Inferno Lab is a suite of open-source security testing tools designed to work together. Simulate attacks, defend against them, and validate your security posture, all in an isolated lab environment.

- Apparatus simulates the environment: defense, deception, monitoring, and red team automation
- Chimera gives you something to break: 456+ intentionally vulnerable endpoints across 25+ industry domains
- Crucible validates at scale: run 80+ structured attack scenarios with pass/fail scoring

Each project works standalone or together as an end-to-end security testing pipeline.

Warning: This suite includes Chimera, an application with hundreds of intentional security vulnerabilities. Run in isolated environments only; never expose to the internet or deploy to production without proper network segmentation.

| Project | Description | Docs |
|---|---|---|
| Apparatus | AI-augmented network security platform | apparatus.atlascrew.dev |
| Chimera | Intentionally vulnerable monorepo for WAF testing | chimera.atlascrew.dev |
| Crucible | Security testing platform with 80+ attack scenarios | crucible.atlascrew.dev |

```bash
git clone --recurse-submodules https://github.com/NickCrew/inferno-labs.git
```

Or if already cloned:

```bash
just init-apps
```

```bash
just update-apps
```

```
Crucible ──── scenarios ────▶ Chimera (target)
:3000 / :3001                 :8880
                               │
                               ├─ vuln-api (Flask, 456+ endpoints)
                               ├─ vuln-web (React portal)
                               │
                     optional  │
                               ▼
                           Apparatus
                             :8090
                   (defense, monitoring, WAF)
```

Crucible runs attack scenarios against Chimera's vulnerable endpoints. Apparatus optionally sits in front as a defense/monitoring layer; Chimera reports to it when `APPARATUS_ENABLED=true`.

From the Apparatus directory, the compose file includes Chimera as an optional profile:

```bash
cd apps/apparatus
docker compose --profile chimera up -d
```

This starts:

| Service | Port | Image |
|---|---|---|
| apparatus | 8090 | Built from apps/apparatus |
| vuln-api (Chimera) | 5000 | Built from Chimera apps/vuln-api |
| vuln-web (Chimera) | 3000 | Built from Chimera apps/vuln-web |
Then run Crucible separately, pointed at Chimera:

```bash
cd apps/crucible
docker build -t crucible .
docker run -p 3000:3000 -e CRUCIBLE_TARGET_URL=http://host.docker.internal:5000 crucible
```

Note: If running Crucible in Docker alongside the compose stack, use port 3002 to avoid conflict with vuln-web on 3000:

```bash
-p 3002:3000
```

```bash
# Apparatus
docker build -t apparatus apps/apparatus/apps/apparatus
docker run -p 8090:8090 apparatus

# Chimera
docker build -t chimera-api apps/chimera/apps/vuln-api
docker run -p 8880:80 -e DEMO_MODE=full chimera-api

# Crucible
docker build -t crucible apps/crucible
docker run -p 3000:3000 -e CRUCIBLE_TARGET_URL=http://host.docker.internal:8880 crucible
```

Prerequisites: Node.js 22+, pnpm, Python 3.12+, uv

Start each app in a separate terminal:

```bash
# 1. Apparatus (port 8090)
cd apps/apparatus
pnpm install && pnpm dev:server

# 2. Chimera (API on 8880, web on 5175)
cd apps/chimera
pnpm install
cd apps/vuln-api && uv sync --extra dev && cd ../..
just dev

# 3. Crucible (web on 3000, engine on 3001)
cd apps/crucible
pnpm install
CRUCIBLE_TARGET_URL=http://localhost:8880 pnpm dev
```

| Variable | App | Default | Purpose |
|---|---|---|---|
| `PORT_HTTP1` | Apparatus | `8090` | HTTP API port |
| `DEMO_MODE` | Chimera | - | full or strict (controls dangerous endpoints) |
| `APPARATUS_ENABLED` | Chimera | `false` | Report to Apparatus |
| `APPARATUS_BASE_URL` | Chimera | `http://127.0.0.1:8090` | Apparatus URL |
| `CRUCIBLE_TARGET_URL` | Crucible | `http://localhost:8880` | Scenario target (Chimera) |
| `CRUCIBLE_MAX_CONCURRENCY` | Crucible | `3` | Parallel scenario steps |

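The warning above asks for an isolated lab, but a mapping such as `docker run -p 8880:80` is published on every host interface by default. The following is an added example, not part of the Inferno Lab projects: a shell function that reads `docker ps` output and lists port mappings reachable beyond loopback. The container names in the sample are constructed for illustration.

```shell
#!/usr/bin/env bash
# Added example (not from the Inferno Lab repos): list container port
# mappings that are reachable from outside the host.

# Input on stdin: "name<TAB>ports" lines, the shape produced by
#   docker ps --format '{{.Names}}\t{{.Ports}}'
# Output: "name host-binding" for each mapping not bound to loopback.
find_exposed() {
  awk -F'\t' '
    {
      n = split($2, maps, /, */)
      for (i = 1; i <= n; i++) {
        m = maps[i]
        if (m !~ /->/) continue                  # not published to the host
        host = m; sub(/->.*/, "", host)          # e.g. 0.0.0.0:8880
        addr = host; sub(/:[0-9-]+$/, "", addr)  # drop host port or range
        if (addr ~ /^127\./ || addr == "[::1]" || addr == "::1") continue
        print $1, host
      }
    }'
}

# Constructed sample; container names are assumptions for illustration.
sample_ps() {
  printf 'apparatus\t127.0.0.1:8090->8090/tcp\n'
  printf 'chimera-api\t0.0.0.0:8880->80/tcp, [::]:8880->80/tcp\n'
  printf 'crucible\t0.0.0.0:3000->3000/tcp\n'
  printf 'vuln-web\t3000/tcp\n'
}

sample_ps | find_exposed
# Against a live lab: docker ps --format '{{.Names}}\t{{.Ports}}' | find_exposed
```

Any line this prints for a Chimera container means the vulnerable API is reachable from the network the host sits on. Binding the publish to loopback, for example `-p 127.0.0.1:8880:80`, keeps it local to the host.
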
- Horizon Security Platform: production security platform by Atlas Crew

All projects are released under the MIT License.

