Knogin
[Developers]

Yawning Titan Autonomous Cyber Defence

Training a blue-team agent to defend a network by running it against live attacks is slow, expensive, and carries operational risk. Abstract simulation changes the calculus: define a network topology as a graph, script r

Back to All Modules
Category: ModulesLast Updated: Mar 25, 2026
modulesai

Overview#

Training a blue-team agent to defend a network by running it against live attacks is slow, expensive, and carries operational risk. Abstract simulation changes the calculus: define a network topology as a graph, script red-agent behaviours, and let the blue agent learn by running thousands of episodes overnight. The outcomes are measurable, the environments are configurable, and the risk is zero. That is the premise behind Yawning Titan, the open-source autonomous cyber-defence simulation framework developed at NCSC UK.

The Yawning Titan Autonomous Cyber Defence module within Argus provides a simulation and evaluation environment for autonomous cyber-defence experiments built around network scenarios, repeated simulations, and blue-team win-rate measurement. Teams track available network environments, monitor simulation volume, measure completion rates, and assess blue-agent performance over time.

Open Standards#

  • GraphQL (June 2018 specification): all query, mutation, and subscription operations for network topologies, simulation runs, and aggregate statistics are exposed through a Strawberry GraphQL schema, giving clients a typed, introspectable interface.
  • OAuth 2.0 Bearer Token (RFC 6750): every outbound call to the Yawning Titan API carries an HTTP Authorization: Bearer header, and every inbound GraphQL operation is gated behind the same bearer-token authentication mechanism.
  • MITRE ATT&CK: the Yawning Titan simulation framework, developed at NCSC/Dstl UK, models red-agent attack behaviours against network graphs using adversarial techniques drawn from the MITRE ATT&CK knowledge base, making ATT&CK the conceptual grounding for the threat scenarios evaluated through this module.
  • Farama Gymnasium API (formerly OpenAI Gym): the reinforcement-learning agents supported by the module (PPO, DQN, A2C) conform to the Gymnasium environment interface, the open standard contract for RL environment observation spaces, action spaces, and episode stepping.
  • JSON (RFC 8259): all payloads exchanged between Argus and the Yawning Titan API are serialised as JSON, with Content-Type: application/json set explicitly on launch requests and Accept: application/json on all retrieval calls.
  • UUID (RFC 4122): network topology identifiers and simulation run identifiers are stored and exchanged as RFC 4122 UUIDs, ensuring globally unique, format-stable references across tenant boundaries.

Last Reviewed: 2026-03-25 Last Updated: 2026-04-14

Key Features#

  • Network Topology Portfolio: Tracks the number of available network environments used for cyber-defence experimentation, from small office graphs to complex enterprise topologies.
  • Simulation Volume Monitoring: Shows total simulation activity and the number of completed runs, giving research leads a clear picture of experimentation throughput.
  • Blue-Team Performance Measurement: Provides average blue win-rate visibility over time, supporting outcome tracking across cohorts, policy versions, and network environments.
  • Active Simulation Awareness: Surfaces currently running simulations for operators supervising experimentation workloads or coordinating compute resources.
  • Autonomous Defence Evaluation: Supports structured comparison of automated cyber-defence behaviour across scenarios, enabling evidence-based selection of agent policies for operational deployment candidates.

Use Cases#

  • Autonomous Defence Research: Teams evaluate how automated blue-team approaches perform across multiple network environments, comparing policy architectures and training strategies.
  • Cyber Range Experimentation: Operators supervise active simulation campaigns during testing or training events, monitoring throughput and flagging anomalous results.
  • Defensive Strategy Benchmarking: Security researchers compare blue win rates across scenario sets to understand which approaches are improving and which have reached a performance ceiling.
  • Exercise Outcome Review: Leadership and analysts review simulation completion and performance trends as part of post-exercise analysis or capability assessment.

Integration#

  • Autonomous cyber-defence simulation services
  • Cyber-range and exercise workflows
  • Assurance and performance measurement dashboards
  • Cyber operations and training workbenches

Ready to Build?

Get started with our APIs or contact our integration team for support.