[ A Hesed & Emet platform ]

We attack first. So no one else can.

An agentic AI red team that pentests your whole stack and your people, then proves every finding.

Request a briefing See how it works
3attack surfaces in one campaign. network, cloud, identity, and people
0unvalidated findings shipped to your board
24/7continuous, never a once a year snapshot

The adversary now moves at machine speed, chaining a cloud misconfiguration to domain admin, and reaching your people with cloned voices and live deepfakes. Cherubim meets them on every front, with proof, under your control.

The console

One console for the whole engagement.

Launch, watch agents work, prove findings, coach your people, and export audit evidence, all from one place.

Sign in to explore

The platform

Four guardians. One campaign. One narrative.

Most tools cover one surface. Real attackers do not. Cherubim runs four engines under one intelligence layer, so a weak signal in one becomes the opening move in the next.

01

Autonomous Offensive Engine

A swarm of reasoning agents that maps, exploits, and chains weaknesses across web, API, cloud, and identity, at machine speed.

Explore the engine
02

Full Stack Attack Coverage

Network, web, API, cloud, Kubernetes, identity, Active Directory, wireless, OT, and supply chain. Every layer, one continuous kill chain.

Explore the coverage
03

Omnichannel Social Engineering

Orchestrated campaigns across email, SMS, WhatsApp, voice, and live deepfake video on Zoom and Teams, with Slack and Teams follow up.

Explore social engineering
04

Human Resilience & Truth Reporting

Every result becomes a graded, reproducible finding and a kind, blame free coaching path for the people who were tested.

Explore reporting

Guardian 01

Autonomous Offensive Engine

Cherubim does not run one scanner and hand you a list. It deploys a coordinated set of autonomous agents, each focused on a specific objective, that reason about your environment, attempt real exploit paths, and chain low signals into a full attack.

The difference that matters is what happens after a finding. Every candidate vulnerability is passed to a deterministic validator that reproduces the exploit in a sandbox and captures the proof. A finding only reaches you once it has been demonstrated, never because a model felt confident.

  • Recon and attack surface mapping across web apps, APIs, cloud configuration, and identity.
  • Exploit and chain with multi step reasoning, the way a human operator pivots from a small misconfiguration to domain impact.
  • Deterministic validation that reproduces each finding and attaches a proof of concept, so triage time drops to near zero.
  • Continuous mode that re tests on every release and tells you the moment a fix regresses.
  • Safe by construction with scoped targets, rate control, and a hard stop the moment a boundary is touched.

The agentic core

Built like an operator, not a loop.

Anyone can put a model in a while loop. What makes an engagement real is the machinery underneath: many specialists working together, a disciplined way to use real tooling, and the patience to pursue a goal over hundreds of steps. This is the part that takes Cherubim from a clever prototype to an operator that finishes the job.

01

Multi-agent coordination

Cherubim runs a fleet of specialised agents, each an expert in one surface, reconnaissance, web, cloud, identity, network, and exploitation. They share one world model and coordinate over a common blackboard, so an artifact one agent recovers becomes the key another agent uses several steps later. A supervisor arbitrates priority, removes duplicate work, and holds the whole fleet inside scope.

  • Role specialised agents with their own skills, prompts, and tools per surface.
  • Shared world model and a blackboard for live artifact handoff between agents.
  • Supervisor arbitration for priority, deconfliction, and no wasted effort.
  • Fleet wide control of concurrency, rate, and scope, with a hard stop on any boundary.

// blackboard architecture · supervisor or worker · up to 120 concurrent agents

02

Tool integration

Agents do not improvise. Every offensive capability, from a port scan to a Kerberos attack to a cloud API call, is a registered tool with a typed schema, scoped permissions, and an audit record, the same pattern as the Model Context Protocol. Cherubim wraps battle tested open source and commercial tooling rather than reinventing it, and mediates every call so it is logged, sandboxed, and reversible.

  • Typed tool interface in the MCP style, every call schema checked and permissioned.
  • Wraps real tooling for recon, exploitation, identity, cloud, and synthetic media, not toy reimplementations.
  • Deterministic validators as tools that reproduce an exploit before it is ever called a finding.
  • Stack connectors that read your AWS, Azure, identity, and messaging through official interfaces.

// typed schemas · per-call audit · sandboxed and reversible execution

03

Long-horizon planning

Real attacks unfold over many steps, so Cherubim plans like an operator. It sets an objective, reach the crown jewel, decomposes it into subgoals and tasks, and continuously replans as the environment responds. It carries state across hundreds of actions, backtracks out of dead ends, and keeps a persistent memory of what worked, so the next engagement starts smarter than the last.

  • Objective decomposition into a live goal, subgoal, and task tree the operator can read.
  • Continuous replanning and backtracking as new information and dead ends appear.
  • Persistent memory of state and outcomes across long runs, with checkpoint and resume.
  • Cost and risk aware action selection that favours the quietest path to impact.

// goal graph · reflection and memory · resumable across hundreds of steps

See it live. The console shows the agent mesh, the tools each agent is calling, and the plan tree updating in real time during an engagement.

Guardian 02

Full Stack Attack Coverage

A real adversary does not respect the boundaries of your tooling. They start at an exposed edge, pivot through the network, and do not stop until they own identity. Cherubim runs the same kill chain across every layer of the stack, as one continuous engagement, not a folder of disconnected reports.

The autonomous engine performs reconnaissance, exploitation, lateral movement, privilege escalation, and exfiltration simulation, then proves the full attack path end to end the way an operator would walk it.

  • External and internal network. Perimeter, segmentation, and assumed breach scenarios from foothold to domain impact.
  • Web, API, and mobile. Business logic abuse, access control, and chained application flaws, not a header scan.
  • Cloud and Kubernetes. Misconfiguration, over scoped roles, container escape, and metadata service abuse across AWS, Azure, and GCP.
  • Identity and Active Directory. Credential attacks, Kerberos abuse, trust relationships, and the path to domain administrator.
  • Wireless, OT, and supply chain. The forgotten surfaces, from rogue access points to vendor and dependency risk.

Guardian 03

Orchestrated Omnichannel Social Engineering

A real social engineering attack is not one email. It is a calendar invite, then a WhatsApp message that sounds like your CFO, then a Teams call where the face on screen is convincing enough to move money. Cherubim runs that full chain, safely, with consent, and with a central intelligence layer that adapts each stage to how the target responded to the last one.

Phishing email

Context aware lures generated from open source signals about your organisation, graded by who clicked, who reported, and who escalated.

Smishing and WhatsApp

SMS and WhatsApp pretexting that mirrors how modern attackers move a target off corporate channels and onto a personal device.

Voice and vishing

Consented voice cloning of an authorised internal persona to test whether a phone call alone can unlock a process it should not.

Live deepfake video

Real time face and voice synthesis that can join a scheduled Zoom, Microsoft Teams, or Google Meet call, to test executive impersonation under live conditions.

Slack and Teams

Internal messaging follow up that exploits the trust people place in tools inside the perimeter, the channel attackers love most.

Helpdesk and process

Targeted engagements against password reset, MFA recovery, and vendor onboarding, the human processes that bypass every control you bought.

Why orchestration is the product

Each channel on its own is a commodity. The value is the narrative engine that keeps one story consistent across all of them, escalating only when the target leans in and standing down when they resist or report. That is exactly how a serious adversary operates, and it is the only honest way to measure whether your people would actually catch them.

Guardian 04

Human Resilience and Truth Reporting

The name behind this platform means kindness and truth. Cherubim is built to honour both. Findings are delivered with the truth a board needs to act, and the people who were tested are met with coaching, never blame.

Every technical and human result lands in one evidence graded report. Leadership sees risk in business terms. Engineers get a reproducible proof of concept and a fix. The tested employee gets a short, supportive lesson tied to the exact moment that mattered, so the next attempt fails.

  • Board ready narrative that ties every finding to business impact and a clear owner.
  • Reproducible evidence for engineering, with severity and remediation, no noise.
  • Blame free coaching delivered in the moment, designed to build resilience, not fear.
  • Trend lines over time so you can prove the programme is making the organisation harder to attack.

Why Cherubim

What everyone does, done honestly and in one place.

The market is full of point tools. An autonomous web pentester here. A separate network scanner there. A cloud posture tool. A phishing button. A deepfake demo. Cherubim is the flagship that unifies the entire stack, and refuses to ship a finding it cannot prove.

The usual approach

  • Separate vendors for code, AI, and people
  • Confident findings, no reproducible proof
  • Annual snapshot that is stale on day two
  • Phishing as a single channel checkbox
  • Reports that blame the employee

Cherubim

  • One coordinated campaign across all three surfaces
  • Deterministic validation, no proof means no finding
  • Continuous testing tied to every release
  • True omnichannel orchestration with a narrative engine
  • Truth for the board, coaching for the people

For the technical reader

Architecture and feasibility

Nothing here is speculative. Every capability maps to techniques that are already proven in offensive security and synthetic media. Cherubim is the engineering discipline around them.

Orchestration layer

A planner that decomposes an engagement into objectives and dispatches specialised agents. Tool use is mediated through a typed interface, so every action an agent takes is logged, scoped, and reversible.

Deterministic validators

Findings are confirmed by non model code that reproduces the exploit in an isolated sandbox. This is the documented reason autonomous pentesters reach human grade precision rather than drowning teams in false positives.

Synthetic media pipeline

Voice cloning and real time face synthesis feed a virtual camera and audio device, which is how a deepfake persona joins a standard Zoom, Teams, or Meet session. Every asset is watermarked and access controlled.

Channel connectors

Email, SMS, WhatsApp, voice telephony, and workspace messaging integrate through their official interfaces, so a campaign runs on the same rails your organisation already uses.

Narrative state engine

A shared state object carries the pretext across channels and stages, so the WhatsApp message, the call, and the video meeting all reference one consistent story and escalate only on engagement.

Evidence store

Immutable, access controlled storage for transcripts, recordings, payloads, and proofs, with full chain of custody for legal and audit review.

Governance

Powerful by design, safe by obligation

A platform that can clone a voice and join a live call carries real responsibility. Cherubim treats authorization, consent, and restraint as core features, not paperwork.

  • Authorization gate. No campaign starts without scoped, signed authorization from a named accountable owner.
  • Consent and roster control. Cloned personas require explicit consent. Targeting respects defined rosters and exclusion lists.
  • Built in restraint. Campaigns stand down on distress signals and never pursue real financial or data loss.
  • Disclosure by default. Watermarked synthetic media and a clear post engagement reveal to everyone involved.
  • Privacy aligned. Designed for regulated environments, with data residency and retention controls suited to Singapore and the wider region.

Compliance

One click from attack proof to audit evidence.

Most teams run a test, then spend weeks translating findings into the language an auditor or a regulator accepts. Cherubim closes that gap. Every validated finding is mapped, in real time, to the control objectives of the frameworks you are held to, and assembled into an evidence pack you can hand over as is.

NIST CSF 2.0

Findings mapped across Govern, Identify, Protect, Detect, Respond, and Recover, with SP 800-53 and 800-115 control references.

Singapore Cybersecurity Act

Evidence aligned to Critical Information Infrastructure obligations and CSA audit and risk assessment expectations.

CSA Cyber Trust mark

Coverage mapped to the risk based domains, so certification preparation becomes a report export, not a project.

CSA Cyber Essentials mark

Direct evidence for the baseline measures, ideal for organisations on the first rung of the certification ladder.

ISO/IEC 27001:2022

Annex A control mapping with reproducible proof attached to each applicable statement of applicability item.

MAS TRM Guidelines

Penetration testing and adversarial attack simulation evidence formatted for financial sector supervisory review.

PDPA

Demonstrated protection of personal data with attack path proof that controls hold under real adversary pressure.

MITRE ATT&CK

Every step of every proven attack path tagged to ATT&CK techniques for defensive coverage analysis.

CIS Critical Controls

Implementation Group mapping that shows which controls actually withstood the engagement and which did not.

One click audit

Run the adversary. Export the audit.

The audit pack is not a second exercise. It is generated from the same campaign that proved the findings, so the evidence an auditor reads is the exact proof Cherubim captured, with timestamps and chain of custody intact.

  • Live control mapping. Each validated finding is tagged to every framework you select, as it is found.
  • Evidence pack assembly. Proofs, payloads, transcripts, and remediation, bundled and signed.
  • Auditor ready export. Structured output and a formatted report, accepted as is by assessors and regulators.
  • Continuous attestation. Re run on a cadence so certification stays evidenced between audit cycles, not just at audit time.

Executive reporting

One truth, told the way each room needs to hear it.

The same engagement produces every view automatically. The board sees risk and decisions. The auditor sees control evidence. Engineering sees a reproducible fix. Nobody re writes the story for a different audience, because there is only one story.

  • Board pack. A one page narrative tying proven exposure to business impact, owners, and a decision to make.
  • Posture score and residual risk. A defensible number with the evidence behind it, not a vendor opinion.
  • Control coverage heatmap. What held, what failed, per framework, at a glance.
  • Quarter over quarter trend lines. Proof to leadership that the programme is making the organisation harder to attack.
  • Tailored exports. Board, CISO, engineering, and audit views from one source of truth.

Outcomes

What you actually get

Proven exposure

A validated picture of how an adversary reaches impact across network, cloud, identity, and people, with the evidence to back every claim.

Faster remediation

Reproducible proofs of concept remove triage debate, so fixes ship instead of stalling in a backlog.

Measurable resilience

Trend lines that show leadership the organisation is genuinely harder to attack quarter over quarter.

A confident board

One narrative that turns technical and human risk into decisions an executive team can actually make.

Questions

Straight answers

Is this safe to run against a live organisation?

Yes, by design. Cherubim never pursues real loss. It demonstrates the path, captures the proof, and stops. Every engagement is gated by signed authorization, bounded by rosters and exclusion lists, and stands down on distress.

How is this different from a scanner with an AI label?

A scanner reports possibilities. Cherubim reasons, exploits, and then proves the finding with a deterministic validator. If it cannot reproduce the exploit, it does not become a finding.

Do you really join live video calls with a deepfake?

Under explicit authorization and consent, yes. Real time synthesis feeds a virtual camera and audio device into a scheduled Zoom, Teams, or Meet call. This mirrors a real and growing attacker technique, which is exactly why it must be tested.

What about the people who fail a test?

They are coached, not blamed. The truth goes to the board. Kindness goes to the team. That balance is the point of the platform.

Can it run continuously instead of once a year?

Yes. Continuous mode re tests on every release and on a defined cadence for the human surface, so resilience is measured, not assumed.

Request a briefing

Meet the adversary on your terms.

Bring Cherubim into a scoped engagement and see, with proof, exactly how a serious attacker would move through your code, your AI, and your people.

Start the conversation

A Hesed & Emet platform. Advising where AI, cybersecurity, and human behaviour collide.