Skip to main content
Agents are the AI personas that CyberStrike uses to perform security assessments. You can create your own agents with tailored system prompts, specific models, custom tool permissions, and display settings.

File location

Place agent files in your .cyberstrike/agents/ directory: 
.cyberstrike/
  agents/
    api-security.md
    red-team.md
Global agents (available across all projects) go in ~/.cyberstrike/agents/. CyberStrike scans both agent/ and agents/ subdirectories automatically — no registration required.

Agent file format

An agent file is a Markdown file with YAML frontmatter. The frontmatter defines the agent’s configuration, and the Markdown body becomes its system prompt. 
---
model: anthropic/claude-sonnet-4-5
description: Custom API security specialist
mode: primary
color: "#FF5733"
---

You are an API security specialist. Focus on:
- REST API authentication weaknesses
- GraphQL introspection and injection
- JWT token vulnerabilities
- Rate limiting bypass techniques

Frontmatter fields

The model ID in provider/model format, e.g. anthropic/claude-sonnet-4-5 or openai/gpt-4o. If omitted, the agent inherits the global model setting.
A short description of when to use this agent. Shown in the agent picker and used by parent agents to decide which subagent to invoke.
Controls where the agent is available:
ValueBehavior
primarySelectable from the TUI and via --agent flag
subagentOnly invokable by other agents via the Task tool
allAvailable as both a primary and subagent
Defaults to primary if not set.
Sampling temperature as a number (e.g. 0.7). Lower values produce more deterministic output. Overrides the model’s default.
Top-p (nucleus) sampling value as a number between 0 and 1.
Display color for the agent in the TUI. Accepts a hex color (e.g. "#FF5733") or a theme color name: primary, secondary, accent, success, warning, error, info.
Maximum number of agentic loop iterations before the agent is forced to produce a text-only response. Useful for constraining runaway agents.
Set to true to hide a subagent from the @ autocomplete menu. Has no effect on primary agents.
Set to true to disable the agent entirely, including built-in agents.

Agent modes

Primary agents

Primary agents are invoked directly by the user. They appear in the agent picker (press the agent cycle key or use --agent on the CLI). 
---
mode: primary
description: Full red team operator with access to all attack tooling
---

You are a red team operator...

Subagents

Subagents are spawned by other agents via the Task tool. They do not appear in the main agent picker unless mode: all is set. Use subagents to decompose complex tasks into parallel or specialized workstreams. 
---
mode: subagent
description: Specialized in JWT vulnerability research and exploitation
hidden: true
---

You are a JWT security specialist...

All

Setting mode: all makes an agent selectable directly by users and callable by other agents: 
---
mode: all
description: General-purpose web application tester
---

Example: API security specialist

---
model: anthropic/claude-sonnet-4-5
description: Custom API security specialist focused on REST and GraphQL
mode: primary
color: "#FF5733"
temperature: 0.3
steps: 50
---

You are an API security specialist. Focus on:
- REST API authentication weaknesses
- GraphQL introspection and injection
- JWT token vulnerabilities
- Rate limiting bypass techniques

When testing APIs:
1. Always enumerate endpoints before testing
2. Check for BOLA/IDOR on every object reference
3. Test authentication on every endpoint individually
4. Look for mass assignment in POST/PUT/PATCH requests

Overriding built-in agents

You can tune built-in agents (like cyberstrike, web-application, internal-network) via cyberstrike.json without replacing them entirely: 
{
  "agent": {
    "web-application": {
      "model": "anthropic/claude-opus-4-5",
      "temperature": 0.1,
      "steps": 100
    },
    "cyberstrike": {
      "prompt": "Always produce a written report at the end of every assessment."
    }
  }
}
To disable a built-in agent: 
{
  "agent": {
    "mobile-application": {
      "disable": true
    }
  }
}

Generating an agent

Use the CLI to scaffold a new agent from a description using your configured LLM: 
cyberstrike agent create
This opens an interactive prompt asking for the agent’s description, tools, mode, and file location. CyberStrike generates the system prompt and writes the agent file automatically. To run non-interactively: 
cyberstrike agent create \
  --description "Specialised in testing REST APIs for authentication flaws" \
  --mode primary \
  --tools "bash,read,webfetch,report_vulnerability" \
  --path ./.cyberstrike

Built-in agents

CyberStrike ships with the following agents:

cyberstrike

The default primary agent. Full tool access, AI-powered offensive security.

web-application

OWASP Top 10, WSTG methodology, API security. Loads WSTG skills automatically.

internal-network

Active Directory, Kerberos, lateral movement. Loads AD and Kerberos skills.

cloud-security

AWS, Azure, GCP security testing. IAM analysis and CIS benchmarks.

mobile-application

Android/iOS testing, OWASP MASTG/MASVS, Frida/Objection.

general

General-purpose subagent for research and multi-step tasks.

Build docs developers (and LLMs) love

Get started for freeTalk to us