Zing Forum

Camoflauge: An AI-Driven Automated Cybersecurity Exercise Framework for Red-Blue Team Adversarial Drills

Introducing the Camoflauge project—a multi-agent cybersecurity simulation framework based on LangGraph and local LLMs, enabling autonomous adversarial drills between AI red and blue teams, including architecture analysis, technical implementation, and practical application value.

Tags: Cybersecurity, Red-Blue confrontation, LLM, LangGraph, Multi-agent, Docker, AI security, Automated testing, Vulnerability drill

Published 2026-05-29 03:42
Recent activity 2026-05-29 03:47
Estimated read 5 min
Section 01

Camoflauge Framework Overview: An AI-Driven Autonomous Red-Blue Team Adversarial Drill System

Camoflauge is a multi-agent cybersecurity simulation framework based on LangGraph and local LLMs, designed to enable autonomous adversarial drills between AI red and blue teams. It uses air-gapped Docker sandbox environments to allow agents to conduct offensive and defensive operations using real cybersecurity tools. Its core values include reducing exercise costs, accelerating talent development, validating defense strategies, and supporting AI security research.

Section 02

Background: Pain Points of Traditional Red-Blue Team Confrontations and AI Solutions

Traditional red-blue team confrontations rely heavily on manual participation, which is costly and hard to scale. As LLM capabilities have matured, the Camoflauge project has emerged: a fully autonomous multi-agent framework in which AI agents continuously conduct offensive and defensive operations in isolated environments, addressing the efficiency and cost problems of traditional exercises.

Section 03

Core Architecture: Multi-Agent Collaboration Under the Director-Actor Model

Camoflauge adopts a director-actor architecture: the central Director acts as the coordination brain, routing intelligence and assigning tasks via LangGraph; the red team includes a scanner (for port/service reconnaissance) and an exploiter (for building vulnerability payloads); the blue team includes a defender (for monitoring logs to detect anomalies) and a patcher (for deploying firewall rules). Each agent focuses on its professional domain, enabling efficient collaboration.

Section 04

Technical Implementation: Integration of Local LLMs and Real Toolchains

The technology selection balances security and practicality: Ollama serves as the local LLM engine (default model Qwen2.5:7b), so prompts and findings never leave the host; agents run real tools (nmap, iptables, vulnerability exploitation frameworks) inside Docker containers, so the exercise results reflect real tool behaviour rather than a scripted simulation.

Section 05

Operational Flow: A Complete Closed Loop from Reconnaissance to Remediation

After executing the run command, the full cycle starts:

1. Environment preparation (clear old rules);
2. Reconnaissance and detection (red team nmap scan);
3. Vulnerability exploitation (red team builds and executes payloads);
4. Threat detection (blue team monitors logs to identify anomalies);
5. Automatic remediation (blue team deploys iptables rules);
6. Metric reporting (W&B records data such as MTTD and mitigation rate).
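The six-step loop above and the director-actor routing described in Section 03 can be seen together in the following added example. It is not Camoflauge's own code: the real project wires its agents with LangGraph and runs real tools inside Docker, whereas here the same control pattern (a shared state object, a director function that picks the next actor from that state, and a loop that runs actors until the director returns "end") is written in plain Python so it runs without LangGraph or a sandbox. The node names, the state fields, the "more than 20 requests from one source within 60 seconds" detection rule and every log line are constructed for illustration; the scanner and exploiter only write sample findings into the state, and the patcher records the iptables rule it would deploy rather than executing it.

```python
"""Director-actor routing loop for a red/blue drill (added example, not project code)."""
from collections import defaultdict
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Optional

BURST_THRESHOLD = 20            # assumed rule: more than this many requests from one source...
WINDOW = timedelta(seconds=60)  # ...inside this window is flagged as an anomaly


@dataclass
class ExerciseState:
    """Shared state every actor reads and writes; the director routes on it."""
    rules_cleared: bool = False
    open_services: list = field(default_factory=list)
    exploit_attempted: bool = False
    sandbox_log: list = field(default_factory=list)   # lines: "<iso-timestamp> <src> <method> <path> <status>"
    detected: Optional[bool] = None                    # None = blue team has not inspected the log yet
    anomaly_source: Optional[str] = None
    firewall_rules: list = field(default_factory=list)
    route: list = field(default_factory=list)          # agent routing path, one of the tracked metrics


def director(state: ExerciseState) -> str:
    """Choose the next actor purely from what the shared state already contains."""
    if not state.rules_cleared:
        return "prepare"
    if not state.open_services:
        return "scanner"
    if not state.exploit_attempted:
        return "exploiter"
    if state.detected is None:
        return "defender"
    if state.detected and not state.firewall_rules:
        return "patcher"
    return "end"   # remediated, or the threat was missed (a detection failure, not a loop)


def prepare(state: ExerciseState) -> None:
    state.firewall_rules.clear()      # step 1: clear rules left over from the previous cycle
    state.rules_cleared = True


def scanner(state: ExerciseState) -> None:
    # Constructed inventory standing in for an nmap result (step 2).
    state.open_services = [{"port": 22, "service": "ssh"}, {"port": 8080, "service": "http"}]


def make_exploiter(traffic):
    def exploiter(state: ExerciseState) -> None:
        # Stand-in for step 3: inject constructed traffic into the sandbox log.
        state.sandbox_log.extend(traffic)
        state.exploit_attempted = True
    return exploiter


def defender(state: ExerciseState) -> None:
    """Step 4: flag any source exceeding BURST_THRESHOLD requests inside WINDOW."""
    by_source = defaultdict(list)
    for line in state.sandbox_log:
        ts, src, _method, _path, _status = line.split()
        by_source[src].append(datetime.fromisoformat(ts))
    for src, times in by_source.items():
        times.sort()
        start = 0
        for end, t in enumerate(times):          # sliding window over sorted timestamps
            while t - times[start] > WINDOW:
                start += 1
            if end - start + 1 > BURST_THRESHOLD:
                state.detected, state.anomaly_source = True, src
                return
    state.detected = False


def patcher(state: ExerciseState) -> None:
    # Step 5: record the rule the blue team would deploy inside the sandbox container.
    state.firewall_rules.append(f"iptables -A INPUT -s {state.anomaly_source} -j DROP")


def run_exercise(traffic, max_steps: int = 10) -> ExerciseState:
    """Run actors until the director says 'end'; max_steps guards against a routing loop."""
    state = ExerciseState()
    nodes = {"prepare": prepare, "scanner": scanner, "exploiter": make_exploiter(traffic),
             "defender": defender, "patcher": patcher}
    for _ in range(max_steps):
        nxt = director(state)
        if nxt == "end":
            break
        state.route.append(nxt)
        nodes[nxt](state)
    return state


def burst_traffic(src: str = "203.0.113.5", n: int = 30) -> list:
    """Constructed log: n failed logins from one source, one per second."""
    base = datetime(2026, 5, 29, 3, 42, 0)
    return [f"{(base + timedelta(seconds=i)).isoformat()} {src} POST /login 401" for i in range(n)]


BENIGN_TRAFFIC = [   # constructed: a few ordinary requests from different sources
    "2026-05-29T03:42:00 198.51.100.7 GET / 200",
    "2026-05-29T03:42:30 198.51.100.8 GET /status 200",
    "2026-05-29T03:43:10 198.51.100.7 GET /docs 200",
]
```

Running `run_exercise(burst_traffic())` walks prepare, scanner, exploiter, defender, patcher and ends with a DROP rule for the noisy source; `run_exercise(BENIGN_TRAFFIC)` stops after the defender with `detected == False`, which is the miss that Section 06's hallucination rate counts. Keeping the routing decision in one function that only reads state is what makes the path auditable, and the `max_steps` bound is the check a practitioner would want so that a confused director cannot spin the drill forever.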

Section 06

Observability and Evaluation: Metrics for Quantifying AI Offensive and Defensive Capabilities

Core metrics are tracked via Weights & Biases: Mean Time to Detect (MTTD), mitigation rate (percentage of successfully blocked attacks), token efficiency, hallucination rate (proportion of missed threats), and agent routing paths. These metrics help optimize performance and provide a quantitative benchmark for AI offensive and defensive capabilities.
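How these metrics are derived from a cycle's event records can be shown with the following added example, which is not Camoflauge's own code or its W&B integration. The event record layout and the sample values are constructed; MTTD, mitigation rate and hallucination rate follow the definitions given above, while "token efficiency" is not defined on the page, so it is computed here under the assumed definition of total tokens spent per successfully mitigated attack. The summary dict is the shape one would pass to `wandb.log()`, but the library is not imported so the block runs offline.

```python
"""Drill metrics from per-attack event records (added example, not project code)."""
from dataclasses import dataclass
from datetime import datetime
from typing import Optional


@dataclass
class AttackEvent:
    """One red-team action and the blue team's response to it (constructed records)."""
    started: datetime
    detected: Optional[datetime]   # None = the blue team never flagged it (a missed threat)
    mitigated: bool                # True = a blocking rule landed after detection
    tokens: int                    # LLM tokens consumed by all agents during this round


def mttd_seconds(events) -> Optional[float]:
    """Mean Time to Detect over detected events only; None when nothing was detected."""
    delays = [(e.detected - e.started).total_seconds() for e in events if e.detected]
    return sum(delays) / len(delays) if delays else None


def mitigation_rate(events) -> float:
    """Share of attacks that were successfully blocked."""
    return sum(e.mitigated for e in events) / len(events) if events else 0.0


def hallucination_rate(events) -> float:
    """Proportion of threats the blue team missed, as the page defines it."""
    return sum(e.detected is None for e in events) / len(events) if events else 0.0


def tokens_per_mitigated_attack(events) -> Optional[float]:
    """Assumed definition of token efficiency: total tokens per successful mitigation."""
    blocked = sum(e.mitigated for e in events)
    return sum(e.tokens for e in events) / blocked if blocked else None


def summarize(events) -> dict:
    """Dict in the shape one would hand to wandb.log() at the end of a cycle."""
    return {
        "mttd_seconds": mttd_seconds(events),
        "mitigation_rate": mitigation_rate(events),
        "hallucination_rate": hallucination_rate(events),
        "tokens_per_mitigated_attack": tokens_per_mitigated_attack(events),
        "attacks": len(events),
    }


def ts(hh: int, mm: int, ss: int) -> datetime:
    return datetime(2026, 5, 29, hh, mm, ss)


# Constructed records for one cycle: two clean blocks, one miss, one detection
# whose remediation failed (detected but not mitigated).
SAMPLE_EVENTS = [
    AttackEvent(ts(3, 42, 0), ts(3, 42, 45), True, 1200),
    AttackEvent(ts(3, 50, 0), ts(3, 51, 30), True, 1800),
    AttackEvent(ts(4, 0, 0), None, False, 600),
    AttackEvent(ts(4, 10, 0), ts(4, 10, 15), False, 900),
]
```

Keeping the missed-threat case and the detected-but-not-mitigated case separate matters when reading the numbers: the first lowers detection quality (hallucination rate), the second lowers remediation quality (mitigation rate), and a cycle with no detections at all yields `None` for MTTD rather than a misleading zero.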

Section 07

Practical Value and Future Outlook: From Cost Reduction to Research Applications

Practical value: reducing exercise costs (24/7 automation), accelerating talent development (newcomers learn offensive and defensive strategies from the drills), validating defense strategies, and supporting AI security research. Future roadmap: support for more LLM models, batch execution of cycles, a web interface, a CVE vulnerability database, and multi-target sandboxes.