Multi-agent attack chain framework. Define declarative attack chains that link audit and inject modules into multi-step exploitation paths, then validate and trace them.
chain
chain validate
Validate an attack chain definition without executing it. Checks syntax, step references, module/technique validity, and graph structure.
counteragent chain validate [OPTIONS]
| Option | Required | Description |
|---|---|---|
| --chain-file | Yes | Path to chain definition to validate |
counteragent chain validate --chain-file chain.yaml
Exits with code 0 on success, code 1 if validation errors are found. Error output includes the step ID, field, and description for each problem.
chain list-templates
List available attack chain templates.
counteragent chain list-templates [OPTIONS]
| Option | Required | Description |
|---|---|---|
| --category | No | Filter by category: rag_pipeline, agent_delegation, mcp_ecosystem, hybrid |
counteragent chain list-templates
counteragent chain list-templates --category mcp_ecosystem
chain run
Execute an attack chain against a target architecture. Default mode is dry-run (simulation only) which traces the success path without executing destructive steps.
counteragent chain run [OPTIONS]
| Option | Required | Description |
|---|---|---|
| --chain-file | Yes | Path to attack chain definition (YAML) |
| --dry-run / --no-dry-run | No | Trace path without executing destructive steps (default: --dry-run) |
| --output | No | Output file for trace result JSON |
| --verbose / -v | No | Verbose output |
counteragent chain run --chain-file chain.yaml --dry-run
counteragent chain run --chain-file chain.yaml --output trace.json -v
The --dry-run flag is enabled by default. Dry-run mode walks the success path, reports each step and trust boundary crossing, and produces a trace JSON — without making any network calls or sending any payloads.
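An added example (not part of the counteragent project) that uses the documented exit codes of chain validate as a gate in front of chain run: every chain file in a directory is validated, and only the valid ones are traced in dry-run mode. The function name, the directory layout, and the .trace.json naming are assumptions; only flags shown on this page are used.

```shell
# Added example: gate dry-run traces on successful validation.
# Assumptions: chain definitions are *.yaml files in one directory, and
# `counteragent` is on PATH.
#
# Usage: validate_then_trace CHAIN_DIR TRACE_DIR
# Returns 0 if every chain validated and traced, 1 otherwise.
validate_then_trace() (
    chain_dir=$1
    trace_dir=$2
    failed=0

    mkdir -p "$trace_dir" || exit 1

    for chain in "$chain_dir"/*.yaml; do
        [ -e "$chain" ] || continue    # glob matched nothing
        name=$(basename "$chain" .yaml)

        # Documented contract: exit 0 = valid, exit 1 = validation errors.
        if ! counteragent chain validate --chain-file "$chain"; then
            echo "SKIP $name: validation failed" >&2
            failed=1
            continue
        fi

        # Pass --dry-run explicitly rather than relying on the default,
        # so the intent is visible in logs and review.
        if ! counteragent chain run --chain-file "$chain" --dry-run \
                --output "$trace_dir/$name.trace.json"; then
            echo "FAIL $name: dry-run trace failed" >&2
            failed=1
        fi
    done

    exit "$failed"
)
```

The function body runs in a subshell, so its variables do not leak into the caller, and a chain that fails validation never reaches chain run.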
chain blast-radius
Analyze blast radius from a completed chain execution. Quantifies what the attacker reached: data, systems, actions, and persistence.
counteragent chain blast-radius [OPTIONS]
| Option | Required | Description |
|---|---|---|
| --results-dir | Yes | Path to completed chain results |
| --format | No | Output format: html or json (default: html) |
| --output | No | Output file path |
Blast radius analysis is not yet implemented. The command is defined but returns a stub.
chain detect
Generate detection rules from observed attack patterns. Produces Sigma or Wazuh rules that would detect the chain’s execution in a monitored environment.
counteragent chain detect [OPTIONS]
| Option | Required | Description |
|---|---|---|
| --results-dir | Yes | Path to completed chain results |
| --format | No | Rule format: sigma or wazuh (default: sigma) |
| --output | No | Output directory for detection rules |
Detection rule generation is not yet implemented. The command is defined but returns a stub.