Quick Deploy

Prerequisites, IAM setup, and your first terraform apply in minutes.

Architecture

Understand the dual-VPC design, VPC peering, and traffic flow.

C2 Frameworks

Configure Mythic, Sliver, and Havoc to call back through the redirector.

Terraform Reference

Full variable reference for customizing your deployment.

What is redStack?

redStack is a Boot-to-Breach red team lab environment that removes the infrastructure burden so you can focus on learning. A single terraform apply deploys a fully configured, production-style red team setup on AWS:
  • Three C2 frameworks — Mythic, Sliver, and Havoc pre-installed and ready
  • Apache redirector — header validation, URI-based routing, and automated scanner blocking
  • Dual-VPC isolation — C2 servers have no public IPs; all traffic flows through the redirector via VPC peering
  • Browser-based access — Apache Guacamole portal with pre-configured SSH and RDP connections
  • Windows operator workstation — Windows Server 2022 with Chromium, VS Code, MobaXterm, and 7-Zip
  • OpenVPN support — connect to HTB, VulnLab, and PG Pro Lab networks directly from the lab
redStack is strictly for authorized training and lab environments (HTB, VulnLab, Proving Grounds, self-hosted cyber ranges, personal lab VMs). It is not intended for use in real-world engagements or against systems you do not own with explicit written permission.

How it works

[ Operator ] ──HTTPS/SSH──► Guacamole (public EIP)

                    ┌───────────────┼───────────────┐
                    │               │               │
                 Mythic          Sliver           Havoc
                (internal)      (internal)      (internal)
                    │               │               │
                    └───────────────┴───────────────┘
                                    │ VPC Peering
                             Redirector VPC
                        Apache :80/:443 (public EIP)
                          X-Request-ID validation
                          URI prefix routing
                          Scanner/AV blocking

                            Public Internet
                           [Target / Implant]
Implants call back to the redirector’s public IP (or your domain) over HTTP/HTTPS. Apache validates the X-Request-ID header and URI prefix, then proxies valid traffic through VPC peering to the appropriate C2 server. Requests without a valid header receive a decoy CloudEdge CDN maintenance page.

AWS cost awareness

AWS TOS: Hosting C2 infrastructure on AWS may be subject to the AWS Acceptable Use Policy. Review the AUP and submit the AWS Penetration Testing request form before deploying. Consider using a dedicated, single-purpose throwaway AWS account.
Running EC2 instances incur charges 24/7. Set a billing alarm and run terraform destroy when you finish a training session. See Cost Management for details.

Get started

1. Check prerequisites: Install AWS CLI and Terraform, create an IAM user, and generate your SSH key pair. Prerequisites →
2. Configure variables: Copy terraform.tfvars.example and set your public IP, SSH key name, and optional domain. Variables →
3. Deploy: Run terraform init, terraform plan, and terraform apply. Infrastructure deploys in ~10 minutes. Deploy →
4. Verify and configure: Access Guacamole, obtain an SSL certificate, and verify all C2 backends are reachable. Verify →
5. Start hacking: Generate your first C2 payload, get a callback through the redirector, and confirm the full chain works. Mythic → · Sliver → · Havoc →