Mythos
Browse 64 Mythos modes for AI coding agents — production-grounded, cited, installable. Part of the VIBE library.
mythos-active-defender-eval-mode
Add active defenders to cyber ranges — penalise alerts, integrate EDR + analyst response, score evasion-resistance
View → modemythos-adversarial-validator-mode
Challenge proposed security findings with counter-arguments before they reach an analyst, reducing false positives
View → modemythos-adversary-emulator-mode
MITRE ATT&CK-driven adversary emulation modeled on PNNL's ALOHA water-plant scaffold
View → modemythos-ai-llm-probe-mode
Build defender-side LLM safety systems using activations-based probes, classifier ensembles, and prompt-injection / jailbreak detection - the Anthropic Safeguards approach
View → modemythos-algorithm-bug-hunter-mode
Find bugs that require understanding the underlying algorithm — LZW, parsers, crypto, consensus
View → modemythos-behavioral-analysis-mode
Automated transcript analysis of autonomous cyber-agent runs — unique services, exploit/exploration ratio, credential reuse, drift detection, cost-per-milestone
View → modemythos-binary-fuzz-corpus-mode
Build and maintain high-quality fuzzing corpora for OSS-Fuzz, ClusterFuzzLite, and libFuzzer - seed selection, dictionaries, structure-aware grammars, coverage gap analysis
View → modemythos-binary-reverse-engineer-mode
Black-box binary analysis with Ghidra/IDA/Binary Ninja for in-scope closed-source targets
View → modemythos-commit-archeologist-mode
Mine git history for security-relevant commits and find sibling call sites that never received the fix
View → modemythos-context-compaction-eval-mode
Implement and audit context compaction for long-horizon agent runs — ~80% trigger, summarization fidelity, KV-cache cost tradeoffs, credential handling
View → modemythos-coordinated-disclosure-mode
Run a vulnerability through validation, severity scoring, maintainer outreach, and embargoed disclosure
View → modemythos-crypto-protocol-auditor-mode
Audit cryptographic protocols for design and implementation flaws across TLS, JOSE, OAuth, OIDC, and post-quantum migration paths
View → modemythos-ctf-vs-range-framing-mode
Decide when CTFs measure the right thing vs when chained-autonomy ranges do — failure-mode taxonomy and capability-portfolio guidance
View → modemythos-cti-threat-intel-mode
Cyber threat intelligence with rigor - STIX/TAXII, MITRE ATT&CK mapping, IOC enrichment, attribution-with-uncertainty, end-to-end detection-rule generation per CTI-REALM
View → modemythos-cyber-bench-survey-mode
Survey of cyber-eval benchmarks (NYU CTF, InterCode-CTF, Cybench, CyberSecEval, AISI ranges) with saturation curves and a "what to use when" decision matrix
View → modemythos-cyber-eval-disclosure-mode
Responsible disclosure norms for cyber-eval results — methodology without exploit recipes, hash-then-reveal pattern, coordinating with developers and governments
View → modemythos-cyber-range-designer-mode
Design multi-step, milestone-graded cyber ranges for AI agent evaluation, modeled on AISI's "The Last Ones" and "Cooling Tower"
View → modemythos-data-flow-tracer-mode
Cross-file taint tracking from sources to sinks, with sanitizer-gap analysis
View → modemythos-eval-limitations-framework-mode
Use the AISI cyber-evals limitations list as a positive design framework for honest, lower-bound capability claims
View → modemythos-exploit-developer-mode
Develop weaponized PoCs from a confirmed vulnerability for authorized red-team engagements
View → modemythos-false-positive-hunter-mode
Reduce noise from Snyk, Trivy, Semgrep, CodeQL, and Dependabot by verifying reachability before raising findings
View → modemythos-finding-triage-mode
Sort raw scanner output by exploitability and blast radius using CVSS v4.0, attack-vector analysis, dedup, and chain grouping
View → modemythos-fuzzing-strategist-mode
Choose the right fuzzer, build a custom harness, design a corpus, and know when fuzzing will not help
View → modemythos-human-ai-teaming-threat-mode
Model and measure the operator-with-AI threat — uplift methodology, bottleneck-intervention cases, teaming-aware eval design
View → modemythos-ics-attack-chain-mode
ICS/SCADA emulation for high-fidelity simulation labs only — water, power, fuel, building automation
View → modemythos-ics-scada-defender-mode
Defend industrial control systems and SCADA networks - Purdue model segmentation, Modbus/DNP3/IEC-104/IEC-61850 anomaly detection, safety-instrumented systems
View → modemythos-ics-step1-xss-hmi-access-mode
Defensive instrumentation for the "Cooling Tower" range Step 1 — initial HMI compromise via default creds + stored XSS, modeled on AISI's 7-step ICS scenario
View → modemythos-ics-step2-modbus-alarm-soceng-mode
Defensive instrumentation for the "Cooling Tower" range Step 2 — Modbus flooding to manufacture a process alarm that lures the admin into the XSS sink, modeled on AISI's 7-step ICS scenario
View → modemythos-ics-step3-path-traversal-rce-mode
Defensive instrumentation for the "Cooling Tower" range Step 3 — admin session reuse + archive-extraction path traversal yielding RCE on HMI-1, modeled on AISI's 7-step ICS scenario
View → modemythos-ics-step4-protocol-reverse-mode
Defensive instrumentation for the "Cooling Tower" range Step 4 — dynamic analysis of a vendor-custom application-layer protocol over Modbus TCP between HMI and PLC, modeled on AISI's 7-step ICS scenario
View → modemythos-ics-step5-crypto-scheme-reverse-mode
Defensive instrumentation for the "Cooling Tower" range Step 5 — exfiltrate the shared library implementing the protocol's auth, decompile, recover the hash-chain scheme, reimplement to forge messages, modeled on AISI's 7-step ICS scenario
View → modemythos-ics-step6-plc-protocol-exploit-mode
Defensive instrumentation for the "Cooling Tower" range Step 6 — direct exploitation of PLC-2 by extracting auth material from memory, hijacking a session, and authenticating with the reversed protocol, modeled on AISI's 7-step ICS scenario
View → modemythos-ics-step7-physical-disruption-mode
Defensive instrumentation for the "Cooling Tower" range Step 7 — manipulation of pump/valve registers to drain the tower and damage equipment, modeled on AISI's 7-step ICS scenario
View → modemythos-incident-responder-mode
Active incident response — scope triage, containment, eradication, recovery, customer notification, and legal coordination per NIST SP 800-61r3
View → modemythos-inference-scaling-eval-mode
Run token-budget sweeps against autonomous cyber agents to measure log-linear inference-time compute scaling, modeled on AISI's 10M→100M findings
View → modemythos-inspect-ai-harness-mode
Build agent evaluations on the UK AISI Inspect AI framework with Sandboxing Toolkit integration, real Task/Solver/Scorer APIs
View → modemythos-inspect-sandboxing-toolkit-mode
Operate the AISI Inspect Sandboxing Toolkit — Docker, Kubernetes, and Proxmox plugins for VM-based agent evaluations
View → modemythos-kernel-privesc-mode
Linux kernel privilege escalation and exploit chaining for authorized testing
View → modemythos-m1-recon-entry-mode
Defensive instrumentation for AISI "The Last Ones" Milestone 1 — perimeter recon, default-credential exposure, and VPN config theft
View → modemythos-m2-kerberos-lateral-mode
Defensive instrumentation for AISI "The Last Ones" Milestone 2 — SMB enumeration and AS-REP roasting against accounts missing Kerberos pre-authentication
View → modemythos-m3-browser-cred-theft-mode
Defensive instrumentation for AISI "The Last Ones" Milestone 3 — DCOM lateral movement and Chrome credential extraction
View → modemythos-m4-csrf-ntlm-relay-mode
Defensive instrumentation for AISI "The Last Ones" Milestone 4 — wiki CSRF planting, forced NTLM auth, relay capture, and password-DB cracking
View → modemythos-m5-webapp-privesc-mode
Defensive instrumentation for AISI "The Last Ones" Milestone 5 — ViewState abuse, SQLi+relay RCE, Kerberos S4U delegation, and LAPS/GPO escalation
View → modemythos-m6-binary-re-key-recovery-mode
Defensive instrumentation for AISI "The Last Ones" Milestone 6 — Windows service RE, pass-the-hash escalation, and AES key recovery
View → modemythos-m7-c2-cicd-harvest-mode
Defensive instrumentation for AISI "The Last Ones" Milestone 7 — HardHat C2 orchestration, Git enumeration, PowerShell history mining, GitLab/TeamCity credential capture
View → modemythos-m8-supply-chain-compromise-mode
Defensive instrumentation for AISI "The Last Ones" Milestone 8 — backdooring a build runner repository to deliver a C# malware artifact through the corporate CI/CD pipeline
View → modemythos-m9-data-exfil-sqli-mode
Defensive instrumentation for AISI "The Last Ones" Milestone 9 — script+SQLi entry, stored-procedure injection, CALL injection, UNION-in-procs to exfiltrate the target database
View → modemythos-memory-corruption-auditor-mode
Sanitizer-aware audit of unsafe C/C++/Rust for buffer overflows, UAF, double-free, type confusion, modeled on Claude Mythos Preview
View → modemythos-mobile-app-auditor-mode
Audit iOS and Android applications against OWASP MASVS using static analysis, Frida instrumentation, and certificate pinning review - for apps you own or are authorized to test
View → modemythos-mythic-c2-detection-mode
Defensive identification of Mythic C2 traffic, agent profiles, and callback artefacts — blue-team only
View → modemythos-opsec-alert-scoring-mode
OPSEC and alert-volume scoring for autonomous offensive AI agents on instrumented eval ranges, modeled on AISI's Elastic Defend deployment
View → modemythos-oss-maintainer-helper-mode
Trusted sidekick for solo and small-team OSS maintainers — triage backlog, prioritize security issues, draft conventions-aware patches
View → modemythos-patch-generator-mode
Generate minimal, style-preserving patches for confirmed vulnerabilities with regression tests and contribution-norm-aware PRs
View → modemythos-pattern-vuln-finder-mode
Mass-scan repos for known dangerous patterns and prioritize by exploitability
View → modemythos-proof-of-concept-builder-mode
Construct minimal, deterministic PoC inputs that reliably trigger a vulnerability for coordinated disclosure
View → modemythos-purple-team-evaluator-mode
Iterative attack-defend-attack loop that measures EDR/SIEM detection coverage and closes gaps
View → modemythos-sandbox-escape-hunter-mode
Hunt sandbox escape primitives across browsers, JIT engines, WASM runtimes, containers, and hypervisors - for vendors and defensive researchers under coordinated disclosure
View → modemythos-secure-code-reviewer-mode
Pre-commit and PR review focused on security regressions — dangerous functions, missing validation, removed sanitizers, weakened crypto
View → modemythos-supply-chain-auditor-mode
Audit software supply chains end to end - SLSA levels, sigstore signing, SBOMs, dependency confusion and typosquat detection across npm/PyPI/crates.io
View → modemythos-token-efficiency-vs-depth-mode
Two-dimensional capability framework — token-efficiency (progress/token) vs capability depth (can the model clear specialist-knowledge steps at any budget?)
View → modemythos-uac-bypass-creative-mode
Adaptive Windows UAC bypass — when the primary technique fails, pivot to a known alternate
View → modemythos-vulnerability-disclosure-mode
Coordinated disclosure workflow — CVE request, GHSA draft, vendor email, embargo timeline, MITRE coordination, adapted to LLM-discovery pace
View → modemythos-web-exploit-crafter-mode
Web vulnerability exploitation chains for in-scope assets — SSRF, prototype pollution, deserialization, JWT, ATO
View → modemythos-zero-day-hunter-mode
Out-of-the-box vulnerability discovery in mature, well-tested codebases, modeled on Claude Mythos Preview
View →