Skip to main content

Network Isolation

Decepticon’s architecture is built on a fundamental principle: the management infrastructure and operational infrastructure share zero network access. Two isolated Docker networks enforce this separation:
┌─────────────────────────────────────┐     ┌──────────────────────────────────────┐
│        decepticon-net (mgmt)        │     │        sandbox-net (operational)      │
│                                     │     │                                      │
│  ┌─────────────┐ ┌──────────────┐  │     │  ┌──────────┐ ┌──────────────────┐  │
│  │  Agent API  │ │ LiteLLM Proxy│  │     │  │   Kali   │ │ Target Infra     │  │
│  │   Server    │ │              │  │     │  │ Sandbox  │ │ (Metasploitable, │  │
│  └─────────────┘ └──────────────┘  │     │  │          │ │  custom targets) │  │
│                                     │     │  └──────────┘ └──────────────────┘  │
│  ┌─────────────┐                   │     │                                      │
│  │  Database   │                   │     │  ┌──────────────────┐               │
│  └─────────────┘                   │     │  │ Sliver C2 Server │               │
│                                     │     │  │   (optional)     │               │
└─────────────────────────────────────┘     └──────────────────────────────────────┘
         │                                              ↑
         │         Docker Socket (not network)           │
         └──────────────────────────────────────────────┘
The LangGraph orchestrator reaches the sandbox exclusively via Docker socket — not the network. No management traffic flows into the operational network. No operational traffic flows back.

Management Network (decepticon-net)

Houses the control plane:
ComponentRole
LangGraph PlatformAgent orchestration, SSE streaming, lifecycle management
LiteLLM ProxyModel routing, provider fallback, API key management
PostgreSQLEngagement state, findings, objective tracking, OPPLAN persistence
Web DashboardNext.js operator interface (Soundwave interview, attack-graph canvas, OPPLAN tracker)
Neo4jKnowledge graph — bridges both networks so agents in the sandbox can write findings while the dashboard reads them from management

Operational Network (sandbox-net)

Houses everything that touches targets:
ComponentRole
Kali Linux SandboxFull offensive toolkit — nmap, Sliver client, sqlmap, Impacket, and more
Sliver C2 Team ServerCommand and control infrastructure (profile-based activation)
Target InfrastructureVictim machines — Metasploitable, custom targets, or VPN access to real environments

Dynamic Workload Lifecycle (opscontrol)

The default stack — LangGraph, LiteLLM, PostgreSQL, Neo4j, Skillogy, sandbox — is brought up once and stays running across engagements. Heavyweight specialist workloads (Sliver C2, BloodHound CE for Active Directory, reversing tooling, future Havoc / Mythic frameworks) are not in the default stack. Bringing them up by hand on every launch wastes minutes of cold-start time and burns RAM the operator never asked for. Instead, the agent decides when a workload is needed and asks for it on the fly (ADR-0006). The orchestrator calls a small set of tools:
ToolWhat it does
ops_start("c2-sliver")Spin up the Sliver C2 stack (Sliver team server + supporting containers) on sandbox-net. Returns immediately with state: "starting".
ops_stop("c2-sliver")Graceful shutdown when the workload is no longer needed.
ops_status()Snapshot of every workload’s current state — used for polling fallbacks.
Behind the scenes:
  • A per-user opscontrol daemon owns the host’s Docker socket and runs Compose on the agent’s behalf. It is installed once as a systemd user unit (Linux) or a launchd LaunchAgent (macOS); the launcher falls back to spawning the daemon itself when no init system is available (Windows, WSL2 without systemd).
  • The daemon talks to the agent over a Unix domain socket at $DECEPTICON_HOME/run/ops.sock — never TCP. Network isolation is preserved.
  • A strict allowlist caps what the agent can spawn: ad, c2-sliver, c2-havoc, reversing, cloud, mobile, phishing, forensics, ics, iot, supply-chain, wireless. Anything outside the list is rejected.
  • When state changes (starting → running, running → exited, etc.), an OpsControlNotificationMiddleware injects the new state into the agent’s next turn automatically — the agent does not poll.
Operators can override on .env: setting COMPOSE_PROFILES=cli,c2-sliver,ad,reversing brings the listed workloads up at launch (useful for CI regression runs). For day-to-day use, leave it empty and let the agent decide.

Why This Matters

This separation mirrors real Red Team infrastructure design:
  • No credential leakage — API keys and LLM tokens never exist on the operational network
  • No cross-contamination — A compromised sandbox cannot reach the management plane
  • Auditable boundaries — Clear network separation makes activity attribution straightforward
  • Production-grade isolation — The same architecture you’d use for a real engagement
  • No wasted startup cost — Heavyweight workloads (C2, BloodHound) only run when the agent actually needs them

Docker Compose Architecture

All components are defined in Docker Compose with explicit network assignments:
services:
  langgraph:
    networks: [decepticon-net]

  litellm:
    networks: [decepticon-net]

  postgres:
    networks: [decepticon-net]

  web:
    networks: [decepticon-net]

  neo4j:
    networks: [decepticon-net, sandbox-net]   # bridges both for graph access

  sandbox:
    networks: [sandbox-net]

  c2-sliver:
    profiles: [c2-sliver]
    networks: [sandbox-net]

  cli:
    networks: [decepticon-net]
    profiles: [cli]

networks:
  decepticon-net:
    driver: bridge
  sandbox-net:
    driver: bridge
The c2-sliver and cli services activate via Compose profiles, but the profiles are driven by opscontrol at runtime (see Dynamic Workload Lifecycle below) — the agent calls ops_start("c2-sliver") and the daemon flips the profile on. The cli service is brought up on demand by the launcher when the operator runs decepticon. Future C2 frameworks (Havoc, Mythic) ship as additional c2-* profile services on sandbox-net, each surfaced through the same allowlisted ops_start(...) call. Cross-network access is governed by service-level network membership — Neo4j is the only service that holds membership in both, and the LangGraph platform reaches the sandbox exclusively through the Docker socket (not the network).

Agents

Learn about the sixteen specialist agents that operate within this infrastructure.