AWS capability graph analysis and attack path discovery CLI
Cyntrisec CLI
AWS capability graph analysis and attack path discovery.
A read-only CLI tool that:
- Scans AWS infrastructure via AssumeRole
- Builds a capability graph (IAM, network, dependencies)
- Discovers attack paths from internet to sensitive targets
- Prioritizes fixes by ROI (security impact + cost savings)
- Identifies unused capabilities (blast radius reduction)
- Outputs deterministic JSON with proof chains
Architecture
┌─────────────────────────────────────────────────────────────────────────────┐
│ CYNTRISEC CLI │
├─────────────────────────────────────────────────────────────────────────────┤
│ │
│ ┌─────────────────────────────────────────────────────────────────────┐ │
│ │ CLI Layer (typer) │ │
│ │ ┌─────────┐ ┌─────────┐ ┌─────────┐ ┌─────────┐ ┌─────────┐ │ │
│ │ │ scan │ │ analyze │ │ cuts │ │ waste │ │ report │ ... │ │
│ │ └────┬────┘ └────┬────┘ └────┬────┘ └────┬────┘ └────┬────┘ │ │
│ └───────┼──────────┼──────────┼──────────┼──────────┼────────────────┘ │
│ │ │ │ │ │ │
│ ┌───────▼──────────▼──────────▼──────────▼──────────▼────────────────┐ │
│ │ Core Engine │ │
│ │ ┌──────────────┐ ┌──────────────┐ ┌──────────────┐ │ │
│ │ │ Graph │ │ Paths │ │ Compliance │ │ │
│ │ │ (AwsGraph) │ │ (BFS/DFS) │ │ (CIS/SOC2) │ │ │
│ │ └──────────────┘ └──────────────┘ └──────────────┘ │ │
│ │ ┌──────────────┐ ┌──────────────┐ ┌──────────────┐ │ │
│ │ │ Cuts │ │ Waste │ │ Simulator │ │ │
│ │ │ (Min-Cut) │ │ (Unused) │ │ (IAM Eval) │ │ │
│ │ └──────────────┘ └──────────────┘ └──────────────┘ │ │
│ └────────────────────────────────────────────────────────────────────┘ │
│ │ │
│ ┌───────▼────────────────────────────────────────────────────────────┐ │
│ │ AWS Layer │ │
│ │ ┌──────────────┐ ┌──────────────┐ ┌──────────────┐ │ │
│ │ │ Collectors │ │ Normalizers │ │ Relationship │ │ │
│ │ │ (EC2, IAM, │ │ (Asset → │ │ Builder │ │ │
│ │ │ RDS, ...) │ │ Schema) │ │ │ │ │
│ │ └──────────────┘ └──────────────┘ └──────────────┘ │ │
│ └────────────────────────────────────────────────────────────────────┘ │
│ │ │ │
│ ┌───────▼──────────────────────┐ ┌──────────────▼──────────────────┐ │
│ │ Storage Layer │ │ MCP Server │ │
│ │ ┌────────────┐ ┌─────────┐ │ │ ┌──────────────────────────┐ │ │
│ │ │ Filesystem │ │ Memory │ │ │ │ Tools: get_scan_summary │ │ │
│ │ │ (~/.cyntri │ │ (tests) │ │ │ │ get_attack_paths, ... │ │ │
│ │ │ sec/) │ │ │ │ │ └──────────────────────────┘ │ │
│ │ └────────────┘ └─────────┘ │ │ │ │
│ └──────────────────────────────┘ └─────────────────────────────────┘ │
│ │
└─────────────────────────────────────────────────────────────────────────────┘
│
▼
┌─────────────────────────────────────────────────────────────────────────────┐
│ AWS Account │
│ ┌─────────────┐ ┌─────────────┐ ┌─────────────┐ ┌─────────────┐ │
│ │ IAM │ │ EC2 │ │ RDS │ │ S3 │ ... │
│ │ (Roles, │ │ (Instances, │ │ (Databases) │ │ (Buckets) │ │
│ │ Policies) │ │ SGs, VPCs) │ │ │ │ │ │
│ └─────────────┘ └─────────────┘ └─────────────┘ └─────────────┘ │
└─────────────────────────────────────────────────────────────────────────────┘
Data Flow
┌──────────┐ AssumeRole ┌──────────┐ Describe/Get/List ┌─────────┐
│ CLI │ ─────────────────▶│ AWS │ ◀─────────────────────▶ │ APIs │
│ (scan) │ │ Session │ │(read-only)
└────┬─────┘ └──────────┘ └─────────┘
│
▼
┌──────────┐ normalize ┌──────────┐ build edges ┌──────────────┐
│Collectors│ ─────────────────▶│ Assets │ ─────────────────▶│Relationships │
└──────────┘ └──────────┘ └──────┬───────┘
│
┌───────────────────────────────────────────────────────────────┘
▼
┌──────────┐ BFS/DFS ┌──────────┐ min-cut ┌──────────────┐
│ AwsGraph │ ─────────────────▶│ Attack │ ─────────────────▶│ Remediation │
│ │ │ Paths │ │ Cuts │
└──────────┘ └──────────┘ └──────────────┘
Installation
pip install cyntrisec
Windows PATH Fix
If you see "cyntrisec is not recognized", the Scripts folder isn't on PATH:
# Option 1: Run with python -m
python -m cyntrisec --help
# Option 2: Add to PATH for current session
$env:PATH += ";$env:APPDATA\Python\Python311\Scripts"
Quick Start
# 1. Create the read-only IAM role in your account
cyntrisec setup iam 123456789012 --output role.tf
# 2. Apply the Terraform
cd your-infra && terraform apply
# 3. Run a scan
cyntrisec scan --role-arn arn:aws:iam::123456789012:role/CyntrisecReadOnly
# 4. View attack paths
cyntrisec analyze paths --min-risk 0.5
# 5. Find minimal fixes (prioritized by ROI)
cyntrisec cuts --format json
# 6. Generate HTML report
cyntrisec report --output report.html
Commands
Core Analysis
| Command | Description |
|---|---|
| scan | Scan AWS infrastructure |
| analyze paths | View attack paths |
| analyze findings | View security findings |
| analyze stats | View scan statistics |
| analyze business | Business entrypoint analysis |
| report | Generate HTML/JSON report |
Setup & Validation
| Command | Description |
|---|---|
| setup iam | Generate IAM role Terraform |
| validate-role | Validate IAM role permissions |
Remediation
| Command | Description |
|---|---|
| cuts | Find minimal fixes (Cost & ROI prioritized) |
| waste | Find unused IAM permissions |
| remediate | Generate or optionally apply Terraform plans (gated) |
Policy Testing
| Command | Description |
|---|---|
| can | Test "can X access Y?" |
| diff | Compare scan snapshots |
| comply | Check CIS AWS / SOC2 compliance |
Agentic Interface
| Command | Description |
|---|---|
| manifest | Output machine-readable capabilities |
| explain | Natural language explanations |
| ask | Query scans in plain English |
| serve | Run as MCP server for AI agents |
MCP Server Mode
Run Cyntrisec as an MCP server for AI agent integration:
# Install with MCP support
pip install "cyntrisec[mcp]"
cyntrisec serve # Start stdio server
cyntrisec serve --list-tools # List available tools
MCP Tools: get_scan_summary, get_attack_paths, get_remediations, check_access, get_unused_permissions, check_compliance, compare_scans
Claude Desktop Config
{
"mcpServers": {
"cyntrisec": {
"command": "python",
"args": ["-m", "cyntrisec", "serve"]
}
}
}
Trust & Safety
Read-Only Guarantees
This tool makes read-only API calls to your AWS account. The IAM role
should have only Describe*, Get*, List* permissions.
No Data Exfiltration
All data stays on your local machine. Nothing is sent to external servers.
Scan results are stored in ~/.cyntrisec/scans/.
No Auto-Remediation (Default Safe Mode)
By default, Cyntrisec is read-only and does not modify your AWS infrastructure.
- It analyzes your account using read-only APIs.
- It can generate remediation artifacts (e.g., Terraform modules) for you to review.
- It does not apply changes automatically.
Optional Remediation Execution (Explicit Opt-In)
Cyntrisec includes an explicitly gated path that can execute Terraform only if you intentionally enable it.
This mode is:
- Disabled by default
- Requires --enable-unsafe-write-mode
- Requires an additional explicit flag (e.g. --execute-terraform) to run Terraform
- Intended for controlled environments (sandbox / CI with approvals), not unattended production
If you do not pass these flags, Cyntrisec will never run terraform apply.
Write Operations
Cyntrisec makes no AWS write API calls during scanning and analysis.
The only supported "write" behavior is optional execution of Terraform locally on your machine, and only when explicitly enabled via unsafe flags.
Every AWS API call is logged in CloudTrail under session name cyntrisec-cli.
Trust & Permissions
Cyntrisec runs with a read-only IAM role. Generate the recommended policy with
cyntrisec setup iam <ACCOUNT_ID> and keep permissions to Describe*, Get*,
and List*. Live modes (waste --live, can --live) require extra IAM
permissions; the generated policy and docs cover those additions.
Output Format
Primary output is JSON to stdout. When stdout is not a TTY, the CLI automatically switches to JSON:
cyntrisec analyze paths --format json | jq '.paths[] | select(.risk_score > 0.7)'
Agent-friendly output wraps results in a structured envelope:
cyntrisec analyze paths --format agent
{
"schema_version": "1.0",
"status": "success",
"data": {...},
"artifact_paths": {...},
"suggested_actions": [...]
}
Exit Codes
| Code | Meaning |
|---|---|
| 0 | Success / compliant |
| 1 | Findings / regressions / denied |
| 2 | Usage error |
| 3 | Transient error (retry) |
| 4 | Internal error |
Use in CI/CD:
cyntrisec scan --role-arn $ROLE_ARN || exit 1
cyntrisec diff || echo "Regressions detected"
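The one-liners above treat every non-zero exit the same, which turns a transient error (exit 3) into a failed build and a usage error (exit 2) into "regressions detected". The gate below, an added example rather than the project's own code, maps the exit-code table onto CI behaviour: retry only on 3, fail without retry on 1, fail loudly on anything else. fake_cyntrisec is a constructed stub so the script runs offline; in a pipeline you would pass the real cyntrisec command instead.

```shell
#!/bin/sh
# Added example, not part of the cyntrisec project: a CI gate driven by the
# documented exit codes. 0 = pass, 1 = findings/regressions (fail, no retry),
# 3 = transient (retry), anything else = usage/internal error (fail, no retry).
# Real usage would be:  run_cyntrisec_step 3 cyntrisec scan --role-arn "$ROLE_ARN"

# Run "$@" up to $1 times, retrying only on exit code 3. Prints a verdict and
# returns 0 (pass), 1 (findings), 3 (transient errors exhausted) or
# 2 (usage/internal error).
run_cyntrisec_step() {
    max_attempts=$1
    shift
    attempt=1
    while :; do
        if "$@"; then rc=0; else rc=$?; fi
        case $rc in
            0) echo "pass"; return 0 ;;
            1) echo "findings"; return 1 ;;
            3) if [ "$attempt" -lt "$max_attempts" ]; then
                   attempt=$((attempt + 1))
                   continue
               fi
               echo "transient-exhausted"; return 3 ;;
            *) echo "hard-error:$rc"; return 2 ;;
        esac
    done
}

# Constructed stub standing in for `cyntrisec scan` / `cyntrisec diff`: exits
# with the codes listed in FAKE_CODES, one per invocation ("3 3 0" = two
# transient errors, then success). Its arguments are ignored.
fake_cyntrisec() {
    code=${FAKE_CODES%% *}
    rest=${FAKE_CODES#* }
    if [ "$rest" = "$FAKE_CODES" ]; then rest=""; fi
    FAKE_CODES=$rest
    return "${code:-0}"
}

# Demo: a scan that survives two transient errors passes the gate; a diff
# that reports regressions is blocked immediately and is not retried.
FAKE_CODES="3 3 0"
run_cyntrisec_step 3 fake_cyntrisec scan --role-arn "$ROLE_ARN" || echo "scan gate blocked (rc=$?)"
FAKE_CODES="1 0"
run_cyntrisec_step 3 fake_cyntrisec diff || echo "diff gate blocked (rc=$?)"
```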
Storage
Scan results are stored locally:
~/.cyntrisec/
├── scans/
│ ├── 2026-01-17_123456_123456789012/
│ │ ├── snapshot.json
│ │ ├── assets.json
│ │ ├── relationships.json
│ │ ├── findings.json
│ │ └── attack_paths.json
│ └── latest -> 2026-01-17_...
└── config.yaml
Versioning
This project follows Semantic Versioning. See CHANGELOG.md for release notes.
License
Apache-2.0
Download files
File details
Details for the file cyntrisec-0.1.4.tar.gz.
File metadata
- Download URL: cyntrisec-0.1.4.tar.gz
- Upload date:
- Size: 106.2 kB
- Tags: Source
- Uploaded using Trusted Publishing? No
- Uploaded via: twine/6.1.0 CPython/3.13.7
File hashes
| Algorithm | Hash digest |
|---|---|
| SHA256 | ac9e0fbc0a6020154393a95d83ec5eefcfc6e773b8d135d37642968cd3f4dd21 |
| MD5 | 13ebfb4b045c83d976c75fda6b989d97 |
| BLAKE2b-256 | 736e4dd3289f83385f364d867e7e1d2f6d8f55166f2978d115b349c3bfd8e0a5 |
File details
Details for the file cyntrisec-0.1.4-py3-none-any.whl.
File metadata
- Download URL: cyntrisec-0.1.4-py3-none-any.whl
- Upload date:
- Size: 134.4 kB
- Tags: Python 3
- Uploaded using Trusted Publishing? No
- Uploaded via: twine/6.1.0 CPython/3.13.7
File hashes
| Algorithm | Hash digest |
|---|---|
| SHA256 | bdd0f5690f2b02b3afa8263b16e709275e5a7f0c868de00a6406508a8afee685 |
| MD5 | 1672dc99886904faf4c1e2d8f37dfbfa |
| BLAKE2b-256 | ce61d45d9a06e1f9e07e8d7edc0fba9076af24bdce01f4d3a1ffb0ac9d395095 |