• Important Disclaimer
• Quick Start
• Documentation
• Features
• Architecture
• Model Providers
• Observability
• Installation & Deployment
• Configuration
• Development & Testing
• Troubleshooting
• Contributing
• License

THIS TOOL IS FOR EDUCATIONAL AND AUTHORIZED SECURITY TESTING PURPOSES ONLY.

The React-based terminal interface is now the default UI, providing interactive configuration, real-time operation monitoring, and guided setup in all deployment modes.

The React terminal will automatically spawn the Python agent as a subprocess and guide you through configuration on first launch.

Complete User Guide - Detailed setup, configuration, operation modules, troubleshooting, and examples

Setup: Create .env file in project root with your configuration:

Example .env for LiteLLM:

Run assessments with the full observability stack:

Note: The .env file in the project root is automatically loaded by docker-compose.

The compose stack automatically provides:

• Langfuse observability at http://localhost:3000 (login: admin@cyber-autoagent.com / changeme)
• Persistent databases (PostgreSQL, ClickHouse, Redis, MinIO)
• Network access to challenge containers
• React terminal UI as the default interface

• User Guide - Complete usage, configuration, and examples
• Agent Architecture - Strands framework, tools, and metacognitive design
• Memory System - Mem0 backends, storage, and evidence management
• Observability & Evaluation - Langfuse tracing, Ragas metrics, and performance monitoring
• Deployment Guide - Docker, Kubernetes, and production setup
• Terminal Frontend - React interface architecture and event protocol
• Prompt Management - Module system and prompt loading

• Autonomous Operation: Conducts security assessments with minimal human intervention
• Intelligent Tool Selection: Automatically chooses appropriate security tools (nmap, sqlmap, nikto, etc.)
• Natural Language Reasoning: Uses Strands framework with metacognitive architecture
• Evidence Collection: Automatically stores findings with Mem0 memory (category="finding")
• Meta-Tool Creation: Dynamically creates custom exploitation tools when needed
• Adaptive Execution: Metacognitive assessment guides strategy based on confidence levels
• Assessment Reporting: Generates comprehensive reports with findings and remediation
• Swarm Intelligence: Deploy parallel agents with shared memory for complex tasks
• Real-Time Monitoring: React interface displays live agent reasoning and tool execution
• Observability: Built-in Langfuse tracing and Ragas evaluation metrics

Full Architecture Guide - Complete technical deep dive into Strands framework, tools, and metacognitive design

Key Components:

• User Interface: React-based terminal interface or command-line with target and objective specification
• Agent Core: Strands framework orchestration with metacognitive reasoning and tool selection
• AI Models: GenAI tool use models (AWS Bedrock remote) or local models (Ollama)
• Security Tools: Pentesting tools (nmap, sqlmap, nikto, metasploit, custom tools, etc.)
• Evidence Storage: Persistent memory with FAISS, OpenSearch, or Mem0 Platform backends
• Observability: Real-time tracing with Langfuse and automated evaluation with Ragas metrics

Enhanced Execution Pattern:

• Real-time Monitoring: Every action traced for complete visibility
• Intelligent Analysis: Agent continuously analyzes situation using metacognitive reasoning
• Dynamic Tool Selection: Chooses appropriate tools based on confidence and findings
• Evidence Collection: All discoveries stored in persistent memory with categorization
• Immediate Exploitation: Critical vulnerabilities trigger immediate exploitation attempts
• Automated Evaluation: System scores tool selection, evidence quality, and methodology
• Report Generation: Final analysis combines findings with performance metrics

Metacognitive Process:

Design Philosophy: Meta-Everything Architecture

At the core of Cyber-AutoAgent is a "meta-everything" design philosophy that enables dynamic adaptation and scaling:

• Meta-Agent: The swarm capability deploys dynamic agents as tools, each tailored for specific subtasks with their own reasoning loops
• Meta-Tooling: Through the editor and load_tool capabilities, the agent can create, modify, and deploy new tools at runtime to address novel challenges
• Meta-Learning: Continuous memory storage and retrieval enables cross-session learning, building expertise over time
• Meta-Cognition: Self-reflection and confidence assessment drives strategic decisions about tool selection and approach

This meta-architecture allows the system to transcend static tool limitations and evolve its capabilities during execution.

Process Flow:

• Assess Confidence: Evaluate current knowledge and confidence level (High >80%, Medium 50-80%, Low <50%)
• Adaptive Strategy:
  • High confidence: Use specialized tools directly
  • Medium confidence: Deploy swarm for parallel exploration
  • Low confidence: Gather more information, try alternatives
• Execute: Tool hierarchy based on confidence:
  • Specialized security tools for known vulnerabilities (sqlmap, nikto, nmap)
  • Swarm deployment when multiple approaches needed (with memory access)
  • Parallel shell for rapid reconnaissance (up to 7 commands)
  • Meta-tool creation only when no existing tool suffices
• Learn & Store: Store findings with category="finding" for memory persistence

Tool Selection Hierarchy (Confidence-Based):

1. Specialized cyber tools (sqlmap, nikto, metasploit) - when vulnerability type is known
2. Swarm deployment - when confidence <70% or need multiple perspectives (includes memory)
3. Parallel shell execution - for rapid multi-command reconnaissance
4. Meta-tool creation - only for novel exploits when existing tools fail

Cyber-AutoAgent supports multiple model providers for maximum flexibility:

• Best for: Production use, high-quality results, no local GPU requirements
• Requirements: AWS account with Bedrock access
• Default Model: Claude Sonnet 4.5 (claude-sonnet-4-5-20250929-v1:0)
• Benefits: Latest models, reliable performance, managed infrastructure

• Best for: Privacy, offline use, cost control, local development
• Requirements: Local Ollama installation
• Default Models: qwen3-coder:30b-a3b-q4_K_M (LLM), mxbai-embed-large (embeddings)
• Benefits: No cloud dependencies, complete privacy, no API costs

• Best for: Multi-provider flexibility, unified interface
• Requirements: API keys for desired providers
• Supported: 100+ models from OpenAI, Anthropic, Cohere, Google, Azure, etc.
• Benefits: Switch providers easily, fallback support, unified API

Complete Observability & Evaluation Guide - Langfuse tracing, Ragas metrics, and automated performance evaluation

Cyber-AutoAgent includes built-in observability and evaluation using self-hosted Langfuse for tracing and Ragas for automated performance metrics. This provides complete visibility into agent operations and continuous assessment of cybersecurity effectiveness.

Observability (Langfuse):

• Complete operation traces: Every penetration test operation is traced end-to-end
• Tool execution timeline: Visual timeline of nmap, sqlmap, nikto usage
• Token usage metrics: Track LLM token consumption and costs
• Memory operations: Monitor agent memory storage and retrieval patterns
• Error tracking: Failed tool executions and error analysis

Evaluation (Ragas):

• Tool Selection Accuracy: How well the agent chooses appropriate cybersecurity tools
• Evidence Quality: Assessment of collected security findings and documentation
• Answer Relevancy: Alignment of agent actions with stated objectives
• Context Precision: Effective use of memory and tool outputs
• Automated scoring: Every operation receives performance metrics automatically

When running with Docker Compose, observability and evaluation are enabled by default:

Essential Environment Variables:

The system automatically evaluates four key metrics after each operation:

1. Tool Selection Accuracy (0.0-1.0): Strategic tool choice and sequencing
2. Evidence Quality (0.0-1.0): Comprehensive vulnerability documentation
3. Answer Relevancy (0.0-1.0): Alignment with security objectives
4. Context Precision (0.0-1.0): Effective use of previous findings

For production deployments, update security keys:

Complete Deployment Guide - Docker, Kubernetes, production setup, and troubleshooting

System Requirements

• Node.js: Version 20+ required for React CLI interface
• Python: Version 3.10+ for local installation
• Docker: For containerized deployments
• macOS Users: Xcode Command Line Tools required

React CLI Setup (Required for Interactive Mode)

Bedrock Provider

Note: Bearer token authentication is only supported with the native Bedrock provider. LiteLLM does not currently support AWS bearer tokens - use standard AWS credentials instead.

LiteLLM Provider (Universal Gateway)

LiteLLM supports 100+ model providers. Set the appropriate environment variables for your chosen provider:

Important: When using LiteLLM with Bedrock models, AWS bearer tokens (AWS_BEARER_TOKEN_BEDROCK) are NOT supported. Use standard AWS credentials only.

Ollama Provider

Unified Output Structure (default, enabled by CYBER_AGENT_ENABLE_UNIFIED_OUTPUT=true):

The unified structure organizes all artifacts under operation-specific directories with unique IDs (OP_YYYYMMDD_HHMMSS), making it easy to track and manage results from multiple assessment runs. All directories are created automatically.

Required Arguments:

• --objective: Security assessment objective
• --target: Target system/network to assess (ensure you have permission!)

Optional Arguments:

• --provider: Model provider - bedrock (AWS), ollama (local), or litellm (universal), default: bedrock
• --module: Security module - general (web apps) or ctf (challenges), default: general
• --iterations: Maximum tool executions before stopping, default: 100
• --model: Model ID to use (default: remote=claude-sonnet-4-5, local=qwen3-coder:30b-a3b-q4_K_M)
• --region: AWS region for Bedrock, default: us-east-1
• --verbose: Enable verbose output with detailed debug logging
• --confirmations: Enable tool confirmation prompts (default: disabled)
• --memory-path: Path to existing memory store to load past memories
• --memory-mode: Memory initialization mode - auto (loads existing) or fresh (starts new), default: auto
• --keep-memory: Keep memory data after operation completes (default: true)
• --output-dir: Custom output directory (default: ./outputs)

By default, the agent runs as a non-root user (cyberagent) for security. This limits the agent's ability to install additional tools on the fly during execution. If you need the agent to install packages dynamically, you can override this at container start:

Note: Running as root reduces security isolation but enables full system access for tool installation.

The agent uses a centralized configuration system defined in src/modules/config/. All settings can be customized through environment variables, with sensible defaults provided.

Recent Improvements:

• Modular architecture with organized agents/, config/, tools/, prompts/, and evaluation/ directories
• Langfuse prompt management for dynamic prompt loading and versioning
• Unified output structure for better organization (enabled by default)
• Standardized paths for logs, reports, and evidence collection
• Enhanced memory management with cross-operation persistence
• Dedicated report agent for improved report generation

Copy the example environment file and customize it for your needs:

The .env.example file contains detailed configuration options with inline comments for all supported features including model providers, memory systems, and observability settings. Key environment variables include:

• AWS_ACCESS_KEY_ID, AWS_SECRET_ACCESS_KEY, AWS_BEARER_TOKEN_BEDROCK, AWS_REGION for remote mode (AWS Bedrock)
• OLLAMA_HOST for local mode (Ollama)
• CYBER_AGENT_OUTPUT_DIR, CYBER_AGENT_ENABLE_UNIFIED_OUTPUT for output management
• LANGFUSE_PUBLIC_KEY, LANGFUSE_SECRET_KEY for observability
• MEM0_API_KEY or OPENSEARCH_HOST for memory backends

See .env.example for complete configuration options and usage examples.

This project uses uv for dependency management and testing:

Node.js Version

macOS Build Errors

Linux Build Errors

See Memory System Guide for complete backend configuration and troubleshooting

Ollama Server Not Running

Required Models Missing

Connection Errors

Docker Networking (Local Mode) Cyber-AutoAgent automatically detects the correct Ollama host for your environment:

Performance Issues

1. Fork the repository
2. Create a feature branch (git checkout -b feature/amazing-feature)
3. Commit your changes (git commit -m 'Add amazing feature')
4. Push to the branch (git push origin feature/amazing-feature)
5. Open a Pull Request

This project is licensed under the MIT License - see the LICENSE file for details.

This tool is provided for educational and authorized security testing purposes only. Users are solely responsible for ensuring they have proper authorization before testing any systems. The authors assume no liability for misuse or any damages that may result from using this software.

• Strands Framework - Agent orchestration & swarm intelligence
• AWS Bedrock - Foundation model access
• Ollama - Local model inference
• Mem0 - Advanced memory management with FAISS/OpenSearch/Platform backends

Remember: With great power comes great responsibility. Use this tool ethically and legally.