Project Chimera is an advanced agentic AI system designed for authorized security testing and diagnostic validation. It combines a modern Next.js dashboard frontend with a sophisticated multi-agent AI orchestration backend powered by LangChain and LangGraph, enabling automated, contextually-aware security assessments within sanctioned diagnostic environments.
The system is designed to simulate and validate enterprise security posture through authorized, automated workflows while maintaining strict operational security controls.
┌─────────────────────────────────────────────────────────────────┐
│ Frontend (Next.js 16) │
│ ┌──────────────────────────────────────────────────────────┐ │
│ │ Landing Page (Chimera) │ │
│ │ - Public portal for users │ │
│ │ - Authentication & signup │ │
│ │ - Feature showcase and how-it-works guide │ │
│ └──────────────────────────────────────────────────────────┘ │
│ ┌──────────────────────────────────────────────────────────┐ │
│ │ Admin Dashboard │ │
│ │ - Real-time threat visualization │ │
│ │ - Incident management & incident logs │ │
│ │ - Attack timeline and severity tracking │ │
│ │ - Live threat mapping and statistics │ │
│ └──────────────────────────────────────────────────────────┘ │
│ ┌──────────────────────────────────────────────────────────┐ │
│ │ API Integration Layer (Next.js API Routes) │ │
│ │ - /api/agent/* endpoints for backend communication │ │
│ │ - Real-time WebSocket connections │ │
│ └──────────────────────────────────────────────────────────┘ │
└─────────────────────────────────────────────────────────────────┘
HTTP/WebSocket
│
┌─────────────────────────────────────────────────────────────────┐
│ Backend (Python ML Orchestration) │
│ ┌──────────────────────────────────────────────────────────┐ │
│ │ Main Orchestrator (Chimera Agent Controller) │ │
│ │ - Coordinates multi-agent workflow │ │
│ │ - Enforces security validation checks │ │
│ │ - Manages execution timeline and state │ │
│ └──────────────────────────────────────────────────────────┘ │
│ ┌──────────────────────────────────────────────────────────┐ │
│ │ Multi-Agent System (LangGraph + DeepAgents) │ │
│ │ │ │
│ │ ┌─────────────────────────────────────────────────┐ │ │
│ │ │ External Reconnaissance Specialist │ │ │
│ │ │ - Shodan honeypot detection │ │ │
│ │ │ - Evasive latency-optimized scanning │ │ │
│ │ │ - TLS randomization for signature evasion │ │ │
│ │ └─────────────────────────────────────────────────┘ │ │
│ │ │ │
│ │ ┌─────────────────────────────────────────────────┐ │ │
│ │ │ Internal Reconnaissance Specialist │ │ │
│ │ │ - Environment type verification │ │ │
│ │ │ - Passive subnet topology mapping │ │ │
│ │ │ - Adjacent network node discovery │ │ │
│ │ └─────────────────────────────────────────────────┘ │ │
│ │ │ │
│ │ ┌─────────────────────────────────────────────────┐ │ │
│ │ │ Evasive Execution Agent │ │ │
│ │ │ - Dynamic payload mutation │ │ │
│ │ │ - Inter-node lateral movement (WinRM) │ │ │
│ │ │ - Fileless persistence (WMI) │ │ │
│ │ │ - Human-cadence execution timing │ │ │
│ │ │ - DLP & data exfiltration testing (DOH, DNS) │ │ │
│ │ └─────────────────────────────────────────────────┘ │ │
│ │ │ │
│ │ All sub-agents report results to Orchestrator │ │
│ └──────────────────────────────────────────────────────────┘ │
│ ┌──────────────────────────────────────────────────────────┐ │
│ │ Specialized Tool Library │ │
│ │ - shodanchecker: Shodan API integration │ │
│ │ - evasive_scan: Syn scanning with evasion │ │
│ │ - tls_randomizer: TLS fingerprint randomization │ │
│ │ - mutation_engine: Payload obfuscation │ │
│ │ - lotl_checker: Living-off-the-land detection │ │
│ │ - lateral_movement: WinRM inter-node access │ │
│ │ - persistance: WMI fileless persistence │ │
│ │ - internal_recon: Passive subnet mapping │ │
│ │ - evasive_execution: Human-cadence execution │ │
│ │ - exfiltration: DOH/DNS data exfiltration tests │ │
│ │ - cleanup: Autonomous log sanitization │ │
│ └──────────────────────────────────────────────────────────┘ │
│ ┌──────────────────────────────────────────────────────────┐ │
│ │ LLM Integration Layer │ │
│ │ - Primary: Groq (openai/gpt-oss-120b) │ │
│ │ - Fallback: Local Ollama integration │ │
│ │ - Temperature: 0.3 (deterministic, precise) │ │
│ └──────────────────────────────────────────────────────────┘ │
│ ┌──────────────────────────────────────────────────────────┐ │
│ │ State Management & Memory │ │
│ │ - InMemorySaver for session state │ │
│ │ - LangGraph checkpoint system │ │
│ │ - Thread-based execution isolation │ │
│ └──────────────────────────────────────────────────────────┘ │
└─────────────────────────────────────────────────────────────────┘
Target Infrastructure
(Authorized Diagnostic Servers)
- Framework: Next.js 16.2.1 with React 19.2.4
- Language: TypeScript 5
- Styling: Tailwind CSS 4 with PostCSS
- State Management: React hooks
- HTTP Client: Axios
- UI Components: Recharts for data visualization, Lucide React for icons
Landing Page (/app/page.tsx or /app/landing/page.tsx)
- Public-facing portal with hero section
- Feature showcase highlighting security capabilities
- How-it-works guide explaining the testing process
- Call-to-action banner
- Authentication: Sign In/Sign Up modal
- After successful authentication → redirects to IP entry page
IP Test Entry Page (Authenticated route)
- Secure input form for target IP address
- Validation and submission to backend
- Real-time status indicator during execution
- Polling/WebSocket connection for live updates
Admin Dashboard (/app/admin/dashboard/page.tsx)
-
Threat Incident Board: Real-time incident logging from agent execution
- Incident ID, target IP address, attack type, country of origin
- Severity levels: Critical, High, Medium, Low
- Protocol and timestamp tracking
-
Attack Timeline Chart: Time-series visualization of attack patterns
- Brute force attempts
- Exploit attempts
- Port scans
- 24-hour rolling window analysis
-
Geo-Threat Mapping: Geographic visualization of threats
- Country-level threat aggregation
- Latitude/longitude positioning
- Risk heat mapping
-
Recovery Metrics:
- Mean Time To Detect (MTTD)
- Mean Time To Respond (MTTR)
- Recovery point objectives (RPO)
- Test execution success rate
API Route Handler (/app/api/agent/route.ts)
- Single Responsibility: Accept target IP from authenticated user
- Backend Bridge: Forwards IP to Python orchestrator service
- Result Aggregation: Collects JSON response from agent execution
- Response Format: Returns structured telemetry payload to dashboard
App
├── Landing Page (/)
│ ├── Header (with navigation + Sign In button)
│ ├── Auth Modal (Sign In / Sign Up)
│ ├── Feature Showcase
│ ├── How-It-Works Section
│ └── CTA Banner
├── Auth Required Routes (Protected)
│ ├── IP Test Entry Page
│ │ ├── IP Input Form
│ │ ├── Validation
│ │ └── Execution Status
│ └── Admin Dashboard (/admin/dashboard)
│ ├── Incident Board
│ ├── Timeline Chart
│ ├── Geo-Threat Map
│ ├── Recovery Metrics
│ └── Statistics Cards
└── API Routes
└── /api/agent (POST: target IP → orchestrator)
- Language: Python 3.13+
- AI Orchestration: LangGraph 1.1.3, LangChain 1.2.13
- Agent Framework: DeepAgents 0.4.12
- LLM Provider: Groq API (openai/gpt-oss-120b) + Ollama fallback
- Network Tools: Scapy 2.7.0 (packet crafting, scanning)
- Security Assessment: Shodan SDK 1.31.0
- Remote Access: pywinrm 0.5.0 (WinRM lateral movement)
- Container Integration: Docker 7.1.0
- HTTP: curl-cffi for network requests
- Data Processing: NumPy/SciPy for analytics
1. Initialization Phase
chimera_agent.invoke(
messages=[{role: "user", content: "Target: {TARGET_IP}"}],
config={configurable: {thread_id: "chimera_sim_001"}}
)
2. Orchestrator Workflow (Defined in agent_orcheastrator.py)
-
Phase I: Call
recon-specialistagent- Run Shodan honeypot detection
- Perform evasive latency-optimized network scanning
- Detect deceptive infrastructure (abort if detected)
-
Phase II: Call
internal-recon-specialistagent- Verify environment type (physical vs. simulated)
- Passively map internal network topology
- Discover adjacent network nodes
-
Phase III: Call
evasive-execution-agentagent- Mutate payloads with dynamic obfuscation
- Verify inter-node administrative access
- Test DLP egress controls
- Validate configuration retention
-
Cleanup Phase: Execute autonomous cleanup
- Sanitize diagnostic logs
- Remove artifacts
- Clean up execution traces
3. Output Generation The orchestrator compiles a JSON telemetry payload with:
{
"status": "Simulation Complete",
"dashboard_metrics": {
"activeImplants": <int>,
"exfiltratedDataMB": <float>,
"honeyscore": <float>,
"attackSuccessRate": <float %>,
"overallRiskScore": <float>
},
"attack_graph": {
"nodes": [{id, label, type}],
"edges": []
},
"execution_timeline": [
{agent, tool_used, mitre_tactic_id, time_to_objective_seconds, action_result}
],
"failedExploits": [{target, reason}]
}Sub-Agent 1: External Reconnaissance Specialist
- Purpose: Map exposed perimeter infrastructure
- Tools:
shodan_honeypot_scout: Detect honeypot infrastructureevasive_request: TLS-randomized requestsevasive_syn_scan: Evasion-enabled port scanning
- System Prompt: Authorized external perimeter visibility specialist
- Safety: Aborts if deceptive infrastructure detected
Sub-Agent 2: Internal Reconnaissance Specialist
- Purpose: Verify environment type and map internal topology
- Tools:
run_environment_check: Verify physical host vs. simulationpassive_subnet_mapping: Non-disruptive network discovery
- System Prompt: Internal topology auditing tool
- Safety: Only proceeds after environment verification
Sub-Agent 3: Evasive Execution Agent
- Purpose: Test execution controls and data protection mechanisms
- Tools:
mutate_payload: Dynamic payload obfuscationwinrm_lateral_movement: Inter-node access via WinRMwmi_fileless_persistence: WMI-based persistence testingdoh_exfiltrate: DNS-over-HTTPS exfiltration testshuman_cadence_execution: Timing-based evasion simulation
- System Prompt: Inter-node resilience testing agent
- Safety: All operations wrapped in evasion techniques
| Tool | Purpose | Purpose Category |
|---|---|---|
shodanchecker.py |
Shodan API integration, honeypot detection | Reconnaissance |
evasive_scan.py |
Syn-based port scanning with evasion | Reconnaissance |
tls_randomizer.py |
TLS fingerprint randomization | Evasion |
mutation_engine.py |
Payload obfuscation and encoding | Evasion |
lotl_checker.py |
Living-off-the-land technique detection | Detection |
internal_recon.py |
Passive subnet topology mapping | Reconnaissance |
lateral_movement.py |
WinRM-based inter-node access | Lateral Movement |
persistance.py |
WMI-based fileless persistence | Persistence |
evasive_execution.py |
Human behavior simulation for execution | Evasion |
exfiltration.py |
DOH/DNS data exfiltration | Exfiltration |
cleanup.py |
Autonomous log and artifact sanitization | Post-Exploitation |
c2_server.py |
Command & control server implementation | C2 |
implant.py |
Agent implant generation | Payload |
ebpf_bypasser.py |
eBPF security control evasion | Evasion |
dna_bypasser.py |
DNA-based malware detection bypass | Evasion |
- Checkpointer:
InMemorySaverfor session persistence - Thread ID:
chimera_sim_001format for execution isolation - Message History: Full conversation history maintained for analytics
- Checkpoint Recovery: LangGraph enables resumption from failures
1. User lands on http://localhost:3000/
↓ (Landing Page displayed)
2. User clicks "Sign In" button
↓ (Auth Modal opens)
3. User enters credentials & authenticates
↓ (Redirects to IP entry page)
4. User enters target IP address
↓ (HTTP POST /api/agent/route.ts with {targetIP})
5. Next.js API Handler receives request
↓ (Validates auth token + IP format)
6. Backend invocation: Python orchestrator receives IP
↓ (agent_orcheastrator.py::chimera_agent.invoke())
7. Main Orchestrator orchestrates workflow:
├─→ Phase 1: External Recon Specialist
│ └─→ Tools: Shodan, evasive_scan, tls_randomizer
├─→ Phase 2: Internal Recon Specialist
│ └─→ Tools: env_check, subnet_mapping
├─→ Phase 3: Evasive Execution Agent
│ └─→ Tools: mutation, lateral_movement, persistence, exfiltration
└─→ Cleanup Phase
└─→ Autonomous log sanitization
8. JSON Telemetry Payload Generated
↓ (Contains metrics, timeline, attack graph)
9. Response sent back to frontend API handler
↓ (HTTP 200 with JSON payload)
10. Frontend displays results on Dashboard
├─→ Incident Board (live threats)
├─→ Attack Timeline Chart
├─→ Geo-Threat Map
└─→ Recovery Metrics
Frontend Deployment
# Development
npm run dev # Starts on port 3000
# Production
npm run build # Build Next.js app
npm run start # Start production serverBackend Deployment
# Setup Python environment
python3 -m venv venv
source venv/bin/activate # Linux/Mac
# or
venv\Scripts\activate # Windows
# Install dependencies
pip install -e .
# Run orchestrator
python main.py # Connects to localhost:8080- tpot.yml: Ansible playbook for environment bootstrapping (Python setup across distributions)
- package.json: Defines frontend dependencies and build scripts
- pyproject.toml: Defines Python dependencies and project metadata
NEXT_PUBLIC_API_URL: Backend API endpoint (default: http://localhost:8080)GROQ_API_KEY: Groq API authenticationSHODAN_API_KEY: Shodan API key for honeypot detectionOLLAMA_BASE_URL: Ollama server endpoint (for LLM fallback)
- Deceptive Infrastructure Detection: Aborts if honeypots detected
- Environment Verification: Confirms physical host before proceeding
- Passive Discovery: Avoids network traffic that disrupts telemetry
- Autonomous Cleanup: Self-sanitizing logs and artifacts
- Payload Obfuscation: Dynamic mutation to avoid signature detection
- Human Cadence Simulation: Timing patterns mimic legitimate user behavior
- Sanctioned Environments Only: System designed for authorized diagnostics
- Thread Isolation: Each execution thread isolated via LangGraph
- Configuration Tracking: All parameters logged for audit trails
- Abort Conditions: Multiple fail-safe abort vectors
- MTTR/MTTD Metrics: Track detection and response time
- Exfiltration Testing: Validates DLP controls
- Incident Classification: Severity-based event tracking
- ✅ Hierarchical agent structure with specialized roles
- ✅ Inter-agent communication via LangGraph
- ✅ Coordinated workflow execution
- ✅ Checkpointed state management
- ✅ Dynamic payload mutation
- ✅ TLS fingerprint randomization
- ✅ Living-off-the-land technique detection
- ✅ eBPF/DNA security bypass testing
- ✅ Human-cadence execution timing
- ✅ Live incident monitoring
- ✅ Attack timeline visualization
- ✅ Geo-threat mapping
- ✅ Recovery metrics (MTTD, MTTR)
- ✅ Severity-based alerting
- ✅ Structured JSON telemetry
- ✅ MITRE ATT&CK tactic mapping
- ✅ Attack graph visualization
- ✅ Execution timeline with timestamps
- ✅ Failed exploit analysis
Chimera/
├── frontend/ # Next.js React frontend
│ ├── app/
│ │ ├── page.tsx # Home/landing page
│ │ ├── layout.tsx # Root layout
│ │ ├── landing/ # Landing page components
│ │ ├── admin/
│ │ │ └── dashboard/ # Admin dashboard
│ │ ├── api/
│ │ │ └── agent/ # Backend API proxy routes
│ │ └── components/ # Reusable UI components
│ ├── lib/
│ │ └── utils.ts # Utility functions
│ ├── public/ # Static assets
│ ├── package.json
│ ├── tsconfig.json
│ └── next.config.ts
│
├── ML/ # Python ML backend
│ ├── main.py # Entry point / orchestrator invocation
│ ├── agents/
│ │ └── agent_orcheastrator.py # Multi-agent controller
│ ├── tools/ # Specialized tool implementations
│ │ ├── shodanchecker.py
│ │ ├── evasive_scan.py
│ │ ├── tls_randomizer.py
│ │ ├── mutation_engine.py
│ │ ├── lotl_checker.py
│ │ ├── internal_recon.py
│ │ ├── lateral_movement.py
│ │ ├── persistance.py
│ │ ├── evasive_execution.py
│ │ ├── exfiltration.py
│ │ ├── cleanup.py
│ │ ├── c2_server.py
│ │ ├── implant.py
│ │ ├── ebpf_bypasser.py
│ │ ├── dna_bypasser.py
│ │ └── stage_check.ps1
│ ├── pyproject.toml
│ └── requirements.txt
│
├── test/
│ └── target.js # Mock test server
│
├── tpot.yml # Ansible bootstrapping
└── README.md # This file
- Python 3.13+
- Node.js 18+ with npm
- Docker (optional, for cloud deployment)
- Shodan API key
- Groq API key
Frontend Setup
cd frontend
npm install
npm run dev # Starts on http://localhost:3000Backend Setup
cd ML
python3 -m venv venv
source venv/bin/activate
pip install -e .
python main.py- Start the frontend:
npm run dev→http://localhost:3000 - Start the backend:
python main.py→ Listens on localhost:8080 - User Journey:
- Navigate to landing page
- Click "Sign In" and authenticate
- Enter target IP address in the test form
- Observe execution status indicator
- Results displayed on admin dashboard automatically
- Dashboard displays:
- Live incident data from the agent execution
- Attack timeline with timestamps
- Geographic threat origin mapping
- Recovery metrics (MTTD, MTTR)
Each agent has a singular, well-defined responsibility with specialized tools.
Main Orchestrator coordinates sub-agents; sub-agents manage tools; tools execute specific operations.
Multiple abort conditions prevent unintended expansion of scope.
All operations logged with MITRE ATT&CK mappings and execution timelines.
Payloads, timing, and network traffic designed to avoid detection mechanisms.
All artifacts self-sanitized post-execution; no manual cleanup required.
- WebSocket real-time streaming of execution timeline
- Distributed agent orchestration (multiple backend instances)
- YARA rule integration for malware detection
- Custom agent creation UI
- Report generation with PDF/CSV export
- Integration with SIEM systems (Splunk, ELK)
- Multi-target orchestration and correlation
- ML-based threat pattern detection
- Advanced visualization with 3D attack graphs
- Frontend Guide: See
frontend/FRONTEND_GUIDE.md - Agent Documentation: See
frontend/AGENTS.md - Claude AI Notes: See
frontend/CLAUDE.md - Python Requirements: See
ML/requirements.txt - Project Config: See
pyproject.toml
[Specify your license here]
For questions or issues regarding Project Chimera, please contact the development team.
Last Updated: March 30, 2026
Project Status: Active Development
Current Version: 0.1.0