Mephit · cybersecurity platform

The cybersecurity platform that does the work.

An end-to-end offensive-security workspace: scoped projects, streaming chat, your own SSH infrastructure, and continuous perimeter monitors — backed by a router that dispatches across a full bench of specialist skills, with a CLI, IDE plugin, and autonomous agents in the pipeline.

Maps
Your target's surface

Domains, IPs, certs, subdomains, leaked configs, dorks — stitched into one pass.

Triages
Indicators in real time

Hashes, IOCs, CVEs, brand abuse — cross-checked against live feeds, not stale training data.

Ships
Payloads & detections

Reverse shells, privesc, Sigma / KQL / SPL rules and hunt queries from TTPs or pasted logs.

Runs
On your own boxes

Register SSH targets, then /run @host <cmd> from any chat — every command proposed for review first.

  • 12s ago · recon · 11 subs · 24 certs · nginx/1.25
  • 31s ago · intel-threats · VT 4/94 · greynoise: malicious
  • 47s ago · crypto · decoded: bcrypt $2a$ · 12 rounds
  • 1m ago · intel-vuln · CVE-2024-3094 · CVSS 10.0
  • 1m ago · blue-team · sigma rule · LSASS handle access
  • 2m ago · ctf-web · blind SQLi confirmed in /search?q=
  • 2m ago · intel-breach · HIBP · 3 breaches · 2018-2023
  • 3m ago · post-exploit · SeImpersonate → JuicyPotatoNG
  • 3m ago · reverse-eng · x86_64 · stripped · UPX-packed
  • 4m ago · offensive · msfvenom · windows/x64/meterpreter

Platform

More than a chat box

Mephit is a platform. Use whichever surface fits your workflow — they all share the same skills, projects, and history.

WEB CHAT
Live

The interactive console

Streaming chat with slash-command picker, attachments, conversation history, and auto-titled threads scoped to projects.

PROJECTS
Live

Per-engagement workspaces

Group chats, assets (servers, domains, IPs, apps, services), tech-stack tags, goals and notes under one engagement. Context follows you into every chat.

SSH SERVERS
Live

Bring your own boxes

Register a Kali jumphost, a CTF VM, or a hardened pentest dropper. `/run @host` proposes commands; you approve before anything executes.

SKILLS
Live

Toggleable specialists

Recon, intel, RE, blue team, post-exploit — turn skills on or off per workspace, see which ones the router activated last turn.

CLI
Soon

Run from your terminal

`mephit scan acme.com`, `mephit cve CVE-2024-3094`, `mephit triage <hash>`. Pipe into jq, save to disk, script it.

IDE PLUGIN
Soon

VSCode & JetBrains

Inline `/cve`, `/decode`, `/sigma` from the editor. Highlight a hash, ask Mephit. Highlight disassembly, ask Mephit. No context-switching.

AGENTS
Soon

Autonomous loops

Long-running agents that recon a target, pivot through findings, and report back when they're done — or escalate when they need a human.

MONITORS
Soon

Continuous CVE & leak watch

Project assets get watched. New CVE matching your stack? New paste mentioning your domain? New cert minted on your TLD? You hear about it.

Per-engagement
Live

Project workspaces, not lonely chats

Spin up a project per engagement. Drop in the assets, tag the stack, write the goals. Every chat inside that project picks up the context automatically — no re-pasting scope, no re-explaining the target.

Open projects
Acme Production Audit
Acme Corp · 14 days left
Active
  • Assets: servers · domains · IPs · apps · services
  • Tech stack: tag the moving parts
  • Goals: what 'done' looks like
  • Chats: every conversation scoped
  • Notes: markdown engagement journal
acme.com · api.acme.com · admin.acme.com
Bring your own boxes
Live

Register a target. Run from any chat.

Wire up an SSH endpoint once — your Kali jump host, a CTF VM, a hardened pentest dropper. From any chat, type /run @host and Mephit drafts the command. You approve it, the platform executes over SSH, and the output streams back into the conversation.

  1. Encrypted at rest

     SSH private key stored AES-256-GCM encrypted; never returned to the client. Connection test runs `whoami` to verify.

  2. Human-in-the-loop

     Every command is proposed first — you see the host, command, intent, and risk level. Click run, or edit it inline.

  3. Audit & guardrails

     Append-only run log per server. Destructive patterns (`rm -rf /`, `mkfs`, fork bombs, `curl | sh`) are refused unless explicitly confirmed.
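
A sketch of the review gate and run log described in the three points above, as an added example that is not Mephit's code: the regexes, `RunLog`, `review` and the hash chaining are assumptions made for illustration. It generalizes `curl | sh` to `wget` and other shells, and it only decides and records; it never executes anything.

```python
import hashlib
import json
import re

# Constructed deny-list for the four pattern families the page names.
# These regexes are illustrative assumptions, not Mephit's rules.
DESTRUCTIVE = {
    "rm -rf /": re.compile(
        r"\brm\s+(?=(?:-\S+\s+)*-\w*[rR])(?=(?:-\S+\s+)*-\w*f)"
        r"(?:-\S+\s+)+/\*?(?=\s|;|&|$)"),
    "mkfs": re.compile(r"\bmkfs(?:\.\w+)?\b"),
    "fork bomb": re.compile(r"([\w:]+)\s*\(\s*\)\s*\{[^}]*\1\s*\|\s*\1[^}]*\}"),
    "curl | sh": re.compile(r"\b(?:curl|wget)\b[^|]*\|\s*(?:sudo\s+)?(?:ba|z|da)?sh\b"),
}

def classify(cmd):
    """Return the name of every destructive pattern the command matches."""
    return [name for name, rx in DESTRUCTIVE.items() if rx.search(cmd)]

def _digest(prev, record):
    # Each entry's hash covers the previous hash, so edits break the chain.
    return hashlib.sha256((prev + json.dumps(record, sort_keys=True)).encode()).hexdigest()

class RunLog:
    """Append-only, hash-chained run log for one server (kept in memory here)."""
    def __init__(self):
        self.entries = []

    def append(self, record):
        prev = self.entries[-1]["hash"] if self.entries else "0" * 64
        self.entries.append({"prev": prev, "record": record, "hash": _digest(prev, record)})

    def verify(self):
        prev = "0" * 64
        for e in self.entries:
            if e["prev"] != prev or e["hash"] != _digest(prev, e["record"]):
                return False
            prev = e["hash"]
        return True

def review(host, cmd, why, log, approved=False, confirmed_destructive=False):
    """Gate one proposed command and log the decision, including refusals."""
    hits = classify(cmd)
    decision = ("refused" if hits and not confirmed_destructive
                else "run" if approved else "pending")
    record = {"host": host, "cmd": cmd, "why": why, "matched": hits,
              "risk": "destructive" if hits else "unflagged", "decision": decision}
    log.append(record)
    return record
```

Pattern matching of this kind is a backstop: equivalent commands written differently will not match, so the per-command human approval stays the primary control.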

Set up your first server
01 Register a target
+ add server
kali-jump · online
[email protected]:22 · ed25519
tested 2m ago
connection ok · whoami → kali
02 Run from chat
/run @kali-jump nmap -F acme.com
command proposal · low risk
  • on: kali-jump
  • cmd: nmap -F acme.com
  • why: fast top-100 port scan
exit 0 · 1.4s
kali-jump
Starting Nmap 7.94 ( https://nmap.org )
Nmap scan report for acme.com (1.2.3.6)
Host is up (0.018s latency).
Not shown: 97 filtered ports
PORT     STATE  SERVICE
22/tcp   open   ssh
80/tcp   open   http
443/tcp  open   https
Nmap done: 1 IP address scanned in 1.36s
Continuous
Soon

Monitors, not one-shot scans

One-time recon is a snapshot. Real engagements move. Hook your project assets into continuous monitors and let Mephit watch the perimeter for you between chats.

CVE watch

Tag your stack once. New advisory matching nginx 1.25 / postgres 16 / k8s 1.30? Inbox + chat ping with severity, exploitability, and a draft remediation note.

Leak watch

Domain or brand watchlist scanned against pastes, breach dumps, and dark-web channels. Hits land with source, timestamp, and the leaked excerpt redacted by default.

Cert transparency

Every new certificate minted on your TLD or close-typo neighbours. Catches phishing infra and shadow IT before they go live.

Surface drift

Periodic recon snapshot diffs: new ports, new subdomains, new tech fingerprints. Know what changed since last week, without re-scanning manually.

Capabilities

Built for the actual workflow

Every skill, tool, and prompt is written for security work — not retrofitted from a general assistant.

RECON

Surface what's exposed

Pivot from a domain or IP into open services, certs, leaked configs, dorks, subdomains. Parallel tools stitched into one pass.

THREAT INTEL

Hashes, IOCs, brands

Cross-reference samples and indicators against major reputation and malware feeds. Pull brand and identity context from a domain.

OFFENSE

Payloads & post-exploit

Reverse / bind shells, web shells, CTF web triage, Linux/Windows/AD privesc. RE help for Ghidra, radare2, GDB.

DEFENSE

Detections that ship

Sigma, KQL, SPL rules from TTPs or pasted logs. Hunt queries for credential dumping, C2, lateral movement.

CRYPTO

Identify, decode, crack

Hash fingerprinting, base64/hex/URL-safe, classical ciphers, known-plaintext hints. CTFs ship.

REMOTE

Execute on your boxes

Register SSH servers once, then `/run @kali whoami` from any chat. Always proposed for review first.

Under the hood

Watch one prompt fan out across the platform

The router fires multiple specialists in parallel — passive DNS, cert transparency, breach indices, paste crawlers, mindmap renderers. Each lane runs independently, then the model stitches the findings into a single answer. Below: a live trace cycling through three real scenarios.

trace · recon
T+ 0.00s / 2.4s
/scan acme.com
router · 6 lanes · parallel
  • Passive DNS: queued
  • Cert transparency: queued
  • Service fingerprint: queued
  • Reputation: queued
  • Paste / leak hits: queued
  • Tech fingerprint: queued
synthesis… aggregating

Production: nginx 1.25 behind Cloudflare. 11 subs, 24 certs (4 wildcard). 22/tcp open on a.example.net (OpenSSH 9.6). Two paste leaks reference internal s3 buckets. No malicious reputation. Suggested next step: enumerate s3://acme-internal-* and probe 22/tcp for known CVEs.

01
Recon trace

6 lanes fan out: passive DNS, cert transparency, port fingerprint, reputation, paste crawl, tech stack. ~2.4s wall-clock.

02
Leak analysis

Breach indices, paste crawl, dark-channel scrape, credential clusters, reuse correlation. Hits land grouped by source + severity.

03
Mindmap synthesis

Topic decomposition, OWASP graft, leaf expansion, tool linking, Mermaid render — produces a radial tree on demand.

Slash commands

Every tool, one keystroke away

Type `/` in the composer to open the picker. 24 commands, grouped by category, each wired to a real skill.

Flows · 6
/flow-perimeter: Flow · Perimeter audit

Full external attack surface — domain → subdomains → IPs → ports → services → certs → fingerprints.

/flow-perimeter acme.com
/flow-leaks: Flow · Leak audit

Sweep breach indices, paste sites, and code hosts for credentials and tokens tied to a domain or brand.

/flow-leaks acme.com
/flow-squat: Flow · Typosquat watch

Generate lookalike-domain set, resolve each, score for live phishing infrastructure, draft takedown packets.

/flow-squat acme.com
/flow-vulns: Flow · Vuln sweep

Match recent CVEs against the detected stack on the target. Sorted by exploitability × severity.

/flow-vulns acme.com
/flow-kickoff: Flow · Engagement kickoff

First-hour brief — perimeter + leak audit + light typosquat + draft threat model. Run it after creating a project.

/flow-kickoff acme.com
/flow-ioc: Flow · IOC triage

Indicator → impact in one pass: reputation, sandbox, passive-DNS pivot, ASN/cert correlation, incident packet.

/flow-ioc 1.1.1.1
Recon · 1
/scan: Recon scan

Map a target — IPs, ports, services, subdomains, technology fingerprint.

/scan acme.com
Intel · 4
/checkleak: Breach / leak check

Search dark-web breaches and HIBP for an email or domain.

/checkleak [email protected]
/cve: CVE lookup

Resolve a CVE ID — CVSS, vendor advisories, exploits.

/cve CVE-2024-3094
/threat: Threat intel

Reputation lookup — VirusTotal, AbuseIPDB, GreyNoise, urlscan.

/threat 1.2.3.4
/brand: Brand OSINT

Extract a site's logos, color palette, and brand identity.

/brand https://stripe.com
Offensive · 5
/payload: Generate payload

Reverse / bind shells, msfvenom, web shells.

/payload reverse_shell lhost=1.2.3.5 lport=4444
/ctf: CTF web triage

Approach a CTF web challenge — recon, vuln triage, exploit.

/ctf http://1.2.3.6/login
/post: Post-exploit guidance

Privesc, lateral movement, persistence, AD attacks.

/post i have a shell as www-data on debian
/rev: Reverse engineering

Static / dynamic binary analysis — Ghidra, GDB, radare2.

/rev pasted Ghidra decompilation here
/run: Run on server

Propose a command for one of your registered SSH servers. Combine with @<server>.

/run @kali-docker df -h
Defensive · 2
/sigma: Sigma / detection rule

Generate a Sigma / KQL / SPL detection rule for a TTP or pasted log.

/sigma LSASS access via WinAPI
/hunt: Threat hunt query

Hunt query for credential dumping, lateral movement, C2.

/hunt unusual outbound DNS volume per host
Crypto · 1
/decode: Hash / cipher ID

Identify a hash (md5/sha*/bcrypt) or decode common encodings.

/decode 5f4dcc3b5aa765d61d8327deb882cf99
Meta · 5
/mindmap: Mindmap

Generate a Mermaid mindmap (center node + radial branches) for a topic.

/mindmap web app pentest checklist
/diagram: Diagram

Render a Mermaid diagram — flowchart, sequence, kill chain, DFD.

/diagram OAuth2 PKCE flow
/cvss: CVSS score

Compute a CVSS v3.1 vector + score from a description.

/cvss SQL injection in /api/login
/report: Pentest finding

Draft a vulnerability finding — title, impact, repro, remediation.

/report XSS reflected in search param
/threatmodel: Threat model

STRIDE / PASTA / attack-tree analysis of a system.

/threatmodel SaaS app with public API + mobile clients
Plugged in

Live intel, not stale training data

Every lookup hits real sources at query time — reputation, breaches, certs, advisories, sandbox scans. No hallucinated CVEs, no made-up WHOIS.

Questions

Direct answers, since you're here

Is this just ChatGPT with a wrapper?

No. Mephit is a router-driven multi-skill system — every turn picks the right specialists (recon, intel, RE, blue team, etc.), runs real lookups in parallel, and synthesizes. The model is the cheapest part of the stack.

Will it refuse offensive-security questions?

No. Mephit is built for pentesters, CTF players, and researchers — scope is yours. We don't lecture, we don't apologize, we don't add disclaimers.

Where do the lookups go?

Live, at query time. No baked-in stale knowledge for IOCs, CVEs, certs, or breaches. Specific provider names are intentionally not advertised on this page.

Can I run commands on my own machines?

Yes. Register SSH targets in the dashboard, then `/run @host <cmd>` from any chat. Every command is proposed for human approval before execution.

How do projects work?

Each engagement gets its own workspace: assets (servers/domains/IPs/apps/services), tech-stack tags, goals, notes, and scoped chats. The model picks up that context automatically when you talk to it from inside a project.

What about my data?

Chats are stored against your account so you can resume them. SSH credentials are encrypted at rest. We don't train on your conversations.

Set up a project. Run your first scan.

Free to try. No credit card. Add your assets, register your boxes, start chatting — the rest of the platform lights up as it ships.