Skip to main content
Bolt is CyberStrike’s remote tool execution server. Instead of running heavy security tools on your laptop, you deploy Bolt on remote infrastructure and control it from the CyberStrike TUI over an encrypted MCP connection authenticated with Ed25519 keys. One CyberStrike instance can orchestrate many Bolt servers simultaneously — each with its own toolkit, network position, and access to different attack surfaces.

Architecture

                                      ┌─────────────────────┐
                                 ┌───►│  Bolt Server #1     │
                                 │    │  nmap, nuclei, ffuf  │
┌──────────────────┐  MCP + Ed25519   └─────────────────────┘
│  Your Terminal   │  over HTTPS  │   ┌─────────────────────┐
│  CyberStrike TUI │◄────────────►├───►│  Bolt Server #2     │
│                  │  Tool Results │   │  sqlmap, burp, zap   │
└──────────────────┘              │   └─────────────────────┘
                                  │   ┌─────────────────────┐
                                  └───►│  Bolt Server #3     │
                                       │  Custom toolkit      │
                                       └─────────────────────┘
Results stream back to your TUI in real time as tools execute on the remote servers.

Authentication

Bolt uses Ed25519 key pairs for authentication — no passwords, no shared secrets. You generate a key pair, deploy the public key on the Bolt server, and CyberStrike uses the private key to authenticate all requests. There is no credentials file to rotate or password database to compromise.

Deployment options

VPS

Deploy on any Linux VPS. DigitalOcean, Linode, Hetzner, and Vultr all work well. A 2 vCPU / 4 GB instance is sufficient for most scan workloads.

Docker

Pull the official Bolt Docker image and run it with a single command. Bind-mount your key pair and expose port 3001.

Kubernetes

Deploy Bolt as a Kubernetes Deployment with a Service and ingress. Scale replicas independently based on scan load.

Pre-built Kali images

Use the official Kali Linux images with Bolt pre-installed. Includes nmap, nuclei, sqlmap, ffuf, and the full Kali toolset out of the box.

Configuration

Add Bolt servers to cyberstrike.json under the "bolt" key. Each entry is a named server with its connection details.

Schema

Type: string — requiredThe full URL of the Bolt server, including protocol and port.
"url": "https://kali.example.com:3001"
Type: boolean — optionalWhether CyberStrike should connect to this Bolt server on startup. Defaults to true when the server is present in config. Set to false to temporarily disable a server without removing its config.
Type: number (integer, positive) — optionalRequest timeout in milliseconds. Defaults to 30000 (30 seconds). Increase this for long-running scans like full nmap port sweeps.

Example configuration

cyberstrike.json
{
  "bolt": {
    "kali-vps": {
      "url": "https://kali.example.com:3001",
      "enabled": true,
      "timeout": 60000
    },
    "cloud-scanner": {
      "url": "https://scanner.example.com:3001",
      "enabled": true
    }
  }
}
You can define as many servers as you need. CyberStrike agents can route tool calls to specific servers or let the orchestrator choose based on tool availability.

Managing Bolt servers from the TUI

You can add, remove, and monitor Bolt servers without leaving CyberStrike:
1

Open the server list

Press your leader key followed by b to open the sidebar. Bolt servers appear alongside their connection status.
2

Add a server

Select Add Bolt server from the sidebar menu. You’ll be prompted for the server URL and whether to enable it immediately.
3

Monitor connection status

Each server shows a live connection indicator. A green checkmark means connected and ready. A red cross means the server is unreachable or authentication failed.
4

Disable or remove a server

Select a server in the sidebar to toggle it on/off or remove it. Removing a server deletes its entry from cyberstrike.json.

Use cases

Your laptop’s upload speed is rarely ideal for network scanning. A VPS with a 1 Gbps uplink can run nmap or nuclei across a /16 CIDR in a fraction of the time. Route scan tasks to your Bolt server and watch results stream back to your TUI.
Deploy a Bolt server inside a target network (with authorization) to reach services that aren’t exposed externally. Your CyberStrike TUI stays on your local machine while the Bolt server executes tools with access to internal hosts, Active Directory, and internal APIs.
Keep noisy or destructive tools on dedicated servers. A Bolt server running sqlmap and Metasploit is isolated from your daily workstation. Logs and artifacts stay on the remote server until you explicitly retrieve them.
Run multiple Bolt servers in parallel to distribute large-scope engagements. Assign one server per IP range, one per cloud provider account, or one per target application — then orchestrate everything from a single TUI session.
All traffic between CyberStrike and Bolt servers is encrypted over HTTPS. Ed25519 authentication happens at the connection layer — tools on the Bolt server never handle credentials directly.

Build docs developers (and LLMs) love

Get started for freeTalk to us