AEGIS: Autonomous Cyber-Defense

Autonomous real-time defense that detects AI-driven cyberattacks, classifies threat stages, and triggers kill-switches faster than humans can react

Comment

Inspiration

In November 2025, the first publicly documented AI-orchestrated cyberattack occurred. The attacker used an autonomous AI system to perform reconnaissance, scanning, exploit generation, credential harvesting, and exfiltration with 80–90% automation. This event made one thing clear: If AI can perform cyberattacks autonomously, cybersecurity defense must also become autonomous.

Zyberpol AEGIS was inspired by this shift — to build a defender specifically for the agentic era, capable of identifying AI-generated attack patterns and responding faster than humans can react.

What it does

AEGIS is an autonomous cyber-defense agent that: • Detects multi-stage attack fingerprints (recon → scan → exploit → credential-harvest → exfil). • Performs real-time rate analysis and pattern detection. • Activates autonomous countermeasures: kill-switch, credential rotation, and quarantine. • Uses BrowserUse to replay the exploit path for investigation. • Uses Claude to generate a full forensic summary and timeline. • Shows all incidents in a live TUI dashboard. • Sends anomaly and error signals to Sentry.

It is built to counter AI agents with an AI-powered defense loop.

How we built it

We built AEGIS as a multi-agent system running inside Daytona: • A simulated attacker agent triggers realistic multi-stage AI attack behavior. • A detector engine consumes events, performs pattern recognition, and calculates threat confidence. • Responder agents activate kill-switch actions, mock credential rotation, and environment quarantine. • BrowserUse reconstructs the exploit flow for audit purposes. • Claude generates structured incident reports and forensic summaries. • Sentry captures anomalies, spikes, and errors during the simulated intrusion. • Galileo stores reasoning traces and allows quality evaluation of analyses. • A Rich TUI dashboard displays real-time threat updates.

All components run inside an isolated Daytona workspace to ensure safety and reproducibility.

Challenges we ran into • Getting multiple sponsor tools to work together in a single loop under time pressure. • Ensuring real-time detection while maintaining deterministic behavior for the live demo. • Managing thread-safe event processing and avoiding race conditions. • Designing a kill-switch structure that is realistic but safe for a hackathon environment. • Integrating BrowserUse actions reliably inside the container. • Creating a clean and understandable visualization for judges in just one day.

Accomplishments that we’re proud of • Built a functioning autonomous defense system in under 6 hours. • Integrated all major sponsor tools meaningfully: Daytona, BrowserUse, Claude, Sentry, Galileo, CodeRabbit. • Successfully recreated an AI-orchestrated attack chain and defended against it. • Delivered a live replay of the exploit path using BrowserUse. • Generated real-time forensic reports using Claude. • Created a TUI dashboard that visualizes active threats. • Provided a safety-aware design aligned with modern cybersecurity practices.

What we learned • Agentic attacks move faster than any human can monitor — real defense must also be autonomous. • Sentry is extremely effective for multi-threaded anomaly detection during attack bursts. • BrowserUse allows reproducible exploit replay sequences, which is invaluable for investigations. • Claude can serve as a strong reasoning engine for forensic summarization. • Galileo is useful for evaluating reasoning consistency and identifying anomalies in LLM-driven outputs. • Daytona workspaces make it easy to isolate, run, and present an agentic system safely.

What’s next for AEGIS: Autonomous Cyber-Defense • Multi-agent coordination between multiple AI defenders. • Integration with real SOC pipelines for production-grade deployments. • Autonomous patch generation and self-healing actions. • Extending detection to cover LLM jailbreaks, tool-use abuse, and supply-chain attacks. • Real-time dashboard with heatmaps and threat timelines. • Training on real telemetry datasets for more accurate fingerprinting. • Expanding to cloud-native, multi-region defense clusters.

Built With

Share this project:

Updates