The Pack

Eight otters and a guard dog. Each module is a small Node service on its own port. They share an alert bus so a finding from Red can trigger follow-up scans by Black or Blue automatically. The guard dog (Cyber Guard Dog) does cross-otter orchestration and produces the full-system report.

Red Otter — Recon

External-facing. DNS, SSL/TLS, headers, HTTP fingerprinting, IP/ASN, ping, traceroute, port scan, subdomain enum, subdomain takeover, CVE map, Wayback ingest, LAN discovery.

port 4000 · 22 endpoints

Blue Otter — DAST

Crawl + form scan, CORS, methods, redirects, info-disclosure, JS bundle secrets, GraphQL introspection, rate-limit testing.

port 4600 · 11 endpoints

Yellow Otter — Web fuzzing

Parameter fuzzing, header fuzzing, request mutation. Pairs with Blue for coverage.

port 4300 · 11 endpoints

Black Otter — Pentest

Active exploitation probes. SQLi, XSS, command injection, path traversal, directory enumeration, credential brute force, JWT analysis, header injection, SSTI, TLS active probes.

port 4200 · 14 endpoints

White Otter — Triage

Aggregates findings from every offensive otter into a single alerts feed. Severity scoring, dedup, HackerOne / Bugcrowd-format markdown export.

port 4400 · 9 endpoints

Grey Otter — Host audit

Local system audit. OS hardening, user/SSH/cron/firewall/sysctl checks, file permissions, service inventory, package CVEs.

port 4500 · 13 endpoints

Green Otter — Runtime monitor

Background watch. New SUID binaries, world-writable file appearances, SSH config drift, suspicious process trees, login attempts.

port 4700 · 12 endpoints

Orange Otter — Forensics

File-hash baselining, drift detection, encrypted backup (AES-256-GCM), rollback to known-good.

port 4800 · 11 endpoints

Cyber Guard Dog — Orchestration

Cross-otter orchestration. Runs a full-system scan on schedule, produces the unified report, watchdogs the otters themselves.

port 4100 · ~20 endpoints

How they talk

Each otter listens on its own loopback port. The romp-core shared library handles HTTP between them — every otter knows where the others are via /etc/romp/romp.json. When Red finds a CVE, it fires an alert on the bus; White's subscriber picks it up, scores severity, and queues follow-up probes by Black or Blue.

How they fail

Otters run under the systemd template romp@.service; a crashed otter restarts in 5s. The guard dog notices repeated flapping and surfaces it on the dashboard. There's no shared state between otters except the alert bus, so one going down doesn't take the rest with it.

Self-fetch gotcha

When otters call each other, they need to forward X-API-Key. Romp-core's otterFetch() handles this, but if you're writing a custom otter, remember to include the header yourself. Without it the call comes back as a 401, and because parsers silently fall through on 401 JSON, the response will look canned instead of failing.
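An added example (not romp-core code, and not its otterFetch() implementation) of how a custom otter can avoid this gotcha: it refuses to send a call without X-API-Key and checks the HTTP status before parsing, shown beside the lenient parser that produces the canned-looking result. The function names, the `{ findings: [...] }` and `{ error: ... }` response shapes, and the sample bodies are assumptions made for illustration.

```javascript
// Hypothetical helpers for a custom otter; names and response shapes are assumed.

// Build headers for an otter-to-otter call; refuse to send without a key.
function otterHeaders(apiKey) {
  if (typeof apiKey !== 'string' || apiKey.length === 0) {
    throw new Error('X-API-Key missing: refusing unauthenticated otter call');
  }
  return { 'X-API-Key': apiKey, Accept: 'application/json' };
}

// The failure mode: status is ignored, so a 401 JSON body parses cleanly and
// the missing field falls through to a default that reads as "no findings".
function lenientFindings(status, bodyText) {
  const body = JSON.parse(bodyText);
  return body.findings || [];
}

// Fail closed: check the status first, then require the expected field.
function strictFindings(status, bodyText) {
  if (status === 401 || status === 403) {
    throw new Error(`otter rejected the call (HTTP ${status}): check X-API-Key`);
  }
  if (status < 200 || status > 299) {
    throw new Error(`otter call failed (HTTP ${status})`);
  }
  const body = JSON.parse(bodyText);
  if (!Array.isArray(body.findings)) {
    throw new Error('unexpected response shape: no findings array');
  }
  return body.findings;
}

// Wrapper a custom otter could use; fetchImpl is injectable for testing.
async function callOtter(url, apiKey, fetchImpl = globalThis.fetch) {
  const res = await fetchImpl(url, { headers: otterHeaders(apiKey) });
  return strictFindings(res.status, await res.text());
}

// Constructed sample responses (not captured from a real otter).
const SAMPLE_401 = '{"error":"unauthorized"}';
const SAMPLE_200 = '{"findings":[{"id":"constructed-1","severity":"high"}]}';
```

With the lenient parser a 401 is indistinguishable from a clean scan, which is the worst outcome for a security tool; the strict version turns it into an error the guard dog or a log line can surface.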

Next

See API reference for every endpoint, or CLI cheatsheet for the user-facing commands that drive them.