Cyber Agents: Technical Architecture

Architecture Overview

Cyber Agents is built on three foundational pillars: a multi-agent system with specialized roles, a shared knowledge Blackboard for real-time coordination, and an intelligent Attack Tree engine that drives strategic decision-making with automatic backtracking.

The Blackboard Architecture

The Blackboard is a shared knowledge space where all 58 agents read and write information. It serves as the central nervous system of Cyber Agents.

When an agent discovers a new host, open port, running service, credential, or vulnerability, it posts this finding to the Blackboard with structured metadata. Other agents subscribe to relevant categories. An exploitation agent watching for new vulnerability findings will immediately pick up work posted by enumeration agents. The Moderator Agent monitors the Blackboard for conflicting findings, duplicate efforts, and resource contention, ensuring efficient operation even with 58 concurrent agents.

This architecture enables emergent collaboration — complex multi-step attacks that no single agent could orchestrate alone arise naturally from the interaction of specialists sharing a common knowledge base.

The Moderator Agent

The Moderator Agent is the conductor of the Cyber Agents orchestra. It does not perform any offensive actions itself. Instead, it allocates tasks to the most appropriate specialist agent based on current findings and phase. It manages agent priorities to focus effort on the most promising attack paths. It monitors progress across all 9 phases, ensuring no phase is skipped or neglected. It triggers backtracking when the Attack Tree indicates a dead end, redirecting agents to alternative branches. And it enforces rules of engagement defined during the pre-engagement phase.

The Attack Tree Engine

At the heart of Cyber Agents’ strategic intelligence is the Attack Tree — a dynamic, hierarchical representation of all known and potential attack paths through the target environment.

As the engagement progresses, the Attack Tree grows. Each new finding — a host, service, vulnerability, credential — creates new branches in the tree, representing potential next steps. The engine continuously evaluates which branches are most promising based on the likelihood of success, potential impact, and current phase objectives.

When an agent exhausts a branch — exploitation fails, access is denied, a service is patched — the engine automatically backtracks to the nearest viable decision point and selects the next most promising branch. The combination of tree expansion and backtracking ensures that Cyber Agents explores the attack surface with the thoroughness of an expert pentester who systematically tries every viable approach.

This is fundamentally different from the linear playbook approach used by most automated tools. Cyber Agents doesn’t follow a script — it reasons about the best path forward, adapts when things don’t work, and always has a fallback strategy.