
Red Team / Blue Team Mode

Choosing a mode

When you first open Legion, you pick either Red Team or Blue Team mode. This sets which tool categories and workflows are surfaced by default. You can switch modes at any time using the toggle in the top right of the app.

Red Team

  • 69 offensive tools
  • Recon, scanning, exploitation
  • Web app attacks
  • Post-exploitation and lateral movement
  • Password cracking and credential attacks
  • Wireless and network attacks

Blue Team

  • 17 defensive tools
  • Digital forensics and incident response
  • Threat hunting
  • Detection engineering
  • Log analysis and triage
  • Artifact examination

Switching modes

The mode toggle is in the top right corner of the app. Click it to switch between red and blue at any point. You don't need to restart or create a new task. The tool categories shown in the sidebar update immediately to match the selected mode.

Which mode to use

If you're running a penetration test or simulating an attack, use Red Team mode. If you're investigating an incident, hunting for threats on a network, or doing defensive analysis, use Blue Team mode.

Some users run both during a task. For example, you might start in Red Team mode to simulate an attack, then switch to Blue Team to look at what the attack left behind.

Switching modes does not affect your task data. Findings, loot, and the knowledge graph are preserved regardless of which mode you're in.