
Cyntrisec Cli

Local-first AWS security analyzer that discovers attack paths and generates remediations using graph theory.

security, aws
By cyntrisec
33 | Updated 1 month ago | Python | Apache-2.0

Installation

npx -y cyntrisec-cli

Configuration

{
  "mcpServers": {
    "cyntrisec-cli": {
      "command": "npx",
      "args": ["-y", "cyntrisec-cli"]
    }
  }
}

How to use

  1. Run the installation command above (if needed)
  2. Open your Claude Code settings file (~/.claude/settings.json)
  3. Add the configuration to the mcpServers section
  4. Restart Claude Code to apply changes

Cyntrisec CLI


<!-- mcp-name: io.github.cyntrisec/cyntrisec -->

Historical pre-company project. cyntrisec-cli was created before Cyntrisec narrowed its company focus to EphemeralML and AIR v1. It is not a current Cyntrisec product, support surface, or commercial offering. The PyPI package name cyntrisec, CLI command cyntrisec, and MCP server ID io.github.cyntrisec/cyntrisec are retained only to avoid breaking historical installs.


[!CAUTION] Historical Software Disclaimer: This tool is no longer an active Cyntrisec product. It is provided "as is", without warranty of any kind. While the CLI is a read-only analysis tool by default, the user assumes all responsibility for any actions taken based on its findings. Always review generated remediation plans and Terraform code before application.

Historical AWS capability graph analysis and attack path discovery CLI.

A read-only CLI tool that historically:

  • Scans AWS infrastructure via AssumeRole
  • Builds a capability graph (IAM, network, dependencies)
  • Discovers attack paths from internet to sensitive targets
  • Prioritizes fixes by ROI (security impact + cost savings)
  • Identifies unused capabilities (blast radius reduction)
  • Outputs deterministic JSON with proof chains

Demo


Watch how to discover attack paths and generate fixes using natural language with Claude MCP.

Architecture

+----------------------------------------------------------------------------------+
|                                   CYNTRISEC CLI                                   |
+----------------------------------------------------------------------------------+
| CLI Layer (Typer)                                                                 |
|   scan   analyze   cuts   waste   report   comply   can   diff   serve   ...      |
+-----------------------------+----------------------------------------------------+
| Core Engine                 | Storage (local)                                     |
|  - AWS collectors           |  ~/.cyntrisec/scans/<scan_id>/                      |
|  - Normalization/schema     |    snapshot.json, assets.json, relationships.json   |
|  - GraphBuilder -> AwsGraph |    findings.json, attack_paths.json                 |
|  - Path search -> paths     |  ~/.cyntrisec/scans/latest -> <scan_id>             |
|  - Min-cut + Cost (ROI)     |  (Windows fallback: latest is a file)               |
+-----------------------------+----------------------------------------------------+
| Outputs: JSON/agent, HTML report, remediation plan + Terraform hints              |
+----------------------------------------------------------------------------------+

Data Flow

CLI (scan) --AssumeRole--> AWS Session --Describe/Get/List--> AWS APIs (read-only)
     |
     v
Collectors -> normalize -> Assets + Relationships -> AwsGraph
                                                |
                                                v
                                   Attack path search (BFS/DFS)
                                                |
                                                v
                                   Min-cut (remediation cuts)
                                                |
                                                v
                                      Cost engine (ROI)

Local artifacts: ~/.cyntrisec/scans/<scan_id>/*.json
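
An added illustration of the Data Flow above (not cyntrisec's own code): BFS finds a path from an internet entry point to a sensitive target on a constructed graph, and a unit-capacity min-cut returns the fewest edges whose removal severs every such path. The asset names are hypothetical, Edmonds-Karp is an assumed algorithm choice, and the cost/ROI weighting is left out.

```python
from collections import deque

# Constructed capability graph (hypothetical asset names, not cyntrisec output).
# An edge (u, v) means "u can reach or act on v".
EDGES = [("internet", "alb"), ("internet", "bastion"), ("alb", "web-ec2"),
         ("bastion", "web-ec2"), ("web-ec2", "app-role"),
         ("app-role", "customer-db"), ("app-role", "logs-bucket")]

def residual(edges):
    """Unit-capacity residual graph: forward edges 1, reverse edges 0."""
    cap = {}
    for u, v in edges:
        cap.setdefault(u, {})[v] = 1
        cap.setdefault(v, {}).setdefault(u, 0)
    return cap

def bfs(cap, src):
    """Parent map of every node reachable from src over edges with capacity left."""
    parent, queue = {src: None}, deque([src])
    while queue:
        u = queue.popleft()
        for v, c in cap.get(u, {}).items():
            if c > 0 and v not in parent:
                parent[v] = u
                queue.append(v)
    return parent

def path_to(parent, dst):
    """Walk the parent map back from dst; None if dst was never reached."""
    if dst not in parent:
        return None
    path = [dst]
    while parent[path[-1]] is not None:
        path.append(parent[path[-1]])
    return path[::-1]

def attack_path(edges, src, dst):
    """Shortest src -> dst path in the capability graph, or None."""
    return path_to(bfs(residual(edges), src), dst)

def min_cut(edges, src, dst):
    """Fewest edges to remove so dst is unreachable from src (Edmonds-Karp)."""
    cap = residual(edges)
    while src != dst and (path := path_to(bfs(cap, src), dst)):
        for u, v in zip(path, path[1:]):  # push one unit of flow along the path
            cap[u][v] -= 1
            cap[v][u] += 1
    source_side = bfs(cap, src)  # nodes still reachable once flow is saturated
    return [(u, v) for u, v in edges if u in source_side and v not in source_side]
```

On this graph both entry points converge on web-ec2, so a single cut at the web-ec2 to app-role edge removes every path to customer-db.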

Installation

pip install cyntrisec

Windows PATH Fix

If you see "cyntrisec is not recognized", the Scripts folder isn't on PATH:

# Option 1: Run with python -m
python -m cyntrisec --help

# Option 2: Add to PATH for current session
$env:PATH += ";$env:APPDATA\Python\Python311\Scripts"

Quick Start

Prerequisite: Ensure you have the AWS CLI installed and configured with credentials (e.g., aws configure), or have the AWS environment variables set. terraform is required for the setup step.

# 1. Create the read-only IAM role in your account
cyntrisec setup iam 123456789012 --output role.tf

# 2. Apply the Terraform
cd your-infra && terraform apply

# 3. Run a scan
cyntrisec scan --role-arn arn:aws:iam::123456789012:role/CyntrisecReadOnly

# 4. View attack paths
cyntrisec analyze paths --min-risk 0.5

# 5. Find minimal fixes (prioritized by ROI)
cyntrisec cuts --format json

# 6. Generate HTML report
cyntrisec report --output report.html

Commands

Core Analysis

| Command | Description |
|---|---|
| scan | Scan AWS infrastructure |
| analyze paths | View attack paths |
| analyze findings | View security findings |
| analyze stats | View scan statistics |
| analyze business | Business entrypoint analysis |
| report | Generate HTML/JSON report |

Setup & Validation

| Command | Description |
|---|---|
| setup iam | Generate IAM role Terraform |
| validate-role | Validate IAM role permissions |

Remediation

| Command | Description |
|---|---|
| cuts | Find minimal fixes (Cost & ROI prioritized) |
| waste | Find unused IAM permissions |
| remediate | Generate or optionally apply Terraform plans (gated) |

Policy Testing

| Command | Description |
|---|---|
| can | Test "can X access Y?" |
| diff | Compare scan snapshots |
| comply | Check CIS AWS / SOC2 compliance |

Agentic Interface

CommandDescription
`man
