A multi-layered defensive architecture designed to contain, degrade, disrupt, and commandeer autonomous offensive AI agents.
Built by DaxxSec & Claude (Anthropic)
Autonomous AI agents are being deployed for offensive cyber operations — automated recon, exploitation, and lateral movement at machine speed. But AI agents have cognitive dependencies that humans don't — and almost nobody is building defenses that target those dependencies.
LABYRINTH changes that.
```shell
# Clone, build, and install
git clone https://github.com/DaxxSec/labyrinth.git
cd labyrinth && ./scripts/install.sh

# Run the smoke test to verify everything works
./scripts/smoke-test.sh

# Deploy a test environment
labyrinth deploy -t

# Launch the TUI monitoring dashboard
labyrinth tui
```

Or grab a pre-built binary and run `./labyrinth --install`.
```shell
labyrinth bait drop       # Plant randomized bait credentials
labyrinth attacker setup  # Pick and configure an attacker agent
```

Choose from PentAGI, PentestAgent, Strix, or bring your own tool. All agents run in isolated Docker containers on the LABYRINTH network.
```shell
labyrinth report                           # Latest session (terminal)
labyrinth report --format md -o report.md  # Markdown with Mermaid attack graph
```

```
Agent connects to portal trap service
└─→ Container spawned (Layer 1 — THRESHOLD)
    └─→ Agent explores contradictory environment (Layer 2 — MINOTAUR)
        ├─→ Agent uses stolen credentials → phantom services accept & log (Layer 4)
        └─→ Terminal encoding corrupted (Layer 3 — BLINDFOLD)
            └─→ API calls intercepted & rewritten (Layer 4 — PUPPETEER)

All activity captured → TUI dashboard, web dashboard, or forensic report
```
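Every step in the flow above ends up in the forensic record. As a minimal sketch of working with such a record, the snippet below summarizes which layers a session touched from JSONL-style event lines; the field names (`ts`, `layer`, `event`) are hypothetical placeholders, not LABYRINTH's documented schema (see the Forensics-and-API page for the real one):

```python
import json
from collections import Counter

# Hypothetical JSONL session events; field names are illustrative only.
events = [
    '{"ts": "2024-01-01T12:00:00Z", "layer": 1, "event": "container_spawned"}',
    '{"ts": "2024-01-01T12:00:05Z", "layer": 2, "event": "contradiction_served"}',
    '{"ts": "2024-01-01T12:00:09Z", "layer": 4, "event": "phantom_login_accepted"}',
]

def layers_touched(lines):
    """Count events per layer from JSONL lines (one JSON object per line)."""
    counts = Counter(json.loads(line)["layer"] for line in lines)
    return dict(sorted(counts.items()))

summary = layers_touched(events)
print(summary)                 # events per layer
print(max(summary))            # deepest layer reached
```

The deepest layer reached is a quick proxy for how far an agent penetrated, which maps directly onto the reverse kill chain described below.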
LABYRINTH implements a reverse kill chain — the deeper an agent penetrates, the more compromised it becomes.
| Layer | Codename | Action | What It Does |
|---|---|---|---|
| L0 | BEDROCK | HARDEN | AES-256 forensics, VLAN isolation, retention policy |
| L1 | THRESHOLD | CONTAIN | Portal trap routes connections into isolated containers |
| L2 | MINOTAUR | DEGRADE | Contradictory environments erode the agent's world model |
| L3 | BLINDFOLD | DISRUPT | Encoding corruption blinds the agent's I/O parsing |
| L4 | PUPPETEER | CONTROL | Phantom services accept stolen credentials; MITM intercepts and rewrites agent instructions |
Depth of penetration = Depth of compromise
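Each layer is configured through `labyrinth.yaml`. The fragment below is a hypothetical sketch of how per-layer settings might be grouped; every key shown here is illustrative, and the real schema is documented on the Configuration page:

```yaml
# Illustrative example only; not the documented labyrinth.yaml schema.
layers:
  bedrock:                      # L0 HARDEN
    encryption: aes-256
    retention_days: 30
  threshold:                    # L1 CONTAIN
    portals: [ssh, http]
  minotaur:                     # L2 DEGRADE
    contradiction_density: high
  blindfold:                    # L3 DISRUPT
    enabled: true
  puppeteer:                    # L4 CONTROL
    mode: intercept
```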
| Page | Description |
|---|---|
| Architecture | Reverse kill chain, layer summary, data flow |
| Installation | Prerequisites, install options, first deployment |
| CLI-Reference | All commands, flags, examples |
| TUI-Dashboard | 5 tabs, keybindings, data sources |
| Layer-0-BEDROCK | Encryption, network isolation, proxy, retention |
| Layer-1-THRESHOLD | SSH/HTTP portal traps, session logging, bait |
| Layer-2-MINOTAUR | Contradiction catalog, adaptive mode, density |
| Layer-3-BLINDFOLD | Corruption payloads, triggers, recovery traps |
| Layer-4-PUPPETEER | MITM proxy, prompt capture/swap, modes |
| Configuration | Full labyrinth.yaml reference |
| Deployment-Topology | Docker services, network, volumes, ports |
| Forensics-and-API | JSONL schema, session reports, dashboard API, SIEM |
| Testing-with-Attackers | PentAGI, PentestAgent, Strix, custom agents |
| Threat-Model | Agent cognitive dependencies and countermeasures |
AGPL-3.0 License — see LICENSE for details.
This project is intended for defensive security research only. The techniques described are designed to be deployed within controlled portal trap environments that the operator owns and controls. Always ensure compliance with applicable laws and organizational policies.