
Professional Range Deployment

The range track is the professional deployment path for AIT. It keeps the fast Docker Lab L6 demo intact, then adds Ludus/Proxmox-backed range profiles for research, training, and presentations where operators can see traffic cross host and subnet boundaries.

Use the paths this way:

| Path | Best For | Shape |
|---|---|---|
| Docker L6 | first proof, local demos, CI smoke | one host, Docker services, host-run Seam |
| Ludus | reusable cyber range, workshops, shared demos | selectable compact, standard, or full-split VM profile |
| Raw Proxmox | custom homelab and lower-level control | OpenTofu/Terraform-style VM templates plus Ansible |

R2 Profile Choice

Services do not each need their own VM by default. R2 uses three profiles:

| Profile | VM Count | Purpose |
|---|---|---|
| compact | 2 | operator VM plus one combined target VM for small hosts |
| standard | 4 | recommended default: operator, support/planner, services, privileged sink |
| full-split | 8 | one VM per role plus dedicated Seam intercept VM for isolation and workshops |

Start with standard. Move down to compact when capacity matters. Move up to full-split when the point of the exercise is VM-level isolation or a routed intercept demonstration.

The range artifact contract stays the same as local labs:

  • Seam transcripts
  • meshmapper graph and paths
  • Assay finding
  • robustness bundle
  • rendered report
  • tripwire/oracle evidence
  • service logs
  • AIT cockpit run manifest

Range Workflows

The professional range must support three independent workflows:

  1. Seam-only operation: route traffic through one or more Seam proxies, watch A2A/MCP/memory traffic in the cockpit, and rewrite fields live.
  2. Mapping pass: ingest the captured transcripts plus Agent Cards, MCP tools/list, endpoint inventories, and configs into meshmapper, then inspect suggested attack paths.
  3. Optional validation: run Assay only for claims that need oracle-backed impact evidence, regression checks, or research metrics.

This keeps the range useful for field-style testing as well as controlled research. A demo can stop after Seam if the goal is traffic manipulation, stop after meshmapper if the goal is target selection, or continue to Assay if the result needs a finding and report.

Exercise Packs

Range exercises package the same offensive techniques as the local demo packs, made available for the compact, standard, and full-split profiles.

python3 -m ait.cli range exercise list
python3 -m ait.cli range exercise plan \
  --exercise a2a-content-rewrite \
  --profile standard \
  --provider ludus
python3 -m ait.cli range exercise run \
  --exercise memory-context-propagation \
  --profile compact \
  --provider docker

Initial descriptors cover A2A content rewrite, MCP tool-result injection, memory/context propagation, and negative controls. Ludus and raw Proxmox providers produce a range run plan and artifact directory; the Docker provider points at the matching local demo pack for quick iteration.

R2 automation splits the lifecycle into explicit provider actions. These are dry-run safe by default for Ludus and raw Proxmox/OpenTofu; real apply/destroy requires an explicit provider script flag.

python3 -m ait.cli range exercise check \
  --exercise a2a-content-rewrite \
  --profile standard \
  --provider ludus
python3 -m ait.cli range exercise execute \
  --exercise a2a-content-rewrite \
  --profile standard \
  --provider ludus
python3 -m ait.cli range exercise collect \
  --exercise a2a-content-rewrite \
  --profile standard \
  --provider ludus
python3 -m ait.cli range exercise reset \
  --exercise a2a-content-rewrite \
  --profile standard \
  --provider ludus

Each action stores provider, profile, command, exit status, logs, collected artifacts, and reset state in the standard AIT run layout. That means a range exercise can still be opened in the cockpit alongside local Docker runs.
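
The four lifecycle actions above chained into one wrapper, as an added example that is not part of AIT. It assumes the actions are meant to run in the order listed and that a non-zero exit status means failure; the function names, the `AIT` override variable and the `lifecycle.sh` file name are hypothetical.

```shell
#!/bin/sh
# Added example, not part of AIT: run one exercise through the lifecycle.
# Assumptions: actions run in the order the page lists them, and a non-zero
# exit status means the action failed.

# Command prefix from the page; override AIT to point at a stub when testing.
AIT=${AIT:-"python3 -m ait.cli"}

# run_action ACTION EXERCISE PROFILE PROVIDER
run_action() {
  echo ">> $1 ($2 / $3 / $4)" >&2
  $AIT range exercise "$1" --exercise "$2" --profile "$3" --provider "$4"
}

# run_lifecycle EXERCISE PROFILE PROVIDER
# Returns 0 only if every action succeeded, 2 on an unknown profile.
run_lifecycle() {
  case $2 in
    compact|standard|full-split) ;;
    *) echo "unknown profile: $2" >&2; return 2 ;;
  esac
  lc_rc=0

  # Pre-flight: stop before touching the range if the check fails.
  run_action check "$1" "$2" "$3" || return 1

  # A failed execute is recorded, but collect still runs so the transcripts
  # and logs that explain the failure are kept.
  run_action execute "$1" "$2" "$3" || lc_rc=1
  run_action collect "$1" "$2" "$3" || lc_rc=1

  # Reset always runs so the next exercise starts from a known state.
  run_action reset "$1" "$2" "$3" || lc_rc=1
  return "$lc_rc"
}

# Stand-alone use: ./lifecycle.sh a2a-content-rewrite standard ludus
if [ "$#" -eq 3 ]; then
  run_lifecycle "$@"
fi
```

Because reset runs even after a failed execute or collect, a shared range is not left in a half-run state for the next operator.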

Current Local View

Before building a range, use the local cockpit path to see the current operator experience.

python3 -m ait.cli demo full-agent-mesh \
  --scenario content_rewrite \
  --trials 1 \
  --serve-live \
  --listen 127.0.0.1:8788

Open:

http://127.0.0.1:8788

Range Milestones

  • R1 Range Lab: scaffold topology, Ansible roles, docs, and demo scripts.
  • R2 Ludus Range Pack: package compact, standard, and full-split Ludus profiles with deploy/check/reset/collect scripts.
  • R3 Raw Proxmox/OpenTofu Pack: lower-level VM templates, profile tfvars, inventory generation, and plan/apply/destroy wrappers for non-Ludus users.
  • R4 Multi-Scenario Exercises: content rewrite, MCP result injection, memory poisoning, trust spoof, and approval-gate exercises.
  • D2 Demo Media Pack: asciinema casts and VHS scripted clips for docs and presentations.

References

  • Ludus: Proxmox-backed cyber ranges configured from YAML and provisioned with automation.
  • Ansible: shared provisioning layer for operator hosts, services, schemas, rules, and artifacts.
  • asciinema and VHS: reproducible terminal recordings for demos and docs.