
bmad-cybersec

v4.7.0

Published

Production-ready BMAD security and automation framework with comprehensive validation, authentication, and audit capabilities

Downloads

1,532

Readme

BMAD CYBERSEC 🔐

Production-Ready AI Cybersecurity Operations Framework

🛡️ Enterprise Security Operations · 🕵️ Intelligence Operations · ⚖️ Legal Operations · 🎯 Strategic Planning

Version: 2.3.0 · Node.js 20+ · TypeScript · ES Module

🤖 LLM Provider Support

Claude · OpenAI · Ollama · LM Studio · GLM · Kimi · vLLM · Groq

MIT License · Production Ready

🛡️ Security & Compliance

TPI-CrowdStrike · OWASP LLM 95/100 · OWASP Top 10 · OWASP API Top 10 · ASVS v4.0 · SOC 2 Ready · GDPR Compliant · ISO 27001 · NIST 800-53 · PCI-DSS · HIPAA · FedRAMP · CMMC

✅ Testing & Quality

7,117+ Tests · 208 Test Files · Zero Regressions

Quick Start · Features · Security · Documentation · Changelog


🧠 What is BMAD CYBERSEC?

BMAD CYBERSEC is a production-ready multi-agent operations framework that brings together specialized AI teams for cybersecurity operations, intelligence gathering, legal counsel, and strategic planning. Each agent has deep domain expertise and can collaborate through orchestrated workflows.

Abdul, the Master Project Manager, orchestrates all operations — routing requests to the right specialists and coordinating multi-team workflows.

You → Abdul → Right Team → Expert Agent(s) → Results

🚀 Quick Start

Install via NPX (Recommended)

npx bmad-cybersec install

Or Clone Repository

git clone https://github.com/SchenLong/BMAD-CYBERSEC.git
cd BMAD-CYBERSEC && git checkout BMAD-CYBEROPS-RP

Launch

claude-code /agents/abdul

That's it. Abdul will guide you from there.


📦 Modules Overview

BMAD CYBERSEC consists of two distinct product families:

🎯 CYBERSEC Modules

Purpose-built security operations framework — hardened, compliance-focused, and designed for professional cybersecurity workflows.

| Module | Agents | Workflows | Focus |
|---------|--------|-----------|-------|
| Cybersecurity Team | 15 | 13 | Penetration testing, incident response, threat modeling, compliance audits |
| Intelligence Team | 11 | 19 | OSINT, threat actor profiling, dark web research, attribution |
| Legal Team | 13 | 7 | Contract review, corporate formation, cross-border matters |
| Strategy Team | 14 | 16 | Executive decisions, board prep, crisis response, M&A due diligence |

🎨 BMAD-METHOD Modules

Original framework for software development and innovation — versatile, creative, and designed for general business operations.

| Module | Workflows | Focus |
|---------|-----------|-------|
| BMM (BMAD Method) | 35 | Software development, requirements analysis, architecture |
| BMB (Module Builder) | 1 | Agent, module, and workflow architecture |
| BMGD (Game Development) | 36 | Game design, development pipelines |
| CIS (Creative Innovation) | 4 | Brainstorming, design thinking, innovation |
| Core | 23 | Project management, orchestration, templates |


✨ Features

🛡️ CYBERSEC Features

🔒 Security-First Architecture

  • OWASP AI Security compliance — 95/100 score
  • TPI-CrowdStrike compliant — 6 epics covering all prompt injection vectors
  • 139+ production validators across all attack vectors
  • Prompt injection defense with 35+ detection patterns
  • Rate limiting with sliding window algorithm
  • PII/GDPR detection with Luhn/IBAN validation
  • Tamper-evident audit logging with SHA256 hash chains
  • RBAC with deny-by-default policy

📜 Compliance Framework Support (20+)

  • US: NIST 800-53, SOC 2, PCI-DSS, HIPAA, FedRAMP, CMMC
  • EU: GDPR, NIS2, Cyber Resilience Act, DORA, AI Act
  • Global: ISO 27001/27017/27018, CIS Controls, CSA STAR
  • Industry: SWIFT CSP, NERC CIP, TISAX

🔧 Security Workflows

  • Incident Response Playbook (19-step automated response)
  • Security Architecture Review
  • STRIDE Threat Modeling
  • Compliance Audit Preparation
  • Virtual CISO Consulting
  • Blockchain/Mobile/Web App Security Testing
  • Network/Infrastructure/Cloud Security Assessment
  • Vulnerability Management (full lifecycle)

🎨 BMAD-METHOD Features

💻 Software Development

  • Requirements analysis and PRD generation
  • Architecture design and tech specifications
  • Sprint planning and story management
  • Code review (ADVERSARIAL style)
  • Test-first development with ATDD support

💡 Creative & Innovation

  • Brainstorming facilitation
  • Design thinking workshops
  • Storytelling and presentation mastery
  • Creative problem-solving

🔧 Module Building

  • Custom agent creation
  • Workflow builder
  • Module architecture system

🎮 Game Development

  • Game design documents (GDD)
  • Game brief creation
  • QA and testing workflows
  • Performance testing

⚡ Platform Features

🤖 Multi-Agent Orchestration

  • Abdul coordinates specialists across teams
  • Party Mode — spawn multiple agents working in parallel
  • Cross-module workflows

👨‍💻 Developer Experience

  • 201 production workflows
  • Direct slash commands — /workflow-name (112 aliases)
  • AI-powered help — /bmad-help for interactive discovery
  • Multi-LLM support (Claude, OpenAI, Groq, Ollama, LM Studio, vLLM)

✅ Quality Assurance

  • 2,938+ tests passing across 351 test files
  • Zero regressions
  • CI/CD pipelines with automated testing
  • Performance benchmarking

📋 Compliance Framework

BMAD CYBERSEC aligns with 20+ global security standards and compliance frameworks:

🇺🇸 United States Regulations

| Standard | Status | Coverage |
|----------|--------|----------|
| NIST 800-53 | ✅ Compliant | All control families (AC, AU, SC, SI, etc.) |
| SOC 2 Type II | ✅ Ready | Trust Services Criteria (Security, Availability, Confidentiality) |
| PCI-DSS 4.0 | ✅ Compliant | All 12 requirement domains |
| HIPAA | ✅ Ready | Privacy, Security, and Breach Notification Rules |
| FedRAMP | ✅ Ready | Low, Moderate, and High Impact Levels |
| CMMC 2.0 | ✅ Ready | Levels 1-3 (Basic, Advanced, Expert) |

🇪🇺 European Regulations

| Standard | Status | Coverage |
|----------|--------|----------|
| GDPR | ✅ Compliant | Articles 25, 32, 33 (Data Protection by Design/Default) |
| NIS2 | ✅ Ready | Network and Information Security Directive |
| DORA | ✅ Ready | Digital Operational Resilience Act |
| EU AI Act | ✅ Ready | High-risk AI systems compliance |

🌍 Global Standards

| Standard | Status | Coverage |
|----------|--------|----------|
| ISO 27001 | ✅ Compliant | ISMS controls and Annex A controls |
| ISO 27017 | ✅ Ready | Cloud security controls |
| ISO 27018 | ✅ Ready | PII protection in cloud |
| CIS Controls v8 | ✅ Ready | All 8 Implementation Groups |
| CSA STAR | ✅ Ready | Cloud Controls Matrix (CCM) |

🏭 Industry-Specific Standards

| Standard | Industry | Status |
|----------|----------|--------|
| SWIFT CSP | Financial Services | ✅ Ready |
| NERC CIP | Energy/Utilities | ✅ Ready |
| TISAX | Automotive | ✅ Ready |

🎯 OWASP Alignment

| Standard | Score | Coverage |
|----------|-------|----------|
| OWASP LLM Top 10 | 95/100 | All 10 vulnerability categories |
| OWASP API Top 10 | ✅ Compliant | Full coverage |
| OWASP Top 10 (2021) | ✅ Compliant | Full coverage |
| ASVS v4.0 | ✅ Ready | Application Security Verification Standard |

🛡️ TPI-CrowdStrike Taxonomy

Prompt Injection Defense — Fully compliant with CrowdStrike's 2026 Taxonomy

  • ✅ 6 epics covering all prompt injection vectors
  • ✅ 35+ detection patterns
  • ✅ 540+ automated tests
  • ✅ 14 identified gaps (G1-G14) closed

🛡️ Security Features

| Category | Feature | Status |
|----------|----------|--------|
| Prompt Injection | 35+ detection patterns | ✅ Protected |
| | Jailbreak prevention (28 patterns) | ✅ Protected |
| | TPI-CrowdStrike taxonomy coverage | ✅ Compliant |
| Output Security | Command injection prevention | ✅ Protected |
| | Path traversal blocking | ✅ Protected |
| | ANSI escape sanitization | ✅ Protected |
| Rate Limiting | Sliding window algorithm | ✅ Active |
| | Per-operation limits (Bash:60, Write:100, Read:400, Task:40) | ✅ Active |
| PII Protection | 65+ secret pattern detection | ✅ Active |
| | GDPR compliance module | ✅ Active |
| | Luhn/IBAN validation | ✅ Active |
| Supply Chain | SHA256+GPG verification | ✅ Active |
| | Ed25519 artifact signing | ✅ Active |
| | npm audit integration | ✅ Active |
| Access Control | RBAC with deny-by-default | ✅ Active |
| | Token-based authentication | ✅ Active |
| | 9 roles, 80+ agents mapped | ✅ Active |
| Audit Logging | Tamper-evident hash chains | ✅ Active |
| | SIEM integration (Splunk/ELK) | ✅ Ready |
| | Category-based retention (7yr/3yr/1yr/90d) | ✅ Active |
| Resource Protection | Context window limits (75% warn, 95% block) | ✅ Active |
| | Recursion depth limits | ✅ Active |
| | Fork bomb detection | ✅ Active |


👥 Specialized Teams

🛡️ Cybersecurity

15 specialists covering the full security lifecycle

  • Bastion — Security Architect
  • Cipher — Threat Intelligence Lead
  • Ghost — Penetration Tester
  • Phoenix — Incident Commander
  • Sentinel — Compliance Guardian
  • Trace — Forensic Investigator
  • Watchman — SOC Analyst
  • Nimbus — Cloud Security Specialist
  • Ledger — Blockchain Security Expert
  • Weaver — Web Application Security Expert
  • Gateway — API Security Expert
  • Oracle — LLM/AI Security Expert
  • Shield — Blue Team Lead
  • Phantom — Mobile Security Expert
  • Specter — Social Engineer

🕵️ Intelligence

11 analysts for comprehensive OSINT operations

  • OSINT Lead — Intelligence Operations
  • Corporate Intel Specialist — Business intelligence
  • Dark Web Analyst — Underground monitoring
  • Domain Intel Specialist — Network intelligence
  • Geospatial Analyst — Location-based intel
  • HUMINT Specialist — Human intelligence
  • Signal Intelligence Specialist — SIGINT operations
  • Social Media Analyst — Social monitoring
  • Technical Researcher — Technical intelligence
  • Threat Actor Profiler — Actor analysis
  • Field Operative — Ground operations

⚖️ Legal

13 attorneys covering multiple jurisdictions

  • General Counsel — Legal oversight
  • US Counsel — American law (Liberty)
  • EU Counsel — European law (Europa)
  • Spain Corporate Counsel — Spanish corporate law (Castile)
  • Spain Labor Law Counsel — Spanish employment law (Gremio)
  • Spain Civil Law Counsel — Spanish civil law (Iberia)
  • Estonia Corporate Counsel — Baltic corporate law
  • IP Counsel — Intellectual property (Insignia)
  • Real Estate Counsel — Property law (Deed)
  • Tax Counsel — Cross-jurisdictional tax (Tribute)
  • Contract Specialist — Contracts (Covenant)
  • Corporate Governance Counsel — Governance (Charter)
  • Litigation Strategist — Dispute resolution (Advocate)

🎯 Strategy

14 advisors for executive decision-making

  • The Master Strategist — Strategic leadership
  • The Realist — Practical analysis
  • The Conservative — Risk-averse perspective
  • The Revolutionary — Disruptive innovation
  • The Principled Commander — Values-based leadership
  • The Strategist Warrior — Competitive strategy
  • The Liberator — Change management
  • The Technocrat — Technology strategy
  • The Political Strategist — Political analysis
  • Policy Analyst — Policy development
  • Ethics Advisor — Ethical guidance
  • Stakeholder Mediator — Conflict resolution
  • Communications Director — Messaging strategy
  • Debate Coach — Argumentation skills

📚 Documentation

| Guide | Description |
|-------|-------------|
| Getting Started | Full setup and first workflow |
| Agents Reference | All agents by team with capabilities |
| Slash Command Reference | Direct invocation guide (112 aliases) |
| Workflows Reference | All 200+ workflows documented |
| Security Overview | Security architecture and hardening |
| Security Advanced Topics | Audit logs, chain of custody, RBAC operations |
| Troubleshooting | Common issues and solutions |
| FAQ | Frequently asked questions |
| Configuration Guide | System configuration options |
| RBAC Roles Guide | Role-based access control |

Documentation Index

User Guides (Docs/02-user-guides/)

  • Getting Started, Agents Reference, Slash Commands, Workflows Reference
  • Security Overview, Troubleshooting, FAQ
  • Configuration, RBAC Roles, Party Mode

Advanced Topics (Docs/02-user-guides/Advanced/)

  • Custom Agent Creation, Custom Workflow Creation
  • Custom Party Presets, LLM Provider Advanced

Security (Docs/02-user-guides/Security/)

  • Audit Log Guide, Chain of Custody
  • RBAC Operations Guide, Token Management Guide
  • Security Maintenance Checklist

Reference (Docs/06-reference/)

  • Agent specifications, workflow definitions
  • Security implementation details

📝 Changelog

v2.3.0 (2026-02-13)

🛡️ TPI-CrowdStrike Prompt Injection Taxonomy

  • Complete prompt injection defense with 6 epics, ~540 tests
  • Closes all 14 identified gaps (G1-G14)

✅ OWASP Compliance Testing Framework

  • Complete OWASP security testing: Top 10, API Top 10, LLM Top 10, ASVS v4.0
  • 6 epics, 24 stories, 113 unique test IDs, 404 test functions

🔄 V6 Alignment and Phase 2 Upgrade

  • Testing infrastructure modernization
  • CLI modernization with @clack/prompts migration
  • 7,117+ tests passing across 208 files

View Full Changelog

v2.2.0 (2026-02-09)

Hybrid v6 Upgrade

  • Cherry-picked best features from BMAD v6 while preserving security infrastructure

AI-Powered Help

  • /bmad-help interactive command for discovering modules, agents, workflows
  • Natural language search with 4-tier fuzzy matching

Node.js 20 Upgrade

  • Minimum Node.js version updated to 20.0.0
  • Verified crypto compatibility across all APIs

Slash Command Invocation

  • 112 unique aliases mapped to 200+ workflows
  • RBAC enforcement and audit trail integration

Security Enhancements

  • Path sanitization hardening (6 bypass vector protections)
  • YAML CRLF normalization
  • Cross-file reference validation
  • Settings.json SPOF protection

Testing

  • 2,938+ tests passing across 351 test files
  • Zero regressions

v2.0.0 (2026-01-31)

Multi-Agent Architecture

  • 4 specialized teams with 53 AI agents
  • 55 workflows with step-by-step execution
  • Abdul Master Project Manager for cross-team orchestration

Testing Framework

  • 232 test suites (unit, integration, e2e)
  • Performance testing with 8.5x improvement
  • Enterprise security testing framework

CI/CD Pipeline

  • 4 automated GitHub Actions workflows
  • Continuous testing, extraction QA, quality gate, release automation

View Full Changelog


⚙️ Requirements


📊 Key Statistics

| Metric | Value |
|--------|-------|
| Total Agents | 81+ |
| Total Workflows | 201+ |
| CYBERSEC Agents | 53 |
| BMAD-METHOD Workflows | 99+ |
| Security Validators | 139+ |
| Test Files | 351 |
| Passing Tests | 2,938+ |
| Compliance Frameworks | 20+ |
| OWASP LLM Score | 95/100 |
| TPI-CrowdStrike | Compliant |


📜 License

MIT — BMAD-CYBERSEC A BlackUnicorn Open Source Project 🦄


Built with BMAD-METHOD

BMAD CYBERSEC extends the BMAD-METHOD framework with specialized cybersecurity operations, intelligence gathering, legal counsel, and strategic planning capabilities while maintaining full compatibility with the original development, creative, and business workflows.

⭐ Star us on GitHub — Join the BlackUnicorn community!