-
Notifications
You must be signed in to change notification settings - Fork 0
Home
A multi-layered defensive architecture designed to contain, degrade, disrupt, and commandeer autonomous offensive AI agents.
Built by DaxxSec & Claude (Anthropic)
Autonomous AI agents are being deployed for offensive cyber operations — automated recon, exploitation, and lateral movement at machine speed. But AI agents have cognitive dependencies that humans don't — and almost nobody is building defenses that target those dependencies.
LABYRINTH changes that.
# Clone, build, and install
git clone https://github.com/DaxxSec/labyrinth.git
cd labyrinth && ./scripts/install.sh
# Run the smoke test to verify everything works
./scripts/smoke-test.sh
# Deploy a test environment
labyrinth deploy -t
# Launch the TUI monitoring dashboard
labyrinth tuiOr grab a pre-built binary and run ./labyrinth --install.
./scripts/attacker-setup.shChoose from PentAGI, PentestAgent, Strix, or bring your own tool. All agents run in isolated Docker containers on the LABYRINTH network.
Agent connects to portal trap service
└─→ Container spawned (Layer 1 — THRESHOLD)
└─→ Agent explores contradictory environment (Layer 2 — MINOTAUR)
└─→ Terminal encoding corrupted (Layer 3 — BLINDFOLD)
└─→ System prompt intercepted & rewritten (Layer 4 — PUPPETEER)
All activity captured → Dashboard at http://localhost:9000
LABYRINTH implements a reverse kill chain — the deeper an agent penetrates, the more compromised it becomes.
| Layer | Codename | Action | What It Does |
|---|---|---|---|
| L0 | BEDROCK |
HARDEN | AES-256 forensics, VLAN isolation, retention policy |
| L1 | THRESHOLD |
CONTAIN | Portal trap routes connections into isolated containers |
| L2 | MINOTAUR |
DEGRADE | Contradictory environments erode the agent's world model |
| L3 | BLINDFOLD |
DISRUPT | Encoding corruption blinds the agent's I/O parsing |
| L4 | PUPPETEER |
CONTROL | MITM intercept captures and rewrites the agent's instructions |
Depth of penetration = Depth of compromise
| Page | Description |
|---|---|
| Architecture | Reverse kill chain, layer summary, data flow |
| Installation | Prerequisites, install options, first deployment |
| CLI-Reference | All commands, flags, examples |
| TUI-Dashboard | 5 tabs, keybindings, data sources |
| Layer-0-BEDROCK | Encryption, network isolation, proxy, retention |
| Layer-1-THRESHOLD | SSH/HTTP portal traps, session logging, bait |
| Layer-2-MINOTAUR | Contradiction catalog, adaptive mode, density |
| Layer-3-BLINDFOLD | Corruption payloads, triggers, recovery traps |
| Layer-4-PUPPETEER | MITM proxy, prompt capture/swap, modes |
| Configuration | Full labyrinth.yaml reference |
| Deployment-Topology | Docker services, network, volumes, ports |
| Forensics-and-API | JSONL schema, session reports, dashboard API, SIEM |
| Testing-with-Attackers | PentAGI, PentestAgent, Strix, custom agents |
| Threat-Model | Agent cognitive dependencies and countermeasures |
MIT License — see LICENSE for details.
This project is intended for defensive security research only. The techniques described are designed to be deployed within controlled portal trap environments that the operator owns and controls. Always ensure compliance with applicable laws and organizational policies.
Getting Started
Architecture
Layers
Operations