Step 1: Confirm the install opened cleanly
Zypheron Desktop is an Electron workspace for Linux. When it launches, sign in through the secure HTTPS deep-link flow back to zypheron.net (the same pattern Cursor uses). On first launch the app probes your PATH for the tooling it can drive directly. The binaries it looks for are listed below.
nmap, nuclei, httpx, bloodhound-python, secretsdump.py
nxc, certipy, hashcat, tesseract, msfrpcd, sliver-server
Step 2: Open the workspace and pick a starting point
The app opens into a set of workspaces: Network Map, AD/Identity, Cloud Architecture, Code/RE, Tools and Config, and Command and Control, with a Chat sidebar alongside them. For a first run, start in Network Map. It gives you live host, port, and service topology, groups results by subnet, and draws a public-exposure boundary so you can see what is reachable from outside.
Step 3: Run one nmap scan and watch the map populate
Run a single nmap scan against a scope you are authorized to test. As results come back, hosts, ports, and services appear on the map and group themselves under their subnets. Right-click any host to "Open in terminal as $T" or "Add to scope". Resist the urge to chain everything at once: one scan gives you cleaner signal and a map you can actually reason about.
The map is the anchor for everything downstream. After a BloodHound or SharpHound run in the AD/Identity workspace, AD-graph nodes overlay onto the same view, so Active Directory and identity weaknesses show up against the hosts you already mapped.
Step 4: Know where your artifacts land
Everything you produce is written to an encrypted local SQLite store on your own disk. There is no cloud sync of your findings. If you wire up cloud AI chat later, it uses your own Anthropic or OpenAI key from Settings and AI, and Zypheron does not proxy model traffic. Local models run through Ollama. Your scan data and your prompts stay yours.
This matters for the deliverable. A consolidated, locally-held record of what you ran and what you found is what turns into a board-ready report. No $50k pentest required.
Step 5: Recover if the environment is incomplete
If a tool you need is not on your PATH, the app surfaces a banner rather than failing silently. Open the Tools and Config workspace to confirm install state. It defaults to "From Path", showing only the 130+ tools currently on $PATH, and you can filter by ATT&CK profile and install state. Install the missing binary, then return to Network Map and re-run.
Send to terminal
From Tools and Config, "Send to terminal" pastes the operator command with placeholders intact. You fill in the targets, and you stay in control of what runs.
PATH banner
A missing binary is a fixable environment gap. Install it (for example nmap or nuclei), and the workspace picks it up on the next launch.
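A pre-flight check for Steps 1 and 5, as an added example that is not part of Zypheron or its documentation: it resolves each binary from the Step 1 list against $PATH and flags any that resolve from a directory writable by group or others, where another local account could shadow the tool the app drives. The function names are hypothetical, and how the app itself probes PATH is not described on this page.

```shell
#!/bin/sh
# Added example (not Zypheron code): audit the Step 1 tool list before launch.
TOOLS="nmap nuclei httpx bloodhound-python secretsdump.py nxc certipy hashcat tesseract msfrpcd sliver-server"

# resolve_tool NAME [PATHLIST]: print the first executable file named NAME in
# the colon-separated PATHLIST (default: $PATH); return 1 if there is none.
resolve_tool() {
    _list=${2-$PATH}; _old_ifs=$IFS; IFS=:
    for _dir in $_list; do
        IFS=$_old_ifs
        [ -n "$_dir" ] || _dir=.          # an empty entry means the current directory
        if [ -f "$_dir/$1" ] && [ -x "$_dir/$1" ]; then
            printf '%s\n' "$_dir/$1"; return 0
        fi
    done
    IFS=$_old_ifs; return 1
}

# dir_is_loose DIR: succeed if DIR (symlinks followed) is writable by group
# or others, so another local account could plant a same-named binary there.
dir_is_loose() {
    case $(ls -ldL -- "$1" 2>/dev/null | cut -c1-10) in
        ?????w????|????????w?) return 0 ;;
        *) return 1 ;;
    esac
}

# preflight PATHLIST: report every tool; return 1 if any is missing or loose.
preflight() {
    _rc=0
    for _tool in $TOOLS; do
        if ! _hit=$(resolve_tool "$_tool" "$1"); then
            echo "MISSING $_tool"; _rc=1
        elif dir_is_loose "${_hit%/*}"; then
            echo "WARN    $_hit (directory writable by group/others)"; _rc=1
        else
            echo "OK      $_hit"
        fi
    done
    return $_rc
}

# Audit the real $PATH; the guard keeps a finding from aborting a calling script.
if ! preflight "$PATH"; then
    echo "Fix the entries above, then relaunch the app." >&2
fi
```

A WARN line means the first match on $PATH sits in a directory other accounts can write to; tighten that directory's permissions or move it later in $PATH before relying on the tool.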
Step 6: Let the Next Actions panel populate
Next Actions is findings-gated, so it stays empty until you run at least one scan. Once your first nmap pass lands findings on the map, the panel fills in with concrete suggestions shaped by your selected ATT&CK profile (APT29, Wizard Spider, or APT18). That is the point where the workspace starts driving the engagement with you.
Thirty-minute checkpoint: the app is signed in, Network Map shows a populated topology with a public-exposure boundary, your artifacts are in local SQLite, and Next Actions is suggesting where to look next.
