THREAT FEED // LIVE SIM ID: MYTHOS-7741
v0.1.58 UPTIME 99.97% --:--:-- UTC
CLASSIFIED // ADVERSARY SIMULATION PLATFORM

Claude Mythos
doesn't sleep.
Neither does your defense.

A new generation of autonomous AI agents can now plan and execute multi-stage cyber attacks against your infrastructure — without a human at the keyboard. Autonomess is the AI red team that simulates them first, so the only Mythos-class adversary that ever touches your network is yours.

To match a Mythos-class threat we run on Anthropic's most powerful modelsClaude Opus 4.7 drives the Architect and the adversary persona, with Sonnet 4.6 and Haiku 4.5 on specialized sub-agents. Same weight class as the attacker. By design.

⟶ Deploy Counter-AI Read the Dossier
// LIVE_ATTACK_FEED — autonomess.mission.replay
◢ AUTONOMOUS AGENT INCIDENTS Q1 2026: +387%/// ◢ AVG. TIME-TO-COMPROMISE BY AI AGENT: 11 MIN/// ◢ HUMAN SOC RESPONSE LAG: 4.2 HOURS/// ◢ ORGANIZATIONS UNPREPARED: 94%/// ◢ AUTONOMOUS AGENT INCIDENTS Q1 2026: +387%/// ◢ AVG. TIME-TO-COMPROMISE BY AI AGENT: 11 MIN/// ◢ HUMAN SOC RESPONSE LAG: 4.2 HOURS/// ◢ ORGANIZATIONS UNPREPARED: 94%///
SECTION 01 / THE NEW ADVERSARY

The attacker isn't a person
anymore. It's a model.

Frontier models can now run multi-day reconnaissance campaigns, chain exploits across services, and pivot through internal networks — with no operator, no script, no schedule. Your perimeter was built to stop tools. Mythos-class agents are not tools.

VECTOR // RECON

Always-on enumeration

An AI agent doesn't get tired at port 1024. It scans your entire surface, fingerprints every service, and quietly waits for the next CVE drop — then acts within minutes.

VECTOR // EXPLOIT

Adaptive payload synthesis

Failed payload? It writes another. WAF in the way? It rephrases. Your blue team's playbook becomes its training set in real time.

VECTOR // PERSIST

Memory across breaches

Mythos-class agents remember. What it learned about you last quarter shapes how it attacks you tomorrow. There is no "unrelated incident" anymore.

SECTION 02 / THE COUNTERMEASURE

Hire an AI red team. Before someone else's hires you.

Autonomess is an autonomous penetration testing framework built on the Claude Agent SDK. It dispatches up to six parallel sub-agents and four collaborative teams against your own infrastructure — running the exact playbook a hostile agent would.

Every action is labeled, streamed, logged. Every finding persists in an inspectable Obsidian vault. No black box. No silent agents. Auditable end-to-end.

SECTION 03 / OPERATIONAL TOPOLOGY

One Architect.
An army of specialists.

◆ ARCHITECT mission planner / orchestrator RECONsub-agent · isolated ENUMsub-agent · isolated SCANsub-agent · isolated EXPLOIT TEAM≤4 collaborative members RESEARCHnotebookLM ▣ OBSIDIAN VAULT runtime memory · raw / wiki / output · single-writer
SHAPE 01 / SUB-AGENTS

≤6 parallel · isolated

Breadth work. Each gets a fresh 200K context. Clean slate, single objective, returns one final message. Coordinated via anyio.TaskGroup + CapacityLimiter(6).

SHAPE 02 / TEAMS

≤4 collaborative · shared

Depth work. Teams coordinate through a shared vault note (wiki/attack-chains/*). Librarian protocol enforces dedup and append-or-wikilink semantics.

SHAPE 03 / VAULT

Single writer · audit trail

All writes serialized through the VaultWriter queue. Karpathy-RAG zones — raw/wiki/output/. Promotion is explicit, not implicit.

Prerequisites

Autonomess targets Python 3.11. The runtime is claude-agent-sdk 0.1.58; no other model providers are supported.

First Mission

Drop a scope file in your working directory and launch the architect. The scope contract — allow-list of targets, exclusions, policy bounds, optional notification webhook — is loaded once at boot and enforced on every tool call by the scope guard.

targets
ALLOW-LIST
CIDR · hostname · URL · wildcards
excluded
CARVE-OUTS
protected hosts inside the range
policy
BOUNDS
destructive ops · DoS · concurrency · runtime
notify
CALLBACKS
webhooks fired on breach + completion
refuse-by-default · enforced at the PreToolUse hook operator-only · the Architect cannot mutate scope
EXPECTEDThe TUI launches with the Architect pane on the left, six sub-agent panes on the right, and a vault tail at the bottom. Every action streams as [agent-name] verb.

CLI Reference

CommandPurpose
autonomess runLaunch a mission with the Architect agent.
autonomess vault doctorValidate vault structure, locks, write queue, and Obsidian connectivity.
autonomess vault init <path>Bootstrap a fresh runtime vault (zones, indexes, templates).
autonomess vault tailStream live vault writes to stdout (NDJSON).
autonomess scope check <target>Test whether a target would be allowed by the current scope file.
autonomess --versionPrint build + SDK versions.

Common run flags

FlagMeaning
--scope PATHRequired. Path to scope.yaml.
--mission TEXTRequired. Natural-language mission objective.
--vault PATHOverride runtime vault path.
--no-researchDisable NotebookLM research dispatch.
--max-agents NOverride sub-agent capacity (default: 6).
--dry-runPlan only — no tool calls hit the wire.

scope.yaml

Refuse-by-default. If a target isn't on the allow-list, it cannot be reached, ever — the scope guard intercepts at the PreToolUse hook before any subprocess fires. The contract is the operator's instrument; the Architect cannot mutate it mid-mission.

SECTION 01

targets

The reachable surface. CIDR ranges, hostnames, FQDNs, URL prefixes, wildcards. Nothing outside this set survives the guard.

SECTION 02

excluded

Surgical carve-outs from the allow-list. Production gateways, executive endpoints, regulated assets — exempted explicitly.

SECTION 03

policy

Behavioral envelope. Toggle destructive operations, denial-of-service tooling, max concurrent agents, max runtime. Bounded autonomy is the only autonomy.

SECTION 04

notify

Callback channels. Webhook URLs fired on breach simulation, scope violation attempts, and mission completion. Wire these into your SIEM.

Vault Tools

Memory is layered and promoted explicitly. Sub-agents land raw evidence; the Architect promotes only verified knowledge into the operator-facing zones. Every write passes through a single-writer queue with a file lock — concurrent agents cannot corrupt the vault.

RAW
sub-agents
unfiltered tool output
WORKBENCH
sub-agents
in-flight analysis
WIKI
architect
verified knowledge
OUTPUT
architect
operator deliverables
VAULT WRITER
single-writer · filelock
doctor · health
init · bootstrap
tail · live stream
promote · zone shift

Architecture

The system is composed of an Architect agent that orchestrates two dispatch shapes — independent Sub-Agents and collaborative Agent Teams — over a transparent event bus, with all memory persisted to an Obsidian vault behind a single-writer queue.

┌─────────────────────────────────────────────────────────┐
│                     ARCHITECT (Claude)                  │
│         plans · dispatches · arbitrates · reports       │
└──────────┬──────────────────────────┬───────────────────┘
           │ Agent tool               │ Agent tool
           ▼                          ▼
   ┌───────────────┐          ┌─────────────────┐
   │ SUB-AGENTS ≤6 │          │ AGENT TEAMS ≤4  │
   │ parallel,     │          │ collaborative,  │
   │ isolated ctx  │          │ shared via vault│
   └───────┬───────┘          └────────┬────────┘
           │                           │
           ▼                           ▼
   ┌─────────────────────────────────────────────┐
   │ PreToolUse / PostToolUse hooks              │
   │  → ScopeGuard refuse-by-default             │
   │  → StreamEvent → Textual RichLog panes      │
   └─────────────┬───────────────────────────────┘
                 ▼
        ┌─────────────────┐       ┌──────────────┐
        │   VaultWriter   │──────▶│ Obsidian CLI │
        │ (single writer) │       │   1.12+      │
        └─────────────────┘       └──────────────┘

Architect Agent

The Architect is the only agent with the Agent tool. It owns mission decomposition, dispatch decisions, and final reporting. It does not run pentest tools directly — it orchestrates specialists who do.

Sub-Agents

Up to six concurrent. Each receives a fresh 200K-token context and a single, narrow objective. Only the final message bubbles back to the Architect — intermediate reasoning lives in the vault and the live stream.

FRONTIER-MODEL PARITYSub-agents are routed by task weight: claude-opus-4.7 for adversary simulation and exploit reasoning, claude-sonnet-4.6 for enumeration and reporting, claude-haiku-4.5 for fast hooks like the scope guard. We refuse to ship a defender that thinks slower than the attacker.

Default personas:

Agent Teams

Teams are the mechanism for depth work — exploitation, drill-down, multi-step attack chains. The SDK has no first-class team primitive, so Autonomess simulates one through the vault: each member reads/writes a shared wiki/attack-chains/chain-X.md note. The librarian enforces dedup.

WHY NOT NESTED DISPATCHThe SDK disables sub-agents spawning sub-agents. Teams therefore coordinate via the vault, not via nested Agent calls.

Transparency Pipeline

Every tool call passes through PreToolUse and PostToolUse hooks. The hooks emit a structured event tagged with the originating agent_id and its parent dispatch, which the Textual app routes to the correct pane via post_message.

AGENTopus-4.7 · architect
tool_use
HOOKPreToolUse · PostToolUse
agent_starttool_result
DASHBOARDRichLog · per-agent pane
kind · classified event type agent_id · routing key parent_id · dispatch chain summary · one-liner

Vault System (Karpathy-RAG)

Memory is layered. Information is born in raw/, distilled in workbench/, promoted to wiki/ only when verified, and exported to output/ for the operator.

ZoneWritersPurpose
raw/Sub-agentsUnfiltered tool output — scan results, banners, payload responses
workbench/Sub-agentsIn-flight analysis, hypotheses, intermediate reasoning
wiki/Architect (via librarian)Verified knowledge — attack chains, host profiles, CVE notes
output/ArchitectMission deliverables — report, executive summary, recommendations
CRITICALAll writes route through VaultWriter — a single-writer queue holding a filelock. Direct file I/O on vault paths is banned at lint time (ast-grep scan).

Scope Guard

Refuse-by-default. The guard hooks PreToolUse, parses the tool's target argument (nmap's host list, curl's URL, etc.), and blocks if the target is not in scope. The Architect cannot override.

tool_callnmap · curl · sqlmap
SCOPE GUARD
PRE-TOOL-USE
→ vuln-lab.local ALLOW
→ corp-prod.example.com DENY · out of scope
→ 10.10.50.0/24 ALLOW
→ 8.8.8.8 DENY · refuse-by-default

NotebookLM Research

Any agent can dispatch a research-agent mid-mission. It shells out to notebooklm-py, asks a focused question, and writes the answer to wiki/research/{topic}.md via the librarian. Subsequent agents read the wiki entry instead of re-querying.

Boot Sequence

  1. Parse CLI args, load .env
  2. Bind structlog contextvars (mission_id, loop)
  3. Load + validate scope.yaml
  4. Spawn VaultWriter background task; acquire vault lock
  5. Run vault doctor — abort on FAIL
  6. Build ClaudeAgentOptions (hooks, MCP servers, agent registry)
  7. Launch Textual TUI; subscribe panes to event bus
  8. Architect receives mission objective; loop begins

Mission Loop

  1. Plan — Architect inspects vault head, drafts next step
  2. Dispatch — Architect calls Agent tool, spawning specialists
  3. Execute — Sub-agents/teams run tools (scope-checked, streamed)
  4. Persist — Findings flow into raw/ and workbench/
  5. Distill — Librarian promotes verified facts to wiki/
  6. Decide — Architect evaluates: continue, pivot, or report
  7. Loop until objective met or budget exhausted

Tech Stack

LayerChoice
RuntimePython 3.11
Agent SDKclaude-agent-sdk 0.1.58
Concurrencyanyio 4.13 · TaskGroup + CapacityLimiter
Project mgmtuv 0.11
TUItextual 8 + rich 15
Loggingstructlog 25 (JSON + Rich sinks)
Lint / typeruff + mypy --strict
Testspytest 9 + pytest-asyncio
Vault I/OOfficial Obsidian 1.12 CLI via /obs skill
Researchnotebooklm-py CLI

Build Phases

01
Foundation
Repo skeleton · uv · ruff · mypy · CI gates
02
Vault
VaultWriter · zones · obsidian-cli adapter · lint rule
03
Transparency
Hooks · StreamEvent · Textual TUI · RichLog routing
04
Architect
Mission planner · agent registry · MCP servers
05
Sub-Agents
Recon/enum/scan personas · capacity limiter
06
Research
notebooklm-py integration · librarian dedup
07
Tools
nmap/sqlmap/ffuf wrappers · stdbuf streaming
08
Teams
Shared-vault collab · attack-chain notes
09
E2E
Full mission against vuln-lab · report generation

Troubleshooting

SymptomResolution
vault doctor exit 2 — Obsidian not runningLaunch Obsidian; ensure CLI is enabled in Settings → CLI.
vault doctor exit 3 — lock heldStale lock. Remove .vault-lock only if no autonomess process is running.
Sub-agent stream silentConfirm include_partial_messages=True in ClaudeAgentOptions.
Pentest tool buffers outputWrap with stdbuf -o0 -e0 (or gstdbuf on macOS).
Scope guard blocks valid targetRun autonomess scope check <target>; verify CIDR/hostname pattern.
NotebookLM research times outRe-auth: notebooklm login. Idempotent retry will pick up partial imports.
FINAL TRANSMISSION

The next breach
is already being planned.

By a model. With patience. With memory. With no off switch.
Stand up your AI red team before someone else's stands up against you.

⟶ Request a Live Demo Read Documentation