Rainbow Six Lab · 2026

Continuous AI Red Team.

Annual pentests don't ship at the speed of your release cycle. Adversaries are already automated. We run a continuous AI red team against your real attack surface and deliver findings the day they appear.


Why continuous

Surfaces drift weekly.

New MCP servers, new OAuth metadata endpoints, new dangling CNAMEs, new staging subdomains in CT logs. Your last pentest is stale within days of shipping.

Red team cost collapsed.

A surface that took a consultant a week to map costs a frontier model under an hour. The economics of "scan once a year" no longer make sense.

OPFOR is automated.

The opposition force already runs the same models you do. The only defense that keeps pace is a defender running them in parallel, full-time, against your specific surface.

How it works

  1. Ideate.

    Frontier models generate candidate finding classes across your stack. A cheap-model pre-filter culls duplicates and known noise before any external request fires.

  2. Probe.

    Read-only scans validate candidates against your real surface. Twenty deterministic checks today; the catalog expands per engagement to the surfaces you actually run.

  3. Triage.

    Findings ranked by exploitability, blast radius, and signal-to-noise. False positives killed inside the loop, not in your inbox.

  4. Report.

    Verified findings, suggested fixes, and reproduction steps delivered directly to your security team. Every report is defensible from on-disk evidence.

The stack

What we won't claim. We don't list customer logos before customers consent. We don't quote payouts before triage completes. We're a young firm operating with a research-lab discipline; the receipts we cite are on-disk and we'll show you the directory tree on request.

Contact

Engagement inquiries: john@rainbowsix.dev
Coordinated disclosure of a finding against us: same address.