copyleftdev · copyleftdev · Aug 6, 2025 · Aug 6, 2025
diff --git a/examples/cybersecurity/apt-simulation.sigmos b/examples/cybersecurity/apt-simulation.sigmos
@@ -0,0 +1,73 @@
+spec "APTSimulation" v3.2 {
+  description: "Advanced Persistent Threat simulation platform for expert red team operations with AI-enhanced multi-stage attack campaigns."
+
+  inputs:
+    campaign_id: string
+    threat_actor: string { default: "custom" }
+    organization_type: string
+    target_size: string
+    security_maturity: string { default: "intermediate" }
+    geographic_region: string
+    campaign_duration: int { default: 90 }
+    stealth_level: string { default: "stealthy" }
+
+    infrastructure_domains: string
+    infrastructure_servers: string
+    infrastructure_redirectors: string
+    c2_protocols: string
+
+    reconnaissance_scope: string
+    social_engineering_enabled: bool { default: true }
+    technical_attacks_enabled: bool { default: true }
+    physical_attacks_enabled: bool { default: false }
+
+    ai_models: string
+    threat_intel_feeds: string
+    evasion_techniques: string
+
+    compliance_mode: bool { default: true }
+    logging_level: string { default: "detailed" }
+    audit_trail: bool { default: true }
+
+  computed:
+    campaign_start_time: -> now()
+    estimated_duration: -> campaign_duration
+    risk_score: -> calculate_risk_score()
+
+  events:
+    on_create(campaign): initialize_campaign
+    on_change(stealth_level): adjust_tactics
+    on_error(detection): execute_evasion
+
+  actions:
+    initialize_campaign {
+      description: "Initialize campaign infrastructure and settings"
+      mcp_call: "campaign/init"
+      parameters: {
+        campaign_id: campaign_id,
+        threat_actor: threat_actor,
+        organization_type: organization_type,
+        target_size: target_size,
+        security_maturity: security_maturity,
+        geographic_region: geographic_region,
+        campaign_duration: campaign_duration,
+        stealth_level: stealth_level
+      }
+    }
+
+    adjust_tactics {
+      description: "Adjust tactics based on stealth level"
+      mcp_call: "tactics/adjust"
+      parameters: {
+        stealth_level: stealth_level
+      }
+    }
+
+    execute_evasion {
+      description: "Execute evasion techniques"
+      mcp_call: "evasion/execute"
+      parameters: {
+        evasion_techniques: evasion_techniques
+      }
+    }
+}
diff --git a/examples/cybersecurity/c2-infrastructure.sigmos b/examples/cybersecurity/c2-infrastructure.sigmos
@@ -0,0 +1,70 @@
+spec "C2InfrastructureManagement" v4.2 {
+  description: "Advanced command and control infrastructure management with AI-powered traffic analysis and dynamic scaling for expert red team operations."
+
+  inputs:
+    infrastructure_id: string
+    deployment_region: string { default: "global" }
+    server_count: int { default: 3 }
+    protocol_type: string { default: "https" }
+    stealth_level: string { default: "high" }
+
+    domain_fronting: bool { default: true }
+    traffic_shaping: bool { default: true }
+    load_balancing: bool { default: true }
+    failover_enabled: bool { default: true }
+
+    encryption_method: string { default: "aes256" }
+    authentication_required: bool { default: true }
+    session_management: bool { default: true }
+    heartbeat_interval: int { default: 300 }
+
+    ai_models: string
+    monitoring_tools: string
+    evasion_techniques: string
+
+    compliance_mode: bool { default: true }
+    operational_security: bool { default: true }
+    logging_level: string { default: "operational" }
+    audit_trail: bool { default: true }
+
+  computed:
+    infrastructure_start_time: -> now()
+    server_health_score: -> calculate_health()
+    traffic_analysis_score: -> analyze_traffic()
+
+  events:
+    on_create(infrastructure): initialize_c2_infrastructure
+    on_change(server_count): scale_infrastructure
+    on_error(server_failure): handle_failover
+
+  actions:
+    initialize_c2_infrastructure {
+      description: "Initialize C2 infrastructure deployment"
+      mcp_call: "c2/initialize"
+      parameters: {
+        infrastructure_id: infrastructure_id,
+        deployment_region: deployment_region,
+        server_count: server_count,
+        protocol_type: protocol_type,
+        stealth_level: stealth_level
+      }
+    }
+
+    scale_infrastructure {
+      description: "Scale infrastructure based on demand"
+      mcp_call: "c2/scale"
+      parameters: {
+        server_count: server_count,
+        infrastructure_id: infrastructure_id
+      }
+    }
+
+    handle_failover {
+      description: "Handle server failures and failover procedures"
+      mcp_call: "c2/failover"
+      parameters: {
+        infrastructure_id: infrastructure_id,
+        failover_enabled: failover_enabled
+      }
+    }
+}
diff --git a/examples/cybersecurity/data-exfiltration.sigmos b/examples/cybersecurity/data-exfiltration.sigmos
@@ -0,0 +1,70 @@
+spec "DataExfiltrationFramework" v3.8 {
+  description: "Advanced data exfiltration framework with AI-powered data classification and multi-vector steganographic channels for expert red team operations."
+
+  inputs:
+    exfiltration_id: string
+    target_data_types: string { default: "sensitive" }
+    data_volume_limit: int { default: 1000 }
+    stealth_level: string { default: "maximum" }
+    exfiltration_method: string { default: "steganography" }
+
+    data_classification: bool { default: true }
+    encryption_enabled: bool { default: true }
+    compression_enabled: bool { default: true }
+    obfuscation_enabled: bool { default: true }
+
+    bandwidth_throttling: bool { default: true }
+    timing_randomization: bool { default: true }
+    multi_channel_enabled: bool { default: true }
+    detection_avoidance: bool { default: true }
+
+    ai_models: string
+    steganography_tools: string
+    encryption_methods: string
+
+    compliance_mode: bool { default: true }
+    data_retention_limit: int { default: 30 }
+    logging_level: string { default: "operational" }
+    audit_trail: bool { default: true }
+
+  computed:
+    exfiltration_start_time: -> now()
+    data_classification_score: -> classify_data()
+    stealth_effectiveness: -> calculate_stealth()
+
+  events:
+    on_create(exfiltration): initialize_data_exfiltration
+    on_change(data_volume_limit): adjust_exfiltration_scope
+    on_error(detection): execute_emergency_cleanup
+
+  actions:
+    initialize_data_exfiltration {
+      description: "Initialize data exfiltration operation"
+      mcp_call: "exfiltration/initialize"
+      parameters: {
+        exfiltration_id: exfiltration_id,
+        target_data_types: target_data_types,
+        data_volume_limit: data_volume_limit,
+        stealth_level: stealth_level,
+        exfiltration_method: exfiltration_method
+      }
+    }
+
+    adjust_exfiltration_scope {
+      description: "Adjust exfiltration scope based on volume limits"
+      mcp_call: "exfiltration/adjust_scope"
+      parameters: {
+        data_volume_limit: data_volume_limit,
+        exfiltration_id: exfiltration_id
+      }
+    }
+
+    execute_emergency_cleanup {
+      description: "Execute emergency cleanup procedures"
+      mcp_call: "exfiltration/emergency_cleanup"
+      parameters: {
+        exfiltration_id: exfiltration_id,
+        cleanup_level: "comprehensive"
+      }
+    }
+}