Paste an indicator. Watch Claude investigate.
A Kali-native OSINT and pen-test operator console for cybercrime victims, attribution investigators, and authorised pen-test engagements. The whole stack — Next.js UI, Python MCP bridge, full Kali Linux toolkit, Flask backend — runs inside one Docker image. One docker run, one volume to back up, one OAuth token in Settings.
Drop any indicator into the paste bar — a wallet address, a domain, an email, a file hash, a phone number. Winter Soldier auto-detects the type, spawns a Claude Code CLI subprocess to investigate, and queues every newly-discovered IOC as a pending pivot for the operator to approve.
↳ each subprocess streams findings live via SSE; pivots fan out unbounded until depth caps hit
Each indicator type has its own prompt template, its own skill-augmented Claude workflow, and its own auto-pivot rules. The detector recognises them on paste; the dispatcher routes them automatically.
The Kali toolkit is always installed and always running inside the container. The toggle is a pure MCP-config switch: it decides which tools are registered with each new spawned investigator. Toggling is instantaneous — no container start, no compose dance, no healthcheck wait.
s6-overlay runs as PID 1 and supervises two long-running services. Per-investigator Claude Code CLI subprocesses spawn on demand inside the same container. The audited bearer-token boundary between the MCP bridge and Flask survives intact — just on loopback instead of host.docker.internal.
one command, anywheredocker run -d \ --name winter-soldier \ -p 3000:3000 \ -v winter-soldier-data:/data \ --cap-add NET_RAW --cap-add NET_ADMIN \ --device /dev/net/tun \ ghcr.io/flightxcaptain/winter-soldier:latest # open http://localhost:3000 # paste OAuth token in Settings → done.
Winter Soldier collapses what used to be four host prerequisites (Node, npm, Python 3, Docker Desktop) into one. The full Kali pentest toolkit, the OSINT investigator pipeline, the Settings UI, and the audited security boundary all live inside one image. The operator runs docker run, pastes a token, starts investigating.
Next.js on 0.0.0.0:3000, Kali Flask on 127.0.0.1:5000, Python MCP bridge as a loopback child, supervised by s6-overlay. One docker run, one volume to back up.
Wallet, domain, URL, IP, email, phone, username, person, file hash, repository, CVE, package, tx-hash, onion — auto-detected and routed to the right investigator template.
Switches what tools investigators see. No docker compose dance. Mode applies to new pastes only; in-flight investigations keep whatever mode they were spawned with.
Inherited verbatim from the upstream zebbern-kali-mcp fork audit. Stripped arbitrary-shell tools. Bearer auth on every Flask request. /api/exec returns 403 regardless of caller.
Paste a year-long OAuth token into Settings. The container injects CLAUDE_CODE_OAUTH_TOKEN into every spawned investigator. No ANTHROPIC_API_KEY required.
OAuth token, auto-generated Kali bearer, audit logs, per-paste workspace, case files — every operator-state artefact lives under /data. Container is otherwise immutable.
Each Claude Code subprocess gets its own MCP server registration in its scratch dir at spawn time. The operator's global Claude config is never touched.
Live SSE event stream — indicator detection, structured findings, tool-call chips, severity rollups, follow-up chat. Per-card abort + per-paste kill switches.
Every active-mode Kali tool invocation appended to /data/workspace/audit.jsonl. cases/ holds long-form material ready for law-enforcement handover.
YARA-X rule authoring for hash investigations. Chain-specific scanners for wallet pivots. Burp Suite parser for victim-supplied evidence. Skill-driven workflow upgrades per indicator type.
The image is an artefact, not a deploy script. Any host that accepts NET_RAW / NET_ADMIN / /dev/net/tun works. Operator state migrates with the volume.
Never scan anything you don't own or have written permission to test. No hack-back. No vigilantism. Investigate, document, hand to law enforcement.
The vendored Kali MCP fork ships with five Winter Soldier security patches applied before the bridge ever talks to Flask. They survive the unified-container consolidation byte-for-byte; the boundary just moved from host networking to container loopback.
zebbern_exec, exec_stream, send_input, read_output in mcp_tools/command_exec.py are removed. Only health and system_network_info survive from that module.
Both /api/exec and /api/command endpoints return 403 regardless of caller. Defense in depth: even if the MCP layer's patches were bypassed, the backend itself refuses to run arbitrary shell.
Flask refuses to start without WS_KALI_API_TOKEN set; every request from the MCP client carries the token in Authorization: Bearer …. The token is auto-generated on first boot and lives in /data/.config/kali-api-token (mode 600).
A _MODULE_CLASSIFICATION dict drives passive-vs-active loading. Passive mode filters every invasive module out at registration time — Claude literally cannot see those tools. Active mode logs every invocation to audit.jsonl.
Container always builds locally from the source pinned in REVIEWED_COMMIT.txt — never pulls GHCR latest. Upstream CI pushes on every main commit; that image may not match the code that was audited in this repo.
Winter Soldier bundles a full Kali Linux pentest stack with an AI investigator pipeline. It is a dual-use toolkit, and Alchatex does not license or sell it as an off-the-shelf product. There is no public download, no SaaS tenant, and no reseller channel.
Engagements are scoped per client, gated on demonstrated written authorisation to test the targets in question, and delivered as a private container build owned by the operator commissioning the work. Redistribution, sublicensing, or transfer of the image to third parties is not permitted under those terms.
The case study on this page exists so you can decide whether the capability fits the work you have. The artefact itself does not.
Whether you're responding to a phishing incident, helping a small business through a ransomware tail, hardening a stack before launch, or running an authorised pen-test engagement — let's talk about how Winter Soldier (or a tailored variant) fits.
