Bolt

Bolt provides access to 100+ Kali Linux security tools through a remote MCP server running in a Docker container. It features Ed25519 authentication and optional port knocking for secure remote access.

Why Bolt?

Bolt solves the problem of running security tools that require a Linux environment. Instead of installing dozens of tools locally, Bolt runs them in an isolated Docker container.

| Feature | Without Bolt | With Bolt |
| --- | --- | --- |
| Tool Installation | Manual for each tool | Pre-installed |
| Platform Support | Linux only for most tools | Any platform with Docker |
| Isolation | Tools run on your system | Sandboxed in container |
| Setup Time | Hours | Minutes |
| Updates | Manual | docker pull |

Architecture

flowchart TB
    subgraph Client["Cyberstrike CLI"]
        Agent[AI Agent]
        MCPClient[MCP Client]
        Auth[Ed25519 Auth]
    end
    subgraph Network["Network Layer"]
        HTTP[HTTP/MCP Transport]
        Knock[Port Knocking]
    end
    subgraph Bolt["Bolt Container"]
        Server[HTTP Server]
        Session[Session Manager]
        Registry[Tool Registry]
        Executor[Tool Executor]
    end
    subgraph Kali["Kali Tools"]
        Recon[Reconnaissance]
        Web[Web Application]
        AD[Active Directory]
        Pass[Password Attacks]
    end
    Agent --> MCPClient
    MCPClient --> Auth
    Auth --> Knock
    Knock --> HTTP
    HTTP --> Server
    Server --> Session
    Session --> Registry
    Registry --> Executor
    Executor --> Recon
    Executor --> Web
    Executor --> AD
    Executor --> Pass
    style Client fill:#3b82f6,color:#fff
    style Network fill:#8b5cf6,color:#fff
    style Bolt fill:#10b981,color:#fff
    style Kali fill:#f59e0b,color:#fff

Component Details

| Component | Description |
| --- | --- |
| MCP Client | Handles JSON-RPC communication with Bolt |
| Ed25519 Auth | Asymmetric key authentication for secure access |
| Port Knocking | Optional SPA to hide server from port scans |
| Session Manager | Per-client registry isolation |
| Tool Registry | Dynamic tool loading system |
| Tool Executor | Spawns Kali tool processes |

Quick Start

1. Start Bolt Server

# One-liner install (pulls from ghcr.io)
curl -sSL https://bolt.cyberstrike.io/install.sh | bash

Or manually with Docker:

docker run -d \
  --name bolt \
  -p 3001:3001 \
  -e MCP_ADMIN_TOKEN=$(openssl rand -hex 32) \
  ghcr.io/cyberstrike/bolt:latest

2. Get the Admin Token

docker logs bolt | grep "Admin token"

3. Add to Cyberstrike

Use the /bolt command in the TUI:

  1. Press / and type bolt
  2. Press a to add a new server
  3. Enter URL: http://localhost:3001
  4. Enter the admin token
  5. Give it a name (e.g., “local”)

Or add manually to config:

~/.config/cyberstrike/cyberstrike.json
{
  "mcp": {
    "bolt": {
      "type": "remote",
      "url": "http://localhost:3001/mcp",
      "bolt": true,
      "headers": {
        "Authorization": "Bearer YOUR_ADMIN_TOKEN"
      }
    }
  }
}

4. Use Bolt Tools

> Search for reconnaissance tools on bolt
> Load nmap and scan 192.168.1.1


Installation Methods

The official Docker image includes all Kali tools pre-installed:

# Using docker run
docker run -d \
  --name bolt \
  --restart unless-stopped \
  -p 3001:3001 \
  -v bolt-data:/data \
  -e MCP_ADMIN_TOKEN=$(openssl rand -hex 32) \
  --cap-add NET_RAW \
  --cap-add NET_ADMIN \
  ghcr.io/cyberstrike/bolt:latest

# View the admin token
docker logs bolt

Docker Compose

docker-compose.yml
services:
  bolt:
    image: ghcr.io/cyberstrike/bolt:latest
    ports:
      - "3001:3001"
    environment:
      - MCP_ADMIN_TOKEN=${MCP_ADMIN_TOKEN}
    cap_add:
      - NET_RAW
      - NET_ADMIN
    volumes:
      - bolt-data:/data
    restart: unless-stopped

volumes:
  bolt-data:

# Generate a token and start the stack
export MCP_ADMIN_TOKEN=$(openssl rand -hex 32)
docker compose up -d

Local Installation (Without Docker)

If you have Kali tools installed locally:

cyberstrike.json
{
  "mcp": {
    "bolt-local": {
      "type": "local",
      "command": ["npx", "@cyberstrike/mcp-kali"]
    }
  }
}

Info

Local installation requires each Kali tool to be installed separately on your machine.


TUI Management

The /bolt command is the unified interface for managing all MCP servers - both the Bolt Kali container and your custom local/remote MCP servers.

The /bolt Command

Access MCP server management with /bolt in the TUI:

| Key | Action |
| --- | --- |
| a | Add new MCP server (local or remote) |
| space | Toggle connection |
| d | Delete server |
| esc | Close dialog |

Server Type Indicators

| Icon | Type |
| --- | --- |
|  | Bolt container (Kali tools) |
|  | Local MCP server (stdio) |
|  | Remote MCP server (HTTP) |

Connection States

| Color | Status |
| --- | --- |
| Green | Connected and ready |
| Gray | Disabled |
| Red | Failed |
| Yellow | Needs authentication |


Available Tools

Bolt provides 100+ tools organized by category:

Reconnaissance

| Tool | Description |
| --- | --- |
| nmap | Network scanner and service detection |
| masscan | Fast port scanner |
| subfinder | Passive subdomain discovery |
| amass | Attack surface mapping |
| httpx | HTTP probing |
| whatweb | Web technology identification |
| wafw00f | WAF detection |

Web Application

| Tool | Description |
| --- | --- |
| sqlmap | SQL injection automation |
| ffuf | Web fuzzer |
| gobuster | Directory/DNS enumeration |
| wfuzz | Web application fuzzer |
| nuclei | Template-based scanner |
| nikto | Web server scanner |
| wpscan | WordPress scanner |

Active Directory

| Tool | Description |
| --- | --- |
| netexec | Network execution tool |
| impacket-scripts | Windows protocol tools |
| enum4linux-ng | SMB enumeration |
| bloodhound | AD relationship mapping |
| certipy-ad | AD CS exploitation |
| responder | LLMNR/NBT-NS poisoning |

Password Attacks

| Tool | Description |
| --- | --- |
| john | Password cracker |
| hashcat | GPU password cracker |
| hydra | Online password attacks |
| medusa | Parallel password cracker |

Exploitation

| Tool | Description |
| --- | --- |
| metasploit-framework | Exploitation framework |
| exploitdb | Exploit database search |
| msfvenom | Payload generator |

Meta-Tools

Bolt uses a dynamic tool loading system. These meta-tools manage which Kali tools are available:

list_tools

List all available tools or filter by category:

{
  "category": "reconnaissance",
  "limit": 20
}

search_tools

Search tools by name or description:

{
  "query": "sql injection",
  "limit": 10
}

load_tool

Load a tool into the current session:

{
  "tool": "nmap"
}

execute

Execute a loaded tool:

{
  "tool": "nmap",
  "args": ["-sV", "-sC", "192.168.1.1"]
}

list_loaded_tools

Show currently loaded tools and token usage:

{
  "loaded": ["nmap", "nikto"],
  "estimatedTokens": 2500,
  "budgetRemaining": 17500
}

unload_tool

Free up token budget by unloading tools:

{
  "tool": "nmap"
}

Usage Examples

Network Reconnaissance

> Use bolt to scan 192.168.1.0/24 for open ports and services

The agent will:

  1. Load nmap via bolt_load_tool
  2. Execute scan via bolt_execute
  3. Parse and present results

Subdomain Enumeration

> Find all subdomains of example.com using bolt

Uses subfinder, amass, or similar tools.

SQL Injection Testing

> Test https://target.com/page?id=1 for SQL injection via bolt

Loads sqlmap and runs automated testing.

Active Directory Assessment

> Enumerate the AD environment at 192.168.1.10 using bolt

Uses netexec, enum4linux-ng, and related tools.


Security Features

Authentication Methods

flowchart LR
    subgraph Simple["Admin Token (Simple)"]
        Token[Bearer Token]
        Header[Authorization Header]
        Token --> Header
    end
    subgraph Advanced["Ed25519 (Advanced)"]
        KeyPair[Key Pair]
        Sign[Sign Request]
        Verify[Server Verify]
        KeyPair --> Sign
        Sign --> Verify
    end
    style Simple fill:#3b82f6,color:#fff
    style Advanced fill:#10b981,color:#fff

Admin Token (Simple)

Use a bearer token for authentication:

{
  "headers": {
    "Authorization": "Bearer YOUR_ADMIN_TOKEN"
  }
}

Ed25519 Keys (Advanced)

For production deployments, use asymmetric key authentication:

  1. Generate client keys
  2. Pair with the server via /pair endpoint
  3. Sign requests with your private key
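
The sign-and-verify step in miniature, as an added example that is not Bolt's or Cyberstrike's code: the client signs each request with its Ed25519 private key and the server checks it against the public key registered at pairing. The signed string layout, the timestamp field, the 30-second freshness limit and the replay cache are assumptions; the page does not specify Bolt's wire format.

```javascript
// Added example, not Bolt's source. The signed string, the timestamp field
// and the 30-second freshness limit are assumptions for illustration.
const crypto = require('node:crypto');

const MAX_AGE_SECONDS = 30;

// Bytes both sides agree to sign: method, path, timestamp and a body hash,
// so a signature cannot be moved to another endpoint or payload.
function canonical(method, path, timestamp, body) {
  const bodyHash = crypto.createHash('sha256').update(body).digest('hex');
  return Buffer.from([method.toUpperCase(), path, timestamp, bodyHash].join('\n'));
}

// Client side: the private key never leaves the client.
function signRequest(privateKey, method, path, body, now) {
  const sig = crypto.sign(null, canonical(method, path, now, body), privateKey);
  return { timestamp: now, signature: sig.toString('base64') };
}

// Server side: holds only the public key registered during pairing.
function makeVerifier(publicKey) {
  const seen = new Set(); // a real server would expire entries after MAX_AGE_SECONDS
  return function verify(method, path, body, auth, now) {
    if (!Number.isFinite(auth.timestamp)) return 'stale';
    if (Math.abs(now - auth.timestamp) > MAX_AGE_SECONDS) return 'stale';
    const msg = canonical(method, path, auth.timestamp, body);
    const sig = Buffer.from(auth.signature, 'base64');
    if (!crypto.verify(null, msg, publicKey, sig)) return 'bad-signature';
    if (seen.has(auth.signature)) return 'replayed';
    seen.add(auth.signature);
    return 'ok';
  };
}

// Constructed walk-through: sign one MCP call, then replay, tamper and delay it.
function demo() {
  const { publicKey, privateKey } = crypto.generateKeyPairSync('ed25519');
  const verify = makeVerifier(publicKey);
  const body = JSON.stringify({ tool: 'nmap' });
  const auth = signRequest(privateKey, 'POST', '/mcp', body, 1700000000);
  return [
    verify('POST', '/mcp', body, auth, 1700000005),                          // fresh
    verify('POST', '/mcp', body, auth, 1700000006),                          // same bytes again
    verify('POST', '/mcp', body.replace('nmap', 'hydra'), auth, 1700000007), // body changed
    verify('POST', '/mcp', body, auth, 1700000100),                          // too old
  ];
}
console.log(demo());
```

Unlike the bearer token, nothing the server stores here can be used to impersonate a client: a leaked public key only lets someone verify signatures.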

Port Knocking (SPA)

Enable port knocking to hide the server from port scans:

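# NET_ADMIN is required for the iptables rule that blocks port 3001 (see Docker Capabilities)
docker run -d \
  --name bolt \
  --cap-add NET_ADMIN \
  -p 3001:3001 \
  -p 49152-65535:49152-65535/udp \
  -e KNOCK_ENABLED=true \
  ghcr.io/cyberstrike/bolt:latest node dist/http.js --knock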

How it works:

sequenceDiagram
    participant Client as Cyberstrike
    participant FW as Firewall
    participant Bolt as Bolt Server
    Note over FW: Port 3001 blocked
    Client->>FW: UDP knock to port X
    Note over FW: HMAC(key, time/60) = X
    FW->>FW: Verify knock
    FW->>FW: Open port 3001 (60s)
    Client->>Bolt: HTTP/MCP request
    Bolt-->>Client: Response

With knock enabled:

  • Port 3001 is blocked by iptables
  • Clients must send a UDP knock packet first
  • Knock ports rotate every 60 seconds
  • Port is derived from: HMAC-SHA256(boltKey, timestamp/60)
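
How a time-windowed knock port can be derived and checked on the server side, as an added example that is not Bolt's code. The page gives only HMAC-SHA256(boltKey, timestamp/60); the counter encoding, the reduction into the 49152-65535 range and the one-window clock tolerance are assumptions.

```javascript
// Added example, not Bolt's source. The page gives only
// HMAC-SHA256(boltKey, timestamp/60); the counter encoding and the
// reduction of the MAC to a port are assumptions made for illustration.
const crypto = require('node:crypto');

const KNOCK_MIN = 49152;      // UDP range published by the docker run above
const KNOCK_MAX = 65535;
const WINDOW_SECONDS = 60;    // knock ports rotate every 60 seconds

// Index of the 60-second window a Unix timestamp falls into.
function windowOf(unixSeconds) {
  return Math.floor(unixSeconds / WINDOW_SECONDS);
}

// Knock port for one window. Assumed: the window index is MACed as an 8-byte
// big-endian integer and the first 4 MAC bytes are reduced into the range.
// The range holds 16384 = 2^14 ports, so the modulo introduces no bias.
function knockPort(key, unixSeconds) {
  const counter = Buffer.alloc(8);
  counter.writeBigUInt64BE(BigInt(windowOf(unixSeconds)));
  const mac = crypto.createHmac('sha256', key).update(counter).digest();
  return KNOCK_MIN + (mac.readUInt32BE(0) % (KNOCK_MAX - KNOCK_MIN + 1));
}

// Ports the server accepts right now: the current window plus `skewWindows`
// on either side, so a client clock that is slightly off still gets in.
function acceptedPorts(key, nowSeconds, skewWindows = 1) {
  const ports = new Set();
  for (let w = -skewWindows; w <= skewWindows; w++) {
    ports.add(knockPort(key, nowSeconds + w * WINDOW_SECONDS));
  }
  return ports;
}

function verifyKnock(key, observedPort, nowSeconds, skewWindows = 1) {
  return acceptedPorts(key, nowSeconds, skewWindows).has(observedPort);
}

// Constructed sample key and clock values.
const sampleKey = Buffer.from('constructed-sample-bolt-key');
const serverNow = 1700000000;
const clientPort = knockPort(sampleKey, serverNow - 45); // client 45 s behind
console.log(clientPort, verifyKnock(sampleKey, clientPort, serverNow));
```

A client whose clock is off by more than the tolerated windows derives a port outside the accepted set, which is why the troubleshooting list asks for synchronized clocks.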

Tip

Port knocking is ideal for internet-exposed Bolt servers. For local Docker, it’s optional.


Configuration

Environment Variables

| Variable | Default | Description |
| --- | --- | --- |
| PORT | 3001 | HTTP server port |
| HOST | 0.0.0.0 | Bind address |
| MCP_ADMIN_TOKEN | - | Admin bearer token |
| DATA_DIR | /data | Persistent data directory |
| KNOCK_ENABLED | false | Enable port knocking |

Docker Capabilities

For full functionality, Bolt needs:

| Capability | Purpose |
| --- | --- |
| NET_RAW | Raw socket access for nmap SYN scans |
| NET_ADMIN | Network configuration for iptables |

Volumes

| Path | Purpose |
| --- | --- |
| /data | Persistent keys, scan results |

Comparison: Local vs Remote

| Feature | Local | Remote (Docker) |
| --- | --- | --- |
| Tool Installation | Manual | Pre-installed |
| Isolation | None | Container |
| Performance | Faster | Network overhead |
| Setup | Complex | One command |
| Updates | Manual | docker pull |
| Cross-platform | No | Yes |

Troubleshooting

Connection Refused

Error: Connection refused
  1. Check Docker is running: docker ps
  2. Verify port mapping: docker port bolt
  3. Test health endpoint: curl http://localhost:3001/health

Tools Not Loading

> Agent says "tool not found"
  1. Verify MCP is connected: /bolt in TUI
  2. Check model supports MCP (not subprocess models like claude-cli)
  3. Restart Cyberstrike after adding Bolt

Subprocess Models

Caution

Models running as subprocesses (like claude-cli/opus) cannot access Cyberstrike’s MCP servers.

Use direct API models:

  • anthropic/claude-sonnet-4
  • anthropic/claude-opus-4
  • openai/gpt-4o

Port Knocking Issues

If knock is enabled but connection fails:

  1. Ensure UDP ports are forwarded: -p 49152-65535:49152-65535/udp
  2. Check bolt key is correct
  3. Verify system clocks are synchronized

API Reference

Health Check

curl http://localhost:3001/health

Response:

{
  "status": "ok",
  "version": "1.0.0",
  "tools": 100,
  "sessions": 2
}

MCP Endpoint

POST /mcp

Standard MCP JSON-RPC endpoint for tool calls.

Pairing (Ed25519)

POST /pair # Start pairing with code
POST /pair/exchange # Exchange public keys
GET /pair/clients # List paired clients (admin only)

Danger

Only use Bolt tools against authorized targets. Unauthorized penetration testing is illegal.