whatisgithub

What is havoc?

havocframework/havoc — explained in plain English

Analysis updated 2026-06-24

8,352GoAudience · ops devopsComplexity · 4/5Setup · hard

In one sentence

An open-source red team command-and-control framework with a GUI client, a Go team server, and a C/assembly agent (Demon) for simulating attacker post-exploitation activity during authorized security assessments.

Mindmap

mindmap
  root((Havoc))
    What it does
      Red team C2
      Post-exploitation
    Components
      Teamserver
      Qt GUI client
      Demon agent
    Features
      SMB pivoting
      Token management
      Python extensions
    Platform
      Linux server
      Windows target
Click or tap to explore — scroll the page freely

Code map

Detail Auto

An interactive map of this repo's files and how they connect — its source is parsed live in your browser. Click Visualize to build it.

filefunction / class

What do people build with it?

USE CASE 1

Run a red team engagement with multiple operators sharing one team server to simulate coordinated attacker activity.

USE CASE 2

Test whether your organization's endpoint detection tools catch common post-exploitation techniques using the Demon agent.

USE CASE 3

Extend the framework with custom Python API modules for specific evasion or automation scenarios.

USE CASE 4

Simulate lateral movement through a network using Demon's SMB pivoting and token impersonation features.

What is it built with?

GoCC++QtPythonAssembly

How does it compare?

havocframework/havoccharmbracelet/bubblesandlabs/ui
Stars8,3528,3538,359
LanguageGoGoGo
Setup difficultyhardeasymoderate
Complexity4/52/53/5
Audienceops devopsdeveloperdeveloper

Figures from each repo's GitHub metadata at analysis time.

How do you get it running?

Difficulty · hard Time to first run · 1day+

Requires Debian/Ubuntu/Kali Linux for the teamserver, Qt 6, Python 3.10, and a separate Windows test target to deploy the Demon agent.

So what is it?

Havoc is an open-source command and control framework used in offensive security and red team engagements. Security professionals use tools like this to simulate what an attacker would do after gaining initial access to a target network, helping organizations understand and test their defenses. The framework has three main parts. The teamserver is the central server component, written in Go, that multiple operators can connect to simultaneously. It handles incoming connections from compromised machines, generates payloads, and manages communication channels over HTTP and HTTPS. The client is a desktop application with a graphical interface, built with C++ and Qt, that the security operator uses to interact with the teamserver and see what is happening across all active sessions. The third part is called Demon, an agent written in C and assembly that runs on the target system and communicates back to the teamserver. Demon includes a range of post-exploitation capabilities: running commands on target machines, managing authentication tokens, communicating through other compromised machines via SMB, and various techniques designed to avoid detection by security monitoring tools. The framework is described by its author as designed to be modular and configurable rather than optimized for any specific evasion technique out of the box, with the idea that operators extend it for their own needs. Extensibility is built in through a Python API, a custom modules system, and support for plugging in third-party agents beyond Demon. The teamserver runs best on Debian, Ubuntu, or Kali Linux and requires a modern version of Qt and Python 3.10 to build. Documentation lives in the project wiki and on the official website.

Copy-paste prompts

Prompt 1
Walk me through setting up Havoc's teamserver on Debian with HTTPS listeners, then connecting the Qt client and deploying a Demon agent to a test Windows VM.
Prompt 2
Write a Havoc Python API extension that automates credential harvesting via token impersonation and logs all results to a local file.
Prompt 3
Generate a red team engagement checklist using Havoc: from initial Demon deployment through lateral movement to reaching the objective, with operator notes for each stage.
Prompt 4
Explain how Havoc's Demon agent communicates over HTTP/HTTPS in a way that security monitoring tools may not flag as suspicious.

Frequently asked questions

What is havoc?

An open-source red team command-and-control framework with a GUI client, a Go team server, and a C/assembly agent (Demon) for simulating attacker post-exploitation activity during authorized security assessments.

What language is havoc written in?

Mainly Go. The stack also includes Go, C, C++.

How hard is havoc to set up?

Setup difficulty is rated hard, with roughly 1day+ to a first successful run.

Who is havoc for?

Mainly ops devops.

Open on GitHub → Ask about another repo

This repo across BitVibe Labs

Verify against the repo before relying on details.