Prometheus XP is an offensive AI swarm system for security testing. It uses dozens of autonomous agents to automatically probe targets, plan attack paths, execute attack paths, and coordinate agents to automate the entire process.
The system uses LLMs plus a separate unified memory layer so attacks can improve and issue follow-up decisions over time. The retro Windows 95/XP shell operates as a local control panel for watching AI agents, their responses, tool calls, and more.
Annoying Legal Message from Clippy:
"Use this only on systems you own or are explicitly authorized to test. Keep
Dry runenabled unless your scope and permission are clear."
The swarm page shows each agent as its own draggable terminal. This is the visual layer over the real swarm runner: each terminal maps to a role in the backend pipeline, and the lower SWARMCNTRL.CPL panel controls target, scope, preset, dry run, and adaptive improvement.
The dashboard gives a campaign overview, active scan counts, finding totals, severity distribution, and per-agent readiness. It is meant to be the first stop after launching the API.
The findings page behaves like a retro document manager. Local markdown reports and live API memos appear as papers on the left; selecting one opens the generated report in a Word 97 style reader.
Prometheus XP is useful when you want an automated testing system that includes custom reasoning and follow ups on exposed vulnerabilities.
It helps with:
- Running repeatable, scoped security checks from a single local dashboard.
- Comparing classic sequential scans against a multi-agent swarm workflow.
- Watching which agents are active, idle, or reporting errors during a campaign.
- Keeping prompts, responses, findings, and generated reports close to the same UI.
- Preserving evidence and report output in local
reports/and campaign state. - Testing safely with dry-run mode before allowing any command execution.
Prometheus XP has four main layers:
Next.js UI
-> Go HTTP API and WebSocket stream
-> scan engine or swarm engine
-> LLM providers, tool wrappers, reports, and local memory
The frontend lives in web/. It is a Next.js app themed like a Windows 95/XP control panel.
Important pages:
/- dashboard and campaign summary./scan- classic scan launcher./swarm- multiagent terminal wall and swarm controls./campaigns- campaign history and live campaign views./findings- report and memo browser./settings- local settings surface./help- built-in help/readme page.
The sidebar identity uses the bundled w98_msagent.ico icon, the Clippy help prompt, and the local Windows 95/98 icon pack under web/public/win95-icons.
The API lives in internal/api. It exposes campaign, scan, findings, health, and live event endpoints. The UI talks to the API through /api/v1, and the development proxy sends those calls to the Go server on port 8081.
Health check:
curl http://127.0.0.1:8081/api/v1/healthExpected:
{"service":"prometheus","status":"ok"}The classic runner lives in internal/engine. It follows a predictable sequence:
recon -> classify -> plan -> execute if allowed -> report
Use this when you want a simpler, more linear workflow. The /scan page intentionally uses this classic path.
The swarm runner lives in internal/swarm and internal/engine/swarm_runner.go. It uses a blackboard scheduler. Agents wake up when new findings appear, then write their own outputs back to the shared board.
High-level swarm flow:
TARGET_REGISTERED
-> RECON
-> CLASSIFIER
-> CONFIRM
-> EXPLOIT
-> REPORT
Adaptive improvement is only for the swarm path. When enabled, failed exploit attempts can trigger an adapted plan pass, and successful findings can seed follow-up recon. It is more capable, but it can use more tokens.
cmd/prometheus- CLI entrypoint and API server launcher.cli- command line commands for scan, serve, config, report, playbooks, and helpers.internal/api- Go HTTP API and WebSocket event stream.internal/engine- classic scan runner and swarm runner.internal/swarm- blackboard scheduler, agents, pheromone tuning, adaptive improvement.internal/agent- recon, classifier, exploit, orchestrator, and report agents.internal/tools- wrappers for tools such ashttpx,subfinder,nuclei,nmap,katana,dnsx, and others.internal/llm- OpenAI-compatible, Anthropic, Ollama, and LM Studio provider plumbing.web- Windows 95/XP themed Next.js frontend.web/public/win95-icons- the retro.icoand image assets used by the shell.playbooks- built-in scan presets.config.example.yaml- safe config template with no secrets.docs/assets- README screenshots and repo images.
- Go
1.24+ - Node.js
20+ - npm
- An OpenAI or Anthropic API key, or an OpenAI-compatible local endpoint
- Optional security tools for richer recon.
./scripts/setup.shattempts to install these Go-installable tools automatically:subfinderhttpxnucleinaabukatanadnsxgauffufgowitness
These system/package-manager tools are still optional manual installs:
nmapgobustersqlmapamasstrufflehoggitleakssemgrep
The app still runs without every tool installed, but missing tools reduce scan depth.
This repository includes the full source needed to run Prometheus XP:
- Go backend/API source and migrations.
- Next.js frontend source and
package-lock.json. - Built-in playbooks and config templates.
- README screenshots in
docs/assets. - The selected Windows 95/98/XP icons and Clippy images the app uses.
- Setup/build scripts.
These are intentionally not committed:
- API keys or local secrets.
config.yaml.- Generated reports and drafts.
- Compiled binaries.
web/node_modules.- The full third-party Windows icon-pack clone.
The full icon-pack clone is not vendored because the local clone does not include a license file. The repo already bundles the specific .ico and image assets Prometheus XP needs to render the UI.
External recon/scanning tools are not vendored as binaries. Prometheus XP installs Go-based tools such as subfinder and nuclei during ./scripts/setup.sh when possible, and includes wrappers plus install hints for the rest. Run ./bin/prometheus doctor after setup to see what is missing on your machine.
git clone https://github.com/NlCK01/prometheus-xp.git
cd prometheus-xp
cp config.example.yaml config.yaml
./scripts/setup.shEdit config.yaml, or set an environment variable instead:
export PROMETHEUS_ORCHESTRATOR_API_KEY="your-api-key"For OpenAI:
export OPENAI_API_KEY="your-api-key"For Anthropic:
export ANTHROPIC_API_KEY="your-api-key"The frontend is configured to proxy /api/v1 to port 8081.
go build -o bin/prometheus ./cmd/prometheus
./bin/prometheus serve --port 8081In a second terminal:
cd web
npm install
npm run dev -- --port 3001Open:
Use /scan or:
./bin/prometheus scan example.com --scope example.com --dry-run --followClassic scan runs the sequential pipeline and keeps adaptive swarm behavior off.
Use /swarm or:
./bin/prometheus scan example.com --scope example.com --swarm --dry-run --followThis starts the blackboard swarm and displays the agent terminals in the UI.
All config.yaml values can be overridden with PROMETHEUS_ variables:
PROMETHEUS_ORCHESTRATOR_PROVIDER=openai
PROMETHEUS_ORCHESTRATOR_API_KEY=...
PROMETHEUS_SERVER_PORT=8081The frontend can use a direct API URL if you do not want the Next.js rewrite:
cd web
cp .env.example .env.local
echo 'NEXT_PUBLIC_API_URL=http://localhost:8081/api/v1' >> .env.localThese are intentionally not committed:
config.yaml.env*reports/drafts/bin/web/.next/web/node_modules/
Commit config.example.yaml, never your real key.
Backend:
go test ./internal/api ./internal/engine ./internal/swarm ./internal/swarm/agents ./internal/agent/exploitFrontend:
cd web
npm exec tsc -- --noEmit --incremental falsego build -o bin/prometheus ./cmd/prometheus
cd web
npm install
npm run buildThe UI uses local assets under web/public/win95-icons, including:
w98_msagent.ico- the PROMETHEUS.EXE sidebar agent icon.w98_connected_world.icow98_console_prompt.icow98_window_red_hilights.icow98_directory_control_panel_cool.icoclippy.pngprometheus-fire.png
Keep new retro assets in that folder so the app remains self-contained.
This repo is already configured for:
git remote add origin https://github.com/NlCK01/prometheus-xp.git
git push -u origin main