🛡️ Hancock — CyberViser AI Security Agent

Automate cybersecurity through specialized LLMs — from pentesting to SOC analysis.

🌐 Website · 📖 API Docs · 📋 Business Proposal · 🐛 Report Bug · ✨ Request Feature

---

🚀 What is Hancock?

Hancock is CyberViser's AI-powered cybersecurity agent, fine-tuned on Mistral 7B using:

• MITRE ATT&CK — TTPs, tactics, procedures
• NVD/CVE — Real vulnerability data
• Pentest Knowledge Base — Recon, exploitation, post-exploitation

It operates in three specialist modes and exposes a clean REST API.

╔══════════════════════════════════════════════════════════╗
║  ██╗  ██╗ █████╗ ███╗   ██╗ ██████╗ ██████╗  ██████╗██╗ ║
║  ██║  ██║██╔══██╗████╗  ██║██╔════╝██╔═══██╗██╔════╝██║ ║
║  ███████║███████║██╔██╗ ██║██║     ██║   ██║██║     ██║ ║
║  ██╔══██║██╔══██║██║╚██╗██║██║     ██║   ██║██║     ██╚╗║
║  ██║  ██║██║  ██║██║ ╚████║╚██████╗╚██████╔╝╚██████╗╚═╝║║
║  ╚═╝  ╚═╝╚═╝  ╚═╝╚═╝  ╚═══╝ ╚═════╝ ╚═════╝  ╚═════╝   ║
║          CyberViser — Pentest + SOC Specialist           ║
╚══════════════════════════════════════════════════════════╝

---

📋 Table of Contents

• Features
• Quick Start
• API Reference
• Fine-Tuning
• Roadmap
• Contributing
• License

---

✨ Features

Mode	Description	Status
🔴 Pentest Specialist	Recon, exploitation, CVE analysis, PTES reporting	✅ Live
🔵 SOC Analyst	Alert triage, SIEM queries, PICERL IR, Sigma/YARA	✅ Live
⚡ Auto	Context-aware switching between pentest + SOC	✅ Live
💻 Code	Security code: YARA, KQL, SPL, Sigma, Python, Bash	✅ Live
👔 CISO	Compliance, risk reporting, board summaries, gap analysis	✅ Live
🔍 Sigma	Sigma detection rule authoring with ATT&CK tagging	✅ Live
🦠 YARA	YARA malware detection rule authoring	✅ Live
🔎 IOC	Threat intelligence enrichment for IOCs	✅ Live
🔐 GraphQL Security	GraphQL auth/authz testing, IDOR detection, JWT security	✅ Live

---

⚡ Quick Start

1. Install dependencies

git clone https://github.com/cyberviser/Hancock.git
cd Hancock
python -m venv .venv && source .venv/bin/activate
pip install -r requirements.txt

2. Configure your API key

cp .env.example .env
# Edit .env and add your NVIDIA API key
# Get one free at: https://build.nvidia.com

3. Run the CLI

export NVIDIA_API_KEY="nvapi-..."
python hancock_agent.py

4. Or run as a REST API server

python hancock_agent.py --server --port 5000

5. Build the training dataset

# v2 dataset (pentest + SOC):
python hancock_pipeline.py --phase all

# v3 dataset (+ CISA KEV + Atomic Red Team + GitHub Advisories):
python hancock_pipeline.py --phase 3

6. Fine-tune Hancock on Mistral 7B

python hancock_finetune.py

---

🌐 API Reference

Start the server: python hancock_agent.py --server

Endpoints

Method	Endpoint	Description
GET	/health	Agent status and capabilities
GET	/metrics	Prometheus-compatible request counters
GET	/v1/agents	All agent system prompts and defaults
POST	/v1/chat	Conversational AI with history + streaming
POST	/v1/ask	Single-shot question
POST	/v1/triage	SOC alert triage + MITRE ATT&CK mapping
POST	/v1/hunt	Threat hunting query generator (Splunk/Elastic/Sentinel)
POST	/v1/respond	PICERL incident response playbook
POST	/v1/code	Security code generation (YARA/Sigma/KQL/SPL)
POST	/v1/ciso	CISO advisory: risk, compliance, board reports, gap analysis
POST	/v1/sigma	Sigma detection rule generator
POST	/v1/yara	YARA malware detection rule generator
POST	/v1/ioc	IOC threat intelligence enrichment (IP, domain, URL, hash, email)
POST	/v1/webhook	Ingest alerts from Splunk/Elastic/Sentinel/CrowdStrike

Examples

Alert Triage:

curl -X POST http://localhost:5000/v1/triage \
  -H "Content-Type: application/json" \
  -d '{"alert": "Mimikatz detected on DC01 at 03:14 UTC"}'

Threat Hunting (Splunk):

curl -X POST http://localhost:5000/v1/hunt \
  -H "Content-Type: application/json" \
  -d '{"target": "lateral movement via PsExec", "siem": "splunk"}'

Sigma Rule Generation:

curl -X POST http://localhost:5000/v1/sigma \
  -H "Content-Type: application/json" \
  -d '{"description": "Detect LSASS memory dump", "logsource": "windows sysmon", "technique": "T1003.001"}'

YARA Rule Generation:

curl -X POST http://localhost:5000/v1/yara \
  -H "Content-Type: application/json" \
  -d '{"description": "Cobalt Strike beacon default HTTP profile", "file_type": "PE"}'

IOC Enrichment:

curl -X POST http://localhost:5000/v1/ioc \
  -H "Content-Type: application/json" \
  -d '{"indicator": "185.220.101.35", "type": "ip"}'

GraphQL Security Testing:

# Generate GraphQL security knowledge base
python collectors/graphql_security_kb.py

# Run GraphQL security tests (requires authorization)
python collectors/graphql_security_tester.py \
  --url https://api.example.com/graphql \
  --token <jwt-token> \
  --verbose \
  --report graphql_security_report.json

CISO Board Summary:

curl -X POST http://localhost:5000/v1/ciso \
  -H "Content-Type: application/json" \
  -d '{"question": "Summarise top 5 risks for the board", "output": "board-summary", "context": "50-person SaaS, AWS"}'

Incident Response Playbook:

curl -X POST http://localhost:5000/v1/respond \
  -H "Content-Type: application/json" \
  -d '{"incident": "ransomware"}'

📖 Full OpenAPI 3.1.0 spec: docs/openapi.yaml · Interactive API Docs

CLI Commands

/mode pentest   — switch to Pentest Specialist
/mode soc       — switch to SOC Analyst
/mode auto      — combined persona (default)
/mode code      — security code (Qwen Coder 32B)
/mode ciso      — CISO strategy & compliance
/mode sigma     — Sigma detection rule authoring
/mode yara      — YARA malware detection rule authoring
/mode ioc       — IOC threat intelligence enrichment
/clear          — clear conversation history
/history        — show history
/model <id>     — switch NVIDIA NIM model
/exit           — quit

---

🤖 Fine-Tuning

Hancock uses LoRA fine-tuning on Mistral 7B — trained on a multi-source cybersecurity dataset (MITRE ATT&CK + NVD CVEs + SOC/Pentest KB + CISA KEV + Atomic Red Team + GitHub Security Advisories).

⚡ One-Click: Colab / Kaggle (Free T4)

Works on both Google Colab and Kaggle — auto-detects environment:

1. Click the badge above (or import Hancock_Universal_Finetune.ipynb on Kaggle)
2. Enable GPU (Colab: Runtime → T4 GPU / Kaggle: Settings → Accelerator → T4)
3. Run all (~30 min)
4. Downloads GGUF Q4_K_M at end — run locally with Ollama

Or use the CLI script directly:

python hancock_finetune_v3.py --steps 300 --export-gguf --push-to-hub

CPU Fine-Tuning (No GPU Required)

Run on any machine — trains TinyLlama-1.1B with LoRA (adapter already included):

# Quick test (10 steps, ~40 min)
python hancock_cpu_finetune.py --debug

# Full run (500 steps, ~25 hr on 16-core CPU)
python hancock_cpu_finetune.py --max-steps 500

# Load and test the saved adapter
python hancock_cpu_finetune.py --test

Pre-trained adapter: hancock-cpu-adapter/ — TinyLlama-1.1B + LoRA (r=8, eval_loss=2.084)

Other GPU Options

Platform	GPU	Cost	Script
Google Colab	T4 16GB	Free (15 hr/day)	Hancock_Universal_Finetune.ipynb
Kaggle	T4 16GB	Free (30 hr/week)	Hancock_Universal_Finetune.ipynb
Modal.com	T4/A10G	Free $30/mo	modal run train_modal.py
Any GPU server	Any	Varies	python hancock_finetune_gpu.py

After Training — Run Locally

# Load fine-tuned model in Ollama
ollama create hancock -f Modelfile.hancock-finetuned
ollama run hancock

Training Data

Dataset	Samples	Sources	Command
hancock_v2.jsonl	1,375	MITRE ATT&CK + NVD CVE + Pentest KB + SOC KB	python hancock_pipeline.py --phase 2
hancock_v3.jsonl	5,670	v2 + CISA KEV + Atomic Red Team + GitHub Security Advisories	python hancock_pipeline.py --phase 3

# Generate latest v3 dataset (internet required)
python hancock_pipeline.py --phase 3

# Or offline-only (static KB, no internet)
python hancock_pipeline.py --kb-only

data/
├── hancock_pentest_v1.jsonl    # Pentest training data (MITRE + CVE + KB)
├── hancock_v2.jsonl            # v2 dataset — pentest + SOC
└── hancock_v3.jsonl            # v3 dataset — + CISA KEV + Atomic Red Team + GHSA (build with --phase 3)

collectors/
├── mitre_collector.py          # Fetches MITRE ATT&CK TTPs
├── nvd_collector.py            # Fetches NVD/CVE vulnerability data
├── pentest_kb.py               # Pentest knowledge base Q&A
├── soc_collector.py / soc_kb.py
├── cisa_kev_collector.py       # CISA Known Exploited Vulnerabilities
├── atomic_collector.py         # Atomic Red Team test cases
├── ghsa_collector.py           # GitHub Security Advisories
├── graphql_security_kb.py      # GraphQL auth/authz vulnerability KB
└── graphql_security_tester.py  # GraphQL security testing framework

formatter/
├── to_mistral_jsonl.py         # v1 formatter
├── to_mistral_jsonl_v2.py      # v2 formatter
└── formatter_v3.py             # v3 formatter — merges all sources

---

🗺️ Roadmap

Phase	Focus	Status
Phase 1	Pentest Specialist + SOC REST API	✅ Live
Phase 2	SOC deep specialization + v3 dataset (KEV/Atomic/GHSA)	✅ Live
Phase 3	CISO strategy + compliance automation	✅ Live
Phase 4	Enterprise platform + SIEM/SOAR integrations	📋 Planned

---

🤝 Contributing

Contributions are welcome! Please read CONTRIBUTING.md first.

1. Fork the repo
2. Create a feature branch: git checkout -b feat/my-feature
3. Commit your changes: git commit -m 'feat: add my feature'
4. Push and open a PR

---

📄 License

CyberViser Proprietary License — see LICENSE for full terms.

• ✅ View and study the code
• ✅ Run locally for personal/research use
• ✅ Submit contributions (assigned to CyberViser)
• ❌ Commercial use without a written license agreement
• ❌ Redistribution or reselling
• ❌ Building competing products or services
• ❌ Training AI/ML models on the code or datasets
• ❌ White-labeling or removing CyberViser branding

For commercial licensing: contact@cyberviser.ai

---

Built by CyberViser · Powered by NVIDIA NIM · Mistral 7B · LoRA