Choosing a mode
When you first open Legion, you pick either Red Team or Blue Team mode. This sets which tool categories and workflows are surfaced by default. You can switch modes at any time using the toggle in the top right of the app.
Red Team
- 69 offensive tools
- Recon, scanning, exploitation
- Web app attacks
- Post-exploitation and lateral movement
- Password cracking and credential attacks
- Wireless and network attacks
Blue Team
- 17 defensive tools
- Digital forensics and incident response
- Threat hunting
- Detection engineering
- Log analysis and triage
- Artifact examination
Switching modes
The mode toggle is in the top right corner of the app. Click it to switch between red and blue at any point. You don't need to restart or create a new task. The tool categories shown in the sidebar update immediately to match the selected mode.
Which mode to use
If you're running a penetration test or simulating an attack, use Red Team mode. If you're investigating an incident, hunting for threats on a network, or doing defensive analysis, use Blue Team mode.
Some users run both during a task. For example, you might start in Red Team mode to simulate an attack, then switch to Blue Team to look at what the attack left behind.