Coordinated intelligence, unrestricted coverage.
Unlike legacy scanners that execute rigid, linear checklists, Chelys deploys 8 specialized agents in parallel — each with distinct expertise, tools, and objectives — coordinating over a shared ledger to pivot seamlessly from reconnaissance to compliance reporting.
8 Specialist Agent Roles
Meet the nodes of the Chelys autonomous offensive security swarm.
Phantom
Attack Surface MappingMaps the attack surface, identifies open ports, fingerprints services, and discovers subdomains. Feeds structured asset inventory to the orchestrator for downstream agent targeting.
Viper
Vulnerability ExploitationAttempts exploitation of confirmed vulnerabilities. On success, captures proof-of-exploitation output and passes credentials or shells to the Lateral Movement agent.
Serpent
Post-Exploitation PivotingExecutes pass-the-hash, Kerberoasting, and credential relay attacks. Maps Active Directory attack paths. Attempts to pivot to adjacent hosts within authorized scope, capped at 3 hops by Safety Oracle.
Wraith
Detection ValidationValidates whether the target's detection controls (SIEM, EDR, WAF) are alerting on the attack traffic. Tests detection gaps and recommends compensating controls. Generates Sigma detection rules for findings where the target was not alerted.
Oracle
Findings SynthesisSynthesizes all agent outputs into structured findings. Maps to MITRE ATT&CK, NIST, PCI-DSS, SOC2, and HIPAA. Generates remediation recommendations. Drafts full PDF reports with executive summary, technical evidence, and compliance mapping tables.
Safety Oracle
Constitutional AI GuardrailConstitutional AI agent that reviews every proposed tool call before execution. Enforces scope, reversibility, and authorization constraints. Blocks destructive operations. Maintains an immutable action log for post-scan audit. Cannot be overridden by other agents.
Analyst
Evidence ValidationReviews findings for false-positive risk, validates evidence quality, and scores confidence levels. Flags findings where AI reasoning may have over-concluded and queues them for human verification before delivery to the customer.
Auditor
Regulatory Framework MappingSpecialized in regulatory frameworks. Reviews findings against PCI-DSS 4.0, SOC2, HIPAA, NIST 800-53, and ISO 27001 requirements. Generates the compliance mapping section of deliverable reports and tracks remediation verification status.
Real-Time Attack Graph Construction
As agents execute scanning and exploit commands, they register findings to a live attack path model. The SwarmOrchestrator continually evaluates paths of least resistance, computing breach likelihood and identifying high-value targets (e.g. Active Directory DCs or staging database nodes) dynamically.
Living Attack Graph
Safety Oracle & Blast-Radius Mitigation
Offensive operations inside live enterprise subnets require strict boundaries. The Safety Oracle acts as a deterministic barrier, evaluating every exploit proposal against pre-authorized scope rules and destructive command lists. High-risk movements trigger automated hold states awaiting explicit operator clearance.
Safety Oracle — Live Decision Feed
MITRE ATT&CK® Framework Mapping
Every technique executed by the swarm is automatically tagged to the MITRE ATT&CK® Enterprise framework in real time — tactic, technique ID, and sub-technique. Findings arrive compliance-ready, with full adversary behavior lineage mapped to the industry-standard knowledge base.
ATT&CK® Technique Mapper
See the Swarm Orchestrator in action.
Request a guided environment staging where we'll simulate a swarm security assessment on mock infrastructure to verify speed, path logic, and compliance logging.