CLI cheatsheet
Eight verb groups. Every command exits non-zero on a finding, so you can chain Romp into CI. Pipe results to jq for structured output.
Status & control
| Command | What it does |
|---|---|
| romp status | Health + uptime per otter, plus version. |
| romp start / stop / restart | Bring otters up/down. Same as systemctl ... romp.target. |
| romp tail [otter] | Stream the log for one otter, or all. |
| romp window | Open the unified dashboard window (GTK). |
| romp install-deps | Install/refresh node_modules across all otters. |
| romp version | Print Romp version + license tier. |
recon — Red Otter
External-facing reconnaissance. No exploitation, no auth probing.
| Command | Result |
|---|---|
| romp recon dns <target> | A/AAAA/MX/NS/TXT, plus DNSSEC chain. |
| romp recon ssl <host> | Cert chain, SAN list, ciphers, protocol versions, expiry. |
| romp recon headers <url> | Security-header analysis (HSTS, CSP, X-Frame, Permissions-Policy). |
| romp recon http <url> | Status, redirects, server fingerprint. |
| romp recon ip <ip> | Geolocation, ASN, reverse PTR. |
| romp recon ping <target> | Round-trip latency, packet loss. |
| romp recon traceroute <target> | Hop-by-hop path. |
| romp recon ports <target> | Top-1000 TCP scan. |
| romp recon subdomains <domain> | Wordlist-based subdomain enumeration. Up to 110K entries. |
| romp recon takeover <domain> | Subdomain-takeover detection — 20 service fingerprints (S3, Heroku, GitHub Pages, Shopify, Webflow, Statuspage, Zendesk, …). |
| romp recon cves <target> | Server / X-Powered-By → CVE map. Curated mini-DB of 9 high-impact CVEs (Apache 2.4.49 traversal, OpenSSL Heartbleed/Spooky, PHP 8.1.0/1, Tomcat Ghostcat, Jenkins 2024-23897, GitLab ExifTool, etc.). |
| romp recon wayback <domain> | Pull historical URLs from the Wayback Machine. Up to 25K. Optional status filter. |
| romp recon localnet | Discover live hosts on your LAN. Requires ROMP_ALLOW_PRIVATE_TARGETS=1. |
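The kind of analysis romp recon headers performs can be reproduced offline on a single response. The block below is an added example, not Romp's code: it takes a dict of response headers (constructed here, or whatever your HTTP client returns) and lists findings for the four header families named above. The thresholds it applies (one-year HSTS max-age, no 'unsafe-inline' in the effective script policy, DENY/SAMEORIGIN framing) are common hardening guidance assumed by the example, not Romp's documented rules.

```python
"""Security-header linter in the spirit of `romp recon headers`.

Added example, not Romp's own code. It scores a dict of response headers
(as any HTTP client hands them back) against the four header families the
cheatsheet names. The thresholds are common hardening recommendations,
assumed here, not Romp's documented rules.
"""
import re

ONE_YEAR = 31536000  # seconds; the usual minimum HSTS max-age


def _get(headers, name):
    """Case-insensitive header lookup; None when absent."""
    for key, value in headers.items():
        if key.lower() == name.lower():
            return value
    return None


def _csp_directives(csp):
    """Parse 'default-src x; script-src y' into {directive: [sources]}."""
    directives = {}
    for chunk in csp.split(";"):
        parts = chunk.strip().split()
        if parts:
            directives[parts[0].lower()] = parts[1:]
    return directives


def analyze_headers(headers):
    """Return a list of (severity, message) findings for one response."""
    findings = []

    hsts = _get(headers, "Strict-Transport-Security")
    if hsts is None:
        findings.append(("high", "HSTS missing"))
    else:
        match = re.search(r"max-age=(\d+)", hsts, re.IGNORECASE)
        max_age = int(match.group(1)) if match else 0
        if max_age < ONE_YEAR:
            findings.append(("medium", f"HSTS max-age {max_age} is under one year"))
        if "includesubdomains" not in hsts.lower():
            findings.append(("low", "HSTS lacks includeSubDomains"))

    csp = _get(headers, "Content-Security-Policy")
    has_frame_ancestors = False
    if csp is None:
        findings.append(("high", "CSP missing"))
    else:
        directives = _csp_directives(csp)
        # script-src falls back to default-src when not set
        script = directives.get("script-src", directives.get("default-src", []))
        for weak in ("'unsafe-inline'", "'unsafe-eval'"):
            if weak in script:
                findings.append(("high", f"CSP script policy allows {weak}"))
        if "*" in script:
            findings.append(("medium", "CSP script policy allows any origin"))
        has_frame_ancestors = "frame-ancestors" in directives

    xfo = _get(headers, "X-Frame-Options")
    if xfo is None and not has_frame_ancestors:
        findings.append(("medium", "no clickjacking protection (X-Frame-Options or CSP frame-ancestors)"))
    elif xfo is not None and xfo.strip().upper() not in ("DENY", "SAMEORIGIN"):
        findings.append(("low", f"X-Frame-Options value {xfo!r} is not DENY/SAMEORIGIN"))

    if _get(headers, "Permissions-Policy") is None:
        findings.append(("low", "Permissions-Policy missing"))

    return findings


# Constructed sample responses, not captured from any real site.
HARDENED = {
    "Strict-Transport-Security": "max-age=63072000; includeSubDomains; preload",
    "Content-Security-Policy": "default-src 'self'; script-src 'self'; frame-ancestors 'none'",
    "Permissions-Policy": "camera=(), microphone=(), geolocation=()",
}
WEAK = {
    "strict-transport-security": "max-age=300",
    "content-security-policy": "default-src * 'unsafe-inline'",
    "x-frame-options": "ALLOW-FROM https://example.com",
}

if __name__ == "__main__":
    for label, response in (("hardened", HARDENED), ("weak", WEAK)):
        print(label, analyze_headers(response) or "clean")
```

The lookup is case-insensitive on purpose: HTTP header names are case-insensitive and different clients normalise them differently, so a linter keyed on exact spelling silently reports "missing" for headers that are present.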
dast — Blue Otter
Dynamic application scanning. Crawl, then probe.
| Command | Result |
|---|---|
| romp dast crawl <url> | Spider the app; returns URL + form inventory. |
| romp dast forms <url> | Find forms, classify (login, search, upload, comment). |
| romp dast cors <url> | CORS misconfiguration probe. |
| romp dast methods <url> | Enumerate allowed HTTP methods (TRACE, OPTIONS, PUT, etc.). |
| romp dast redirects <url> | Open-redirect tests against common parameter names. |
| romp dast leaks <url> | Information-disclosure probe (.git, .env, source maps, backup files). |
| romp dast secrets <url> | JS bundle secret extraction. 12 patterns (AWS keys, Stripe live, Slack, GitHub PAT/OAuth, JWT, generic apikey-assignment). |
| romp dast graphql <url> | Detect GraphQL endpoint, attempt introspection, flag dangerous mutations. |
| romp dast ratelimit <url> | Send N bursts, detect throttling behavior. |
| romp dast full <url> | Run every dast subcommand sequentially. |
pentest — Black Otter
Active exploitation probes. Use only on targets you own or have
written authorization for.
| Command | Result |
|---|---|
| romp pentest sqli <url> | SQL-injection probe across query/form params. |
| romp pentest xss <url> | Reflected + stored XSS payloads. |
| romp pentest cmdi <url> | Command-injection probe. |
| romp pentest traversal <url> | Path-traversal payloads against parameters. |
| romp pentest dirs <url> | Directory enumeration. Up to 50K-entry wordlist. |
| romp pentest creds <url> | HTTP-basic / form-login brute-force against bundled weak-credential list. |
| romp pentest jwt <token> | Decode JWT; flag alg=none, missing exp, RS-asymmetric (alg-confusion candidate). Brute-forces HS256/384/512 against ~70 weak secrets. |
| romp pentest ssti <url> | Server-side template injection. Five syntax probes (double-brace, dollar-brace, ERB, razor-hash, Smarty), 7×7/8×8/9×9 arithmetic confirmation, engine fingerprint across Jinja2 / Twig / Freemarker / Velocity / Mako / ERB / Smarty. |
| romp pentest ssrf <url> | Server-side request forgery. Two-track detection: cloud-metadata canaries (AWS / GCP / Azure / Alibaba IMDS + loopback service banners), baseline-diff to suppress false positives, plus time-based blind detection against an unreachable RFC1918 target. External-callback OAST mode coming once the relay VPS is up. |
| romp pentest headers <url> | Header-injection probes (host, x-forwarded-*, x-original-url). |
| romp pentest ssl <target> | TLS active probes — Heartbleed, BEAST, POODLE, ROBOT. |
| romp pentest vulns <target> | Composite scan — cves + headers + ssl active. |
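The structural checks behind romp pentest jwt (alg=none, missing exp, asymmetric alg as an alg-confusion candidate) are the same checks a token verifier has to make, and they are worth understanding from that side. The block below is an added example, not Romp's code: it decodes a token without trusting it and reports those shapes, so you can lint tokens your own service issues. It deliberately does not reproduce the weak-secret brute-force, and it goes one step past the cheatsheet's "RS" wording by flagging ES* and PS* the same way. make_token and the sample tokens are constructed for the example; their signature segments are placeholders.

```python
"""JWT structure linter matching the checks `romp pentest jwt` lists.

Added example, not Romp's code, written from the verifier's side: decode
a token without trusting it, then flag the shapes a token validator must
reject (alg=none / unsigned, no exp, asymmetric alg that the verifier
must pin rather than read from the header). The weak-secret brute-force
the cheatsheet mentions is deliberately not reproduced. Going slightly
beyond the cheatsheet's "RS" wording, ES* and PS* are flagged the same way.
"""
import base64
import json
import time


def _b64url_decode(segment):
    """base64url (RFC 7515) with the stripped '=' padding restored."""
    segment += "=" * (-len(segment) % 4)
    return base64.urlsafe_b64decode(segment)


def _b64url_encode(obj):
    raw = json.dumps(obj, separators=(",", ":")).encode()
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def make_token(header, claims, signature="constructed-signature"):
    """Assemble sample input for the linter; the signature is a placeholder."""
    return ".".join([_b64url_encode(header), _b64url_encode(claims), signature])


def decode_jwt(token):
    """Return (header, claims, signature_segment) with no signature check."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("expected header.payload.signature")
    return json.loads(_b64url_decode(parts[0])), json.loads(_b64url_decode(parts[1])), parts[2]


def lint_jwt(token, now=None):
    """Return a list of findings; an empty list means no structural red flags."""
    now = time.time() if now is None else now
    header, claims, signature = decode_jwt(token)
    findings = []
    alg = str(header.get("alg", "")).lower()
    if alg == "none" or signature == "":
        findings.append("alg=none or empty signature: token is unsigned")
    if alg[:2] in ("rs", "es", "ps"):
        findings.append(f"asymmetric alg {header.get('alg')}: verifier must pin the algorithm "
                        "and key type, never take them from the header (alg-confusion candidate)")
    if "exp" not in claims:
        findings.append("no exp claim: token never expires")
    elif claims["exp"] < now:
        findings.append("token expired")
    if "nbf" in claims and claims["nbf"] > now:
        findings.append("nbf in the future: token not yet valid")
    return findings


# Constructed sample tokens; the signatures are placeholders, not real MACs.
NOW = 1_700_000_000
UNSIGNED = make_token({"alg": "none", "typ": "JWT"}, {"sub": "alice"}, signature="")
GOOD_HS = make_token({"alg": "HS256", "typ": "JWT"}, {"sub": "alice", "exp": NOW + 600})
STALE_RS = make_token({"alg": "RS256", "typ": "JWT"}, {"sub": "alice", "exp": NOW - 1})

if __name__ == "__main__":
    for name, tok in (("unsigned", UNSIGNED), ("good_hs", GOOD_HS), ("stale_rs", STALE_RS)):
        print(name, lint_jwt(tok, now=NOW) or "clean")
```

Passing now explicitly keeps the expiry check reproducible; in production you would leave it at the default clock and add a small leeway for skew.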
guard / audit — Grey + White
System audits and runtime monitoring on the host Romp itself runs on.
| Command | Result |
|---|---|
| romp guard full | Composite system audit — every Grey Otter check. |
| romp guard os | OS version, kernel, distro hardening flags. |
| romp guard users | User audit — sudoers, weak shells, no-password accounts. |
| romp guard ssh | sshd_config audit — root login, password auth, weak ciphers. |
| romp guard files | World-writable, SUID, orphaned files. |
| romp guard services | Running services, listening ports per process. |
| romp guard cron | Cron job audit — odd users, unusual paths, suspicious timing. |
| romp guard packages | Installed packages with known CVEs. |
| romp guard firewall | iptables / ufw rule sanity. |
| romp guard sysctl | Kernel hardening sysctls. |
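To show what an sshd_config audit of the romp guard ssh kind actually has to handle (comments, key=value spelling, Match blocks that do not change the global default, defaults for absent directives), here is an added example, not Romp's code. The defaults it assumes when a directive is missing follow current OpenSSH behaviour (PermitRootLogin prohibit-password, PasswordAuthentication yes); the weak-cipher marker list and the two sample configs are this example's own.

```python
"""sshd_config audit in the spirit of `romp guard ssh`.

Added example, not Romp's code. It reads the global section of an
sshd_config and flags root login, password authentication and weak
ciphers. Defaults applied when a directive is absent follow current
OpenSSH behaviour (PermitRootLogin prohibit-password, PasswordAuthentication
yes); the list of weak cipher markers is this example's assumption.
"""
import re

WEAK_CIPHER_MARKERS = ("cbc", "arcfour", "3des", "blowfish", "cast128")


def parse_sshd_config(text):
    """Return {keyword_lower: value} for the global section.

    Directives under a Match block apply only to matching connections, so
    they are skipped; as in sshd, the first occurrence of a keyword wins.
    """
    settings = {}
    in_match = False
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments
        if not line:
            continue
        parts = re.split(r"[\s=]+", line, maxsplit=1)  # 'Key value' or 'Key=value'
        key = parts[0].lower()
        value = parts[1].strip() if len(parts) > 1 else ""
        if key == "match":
            in_match = True  # everything until EOF belongs to the Match block
            continue
        if in_match:
            continue
        settings.setdefault(key, value)
    return settings


def audit_sshd(text):
    """Return a list of (severity, message) findings."""
    s = parse_sshd_config(text)
    findings = []
    root = s.get("permitrootlogin", "prohibit-password").lower()
    if root == "yes":
        findings.append(("high", "PermitRootLogin yes: root can log in with a password"))
    elif root in ("prohibit-password", "without-password"):
        findings.append(("info", f"PermitRootLogin {root}: root key-based login allowed"))
    if s.get("passwordauthentication", "yes").lower() == "yes":
        findings.append(("medium", "PasswordAuthentication yes: password guessing possible"))
    if s.get("permitemptypasswords", "no").lower() == "yes":
        findings.append(("high", "PermitEmptyPasswords yes"))
    ciphers = s.get("ciphers")
    if ciphers is None:
        findings.append(("info", "Ciphers not pinned; OpenSSH defaults apply"))
    else:
        weak = [c for c in ciphers.split(",")
                if any(marker in c.lower() for marker in WEAK_CIPHER_MARKERS)]
        if weak:
            findings.append(("medium", "weak ciphers enabled: " + ",".join(weak)))
    return findings


# Constructed sample configs, not copied from any real host.
WEAK_CONFIG = """\
# constructed: a permissive legacy host
PermitRootLogin yes
PasswordAuthentication yes
Ciphers aes256-ctr,aes128-cbc,3des-cbc
Match User deploy
    PasswordAuthentication no   # only for deploy; does not fix the global default
"""
HARDENED_CONFIG = """\
PermitRootLogin no
PasswordAuthentication no
PermitEmptyPasswords no
Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com
"""

if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(name, audit_sshd(cfg) or "clean")
```

The Match handling is the part most home-grown auditors get wrong: a PasswordAuthentication no inside a Match block hardens only the users it matches, so the global line above it is still the finding that matters.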
forensics — Orange + Yellow
| Command | Result |
|---|---|
| romp forensics baseline <dir> | Snapshot file hashes + permissions for later drift detection. |
| romp forensics verify <baseline> | Compare current state to a baseline; flags new/modified/deleted files. |
| romp forensics backup <dir> <password> | Encrypted (AES-256-GCM) tarball backup. |
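The baseline / verify pair above is a plain file-integrity check, and the block below shows the whole cycle end to end as an added example, not Romp's code. The cheatsheet does not document Romp's baseline file format, so the JSON layout here is the example's own; the demo tree, the drift it introduces and the resulting report are all constructed in a temporary directory.

```python
"""File-integrity baseline and drift check, in the spirit of
`romp forensics baseline` / `romp forensics verify`.

Added example, not Romp's code. The cheatsheet does not document Romp's
baseline file format, so the JSON layout here is this example's own.
Each regular file is recorded by SHA-256 and permission bits; symlinks are
recorded by their target string instead of being followed.
"""
import hashlib
import json
import os
import stat
import tempfile


def snapshot(root):
    """Map relative path -> {"sha256": ..., "mode": ...} for everything under root."""
    entries = {}
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames.sort()  # deterministic traversal
        for name in sorted(filenames):
            full = os.path.join(dirpath, name)
            st = os.lstat(full)  # lstat: do not follow symlinks
            if stat.S_ISLNK(st.st_mode):
                digest = hashlib.sha256(os.readlink(full).encode()).hexdigest()
            else:
                h = hashlib.sha256()
                with open(full, "rb") as f:
                    for chunk in iter(lambda: f.read(1 << 16), b""):
                        h.update(chunk)
                digest = h.hexdigest()
            entries[os.path.relpath(full, root)] = {
                "sha256": digest,
                "mode": format(stat.S_IMODE(st.st_mode), "04o"),
            }
    return entries


def write_baseline(root, path):
    """Persist a snapshot; keep the copy off-host so an intruder cannot edit it."""
    with open(path, "w") as f:
        json.dump({"root": os.path.abspath(root), "files": snapshot(root)},
                  f, indent=1, sort_keys=True)


def verify(root, baseline_path):
    """Diff the live tree against a baseline: new / modified / deleted paths."""
    with open(baseline_path) as f:
        old = json.load(f)["files"]
    new = snapshot(root)
    return {
        "new": sorted(set(new) - set(old)),
        "deleted": sorted(set(old) - set(new)),
        "modified": sorted(p for p in set(old) & set(new) if old[p] != new[p]),
    }


def demo():
    """Constructed end-to-end run in a throwaway directory; returns the report."""
    with tempfile.TemporaryDirectory() as tmp:
        tree = os.path.join(tmp, "etc")
        os.makedirs(tree)
        for name, body in (("hosts", "127.0.0.1 localhost\n"),
                           ("motd", "welcome\n"),
                           ("shadow", "root:*:19000::::::\n")):
            with open(os.path.join(tree, name), "w") as f:
                f.write(body)
        os.chmod(os.path.join(tree, "shadow"), 0o600)
        baseline = os.path.join(tmp, "baseline.json")
        write_baseline(tree, baseline)

        # Simulated drift: content edit, permission change, deletion, addition.
        with open(os.path.join(tree, "hosts"), "a") as f:
            f.write("10.0.0.5 mirror\n")
        os.chmod(os.path.join(tree, "shadow"), 0o644)  # same bytes, looser mode
        os.remove(os.path.join(tree, "motd"))
        with open(os.path.join(tree, "rc.local"), "w") as f:
            f.write("#!/bin/sh\n")
        return verify(tree, baseline)


if __name__ == "__main__":
    print(json.dumps(demo(), indent=1))
```

Recording the mode alongside the hash is what makes the shadow case show up: the bytes are unchanged, only the permissions loosened, and a hash-only baseline would miss it. Separately, note that romp forensics backup takes the password on the command line; anything in argv is visible in process listings and shell history on a shared host, so treat it like any other secret passed that way.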
ai — local LLM triage
| Command | Result |
|---|---|
| romp ai chat | Interactive REPL with the local model. |
| romp ai ask <question> | One-shot Q&A. |
| romp ai scan <target> | Run a recon + dast + ai-triage chain; the model summarizes findings in plain English with severity reasoning. |
| romp ai model | Show the loaded model + memory usage. |
alerts / report
| Command | Result |
|---|---|
| romp alerts list | Open alerts across all otters. |
| romp alerts ack <id> | Mark an alert acknowledged. |
| romp report | Full-system summary report (Cyber Guard Dog). |
| romp report <finding-id> | HackerOne / Bugcrowd-format markdown for a single finding. |
| romp license verify | Validate Ed25519 license signature. |
| romp license info | Tier + expiry. |
scope — bug-bounty scope manager
When a program is active, the offensive otters refuse out-of-scope targets at the same chokepoint that blocks SSRF / metadata-IP probes. Stops you accidentally hitting legacy.target.com when only *.api.target.com is in scope.
Patterns: literal hostnames (api.target.com) or glob (*.target.com — matches subdomains, not the apex).
Storage: ~/.config/romp/scope.json.
| Command | Result |
|---|---|
| romp scope add <program> [pattern] | Create program; if pattern given, add to in_scope. |
| romp scope deny <program> <pattern> | Add pattern to out_of_scope. |
| romp scope rm-scope <program> <pattern> | Remove from in_scope. |
| romp scope rm-deny <program> <pattern> | Remove from out_of_scope. |
| romp scope rm <program> | Delete the whole program. |
| romp scope use <program> | Set active program — enforcement turns ON. |
| romp scope clear | Unset active — enforcement turns OFF. |
| romp scope active | Show active program details. |
| romp scope list [program] | List programs / detail one. |
| romp scope check <target> [program] | Test whether target is in scope. Exits 0 (in scope) or 2 (out). |
Empty in_scope means "anything not explicitly out_of_scope is allowed" — useful when you want a deny-list-only program. SSRF / metadata-IP / private-network blocks always win regardless of scope; you can't grant access to 169.254.169.254 by adding it to in_scope.
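The scope rules above (literal vs. glob, glob excludes the apex, deny beats allow, empty in_scope is deny-list-only, hard blocks that no scope entry can lift, enforcement off when no program is active) fit in a few dozen lines, and writing them out makes the edge cases concrete. The block below is an added example, not Romp's code: the layout of scope.json is not shown on the cheatsheet, so the store structure, the add_pattern / enforce helpers and the sample program are assumptions of this example; targets are bare hostnames or IP addresses, with no URL parsing.

```python
"""Scope enforcement modelled on `romp scope`.

Added example, not Romp's code. The cheatsheet does not show the layout of
~/.config/romp/scope.json, so the store structure here is assumed. The rules
are the documented ones: literal hostnames or globs (*.target.com matches
subdomains, never the apex), a deny entry beats an allow entry, empty
in_scope means "anything not explicitly denied", and metadata / private /
loopback addresses are refused whatever the scope says. Targets are bare
hostnames or IP addresses (URL handling is not modelled).
"""
import ipaddress
import json

IN_SCOPE, OUT_OF_SCOPE = 0, 2  # exit codes of `romp scope check`

# Networks no scope entry can unblock (IMDS 169.254.169.254 lives in the first).
ALWAYS_BLOCKED = [ipaddress.ip_network(n) for n in (
    "169.254.0.0/16", "127.0.0.0/8", "10.0.0.0/8", "172.16.0.0/12",
    "192.168.0.0/16", "::1/128", "fc00::/7", "fe80::/10",
)]


def pattern_matches(pattern, host):
    """Literal match, or '*.x' matching one or more labels under x (not x itself)."""
    pattern, host = pattern.lower().rstrip("."), host.lower().rstrip(".")
    if pattern.startswith("*."):
        return host.endswith(pattern[1:])  # ".x" suffix cannot match bare "x"
    return pattern == host


def check_target(target, program):
    """Return IN_SCOPE or OUT_OF_SCOPE for one program dict."""
    try:
        addr = ipaddress.ip_address(target)
    except ValueError:
        addr = None
    if addr is not None and any(addr in net for net in ALWAYS_BLOCKED):
        return OUT_OF_SCOPE  # hard block: in_scope cannot grant this
    if any(pattern_matches(p, target) for p in program.get("out_of_scope", [])):
        return OUT_OF_SCOPE  # deny wins over allow
    allowed = program.get("in_scope", [])
    if not allowed:
        return IN_SCOPE  # deny-list-only program
    return IN_SCOPE if any(pattern_matches(p, target) for p in allowed) else OUT_OF_SCOPE


def enforce(target, store):
    """Apply the active program; with none active only the hard blocks apply."""
    active = store.get("active")
    program = store["programs"][active] if active else {}
    return check_target(target, program)


def add_pattern(store, program, key, pattern):
    """Mirror of `romp scope add` / `romp scope deny` on the in-memory store."""
    entry = store.setdefault("programs", {}).setdefault(
        program, {"in_scope": [], "out_of_scope": []})
    if pattern not in entry[key]:
        entry[key].append(pattern)
    return store


def load_store(path):
    """Read the JSON store, returning an empty one if the file is missing."""
    try:
        with open(path) as f:
            return json.load(f)
    except FileNotFoundError:
        return {"active": None, "programs": {}}


# Constructed sample store, not a real program's scope.
SAMPLE_STORE = {"active": None, "programs": {}}
add_pattern(SAMPLE_STORE, "acme", "in_scope", "*.api.target.com")
add_pattern(SAMPLE_STORE, "acme", "in_scope", "shop.target.com")
add_pattern(SAMPLE_STORE, "acme", "out_of_scope", "staging.api.target.com")
SAMPLE_STORE["active"] = "acme"  # `romp scope use acme`

if __name__ == "__main__":
    for t in ("v1.api.target.com", "api.target.com", "legacy.target.com",
              "staging.api.target.com", "169.254.169.254"):
        print(t, "in scope" if enforce(t, SAMPLE_STORE) == IN_SCOPE else "OUT")
```

The order of checks in check_target is the point: the hard block runs before any scope lookup, so a program that lists 169.254.169.254 in in_scope still gets exit code 2, exactly as the paragraph above states.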
Exit codes
0 — success, no findings.
1 — findings present (CI gate). Use --no-fail to suppress.
2 — bad arguments / configuration.
3 — otter unreachable / not running.
4 — network error reaching target.
5 — target out of license scope.