explaingit

purpleailab/decepticon

Analysis updated 2026-07-03

Stars: 3,691 | Language: Python | Audience: ops devops | Complexity: 4/5 | Setup: moderate

TLDR

An AI-powered autonomous red team agent that simulates realistic multi-stage cyberattacks, from reconnaissance to lateral movement, inside an isolated sandbox, for authorized security testing.

Mindmap

mindmap
  root((decepticon))
    What it does
      Autonomous red team
      Realistic attack chains
    Attack phases
      Reconnaissance
      Exploitation
      Privilege escalation
      Lateral movement
    AI agents
      Orchestrator
      AD specialist
      Cloud specialist
      Binary reversing
    Setup
      Docker Compose
      Kali sandbox
      Web dashboard port 3000
    Model support
      Anthropic Claude
      OpenAI GPT
      Local Ollama


What do people build with it?

USE CASE 1

Run a full authorized attack simulation against a target network, from initial reconnaissance through privilege escalation, without manually chaining tools.

USE CASE 2

Generate a MITRE ATT&CK-mapped operation plan before each engagement so every action stays within defined rules of engagement.

USE CASE 3

Test Active Directory, cloud environments, or smart contract security using specialist agents purpose-built for each domain.

USE CASE 4

Use the local web dashboard to monitor attack progress in real time while the orchestrator agent coordinates 16 specialist sub-agents.

What is it built with?

Python, Docker, Kali Linux, Metasploit

How does it compare?

| | purpleailab/decepticon | camelot-dev/camelot | openai/glide-text2im |
|---|---|---|---|
| Stars | 3,691 | 3,691 | 3,690 |
| Language | Python | Python | Python |
| Setup difficulty | moderate | easy | easy |
| Complexity | 4/5 | 2/5 | 3/5 |
| Audience | ops devops | data | researcher |

Figures from each repo's GitHub metadata at analysis time.

How do you get it running?

Difficulty: moderate. Time to first run: 30min.

Requires Docker and Docker Compose. You must supply at least one AI provider API key and have authorized access to any system you target.

Apache 2.0: use freely for any purpose, including commercial, as long as you include the license and copyright notice.

In plain English

Decepticon is an autonomous agent designed for red team security work, meaning it simulates real attacks on computer systems to find vulnerabilities before malicious actors do. It is built for security professionals who have authorization to test the systems they target.

Unlike simpler security tools that run a port scan and produce a report, Decepticon executes realistic attack chains the way a human attacker would. This includes reconnaissance (gathering information about a target), exploitation (taking advantage of vulnerabilities), privilege escalation (gaining broader access), lateral movement (spreading across a network), and command-and-control operations.

Before any attack action, Decepticon generates planning documents: rules of engagement, an operation plan, deconfliction guidelines, and a MITRE ATT&CK mapping. All subsequent actions stay within those defined boundaries.

The system uses 16 specialist AI agents, each responsible for a different phase or domain. An orchestrator agent coordinates overall strategy, while others handle specific tasks like Active Directory attacks, cloud environments, smart contract exploitation, and binary reverse engineering. Each agent receives a fresh context window per objective so earlier steps do not pollute later reasoning.

Technical setup requires Docker and Docker Compose. Installation runs from a single command, and the tool starts as a combination of a terminal CLI and a local web dashboard at port 3000. All attack tool execution happens inside a Kali Linux sandbox on a dedicated network segment, isolated from the management services. Interactive security tools like Metasploit run inside persistent terminal sessions so the agent can issue follow-up commands without workarounds.

Model support is flexible and tier-based. You can configure Anthropic, OpenAI, Google Gemini, DeepSeek, Mistral, local models via Ollama, or several subscription OAuth providers, and the system builds a priority fallback chain from whatever credentials you provide.

The project is Apache 2.0 licensed and has a Korean-language README in addition to the English one.

Copy-paste prompts

Prompt 1
I'm running an authorized red team engagement with Decepticon. Help me write the rules of engagement and operation plan for a test targeting a small Active Directory environment.
Prompt 2
Explain the MITRE ATT&CK techniques that Decepticon would use for lateral movement after gaining initial access to a Windows network.
Prompt 3
I set up Decepticon with Docker Compose. Walk me through configuring it to use Claude as the primary model with a local Ollama model as the fallback.
Prompt 4
What Kali Linux tools does Decepticon run inside its sandbox for the reconnaissance phase, and how does the orchestrator agent decide which to use?

Frequently asked questions

What is decepticon?

An AI-powered autonomous red team agent that simulates realistic multi-stage cyberattacks, from reconnaissance to lateral movement, inside an isolated sandbox, for authorized security testing.

What language is decepticon written in?

Mainly Python. The stack also includes Docker and Kali Linux.

What license does decepticon use?

Apache 2.0: use freely for any purpose, including commercial, as long as you include the license and copyright notice.

How hard is decepticon to set up?

Setup difficulty is rated moderate, with roughly 30min to a first successful run.

Who is decepticon for?

Mainly ops devops.


Verify against the repo before relying on details.