Mythal · User Guide

01Quick start · 60 seconds

You're at localhost:3090. The console is already populated with real data — the latest CISA KEV catalog has been fetched and matched against 4,310 realistic Class I rail estate assets. Findings have been pre-created. The agent fabric is idle, ready.

The minimum demo run

Land on Command Center. Note the six KPI tiles at the top — they refresh every four seconds.
Click ⚡ Sync CISA KEV → agents in the banner. Wait two seconds. A toast confirms the result.
Watch the Live agent activity panel fill in real time at the bottom right.
Click Live Feeds in the sidebar to see the match table — real CVE IDs against real assets.
Click Plans to see Kanban cards moving through approval / execution.
Click Compliance and export the TSA SD 1580 evidence PDF.

★ The single most important thing to know: Mythal sits above your scanners and patch tools. It does not replace them. It orchestrates them. Everything you see in the console reads from real sources (CISA KEV in the demo, your own scanners in production) and matches against the inventory you provide.

02Core concepts

If any of these are unfamiliar, glance through them before diving into screens.

The 12 agents

Mythal is a fabric of twelve coordinated AI agents. One Supervisor drives a finite-state machine per finding; eleven specialists each own one narrow job — scanner ingest, threat enrichment, patch hunting, impact analysis, change risk, OT safety review, remediation planning, execution, verification, compliance evidence, and inventory insights. Each agent has a typed input, a typed output, and an HMAC-signed audit trail.

The policy gate

Between every agent decision and any side effect that changes a customer asset sits a deterministic policy engine with seven default rules. Agents propose; the policy gate disposes. Auto-apply, single-approval, dual-approval, or deny — every decision routed by code, not by judgment.

The reasoning trace

Every action emits a structured, human-readable record into the reasoning_traces table. The trace is the audit log — same artifact engineers and auditors read. Click any finding to see its full agent-by-agent narrative.

Three reasoning backends

An environment variable AGENT_MODE selects: deterministic (rule-engine, zero external deps), anthropic (Claude Opus 4.7 / Sonnet 4.6), or openai (gpt-4o-mini / o4-mini). If a model call fails, the agent silently falls back to deterministic — the pipeline never crashes on someone else's API outage.

03Sidebar & navigation

The sidebar has three operational sections plus a presentation link.

OPERATEReal-time work · CVEs flowing through the agent fabric · approvals.

DISCOVERWhat you own · proactive findings · OT-specific operations.

GOVERNCompliance · policy · integrations health.

PRESENTExternal-facing decks & documentation — opens in a new tab.

The active page shows a gold left-border accent. The Live Feeds nav item has a pulsing red dot — that's the most-used screen during demos.

04Themes & help

Top right of every page: a theme switcher with four professional themes, and a ? Help link that opens this guide.

CSX — deep navy + gold. Rail-grade operations-room aesthetic. Default. Best for rail / utility / pipeline conversations.
Salesforce — light surfaces, Salesforce-Lightning electric blue. Best for daylight conference rooms and audiences familiar with the Lightning console.
Aurora — refined dark slate with electric-blue accent. Best for evening demos or engineering reviews.
Quantum — deep indigo with cyan + violet accents. AI-infrastructure aesthetic (Linear / Vercel / Anthropic family). Best for cutting-edge AI-buyer conversations.

Theme persists across all pages via localStorage. Cycle through with T from inside the presentation portal.

05Command Center

What & why The home page. The single screen you project on the wall during a demo. Six live KPI tiles with sparklines, two visualizations (asset distribution donut + findings-by-zone bar chart), scenario buttons, compliance progress, and a real-time agent activity stream.

What you can do here

Sync CISA KEV → agents — the primary demo button. Pulls live CISA Known Exploited Vulnerabilities catalog, matches against your inventory by vendor + product, drives matched findings through all 12 agents. Toast confirms result.
Run a Scenario (A–E) — pre-baked synthetic events that drive the full closed loop for storytelling. Scenario A is Patch Tuesday (60 CVEs); C is the OT Safety veto path on a Siemens RTU; E exports compliance evidence.
Watch six KPI tiles refresh every 4 seconds — open critical findings, KEV-listed open, MTR, patches applied 24h, OT under compensating control, total assets. Each has a sparkline showing the last 12 samples.
Asset distribution donut — environment split (IT / OT / DMZ). Hover to see exact counts.
Findings by zone — top 7 zones with open findings, ranked.
Compliance evidence by framework — TSA SD 1580 · NIST CSF · NIST 800-82r3 · IEC 62443. Bars grow as plans close.
Live agent activity — every signed agent message in the last few seconds, refreshing every 2.5s.
Open the Presentation portal — opens the external-facing slide-decks in a new tab.
Download leadership .pptx — 12-slide CSX-themed PowerPoint generated from live tenant data.

★For the demo: always start here. Click Sync CISA KEV first, then narrate while the numbers move. The audience watches the KPI cards animate and the activity panel fill.

06Live Feeds

What & why The screen that proves the platform is real. Pulls the live CISA Known Exploited Vulnerabilities catalog (typically 1,600+ real CVE IDs) and matches every entry against your asset inventory.

What you can do here

Sync CISA KEV · drive through agents — fetches the live catalog (or uses cache < 1 hour old). Matching takes ~2 seconds against 4,310 assets. Drives 10–20 findings through the 12-agent pipeline.
Download inventory CSV — the entire 4,310-row inventory as a comma-separated file. Hostname, IPs, OS, env, zone, criticality, is_ccs, vendor, product, version, owner, tags. Open in Excel and hand to the prospect as "the data shape we'd hold for your estate."
Six summary KPIs after sync — KEV catalog source, entries fetched, CVEs matched, total asset hits, OT/CCS hits, ransomware-associated matches.
Match table — every real CVE that matched your inventory. Real CVE IDs (CVE-2024-3400, CVE-2023-20198, etc.). Hover for the full vendor advisory description. Ransomware-flagged matches are tagged.
Findings created from KEV — the right-hand panel lists every cisa_kev-sourced finding currently in the system with its agent-pipeline state.
Live activity stream — same as Command Center but auto-refreshes every 2 seconds.

★The deal-closer slide. CISA KEV is the single most important threat-intel feed in the US-government cybersecurity ecosystem. Showing live matches against the prospect's vendor stack — Microsoft Exchange, Cisco IOS-XE, PAN-OS, Atlassian Confluence, VMware vCenter — is the moment the platform stops being a deck.

07Findings

What & why Every vulnerability finding in the system, filterable. Click any row to open the full reasoning trace, business impact profile, change risk score, and remediation plan.

What you can do here

Filter by zone — All / IT / OT / DMZ — see only the segment that matters.
Filter by KEV — only show CISA KEV-listed findings (highest priority).
Sort columns — CVE, asset, criticality, CVSS, EPSS, scanner source, status, age.
Click a CVE — opens the full finding detail page with reasoning trace, all agent messages, the remediation plan with steps and rollback, and the business impact profile.
Read the tags — KEV, ITW (in-the-wild), Ransomware, CCS — every finding's classification at a glance.

08Plans · Kanban board

What & why Every remediation plan in flight. Six-column Kanban (PLANNED · AWAITING_APPROVAL · APPROVED · EXECUTING · ROLLED_BACK · CLOSED). The board where security analysts and managers actually live during operations.

What you can do here

Approve a plan — click Approve as security on any AWAITING_APPROVAL card. If the plan requires dual approval (CCS or OT), you'll need a second Approve as ot_operations click. Plans walk through executor → verifier → compliance reporter automatically once approved.
See plan tags at a glance — CCS / OT / KEV / AUTO. Auto-tagged plans skip approval (only allowed for low-criticality IT with high-reliability patches).
Watch state transitions live — every 3 seconds the board refreshes.
Click a card title — opens the underlying finding's reasoning trace.

⚠OT and CCS plans never auto-apply. By policy gate rule SG-POL-001 / SG-POL-002 they require dual approval, an open maintenance window, and a validated rollback — all four before the Executor will touch the asset.

09Agent Activity

What & why The signed audit ledger, presented as a live timeline. Every inter-agent message in the system, every reasoning step, filterable by agent or trace ID. This is the "show your work" view.

What you can do here

Filter by agent — narrow to just supervisor / scanner_liaison / threat_intel / etc.
Filter by trace_id — every finding has one trace ID; paste it to see only that finding's full lifecycle.
Read the payload preview — first ~80 chars of every message's structured payload visible inline.
Confirm HMAC signing — the activity table shows the message_id; the underlying records carry HMAC-SHA256 signatures verifiable via the API.

10Inventory Insights · the 12th agent

What & why Beyond CVE flow. The Inventory Insights agent sweeps the full estate on its own cadence (startup + on demand + scheduled in production) and surfaces risk before any CVE drops.

What you can do here

Rescan estate — re-runs the full inventory sweep. Useful after major CMDB syncs.
See 5 severity KPIs — total · critical · high · medium · low recommendations.
Filter by category — click any of the 8 category tiles to filter the recommendation list. Categories: patch_band_drift · ot_firmware · network_firmware · eol · version_sprawl · shadow_it · ccs_no_owner · identity_hygiene.
Filter by severity — Critical / High / Medium / Low.
Read recommendations — each card shows severity tag, environment tag (IT/OT/DMZ), title, rationale, recommended action, current version, target version, affected asset.

11Asset Estate

What & why A zone-by-zone view of every asset Mythal knows about. Counts per zone, open findings per zone.

Three big KPIs — total assets · open findings · OT zones count.
Asset grouping by environment — OT zones first (most-watched), then DMZ, then IT.
Per-zone card — asset count + open-findings tag with color coding (green = clean, red = open work).

12OT Operations

What & why The OT-only console — where the OT Safety Officer agent's work lives. Compensating-control plans, OT maintenance windows, and the dual-approval queue.

What you can do here

Read compensating-control plans — every OT plan with the agent's veto rationale and the three (or more) compensating controls deployed in place of direct patching.
See planned maintenance windows — upcoming windows by zone, with start/end times and description.
Verify the OT safety guarantee — every plan here shows that the OT Safety Officer signed off AND the policy gate enforced dual approval requirements.

★The OT operator's screen. When the OT lead at the prospect asks "how do I know your tool will never patch a substation RTU outside a window?" — open this page. Walk a single plan's veto rationale aloud. Done.

13Compliance

What & why Framework-by-framework audit posture. Four framework cards · evidence drill-down · one-click PDF export.

What you can do here

Click a framework card — TSA SD 1580-21-01 · NIST CSF 2.0 · NIST 800-82r3 · IEC 62443 · SOX · HIPAA · PCI. Card highlights; table below filters to that framework's evidence.
Read evidence units — control_id · summary · plan reference · captured-at timestamp.
Export evidence PDF — auditor-ready, control-by-control, in under 60 seconds. Watermarked SIMULATED on demo tenants.

14Policy Studio

What & why The seven default policy rules and a live evaluator. See exactly which rule will fire on which conditions.

What you can do here

Read the seven rules — SG-POL-001 (CCS dual approval) through SG-POL-007 (blackout windows). Each with rule ID, name, and behavior.
Try the gate — Construct a hypothetical request: asset_env, criticality, is_ccs, patch_reliability, canary peer, window open, rollback valid. Click Evaluate. See the decision (auto_apply / single_approval / dual_approval / deny) and which rule fired.

15Integrations

What & why Health status of every connector — scanners, intel feeds, CMDB, patch tools, identity, SIEM — plus the three agent reasoning backends.

What you can do here

See three reasoning backends — deterministic / anthropic / openai. Status shows which is currently active, which has a key configured.
Browse 22 integration cards — Qualys · Tenable · Rapid7 · Wiz · Defender · Claroty · Nozomi · Dragos · ServiceNow · Ansible · Intune · Tanium · Catalyst Center · Panorama · Entra ID · Splunk · CISA KEV · NVD · vendor PSIRTs · Glasswing.
Read health tags — healthy · degraded · subscribed · not_configured. Last-sync timestamps.

16The 12 agents · cheat sheet

★ SupervisorDrives the per-finding state machine.

01 · ScannerNormalizes Qualys / Tenable / Wiz / Claroty / Nozomi.

02 · Threat IntelNVD · KEV · EPSS · PSIRTs enrichment.

03 · Patch HunterLocates vendor fix + reliability score.

04 · Impact AnalystBlast radius via CMDB + dependency graph.

05 · Change RiskHistorical failure rate + canary check.

★ 06 · OT SafetyVeto rights on OT / CCS.

07 · PlannerRunbook + rollback.

08 · ExecutorAnsible / SCCM / Panorama / OT-native.

09 · VerifierRescan + health probe + exploit retest.

10 · ComplianceTSA / NIST / IEC evidence PDFs.

★ 12 · InventoryEOL · sprawl · CCS-no-owner · proactive.

Stars mark the three agents that are most-asked-about in demos: Supervisor (the orchestrator), OT Safety Officer (the differentiator), Inventory Insights (the proactive 12th).

17REST API basics

Every screen reads from the FastAPI backend at localhost:8090/docs — the OpenAPI explorer is browsable, the endpoints are documented inline.

Endpoints worth knowing

GET /api/kpis — Command Center KPIs. Polled every 4 seconds.
POST /api/feeds/kev/sync — fetch live CISA KEV + match + drive through agents. The big demo button.
GET /api/estate/export.csv — full inventory as CSV. Bookmark this.
POST /api/scenarios/{A..E}/run — fire a pre-baked scenario.
POST /api/admin/reset — hot reset of tenant data without restarting containers.
GET /api/compliance/export?framework=TSA_SD_1580 — auditor-ready PDF.
GET /api/deck/export — leadership .pptx deck.
GET /api/activity/messages?limit=N&trace_id=… — agent activity stream, filterable.

18Troubleshooting

The KPIs all show "—"

The API isn't reachable. Check docker ps — all four containers should be healthy. If mythal-api (or sentinelgrid-api on the running stack) isn't healthy, docker logs sentinelgrid-api --tail 80 will show the issue. Most commonly: Postgres slow to start on first boot — wait 30 seconds and refresh.

Theme doesn't persist

Browser is in private/incognito mode and blocking localStorage. The theme will reset on page refresh. Use a regular window.

CISA KEV sync says "bundled snapshot" instead of "live + cached"

The container couldn't reach cisa.gov on startup. The bundled snapshot of 32 real KEV entries is still being used and matching works — the data is just from May 2026, not today. Check the container's network or run POST /api/feeds/kev/sync_live manually to force a live fetch.

The Plans Kanban is empty

No findings have been driven through the pipeline yet. Click Sync CISA KEV on Command Center or run any Scenario.

Compliance frameworks show "no_evidence"

Evidence is only emitted when a plan reaches CLOSED. Approve some AWAITING_APPROVAL plans to drive them through executor → verifier → compliance reporter.

How do I reset the demo state?

POST /api/admin/reset truncates the tenant data and reseeds with a fresh inventory + KEV sync. Takes about 25 seconds. The console will reconnect automatically.

★Demo recovery move: if anything goes sideways mid-demo, press T on the presentation portal to flip themes (looks intentional), then sync KEV again. Two clicks, no panic.

User Guide — every screen, every feature.

01Quick start · 60 seconds

The minimum demo run

02Core concepts

The 12 agents

The policy gate

The reasoning trace

Three reasoning backends

03Sidebar & navigation

04Themes & help

05Command Center

What you can do here

06Live Feeds

What you can do here

07Findings

What you can do here

08Plans · Kanban board

What you can do here

09Agent Activity

What you can do here

10Inventory Insights · the 12th agent

What you can do here

11Asset Estate

12OT Operations

What you can do here

13Compliance

What you can do here

14Policy Studio

What you can do here

15Integrations

What you can do here

16The 12 agents · cheat sheet

17REST API basics

Endpoints worth knowing

18Troubleshooting

The KPIs all show "—"

Theme doesn't persist

CISA KEV sync says "bundled snapshot" instead of "live + cached"

The Plans Kanban is empty

Compliance frameworks show "no_evidence"

How do I reset the demo state?

More reading