Command Line Flags

Merlin is composed of the following components:

  • Merlin Server - The program that receives and handles Agent traffic and operator CLI commands to control the server and Agents

  • Merlin Agent - The post-exploitation command and control Agent that runs on a compromised host

  • Merlin CLI - The command line interface that allows operators to interact with the Merlin Server and Agents


This page cover the Merlin Command Line Interface (CLI) program

The CLI uses Google RPC (gRPC) protocol buffers over TLS to communicate with the Merlin Server. All API calls require a password to authenticate to the server.

$ ./merlin-cli -h
Usage of merlin-cli:
  -addr string
        The address of the Merlin server to connect to (default "")
  -password string
        the password to connect to the Merlin server (default "merlin")
        Require server TLS certificate verification
  -tlsCA string
        TLS Certificate Authority file path
  -tlsCert string
        TLS certificate file path
  -tlsKey string
        TLS private key file path
        Print the version number and exit



The default address is

The addr flag specifies the address of the Merlin Server to connect to. The connection uses gRPC over TLS.



The default password is merlin and should always be changed to prevent unauthorized access

The password flag sets the password needed to authenticate all gRPC requests.



By default, the Merlin Server will generate a self-signed TLS certificate that will not be trusted by the CLI if this flag is enabled.

The secure flag enables TLS certificate verification. When this flag is set, the CLI will verify the Server’s TLS certificate.


The tlsCA flag specifies a custom CA certificate file to validate and trust the Server’s certificate.


The tlsCert flag specifies the certificate file the Merlin CLI will use for mutual TLS authentication with the Merlin Server.


The tlsKey flag specifies the private key file for the tlsCert.


The version flag prints the version number of the Merlin Server and exits.

$ ./merlin-cli -version
Merlin Version: 1.0.0, Build: nonRelease