Why Every C2 Framework Was Built Wrong — And What AI-Native Design Actually Looks Like

Every C2 framework you’ve used was designed for a human being sitting at a terminal.

Cobalt Strike. Sliver. Havoc. Metasploit. Empire. All of them, without exception, were architected around a human operator typing commands, reading output, making decisions, and executing the next step manually.

That made sense in 2010. It made sense in 2015. It made sense right up until the moment AI agents became capable enough to execute complex multi-step operations autonomously.

That moment has arrived. And the entire architecture of offensive security tooling is wrong for it.

The Problem Nobody Is Talking About

When you look at how existing C2 frameworks expose their operator interface, you see the same pattern everywhere.

Interactive REPLs designed for human reading speed. Output formatted for human eyes. Command structures built around human intuition. Workflow assumptions baked in around a person thinking between each step.

When you try to put an AI agent in the operator seat of one of these frameworks — which people are now doing — you’re forcing a fundamentally different kind of intelligence to wear a suit tailored for someone else entirely.

The agent can do it. But it’s fighting the tool the entire time.

It’s parsing human-readable output instead of consuming structured data. It’s navigating interactive prompts designed for tab completion by human fingers. It’s working around assumptions that a person will be making contextual judgments between steps.

The result is fragile, slow, and unpredictable. Not because the agent isn’t capable. Because the tool wasn’t designed for it.

What AI-Native Actually Means

When we started building Erebus — the C2 framework inside Zypheron — we made one foundational decision that changed every subsequent architectural choice:

The primary consumer of this framework is an AI agent. Not a human.

That sounds simple. The implications are profound.

The Wire Protocol

Every existing C2 framework that tries to add AI integration does it at the wrong layer. They bolt an AI interface onto a framework that speaks in human-readable formats and interactive prompts.

We designed the wire protocol for machine consumption from day one.

Erebus uses Protocol Buffers for all communications. Every message between the implant and teamserver is a structured protobuf. Every response from the operator API is typed, predictable, and machine-parseable.

Channel          Protocol              Auth
Implant ↔ Team   HTTPS + Protobuf      HMAC-SHA256 + AES-256-GCM
Operator ↔ Team  gRPC                  mTLS

An AI agent calling ExecuteTask gets back a structured TaskResult with typed fields, not a blob of terminal output it has to parse with regex. The difference in reliability is not marginal. It’s categorical.

The Operator API

Traditional C2 frameworks expose their functionality through interactive CLIs. You type commands. Output comes back. You decide what to do next.

Erebus exposes its functionality through a gRPC service with a clean RPC surface:

ExecuteTask          — Dispatch a task to an implant
GetTaskResult        — Poll for task result
Subscribe            — Stream real-time events
ListPendingApprovals — Human approval gate
Approve/Deny         — Human decision injection point

An AI agent can call these RPCs directly. No terminal parsing. No interactive session management. No fighting the interface designed for human hands.

The agent calls ExecuteTask. It gets a task ID. It calls GetTaskResult when ready. It gets a structured result. It makes its next decision based on typed data.

That’s AI-native design. Every other framework requires the agent to simulate a human using a human tool.

The Async Task Queue

Human operators work sequentially. You run a command. You read the output. You decide what to do next. The entire interaction model of traditional C2 frameworks assumes this pattern.

AI agents don’t work this way. An agent running a complex engagement wants to dispatch multiple operations simultaneously, track them independently, and make decisions based on whichever completes first or produces the most interesting result.

Erebus has an async task queue with non-blocking dispatch. An agent can fire fifteen tasks simultaneously and subscribe to the event stream for results. No waiting. No sequential bottleneck. Parallelism is a first-class citizen.

// Agent dispatches multiple tasks without blocking
ExecuteTask(session, TASK_LDAP_ENUM, ldapParams)
ExecuteTask(session, TASK_NET_PORTSCAN, scanParams)
ExecuteTask(session, TASK_PROCESS_LIST, nil)

// Subscribes to event stream
Subscribe() // receives results as they complete

A human operator doing this manually would need to manage multiple terminal windows. An AI agent using Erebus just subscribes to the stream.

The Approval Gate — Where Human Intelligence Belongs

Here’s the most important architectural decision we made.

An AI-native C2 framework doesn’t mean a fully autonomous one. The human operator isn’t removed from the loop. They’re placed in the loop at exactly the right point — high-risk decision making.

Erebus has a built-in approval gate for high-impact operations. Before an agent executes credential dumping, lateral movement, persistence installation, or privilege escalation, the operation enters a pending queue. A human reviews it. Approves or denies with an optional reason.

pending     List pending approvals
approve     Approve a high-risk operation
deny        Deny operation with reason

This is the correct separation of responsibility.

The agent handles enumeration, recon, pattern recognition, and tactical decision-making at machine speed. The human handles strategic approval of consequential actions.

Not human-in-the-loop for everything — that defeats the purpose of AI augmentation. Human-in-the-loop for the decisions that actually matter. That’s AI-native design thinking applied correctly to offensive security.

The Module Architecture

Traditional C2 modules are written for human operators to invoke manually. The syntax, the parameters, the output — all designed around human interaction.

Erebus modules are registered in a compiled-in registry with a consistent interface. Every module speaks the same protocol. An AI agent doesn’t need to know the idiosyncrasies of each module’s CLI syntax. It calls TASK_MODULE with a module name and structured parameters. It gets structured output back.

The Active Directory attack surface illustrates this clearly:

TASK_LDAP_ENUM     — 12 pre-defined query types, structured results
TASK_KERBEROAST    — TGS extraction, hashcat-compatible output
TASK_ASREP_ROAST   — Pre-auth bypass, hashcat mode 18200 output
TASK_CREDS_DUMP    — LSASS, SAM, browser credentials
TASK_LATERAL_MOVE  — WinRM, PsExec, WMI, DCOM
TASK_PERSIST       — Scheduled tasks, registry, services
TASK_PRIVESC       — Token theft, UAC bypass

An AI agent can enumerate all kerberoastable SPNs, identify high-value targets, dispatch a kerberoasting operation, receive hashcat-formatted output, and chain that into a lateral movement decision — all as a structured data flow. No manual parsing. No human reading intermediate output.

Why This Matters For Real Engagements

The practical impact of AI-native design shows up in engagement speed and coverage.

A senior human operator running a complex AD engagement manually might cover 60-70% of the attack surface in a standard engagement window. Not because they’re not skilled — because there’s a physical limit to how fast a human can enumerate, analyze, and execute sequentially.

An AI agent operating Erebus can parallelize enumeration across the entire visible attack surface simultaneously, process all results structurally, identify the highest-value attack paths, queue them for human approval, and have a prioritized exploitation plan ready before a human operator has finished their first cup of coffee.

The human then reviews the plan, approves the high-impact operations, and the agent executes. The operator’s cognitive load shifts from execution to strategy. From doing to deciding.

That’s a categorically different engagement capability. Not marginally better. Categorically different.

The Infrastructure Layer

Beyond the conceptual architecture, AI-native design shows up in infrastructure decisions too.

mTLS everywhere. Every operator-to-teamserver connection requires mutual TLS with client certificates. An AI agent authenticates to Erebus the same way a human operator does — cryptographically. No weaker authentication path for programmatic access.

HMAC-SHA256 implant verification. Every beacon is verified by pre-shared secret. The teamserver doesn’t accept implant callbacks it can’t verify. This matters more in AI-operated engagements where the agent might be making rapid decisions that increase operational tempo.

AES-256-GCM session encryption. All implant payloads are encrypted at the session layer. The agent’s communications are as protected as a human operator’s.

SQLite persistence. All sessions, tasks, and loot are stored locally in a structured database. The agent can query engagement history, cross-reference findings, and build context across a long engagement. Human operators scroll through terminal history. Agents query a database.

DNS covert channel. TXT record queries with base32-encoded data for environments where HTTPS traffic is monitored. The agent can select transport automatically based on network conditions.

The Zypheron CLI — The Human Layer

Erebus is the engine. Zypheron CLI is where human operators and AI agents meet.

The open source CLI provides the operator-facing workflow layer — recon, scanning, AI-assisted analysis, session management — all built with the same AI-native philosophy. Local and hosted model support. Structured output throughout. A 30MB self-contained binary with no external AI dependencies.

No LangChain. No abstraction layers we don’t control. Runs in air-gapped environments where most AI security tools fail immediately.

The CLI and Erebus are designed together. The CLI speaks the same structured data language as the C2 layer. The agent’s context flows from recon through exploitation without translation layers losing information.

What We’re Building Toward

The current generation of AI security tools can be summarized as: take existing tools, add an AI wrapper, call it AI-native.

That’s not what we’re building.

We’re building from the assumption that AI agents will be the primary operators of offensive security tooling within the next 3 years. That assumption changes every architectural decision — wire protocols, module interfaces, task queuing, event streaming, approval gates, output formatting.

The C2 framework is the hardest part to get right. It’s the core of every offensive operation. It’s where the real capability lives. And it’s the part that existing players can’t retrofit without rebuilding from scratch.

We rebuilt from scratch. Because we had no legacy to protect.

Erebus runs today. The GUI platform is in development. The community is building around the open source CLI.

If you’re in offensive security and you want to see what operating an AI-native C2 actually looks like, follow along.

GitHub: Zypheron CLI

The full platform waitlist opens soon.