DEV.co
Open-Source Security · CyberStrikeus

CyberStrike

CyberStrike is an open-source AI agent that automates penetration testing by combining large language models (Claude, GPT, etc.) with offensive security frameworks (MITRE ATT&CK, OWASP, CIS Benchmarks). It runs as a terminal-based tool that orchestrates reconnaissance, vulnerability discovery, and exploitation autonomously.

Source: GitHub — github.com/CyberStrikeus/CyberStrike
1.1k
GitHub stars
185
Forks
TypeScript
Primary language
AGPL-3.0
License (OSI-approved)

Key facts

Objective fields from the source. Values we can't verify are shown as “Unknown” rather than guessed.

FieldValue
RepositoryCyberStrikeus/CyberStrike
OwnerCyberStrikeus
Primary languageTypeScript
LicenseAGPL-3.0 — OSI-approved
Stars1.1k
Forks185
Open issues18
Latest releasev1.1.15 (2026-06-30)
Last updated2026-07-07
Sourcehttps://github.com/CyberStrikeus/CyberStrike

What CyberStrike is

TypeScript-based security automation agent that abstracts 15+ LLM providers through a standardized intelligence layer, applying OWASP WSTG, MITRE ATT&CK tactics, and CIS controls via specialized agents. Supports remote execution via Bolt, MCP ecosystem integration, and offline operation via Ollama/LM Studio.

Quickstart

Get the CyberStrike source

Clone the repository and explore it locally.

terminalbash
git clone https://github.com/CyberStrikeus/CyberStrike.gitcd CyberStrike# follow the project's README for install & configuration

Need it deployed, integrated, or customized instead? DEV.co ships production installs.

Best use cases

Budget-constrained red-team automation

Leverages existing Claude or GPT subscriptions to power autonomous pentest workflows without separate security tool licensing. Reduces per-engagement infrastructure cost for startups and mid-market security teams.

Multi-framework compliance testing

Integrates OWASP, MITRE ATT&CK, CIS Benchmarks, and NIST guidance in one agent. Teams needing to validate against multiple standards simultaneously can orchestrate cross-framework testing from a single interface.

Distributed remote pentesting

Bolt enables command-and-control of security tools across multiple remote servers with Ed25519 key authentication. Useful for internal security teams testing geographically distributed infrastructure without centralizing tools.

Implementation considerations

  • LLM subscription required (Anthropic, OpenAI, or equivalent); CyberStrike reuses existing plan but token consumption during runs should be monitored and budgeted.
  • Requires Node.js/TypeScript runtime and npm package management; air-gapped deployments need pre-built artifacts and vendored dependencies.
  • Autonomous agent operates with privileges of execution context; restrict to sandbox/test environments or use Bolt with segregated remote servers to prevent production impact.
  • Output schema normalization across LLM providers adds abstraction layer; model hallucinations can still produce invalid security findings—operator should validate high-risk recommendations before acting.
  • 13+ specialized agents delegate behavior; ensure team understands which agent runs for target domain (web vs. cloud vs. mobile) to align findings with actual testing scope.

When to avoid it — and what to weigh

  • Enterprise need for commercial indemnity — AGPL-3.0 license requires source disclosure and creates copyleft obligations. Organizations needing vendor-backed liability coverage or proprietary tool stacking should require legal review before deployment.
  • Closed-network, air-gapped environments without pre-staging — While offline LLM support exists (Ollama, LM Studio), initial setup and npm dependency resolution require internet access. Pre-staging and custom builds needed for truly disconnected environments.
  • Regulatory environments requiring tool audit trails and certified controls — Project matures rapidly (v1.1.15 as of July 2026) but lacks documented SOC 2, FedRAMP, or formal security assessment. Regulated industries (finance, healthcare, government) may require vendor attestations not provided.
  • Organizations unfamiliar with LLM limitations and hallucination risk — Autonomous agent execution without human-in-the-loop review increases risk of false positives, incorrect remediation guidance, or unintended system state changes. Requires security-aware operators.

License & commercial use

AGPL-3.0 (GNU Affero General Public License v3.0). This is a strong copyleft license that requires source code disclosure to any users and mandates any derived work or network-accessible modification also be open-sourced under AGPL-3.0 terms.

AGPL-3.0 permits commercial use but enforces strict obligations: (1) any modifications or derivative work must be released under AGPL-3.0; (2) network access triggers source disclosure requirements; (3) integrating into proprietary products likely requires source release or separate licensing. Organizations embedding CyberStrike into commercial offerings should consult legal counsel. Vendor does not appear to offer commercial licensing alternative. Use for internal pentesting (non-network-exposed, no derivative distribution) is straightforward; SaaS/hosted deployment requires full source availability.

DEV.co evaluation signals

Editorial assessment — not user reviews. Directional, with an explicit confidence level.

SignalAssessment
MaintenanceActive
DocumentationAdequate
License clarityClear
Deployment complexityModerate
DEV.co fitGood
Assessment confidenceHigh
Security considerations

No security audit, CVE history, or formal threat model provided. Autonomous pentesting agent executing on live systems poses risk: (1) LLM hallucinations may generate invalid or dangerous payloads; (2) privilege escalation at execution context; (3) network segmentation required to prevent lateral movement; (4) tool orchestration may trigger unintended system state changes. AGPL-3.0 source availability enables community review but does not guarantee secure design. Use Bolt remote execution to isolate tooling from production. Validate LLM-generated findings independently before acting. No mention of rate-limiting, audit logging, or compliance controls for regulated use.

Alternatives to consider

Metasploit Pro (commercial) / Metasploit Community (open-source)

Mature, battle-tested pentesting framework with extensive exploit modules and established community. Lacks integrated LLM-driven autonomous agent but offers superior tool maturity and commercial support. Steeper learning curve.

Burp Suite (Professional/Enterprise)

Industry-standard web app security scanner with active scanning, API testing, and Burp Copilot (LLM integration). Proprietary, expensive, focused on web apps. No autonomous multi-domain orchestration like CyberStrike.

Nuclei (open-source, Apache 2.0)

Template-driven vulnerability scanner for web and infrastructure. Permissive license, no copyleft obligations. Lacks autonomous agent and LLM orchestration; community maintains template library. Lower abstraction than CyberStrike but easier to integrate into CI/CD.

Software development agency

Build on CyberStrike with DEV.co software developers

Review licensing, LLM provider integration, and remote execution architecture with your legal and security teams. Prototype in a test environment with Ollama or your existing Claude/GPT subscription before production adoption.

Talk to DEV.co

Related open-source tools

Surfaced by semantic similarity across the DEV.co open-source index.

CyberStrike FAQ

Can I use CyberStrike for commercial pentesting and resell results?
AGPL-3.0 permits commercial use of the tool itself for internal pentesting. However, if you modify CyberStrike or offer it as a hosted/SaaS service, you must release source code under AGPL-3.0. Selling pentesting reports (tool output) is generally allowed if you do not distribute the modified tool. Consult legal counsel for your specific model.
Does CyberStrike require internet access?
Initial npm installation and CLI first-run setup require internet. LLM provider communication requires internet by default. Offline operation is possible via Ollama or LM Studio (self-hosted LLMs), but dependency resolution and updates still need internet staging. Air-gapped deployments require pre-built artifacts.
What happens if the LLM generates a malicious payload or wrong exploitation command?
CyberStrike's intelligence layer provides schema normalization and context guards but does not eliminate LLM hallucination. Output validation and operator review are required before executing high-risk actions. Use Bolt remote servers to isolate execution from critical infrastructure. This is an autonomous agent risk, not a bug—operator judgment is mandatory.
How is CyberStrike different from simply prompting Claude or GPT directly?
CyberStrike injects domain-specific context (OWASP, MITRE ATT&CK, CIS frameworks) into every LLM interaction, normalizes output across 15+ providers, chains multi-step attacks intelligently, and provides agent specialization (web, cloud, mobile, etc.). Direct LLM prompting lacks methodology grounding, tool orchestration, and cross-provider abstraction.

Custom software development services

DEV.co is a software development agency delivering custom software development services to companies building on open source. Our software developers and web developers design, integrate, and ship production systems — spanning web development, APIs, AI, data, and cloud. If CyberStrike is part of your open-source security roadmap, our team can implement, customize, migrate, and maintain it.

Evaluate CyberStrike for Your Offense Security Workflow

Review licensing, LLM provider integration, and remote execution architecture with your legal and security teams. Prototype in a test environment with Ollama or your existing Claude/GPT subscription before production adoption.