sarfaraz-munir/Claude-Code-Cyber-agents

GitHub: sarfaraz-munir/Claude-Code-Cyber-agents

A hierarchical AI security agent swarm built for Claude Code: 10 specialist agents covering the full set of cybersecurity management functions of an enterprise CISO.

Stars: 0 | Forks: 0

# CISO Agents: a cybersecurity swarm built for Claude Code

A production-grade hierarchical swarm for Claude Code with 10 AI agents (1 CISO orchestrator plus 9 specialist workers). It covers the full skill set of an enterprise CISO: risk governance, compliance audit, threat intelligence, security architecture, incident response, vulnerability management, DevSecOps, security awareness training and AI security.

## Core features

The repository ships structured agent files, skill files, one slash command and 20 MCP tools that activate automatically from security-domain context. Each agent carries domain expertise, a methodology, reference frameworks and output templates, so that it produces consistent, professional security deliverables.

- **Hierarchical orchestration**: the CISO orchestrator launches all 9 specialist agents in parallel and synthesises their output into a single `SecurityPostureReport`
- **Full-stack CISO skill set**: risk, compliance, threat intelligence, architecture, IR, vulnerability management, DevSecOps, security awareness training and AI/LLM security
- **Several integration modes**: Claude Code agents (working together), skill files, the `/ciso-posture-review` command and 20 MCP tools
- **Broad AI security coverage**: OWASP LLM Top 10, MITRE ATLAS, NIST AI RMF 1.0, EU AI Act 2024, ISO/IEC 42001, shadow AI asset inventory
- **Grounded in industry standards**: MITRE ATT&CK, CVSS v3.1, EPSS, CISA KEV, NIST CSF, SOC2, ISO-27001, GDPR, PCI-DSS, CIS Controls
- **TypeScript API**: the `CISOOrchestrator` class can be used on its own with no external dependencies
- **21 passing tests**: full unit-test coverage, runnable stand-alone (no monorepo required)

## CISO cyber agent architecture

```
┌─────────────────────────────────────────────────────┐
│                     CISO Queen                      │
│             (ciso-queen — orchestrator)             │
│     Topology: hierarchical │ Consensus: raft        │
└──────────────────┬──────────────────────────────────┘
                   │ delegates in parallel
       ┌───────────┼───────────┬───────────┐
       ▼           ▼           ▼           ▼
 risk-governance   compliance   threat-intel   security-arch
 vuln-management   devsecops    incident-response   security-awareness
 ai-security
```

## Agent coverage

| # | Agent | Domain | Core frameworks |
|---|-------|--------|-----------------|
| 1 | `ciso-queen` | Orchestration | Hierarchical swarm, raft consensus |
| 2 | `ciso-risk-governance` | Risk management | CVSS v3.1, FAIR, risk register |
| 3 | `ciso-compliance-audit` | Compliance | SOC2-TypeII, ISO-27001, NIST-CSF, GDPR, HIPAA, PCI-DSS, CIS Controls |
| 4 | `ciso-threat-intelligence` | Threat intelligence | MITRE ATT&CK (14 tactics, 200+ techniques), APT profiling |
| 5 | `ciso-security-architecture` | Architecture | NIST SP 800-207 zero trust, IAM, cloud security posture |
| 6 | `ciso-incident-response` | Incident response / DFIR | NIST SP 800-61; ransomware, data breach and insider threat playbooks |
| 7 | `ciso-vulnerability-management` | Vulnerability management | CVSS+EPSS prioritisation, CISA KEV, 4-stage patch plan |
| 8 | `ciso-devsecops` | DevSecOps | SAST, DAST, SBOM, secrets scanning, 12-control pipeline audit |
| 9 | `ciso-security-awareness` | Security awareness | 6 training modules, phishing simulation, 8-metric KPI dashboard |
| 10 | `ciso-ai-security` | AI security | OWASP LLM Top 10, MITRE ATLAS, NIST AI RMF 1.0, EU AI Act 2024 |

## Skill coverage

| Skill | Invocation | What it does |
|-------|------------|--------------|
| `ciso-posture-review` | `/ciso-posture-review` | Full enterprise security posture review; dispatches all 9 specialists in parallel |
| `ciso-ai-security` | Load the skill | AI/LLM threat assessment plus governance gap analysis |
| `ciso-threat-model` | Load the skill | Builds MITRE ATT&CK-mapped threat scenarios for a single asset |
| `ciso-incident-response` | Load the skill | IR playbooks, tabletop exercises, DFIR checklists |

## MCP tools

20 MCP tools are provided for use in Claude Code and any MCP-compatible client:

| Tool | Description |
|------|-------------|
| `ciso_security_posture_review` | Full security posture review; delegates to all 9 specialists |
| `ciso_risk_assessment` | Builds a risk register with CVSS scores and treatment options |
| `ciso_compliance_gap_analysis` | Gap analysis against any supported compliance framework |
| `ciso_threat_modeling` | Builds threat scenarios mapped to MITRE ATT&CK |
| `ciso_incident_playbook` | Returns an IR playbook (ransomware / data breach / insider threat) |
| `ciso_vulnerability_triage` | CVSS+EPSS triage with patch deadlines assigned from CISA KEV |
| `ciso_devsecops_audit` | 12-control CI/CD pipeline security audit |
| `ciso_ai_system_assessment` | OWASP LLM Top 10 assessment of an AI system |
| `ciso_ai_governance_assessment` | AI governance gap analysis (NIST AI RMF / EU AI Act / ISO-42001) |
| `ciso_swarm_status` | Queries live swarm agent status |
| + 10 more | (see `src/mcp-tools.ts` for the full list) |

## Installation

### Option 1: Claude Code agents and skills (recommended)

```bash
git clone https://github.com/sarfarazmunir/CISO-agents.git
cd CISO-agents

# Global: available in every Claude Code session
cp -r .claude/agents/ciso ~/.claude/agents/
cp -r .claude/skills/ciso-* ~/.claude/skills/
cp .claude/commands/ciso-posture-review.md ~/.claude/commands/

# Or project-scoped: available only in this project
cp -r .claude/agents/ciso /your/project/.claude/agents/
cp -r .claude/skills/ciso-* /your/project/.claude/skills/
```

### Option 2: TypeScript API

```bash
git clone https://github.com/sarfarazmunir/CISO-agents.git
cd CISO-agents
npm install
```

```ts
import { CISOOrchestrator } from './src/ciso-orchestrator.js';

const orch = new CISOOrchestrator('my-org');
const report = await orch.runSecurityPostureReview({
  orgProfile: { industry: 'fintech', criticalAssets: ['payment-api'] },
  frameworks: ['SOC2-TypeII', 'PCI-DSS'],
});
console.log(report.executiveSummary);
```

### Option 3: symlinks (for contributors)

```bash
git clone https://github.com/sarfarazmunir/CISO-agents.git
cd CISO-agents
ln -s "$(pwd)/.claude/agents/ciso" ~/.claude/agents/ciso
ln -s "$(pwd)/.claude/skills/ciso-posture-review" ~/.claude/skills/ciso-posture-review
ln -s "$(pwd)/.claude/skills/ciso-ai-security" ~/.claude/skills/ciso-ai-security
ln -s "$(pwd)/.claude/skills/ciso-threat-model" ~/.claude/skills/ciso-threat-model
ln -s "$(pwd)/.claude/skills/ciso-incident-response" ~/.claude/skills/ciso-incident-response
```

See [INSTALL.md](INSTALL.md) for platform-specific instructions and verification steps.

## Quick start

### Full security posture review (Claude Code agents working together)

In any Claude Code session where the agents are installed:

```
Use ciso-queen to run a full security posture review for a fintech company.
Critical assets: payment-api, customer-db, auth-service. Compliance: SOC2-TypeII and PCI-DSS. The CI/CD pipeline has SAST and branch protection but no secrets scanning or container scanning. We deploy on AWS. MFA is enforced but we have no SIEM or EDR. We have a customer-facing LLM chatbot integrated with GPT-4 via API.
```

### Slash command

```
/ciso-posture-review
```

### TypeScript API

```bash
npx tsx examples/collection-integration.ts
```

See [USAGE.md](USAGE.md) for detailed usage patterns and examples for each agent and skill.

## Requirements

- **Claude Code**: latest version (`claude --version`)
- **Node.js**: 20.x or later (only needed for the TypeScript API)
- **npm**: 9.x or later (only needed for the TypeScript API)
- **Git**: 2.x or later

No external security tools are required. All agents and skills operate through Claude's reasoning and the domain knowledge built into the TypeScript orchestrator.

## Testing

```bash
npm install
npm test
# 21 tests pass across 3 suites:
# CISOSwarmPlugin (2), CISOOrchestrator (10), AISecurityAgent (9)
```

## Repository structure

```
CISO-agents/
├── src/                        # TypeScript orchestrator source
│   ├── agents/                 # 9 specialist agent classes
│   ├── ciso-orchestrator.ts    # Queen — coordinates all agents
│   ├── mcp-tools.ts            # 20 MCP tool definitions
│   ├── types.ts                # Shared type definitions
│   ├── plugin.ts               # ClaudeFlow plugin wrapper
│   └── index.ts                # Public exports
├── __tests__/                  # 21-test suite
├── .claude/
│   ├── agents/ciso/            # 10 Claude Code agent files
│   ├── skills/                 # 4 CISO skill files
│   └── commands/               # /ciso-posture-review command
└── examples/                   # Usage examples
```

## Deploying as a custom AI agent

To use the CISO orchestrator in a ChatGPT Custom GPT, Microsoft Copilot Studio or Claude Projects, copy the prebuilt system prompt from [AGENT_INSTRUCTIONS.md](AGENT_INSTRUCTIONS.md) and paste it into the instructions field of your agent builder.

| Platform | Where to paste |
|----------|----------------|
| ChatGPT Custom GPT | Explore GPTs → Create → Configure → Instructions |
| Microsoft Copilot Studio | Create Agent → Instructions tab |
| Claude Projects | Project → Project Instructions |

## Test prompts

Ready-made prompts for testing the agent in Claude Code, a ChatGPT Custom GPT or Microsoft Copilot Studio:

**Full posture review**

```
Run a full security posture review for a 300-person fintech company on AWS. We have MFA, a SIEM, and EDR deployed. We process payments and are subject to PCI-DSS and SOC2-TypeII. We recently deployed an internal GPT-4 chatbot with access to customer transaction data.
```

**Risk assessment**

```
Build a risk register for a healthcare SaaS company that stores PHI, uses third-party ML models for diagnostics, and has no PAM solution in place. Score and prioritise the top 10 risks.
```

**Compliance gap analysis**

```
Assess our compliance posture against GDPR, ISO-27001, and NIST-CSF. We have encryption in transit but not at rest, no formal data retention policy, and we share customer data with two EU-based subprocessors.
```

**Threat intelligence**

```
Who are the most likely threat actors targeting a UK-based law firm handling M&A deal data? Map the top 5 threats to MITRE ATT&CK techniques and recommend detection controls.
```

**Vulnerability triage**

```
Triage these CVEs and give me a patch plan: CVE-2024-3400 (CVSS 10.0), CVE-2023-44487 (CVSS 7.5), CVE-2024-21762 (CVSS 9.6, in CISA KEV), CVE-2023-20198 (CVSS 10.0). Which must be patched this week?
```

**Incident response**

```
Build a ransomware incident response playbook for a hospital with 5,000 endpoints. Include containment steps, backup validation, communication plan, and regulatory notification requirements under HIPAA.
```

**Zero trust and architecture**

```
Assess our zero trust posture. We use Azure AD with MFA, have no microsegmentation, all staff are on VPN, service accounts have standing admin access, and we have no UEBA. Where are the biggest gaps?
```

**DevSecOps pipeline audit**

```
Audit our CI/CD security. We use GitHub Actions with branch protection and PR reviews. We run SAST via CodeQL but have no secrets scanning, no SBOM generation, no container scanning, and no dependency review. Give us a findings table and a remediation pipeline template.
```

**AI / LLM security**

```
Assess the security of our internal RAG-based LLM assistant. It uses the Anthropic API, has tool-use enabled (can query our CRM and send emails), processes employee PII, and is internet-facing. Map risks to OWASP LLM Top 10 and tell us if we fall under the EU AI Act high-risk category.
```

**Security awareness training**

```
Design a 12-month security awareness programme for a 1,000-person retail company with high staff turnover. Include phishing simulation schedule, role-based training modules, and a KPI dashboard to present to the board.
```

**Board briefing**

```
Summarise our security posture for a board presentation. Overall risk score is 42/100, we have 3 critical open risks, SOC2 compliance at 67%, and a ransomware incident last quarter. What are the top 5 points the board needs to act on?
```

## Legal notice

This swarm is intended for **authorised security testing, research and educational purposes only**. You must obtain written authorisation from the system owner before using any capability against systems you do not own.

See [SECURITY.md](SECURITY.md) for the full responsible-use policy.

## License

[MIT](LICENSE) © 2026 Sarfaraz Muneer
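The README describes the `ciso_vulnerability_triage` tool as combining CVSS and EPSS and assigning patch deadlines from CISA KEV, and the "Vulnerability triage" test prompt above lists four CVEs with CVSS scores. The block below is an added example of that kind of triage logic, written for this page and not taken from the project's `src/`. The priority thresholds and SLA days are a hypothetical policy, not CISA's or the project's; the EPSS values, the KEV flags and the KEV due date for the sample CVEs are constructed from the prompt text as written (only `CVE-2024-21762` is flagged KEV there) and must be checked against the live FIRST EPSS feed and KEV catalog before use.

```typescript
// Added example (not the project's code): CVSS + EPSS + KEV triage with a
// hypothetical deadline policy. Sample scores below are constructed, not looked up.

interface Vuln {
  id: string;
  cvss: number;        // CVSS v3.1 base score, 0.0 to 10.0
  epss: number;        // EPSS probability of exploitation within 30 days, 0 to 1
  inKev: boolean;      // listed in the CISA Known Exploited Vulnerabilities catalog
  kevDueDate?: string; // ISO date from the KEV entry, when known
}

type Priority = "P1" | "P2" | "P3" | "P4";

interface TriageResult {
  id: string;
  priority: Priority;
  slaDays: number;
  dueDate: string;     // ISO date
  rationale: string;
}

// Hypothetical policy (an assumption for this example):
//   P1: in KEV, or CVSS >= 9.0 with EPSS >= 0.5 -> 7 days
//   P2: CVSS >= 7.0 and EPSS >= 0.1            -> 30 days
//   P3: CVSS >= 7.0 or  EPSS >= 0.1            -> 90 days
//   P4: everything else                         -> next regular cycle (180 days)
const SLA_DAYS: Record<Priority, number> = { P1: 7, P2: 30, P3: 90, P4: 180 };

function addDays(base: Date, days: number): string {
  const d = new Date(base.getTime());
  d.setUTCDate(d.getUTCDate() + days);
  return d.toISOString().slice(0, 10);
}

function prioritise(v: Vuln): Priority {
  // Reject malformed input rather than silently triaging it as low priority.
  if (v.cvss < 0 || v.cvss > 10 || v.epss < 0 || v.epss > 1) {
    throw new RangeError(`invalid score for ${v.id}`);
  }
  if (v.inKev || (v.cvss >= 9.0 && v.epss >= 0.5)) return "P1";
  if (v.cvss >= 7.0 && v.epss >= 0.1) return "P2";
  if (v.cvss >= 7.0 || v.epss >= 0.1) return "P3";
  return "P4";
}

function triage(vulns: Vuln[], today: Date): TriageResult[] {
  const rank: Record<Priority, number> = { P1: 0, P2: 1, P3: 2, P4: 3 };
  return vulns
    .map((v): TriageResult => {
      const priority = prioritise(v);
      let dueDate = addDays(today, SLA_DAYS[priority]);
      let rationale = `cvss=${v.cvss} epss=${v.epss}`;
      if (v.inKev) {
        rationale += " KEV";
        // A KEV due date earlier than the internal SLA wins; never extend past it.
        if (v.kevDueDate && v.kevDueDate < dueDate) dueDate = v.kevDueDate;
      }
      return { id: v.id, priority, slaDays: SLA_DAYS[priority], dueDate, rationale };
    })
    // Highest priority first, then earliest deadline.
    .sort((a, b) => rank[a.priority] - rank[b.priority] || a.dueDate.localeCompare(b.dueDate));
}

// Constructed sample: CVSS values from the README prompt; EPSS, KEV flags and the
// KEV due date are made up for illustration.
const SAMPLE_VULNS: Vuln[] = [
  { id: "CVE-2024-3400",  cvss: 10.0, epss: 0.90, inKev: false },
  { id: "CVE-2023-44487", cvss: 7.5,  epss: 0.30, inKev: false },
  { id: "CVE-2024-21762", cvss: 9.6,  epss: 0.60, inKev: true, kevDueDate: "2024-02-16" },
  { id: "CVE-2023-20198", cvss: 10.0, epss: 0.40, inKev: false },
];
const SAMPLE_TODAY = new Date("2024-02-12T00:00:00Z");

function runSample(): TriageResult[] {
  return triage(SAMPLE_VULNS, SAMPLE_TODAY);
}

for (const r of runSample()) {
  console.log(`${r.priority} ${r.id} due ${r.dueDate} (${r.rationale})`);
}
```

With the constructed input, the KEV entry comes out first because its catalog due date is earlier than the 7-day SLA, and a CVSS 10.0 vulnerability with a low EPSS score lands in P2 rather than P1, which is the point of weighting CVSS with EPSS instead of sorting by base score alone.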
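The architecture section above describes the CISO queen delegating to all nine specialists in parallel and synthesising a single `SecurityPostureReport`. The block below is an added example of that fan-out and synthesis pattern, written for this page and not the project's `CISOOrchestrator`. It shows the part a practitioner cares about in an orchestrator: a per-worker timeout so one hung specialist cannot stall the review, partial-failure handling so the report states which domains were not assessed, and a deterministic score. The specialist stand-ins, the severity weights, the organisation context and the findings they emit are all constructed for illustration and loosely mirror the quick-start prompt.

```typescript
// Added example (not the project's CISOOrchestrator): parallel fan-out to
// specialists with timeouts, partial-failure handling and report synthesis.

type Severity = "critical" | "high" | "medium" | "low";

interface Finding { domain: string; title: string; severity: Severity }

interface OrgContext { industry: string; criticalAssets: string[]; controls: string[] }

interface Specialist { name: string; run: (ctx: OrgContext) => Promise<Finding[]> }

interface SecurityPostureReport {
  riskScore: number;                           // 0 (worst) to 100 (best), assumed scale
  findings: Finding[];
  completed: string[];                         // specialists that answered in time
  failed: { name: string; reason: string }[];  // specialists that threw or timed out
  executiveSummary: string;
}

// Assumed weights: each finding subtracts from a 100-point baseline.
const WEIGHT: Record<Severity, number> = { critical: 25, high: 10, medium: 4, low: 1 };

function withTimeout<T>(p: Promise<T>, ms: number, name: string): Promise<T> {
  let timer: ReturnType<typeof setTimeout> | undefined;
  const timeout = new Promise<never>((_, reject) => {
    timer = setTimeout(() => reject(new Error(`${name} timed out after ${ms}ms`)), ms);
  });
  return Promise.race([p, timeout]).finally(() => { if (timer) clearTimeout(timer); });
}

// Pure synthesis step: turns settled worker results into the report.
function synthesise(names: string[], settled: PromiseSettledResult<Finding[]>[]): SecurityPostureReport {
  const findings: Finding[] = [];
  const completed: string[] = [];
  const failed: { name: string; reason: string }[] = [];
  settled.forEach((r, i) => {
    if (r.status === "fulfilled") { completed.push(names[i]); findings.push(...r.value); }
    else failed.push({ name: names[i], reason: String(r.reason?.message ?? r.reason) });
  });
  const penalty = findings.reduce((acc, f) => acc + WEIGHT[f.severity], 0);
  const riskScore = Math.max(0, 100 - penalty);
  const critical = findings.filter((f) => f.severity === "critical").length;
  const gaps = failed.length ? `; not assessed: ${failed.map((f) => f.name).join(", ")}` : "";
  const executiveSummary =
    `Risk score ${riskScore}/100; ${findings.length} findings (${critical} critical) ` +
    `from ${completed.length}/${names.length} specialists${gaps}.`;
  return { riskScore, findings, completed, failed, executiveSummary };
}

async function runPostureReview(ctx: OrgContext, specialists: Specialist[], timeoutMs: number): Promise<SecurityPostureReport> {
  // The queen fans out to every specialist at once; allSettled keeps one failure
  // from discarding the answers of the others.
  const settled = await Promise.allSettled(
    specialists.map((s) => withTimeout(s.run(ctx), timeoutMs, s.name)),
  );
  return synthesise(specialists.map((s) => s.name), settled);
}

// Constructed context, loosely following the quick-start prompt.
const SAMPLE_CONTEXT: OrgContext = {
  industry: "fintech",
  criticalAssets: ["payment-api", "customer-db", "auth-service", "llm-chatbot"],
  controls: ["sast", "branch-protection", "mfa"],
};

// Constructed specialist stand-ins; the real agents are prompt files, not code.
const SAMPLE_SPECIALISTS: Specialist[] = [
  { name: "ciso-devsecops", run: async (ctx) => {
      const out: Finding[] = [];
      if (!ctx.controls.includes("secrets-scanning")) out.push({ domain: "devsecops", title: "No secrets scanning in CI", severity: "high" });
      if (!ctx.controls.includes("container-scanning")) out.push({ domain: "devsecops", title: "No container image scanning", severity: "high" });
      return out;
  } },
  { name: "ciso-security-architecture", run: async (ctx) => {
      const out: Finding[] = [];
      if (!ctx.controls.includes("edr")) out.push({ domain: "architecture", title: "No EDR on endpoints", severity: "critical" });
      if (!ctx.controls.includes("siem")) out.push({ domain: "architecture", title: "No SIEM or central log analysis", severity: "high" });
      return out;
  } },
  { name: "ciso-ai-security", run: async (ctx) =>
      ctx.criticalAssets.includes("llm-chatbot")
        ? [{ domain: "ai-security", title: "Customer-facing LLM with no documented prompt-injection controls", severity: "medium" }]
        : [] },
  // Failure mode under test: a worker that never answers, to exercise the timeout path.
  { name: "ciso-threat-intelligence", run: () => new Promise<Finding[]>(() => {}) },
];

function runSample(): Promise<SecurityPostureReport> {
  return runPostureReview(SAMPLE_CONTEXT, SAMPLE_SPECIALISTS, 100);
}

runSample().then((report) => console.log(report.executiveSummary));
```

The report records the hung specialist under `failed` and says so in the summary rather than presenting three domains' findings as a complete review; a posture report that silently omits threat intelligence because the worker timed out is worse than one that states the gap.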