Cybersecurity Mode
A professional-grade security environment for HackerOS. Offensive penetration testing and defensive auditing in one unified interface, powered by an isolated BlackArch Linux container.
Introduction
Cybersecurity Mode is a dedicated security workstation environment designed for HackerOS. It provides a unified graphical interface for both offensive security professionals (penetration testers, red teamers) and defensive security practitioners (auditors, blue teamers), running all tools inside an isolated BlackArch Linux Podman container.
The application is designed to run as a dedicated TTY session (similar to Steam's Gamescope session) launched via cage, providing a clean, distraction-free security workspace. It can also be launched inside an existing desktop session.
Architecture
Cybersecurity Mode is built from three separate compiled components that work together:
Components
| Component | Language | Binary | Purpose |
|---|---|---|---|
| GUI Frontend | Python 3.13 + PyQt6 | cybersec-mode-main | Main graphical interface, all UI panels, compiled with Nuitka to static binary |
| Backend | Rust (tokio) | cybersec-mode-backend | Container lifecycle management, network scanning, IPC server over Unix socket |
| CLI | Crystal | cybersec | Command-line interface, session launcher, update/plugin management |
Communication Flow
cybersec (CLI)
│
├── launches cybersec-mode-main (GUI)
│   │
│   ├── connects via Unix socket ──► cybersec-mode-backend (Rust)
│   │                                 │
│   │                                 └── manages ──► Podman Container (BlackArch Linux)
│   │                                                  └── security tools (nmap, metasploit, …)
│   │
│   └── embeds ──► Terminal Panel ──► shell inside container
│
└── direct commands ──► container exec / podman / system
The backend's Unix socket is /tmp/cybersec-mode-backend.sock.
Operational Modes
On first launch (or every launch if configured), Cybersecurity Mode asks you to select an operational mode. This determines which tools are prominently displayed and sets the visual theme accent color.
🔴 Red Mode — Offensive / Pentest
Designed for penetration testers and red teamers. Focuses on:
- Network reconnaissance and port scanning (nmap, masscan)
- Vulnerability exploitation (Metasploit, searchsploit)
- Web application attacks (Burp Suite, sqlmap, nikto, gobuster)
- Password attacks (hashcat, john, hydra)
- Wireless security (aircrack-ng, airmon-ng)
- Post-exploitation and pivoting
🔵 Blue Mode — Defensive / Audit
Designed for security auditors and blue teamers. Focuses on:
- Network traffic analysis (Wireshark, tcpdump, Zeek)
- Intrusion detection (Suricata, Snort, OSSEC)
- System hardening and auditing (Lynis, auditd, chkrootkit)
- Malware analysis (ClamAV, rkhunter, YARA)
- Vulnerability assessment (OpenVAS, Nessus)
- Log analysis and SIEM integration
Switching Modes
You can switch modes at any time using:
- Hacker Menu → Change Mode in the GUI
- cybersec set-mode red or cybersec set-mode blue from the CLI
Startup Behavior
In Settings → Always ask mode at startup, you control whether the mode selection dialog appears every time. If disabled, Cybersecurity Mode remembers your last choice.
Requirements
System Requirements
| Component | Minimum | Recommended |
|---|---|---|
| OS | HackerOS (Arch-based) | |
| RAM | 4 GB | 8+ GB |
| Disk | 20 GB free | 50+ GB |
| Display | 1280×800 | 1920×1080 or higher |
| Network | Required for container image pull | |
Runtime Dependencies
| Package | Purpose |
|---|---|
| podman | Container engine (preferred over docker) |
| cage | Wayland compositor for TTY session mode |
| python3.13 | Python runtime (bundled in binary via Nuitka) |
| qt6-base | Qt6 runtime libraries for PyQt6 |
| libwayland | Wayland client libraries |
Installing
For HackerOS
hacker unpack cybersecurity-mode
This command will fetch and install the precompiled Cybersecurity Mode package directly on your HackerOS system.
Container Setup
All security tools run inside a BlackArch Linux Podman container. The container is created automatically when you click Start Container in the Main panel, or you can manage it manually.
Manual Container Management
# Pull the BlackArch image manually
podman pull blackarchlinux/blackarch

# Create the container (done automatically by the app)
podman run -d \
  --name cybersec-mode-env \
  --privileged \
  --network host \
  --cap-add NET_ADMIN \
  --cap-add NET_RAW \
  -v /home:/home:rw \
  blackarchlinux/blackarch \
  sleep infinity

# Open a shell inside the container
podman exec -it cybersec-mode-env bash

# Install additional tools
podman exec -it cybersec-mode-env pacman -S metasploit burpsuite
The container is started with the --privileged and --network host flags to allow raw network access required by security tools. Only run this container in controlled lab environments.
Persistent Tool Data
Tool configurations and output files can be stored in /home/<user>, which is bind-mounted into the container. Results saved to /home persist across container restarts.
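To see what the flags above expose before using the container outside a lab, the following added example (not part of Cybersecurity Mode or its documentation) audits the JSON printed by `podman inspect cybersec-mode-env`. The field names assume podman's Docker-compatible inspect layout, the sample document is constructed, and the list of broad host paths is an assumption to adjust.

```python
import json

# Constructed sample: a trimmed `podman inspect cybersec-mode-env` document for a
# container created with the flags shown above (not captured from a real host).
SAMPLE_INSPECT = json.loads("""
[{"Name": "cybersec-mode-env",
  "HostConfig": {"Privileged": true, "NetworkMode": "host",
                 "CapAdd": ["CAP_NET_ADMIN", "CAP_NET_RAW"]},
  "Mounts": [{"Type": "bind", "Source": "/home",
              "Destination": "/home", "RW": true}]}]
""")

# Host paths whose read-write exposure deserves a finding (assumed list).
BROAD_SOURCES = {"/", "/home", "/root", "/etc", "/var"}

def audit(inspect_doc):
    """Return (check_id, detail) findings for each container in the document."""
    findings = []
    for c in inspect_doc:
        host = c.get("HostConfig") or {}
        if host.get("Privileged"):
            findings.append(("privileged", "all capabilities and host devices exposed"))
        if host.get("NetworkMode") == "host":
            findings.append(("host-network", "shares the host network namespace"))
        for cap in host.get("CapAdd") or []:
            # Accept both NET_RAW and CAP_NET_RAW spellings.
            findings.append(("cap-add", cap.removeprefix("CAP_")))
        for m in c.get("Mounts") or []:
            src = (m.get("Source") or "").rstrip("/") or "/"
            if m.get("Type") == "bind" and m.get("RW") and src in BROAD_SOURCES:
                findings.append(("rw-bind", f"host {src} is writable in the container"))
    return findings

if __name__ == "__main__":
    for check_id, detail in audit(SAMPLE_INSPECT):
        print(f"{check_id:13} {detail}")
```

On a live system, feed it the real document with `audit(json.loads(subprocess.check_output(["podman", "inspect", "cybersec-mode-env"])))`.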
Main Panel
The Main panel is the central dashboard showing available security tools for the currently selected mode. It displays tool cards, container status, and provides quick-launch access.
- Tool Cards — Click the ▶ button on any tool card to open it in the terminal
- Search — Filter tools by name using the search box (top right)
- Container Status — Shows if the BlackArch container is running with a Start/Stop button
- Mode title — Changes between "⚔ Offensive / Pentest" and "🛡 Defensive / Audit"
Terminal Panel
The Terminal panel provides an embedded shell connected directly to the BlackArch container.
It uses bash by default (configurable in Settings).
Features
- Command history with ↑/↓ arrow key navigation
- Output scrollback buffer (10,000 lines)
- Clear button to reset output
- New terminal button (opens additional session)
- Direct container shell — commands run inside BlackArch
Shell Environment
# The terminal connects to:
podman exec -it cybersec-mode-env bash
# All BlackArch tools are available:
nmap --version
msfconsole --version
sqlmap --version
Docs Panel
The Docs panel provides in-app reference documentation organized by topic. It is designed to be beginner-friendly while remaining useful for experienced practitioners.
Documentation Categories
- Getting Started — Welcome guide, first steps, container setup
- Penetration Testing — Reconnaissance, exploitation, web testing, post-exploitation
- Defensive Security — Network monitoring, system hardening, incident response
- CLI Reference — Complete cybersec CLI documentation
Settings Panel
All user preferences are stored in ~/.cache/HackerOS/Cybersecurity-Mode/config.json.
Available Settings
| Setting | Options | Default |
|---|---|---|
| Theme | dark_gray, dark_black, dark_slate, light | dark_gray |
| UI Font Size | 9–24 px | 13 |
| Terminal Font Size | 9–24 px | 13 |
| Always Ask Mode | on / off | on |
| Container Engine | podman, docker | podman |
| Container Image | any OCI image | blackarchlinux/blackarch |
| Shell | bash, zsh, fish, sh | bash |
| Log Level | DEBUG, INFO, WARNING, ERROR | INFO |
cybersec CLI Reference
The cybersec binary is installed at /usr/bin/cybersec.
| Command | Description |
|---|---|
| cybersec | Launch Cybersecurity Mode as a TTY session (requires TTY) |
| cybersec please | Open the GUI in the current session (no TTY check) |
| cybersec help | Show command reference |
| cybersec version | Print version string |
| cybersec status | Show container, binary, and config status |
| cybersec update | Update container image and application (live output) |
| cybersec set-mode red | Switch to Red mode (saved to config) |
| cybersec set-mode blue | Switch to Blue mode (saved to config) |
| cybersec exec <cmd> | Execute a command inside the container |
| cybersec plugin list | List installed plugins |
| cybersec plugin install <n> | Install a plugin (placeholder) |
| cybersec plugin remove <n> | Remove an installed plugin |
| cybersec plugin info <n> | Show plugin metadata |
CLI Examples
# Start a Cybersecurity Mode session from a TTY (e.g. Ctrl+Alt+F2)
cybersec
# Open the GUI inside your current KDE/GNOME session
cybersec please
# Check everything is working
cybersec status
# Run nmap directly in the container
cybersec exec 'nmap -sV 192.168.1.0/24'
# Run a full update (shows live output in terminal)
cybersec update
# Switch to blue mode permanently
cybersec set-mode blue
# List installed plugins
cybersec plugin list
IPC Protocol
The GUI communicates with the Rust backend via newline-delimited JSON-RPC over a Unix domain socket.
Request Format
{"method": "container_status", "params": {"name": "cybersec-mode-env"}}
Response Format
{"ok": true, "result": {"name": "cybersec-mode-env", "running": true, "state": "running"}}
{"ok": false, "error": "Container not found"}
Available RPC Methods
| Method | Params | Returns |
|---|---|---|
| ping | — | {"pong": true} |
| container_status | name | running, state, engine |
| container_start | image, name | started, reused |
| container_stop | name | stopped |
| container_exec | name, cmd | stdout, stderr, exit_code |
| list_tools | — | tools[] |
| system_info | — | hostname, kernel, uptime |
| scan_network | target | raw nmap XML output |
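The request/response framing above, as an added example that is not the project's own client code: it sends one JSON line, reads until the reply's newline, and unwraps the ok/error envelope. Because the socket lives in the shared /tmp directory, it first checks that the path is a socket owned by the current user and not writable by others; that check, the empty `params` object sent for parameterless methods, and the `mock_backend` stand-in used to run it offline are assumptions of this example.

```python
import json, os, socket, stat, threading

def check_socket(path):
    """Connect only to a socket we own that other users cannot write to."""
    st = os.stat(path)
    if not stat.S_ISSOCK(st.st_mode):
        raise PermissionError(f"{path} is not a socket")
    if st.st_uid != os.getuid() or st.st_mode & 0o022:
        raise PermissionError(f"{path}: unexpected owner or mode")

def rpc(path, method, params=None, timeout=5.0):
    """Send one request line, read one reply line, unwrap the ok/error envelope."""
    check_socket(path)
    with socket.socket(socket.AF_UNIX, socket.SOCK_STREAM) as s:
        s.settimeout(timeout)
        s.connect(path)
        req = {"method": method, "params": params or {}}
        s.sendall(json.dumps(req).encode() + b"\n")
        buf = b""
        while b"\n" not in buf:          # a reply may arrive in several chunks
            chunk = s.recv(4096)
            if not chunk:
                raise ConnectionError("backend closed before a full reply line")
            buf += chunk
    reply = json.loads(buf.split(b"\n", 1)[0])
    if not reply.get("ok"):
        raise RuntimeError(reply.get("error", "unknown backend error"))
    return reply.get("result")

def mock_backend(path):
    """Constructed stand-in for cybersec-mode-backend so the example runs offline."""
    srv = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
    srv.bind(path)
    os.chmod(path, 0o600)
    srv.listen(2)
    def serve():
        while True:
            conn, _ = srv.accept()
            with conn, conn.makefile("rwb") as f:
                req = json.loads(f.readline())
                if req["method"] == "ping":
                    out = {"ok": True, "result": {"pong": True}}
                else:
                    out = {"ok": False, "error": "Container not found"}
                f.write(json.dumps(out).encode() + b"\n")
                f.flush()
    threading.Thread(target=serve, daemon=True).start()
    return srv
```

Against a running backend, `rpc("/tmp/cybersec-mode-backend.sock", "ping")` should return the `{"pong": true}` result listed in the table.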
Plugin System
Plugins extend Cybersecurity Mode with additional tools, documentation pages, and UI panels.
Plugin metadata is stored as JSON files in ~/.cache/HackerOS/Cybersecurity-Mode/plugins/.
Plugin Manifest Format (planned)
{
  "name": "my-plugin",
  "version": "1.0.0",
  "description": "Adds custom recon tools",
  "author": "security-researcher",
  "tools": ["amass", "subfinder"],
  "docs": "docs/recon-advanced.html",
  "panel": "panels/recon.py"
}
Configuration Reference
Config file: ~/.cache/HackerOS/Cybersecurity-Mode/config.json
{
  "mode": null,
  "always_ask_mode": true,
  "theme": "dark_gray",
  "font_size": 13,
  "terminal_font": "JetBrains Mono",
  "terminal_font_size": 13,
  "shell": "bash",
  "container_engine": "podman",
  "container_image": "blackarchlinux/blackarch",
  "container_name": "cybersec-mode-env",
  "backend_socket": "/tmp/cybersec-mode-backend.sock",
  "session_mode": false,
  "show_welcome": true,
  "sidebar_collapsed": false,
  "log_level": "INFO",
  "keybindings": {
    "toggle_terminal": "Ctrl+T",
    "toggle_docs": "Ctrl+D",
    "toggle_main": "Ctrl+M",
    "toggle_settings": "Ctrl+,",
    "hacker_menu": "Ctrl+H"
  }
}
Paths & Directories
Key runtime paths for Cybersecurity Mode:
- User config: ~/.cache/HackerOS/Cybersecurity-Mode/config.json
- Logs: ~/.local/share/HackerOS/Cybersecurity-Mode/logs/cybersec-mode.log
- IPC socket: /tmp/cybersec-mode-backend.sock
- Container home mount: /home inside container → host home
Default Keybindings
| Shortcut | Action |
|---|---|
| Ctrl+M | Go to Main panel |
| Ctrl+T | Go to Terminal panel |
| Ctrl+D | Go to Docs panel |
| Ctrl+, | Go to Settings panel |
| Ctrl+H | Toggle Hacker Menu |
All keybindings are customizable in Settings → Keybindings.
Tool Reference
Red Mode Tools
| Tool | Category | Description |
|---|---|---|
| nmap | Scanning | Network discovery and port scanning |
| metasploit | Exploitation | Penetration testing framework |
| burpsuite | Web | Web proxy, scanner, and attack tool |
| sqlmap | Web | Automated SQL injection |
| hydra | Brute-force | Login credential brute-forcing |
| aircrack-ng | Wireless | WiFi security auditing suite |
| hashcat | Password | GPU-accelerated password cracking |
| john | Password | John the Ripper password cracker |
| gobuster | Web | Directory and DNS brute-forcing |
| nikto | Web | Web server vulnerability scanner |
Blue Mode Tools
| Tool | Category | Description |
|---|---|---|
| wireshark | Network | Graphical packet analyzer |
| suricata | IDS/IPS | Network threat detection engine |
| lynis | Audit | Security auditing and hardening tool |
| openvas | Scanner | Full-featured vulnerability scanner |
| fail2ban | Prevention | Log-based intrusion prevention |
| auditd | Logging | Linux kernel audit daemon |
| clamav | Malware | Open-source antivirus engine |
| rkhunter | Malware | Rootkit detection and scanning |
| tcpdump | Network | Command-line packet capture |
| snort | IDS/IPS | Intrusion detection and prevention |