CyberStrike is an AI-powered offensive security platform. We welcome contributions that make it a more powerful, reliable, and comprehensive security testing tool.
- Security agents — New specialist agents (e.g., API security, wireless, IoT)
- Security skills — OWASP test case knowledge, attack methodology guides
- Tool integrations — New security tool wrappers, MCP server tools
- Knowledge base — WSTG, MASTG, PTES, OSSTMM test case documentation
- Bug fixes — Crashes, incorrect behavior, edge cases
- Provider support — Additional LLM providers and models
- Performance — Faster tool execution, reduced token usage
UI changes, core architecture modifications, and new agent types must go through a design review with the core team. Open an issue first to discuss.
If you're unsure whether a PR would be accepted, look for issues labeled:
Note: PRs that ignore these guardrails will likely be closed.
- Bun 1.3+
- Docker (for Bolt/Kali MCP development)
git clone https://github.com/CyberStrikeus/CyberStrike.git
cd CyberStrike
bun install
bun dev
bun dev <directory> # Run in a specific directory
bun dev . # Run in the repo root
bun run --cwd packages/cyberstrike build --single
./packages/cyberstrike/dist/cyberstrike-<platform>/bin/cyberstrike
Replace <platform> with your platform (e.g., darwin-arm64, linux-x64).
| Package | Description |
|---|---|
| packages/cyberstrike | Core CLI — agents, tools, session, provider logic |
| packages/app | Web UI components (SolidJS) |
| packages/plugin | Plugin SDK (@cyberstrike-io/plugin) |
| knowledge/ | Security knowledge base (WSTG test cases) |
| .cyberstrike/skill/ | Security skills (methodology guides) |
| Server | Repo | Description |
|---|---|---|
| cloud-audit-mcp | badchars/cloud-audit-mcp | Cloud security audits — AWS/Azure/GCP |
| github-security-mcp | badchars/github-security-mcp | GitHub security posture — 39 tools |
| cve-mcp | badchars/cve-mcp | CVE intelligence — NVD/EPSS/KEV |
| osint-mcp | badchars/osint-mcp | OSINT recon — Shodan/VT/DNS/WHOIS |
Skills are markdown files that provide domain knowledge to agents. Create a new directory under .cyberstrike/skill/:
.cyberstrike/skill/your-skill-name/
SKILL.md # Methodology, checklists, tool commands
Reference it in an agent's skills array in packages/cyberstrike/src/agent/agent.ts.
Knowledge base files go under knowledge/. Follow the existing WSTG format:
knowledge/web-application/WSTG-CATEGORY/WSTG-CATEGORY-XX.md
Each file should include: objective, test description, tools, commands, and remediation.
- Create a system prompt: packages/cyberstrike/src/agent/prompt/your-agent.txt
- Register in packages/cyberstrike/src/agent/agent.ts as a native agent
- Configure permissions (bash, browser, read, grep, etc.)
- Add associated skills if applicable
MCP servers live in their own repos (see table above). Each tool needs:
- Tool definition with Zod input schema
- Implementation with proper error handling
- Category tagging for lazy loading
To contribute to an MCP server, open a PR in the relevant repo.
bun dev # Start CyberStrike TUI (development)
bun dev serve # Start headless API server
bun dev web # Start server + web interface
bun turbo typecheck # Run type checking across all packages
- Start the server: bun dev serve
- Start the web app: bun run --cwd packages/app dev
Run with Bun's inspector:
bun run --inspect=ws://localhost:6499/ --cwd packages/cyberstrike ./src/index.ts serve --port 4096
Or set export BUN_OPTIONS=--inspect=ws://localhost:6499/ for all invocations.
All PRs must reference an existing issue. Open an issue first describing the bug, feature, or security tool request. Use Fixes #123 or Closes #123 in your PR description.
- Keep PRs small and focused
- Explain the issue and why your change fixes it
- Verify your changes work and explain how
Follow conventional commit format:
- feat: — new feature or agent
- fix: — bug fix
- security: — new security tool, skill, or knowledge base content
- docs: — documentation changes
- chore: — maintenance, dependencies
- refactor: — code changes without behavior change
Optional scope: feat(agent):, fix(browser):, security(wstg):
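A pre-flight check for the two rules above (the issue reference and the conventional-commit subject), as an added example that is not part of the CyberStrike repository. The function names, the scope character set and the sample subjects are assumptions made for illustration.

```typescript
// Added example, not CyberStrike code: checks a PR subject and description.
const TYPES = ["feat", "fix", "security", "docs", "chore", "refactor"] as const
type CommitType = (typeof TYPES)[number]
type Subject = { type: CommitType; scope: string | undefined; summary: string }

// type, optional "(scope)", then ": " and a non-empty summary.
// The scope character set (lowercase, digits, hyphen) is an assumption.
const SUBJECT = /^([a-z]+)(?:\(([a-z0-9-]+)\))?: (\S.*)$/
// The two closing keywords this guide names, followed by an issue number.
const ISSUE_REF = /\b(?:fixes|closes) #\d+\b/i

const isCommitType = (value: string): value is CommitType =>
  (TYPES as readonly string[]).includes(value)

// Returns the parsed subject, or a string describing why it was rejected.
function parseSubject(message: string): Subject | string {
  // Only the first line is the subject; body lines are free-form.
  const subject = (message.split("\n")[0] ?? "").trimEnd()
  const match = SUBJECT.exec(subject)
  if (!match) return "subject must look like 'type(scope): summary'"
  const type = match[1] ?? ""
  if (!isCommitType(type)) return `unknown type '${type}', expected one of ${TYPES.join(", ")}`
  return { type, scope: match[2], summary: match[3] ?? "" }
}

// Collects every problem so a contributor sees them all in one run.
function preflight(subject: string, description: string): string[] {
  const parsed = parseSubject(subject)
  return [
    typeof parsed === "string" ? parsed : "",
    ISSUE_REF.test(description) ? "" : "description must reference an issue (Fixes #N or Closes #N)",
  ].filter((problem) => problem !== "")
}

// Constructed samples (subjects and issue numbers are made up).
const SAMPLES: [string, string][] = [
  ["security(wstg): add session fixation test case", "Closes #123"],
  ["feature: add wireless agent", "Adds a new agent."],
  ["fix(browser) handle closed tab", "Fixes #123"],
]
for (const [subject, description] of SAMPLES)
  console.log(subject, "->", preflight(subject, description))
```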
Long, AI-generated PR descriptions will be ignored. Write short, focused descriptions in your own words.
- Functions: Keep logic in a single function unless reuse is clear.
- Control flow: Avoid else statements.
- Error handling: Prefer .catch(...) over try/catch.
- Types: Use precise types, avoid any.
- Variables: Prefer const, avoid let.
- Naming: Concise, descriptive identifiers.
- Runtime: Use Bun APIs (Bun.file(), etc.) when applicable.
CyberStrike is designed for authorized security testing only. All contributions must:
- Support legitimate penetration testing and security research
- Not enable unauthorized access to systems
- Follow responsible disclosure practices
- Comply with applicable laws and regulations
Contributions that facilitate malicious use will be rejected.
This project uses vouch to manage contributor trust. The vouch list is in .github/VOUCHED.td.
- Vouched users are explicitly trusted contributors
- Denounced users are blocked (issues and PRs auto-closed)
- Everyone else can participate normally
Maintainers can manage the list by commenting vouch, denounce, or unvouch on any issue.
For new functionality, start with a design conversation. Open an issue describing the problem, your proposed approach, and why it belongs in CyberStrike. Wait for core team approval before opening a PR.
- Discord: Join the community
- X: @cyberstrike
- Website: cyberstrike.io