Cyntrisec Cli

Cyntrisec CLI is an AWS security analysis tool that builds a capabilities graph through read-only scans, discovers attack paths from the internet to sensitive assets, and provides remediation suggestions based on ROI.

Security Cloud platform #AWS security #Attack path analysis #IAM permission audit #Compliance check .Python

rating : 2.5 points

downloads : 6.1K

update time : 2026-03-12

Open Site

What is Cyntrisec?

Cyntrisec is a command-line tool focused on AWS cloud security posture management. It scans your AWS account with read-only permissions, analyzes IAM permissions, network configurations, and resource dependencies to build a complete capabilities graph. Its core function is to discover attack paths from internet entry points to sensitive data (such as databases and S3 buckets) and intelligently recommend remediation solutions, prioritizing security impact and cost savings.

How to use Cyntrisec?

Using Cyntrisec requires three basic steps: 1) Create a read-only IAM role in your AWS account; 2) Run the scan command to collect infrastructure data; 3) Analyze the results and view the recommended remediation solutions. The entire process is read-only and will not modify your AWS resources.

Use cases

Cyntrisec is particularly suitable for the following scenarios: Cloud security teams conducting regular security assessments, DevOps engineers verifying permission configurations before deployment, compliance teams checking CIS AWS or SOC 2 compliance, and security researchers analyzing attack paths in complex cloud environments.

Main features

Read-only security scan

Using the principle of least privilege, scan the AWS account only through read-only API calls such as Describe, Get, and List to ensure that existing resources are not accidentally modified or destroyed.

Attack path discovery

Automatically discover all possible attack paths from internet entry points (such as public EC2 instances and load balancers) to sensitive targets (such as databases and S3 buckets).

ROI-prioritized remediation suggestions

Based on the minimum cut algorithm and cost engine, recommend remediation solutions while considering both security impact and cost savings, providing remediation suggestions with the best return on investment (ROI).

Unused permission identification

Identify permissions granted but not actually used in IAM roles, users, and policies to help reduce the permission blast radius and follow the principle of least privilege.

MCP server integration

Can run as a Model Context Protocol (MCP) server and integrate with AI assistants such as Claude and Gemini to query security analysis results through natural language.

Compliance check

Supports CIS AWS benchmark and SOC 2 compliance checks, automatically identifies non-compliant items and provides remediation suggestions.

Advantages

Safe and non-invasive: Read-only mode by default, will not modify your AWS resources

Local data processing: All scan data is stored locally, no risk of data leakage

Intelligent remediation suggestions: Recommend remediation solutions with the highest ROI based on algorithms

Multi-format output: Supports JSON, HTML reports and Terraform code generation

AI assistant friendly: Seamlessly integrate with AI assistants through the MCP protocol

Limitations

Only supports AWS: Currently only supports the AWS cloud platform, does not support other cloud providers

Requires IAM permissions: Need to create a dedicated read-only IAM role

Beta stage: The software is in the testing stage, there may be unknown issues

Network dependency: Requires a stable network connection to access the AWS API

How to use

Install Cyntrisec

Install the Cyntrisec CLI tool via pip

Create a read-only IAM role

Create a read-only IAM role in your AWS account. Cyntrisec provides Terraform code generation functionality

Apply Terraform configuration

Use Terraform to create the IAM role (Terraform needs to be installed)

Run a security scan

Run a security scan using the created IAM role

Analyze attack paths

View the discovered attack paths, can be filtered by risk score

Get remediation suggestions

Get remediation suggestions prioritized by ROI

Usage examples

Case 1: Discover attack paths to public S3 buckets

The security team needs to check if there are attack paths from the internet to S3 buckets containing sensitive data

Case 2: Check CIS AWS compliance

The compliance team needs to verify if the AWS account complies with the CIS AWS security benchmark

Case 3: Query the security status through an AI assistant

Integrate with Claude Desktop and use natural language to query the AWS security status

Case 4: Identify unused permissions

The DevOps team needs to clean up the permissions granted but not used in IAM policies to reduce the attack surface

Frequently Asked Questions

Will Cyntrisec modify my AWS resources?

Where is the scan data stored?

What AWS permissions are required?

How to integrate with an AI assistant?

Which compliance standards are supported?

What should I do if the command is not available after installation on a Windows system?

Related resources

PyPI package page

The official PyPI page of Cyntrisec, view the latest version and installation instructions

Official website

The official website of Cyntrisec, get more product information and updates

X/Twitter account

Follow the official Cyntrisec Twitter account to get the latest news

Demo video

YouTube demo video showing how to use Cyntrisec to discover attack paths

MCP registry

The official registry of the Model Context Protocol, learn more about MCP servers

EphemeralML project

The main project of Cyntrisec Labs - Confidential AI inference with cryptographic receipts

🚀 Cyntrisec CLI

Cyntrisec CLI is a read - only tool for AWS capability graph analysis and attack path discovery. It can scan AWS infrastructure, build a capability graph, discover attack paths, prioritize fixes, and more.

Cyntrisec Labs project. Cyntrisec's main product is EphemeralML — confidential AI inference with cryptographic receipts (AIR v1). This CLI is a standalone Labs tool. The PyPI package name cyntrisec and MCP server ID io.github.cyntrisec/cyntrisec are stable and will not change.

image-download

⚠️ Important Note

Beta Software Disclaimer: This tool is currently in BETA. It is provided "as is", without warranty of any kind. While Cyntrisec is a read - only analysis tool by default, the user assumes all responsibility for any actions taken based on its findings. Always review generated remediation plans and Terraform code before application.

🚀 Quick Start

💡 Usage Tip

Ensure you have AWS CLI installed and configured with credentials (e.g., aws configure) or environment variables set. terraform is required for the setup step.

# 1. Create the read-only IAM role in your account
cyntrisec setup iam 123456789012 --output role.tf

# 2. Apply the Terraform
cd your-infra && terraform apply

# 3. Run a scan
cyntrisec scan --role-arn arn:aws:iam::123456789012:role/CyntrisecReadOnly

# 4. View attack paths
cyntrisec analyze paths --min-risk 0.5

# 5. Find minimal fixes (prioritized by ROI)
cyntrisec cuts --format json

# 6. Generate HTML report
cyntrisec report --output report.html

✨ Features

Scans AWS infrastructure via AssumeRole
Builds a capability graph (IAM, network, dependencies)
Discovers attack paths from internet to sensitive targets
Prioritizes fixes by ROI (security impact + cost savings)
Identifies unused capabilities (blast radius reduction)
Outputs deterministic JSON with proof chains

📦 Installation

pip install cyntrisec

Windows PATH Fix

If you see "cyntrisec is not recognized", the Scripts folder isn't on PATH:

# Option 1: Run with python -m
python -m cyntrisec --help

# Option 2: Add to PATH for current session
$env:PATH += ";$env:APPDATA\Python\Python311\Scripts"

💻 Usage Examples

Basic Usage

# Run a scan
cyntrisec scan --role-arn arn:aws:iam::123456789012:role/CyntrisecReadOnly

Advanced Usage

# Find minimal fixes (prioritized by ROI) and output in JSON format
cyntrisec cuts --format json

📚 Documentation

Commands

Core Analysis

Property	Details
`scan`	Scan AWS infrastructure
`analyze paths`	View attack paths
`analyze findings`	View security findings
`analyze stats`	View scan statistics
`analyze business`	Business entrypoint analysis
`report`	Generate HTML/JSON report

Setup & Validation

Property	Details
`setup iam`	Generate IAM role Terraform
`validate-role`	Validate IAM role permissions

Remediation

Property	Details
`cuts`	Find minimal fixes (Cost & ROI prioritized)
`waste`	Find unused IAM permissions
`remediate`	Generate or optionally apply Terraform plans (gated)

Policy Testing

Property	Details
`can`	Test "can X access Y?"
`diff`	Compare scan snapshots
`comply`	Check CIS AWS / SOC2 compliance

Agentic Interface

Property	Details
`manifest`	Output machine-readable capabilities
`explain`	Natural language explanations
`ask`	Query scans in plain English
`serve`	Run as MCP server for AI agents

MCP Server Mode

Run Cyntrisec as an MCP server for AI agent integration:

# Install with MCP support (now included by default)
pip install cyntrisec

cyntrisec serve              # Start stdio server
cyntrisec serve --list-tools # List available tools

MCP Tools (15)

Category	Tool	Description
Discovery	`list_tools`	List all available tools
	`set_session_snapshot`	Set active snapshot for session
	`get_scan_summary`	Get summary of latest AWS scan
Assets	`get_assets`	Get assets with type/name filtering
	`get_relationships`	Get relationships between assets
	`get_findings`	Get security findings with severity filtering
Attack Paths	`get_attack_paths`	Get attack paths with risk scores
	`explain_path`	Detailed hop-by-hop path breakdown
	`explain_finding`	Detailed finding explanation
Remediation	`get_remediations`	Find optimal fixes for attack paths
	`get_terraform_snippet`	Generate Terraform code for remediation
Access	`check_access`	Test if principal can access resource
	`get_unused_permissions`	Find unused IAM permissions
Compliance	`check_compliance`	Check CIS AWS or SOC 2 compliance
	`compare_scans`	Compare scan snapshots

Claude Desktop

MacOS: ~/Library/Application Support/Claude/claude_desktop_config.json Windows: %APPDATA%\Claude\claude_desktop_config.json

{
  "mcpServers": {
    "cyntrisec": {
      "command": "python",
      "args": ["-m", "cyntrisec", "serve"]
    }
  }
}

Claude Code (CLI)

Run the following command to configure the server:

claude mcp add cyntrisec -- python -m cyntrisec serve

Google Gemini / Antigravity

Locate your agent configuration (e.g., ~/.gemini/antigravity/mcp_config.json) and add:

{
  "mcpServers": {
    "cyntrisec": {
      "command": "python",
      "args": ["-m", "cyntrisec", "serve"]
    }
  }
}

🔧 Technical Details

Architecture

+----------------------------------------------------------------------------------+
|                                   CYNTRISEC CLI                                   |
+----------------------------------------------------------------------------------+
| CLI Layer (Typer)                                                                 |
|   scan   analyze   cuts   waste   report   comply   can   diff   serve   ...      |
+-----------------------------+----------------------------------------------------+
| Core Engine                 | Storage (local)                                     |
|  - AWS collectors           |  ~/.cyntrisec/scans/<scan_id>/                      |
|  - Normalization/schema     |    snapshot.json, assets.json, relationships.json   |
|  - GraphBuilder -> AwsGraph |    findings.json, attack_paths.json                 |
|  - Path search -> paths     |  ~/.cyntrisec/scans/latest -> <scan_id>             |
|  - Min-cut + Cost (ROI)     |  (Windows fallback: latest is a file)               |
+-----------------------------+----------------------------------------------------+
| Outputs: JSON/agent, HTML report, remediation plan + Terraform hints              |
+----------------------------------------------------------------------------------+

Data Flow

CLI (scan) --AssumeRole--> AWS Session --Describe/Get/List--> AWS APIs (read-only)
     |
     v
Collectors -> normalize -> Assets + Relationships -> AwsGraph
                                                |
                                                v
                                   Attack path search (BFS/DFS)
                                                |
                                                v
                                   Min-cut (remediation cuts)
                                                |
                                                v
                                      Cost engine (ROI)

Local artifacts: ~/.cyntrisec/scans/<scan_id>/*.json

📄 License

Apache-2.0

Output Format

Primary output is JSON to stdout. When stdout is not a TTY, the CLI automatically switches to JSON:

cyntrisec analyze paths --format json | jq '.paths[] | select(.risk_score > 0.7)'

Agent-friendly output wraps results in a structured envelope:

cyntrisec analyze paths --format agent

{
  "schema_version": "1.0",
  "status": "success",
  "data": {...},
  "artifact_paths": {...},
  "suggested_actions": [...]
}

Exit Codes

Code	Meaning
0	Success / compliant
1	Findings / regressions / denied
2	Usage error
3	Transient error (retry)
4	Internal error

Use in CI/CD:

cyntrisec scan --role-arn $ROLE_ARN || exit 1
cyntrisec diff || echo "Regressions detected"

Storage

Scan results are stored locally:

~/.cyntrisec/
|-- scans/
|   |-- 2026-01-17_123456_123456789012/
|   |   |-- snapshot.json
|   |   |-- assets.json
|   |   |-- relationships.json
|   |   |-- findings.json
|   |   `-- attack_paths.json
|   `-- latest -> 2026-01-17_...
`-- config.yaml

Versioning

This project follows Semantic Versioning. See CHANGELOG.md for release notes.

Trust & Safety

Read-Only Guarantees

This tool makes read-only API calls to your AWS account. The IAM role should have only Describe*, Get*, List* permissions.

No Data Exfiltration

All data stays on your local machine. Nothing is sent to external servers. Scan results are stored in ~/.cyntrisec/scans/.

No Auto-Remediation (Default Safe Mode)

By default, Cyntrisec is read-only and does not modify your AWS infrastructure.

It analyzes your account using read-only APIs.
It can generate remediation artifacts (e.g., Terraform modules) for you to review.
It does not apply changes automatically.

Optional Remediation Execution (Explicit Opt-In)

Cyntrisec includes an explicitly gated path that can execute Terraform only if you intentionally enable it.

This mode is:

Disabled by default
Requires --enable-unsafe-write-mode
Requires an additional explicit flag (e.g. --execute-terraform) to run Terraform
Intended for controlled environments (sandbox / CI with approvals), not unattended production

If you do not pass these flags, Cyntrisec will never run terraform apply.

Write Operations

Cyntrisec makes no AWS write API calls during scanning and analysis.

The only supported "write" behavior is optional execution of Terraform locally on your machine, and only when explicitly enabled via unsafe flags.

Every AWS API call is logged in CloudTrail under session name cyntrisec-cli.

Trust & Permissions

Cyntrisec runs with a read-only IAM role. Generate the recommended policy with cyntrisec setup iam <ACCOUNT_ID> and keep permissions to Describe*, Get*, and List*. Live modes (waste --live, can --live) require extra IAM permissions; the generated policy and docs cover those additions.