March 15, 2026 · 4 min read

Building CIPHER: A Security Engineering Assistant That Actually Knows Things

Tags: security, ai, python, rag, claude, open-source

The Problem

Security work involves a lot of context switching. One minute you're writing a Sigma detection rule, the next you're reviewing a threat model, then someone asks about GDPR Article 33 notification timelines. Every task pulls from a different part of your brain and a different set of references.

I kept finding myself reaching for the same resources - MITRE ATT&CK mappings, hardening checklists, incident response playbooks, detection engineering patterns. I had bookmarks, notes, cheat sheets scattered everywhere. What I wanted was one tool that had all of it loaded and ready to go, that could think at a senior practitioner level across the full security domain.

So I built one.

What CIPHER Is

CIPHER - Claude Integrated Privacy & Hardening Expert Resource - is a security engineering assistant. It has 96 deep-dive knowledge documents covering offensive security, defensive operations, DFIR, architecture, privacy engineering, governance, and more. Each doc is a dense reference - not a tutorial, not a blog post, but the kind of material you'd want a senior security engineer to have internalized.

The knowledge base feeds into a RAG pipeline. 14,600+ chunks indexed in ChromaDB, with markdown-aware chunking that preserves section context. When you ask a question, the top-5 most relevant chunks get injected into the system prompt before the LLM sees your query. It's not hallucinating attack techniques - it's pulling from documented, verified material.
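An added example, not CIPHER's own code: a heading-aware chunker that stores each chunk with its section breadcrumb, then injects the top-k matches into the system prompt. The sample document, the function names, and the token-overlap ranking (standing in for ChromaDB vector search) are assumptions.

```python
import re
from collections import Counter

# Constructed sample (not from the CIPHER knowledge base); ~~~ marks a code fence.
DOC = """# Detection Engineering
Overview of detection patterns.
## Lateral Movement
### PsExec
PsExec installs a service named PSEXESVC on the target host.
~~~bash
# list recently installed services
~~~
### WMI
Remote WMI execution spawns children of WmiPrvSE.exe.
"""
HEADING = re.compile(r"^(#{1,6})\s+(.+)$")

def chunk_markdown(text):
    """Split at headings; each chunk carries its heading breadcrumb."""
    path, body, chunks, in_fence = [], [], [], False
    def flush():
        content = "\n".join(body).strip()
        if content:
            chunks.append({"section": " > ".join(path), "text": content})
        body.clear()
    for line in text.splitlines():
        if line.lstrip().startswith(("```", "~~~")):
            in_fence = not in_fence          # '#' inside code is not a heading
        m = None if in_fence else HEADING.match(line)
        if m:
            flush()
            del path[len(m.group(1)) - 1:]   # drop same-level and deeper headings
            path.append(m.group(2).strip())
        else:
            body.append(line)
    flush()
    return chunks

def tokens(s):
    return Counter(re.findall(r"[a-z0-9]+", s.lower()))

def top_k(query, chunks, k=5):
    """Token-overlap ranking: an assumed stand-in for vector similarity search."""
    q = tokens(query)
    scored = [(sum((q & tokens(c["section"] + " " + c["text"])).values()), c) for c in chunks]
    return [c for s, c in sorted(scored, key=lambda p: -p[0]) if s > 0][:k]

def build_system_prompt(base, query, chunks, k=5):
    ctx = "\n\n".join(f"[{c['section']}]\n{c['text']}" for c in top_k(query, chunks, k))
    return f"{base}\n\nReference material:\n{ctx}"
```

For the query "how do I detect lateral movement via PsExec", the WMI chunk is retrieved even though its body never mentions lateral movement, because the breadcrumb is indexed with the text.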

How It Works

There are 7 operating modes - RED, BLUE, PURPLE, PRIVACY, RECON, INCIDENT, ARCHITECT. Each mode adjusts the system prompt and retrieval focus. Mode detection is automatic based on your query. Ask about Kerberoasting and you're in RED mode. Ask about Sigma rules and you're in BLUE. Ask about GDPR and you're in PRIVACY. If it's ambiguous, it asks.

The gateway architecture routes queries through three layers: mode detection, prompt assembly with skill file injection, and RAG retrieval. Then it hits either Ollama (local, free) or Claude API (cloud, better for complex queries). The --smart flag auto-routes - simple tactical queries go local, complex architectural questions go to Claude.

```bash
# Ask anything
cipher "how do I detect lateral movement via PsExec"

# Auto-route backends
cipher --smart "design a zero trust architecture for multi-cloud"

# Terminal dashboard
cipher dashboard

# Health check
cipher doctor
```
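The mode-detection and --smart routing steps described above, as an added example that is not taken from the CIPHER code base. The keyword sets, the function names, and the rule that only ARCHITECT-mode queries count as complex are assumptions.

```python
import re

# Hypothetical keyword sets. The post names the seven modes and three sample
# mappings (Kerberoasting, Sigma, GDPR); every other keyword here is assumed.
MODE_KEYWORDS = {
    "RED": {"kerberoasting", "exploit", "payload"},
    "BLUE": {"sigma", "detection", "hardening"},
    "PURPLE": {"emulation", "purple"},
    "PRIVACY": {"gdpr", "dpia", "consent"},
    "RECON": {"osint", "enumeration", "subdomain"},
    "INCIDENT": {"breach", "containment", "triage"},
    "ARCHITECT": {"architecture", "design", "segmentation"},
}

def detect_mode(query):
    """Return (mode, candidates); mode is None when no single mode wins."""
    words = set(re.findall(r"[a-z0-9]+", query.lower()))
    scores = {m: len(words & kw) for m, kw in MODE_KEYWORDS.items()}
    best = max(scores.values())
    candidates = sorted(m for m, s in scores.items() if s == best and best > 0)
    return (candidates[0] if len(candidates) == 1 else None), candidates

def route(query, smart=False, default="ollama"):
    """Model of --smart: ARCHITECT-mode queries go to Claude, the rest stay local.
    The complexity test is an assumption; the post does not give the real one."""
    mode, candidates = detect_mode(query)
    if mode is None:
        # Ambiguous or unrecognised query: ask the user instead of guessing.
        return {"action": "ask", "candidates": candidates}
    backend = "claude" if smart and mode == "ARCHITECT" else default
    return {"action": "answer", "mode": mode, "backend": backend}
```

A query such as "Sigma rule for Kerberoasting" ties RED and BLUE, so `route` returns the "ask" action with both candidates.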

The Slash Commands

For Claude Code users, CIPHER ships as 28 slash commands organized by domain:

  • Offensive: /cipher:redteam, /cipher:web, /cipher:phishing, /cipher:malware
  • Defensive: /cipher:hunt, /cipher:sigma, /cipher:hardening, /cipher:forensics
  • Architecture: /cipher:threatmodel, /cipher:cloud, /cipher:crypto, /cipher:devsecops
  • Intel: /cipher:threatintel, /cipher:cve, /cipher:recon, /cipher:aisec

Each command activates the relevant mode and skill files. You stay in your terminal, in your flow. No context switching to a browser or a different tool.

The Knowledge Base on blacktemple.net

The 96 knowledge docs now live on blacktemple.net/cipher as a browsable knowledge base. Three-column layout with a collapsible sidebar, scroll-spy table of contents, and prev/next navigation between articles. Same cyberpunk aesthetic as the rest of the site.

Building this was an interesting problem. The docs are plain markdown, not MDX - so they couldn't go through Contentlayer like the blog posts. I built an independent remark/rehype pipeline that processes them at build time. Syntax highlighting, heading anchors, copy buttons on code blocks - all the things you'd expect from a docs site, but rendered natively in Next.js instead of fighting MkDocs into a different visual identity.

The KB cross-links with the blog too. Posts about SQL injection link to the web security knowledge doc. The forensics docs link back to relevant breach coverage. 214 blog posts mapped to KB articles, 32 KB articles linked back. It connects the daily news with the reference material.

The Stack

  • Python 3.10+ for the gateway, CLI, and RAG pipeline
  • ChromaDB for vector storage and retrieval
  • Ollama (qwen2.5:32b) for local inference
  • Claude API (Sonnet) for complex queries
  • Rich for the terminal dashboard UI
  • 318 tests covering mode routing, RAG quality, architecture guardrails

The whole thing installs with pip install cipher-security or a one-liner curl script.

What's Next

The knowledge base keeps growing. The RAG pipeline auto-reindexes when docs change. The Claude Code slash commands keep getting new domains. The Signal bot integration is in progress for mobile access.

The goal hasn't changed since the first skill file - be the last security tool a professional needs. Every interaction should leave the operator more capable, better informed, and faster to action.
