Your AI Security Partner - Just describe what you need. No commands to memorize. No syntax to learn.
Security testing shouldn't require memorizing hundreds of tool flags and command syntaxes.
Think about it: nmap has 130+ options. Nuclei has dozens of flags. SQLMap has over 100 parameters. Now multiply that by the 30+ tools a typical assessment requires. That's not security work - that's a memorization exercise.
Cyxwiz takes a different approach. Instead of learning tool syntax, you simply describe what you want to accomplish. The AI understands your intent and figures out which tools to use, how to chain them, and how to interpret the results.
You: "check if this server is vulnerable to log4j"
Cyxwiz: Checking 192.168.1.10 for Log4Shell vulnerability...
[Running nuclei with CVE-2021-44228 templates]
Found: CRITICAL - Log4Shell (CVE-2021-44228) confirmed
The server is vulnerable to remote code execution via JNDI injection.
Recommendation: Upgrade log4j to 2.17.1+ or apply mitigations immediately.
No flags to remember. No syntax to look up. Just describe what you need.
Cyxwiz is an AI-powered security operations assistant. You talk to it in plain English, and it:
- Understands your intent - Whether you say "scan for open ports" or "what services are running" - same result
- Selects the right tools - Picks nmap, nuclei, nikto, or whatever fits the task
- Chains operations intelligently - Finds a web server? Automatically suggests vulnerability checks
- Explains results clearly - No raw output dumps, just actionable insights
- Tracks everything - Every finding, every command, ready for your report
Here's how a real conversation with Cyxwiz looks:
You: "I need to test this web application at https://target.com"
Cyxwiz: I'll start with reconnaissance. Let me:
1. Check what technologies it's running
2. Look for common vulnerabilities
3. Test the authentication mechanisms
Starting now...
[After scanning]
Here's what I found:
- Running WordPress 5.8.1 (outdated - current is 6.4)
- 3 plugins with known vulnerabilities
- Admin login page exposed at /wp-admin
- No rate limiting on login attempts
Want me to dig deeper into any of these?
You: "yes, check those plugin vulnerabilities"
Cyxwiz: Looking at the vulnerable plugins...
CRITICAL: Contact Form 7 < 5.3.2 - Unrestricted file upload
HIGH: Elementor < 3.1.2 - Authenticated XSS
MEDIUM: WooCommerce < 5.2.0 - Information disclosure
The file upload vulnerability is serious. With a valid form submission,
an attacker could upload malicious PHP files.
Should I generate a detailed report with remediation steps?
Just describe what you need in your own words:
- "find all the web servers on this network"
- "is this site vulnerable to SQL injection?"
- "check the SSL configuration on our servers"
- "what users exist in this Active Directory domain?"
- "test if this API has authentication issues"
- "show me everything you've found so far"
- "write up a report for the client"
Cyxwiz understands context too. After scanning a network, you can say "check that Apache server 10BC0 for vulnerabilities" - it knows which one you mean.
Yes, Claude CLI, Cursor, and other LLM tools can run commands too. So what makes Cyxwiz different?
Cyxwiz is built on OpenCode, which provides a superior agent architecture compared to generic LLM CLIs:
┌─────────────────────────────────────────────────────────────────────────────┐
│ Generic LLM CLI vs Cyxwiz (OpenCode-based) │
├─────────────────────────────────┬───────────────────────────────────────────┤
│ Generic LLM CLI │ Cyxwiz │
├─────────────────────────────────┼───────────────────────────────────────────┤
│ General-purpose agent │ Security-focused agent │
│ Raw command output │ Parsed, structured findings │
│ No domain knowledge │ Security tool expertise built-in │
│ Basic bash execution │ Specialized tool integrations │
│ Chat history only │ Findings database + audit trail │
│ No scope awareness │ Governance & scope enforcement │
│ Export chat transcript │ Professional pentest reports │
└─────────────────────────────────┴───────────────────────────────────────────┘
-
Better Agent Control - OpenCode's architecture gives finer control over LLM behavior, tool execution, and context management than Claude CLI's generic approach
-
Extensible Tool Framework - Not just "run bash commands" but structured tool definitions with typed inputs/outputs
-
Session Persistence - Real session management, not just chat history
-
Multi-LLM Support - Claude, GPT-4, Gemini, local models - your choice
Cyxwiz extends OpenCode with a complete security operations layer:
┌─────────────────────────────────────────────────────────────────────────────┐
│ Cyxwiz Security Layer │
├─────────────────────────────────────────────────────────────────────────────┤
│ │
│ ┌──────────────┐ ┌──────────────┐ ┌──────────────┐ ┌──────────────┐ │
│ │ Security │ │ Output │ │ Findings │ │ Report │ │
│ │ Tools │ │ Parsers │ │ Database │ │ Engine │ │
│ │ │ │ │ │ │ │ │ │
│ │ nmap, nikto │ │ Extract CVEs │ │ Severity │ │ Executive │ │
│ │ nuclei, etc │ │ Parse JSON │ │ OWASP cats │ │ Technical │ │
│ │ 30+ tools │ │ Structure │ │ Evidence │ │ HTML/PDF/MD │ │
│ └──────────────┘ └──────────────┘ └──────────────┘ └──────────────┘ │
│ │
│ ┌──────────────┐ ┌──────────────┐ ┌──────────────┐ │
│ │ Governance │ │ Scope │ │ Audit │ │
│ │ Engine │ │ Enforcement │ │ Trail │ │
│ │ │ │ │ │ │ │
│ │ Policy-based │ │ Authorized │ │ Compliance │ │
│ │ approval │ │ targets only │ │ logging │ │
│ └──────────────┘ └──────────────┘ └──────────────┘ │
│ │
└─────────────────────────────────────────────────────────────────────────────┘
| Category | Tools | What Cyxwiz Adds |
|---|---|---|
| Network | nmap, masscan | Service detection, port classification |
| Web | nikto, nuclei, gobuster, ffuf | Vuln detection, directory enumeration |
| Exploitation | searchsploit, msfconsole | Exploit matching, payload generation |
| AD/LDAP | ldapsearch, smbclient | User enum, share discovery |
| API | Custom scanners | OpenAPI parsing, JWT analysis |
| Wireless | aircrack-ng, reaver | WiFi assessment |
| Cloud | aws-cli, az, gcloud | Misconfig detection |
OpenCode gives raw output. Cyxwiz parses it:
Raw nmap output: Cyxwiz parsed output:
─────────────────── ──────────────────
PORT STATE SERVICE {
80/tcp open http ──────► "port": 80,
"service": "http",
"product": "Apache",
"version": "2.4.41",
"cves": ["CVE-2021-41773"]
}
Not just command history - structured security findings:
- Severity Classification: Critical, High, Medium, Low, Info
- OWASP Categorization: A01-A10 mapping
- CVE Tracking: Automatic CVE detection and linking
- Evidence Storage: Screenshots, request/response pairs
- Remediation Tracking: Fix status, verification
What OpenCode doesn't have:
- Scope Definition: Define authorized targets (IPs, domains, ports)
- Scope Enforcement: Block scans against unauthorized targets
- Policy Rules: Require approval for destructive actions
- Engagement Profiles: Different rules for different assessments
Compliance-ready logging:
[2024-01-15 10:23:45] SCAN_START target=192.168.1.0/24 user=analyst1
[2024-01-15 10:23:46] SCOPE_CHECK target=192.168.1.0/24 result=AUTHORIZED
[2024-01-15 10:23:47] TOOL_EXEC tool=nmap args="-sV -sC 192.168.1.0/24"
[2024-01-15 10:25:12] FINDING_NEW id=F001 severity=CRITICAL cve=CVE-2021-41773
[2024-01-15 10:30:00] REPORT_GEN format=HTML findings=15
Professional deliverables, not chat exports:
| Report Type | Contents | Format |
|---|---|---|
| Executive | Risk summary, business impact | HTML, PDF |
| Technical | Full findings, evidence, remediation | Markdown, HTML |
| Compliance | Audit trail, scope verification | JSON, PDF |
| Raw Data | Machine-readable findings | JSON |
Schedule recurring scans with diff detection:
- Baseline establishment
- Change detection (new ports, services, vulns)
- Alert on critical changes
- Trend tracking over time
Visual interface for findings management:
- Real-time scan progress
- Interactive findings table
- Severity charts and statistics
- Report generation UI
Claude CLI:
You: "scan 192.168.1.10 for vulnerabilities"
Claude: *runs nmap*
Here's the raw output:
PORT STATE SERVICE VERSION
80/tcp open http Apache 2.4.41
443/tcp open ssl/http Apache 2.4.41
...
You: "what vulnerabilities does it have?"
Claude: *runs nikto*
Here's what nikto found:
+ Server: Apache/2.4.41
+ /: The anti-clickjacking X-Frame-Options header is not present
...
[You manually track these, decide severity, write report]
Cyxwiz:
You: "scan 192.168.1.10 for vulnerabilities"
Cyxwiz: [Runs nmap → parses services]
[Runs nikto → extracts findings]
[Runs nuclei → matches CVEs]
[Classifies by severity]
[Stores in findings database]
Scan complete. Found:
CRITICAL (1):
- CVE-2021-41773: Apache path traversal → RCE possible
HIGH (2):
- Missing security headers (X-Frame-Options, CSP)
- SSL certificate expires in 7 days
MEDIUM (3):
- Directory listing enabled on /uploads
- Server version disclosed
- Outdated Apache version
All 6 findings saved with evidence.
You: "generate report"
Cyxwiz: [Creates executive summary]
[Includes technical details]
[Adds remediation steps]
[Exports to HTML]
Report ready: http://localhost:4096/reports/192.168.1.10-assessment.html
| Feature | Claude CLI | Cyxwiz |
|---|---|---|
| Agent Architecture | Generic | OpenCode (superior control) |
| Tool Integration | Bash only | 30+ security tools with parsers |
| Output Handling | Raw text | Structured findings |
| Severity Classification | Manual | Automatic (Critical→Info) |
| CVE Matching | Manual lookup | Automatic detection |
| Scope Control | None | Governance engine |
| Audit Trail | Chat history | Compliance-ready logs |
| Reports | Copy-paste chat | Professional HTML/PDF |
Cyxwiz = OpenCode's superior agent + Security expertise + Findings management + Governance + Reporting
| As Plugin | As Fork (Platform) |
|---|---|
| Limited by OpenCode's roadmap | Full control |
| Can't modify core UX | Customize everything |
| "Cyxwiz for OpenCode" | "Cyxwiz" |
| Tenant | Owner |
| Single product ceiling | Platform potential |
Key reasons we forked:
-
Governance is core, not optional - Cyxwiz needs scope enforcement and audit logging baked into every command execution. As a plugin, we'd be bolting security onto someone else's foundation. As a fork, governance IS the foundation.
-
We need to modify core UX - Security workflows require approval prompts, findings panels, and audit trails integrated into the interface. Plugins can't touch core UI.
-
Platform potential - Cyxwiz isn't just a pentest tool. It's designed to expand to SOC, DevOps, NetEng domains. A plugin would forever be "Cyxwiz for OpenCode." A fork becomes "Cyxwiz" - its own platform.
-
Independence - OpenCode could change direction, deprecate plugin APIs, or make decisions that conflict with security use cases. Fork = we control our destiny.
What we inherited (for free): CLI/TUI framework, Multi-LLM support (Claude, GPT, Gemini), Session management, Tool execution framework, Plugin system
What we added: Governance engine, Scope enforcement, Audit logging, Security tool parsers (30+), Findings management, Report generation
Let's be clear about boundaries:
Cyxwiz is a tool, not a security expert replacement. It doesn't:
- Make risk decisions for your organization
- Determine what's in scope for your engagement
- Replace the need to understand what you're doing
- Guarantee finding every vulnerability
You are the security professional. Cyxwiz handles the tedious parts so you can focus on analysis and decisions.
Cyxwiz is built for:
- Authorized penetration testing
- Security assessments with written permission
- CTF competitions and security research
- Learning and education
It is NOT for:
- Unauthorized access to systems
- Attacking systems you don't own or have permission to test
- Any illegal activity
The tools Cyxwiz uses are powerful. Use them responsibly and legally.
Cyxwiz won't:
- Automatically hack anything
- Replace proper methodology
- Skip the need for authorization
- Make you compliant just by running it
It's an assistant that makes security work more efficient - not a shortcut around doing things properly.
The easiest way to get started. Download for your platform:
| Platform | Download |
|---|---|
| Linux (x64) | cyxwiz-linux-x64.tar.gz |
| Linux (ARM64) | cyxwiz-linux-arm64.tar.gz |
| macOS (Intel) | cyxwiz-darwin-x64.tar.gz |
| macOS (Apple Silicon) | cyxwiz-darwin-arm64.tar.gz |
| Windows (x64) | cyxwiz-windows-x64.zip |
# Linux/macOS
tar -xzf cyxwiz-*.tar.gz
chmod +x cyxwiz
./cyxwiz
# Windows
# Extract the zip and run cyxwiz.exe# Install Bun (JavaScript runtime)
curl -fsSL https://bun.sh/install | bash
# Clone and build
git clone https://github.com/code3hr/opencode.git wiz
cd wiz
bun install
bun run --cwd packages/opencode src/index.tsCyxwiz needs an AI provider to work. Set one of these:
export ANTHROPIC_API_KEY=sk-ant-... # Claude (recommended)
# or
export OPENAI_API_KEY=sk-... # GPT-4For full functionality, have these tools installed (pre-installed on Kali/Parrot):
- nmap - Network scanning
- nuclei - Vulnerability scanning
- nikto - Web server scanning
- gobuster - Directory enumeration
- sqlmap - SQL injection testing
Don't have them? Cyxwiz will tell you when it needs something.
┌─────────────────────────────────────────────────────────────────────────────┐
│ YOU (Security Professional) │
│ │
│ "scan this network" "check for vulnerabilities" "generate report" │
└──────────────────────────────────┬───────────────────────────────────────────┘
│
▼
┌─────────────────────────────────────────────────────────────────────────────┐
│ CYXWIZ │
│ ┌─────────────────────────────────────────────────────────────────────┐ │
│ │ AI Engine (Claude/GPT) │ │
│ │ │ │
│ │ • Understands natural language intent │ │
│ │ • Plans tool sequences │ │
│ │ • Interprets results │ │
│ │ • Explains findings │ │
│ └─────────────────────────────────────────────────────────────────────┘ │
│ │ │
│ ▼ │
│ ┌─────────────────────────────────────────────────────────────────────┐ │
│ │ Tool Orchestration │ │
│ │ │ │
│ │ Network Web API AD Reporting │ │
│ │ Scanner Scanner Scanner Scanner Engine │ │
│ └─────────────────────────────────────────────────────────────────────┘ │
│ │ │
└───────────────────────────────────┼──────────────────────────────────────────┘
│
▼
┌─────────────────────────────────────────────────────────────────────────────┐
│ Security Tools (Kali/Parrot) │
│ │
│ nmap nuclei nikto gobuster sqlmap smbclient ldapsearch │
│ │
└─────────────────────────────────────────────────────────────────────────────┘
│
▼
┌─────────────────────────────────────────────────────────────────────────────┐
│ TARGET SYSTEMS │
│ (With your authorization) │
└─────────────────────────────────────────────────────────────────────────────┘
┌──────────┐ ┌──────────┐ ┌──────────┐ ┌──────────┐
│ Intent │ ──▶ │ Plan │ ──▶ │ Execute │ ──▶ │ Findings │
│ │ │ │ │ │ │ │
│ "scan │ │ 1. nmap │ │ Run each │ │ Store & │
│ for web │ │ 2. nikto │ │ tool in │ │ classify │
│ vulns" │ │ 3. nuclei│ │ sequence │ │ results │
└──────────┘ └──────────┘ └──────────┘ └──────────┘
│
▼
┌──────────┐
│ Report │
│ │
│ Generate │
│ HTML/PDF │
└──────────┘
Cyxwiz offers multiple interfaces to fit your workflow:
┌─────────────────────────────────────────────────────────────────┐
│ INTERFACES │
├─────────────────┬───────────────────┬───────────────────────────┤
│ Terminal │ Web Server │ Dashboard │
│ (Default) │ (--server) │ (Development) │
├─────────────────┼───────────────────┼───────────────────────────┤
│ ./cyxwiz │ ./cyxwiz --server│ bun run dashboard │
│ │ │ │
│ Interactive │ http://localhost │ http://localhost:5173 │
│ CLI prompt │ :4096 │ (proxies to :4096) │
│ │ │ │
│ Best for: │ Best for: │ Best for:
F956
│
│ Quick tasks, │ Team access, │ Development, │
│ scripting │ remote work │ customization │
└─────────────────┴───────────────────┴───────────────────────────┘
./cyxwizInteractive command-line interface. Type naturally and see results directly.
./cyxwiz --serverOpens a web interface at http://localhost:4096. Features:
- Same AI assistant in a browser
- Real-time scan progress
- Interactive findings table
- Report viewing and export
cd packages/opencode/src/dashboard
bun run devDevelopment dashboard at http://localhost:5173. For contributors extending Cyxwiz.
Reports are served through the web interface:
You: "generate a report"
Cyxwiz: Report generated!
View at: http://localhost:4096/reports/assessment-2024-01-15.html
Features:
- Interactive severity charts
- Sortable findings table
- Evidence screenshots
- Export to PDF/HTML/Markdown
You: "find subdomains for example.com"
Cyxwiz: I'll enumerate subdomains using multiple methods...
Found 47 subdomains:
- api.example.com (192.168.1.10)
- mail.example.com (192.168.1.11)
- dev.example.com (192.168.1.12)
- staging.example.com (192.168.1.13)
[... and 43 more]
Notable: dev and staging are exposed to the internet.
Want me to scan these for vulnerabilities?
You: "scan the staging server"
Cyxwiz: Scanning staging.example.com (192.168.1.13)...
[Cyxwiz remembers this from the previous subdomain scan]
You: "what have we found so far?"
Cyxwiz: Current findings for example.com assessment:
CRITICAL (2):
- SQL injection on api.example.com/users
- Exposed admin panel on staging.example.com
HIGH (5):
- Outdated TLS on mail.example.com
- Missing security headers (4 instances)
MEDIUM (8):
[...]
Total: 2 critical, 5 high, 8 medium, 12 low findings
You: "generate a report for the client"
Cyxwiz: Generating executive report...
Created: example-com-assessment-2024-01-15.html
Includes:
- Executive summary
- Risk ratings
- All findings with evidence
- Remediation recommendations
- Technical appendix
- Port scanning and service detection
- Network mapping and host discovery
- Protocol-specific testing (SMB, SNMP, DNS, LDAP)
- Credential testing and password auditing
- Vulnerability scanning (OWASP Top 10)
- Directory and file enumeration
- SSL/TLS configuration analysis
- CMS vulnerability detection (WordPress, Drupal, etc.)
- OpenAPI/Swagger discovery and parsing
- Authentication bypass testing
- Injection testing (SQL, NoSQL, Command)
- JWT analysis and manipulation
- User and group enumeration
- Kerberoasting and AS-REP roasting
- Trust relationship mapping
- Privilege escalation path finding
- Executive summaries (HTML/PDF)
- Technical reports (Markdown)
- Raw data export (JSON)
- Evidence preservation
| Distribution | Status | Notes |
|---|---|---|
| Kali Linux | Fully Supported | All tools pre-installed |
| Parrot OS | Fully Supported | All tools pre-installed |
| Ubuntu/Debian | Supported | Install tools via apt |
| Arch Linux | Supported | Install tools via pacman |
| macOS | Supported | Install tools via homebrew |
| Windows | Supported | Install tools via chocolatey/manual |
Cyxwiz is under active development. Current capabilities:
| Module | Status | Description |
|---|---|---|
| Core Framework | Complete | AI interaction, session management |
| Network Scanning | Complete | Nmap integration, service detection |
| Web Scanning | Complete | Nikto, Nuclei, Gobuster, SQLMap |
| API Security | Complete | OpenAPI, GraphQL, JWT analysis |
| Active Directory | Complete | User enum, Kerberoasting |
| Reporting | Complete | Multiple formats, evidence |
| Cloud Security | In Progress | AWS, Azure, GCP scanning |
| CI/CD Security | In Progress | Pipeline security analysis |
| Container Security | Planned | Docker, Kubernetes |
| Document | Description |
|---|---|
| PROJECT.md | Platform architecture and vision |
| PENTEST.md | Pentest module overview |
| GOVERNANCE.md | Policy and scope enforcement |
| TODO.md | Development roadmap |
| COMPARISON.md | How Cyxwiz compares to other tools |
| Phase | Module | Description |
|---|---|---|
| 03 | Pentest Agent MVP | Core scanning foundation |
| 04 | Multi-Tool Parsers | Nikto, Nuclei, Gobuster parsers |
| 05 | Report Generation | HTML, PDF, Markdown reports |
| 06 | Continuous Monitoring | Scheduled scans, diff detection |
| 07 | Exploit Framework | Metasploit, Searchsploit integration |
| 08 | Web App Scanner | OWASP Top 10, crawling |
| 09 | API Security | OpenAPI, GraphQL, JWT testing |
| 10 | Network Infrastructure | SMB, SNMP, DNS, LDAP |
| 11 | Cloud Security | AWS, Azure, GCP scanning |
| 12 | Container Security | Docker, Kubernetes, CVE lookup |
| 13 | Mobile App Scanner | Android/iOS analysis |
| 14 | Wireless Scanner | WiFi security testing |
| 15 | Social Engineering | Phishing, pretexting toolkit |
| 16 | Post-Exploitation | Privilege escalation, persistence |
| 17 | Reporting Dashboard | Web UI for findings |
| 18 | CI/CD Security | Pipeline security analysis |
Contributions welcome! See CONTRIBUTING.md.
Found a security issue? See SECURITY.md.
MIT License - See LICENSE
- OpenCode - The foundation we built upon
- Anthropic - Claude AI
- The security community for the amazing open-source tools
Cyxwiz - Security testing should be about security, not syntax.