Most VPNs just move the trust problem — now you're trusting a company instead of your ISP. ShadowCypher routes everything through Tor so there's no company to trust at all. No logs because there's nothing to log. No subscription. Runs entirely on your machine.
// DEMO: install the agent to see your real network events here
GUARDIAN // NETWORK MONITOR
LIVE
// NETWORK SCAN · 192.168.1.0/24last scan: 2m ago
IPDEVICEOSSTATUS
192.168.1.1ASUS RT-AX88U [Router]LinuxOK
192.168.1.4DESKTOP-SC01 [This machine]LinuxOK
192.168.1.9Galaxy S24 UltraAndroidOK
192.168.1.17MacBook Pro M3macOSOK
192.168.1.23UNKNOWN DEVICE [ARP ANOMALY]—⚠ ALERT
INCIDENT: ARP spoof detected — 192.168.1.23 claiming gateway MAC
29
MODULES
8
GHOST LAYERS
5
PLATFORMS
9
MCP TOOLS
// THE PLATFORM
Five tools. One sovereign stack.
ShadowCypher isn't a single app. It's a multi-platform security environment where every component talks to every other. Run an engagement on desktop, monitor your LAN from your phone, get alerted when something moves.
v0.1.0
ARCH LINUX · HYPRLAND · LIVE ISO
ShadowOS
An Arch-based live/installable ISO. Pentest tools, dev environment, and gaming — all in one hardened OS. Hyprland compositor, custom Plymouth boot, 6 hot-swap security modes. ShadowCypher pre-installed.
Full GTK3 desktop app with a real-time Cairo HUD, network war-map, AI inference via Ollama, and 29 offensive/defensive modules. Where missions are planned and executed.
→ NEXUS-COMMAND dashboard
→ ShadowScript mission DSL
→ Ghost Protocol (8 layers)
→ Phishing Forge (35 templates)
→ C2 Command Center
ANDROID · CAPACITOR
ShadowCypher Guardian
The full web dashboard wrapped in a native Android app. Device inventory, CVE matches against your gear, real-time incident alerts, and Guardian agent management — from your pocket.
→ Network device inventory
→ CVE matching by device
→ ARP spoof / rogue AP alerts
→ Live threat feed
→ Push notifications
ANDROID · ASSIST OVERLAY
Shadow Assistant
Replaces Bixby, Siri, and Google Assistant. Set as your default Assist app — long-press Home to invoke the translucent overlay. STT → AI → TTS. Your phone, your AI.
→ Transparent overlay (no UI chrome)
→ On-device STT + cloud AI
→ Works on lock screen
→ Replaces default assistant
→ 769KB — no bloat
DAEMON · LINUX / MACOS / WIN
Guardian Agent
A lightweight Python daemon that runs on any machine on your LAN. Scans your network every 10 minutes, fingerprints devices, detects threats, and reports to your dashboard and phone.
This site. A zero-dependency PWA — no framework, no React, no bundle step. Sign in from any browser, see your network state, manage your account, receive alerts. Installable on desktop or mobile.
→ Supabase auth + real-time
→ Cloudflare Worker API
→ PWA installable
→ 0 npm dependencies
// DATA FLOW
How everything connects.
Every component talks to every other. Run a mission on desktop, agent scans your LAN, events hit the API, and your phone lights up — all in real time.
Live LAN scanner. Device inventory, CVE matching, ARP spoof detection, threat feed.
Explore →
04 // DOWNLOAD
Android Apps
Guardian APK + Shadow APK. Sideload-ready, direct from GitHub Releases.
Download →
05 // PRO
Pricing
Community free forever. Guardian Pro $9.99/mo. Operator $49/mo. 14-day trial.
View plans →
06 // ACCOUNT
Sign In
Create an account or sign in to access your Guardian dashboard and agent data.
Sign in →
// DESIGN PRINCIPLES
Not built for the cloud. Built for the operator.
Most security tools phone home. ShadowCypher doesn't. The desktop app runs entirely offline — Ollama for AI inference, local SQLite for state. The agent daemon runs on your hardware. You own your data.
When you do use the cloud (dashboard, push alerts), it's Cloudflare Workers at the edge — your data never touches a central server.
01
Zero telemetry
No analytics, no crash reporting, no usage data. The code is open source — verify it yourself.
02
Cryptographic identity
RSA-4096 key pairs. AES-256-GCM chat. X25519 forward secrecy. Every sensitive surface is encrypted.
03
Local-first AI
AI inference via Ollama runs on your machine. No API keys, no OpenAI, no data leaves your box.
04
Open source
Full source on GitHub. Clone, audit, fork. Community edition is free forever.
Tactical Arsenal
29 purpose-built offensive and defensive modules across six mission areas. Every tool was built because it was needed in the field — no fluff, no overlap.
RECONEXPLOITGHOSTC2COMMSDSL
CATEGORY 01
Command & Control
MODULE 01
NEXUS-COMMAND
The main desktop HUD. Real-time Cairo gauges for CPU, RAM, network I/O. AI inference via local Ollama. Network topology war-map with live host discovery.
PYTHON · GTK3 · CAIRO · OLLAMA
Capabilities
→ Live system telemetry dashboard
→ Quantum-Core AI deep analysis
→ Network war-map (Nmap + Cairo)
→ Admin god panel (encrypted)
→ Lazy-loaded page architecture
AI Integration
# Natural language security ops
shadow > scan my network
shadow > am I anonymous?
shadow > engage ghost mode
CATEGORY 02
Reconnaissance & Intelligence
MODULE 02
COVERT-INTEL
Reconnaissance and OSINT. Fingerprint targets, discover infrastructure, sweep for vulnerabilities, and correlate findings with ExploitDB.
NMAP · SHERLOCK · NUCLEI · EXPLOITDB
Tools
→ Nmap service + OS fingerprinting
→ Sherlock — 300+ platform OSINT
→ Nuclei vulnerability sweep
→ Infrastructure recon (DNS, SSL)
→ ExploitDB CVE correlation
Output
→ JSON + Markdown reports
→ Severity-ranked findings
→ CVE IDs with CVSS scores
→ Exportable to ShadowScript
CATEGORY 03
Offensive Operations
MODULE 03
OFFENSIVE-LAB
Full red-team lab. AI-powered payload gen, web app attacks, wireless auditing, credential cracking, and the Phishing Forge with 35 enterprise templates.
HYDRA · HASHCAT · AIRCRACK · PHP
Offensive
→ DeepHat Apex (AI payload gen)
→ SQL injection, XSS, SSRF, IDOR
→ Hydra credential brute-force
→ Hashcat GPU hash cracking
→ Aircrack-ng wireless attacks
Phishing Forge
→ 35 enterprise phishing templates
→ Live PHP server on custom port
→ Real-time credential capture
→ Office365, Google, Outlook, AWS
→ One-click stop/start control
CATEGORY 04
Cryptography & Secure Comms
MODULE 04
SOVEREIGN-OPS
Encrypted communications and integrity assurance. Zero-knowledge chat, binary integrity verification, and RSA-4096 cryptographic identity.
AES-256-GCM · X25519 · RSA-4096 · GO
Cryptography
→ AES-256-GCM encrypted chat
→ X25519 forward secrecy
→ RSA-4096 admin identity keys
→ Go WebSocket relay node
→ Zero message persistence
Integrity
→ Sisyphus integrity sentinel
→ Binary hash verification
→ Honeypot trap deployment
→ Canary token generator
CATEGORY 05
AI Operations & Automation
MODULE 05
SHADOW-CLI
Natural language AI terminal. Type what you want to do; Shadow figures out the toolchain and executes it. 9 MCP tools wired to the full arsenal.
PYTHON · ANTHROPIC API · MCP · OAUTH2
9 MCP Tools
→ network_scan (Nmap)
→ ghost_mode (toggle)
→ osint_lookup (Sherlock)
→ anonymity_check
→ payload_gen + vuln_scan
Auth
shadow-agent init
# OAuth2 device flow
# no copy-paste keys
MODULE 06
SHADOWSCRIPT
A purpose-built tactical scripting DSL. Hand-written lexer, recursive descent parser, and tree-walking interpreter. Orchestrate multi-tool missions in a single .shadow file.
PYTHON · CUSTOM LEXER · CUSTOM PARSER
Example mission file
TARGET 192.168.1.0/24
SWARM recon.nmap → fingerprint all live hosts
STRIKE exploit.nuclei → sweep for CVEs
AI"Summarize critical findings"
!echo Mission complete
Runs with python3 engine.py mission.shadow. Modules bridge directly to the arsenal — no glue code needed.
CATEGORY 06
C2 Framework
MODULE 07
C2 COMMAND CENTER
Multi-listener C2 controller with session management and payload generation. Start, stop, and monitor listeners across ports and protocols from a single panel.
If you came here looking for a VPN alternative — this is what you want. Ghost Mode routes all your traffic through Tor, not just your browser. Your MAC address gets randomized. DNS is locked so nothing leaks outside Tor. If the connection drops, iptables kills it — no accidental cleartext. One command on, one command off, one command to verify it's working.
The fundamental difference from a VPN: there's no company in the middle. With a VPN, you're just moving your trust from your ISP to the VPN provider — and hoping they mean it when they say "no logs." With Tor, the architecture itself makes logging your traffic impossible for any single party. No promises required.
Honest tradeoff: Tor is slower than a VPN. If you're streaming or gaming, that'll be noticeable. Ghost Mode is built for privacy when you actually need it — research, sensitive browsing, anything where you'd rather be slow and invisible than fast and trackable.
VPN vs GHOST MODE
FEATURE
NORDVPN / PROTONVPN
SHADOWCYPHER GHOST
Hides your IP
✓ (VPN server sees it)
✓ (Tor exit node, not you)
No logs
They promise. Trust them?
Runs locally. Nothing to log.
MAC randomization
✗ Not included
✓ Layer 3
DNS leak prevention
Varies by client
✓ Locked by iptables
Kill-switch
App-level (bypassable)
✓ Kernel-level iptables
Cost
$4–$12/month
Free. Always.
Speed
Fast (single hop)
Slower (3 Tor hops) — tradeoff for real anonymity
Open source
Partially / closed
✓ Fully. Read every line.
Get private in 60 seconds
01
Install ShadowCypher
Clone the repo and run the installer. Takes about 2 minutes on any Linux machine. Tor is set up automatically.
git clone github.com/jakes1345/ShadowCypher
02
Run one command
Ghost Mode engages 8 layers at once — Tor routing, kill-switch, MAC change, DNS lockdown. Everything.
sudo python3 ghost_mode.py engage
03
Verify it's working
Shadow Audit checks every layer — IP, DNS, MAC, hostname, firewall. It tells you exactly what's exposed and fixes it.
python3 shadow_audit.py
What's running under the hood
8 LAYERS, ALL AT ONCE
01 // Tor transparent redirect — all traffic, not just browser
02 // iptables kill-switch — connection dies if Tor drops
03 // MAC randomization — new hardware identity
04 // Hostname neutralization — nothing to fingerprint
05 // Timezone → UTC — no timezone leaks
06 // DNS leak prevention — no queries leaving Tor
07 // RAM-only workspace — nothing written to disk
08 // Log suppression — system logs paused
TRAFFIC MIRAGE
Makes Tor traffic look like normal HTTPS using obfs4 bridges — useful in countries or networks that block Tor. Adds cover traffic and timing noise to defeat correlation attacks.
EMERGENCY WIPE
One command destroys all keys, session data, logs, and configs. 7-pass file shredding. If you need to disappear fast, this is the button.
SHADOW AUDIT
Runs after Ghost Mode to verify every layer actually worked. Checks real DNS resolution, confirms your IP is a Tor exit node, validates firewall rules. Gives you a score and fixes what's broken.
FULL COMMAND REFERENCE
sudo python3 ghost_mode.py engage # Go dark — all 8 layers
sudo python3 ghost_mode.py disengage # Back to normal
python3 shadow_audit.py # Verify every layer
python3 dead_drop.py panic # Emergency wipe
Guardian
Continuous network monitoring from a daemon running on your machine. Discovers every device, detects ARP spoofing, router exposure, and unauthorized access — all surfaced here in real time.
No agent connected
Devices: —Open incidents: —Last scan: —
12
DEVICES
0
INCIDENTS
3
CVE MATCHES
2m
LAST SCAN
// NETWORK DEVICES
192.168.1.1ASUS RT-AX88U · RouterOK
192.168.1.4DESKTOP-SC01 · LinuxOK
192.168.1.23UNKNOWN · ARP anomaly⚠ ALERT
Your live Guardian dashboard
Sign in to see your real network — devices, threats, CVE matches, and push alerts in real time.
// Install Guardian Agent
Run this on any Linux or macOS machine on your network. It will scan every 10 minutes and report back here.
Replaces Bixby, Google Assistant, and Siri. Auth'd with your API key, pulls live Guardian context before every response. v1.1 — standalone APK (no Guardian dependency), Capacitor push notification wiring, improved STT accuracy.
4. For Guardian monitoring: install the Guardian agent on a machine on your LAN
// GUARDIAN AGENT (Linux / macOS / Windows)
$pip install requests
$python3 shadowcypher_agent.py init# paste your API key
$python3 shadowcypher_agent.py run# runs in foreground
Get your API key from Account → API Key. The agent auto-updates and ships data every 10 minutes.
// SOVEREIGN OPERATING SYSTEM
ShadowOS
An Arch Linux-based live/installable ISO. Enterprise pentest platform, developer workstation, and gaming rig — all in one hardened OS with a custom Hyprland compositor, branded boot sequence, and ShadowCypher pre-installed at /opt/shadowcypher.
v0.1.0ISO VERIFIED · ~7.4 GBx86_64 · UEFI + BIOSBUILD YOUR OWN
PENTEST ARSENAL
nmap · sqlmap · hydra · metasploit
aircrack-ng · bettercap · john · hashcat
rustscan · ffuf · feroxbuster · subfinder
impacket · netexec · mitmproxy · nuclei
wireshark · sshuttle · httpx · naabu
DEVELOPMENT
VSCode · neovim · helix · lazygit · gh
docker · podman · kubectl · terraform
rustup · go · nodejs · python
Distrobox (Kali / Ubuntu / Debian containers)
Flatpak · Flathub
DESKTOP + GAMING
Hyprland · Waybar · Wofi · Hyprlock
SDDM custom theme · Plymouth boot splash
Steam · Heroic · Lutris · PrismLauncher
MangoHUD · GameScope · wine-staging
LibreWolf · Mullvad Browser · Tor Browser
PRIVACY + HARDENING
linux-hardened kernel + sysctl hardening
AppArmor · ufw · dnscrypt-proxy
Tor · MAC randomization per-mode
ShadowCypher GTK app pre-installed
Ollama for local AI inference
// 6 HOT-SWAP SECURITY MODES — switch with shadow-mode <name> or SUPER+M
Treat this key like a password. It grants full access to your nodes.
// Encrypted channels
#generalEnd-to-end encrypted
#ops-fleetPro plan required
// Devices on your network
No agents reporting yet. Install the Guardian agent to populate this list: python3 agent/shadowcypher_agent.py init && python3 agent/shadowcypher_agent.py run
// Recent security events
No incidents yet — install the Guardian agent to start receiving real alerts.
// Your activity
DEVICES
—
SCANS
—
INCIDENTS
—
OPEN ALERTS
—
// Webhooks (Pro)
Forward incident events to Slack, Discord, PagerDuty, or any HTTPS URL. HMAC-SHA256 signed via per-webhook secret.
+ Add webhook
// Notifications
// Teams (Operator)
// AI assistant (Pro)
Ask anything about your network: "What devices are new this week?", "Is my router safe?", "Are there any open critical incidents?"
AI provider settings (BYOK / Ollama)
By default, queries use the platform's AI key with a monthly quota. Switch to your own Anthropic key (BYOK) or a self-hosted Ollama for unmetered access.
// Refer a friend
Get +30 days of Pro for every friend who subscribes from your link.
Signups:—
Rewards earned:—
Days credited:—
// Recent activity
// Two-factor auth
checking…
Use any TOTP app (Authy, Google Authenticator, 1Password, Bitwarden). Enrollment is handled by Supabase — paste your account password to enroll.
// Your data
Export everything ShadowCypher has on you as a single JSON file (GDPR portability).
// Danger zone
Permanently delete your account and all data (devices, scans, incidents, teams). This cannot be undone.