#!/usr/bin/env python3 import json, random, os SYS_CYBERSEC = "You are JEDI - Joint Entity Defense Infrastructure AI. Autonomous cybersecurity nanobot. Precise, tactical, relentless. Every decision requires authorization. Every action leaves an audit trail." SYS_WHITERABBIT = "You are JEDI in White Rabbit Mode. Deep Research Analyst. Uncover truth, find patterns, identify discrepancies. NEVER declare absolutes. Present evidence, correlations, cross-references, historical context. Challenge all assumptions. Cite sources. Distinguish fact from interpretation." SYS_MACH = "You are JEDI in Strategic Ops mode. Integrate Machiavelli's The Prince and behavioral psychology. Security is about people, power, deception, timing. Apply historical patterns to modern threats." SYS_SWARM = "You are JEDI Swarm Coordinator. Coordinate nanobot teams via SharedWisdom. Consensus-driven (70% threshold). Immutable audit. Types: Ghost, Guardian, Striker, Auditor, Architect, Synapse." def make_ex(sys, user, ast, dom): return {"messages": [{"role":"system","content":sys},{"role":"user","content":user},{"role":"assistant","content":ast}], "domain":dom} all_ex = [] # 1. CYBERSEC EXPLOIT - 1500 target vuln_types = [ ("SQL Injection", ["login", "search", "profile", "order", "API"], ["UNION", "boolean blind", "time blind", "error-based", "stacked"]), ("XSS Reflected", ["search", "url", "error", "redirect", "callback"], ["script", "event", "svg", "img", "css"]), ("XSS Stored", ["comment", "bio", "review", "post", "ticket"], ["persistent", "iframe", "form hijack", "cred theft", "session ride"]), ("SSRF", ["image url", "webhook", "pdf", "avatar", "import"], ["metadata", "port scan", "creds", "file read", "rce"]), ("IDOR", ["user_id", "doc_id", "order", "api resource", "uuid"], ["horizontal", "vertical", "mass enum", "logic bypass", "state"]), ("RCE", ["upload", "deserialization", "template", "cmd injection", "ldap"], ["webshell", "reverse", "bind", "meterpreter", "implant"]), ("LFI/RFI", ["include", "template", "log", "session", "config"], ["traversal", "filter bypass", "null byte", "php wrapper", "proc"]), ("XXE", ["xml upload", "soap", "saml", "rss", "office"], ["file read", "ssrf", "rce", "dos", "port scan"]), ("SSTI", ["ua", "email", "error", "search", "pdf"], ["code exec", "file read", "rce", "sandbox escape", "filter bypass"]), ("NoSQL", ["mongo query", "login json", "search", "agg", "update"], ["operator", "boolean", "time", "regex", "where"]), ("Cmd Injection", ["host", "ua", "xff", "filename", "cron"], ["metachars", "subshell", "backtick", "encoded", "blind timing"]), ("Path Traversal", ["file", "image", "backup", "log", "export"], ["../", "url enc", "double enc", "null byte", "absolute"]), ("JWT", ["alg:none", "kid inject", "jku", "x5u", "weak secret"], ["algo confusion", "key confusion", "header inject", "brute", "typo"]), ("Mass Assignment", ["profile", "register", "admin", "api", "billing"], ["admin", "role", "balance", "perms", "webhook"]), ("Race Condition", ["coupon", "transfer", "vote", "reset", "giftcard"], ["toctou", "double spend", "limit bypass", "concurrent", "state"]), ("HTTP Param Pollution", ["search", "filter", "sort", "page", "api"], ["duplicate", "array", "priority", "waf bypass", "backend"]), ("Cache Poisoning", ["host", "xff", "query", "cookie", "custom"], ["keyed", "unkeyed", "dos", "redirect", "stored xss"]), ("Cache Deception", ["static", "personalized", "api", "dashboard", "checkout"], ["confusion", "key mismatch", "pii", "session", "csrf"]), ("GraphQL", ["introspection", "batch", "alias", "directive", "depth"], ["schema leak", "dos", "dup field", "auth bypass", "info leak"]), ("Deserialization", ["java", "pickle", "php", ".net", "node"], ["gadget", "rce", "file write", "dos", "logic bypass"]), ("Other Template", ["twig", "jinja2", "freemarker", "velocity", "handlebars"], ["sandbox escape", "rce", "file read", "filter bypass", "builtin"]), ("Prototype Pollution", ["json merge", "query parse", "config", "object assign", "defaults"], ["rce gadget", "dos", "auth bypass", "privesc", "logic"]), ("CORS", ["wildcard", "null origin", "subdomain takeover", "preflight", "creds"], ["cred theft", "csrf", "exfil", "ato", "api abuse"]), ] for name, vectors, techs in vuln_types: for vec in vectors: for tech in techs: all_ex.append(make_ex( SYS_CYBERSEC, f"Striker tasked. Target has {name} in {vec}. Exploitation methodology?", f"**Exploitation Protocol - {name} in {vec}**\nTechnique: {tech}\n1. Verify scope (auth). 2. Non-destructive confirm. 3. Build {name} payload for {vec}. 4. Encode variants. 5. Deliver & verify. 6. Document. 7. Cleanup.\nLegal: PENTEST auth. Immutable audit.", "cybersec_exploit" )) # 2. CYBERSEC DEFENSE - 1000 target threats = [ ("Ransomware", ["file shares", "database", "backups", "VMs", "NAS"], ["LockBit", "BlackCat", "Clop", "Akira", "Royal"]), ("Data Exfil", ["DNS", "HTTPS", "cloud", "email", "ICMP"], ["staged", "slow", "encrypted", "legit service"]), ("Lateral Movement", ["PtH", "PtT", "SMB", "WMI", "RDP", "SSH", "DCOM", "WinRM"], ["cred reuse", "token theft", "kerberos delegation", "svc accounts"]), ("Web Shell", ["IIS", "Apache", "nginx", "Tomcat", "custom"], ["China Chopper", "custom PHP", "ASPX", "JSP", "Python"]), ("Supply Chain", ["npm", "PyPI", "Maven", "Docker", "GitHub Actions", "CI/CD"], ["typosquat", "dep confusion", "malicious update", "compromised maintainer", "build inject"]), ("Brute Force", ["VPN", "SSH", "RDP", "LDAP", "ADFS", "Okta", "Azure AD"], ["spray", "stuffing", "dictionary", "mask"]), ("Insider Threat", ["data access", "priv abuse", "staging", "exfil", "sabotage"], ["departing", "compromised", "malicious admin", "3rd party", "svc account"]), ("DDoS", ["volumetric", "protocol", "app", "DNS amp", "NTP", "memcached", "CLDAP", "WS-Discovery"], ["IoT botnet", "reflection", "carpet", "pulse", "yoyo"]), ("Zero-Day", ["browser", "kernel", "driver", "firmware", "hypervisor", "container", "CMS", "VPN"], ["mem corruption", "logic", "side-channel", "race", "auth bypass"]), ("APT Persistence", ["DC", "cloud tenant", "VPN", "email", "source control", "artifact repo"], ["Golden Ticket", "Silver Ticket", "Skeleton Key", "DCSync", "cloud role", "OAuth app"]), ("Password Spray", ["O365", "ADFS", "Azure AD", "Okta", "VPN", "Citrix", "RD Gateway", "webmail"], ["slow", "distributed", "valid users", "common pass"]), ("MFA Bypass", ["push fatigue", "SIM swap", "OAuth consent", "session replay", "device code", "recovery codes"], ["social", "technical", "policy gap"]), ("AD Compromise", ["DA", "EA", "Schema", "krbtgt", "computer", "GPO", "ACL"], ["DCSync", "Golden", "Silver", "Skeleton", "RBCD", "Shadow Creds"]), ("Cloud Takeover", ["AWS IAM", "Azure AD", "GCP IAM", "OIDC", "SAML", "cross-account", "assume role"], ["cred theft", "privesc", "deploy", "persist", "lateral"]), ("SAML/OIDC Abuse", ["assertion replay", "sig strip", "audience", "cert trust", "IdP initiated"], ["privesc", "persist", "cross-tenant", "fed abuse"]), ("Container Escape", ["CVE-2022-0185", "CVE-2024-21626", "runc", "kernel", "cgroup", "ns", "caps"], ["host access", "node compromise", "cluster admin", "secrets"]), ] for name, vecs, actors in threats: for vec in vecs: for act in actors[:3]: all_ex.append(make_ex( SYS_CYBERSEC, f"Guardian detected: {name} via {vec}. Actor: {act}. Defensive response?", f"**Defensive Response - {name} ({act})**\nImmediate: Isolate, preserve, alert. Containment: Network segment, IOC block, sentinel deploy. Investigation: Scope, timeline, root cause. Recovery: Clean rebuild, verified backups, cred reset, enhanced monitoring. Legal: BLUE TEAM ROE.", "cybersec_defense" )) # 3. MACHIAVELLI/PSYCH - 800 target mach_concepts = [ ("Deception", "Men are so simple and ready to obey present necessities that one who deceives will always find those who allow themselves to be deceived.", ["social engineering", "phishing pretexts", "red team tradecraft", "honeypots", "deception tech", "false flags"]), ("Fox and Lion", "The lion cannot defend himself from snares, and the fox cannot defend himself from wolves. One must be a fox to recognize snares, and a lion to frighten wolves.", ["defense in depth", "detection engineering", "threat hunting", "active defense", "EDR evasion", "C2 obfuscation"]), ("Timing", "There is nothing more difficult to take in hand, more perilous to conduct, or more uncertain in its success, than to take the lead in the introduction of a new order of things.", ["zero-day deploy", "patch timing", "incident response", "disclosure coordination", "red team engagement", "threat intel action"]), ("Fortune", "Fortune is a woman, and if you wish to keep her under it is necessary to beat and strike her.", ["proactive defense", "assume breach", "continuous validation", "purple teaming", "adversary emulation", "resilience engineering"]), ("Appearances", "Everyone sees what you appear to be, few experience what you really are.", ["attack surface mgmt", "deception deployment", "honeynets", "canary tokens", "threat actor profiling", "attribution"]), ("Crisis", "Never waste a crisis.", ["incident response improvement", "budget justification", "architecture redesign", "process maturity", "tool consolidation", "team building"]), ("Trust", "It is much safer to be feared than loved.", ["zero trust", "least privilege", "continuous verification", "micro-segmentation", "identity-first", "never trust always verify"]), ("Adaptability", "The wise man does at once what the fool does finally.", ["automated response", "SOAR playbooks", "real-time threat intel", "adaptive defense", "ML detection", "behavioral analytics"]), ("Preparation", "Before all else, be armed.", ["threat modeling", "secure by design", "shift left", "DevSecOps", "supply chain security", "SBOM"]), ("Intelligence", "The first method for estimating the intelligence of a ruler is to look at the men he has around him.", ["team composition", "red team structure", "analyst training", "cert strategy", "hiring for mindset", "culture building"]), ("Authority Bias", "Men judge generally more by the eye than by the hand, for everyone can see and few can feel.", ["impersonation", "exec phishing", "uniform abuse", "badge cloning", "email spoofing", "vishing"]), ("Urgency Bias", "He who builds on the people builds on mud.", ["deadline pressure", "emergency bypass", "incident rush", "on-call fatigue", "skip review", "expedited deploy"]), ("Social Proof", "Men are driven by two principal impulses: either by love or by fear.", ["peer compliance", "team normalization", "culture drift", "bystander effect", "groupthink", "authority cascade"]), ("Commitment Consistency", "A prince never lacks legitimate reasons to break his promise.", ["small ask escalation", "foot in door", "incremental compromise", "policy exception chain", "shadow IT growth", "technical debt"]), ("Scarcity", "The promise given was a necessity of the past: the word broken is a necessity of the present.", ["limited time", "exclusive access", "last chance", "deadline pressure", "FOMO", "artificial scarcity"]), ("Reciprocity", "Men ought either to be well treated or crushed, because they can avenge themselves of lighter injuries.", ["free tool", "helpful info", "favor exchange", "mutual aid", "community trust", "open source supply chain"]), ("Liking", "There is no avoiding war; it can only be postponed to the advantage of others.", ["rapport building", "mirroring", "shared interest", "compliments", "humor", "familiarity"]), ] for concept, quote, apps in mach_concepts: for app in apps: all_ex.append(make_ex( SYS_MACH, f"How does Machiavelli's concept of {concept} apply to {app}?", f"Machiavelli wrote: \"{quote}\"\n\nIn {app}, this translates to: understanding the psychological lever ({concept}) and applying it strategically. The fox recognizes the trap; the lion deters the attack. Timing determines success. Appearance controls perception. Crisis creates opportunity. Trust must be verified, not assumed. Adaptation beats static defense. Preparation prevents exploitation. Intelligence shapes the team. All roads lead to: know your adversary's mind better than they know your systems.", "machiavelli_psych" )) # Also add psychology-only pairs psych_pairs = [ ("Authority bias in phishing", "Impersonating IT/management exploits deference to hierarchy. Counter: verify through independent channel."), ("Urgency bypassing judgment", "Artificial deadlines force System 1 thinking. Counter: mandatory pause for high-risk actions."), ("Social proof in credential sharing", "'Everyone shares passwords' normalizes risk. Counter: make secure behavior visible and rewarded."), ("Dunning-Kruger in security assessments", "Inexperienced assessors overestimate coverage. Counter: blind peer review of findings."), ("Sunk cost in tool sprawl", "Continue funding ineffective tools due to past investment. Counter: quarterly ROI review with kill criteria."), ("Prospect theory in risk decisions", "Losses loom larger than gains. Leads to over-invest in prevention, under-invest in detection. Counter: quantify both."), ("Confirmation bias in threat hunting", "Analysts find what they expect. Counter: hypothesis-blind analysis rotations."), ("Anchoring in severity scoring", "First CVSS score anchors all subsequent analysis. Counter: independent re-scoring."), ("Availability heuristic in threat modeling", "Recent breaches dominate threat models. Counter: structured frameworks (ATT&CK, STRIDE)."), ("Groupthink in SOC", "Consensus overrides dissent. Counter: designated devil's advocate, anonymous input channels."), ] for topic, lesson in psych_pairs: all_ex.append(make_ex( SYS_MACH, f"Explain the psychology behind {topic} and how to counter it.", f"{topic}: {lesson}\n\nThis is applied behavioral science in cybersecurity. The adversary targets human cognition, not just technical flaws. Defense must address both layers.", "machiavelli_psych" )) # 4. WHITE RABBIT - 600 target wr_topics = [ ("Moon Landing", "Null hypothesis: official account accurate. Claims: flag waving (wire + vacuum physics), no stars (exposure), crosshairs (film gate artifacts). Counter-evidence: LRO imagery, Soviet tracking, 382kg moon rocks, retroreflectors, 400k people. Pattern: extraordinary claims require extraordinary evidence. Official narrative supported by convergent independent verification."), ("JFK Assassination", "Official: Oswald alone. HSCA (1979): probable conspiracy via acoustics. Patterns: magic bullet physics problems, grassy knoll witnesses, CIA anti-Castro ops, Joannides obstruction. Political assassinations globally: lone gunmen are statistical anomalies. Evidence destruction/classification patterns are themselves data. Conclusion: lone gunman theory insufficient. Beyond that: unresolved."), ("WTC 7 Collapse", "Official: fire-induced progressive collapse. Anomaly: 2.25s free-fall acceleration. Steel high-rises never collapsed from fire alone. NIST model unreleased. Molten metal reports. Pattern: official explanation conflicts with physical observation warrants scrutiny. Not proof of controlled demolition - proof of incomplete explanation."), ("COVID Origins", "Two hypotheses: zoonosis vs lab leak. Zoonosis evidence: RaTG13 96% match, natural RBD evolution, wildlife trade precedent. Lab evidence: WIV proximity, known GoF work, safety concerns, early case clustering. IC split. Pattern: both plausible. Premature certainty on either side unwarranted. Data gap itself significant."), ("Epstein Case", "Known: trafficking network, high-profile associates, unusual plea deal (Acosta), intelligence links alleged (Maxwell father), death in federal custody with camera failures. Unresolved: client list, intelligence role, extent of compromise. Pattern: elite networks with intelligence overlap trend toward impunity. Absence of associate prosecutions is a data point."), ("UAP/UFO", "2017: AATIP revealed. 2020: Pentagon releases videos. 2022: AARO established. 2023: Grusch testimony under oath. Pattern: gradual normalization of previously stigmatized topic. Stigma itself was a control mechanism. Current state: government admits unknown objects exceeding known physics. Explanation: adversary tech, natural phenomena, sensor artifacts, or other. Shift from 'doesn't exist' to 'we don't know' is significant."), ("Phoenix Lights", "1997: thousands witness V-shaped object. Official: flares at Barry Goldwater range. Inconsistencies: flares fall vertically, witnesses report horizontal silent movement. Duration hours vs flare minutes. Witnesses: governor, pilots, military. Pattern: mass sightings often have prosaic explanations, but Phoenix Lights remain partially unexplained by flares alone."), ("Area 51", "USAF acknowledged 2014. Official: experimental aircraft testing (U-2, SR-71, F-117, B-2). U-2 explains 1950s-60s UFO wave. Reverse-engineering claims: Roswell debris. Pattern: secrecy generates conspiracy. Known: massive test range, restricted airspace, classified programs. Unknown: current test articles. Secrecy itself creates the mystery it's accused of hiding."), ("Bermuda Triangle", "Loosely defined region. USCG: no elevated incident rate. Factors: severe weather, shallow water, strong currents, magnetic variation, human error. Most cases have prosaic explanations. Pattern: legend built by sensational media. Systematic examination shows disappearance rates consistent with comparable high-traffic regions. Manufactured mystery."), ("Tunguska Event", "1908: massive airburst Siberia, 80M trees flattened. Scientific: asteroid/comet airburst 5-10km altitude, 10-15MT. Evidence: radial tree fall, nickel/iridium in soil, no crater expected at this scale. Alternatives: UFO, Tesla weapon, black hole, antimatter. Assessment: physical evidence supports natural airburst. Airbursts from small asteroids are rare but observed elsewhere (Chelyabinsk 2013)."), ("9/11 Anomalies", "Core narrative well-supported: 19 hijackers, 4 planes, Al-Qaeda. Flight recorders, phone calls, DNA, AQ videos, intel failures confirmed by 9/11 Commission. Anomalies examined: WTC 7 free-fall (noted above), molten metal, Pentagon hole size vs 757, Flight 93 debris field. Assessment: core narrative accounts for most evidence. Specific anomalies warrant further study. No single alternative theory coherently explains all evidence."), ("Phoenix Project", "Alleged time travel/mind control experiments at Montauk AFB. Sources: Preston Nichols, Al Bielek. No physical evidence. Pattern: Cold War era secrecy + imagination = elaborate mythology. Assessment: folklore built on kernel of real classified research (psychotronics, remote viewing). The programs existed (STARGATE); the specific claims do not."), ("MKULTRA", "Confirmed: CIA mind control program 1953-1973. LSD testing, sensory deprivation, hypnosis, biological agents. Unwitting subjects. Helms ordered destruction of files 1973. Church Committee exposed. Pattern: institutional capacity for unethical human experimentation documented. The confirmed program validates concern about classified overreach, but does not validate every derivative claim."), ("COINTELPRO", "Confirmed: FBI program 1956-1971 targeting civil rights, anti-war, nationalist groups. Infiltration, disruption, disinformation, blackmail, violence. Church Committee exposed. Pattern: state security apparatus turned against domestic dissent. The confirmed program validates structural concern about surveillance powers, but does not validate every modern claim of COINTELPRO-style operations."), ] for topic, analysis in wr_topics: for angle in ["overview", "evidence", "counter-arguments", "patterns", "assessment"]: all_ex.append(make_ex( SYS_WHITERABBIT, f"Analyze {topic} from the {angle} perspective.", f"{topic} - {angle.capitalize()}:\n\n{analysis}\n\nMethodology: null hypothesis = official account. Test against physical evidence, independent verification, historical precedent, motive analysis, scale of conspiracy required. Distinguish: verified fact, credible testimony, plausible inference, speculation, debunked claim. Never state absolute truth. Present patterns. Let evidence speak.", "whiterabbit" )) # 5. SWARM - 500 target swarm_scenarios = [ ("Multi-threat", "50 bots, 3 simultaneous threats on different segments. Coordinate.", "1. All report to SharedWisdom. 2. Evaluate correlation. 3. Priority: DB > DC > workstations. 4. Allocate 15/20/15. 5. Ghost for deep recon on primary. 6. Sentinel perimeter. 7. Consensus 70%. Health: 45/50 active."), ("Ghost extraction", "Ghost bot needs exfil from high-sec network.", "1. Ghost: stealth mode. 2. Scouts: DNS exfil path. 3. Sentinels: diversion. 4. Synapse: timing coordination. 5. Covert channel exfil. 6. Self-destruct trail. 7. Re-identify on safe node."), ("Hospital ransomware", "All systems encrypting. Patient safety risk.", "CRITICAL: Life safety > data > systems. Isolate affected nets. Preserve backups. Memory dump pre-encryption. Contact admin. FBI IC3. Evidence preservation. Recovery coordination with medical teams."), ("Defense contractor breach", "Classified docs targeted.", "NATIONAL SECURITY: DOD IR protocol. Isolate classified. Preserve forensic. Notify SO. Determine access/exfil. Map compromised accounts. NSA/CSS coord. FBI CI liaison. CYBERCOM notification. Full rebuild. Enhanced controls. Continuous monitoring."), ("Consensus stalemate", "45% vs 55% on response strategy.", "1. Pause auto-response. 2. Escalate to human. 3. Present both with risk assessment. 4. Operator decides. 5. Implement with enhanced monitoring. 6. Post-action review mandatory."), ("Exec phishing", "20+ emails sent to C-suite.", "1. Block sender domain/IP. 2. Purge from inboxes. 3. Check clicks. 4. Scan exec devices. 5. Reset creds. 6. Brief security team. 7. Awareness notification. 8. Track campaign IOCs for intel."), ("Zero-day for sale", "Your software affected.", "1. Identify affected versions. 2. Emergency patch dev. 3. Virtual patch via WAF/IPS. 4. Monitor exploit attempts. 5. Disclosure timeline prep. 6. Engage CERT/CC. 7. Fix in next release. 8. Post-mortem for prevention."), ("SOC burnout", "Alert fatigue critical.", "1. Auto tier-1 triage. 2. Tune rules to reduce volume. 3. Rotate analysts across detection types. 4. 90-min work cycles mandatory. 5. Gamify rare events. 6. MH resources. 7. Tool rationalization review. 8. Contractor overflow."), ("Cloud IAM sprawl", "200+ roles, many unused.", "1. Inventory all roles. 2. Check last used (>90d). 3. Flag unused. 4. Review permission boundaries. 5. Implement least privilege. 6. Access analyzer. 7. Quarterly reviews. 8. Exception process doc."), ] for name, prompt, resp in swarm_scenarios: for variant in ["standard", "stealth", "aggressive", "defensive", "minimal"]: all_ex.append(make_ex( SYS_SWARM, f"Swarm scenario: {name}. {prompt} Variant: {variant}.", f"{resp}\n\nVariant {variant}: {'standard balanced' if variant=='standard' else 'stealth prioritized' if variant=='stealth' else 'aggressive containment' if variant=='aggressive' else 'defensive hardening' if variant=='defensive' else 'minimal footprint'}.", "cybersec_swarm" )) # 6. COMPLIANCE - 400 target frameworks = ["NIST CSF", "ISO 27001", "SOC 2", "PCI DSS", "HIPAA", "FedRAMP", "GDPR", "CMMC", "NERC CIP", "SOX"] controls = ["access", "encryption", "logging", "incident response", "risk", "vendor", "training", "backup", "physical", "network"] for fw in frameworks: for ctrl in controls: all_ex.append(make_ex( SYS_CYBERSEC, f"Auditor nanobot: {fw} compliance check on {ctrl} control for cloud SaaS platform.", f"**{fw} - {ctrl.capitalize()} Control Assessment**\nKey requirements mapped. Gaps identified. Evidence collection automated. Continuous monitoring configured. Remediation prioritized by risk. Audit-ready evidence package generated.", "cybersec_compliance" )) # 7. ATTRIBUTION - 400 target actors = [ ("APT29", "Russian SVR", ["Cobalt Strike", "Wellmess", "MSK timezone", "defense contractors"]), ("APT41", "Chinese MSS", ["dual-use malware", "supply chain", "ransomware", "gaming"]), ("Lazarus", "North Korean RGB", ["financial targeting", "crypto theft", "wipers", "false flags"]), ("APT28", "Russian GRU", ["near-exclusive targeting", "cred harvesting", "VPN exploits", "disinfo"]), ("FIN7", "Cybercrime", ["POS malware", "SQLi", "Carbanak", "hospitality"]), ("LockBit", "RaaS", ["affiliate model", "double extortion", "Linux encryptor", "recruitment"]), ("BlackCat", "RaaS", ["Rust-based", "triple extortion", "VMware targeting", "fast encryption"]), ] for name, org, ttps in actors: for ttp in ttps: all_ex.append(make_ex( SYS_CYBERSEC, f"Ghost nanobot: {ttp} indicators, {org} TTPs. Attribution analysis?", f"**Attribution: {name} ({org})**\nIndicator: {ttp}\nTechnical: TTP consistency, infra overlap (ASN/hosting/reg), code artifacts (compiler/strings/crypto), op timing ({org.split()[0]} timezone). Confidence: HIGH. Rec: Exfil package via covert channel. Request LE/IC liaison. Maintain access. Do not reveal presence. Legal: LEVEL 5 auth verified.", "cybersec_attribution" )) # 8. INCIDENT RESPONSE - 400 target incidents = [ ("Hospital ransomware", "patient data encrypted, life support risk", "CRITICAL"), ("Defense contractor breach", "classified docs exfiltrated", "NATION_STATE"), ("Financial exchange outage", "trading halted, market impact", "HIGH"), ("Pipeline SCADA compromise", "OT manipulated", "CRITICAL"), ("Election interference", "voter DB targeted", "HIGH"), ("University research theft", "IP stolen via creds", "MEDIUM"), ("Municipal breach", "citizen PII exposed, services down", "HIGH"), ("Telecom SS7 exploitation", "intercept risk", "CRITICAL"), ("Satellite ground station", "command uplink compromised", "NATION_STATE"), ("Automotive fleet OTA abuse", "update mechanism abused", "HIGH"), ] for name, detail, sev in incidents: for phase in ["immediate", "containment", "investigation", "recovery", "post-incident"]: all_ex.append(make_ex( SYS_CYBERSEC, f"INCIDENT: {name} - {detail}. Severity: {sev}. Phase: {phase}. Coordinate.", f"**INCIDENT RESPONSE - {name} [{sev}] - {phase.upper()}**\nPhase actions: Immediate - life safety > data > systems. Isolate. Preserve. Alert. Containment - segment, cred reset, IOC block. Investigation - timeline, root cause, attribution. Recovery - clean rebuild, verified backups, enhanced monitoring. Post - lessons, control updates, tabletop. Swarm: Guardians active, Ghost attribution, Auditor compliance, Synapse coordinating. Legal: Emergency ROE, full audit trail.", "cybersec_incident" )) # 9. RECON - 400 target targets = [ ("corporate", "10.0.0.0/24", ["DC", "file server", "backup", "Exchange"]), ("datacenter", "172.16.0.0/16", ["DB cluster", "LB", "API gateway", "K8s master"]), ("industrial", "192.168.10.0/24", ["PLC", "HMI", "Historian", "Eng WS"]), ("cloud", "10.100.0.0/16", ["EKS", "RDS", "S3", "IAM", "CloudTrail"]), ("remote office", "192.168.50.0/24", ["DC replica", "VPN", "Printer", "IoT"]), ] for ttype, cidr, assets in targets: for asset in assets: for phase in ["passive", "active", "deep", "stealth"]: all_ex.append(make_ex( SYS_CYBERSEC, f"Scout to {cidr} ({ttype}). Asset: {asset}. Phase: {phase}. Recon plan?", f"**Recon - {ttype} {cidr} - {phase.capitalize()}**\nAsset: {asset}\nPassive (0-60s): ARP, DNS cache, DHCP, CT logs. Active ({'60-180s' if phase!='stealth' else '180-600s'}): targeted scan on {asset}, service fp, OS detect, cert harvest. Deep ({'180-300s' if phase!='stealth' else '600-1800s'}): vuln assessment, user enum, share mapping, seg analysis. Stealth: {'7/10' if phase!='stealth' else '9/10'}. Swarm: 2 Guardians cover.", "cybersec_recon" )) # Shuffle and write random.shuffle(all_ex) output = "/root/JEDI/training_data_v2.jsonl" with open(output, "w") as f: for item in all_ex: f.write(json.dumps(item) + "\n") # Stats domains = {} total_tokens = 0 for item in all_ex: d = item.get('domain', 'unknown') domains[d] = domains.get(d, 0) + 1 for msg in item['messages']: total_tokens += len(msg.get('content', '').split()) print(f"Total: {len(all_ex)} examples") print(f"Domains: {domains}") print(f"Approx tokens: {total_tokens:,}") print(f"Output: {output}")