pharos

Autonomous two-layer offensive research agent for AI and ML infrastructure.



pharos attacks the server and the AI system running on it in one chained pass. Most recon stops at the service: fingerprint the port, confirm the version, rank an exploit, done. AI and ML deployments carry a second attack surface that a port scanner never touches: the model itself. pharos drives both layers. The infra layer maps the stack and confirms known-vulnerable versions. The AI layer probes the live LLM with an adversarial corpus and measures behavioral drift before and after injection. The output is a scored, prioritized finding with a generated case study, not raw scan text.

pharos is an orchestrator. It does not reimplement the recon tools; it drives them: aimap, js-extractor, BARE, VisorScuba, VisorRAG, VisorCorpus, VisorAgent, VisorLog, Cortex, and pcse. Each phase feeds the next. A tool missing from PATH causes the phase that depends on it to skip cleanly.

Features

  • Seven-phase chain: triage, stack_map, exploit_surface, infra_attack, ai_attack, evidence, decision
  • Active phases gated behind --authorized plus a triage ethics gate (clinical/HIPAA, military/ITAR, honeypot-flagged targets blocked before any active probe)
  • Two-layer attack model: infrastructure CVE chain plus adversarial corpus against the live LLM
  • Behavioral drift measurement: pcse pre- and post-injection baselines. Breach confirmed at hit rate >= 30%, or drift >= 0.25 with hit rate >= 10%
  • Resumable sessions, full per-phase JSON written to disk on every step
  • Five-factor scoring: impact, exploit, breach, dwell, blast radius. Produces P1 to P4 priority and a disclosure-urgency label
  • Markdown case study generated per run
  • Standard library only. requests is an optional add-on, not a requirement
  • --from-sentinel mode pulls the top P1/P2 target from the sentinel queue
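
The breach rule and the five-factor score above, reconstructed as an added example (this is not pharos's own code). The breach thresholds are the README's; the factor weights, the P1 to P4 cut-offs, and every urgency label other than IMMEDIATE are assumptions made for this example, as is using the raw hit rate as the breach factor when the rule does not fire.

```python
# Added example, not pharos's own code. It reconstructs the README's breach rule
# (hit rate >= 30%, or drift >= 0.25 with hit rate >= 10%) and a five-factor score.
# The factor weights, P-tier cut-offs and the non-P1 urgency labels are assumptions.
from dataclasses import dataclass

BREACH_HIT_RATE = 0.30            # hit rate alone confirms a breach at this level
BREACH_DRIFT = 0.25               # drift this large confirms a breach ...
BREACH_DRIFT_MIN_HIT_RATE = 0.10  # ... but only with at least this much hit rate

# Assumed weights; each factor is normalised to [0, 1] before weighting.
WEIGHTS = {"impact": 0.30, "exploit": 0.25, "breach": 0.20, "dwell": 0.10, "blast_radius": 0.15}
TIERS = [("P1", 0.75), ("P2", 0.50), ("P3", 0.25), ("P4", 0.0)]  # assumed cut-offs
URGENCY = {"P1": "IMMEDIATE", "P2": "URGENT", "P3": "SCHEDULED", "P4": "BACKLOG"}  # only IMMEDIATE is from the README


def hit_rate(results):
    """Fraction of adversarial prompts that scored a hit.

    `results` is one bool per prompt (True = the LLM did what the injection asked).
    An empty corpus yields 0.0 rather than a division error."""
    if not results:
        return 0.0
    return sum(1 for r in results if r) / len(results)


def breach_confirmed(rate, drift):
    """README rule: hit rate >= 30%, or drift >= 0.25 together with hit rate >= 10%.

    Drift alone is never enough: a model whose pcse baseline moved but that never
    complied with a single injection does not count as breached."""
    return rate >= BREACH_HIT_RATE or (drift >= BREACH_DRIFT and rate >= BREACH_DRIFT_MIN_HIT_RATE)


def score(factors):
    """Weighted sum over the five factors, rounded to 3 places like the README output."""
    if set(factors) != set(WEIGHTS):
        raise ValueError(f"expected factors {sorted(WEIGHTS)}, got {sorted(factors)}")
    for name, value in factors.items():
        if not 0.0 <= value <= 1.0:
            raise ValueError(f"factor {name}={value} is outside [0, 1]")
    return round(sum(WEIGHTS[k] * factors[k] for k in WEIGHTS), 3)


def priority(s):
    for tier, floor in TIERS:
        if s >= floor:
            return tier
    return "P4"


@dataclass
class Decision:
    hit_rate: float
    drift: float
    breach: bool
    score: float
    priority: str
    urgency: str


def decide(results, drift, impact, exploit, dwell, blast_radius):
    """Decision-phase summary for one run. The breach factor is 1.0 when the rule
    fires and falls back to the raw hit rate otherwise (an assumption of this example)."""
    rate = hit_rate(results)
    breach = breach_confirmed(rate, drift)
    s = score({"impact": impact, "exploit": exploit, "breach": 1.0 if breach else rate,
               "dwell": dwell, "blast_radius": blast_radius})
    p = priority(s)
    return Decision(rate, drift, breach, s, p, URGENCY[p])


if __name__ == "__main__":
    # Constructed ai_attack outcome: 20 prompts, 4 hits, pcse drift 0.30.
    d = decide([True] * 4 + [False] * 16, drift=0.30, impact=0.9, exploit=0.8, dwell=0.5, blast_radius=0.7)
    print(f"{d.priority}  score={d.score:.3f}  breach={'YES' if d.breach else 'NO'}  drift={d.drift:.3f}")
```

The constructed run has a 20% hit rate, which is below the 30% line on its own, but drift of 0.30 with more than 10% hits still confirms the breach. Drop the drift to 0.10 and the same run is unconfirmed and lands in P2 under the assumed weights, which is the point of the two-pronged rule: drift corroborates a weak hit rate, it never substitutes for one.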

Installation

git clone https://github.com/nuclide-research/pharos

Python 3.9 or later. Tested on 3.12. No required pip dependencies. One phase (ai_attack) uses requests to probe LLM endpoints, but the import is guarded.

pip install requests   # optional, enables live LLM baseline probing

Usage

pharos run <ip>                          # passive only: triage + stack map, then stop
pharos run <ip> --authorized             # full chain, all 7 phases (active)
pharos run --from-sentinel               # pull top P1/P2 target from sentinel queue
pharos run --from-sentinel --authorized  # full chain on the sentinel target
pharos status                            # list the 10 most recent runs
pharos report <session_id>               # print the full session JSON

Invoke with python3 pharos.py <args>, or symlink pharos.py onto PATH.

run takes either a positional IP or --from-sentinel. --authorized unlocks the four active phases (infra_attack, ai_attack, evidence, decision). Without it, pharos runs the three passive phases and exits.

Tools by phase

Phase            Tool                           Role
triage           aimap-profile                  Target classification, ethics gate
stack_map        aimap, js-extractor            Service fingerprint, baked-secret scan of SPA bundles
exploit_surface  BARE, VisorScuba               Semantic module ranking, compliance score
infra_attack     VisorRAG                       LLM-driven recon chain, JSONL event stream
ai_attack        VisorCorpus, VisorAgent, pcse  Adversarial corpus build, injection run, behavioral drift
evidence         VisorLog, Cortex               Ledger ingest, authorization-context analysis
decision         (none)                         Scoring and prioritization, pure Python

The chain

Seven phases in order. Each writes a PhaseResult into the session and saves on every step, so a run is resumable even when it stops early.

  1. triage (passive). Classify with aimap-profile. Gate and stop on clinical/HIPAA, military/ITAR, or honeypot signals
  2. stack_map (passive). Fingerprint services with aimap, detect LLM endpoints and web ports, run js-extractor on the first web port to pull secrets baked into SPA bundles
  3. exploit_surface (passive). Confirm the version against an internal CVE-range table, rank Metasploit-style modules with BARE, pull a VisorScuba compliance score, decide which active phases to skip
  4. infra_attack (active). Drive VisorRAG for an LLM-led recon chain (aimap + visorgraph + menlohunt + nuclei), parse the JSONL stream into findings
  5. ai_attack (active). Build a platform-specific adversarial corpus with VisorCorpus, fire it at the live LLM with VisorAgent, compute hit rate, measure pcse drift between pre- and post-injection baselines
  6. evidence (active). Collect critical findings, ingest into VisorLog, run Cortex authorization-context analysis on the top finding, generate a Markdown case study
  7. decision (active). Five-factor score producing a P1 to P4 priority, disclosure-urgency label, and a list of next actions
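
The version-range check in step 3 is where most stack-fingerprint pipelines go wrong, so here is a matcher of the kind exploit_surface needs, as an added example rather than pharos's own code. The product names and advisory labels in the table are constructed placeholders, not real CVE identifiers, and the needs_active flag that drives the skip decision is an assumption of this example.

```python
# Added example, not pharos's own code: a version-range matcher of the kind the
# exploit_surface phase needs. The product names and advisory labels in the table
# below are constructed placeholders, not real CVE identifiers.
import re

_VERSION_RE = re.compile(r"v?(\d+(?:\.\d+)*)(?:[-+.]?([0-9A-Za-z.]+))?")
_CONSTRAINT_RE = re.compile(r"(>=|<=|==|>|<)\s*(\S+)")


def parse_version(text):
    """'v1.10.2-rc1' -> ((1, 10, 2), 'rc1'). Components are ints, so 1.10 > 1.9;
    a naive string compare gets that backwards."""
    m = _VERSION_RE.fullmatch(text.strip())
    if not m:
        raise ValueError(f"unparseable version: {text!r}")
    return tuple(int(x) for x in m.group(1).split(".")), m.group(2)


def version_cmp(a, b):
    """-1, 0 or 1. Short versions are zero-padded (1.4 == 1.4.0) and a pre-release
    sorts before its release (1.4.2-rc1 < 1.4.2), which matters for '<' bounds:
    the rc that still carries the bug must be flagged."""
    an, ap = parse_version(a)
    bn, bp = parse_version(b)
    n = max(len(an), len(bn))
    an += (0,) * (n - len(an))
    bn += (0,) * (n - len(bn))
    ka = (an, 0 if ap else 1, ap or "")
    kb = (bn, 0 if bp else 1, bp or "")
    return (ka > kb) - (ka < kb)


def in_range(version, spec):
    """spec is a comma-separated list of constraints, e.g. '>=1.0.0,<1.4.2'.
    Every constraint must hold."""
    for part in spec.split(","):
        m = _CONSTRAINT_RE.fullmatch(part.strip())
        if not m:
            raise ValueError(f"bad constraint: {part!r}")
        op, bound = m.groups()
        c = version_cmp(version, bound)
        if not {">=": c >= 0, ">": c > 0, "<=": c <= 0, "<": c < 0, "==": c == 0}[op]:
            return False
    return True


# Constructed table in the shape a CVE-range table needs: product, affected range,
# an advisory label, and whether confirming it requires an active phase.
CVE_RANGES = [
    {"product": "example-llm-gateway", "range": ">=1.0.0,<1.4.2",
     "id": "PLACEHOLDER-ADVISORY-1", "needs_active": True},
    {"product": "example-llm-gateway", "range": ">=2.0.0,<2.1",
     "id": "PLACEHOLDER-ADVISORY-2", "needs_active": False},
    {"product": "example-vector-db", "range": "<0.9",
     "id": "PLACEHOLDER-ADVISORY-3", "needs_active": True},
]


def match_known_vulnerable(product, version, table=CVE_RANGES):
    """Advisory labels whose range contains the fingerprinted version."""
    return [e["id"] for e in table
            if e["product"] == product and in_range(version, e["range"])]


def active_phases_needed(product, version, table=CVE_RANGES):
    """exploit_surface's skip decision: only run active phases if at least one
    matching entry cannot be confirmed passively."""
    return any(e["needs_active"] for e in table
               if e["product"] == product and in_range(version, e["range"]))
```

Two caveats a practitioner should keep in mind: ordering between two pre-releases of the same version is lexical here (rc10 sorts before rc2), and fingerprints frequently return a truncated or banner-derived version, so a "<1.4.2" match on "1.4" is a lead to confirm, not a confirmed vulnerable build.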

Output

Each run lands in ~/pharos/runs/<timestamp>-<ip>/. The directory holds session.json (full phase data), tool artifacts (aimap.json, visorrag-stream.jsonl, pharos-corpus.json, bare-output.json, others), and case-study.md. Terminal prints a per-phase status line as the chain runs, then the decision summary.
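
The resumable-session layout described above, as an added example that is not pharos's own code: a minimal chain that records one PhaseResult per phase, rewrites session.json atomically after every step, runs the active phases only when authorized, and stops on a triage gate. Phase bodies are stand-ins for the tool-driving phases, the gate matches a flat list of profile tags (an assumed shape for aimap-profile output), and the addresses are TEST-NET placeholders.

```python
# Added example, not pharos's own code: a minimal resumable phase chain in the shape
# the README describes (one PhaseResult per phase, session.json rewritten after every
# step, passive phases always, active phases only with --authorized, triage gate
# stops the chain). Phase bodies are stand-ins; the real phases drive external tools.
import json
import tempfile
import time
from dataclasses import dataclass, asdict
from pathlib import Path

PASSIVE = ["triage", "stack_map", "exploit_surface"]
ACTIVE = ["infra_attack", "ai_attack", "evidence", "decision"]
# Gate categories from the README. Matching them against aimap-profile output this way
# (a flat list of tags) is an assumption of this example.
GATE_TAGS = {"clinical", "hipaa", "military", "itar", "honeypot"}


@dataclass
class PhaseResult:
    phase: str
    status: str   # "ok" or "gated"
    data: dict


class Session:
    """Holds session.json for one run dir and rewrites it atomically on every record()."""

    def __init__(self, run_dir, ip, authorized):
        self.path = Path(run_dir) / "session.json"
        if self.path.exists():
            self.state = json.loads(self.path.read_text())   # resume an earlier run
        else:
            self.state = {"ip": ip, "authorized": authorized, "phases": {}}
        self.path.parent.mkdir(parents=True, exist_ok=True)

    def previous(self, phase):
        return self.state["phases"].get(phase)

    def record(self, result):
        self.state["phases"][result.phase] = asdict(result)
        tmp = self.path.with_suffix(".tmp")
        tmp.write_text(json.dumps(self.state, indent=2))
        tmp.replace(self.path)   # rename is atomic: a crash mid-write never tears session.json


def run_chain(run_dir, ip, authorized, profile_tags, executed, stop_after=None):
    """Run the phases not yet in session.json. `profile_tags` stands in for aimap-profile
    output, `executed` collects the phases that actually ran (so a resume is observable),
    and `stop_after` simulates an interrupted run. Returns the chain outcome."""
    session = Session(run_dir, ip, authorized)
    for phase in PASSIVE + (ACTIVE if authorized else []):
        prev = session.previous(phase)
        if prev is not None:
            if prev["status"] == "gated":
                return "gated"     # a gated target stays gated on resume
            continue               # already persisted by an earlier run
        if phase == "triage":
            hits = GATE_TAGS & {t.lower() for t in profile_tags}
            if hits:
                session.record(PhaseResult("triage", "gated", {"reason": sorted(hits)}))
                return "gated"     # no later phase, passive or active, ever runs
        executed.append(phase)
        session.record(PhaseResult(phase, "ok", {}))   # real phases put tool output here
        if phase == stop_after:
            return "interrupted"
    return "complete" if authorized else "passive_only"


def demo():
    """Interrupt a passive run, resume it, then show a gated target. Uses TEST-NET
    addresses and a throwaway directory; returns what happened for inspection."""
    with tempfile.TemporaryDirectory() as tmp:
        ip = "203.0.113.10"
        run_dir = Path(tmp) / "runs" / f"{time.strftime('%Y%m%dT%H%M%S')}-{ip}"
        first, second, gated = [], [], []
        r1 = run_chain(run_dir, ip, False, ["litellm", "web"], first, stop_after="stack_map")
        r2 = run_chain(run_dir, ip, False, ["litellm", "web"], second)
        r3 = run_chain(Path(tmp) / "gated", "203.0.113.11", True, ["clinical"], gated)
        phases = sorted(json.loads((run_dir / "session.json").read_text())["phases"])
        return {"first": (r1, first), "second": (r2, second), "gated": (r3, gated), "phases": phases}


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The write-to-temp-then-rename step is the part worth copying: a session file that is truncated mid-JSON by a crash is not resumable, and "saves on every step" only helps if each save is all-or-nothing. Note also that the gate outcome is itself persisted, so a gated target cannot be un-gated by simply re-running the session.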

PHAROS  <ip>  platform=litellm  authorized=True
  session: 20260528T...-<ip>
  run dir: /home/<user>/pharos/runs/20260528T...-<ip>

  [triage]  ok
  [stack_map]  ok
  [exploit_surface]  ok
  [infra_attack]  ok
  [ai_attack]  ok
  [evidence]  ok
  [decision]  ok
  ----------------------------------------------------------
  P1  score=0.812  breach=YES  drift=0.341
  IMMEDIATE: <attack chain summary>
    * <next action>

A gated triage stops the chain immediately and prints the gate reason.

Tests

pytest

Covers the scoring math, the version-range matcher, the breach and drift logic, the triage ethics gates, and the sentinel queue parser. The ai_attack test confirms the phase completes with no tools installed.

Scope

pharos is an offensive research agent. The four active phases drive live exploits against live infrastructure and live LLMs. The active path is gated behind two layers: --authorized is required to unlock it, and the triage phase blocks clinical/HIPAA, military/ITAR, and honeypot-flagged targets before any active probe runs. Run pharos only against your own infrastructure or in-scope, written-authorized targets. Without --authorized, the passive phases run and the chain stops.

This is a research tool. Treat the output as evidence, not as remediation copy.

Our other projects

  • aimap — fingerprint scanner for AI and ML infrastructure
  • sentinel — CVE-reactive exposure pipeline, feeds the pharos queue
  • winnow — codified false-positive screen
  • visorlog — finding ledger
  • BARE — semantic exploit-module ranking

License

MIT. Part of the NuClide toolchain. Contact: nuclide-research.com
