Skip to main content

Overview

Decepticon is CLI-first. Security work belongs in the terminal — no browser tabs, no dashboards required, no context switching. The interface is a real-time streaming CLI built with Ink that shows you what the agent sees, as it happens. The CLI is delivered as a single Go-based launcher (decepticon) that orchestrates the underlying Docker stack and opens the React/Ink interactive UI.

Top-Level Commands

decepticon

Start all services and open the interactive CLI.
Starts the full stack — agent API server, LiteLLM proxy, Kali sandbox, PostgreSQL, Neo4j, optional Sliver C2 — and opens the streaming CLI. This is the primary entry point for creating and running engagements.

decepticon onboard

Run the interactive setup wizard.
Configures:
  • LLM provider and API key (Anthropic, OpenAI, Google, MiniMax, Anthropic OAuth via Claude subscription)
  • Authentication priority order
  • Model profile (eco, max, test)
  • LangSmith tracing toggle and key
The wizard writes .env and persists provider order. Use --reset to throw away existing configuration.

decepticon demo

Run the guided demonstration.
Launches Metasploitable 2 as a target, loads a pre-built engagement (RoE, ConOps, OPPLAN), and executes the full kill chain autonomously — port scan, vsftpd exploitation, Sliver C2 implant deployment, credential harvesting, internal reconnaissance.
The demo is the fastest way to see Decepticon in action. No additional configuration needed beyond your API key.

decepticon status

Show service status.
Lists each Docker service in the stack with its current state — running, stopped, restarting — and exposed ports. Useful for verifying that the stack came up cleanly before launching the CLI.

decepticon logs [service]

Tail service logs.
Streams logs in docker compose logs -f style. The most common debugging entry point — if Decepticon is misbehaving, this is where to look first.

decepticon kg-health

Diagnose the knowledge graph.
Runs Neo4j connectivity and schema checks. Reports orphaned nodes, missing relationships, and any constraint violations. Useful after a long engagement before exporting the deliverable.

decepticon stop

Stop all services.
Gracefully stops all Docker containers — agent API, LiteLLM proxy, sandbox, C2 server, database, knowledge graph, and web dashboard.

decepticon update

Check for and apply updates.
Checks GHCR for newer pre-built images and updates the local installation. The launcher itself is updated separately via the install script.

decepticon remove

Uninstall Decepticon.
Tears down all containers, removes images, and deletes the engagement workspace. Use with care — engagement data is purged unless explicitly exported first.

decepticon --version

Show the launcher version.

C2 Profiles

Enable C2 frameworks via Docker Compose profiles. The default install enables c2-sliver.

CLI Keybindings

The interactive CLI exposes the following key shortcuts:

Slash Commands

Inside the CLI prompt, you can invoke:

Developer Commands

For contributors working on Decepticon itself:

Developer Setup

Full development environment setup guide for contributors.