Back to Talks 2026
Talk

CyberKB: When Your AI Copilot Runs the Recon, Crawls the Dark Web, and Maps the Kill Chain

Recon Village @ DEF CON 34August 6-9, 2026

Saturday, August 8 · 5:00 PM – 5:30 PMDEF CON Creator Stage 2

Abstract

What if your recon tool could understand "find leaked credentials for this company on the dark web, cross-reference with their exposed infrastructure, and show me the attack path" — and then actually do it, autonomously, with zero manual commands?

CyberKB is a 214,000-line open platform that puts an AI copilot (Keke) in command of 131 offensive tools spanning reconnaissance, dark web OSINT, Shodan intelligence, breach databases, and a full Kali Linux shell — all orchestrated through natural language conversation.

The Dark Web Intelligence Pipeline (DarkMonitor):

CyberKB's DarkMonitor module queries .onion search engines concurrently through Tor, uses LLM-powered query refinement to generate optimal dark web search terms, applies AI relevance filtering to surface the most critical results.

The AI Copilot (Keke):

Keke isn't a wrapper around ChatGPT. It's a function-calling agent with direct execution access to: a privileged Kali container (nmap, curl, nikto, sqlmap, gobuster, hydra — the full toolkit), 16 dark web search engines via Tor, breach and paste database aggregators, a RAG-powered knowledge base with semantic search over ingested recon data, Shodan lookups and CVE correlation, MITRE ATT&CK technique mapping, attack graph generation and path prioritization, and engagement management (targets, credentials, findings, reports).

Scale Proof — 2,250-Domain Assessment:

We demonstrate CyberKB against a real-world external attack surface assessment: 2,250 domains belonging to a single organization, producing 11,968 unique IPs, 8,494 hostnames, 2,444 CVEs, 80,238 open ports, and a knowledge graph of 6,390 nodes with 51,990 infrastructure relationship edges. The entire dataset was parsed, correlated, and ingested into the AI-queryable knowledge base in 25 seconds. Keke can now answer questions like "which x domains share infrastructure with known-vulnerable IPs" by searching the graph, not by re-scanning.

What This Means for Defenders:

Every autonomous recon step Keke performs leaves detectable artifacts. We discuss what blue teams should monitor: DNS burst patterns from multi-engine enumeration, Tor exit node correlation with target infrastructure, behavioral signatures of AI-driven sequential probing, and how to distinguish human recon from autonomous agent recon. The same platform that empowers red teams reveals the detection surface that defenders can leverage.

Key Takeaways:

1. AI copilots with direct tool execution compress hours of reconnaissance into minutes of conversation — fundamentally changing the operator's role from command executor to strategic decision-maker.

2. Dark web OSINT can be systematically automated with LLM-driven search refinement and relevance filtering, making it accessible beyond specialized analysts.

3. Infrastructure-scale attack surface mapping (2,250+ domains) becomes practical when AI handles correlation instead of humans.

4. Autonomous recon creates detectable patterns that blue teams should be actively hunting for.

Tool Stack: Python, Flask, ChromaDB (RAG), Docker (Kali + Tor + Browser Agent), OpenAI-compatible LLM API, SQLite, Playwright, BeautifulSoup. 105 Python modules. Fully self-hosted — no cloud dependencies for core functionality.

Speakers

Suriya Prasath S

zoho, red teamer, manager

A Red Teamer and Security Manager at Zoho CRM–Red Team, with 6+ years of experience driving adversarial simulations and real-world attack emulation at scale. He focuses on uncovering critical security gaps by thinking like an attacker—blending deep technical expertise with practical red team operations to challenge assumptions and strengthen defences.

View full speaker profile →
Chandru J

Zoho, Product Security Manager

Product Security Manager with over 12 years of experience in driving cybersecurity initiatives, enhancing organizational security posture, and ensuring compliance with international standards such as ISO 27001, SOC 2, and GDPR. Adept at leading and mentoring teams, managing enterprise-wide security programs, and developing in-house security tools to address vulnerabilities effectively. Proven expertise in vulnerability management, incident response, security governance, and implementing secure development lifecycle (SDLC) practices. Recognized for fostering a security-first culture and collaborating with cross-functional teams to mitigate risks, protect assets, and improve processes in rapidly evolving environments.

View full speaker profile →
Muthu Kumar

Security Engineer

I am a Security Engineer with 10 years of experience specializing in web application security and security tool development. I have extensive experience identifying security vulnerabilities, improving secure development practices, and building tools that help organizations detect and prevent security risks at scale. My expertise includes application security testing, secure code reviews, threat modeling, vulnerability assessment, and developing security automation solutions that reduce manual effort and improve detection accuracy. I have worked on enhancing security tools by reducing false positives and helping engineering teams address vulnerabilities more efficiently. I am passionate about building secure systems and solving complex security challenges through automation, innovation, and practical security engineering approaches. My focus is on strengthening application security while enabling development teams to build and ship secure products faster.

View full speaker profile →