Modern incident triage for CyberPanel:
- 🧰 Legacy bash cleanup scripts (basic & advanced)
- 🤖 Cyberzard — an AI‑assisted, safety‑constrained CLI for scanning, explaining, and planning remediation
- 📚 Docs: https://elwizard33.github.io/Cyberzard/
- 🧪 Try Cyberzard: see “Install & Use” below
- 🗺️ Roadmap: ROADMAP.md
- 🐞 Issues Guide: ISSUE_GUIDE.md
- 📜 License: MIT
Experimental preview. Interfaces may change until v0.1.
| Area | What you get |
|---|---|
| Multi‑source scanning | Files, processes, cron, services, users, SSH keys, encrypted files |
| Severity scoring | Critical/High/Medium/Low with rationale |
| Evidence preservation | Optional hashing/archiving prior to actions |
| Dry‑run planning | Generate remediation plan JSON first |
| AI reasoning (optional) | Summaries, prioritization, advice (OpenAI/Anthropic/xAI/none) |
| ReAct loop | Safe tool schema, sandboxed helpers |
| Output | Pretty tables + JSON |
| Chat mode | Interactive, permission‑aware assistant |
| TUI (optional) | Simple terminal UI for scan results |
| Email stack hardening | scan + AI summary + guided execution |

```bash
# Basic install
pip install cyberzard
# With AI provider extras
pip install cyberzard[openai]     # OpenAI support
pip install cyberzard[anthropic]  # Anthropic Claude support
pip install cyberzard[xai]        # xAI Grok support
pip install cyberzard[providers]  # All AI providers
pip install cyberzard[all]        # Everything (AI + TUI + MCP)
```

With pipx (recommended for CLI tools - isolated environment):

```bash
pipx install cyberzard
pipx install 'cyberzard[openai]'
```

With uv (fast modern package manager):

```bash
uv tool install cyberzard
# Or run without installing:
uvx cyberzard scan
```

```bash
bash -c "$(curl -fsSL https://raw.githubusercontent.com/elwizard33/Cyberzard/main/scripts/install.sh)"
```

Upgrade later:

```bash
# PyPI upgrade
pip install --upgrade cyberzard
# Binary upgrade
cyberzard --upgrade                 # quick upgrade using global flag
cyberzard upgrade --channel stable  # explicit upgrade command
```

```bash
git clone https://github.com/elwizard33/Cyberzard.git
cd Cyberzard
python3 -m venv .venv && source .venv/bin/activate
python -m pip install -U pip setuptools wheel
pip install -e .[openai]  # or .[anthropic] or .[dev]
```

Notes:
- PyPI: Available at https://pypi.org/project/cyberzard/
- Linux binaries: Pre-built binaries available on GitHub Releases
- macOS/Windows: Use PyPI install (`pip install cyberzard`)
Optional TUI (terminal UI):

```bash
pip install 'textual>=0.60'
cyberzard tui
```

Common commands:

```bash
# Scan and pretty print
cyberzard scan
# JSON findings
cyberzard scan --json > findings.json
# Advice (static + optional AI enrichment)
CYBERZARD_MODEL_PROVIDER=openai OPENAI_API_KEY=sk-... cyberzard advise
# Explain findings (AI)
OPENAI_API_KEY=sk-... cyberzard explain --provider openai
# Bounded reasoning loop (ReAct)
OPENAI_API_KEY=sk-... cyberzard agent "Top suspicious processes and rationale" --steps 4
# Interactive chat (permission‑aware)
cyberzard chat
cyberzard chat --auto-approve --max-probes 8
# Remediation (requires explicit flags)
cyberzard remediate --delete --kill --preserve
# n8n deployment assistant (generate + optional apply)
# Native (OpenLiteSpeed reverse-proxy):
cyberzard n8n-setup --domain example.com --subdomain n8n --mode native --basic-auth --out-dir ./out
# Cloudflare Tunnel (docker compose + cloudflared):
cyberzard n8n-setup --domain example.com --subdomain n8n --mode tunnel --out-dir ./out
# Write-only JSON summary (no apply):
cyberzard n8n-setup --domain example.com --mode native --write-only --out-dir ./out --overwrite
# Email security (scan + hardening preview)
cyberzard email-security --dry-run
# Execute guided (still dry-run by default until --no-dry-run)
cyberzard email-security --run --dry-run --max-risk medium
# Full remediation guide + optional execution
cyberzard email-fix --run --dry-run --max-risk low
# JSON output (no rich)
cyberzard email-security --json --run --dry-run
```

Troubleshooting
- Editable install error (missing build_editable hook): upgrade pip/setuptools/wheel in a venv, or use non‑editable install:
  - `python -m pip install -U pip setuptools wheel`
  - `pip install .[openai]` (or `.[anthropic]` or just `.`)

| Var | Purpose | Default |
|---|---|---|
| CYBERZARD_PROVIDER | openai, anthropic, xai, none | none |
| OPENAI_API_KEY | API key when provider=openai | — |
| ANTHROPIC_API_KEY | API key when provider=anthropic | — |
| XAI_API_KEY | API key when provider=xai | — |
| CYBERZARD_EVIDENCE_DIR | Evidence dir | /var/lib/cyberzard/evidence |
| CYBERZARD_DRY_RUN | Global dry‑run | true |
Check available providers:

```bash
cyberzard providers
```

- No raw shell; curated, allow‑listed tools only
- Dry‑run by default; explicit flags to delete/kill
- Reasoning step cap; sandboxed helpers
- AI optional; offline works fine
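
The constraints listed above (allow-listed tools only, dry-run by default, explicit flags for destructive actions, a reasoning step cap) expressed as a dispatcher. This is an added example, not Cyberzard's own code; `ALLOWED_TOOLS`, `run_plan`, `hash_file`, `delete_file` and the step format are assumptions made for illustration.

```python
import hashlib
import os
from typing import Callable, NamedTuple


class Tool(NamedTuple):
    func: Callable[..., str]
    destructive: bool = False


def hash_file(path: str) -> str:
    """Read-only helper: SHA-256 of a file, usable as an evidence record."""
    with open(path, "rb") as fh:
        return hashlib.sha256(fh.read()).hexdigest()


def delete_file(path: str) -> str:
    """Destructive helper: record the hash first, then remove the file."""
    digest = hash_file(path)
    os.remove(path)
    return f"deleted {path} (sha256 {digest})"


# Hypothetical registry: a name that is not listed here cannot be called at all,
# so a model-proposed "shell" step has nothing to dispatch to.
ALLOWED_TOOLS = {
    "hash_file": Tool(hash_file),
    "delete_file": Tool(delete_file, destructive=True),
}


def run_plan(steps, *, dry_run=True, allow_delete=False, max_steps=4):
    """Run model-proposed steps; returns one (status, detail) pair per step."""
    results = []
    for index, step in enumerate(steps):
        if index >= max_steps:  # bounded loop: stop after the step cap
            results.append(("halted", "step cap reached"))
            break
        name, args = step.get("tool"), step.get("args", {})
        tool = ALLOWED_TOOLS.get(name)
        if tool is None:
            results.append(("denied", f"{name!r} is not allow-listed"))
        elif tool.destructive and not allow_delete:
            results.append(("denied", f"{name} requires an explicit flag"))
        elif tool.destructive and dry_run:
            results.append(("planned", f"{name}({args})"))
        else:
            results.append(("ran", tool.func(**args)))
    return results
```

With the defaults, a plan that asks to delete a file is refused, and with `allow_delete=True` it is only recorded as planned until `dry_run=False` is also passed.
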
Cyberzard can act as an MCP server, exposing all its security tools to AI agents like Claude:

```bash
# Start MCP server (stdio transport for Claude Desktop)
cyberzard mcp
# Start with SSE transport for web clients
cyberzard mcp --transport sse --port 8080
# Start with streamable HTTP transport
cyberzard mcp --transport streamable-http --port 8080
```

Configure in Claude Desktop (claude_desktop_config.json):

```json
{
  "mcpServers": {
    "cyberzard": {
      "command": "cyberzard",
      "args": ["mcp"],
      "env": {}
    }
  }
}
```

Available tools via MCP:
- `scan_server` - Full security scan
- `read_file` - Safe file reading
- `propose_remediation` - Generate remediation plans
- CyberPanel management (websites, databases, email, DNS, SSL, backups, firewall)

Cyberzard integrates with CyberPanel's REST API for server management:

```bash
# Set CyberPanel credentials
export CYBERPANEL_HOST=https://your-server:8090
export CYBERPANEL_USER=admin
export CYBERPANEL_PASS=your-password
# Use via chat mode
cyberzard chat
```

```text
> List all websites on this server
> Create a new database called myapp_db
```

```python
# Or programmatically in Python
import asyncio
from cyberzard.cyberpanel import CyberPanelClient

async def main():
    client = CyberPanelClient()
    # list_websites() is awaited, so it has to run inside an event loop
    return await client.list_websites()

websites = asyncio.run(main())
```

Supported operations:
- Websites: List, create, delete, suspend/unsuspend
- Databases: List, create, delete MySQL/MariaDB databases
- Email: Accounts, forwarders, DKIM
- DNS: Records management
- SSL: Issue/renew certificates
- Firewall: CSF rules, block/unblock IPs
- Backups: Create, restore, schedule
The enhanced TUI provides a split-panel chat interface:

```bash
# Install TUI dependencies
pip install 'cyberzard[tui]'
# Run chat TUI
cyberzard chat --tui
# Or legacy scan TUI
cyberzard tui
```

Features:
- Split layout: Conversation on left, tools on right
- Real-time tool tracking: See tool calls as they execute
- Streaming responses: Watch AI responses as they generate
- Keyboard shortcuts: Ctrl+L (clear), Ctrl+T (toggle tools), q (quit)
Basic and Advanced bash scripts to triage and clean common artifacts from the November CyberPanel attacks.
| Capability | Basic | Advanced |
|---|---|---|
| Diagnostics (files, processes, encrypted files) | ✅ | ✅ |
| Cleanup of artifacts | ✅ | ✅ |
| User + SSH key audit | — | ✅ |
| Interactive confirmations | — | ✅ |
| Extra post‑hardening tips | — | ✅ |
Basic:

```bash
sudo bash -c "$(curl -fsSL https://raw.githubusercontent.com/elwizard33/Cyberzard/main/scripts/wizard_cleanup.sh)"
```

Advanced:

```bash
sudo bash -c "$(curl -fsSL https://raw.githubusercontent.com/elwizard33/Cyberzard/main/scripts/advanced_wizard_cleanup.sh)"
```

- `.psaux` files: `1-decrypt.sh`
- `.encryp` files: `encryp_dec.out`

Please read the Issue Guide before filing.
- Small, focused PRs with tests/docs updates are welcome
- Clearly document environment and reproduction steps
These tools are provided as‑is, without warranty. Validate outputs before acting in production. Maintain backups and snapshots.