What is CyberMind CLI?

CyberMind CLI is an AI-powered offensive security CLI with a VSCode extension, 20-tool recon chain, OMEGA plan mode, Abhimanyu exploit mode, and four new v4.4.0 modes: /devsec, /vibe-hack, /chain, and /red-team.

Is CyberMind CLI free?

Yes. CyberMind CLI has a free tier with 20 requests/day, AI chat, and basic scanning. Paid plans start at $4/month (Starter) for full recon, hunt, and /devsec mode.

Does CyberMind CLI work on Windows?

Yes. CyberMind CLI fully supports Windows via PowerShell. AI chat, /scan, /osint, /breach, /cve, /payload, and /devsec all work on Windows. Recon/hunt/Abhimanyu require Linux/Kali.

What AI models does CyberMind CLI use?

CyberMind CLI supports DeepSeek R1, Qwen3 Coder, GPT-5, Claude Opus 4, Llama 3.3 70B, and 11+ other providers. It auto-routes to the best model for your task and plan tier.

What is /devsec mode?

/devsec is CyberMind's Developer Security Scanner. It scans GitHub repos and local paths for secrets (trufflehog, gitleaks), SAST issues (semgrep), and vulnerable dependencies (trivy, npm audit, pip-audit). Available on Starter+ plan.

What is /vibe-hack mode?

/vibe-hack is an autonomous AI hacking session where the AI decides the next attack step, streams results live via SSE, and saves a full session transcript. Available on Pro+ plan.

What is /red-team mode?

/red-team is a structured 7-day red team campaign with mandatory scope validation, AI-guided phases (OSINT, phishing, initial access, lateral movement, persistence, report), and state persistence between sessions. Elite plan only.

How do I connect a custom domain to CyberMind on Vercel?

Deploy on Vercel, then go to Project Settings > Domains > Add Domain. In your domain registrar (Hostinger, GoDaddy), add a CNAME record pointing to cname.vercel-dns.com, or an A record pointing to 76.76.21.21. Vercel auto-provisions SSL.

CyberMind CLI

Terminal-first security workflow

Full Capabilities

Features

CyberMind CLI — AI-powered offensive security CLI with OMEGA plan mode, 50+ tool recon/hunt pipeline, auto PoC generation, HackerOne integration, VSCode AI extension, and full Linux hacking workflow.

$sudo cybermind /plan --auto-target --focus idor,xss

OMEGA Plan Mode — 10-Phase Autonomous Attack Pipeline

The most powerful feature: give CyberMind a target and it runs a complete 10-phase attack pipeline autonomously. No manual steps. Runs for hours if needed.

Phase 1: Passive OSINT — whois, theHarvester, dig, shodan CLI, h8mail (breach data), exiftool (metadata), metagoofil (document harvest), spiderfoot (200+ OSINT modules), recon-ng
Phase 2: Subdomain Enum — reconftw -a --deep --parallel (6h exhaustive), subfinder, amass, dnsx
Phase 3: Port Scan — rustscan (all 65535 ports), nmap vuln scripts, masscan, naabu
Phase 4: HTTP Fingerprint — httpx (500 threads), whatweb, tlsx (JA3), wafw00f
Phase 5: Directory Discovery — ffuf (recursive depth 4), feroxbuster, gobuster
Phase 6: Vuln Scan — nuclei (ALL templates, all severities), nikto, crlfuzz, sstimap
Phase 7: Hunt Mode — 30+ tools: dalfox, kxss, bxss, ssrfmap, smuggler, corsy, arjun, x8
Phase 8: Secret Hunting — trufflehog, mantra, subjs, cariddi, gitxray
Phase 9: JWT + GraphQL — jwt_tool (all attacks), graphw00f (schema dump)
Phase 10: Exploitation — sqlmap, commix, wpscan, hydra, tplmap, liffy, nosqlmap

HackerOne Integration + Auto-Target Selection

CyberMind connects to HackerOne to find the best bug bounty targets for you. No more manual research.

cybermind /plan --auto-target — AI selects best program with wide scope
cybermind /plan --auto-target --skill beginner --focus xss — beginner-friendly XSS targets
cybermind /plan shopify.com --focus idor,ssrf — focus on specific bug types
Curated programs: Shopify, GitLab, GitHub, Uber, Twitter, PayPal, Mozilla and more
Shows scope, min/max bounty, best bug types, and why each target is good right now

Auto Bug Detection + PoC Generation

When a vulnerability is confirmed, CyberMind automatically generates a complete Proof-of-Concept and bug bounty report.

Parses nuclei, dalfox, sqlmap, ssrfmap, commix output for confirmed bugs
Detects: XSS, SQLi, SSRF, LFI, RCE, IDOR, SSTI, CRLF, HTTP smuggling
Auto-generates PoC: curl commands, reproduction steps, expected output
Calculates CVSS score and maps to CWE
Generates HackerOne-ready report template
Saves full report: cybermind_bugs_target_date.md
Continuous loop: if no bugs found, suggests next best target automatically

reconftw — Full Exhaustive Mode

CyberMind uses reconftw in its most powerful configuration — every module enabled, no shortcuts.

reconftw -a --deep --parallel — ALL mode (50+ internal tools)
--subs-bruteforce-threads 50 — aggressive DNS brute force
--nuclei-templates-all — every nuclei template
--dalfox --all — XSS on every discovered endpoint
--waf-detect --waf-bypass — WAF fingerprint + bypass
--screenshotting — visual recon of all subdomains
--paramspider — parameter extraction from JS/source
--ffuf — directory fuzzing on all live hosts
--loots — save all findings to structured output
6-hour timeout — we wait as long as it takes

Hunt Mode — 30+ Tools

The most comprehensive web vulnerability hunting pipeline available in any CLI tool.

URL Collection: waymore, gau, waybackurls, hakrawler, urlfinder, httprobe
Deep Crawl: gospider, katana (depth 10), cariddi, subjs, trufflehog, mantra
Parameter Discovery: paramspider, arjun, x8 (high level, 100 threads)
XSS Hunting: xsstrike, dalfox (WAF bypass), kxss, bxss (blind XSS), corsy (CORS)
Vuln Scan: nuclei (1000 concurrency, all tags), gf patterns, ssrfmap, tplmap, liffy, gopherus
Network: nmap vuln scripts on all open ports
New 2025-2026 Kali tools: crlfuzz, tinja, sstimap, wpprobe, gitxray

AI Coding Assistant

Terminal-native AI coding assistant. Free Claude Code alternative. Works on Windows, macOS, Linux.

11+ AI providers: MiniMax M2.5, DeepSeek R1, Qwen3 Coder, GPT-5, Claude, Groq
Skills system: /review, /commit, /security, /test, /document, /refactor, /debug
Hooks: auto-run linter on file save, tests on edit, security checks
Real subagents: parallel isolated execution for complex tasks
MCP support: GitHub, Playwright, Figma, 300+ external services
Agent loop: generate → write → run → fix errors → repeat
CYBERMIND.md project memory — context persists across sessions

Doctor Command — Auto-Update + Tool Install

cybermind /doctor first updates the CLI binary to the latest version, then checks and installs all 80+ security tools.

Step 1: Self-update — downloads latest binary from GitHub, replaces in-place
Step 2: Checks all recon tools (28+): shodan, h8mail, exiftool, metagoofil, spiderfoot, recon-ng, subfinder, amass, reconftw, nmap, httpx, nuclei...
Step 3: Checks all hunt tools (30+): dalfox, gau, gospider, ssrfmap, tplmap...
Step 4: Checks all exploit tools (25+): sqlmap, metasploit, hydra, sliver, empire, commix...
Auto-installs missing tools: apt, go install, pip3, cargo, git clone
New Kali 2025-2026 tools: crlfuzz, sstimap, wpprobe, adaptixc2, rubeus, ldeep
AI diagnosis: if install fails, AI suggests exact fix commands
Note: shodan requires API key — run 'shodan init YOUR_KEY' after install

Cross-Platform Commands (Windows/macOS/Linux)

Core features work on every platform — no Linux required.

/scan — native network scan (no tools needed)
/portscan — port scan + netstat analysis
/osint — DNS + Shodan InternetDB (free, no key)
/breach — breach intelligence (HIBP + BreachDirectory + LeakCheck + local SQLite)
/breach +91XXXXXXXXXX — WhatsApp OSINT (name, about, photo via RapidAPI)
/locate — IP/EXIF/WiFi/Social geolocation (Level 1-4)
/payload — AI payload generator (no msfvenom)
/cve — CVE intelligence from NVD
/wordlist — custom wordlist generator
AI coding assistant (Windows/macOS/Linux)
AI chat — interactive security assistant

OSINT Deep — 45 Tools, 9 Phases

The most comprehensive OSINT pipeline available in any CLI. Auto-detects target type (domain/email/username/phone/company) and runs the right tools automatically.

Phase 1 — Domain/Subdomain: subfinder, amass, dnsx, theHarvester, sublist3r, crt.sh CT logs
Phase 2 — Email + Breach: holehe (120+ sites), h8mail, emailfinder, HIBP API, LeakCheck (5B+ records)
Phase 3 — Username/People: sherlock (400+ sites), maigret (3000+ sites), socialscan, WhatsMyName
Phase 4 — Social Media: osintgram (Instagram), twscrape (Twitter/X), instaloader, Photon crawler
Phase 5 — Company Intel: recon-ng (76 modules), spiderfoot (200+ modules), crosslinked, linkedin2username, ghunt
Phase 6 — Phone OSINT: phoneinfoga (carrier/location/social), geoiplookup
Phase 7 — Metadata: exiftool (GPS from photos), metagoofil (document metadata)
Phase 8 — Dark Web: trufflehog (GitHub secrets), gitdorker, onionsearch, torbot, pwndb (Tor)
Phase 9 — Network Intel: nmap OSINT scripts, shodan CLI, whois, dig
Breach check auto-runs on all found emails — HIBP + BreachDirectory (RapidAPI) + LeakCheck
AI analysis: complete digital footprint, attack surface, MITRE ATT&CK mapping
Phase 0 in /plan: OSINT Deep runs automatically before active recon

Reverse Engineering — 30 Tools, 6 Phases

Full automated RE pipeline for ELF, PE, APK, firmware, and Mach-O binaries. Static + dynamic + decompilation + malware analysis.

Phase 1 — File ID: file, sha256sum, strings (-n 6 -t x), readelf, objdump, exiftool
Phase 2 — Static: checksec (PIE/NX/canary/RELRO), radare2 (aaa;afl;iz;ii), rizin, binwalk (firmware extraction), nm, ldd, floss (obfuscated strings), diec (packer detection)
Phase 3 — Dynamic: strace (syscalls), ltrace (library calls), gdb+pwndbg, frida-trace (runtime hooks), QEMU user mode (foreign arch emulation)
Phase 4 — Vuln Discovery: ROPgadget (ROP/JOP chains), pwntools checksec, angr (symbolic execution), cve-bin-tool (embedded CVEs)
Phase 5 — Malware: yara (pattern matching), ssdeep (fuzzy hash), clamscan (AV scan)
Phase 6 — Decompile: Ghidra headless (NSA decompiler), retdec (C output), jadx (APK→Java), apktool (smali), r2ghidra
Modes: --mode static | dynamic | decompile | malware | mobile | all
Session persistence: saves to /tmp/cybermind_reveng_*/session.json
AI analysis: binary purpose, vulnerabilities (BOF/format string/UAF), exploit approach, CVEs

Breach Intelligence — HIBP + RapidAPI + Local SQLite

Multi-source breach intelligence with 90% API + 10% local dump fallback. Integrated into /osint-deep automatically.

HIBP v3 — 13B+ records, breach names + data types (free tier), full details with API key
BreachDirectory via RapidAPI — email:password plaintext lookup (your RapidAPI key)
LeakCheck.io — 5B+ records, free public API, source names + dates
WhatsApp OSINT via RapidAPI — phone → name, about, profile photo, business status
Local SQLite indexer — index any dump file (email:password, email:hash, plain emails)
Streaming indexer — handles 100M+ line dumps without OOM (50K batch commits)
cybermind /breach --setup — interactive RapidAPI key save
cybermind /breach --index /dump.txt — index local breach dump
cybermind /breach user@email.com — check all sources concurrently (4 goroutines)
cybermind /breach +91XXXXXXXXXX — WhatsApp OSINT
Auto-runs on all emails found during /osint-deep Phase 2

Geolocation — Level 1 to Level 5 (SDR)

Multi-level geolocation from basic IP lookup to advanced SDR cell tower tracking. /locate works on all OS, /locate-advanced requires Linux + SDR hardware.

Level 1 — IP/Domain: geoiplookup, ipinfo API (city/ISP/ASN), shodan host, whois
Level 2 — EXIF/Metadata: exiftool GPS extraction from photos, metagoofil document metadata
Level 3 — WiFi: tshark SSID capture → wigle.net lookup → coordinates, kismet passive monitoring
Level 4 — Social Geo: Creepy (Twitter/Instagram location aggregator), osintgram geotags
Level 5 — SDR Cell Tower (/locate-advanced, Pro plan): gr-gsm passive GSM sniffing → TAC/LAC → OpenCellID GPS
Level 5 — srsRAN 4G/5G fake BTS (IMSI catcher), YateBTS GSM fake tower, SigPloit SS7 simulation
Hardware guide: RTL-SDR ($30), HackRF One ($300), BladeRF ($420) — see cli/locate/sdr_setup.md
Auto-detects target type: IP → Level 1, file → Level 2, username → Level 4, phone → Level 5
AI analysis: physical location, network infrastructure, attack surface, privacy exposure

New in v4.4.0

Four New Offensive Modes

CyberMind v4.4.0 introduces four new specialized offensive security modes.

/devsecStarter+

Developer Security Scanner

Scan GitHub repos for secrets (trufflehog/gitleaks), SAST (semgrep), and vulnerable deps (trivy/npm audit/pip-audit)

/vibe-hackPro+

Real-time AI Hacking

Autonomous AI hacking session: AI decides next attack step, streams live via SSE, saves full transcript

/chainPro+

Vulnerability Chaining Engine

Reads Brain_Memory findings and suggests multi-step exploit chains (e.g., SSRF+IDOR → PII leak) with PoC

/red-teamElite

Multi-Day Red Team Campaign

Structured 7-day campaign: OSINT → Phishing → Initial Access → Lateral Movement → Persistence → Report