops' with the path to the downloaded shard)
client = QdrantClient(path="./storage/aws_red_team_ops")
# 3. Mount the vector store using the specific collection name
vector_store = QdrantVectorStore(
client=client,
collection_name="aws_red_team_ops"
)
# 4. Initialize the index
storage_context = StorageContext.from_defaults(vector_store=vector_store)
index = VectorStoreIndex.from_vector_store(
vector_store,
embed_model=embed_model
)
# 5. Query the database (Plug your preferred LLM into the LlamaIndex settings)
query_engine = index.as_query_engine(similarity_top_k=5)
response = query_engine.query("What is the AWS CLI command to list IAM users?")
print(response)These RAG shards were originally compiled for Wintermute, an agentic AI architecture. If you are running an agentic system, you don't need to hardcode the paths.
Every shard contains a rag_config.json file that acts as a plug-and-play manifest. It looks like this:
{
"rag_id": "aws_red_team_ops",
"description": "A highly tactical, cloud-native offensive security database...",
"base_provider_id": "local",
"embedding_model": "BAAI/bge-small-en-v1.5",
"vector_store_type": "qdrant",
"qdrant_url": "local",
"db_path": "./storage/aws_red_team_ops",
"qdrant_collection_name": "aws_red_team_ops"
}To load into an agent loop: Your agent's boot sequence can simply scan the ./storage directory, parse these JSON manifests, and dynamically initialize the query engines as distinct "Tools" with descriptions.
import json
from pathlib import Path
# Example Wintermute dynamic loading logic
rag_tools = []
storage_dir = Path("./storage")
for config_file in storage_dir.rglob("rag_config.json"):
with open(config_file, "r") as f:
manifest = json.load(f)
# Your agent reads the manifest and spins up the tool dynamically
# agent.mount_knowledge_base(
# collection=manifest["qdrant_collection_name"],
# description=manifest["description"]
# )
print(f"Loaded Knowledge Module: {manifest['rag_id']}")If you are using Wintermute, it has a built-in RAG loader that can automatically detect and mount these databases as tools. Simply place the downloaded shards in the ./storage directory, and Wintermute will handle the rest during its initialization phase.
import logging
from wintermute.ai.bootstrap import init_router
from wintermute.ai.types import ChatRequest, Message
logging.basicConfig(level=logging.INFO)
def test_dynamic_rag():
print("--- 1. Bootstrapping Wintermute ---")
# This automatically registers your base LLMs and scans for your RAG folders
router = init_router()
available_providers = llms.providers()
print(f"\n[Registry Check] Available Providers: {available_providers}")
# Prepare the query using your actual types
query = (
"What voltage does the Wintermute Quantum Processor use on the VCC_CORE pin? "
"Also, where are the JTAG pins?"
)
req = ChatRequest(messages=[Message(role="user", content=query)])
# ==========================================
# TEST 1: NO RAG (Direct to Bedrock/Base)
# ==========================================
print("\n--- 2. Test: WITHOUT RAG (Naked Provider) ---")
router.set_default(provider="bedrock") # Bypassing RAG entirely
# The router chooses the provider and prepares the request based on its policy
base_provider, routed_base_req = router.choose(req)
try:
base_resp = base_provider.chat(routed_base_req)
print(f"Wintermute (Base): {base_resp.content}")
except Exception as e:
print(f"Base Query Failed: {e}")
# ==========================================
# TEST 2: WITH RAG
# ==========================================
print("\n--- 3. Test: WITH RAG (Hardware Oracle) ---")
rag_target = "rag-tiny_hardware_test"
if rag_target not in available_providers:
print(
f"Error: {rag_target} was not discovered. Check your knowledge_bases folder!"
)
return
# Tell the router to point at the newly discovered RAG provider
router.set_default(provider=rag_target)
rag_provider, routed_rag_req = router.choose(req)
try:
rag_resp = rag_provider.chat(routed_rag_req)
print(f"Wintermute (RAG Augmented): {rag_resp.content}")
except Exception as e:
print(f"RAG Query Failed: {e}")
test_dynamic_rag()(Add your specific RAG databases here as you build them)
red_team_aws: Extracted from HackingTheCloud, HackTricks, and tactical cloud penetration testing manuals. Covers IAM escalation, Pacu, and AWS CLI payloads.
red_team_ops: A highly tactical offensive security reference database with a focus on information gathering, attacks, post-exploitation techniques, lateral movement, and persistence.
These vector databases are compiled for educational and authorized security auditing purposes only. Do not use the payloads extracted from these databases on infrastructure you do not own or do not have explicit permission to test.