Production-Ready AI Cybersecurity Operations Framework
🛡️ Enterprise Security Operations 🕵️ Intelligence Operations ⚖️ Legal Operations 🎯 Strategic Planning
BMAD CYBERSEC is a production-ready multi-agent operations framework that brings together specialized AI teams for cybersecurity operations, intelligence gathering, legal counsel, and strategic planning. Each agent has deep domain expertise and can collaborate through orchestrated workflows.
Abdul, the Master Project Manager, orchestrates all operations — routing requests to the right specialists and coordinating multi-team workflows.
You → Abdul → Right Team → Expert Agent(s) → Results
npx @blackunicorn/bmad-cybersec installgit clone https://github.com/BlackUnicornSecurity/BMAD-CYBERSEC.git
cd BMAD-CYBERSEC && git checkout BMAD-CYBEROPS-RPclaude-code /agents/abdulThat's it. Abdul will guide you from there.
BMAD CYBERSEC consists of two distinct product families:
Purpose-built security operations framework — hardened, compliance-focused, and designed for professional cybersecurity workflows.
| Module | Agents | Workflows | Focus |
|---|---|---|---|
| Cybersecurity Team | 15 | 13 | Penetration testing, incident response, threat modeling, compliance audits |
| Intelligence Team | 11 | 19 | OSINT, threat actor profiling, dark web research, attribution |
| Legal Team | 13 | 7 | Contract review, corporate formation, cross-border matters |
| Strategy Team | 14 | 16 | Executive decisions, board prep, crisis response, M&A due diligence |
Original framework for software development and innovation — versatile, creative, and designed for general business operations.
| Module | Workflows | Focus |
|---|---|---|
| BMM (BMAD Method) | 35 | Software development, requirements analysis, architecture |
| BMB (Module Builder) | 1 | Agent, module, and workflow architecture |
| BMGD (Game Development) | 36 | Game design, development pipelines |
| CIS (Creative Innovation) | 4 | Brainstorming, design thinking, innovation |
| Core | 23 | Project management, orchestration, templates |
🔒 Security-First Architecture
- OWASP AI Security compliance — 95/100 score
- TPI-CrowdStrike compliant — 6 epics covering all prompt injection vectors
- 139+ production validators across all attack vectors
- Prompt injection defense with 35+ detection patterns
- Rate limiting with sliding window algorithm
- PII/GDPR detection with Luhn/IBAN validation
- Tamper-evident audit logging with SHA256 hash chains
- RBAC with deny-by-default policy
📜 Compliance Framework Support (20+)
- US: NIST 800-53, SOC 2, PCI-DSS, HIPAA, FedRAMP, CMMC
- EU: GDPR, NIS2, Cyber Resilience Act, DORA, AI Act
- Global: ISO 27001/27017/27018, CIS Controls, CSA STAR
- Industry: SWIFT CSP, NERC CIP, TISAX
🔧 Security Workflows
- Incident Response Playbook (19-step automated response)
- Security Architecture Review
- STRIDE Threat Modeling
- Compliance Audit Preparation
- Virtual CISO Consulting
- Blockchain/Mobile/Web App Security Testing
- Network/Infrastructure/Cloud Security Assessment
- Vulnerability Management (full lifecycle)
💻 Software Development
- Requirements analysis and PRD generation
- Architecture design and tech specifications
- Sprint planning and story management
- Code review (ADVERSARIAL style)
- Test-first development with ATDD support
💡 Creative & Innovation
- Brainstorming facilitation
- Design thinking workshops
- Storytelling and presentation mastery
- Creative problem-solving
🔧 Module Building
- Custom agent creation
- Workflow builder
- Module architecture system
🎮 Game Development
- Game design documents (GDD)
- Game brief creation
- QA and testing workflows
- Performance testing
🤖 Multi-Agent Orchestration
- Abdul coordinates specialists across teams
- Party Mode — spawn multiple agents working in parallel
- Cross-module workflows
👨💻 Developer Experience
- 201 production workflows
- Direct slash commands —
/workflow-name(112 aliases) - AI-powered help —
/bmad-helpfor interactive discovery - Multi-LLM support (Claude, OpenAI, Groq, Ollama, LM Studio, vLLM)
✅ Quality Assurance
- 2,938+ tests passing across 351 test files
- Zero regressions
- CI/CD pipelines with automated testing
- Performance benchmarking
BMAD CYBERSEC aligns with 20+ global security standards and compliance frameworks:
| Standard | Status | Coverage |
|---|---|---|
| NIST 800-53 | ✅ Compliant | All control families (AC, AU, SC, SI, etc.) |
| SOC 2 Type II | ✅ Ready | Trust Services Criteria (Security, Availability, Confidentiality) |
| PCI-DSS 4.0 | ✅ Compliant | All 12 requirement domains |
| HIPAA | ✅ Ready | Privacy, Security, and Breach Notification Rules |
| FedRAMP | ✅ Ready | Low, Moderate, and High Impact Levels |
| CMMC 2.0 | ✅ Ready | Levels 1-3 (Basic, Advanced, Expert) |
| Standard | Status | Coverage |
|---|---|---|
| GDPR | ✅ Compliant | Articles 25, 32, 33 (Data Protection by Design/Default) |
| NIS2 | ✅ Ready | Network and Information Security Directive |
| DORA | ✅ Ready | Digital Operational Resilience Act |
| EU AI Act | ✅ Ready | High-risk AI systems compliance |
| Standard | Status | Coverage |
|---|---|---|
| ISO 27001 | ✅ Compliant | ISMS controls and Annex A controls |
| ISO 27017 | ✅ Ready | Cloud security controls |
| ISO 27018 | ✅ Ready | PII protection in cloud |
| CIS Controls v8 | ✅ Ready | All 8 Implementation Groups |
| CSA STAR | ✅ Ready | Cloud Controls Matrix (CCM) |
| Standard | Industry | Status |
|---|---|---|
| SWIFT CSP | Financial Services | ✅ Ready |
| NERC CIP | Energy/Utilities | ✅ Ready |
| TISAX | Automotive | ✅ Ready |
| Standard | Score | Coverage |
|---|---|---|
| OWASP LLM Top 10 | 95/100 | All 10 vulnerability categories |
| OWASP API Top 10 | ✅ Compliant | Full coverage |
| OWASP Top 10 (2021) | ✅ Compliant | Full coverage |
| ASVS v4.0 | ✅ Ready | Application Security Verification Standard |
Prompt Injection Defense — Fully compliant with CrowdStrike's 2026 Taxonomy
- ✅ 6 epics covering all prompt injection vectors
- ✅ 35+ detection patterns
- ✅ 540+ automated tests
- ✅ 14 identified gaps (G1-G14) closed
| Category | Feature | Status |
|---|---|---|
| Prompt Injection | 35+ detection patterns | ✅ Protected |
| Jailbreak prevention (28 patterns) | ✅ Protected | |
| TPI-CrowdStrike taxonomy coverage | ✅ Compliant | |
| Output Security | Command injection prevention | ✅ Protected |
| Path traversal blocking | ✅ Protected | |
| ANSI escape sanitization | ✅ Protected | |
| Rate Limiting | Sliding window algorithm | ✅ Active |
| Per-operation limits (Bash:60, Write:100, Read:400, Task:40) | ✅ Active | |
| PII Protection | 65+ secret pattern detection | ✅ Active |
| GDPR compliance module | ✅ Active | |
| Luhn/IBAN validation | ✅ Active | |
| Supply Chain | SHA256+GPG verification | ✅ Active |
| Ed25519 artifact signing | ✅ Active | |
| npm audit integration | ✅ Active | |
| Access Control | RBAC with deny-by-default | ✅ Active |
| Token-based authentication | ✅ Active | |
| 9 roles, 80+ agents mapped | ✅ Active | |
| Audit Logging | Tamper-evident hash chains | ✅ Active |
| SIEM integration (Splunk/ELK) | ✅ Ready | |
| Category-based retention (7yr/3yr/1yr/90d) | ✅ Active | |
| Resource Protection | Context window limits (75% warn, 95% block) | ✅ Active |
| Recursion depth limits | ✅ Active | |
| Fork bomb detection | ✅ Active |
|
15 specialists covering the full security lifecycle
|
11 analysts for comprehensive OSINT operations
|
|
13 attorneys covering multiple jurisdictions
|
14 advisors for executive decision-making
|
| Guide | Description |
|---|---|
| Getting Started | Full setup and first workflow |
| Agents Reference | All agents by team with capabilities |
| Slash Command Reference | Direct invocation guide (112 aliases) |
| Workflows Reference | All 200+ workflows documented |
| Security Overview | Security architecture and hardening |
| Security Advanced Topics | Audit logs, chain of custody, RBAC operations |
| Troubleshooting | Common issues and solutions |
| FAQ | Frequently asked questions |
| Configuration Guide | System configuration options |
| RBAC Roles Guide | Role-based access control |
User Guides (Docs/02-user-guides/)
- Getting Started, Agents Reference, Slash Commands, Workflows Reference
- Security Overview, Troubleshooting, FAQ
- Configuration, RBAC Roles, Party Mode
Advanced Topics (Docs/02-user-guides/Advanced/)
- Custom Agent Creation, Custom Workflow Creation
- Custom Party Presets, LLM Provider Advanced
Security (Docs/02-user-guides/Security/)
- Audit Log Guide, Chain of Custody
- RBAC Operations Guide, Token Management Guide
- Security Maintenance Checklist
Reference (Docs/06-reference/)
- Agent specifications, workflow definitions
- Security implementation details
🧹 Repository Cleanup
- Remove generated and internal files from git tracking
- Update .gitignore for cleaner repository state
🔧 CI/CD Improvements
- Remove SBOM from release assets (non-blocking generation)
- Fix tinypool worker error handling in release workflow
- Resolve OOM issues by excluding memory-intensive tests
- Use multi-worker pool with improved error handling
- Install cyclonedx-npm globally to avoid dependency corruption
🛡️ TPI-CrowdStrike Prompt Injection Taxonomy
- Complete prompt injection defense with 6 epics, ~540 tests
- Closes all 14 identified gaps (G1-G14)
✅ OWASP Compliance Testing Framework
- Complete OWASP security testing: Top 10, API Top 10, LLM Top 10, ASVS v4.0
- 6 epics, 24 stories, 113 unique test IDs, 404 test functions
🔄 V6 Alignment and Phase 2 Upgrade
- Testing infrastructure modernization
- CLI modernization with @clack/prompts migration
- 7,117+ tests passing across 208 files
Hybrid v6 Upgrade
- Cherry-picked best features from BMAD v6 while preserving security infrastructure
AI-Powered Help
/bmad-helpinteractive command for discovering modules, agents, workflows- Natural language search with 4-tier fuzzy matching
Node.js 20 Upgrade
- Minimum Node.js version updated to 20.0.0
- Verified crypto compatibility across all APIs
Slash Command Invocation
- 112 unique aliases mapped to 200+ workflows
- RBAC enforcement and audit trail integration
Security Enhancements
- Path sanitization hardening (6 bypass vector protections)
- YAML CRLF normalization
- Cross-file reference validation
- Settings.json SPOF protection
Testing
- 2,938+ tests passing across 351 test files
- Zero regressions
Multi-Agent Architecture
- 4 specialized teams with 53 AI agents
- 55 workflows with step-by-step execution
- Abdul Master Project Manager for cross-team orchestration
Testing Framework
- 232 test suites (unit, integration, e2e)
- Performance testing with 8.5x improvement
- Enterprise security testing framework
CI/CD Pipeline
- 4 automated GitHub Actions workflows
- Continuous testing, extraction QA, quality gate, release automation
- Claude Code CLI
- Node.js 20+ (npm 10+)
- Git (for clone install)
| Metric | Value |
|---|---|
| Total Agents | 81+ |
| Total Workflows | 201+ |
| CYBERSEC Agents | 53 |
| BMAD-METHOD Workflows | 99+ |
| Security Validators | 139+ |
| Test Files | 208 |
| Passing Tests | 7,117+ |
| Compliance Frameworks | 20+ |
| OWASP LLM Score | 95/100 |
| TPI-CrowdStrike | Compliant |
MIT — BMAD-CYBERSEC A BlackUnicorn Open Source Project 🦄
Built with BMAD-METHOD
BMAD CYBERSEC extends the BMAD-METHOD framework with specialized cybersecurity operations, intelligence gathering, legal counsel, and strategic planning capabilities while maintaining full compatibility with the original development, creative, and business workflows.
⭐ Star us on GitHub — Join the BlackUnicorn community!