Last updated: April 26, 2026
Mythic is the multi-agent C2 framework that supports multiple implant types within a single operator console. Unlike Sliver and Havoc which ship one primary implant, Mythic is a platform — operators choose the agent (Apollo for Windows, Apfell for macOS, Athena for cross-platform, Atlas for Linux) per target. This article covers Mythic for red-team operators, the agent ecosystem, and the detection challenges it creates.
Why a multi-agent framework
Single-implant frameworks tie operators to one set of capabilities. If the implant gets caught, you regenerate from the same toolkit and try again — same fingerprint. Mythic’s design separates the C2 server (Mythic itself) from the agent. Operators pick agents per engagement based on target environment, EDR posture, and operational requirements.
Common agents in the Mythic ecosystem:
- Apollo — Windows .NET agent, mature and feature-rich
- Apfell — JavaScript-for-Automation (JXA) agent for macOS
- Athena — cross-platform .NET agent
- Atlas — Linux Go agent
- Poseidon — Go-based cross-platform
- Tetanus — Rust-based agent
- Custom — operators write their own agents in any language; Mythic provides the C2 protocol spec
Mythic operator workflow
# Install Mythic
git clone https://github.com/its-a-feature/Mythic
cd Mythic
sudo ./mythic-cli start
# Install an agent
sudo ./mythic-cli install github https://github.com/MythicAgents/apollo
# Install a C2 profile
sudo ./mythic-cli install github https://github.com/MythicC2Profiles/http
# Access UI at https://localhost:7443Agent generation via UI; payload deployment depends on agent type.
The detection challenge
Each Mythic agent has distinct signatures. Apollo (.NET) detection patterns differ from Athena (.NET) which differ from Poseidon (Go) which differ from Tetanus (Rust). Defenders need detection coverage across implant types, not a single signature.
Mythic’s strength is also its detection complexity: operators can rotate agents within a single engagement, evading detection that’s tuned to one implant family.
Detection — what works
- C2 protocol fingerprinting — Mythic’s HTTP / HTTPS profiles have specific patterns (URL paths, header sequences, cookie names). Detection at the network layer.
- Beacon timing analysis — like other C2s, Mythic agents beacon at intervals. Long-window timing analysis catches.
- Per-agent endpoint detection — separate detection rules for each common agent’s runtime behaviour.
- SIGMA rules — community has Mythic-specific rules in the SigmaHQ repository.
Mythic vs Sliver vs Havoc — when each is used
| Framework | Strength | Operator type |
|---|---|---|
| Sliver | Mature, broad capability, large community | General-purpose red team |
| Havoc | EDR evasion-focused, modern Demon agent | Hard targets, EDR-mature defenders |
| Mythic | Multi-agent flexibility, customisation | Long engagements, sophisticated targets, custom-implant requirements |
Defender priorities
- Behavioural detection rather than tool-specific signatures — works across all C2 frameworks
- Network-layer detection (JA4, beacon timing, traffic analysis)
- EDR coverage spanning multiple agent runtimes (.NET, Go, Rust, JS)
- Threat-intel updates on Mythic-specific IoCs from CTI feeds
The takeaway
Mythic represents the evolution toward platform-style C2 — separation of concerns between the orchestration server and the agents. For defenders, the implication is that signature-based detection of “the C2 framework” is insufficient; behavioural detection across multiple implant types is required. Test your detection against at least Apollo, Athena, and Poseidon in a lab. The defender stack that catches all three is mature; one that catches none has work to do.
Get a VAPT scoping call
Senior practitioner-led VAPT — not a checklist run by juniors. CVSS-scored findings, free retest, attestation letter. India's SMBs and SaaS teams.