TantoC2 uses Flask-SocketIO for real-time event push to authenticated clients.
Connecting#
Connect via Socket.IO with a valid access token:
| |
Events are emitted server-wide to all authenticated clients connected to the same engagement.
Event Catalog#
| Event | Data | Trigger |
|---|---|---|
agent_registered | {agent_id, package} | New agent registers |
agent_checkin | {agent_id} | Agent checks in |
agent_killed | {agent_id} | Kill command sent |
task_completed | {task_id, agent_id} | Agent returns final task result |
task_streaming_result | {task_id, agent_id} | Agent returns intermediate result from long-running module |
module_execution_started | {task_id, module_name, agent_id} | Module queued |
build_completed | {build_id, package_name, template_name, binary_hash} | Build finishes |
agentless_execution_started | {execution_id, module_name, operation} | Tools operation begins |
agentless_execution_completed | {execution_id} | Tools operation finishes |
file_transfer_initiated | {transfer_id, agent_id, direction, remote_path} | Transfer starts |
file_transfer_completed | {transfer_id, agent_id} | Transfer finishes |
p2p_link_created | {relay_agent_id, interior_agent_id} | P2P relay link established |
session_output | {session_id, data} | Interactive tools session output |
security_alert | {event_type, details} | Security-flagged event |
Usage in Python Client#
| |
Security Events#
The security_alert event is emitted for security-flagged audit entries:
- Failed login attempts
- Force-logout operations
- Token revocations
These appear with visual emphasis in both the CLI event stream and the Web UI audit log.