diff --git a/.github/workflows/discord-notify.yml b/.github/workflows/discord-notify.yml
new file mode 100644
index 0000000..7682764
--- /dev/null
+++ b/.github/workflows/discord-notify.yml
@@ -0,0 +1,53 @@
+name: Discord Push Notification
+
+on:
+  push:
+    branches: ['**']
+
+jobs:
+  notify:
+    runs-on: ubuntu-latest
+    steps:
+      - name: Send Discord notification
+        env:
+          DISCORD_WEBHOOK: ${{ secrets.DISCORD_WEBHOOK_URL }}
+          COMMIT_MSG: ${{ github.event.head_commit.message }}
+        run: |
+          BRANCH="${GITHUB_REF#refs/heads/}"
+          REPO="${{ github.repository }}"
+          AUTHOR="${{ github.event.head_commit.author.username }}"
+          COMMIT_SHA="${{ github.sha }}"
+          SHORT_SHA="${COMMIT_SHA:0:7}"
+          COMMIT_URL="${{ github.event.head_commit.url }}"
+          COMPARE_URL="${{ github.event.compare }}"
+          COMMIT_COUNT="${{ github.event.size }}"
+          TIMESTAMP="$(date -u +%Y-%m-%dT%H:%M:%S.000Z)"
+
+          # Truncate commit message for embed
+          FIRST_LINE=$(echo "$COMMIT_MSG" | head -n1 | cut -c1-256)
+
+          curl -s -o /dev/null -w "%{http_code}" -H "Content-Type: application/json" \
+            -X POST "$DISCORD_WEBHOOK" \
+            -d @- <<EOF
+          {
+            "embeds": [{
+              "title": "Push on \`${BRANCH}\`",
+              "url": "${COMPARE_URL}",
+              "color": 16312092,
+              "author": {
+                "name": "${AUTHOR}",
+                "url": "https://github.com/${AUTHOR}",
+                "icon_url": "https://github.com/${AUTHOR}.png"
+              },
+              "description": "[\`${SHORT_SHA}\`](${COMMIT_URL}) ${FIRST_LINE}",
+              "fields": [
+                { "name": "Repository", "value": "[${REPO}](https://github.com/${REPO})", "inline": true },
+                { "name": "Branch", "value": "\`${BRANCH}\`", "inline": true }
+              ],
+              "timestamp": "${TIMESTAMP}",
+              "footer": {
+                "text": "GitHub Push"
+              }
+            }]
+          }
+          EOF
diff --git a/.gitignore b/.gitignore
index 7d78310..dd0d1c8 100644
--- a/.gitignore
+++ b/.gitignore
@@ -38,11 +38,22 @@ tools/flasher/__pycache__/
 tools/flasher/devices.json
 tools/flasher/devices.*.json
 tools/C3PO/config.json
+tools/deploy.json
 **/config.local.json
 
 # C3PO runtime / secrets
 tools/C3PO/keys.json
 tools/C3PO/*.db
+tools/C3PO/data/
+
+# Honeypot runtime databases (can appear anywhere)
+honeypot_events.db
+honeypot_events.db-shm
+honeypot_events.db-wal
+honeypot_alerts.db
+honeypot_geo.db
+*.db-shm
+*.db-wal
 
 # Logs
 *.log
@@ -106,6 +117,10 @@ htmlcov/
 *.backup
 *_backup
 
+# Internal planning
+plan.md
+*.plan.md
+
 # Hardware-specific configs (optional)
 # Uncomment if you don't want to track these
 # espilon_bot/partitions.csv
diff --git a/MODULE_IDEAS.md b/MODULE_IDEAS.md
new file mode 100644
index 0000000..33660cf
--- /dev/null
+++ b/MODULE_IDEAS.md
@@ -0,0 +1,796 @@
+# Espilon Module Ideas
+
+Future module ideas for the Espilon agent framework, organized by category. Each entry includes hardware requirements, estimated cost, complexity (1-5), and key C2 commands.
+
+> **Legend**: Complexity 1 = simple wrapper, 5 = full protocol stack. Cost = additional hardware beyond ESP32.
+
+---
+
+## Table of Contents
+
+- [Radio & Wireless](#radio--wireless)
+- [USB & HID](#usb--hid)
+- [Hardware Hacking](#hardware-hacking)
+- [Network & Protocols](#network--protocols)
+- [Industrial & SCADA](#industrial--scada)
+- [Exfiltration & Covert Channels](#exfiltration--covert-channels)
+- [Sensors & Environment](#sensors--environment)
+- [Crypto & WiFi Attacks](#crypto--wifi-attacks)
+- [Automotive](#automotive)
+- [Physical Security](#physical-security)
+
+---
+
+## Radio & Wireless
+
+### mod_ble — Bluetooth Low Energy
+
+**Hardware**: ESP32 built-in | **Cost**: 0 EUR | **Complexity**: 3/5
+
+BLE scanning, GATT enumeration, beacon spoofing, and device tracking.
+
+**Commands**:
+- `ble_scan [duration]` — Discover BLE devices (name, RSSI, services)
+- `ble_enum <addr>` — Enumerate GATT services and characteristics
+- `ble_read <addr> <handle>` — Read characteristic value
+- `ble_write <addr> <handle> <hex>` — Write to characteristic
+- `ble_beacon <uuid> [major] [minor]` — Spoof iBeacon/Eddystone
+- `ble_track <addr> [duration]` — Track device RSSI over time
+- `ble_flood [count]` — Broadcast random BLE advertisements
+
+**Use cases**: IoT device recon, BLE lock testing, asset tracking, Bluetooth phishing.
+
+---
+
+### mod_zigbee — IEEE 802.15.4 / Zigbee
+
+**Hardware**: CC2530/CC2531 module via UART | **Cost**: ~4 EUR | **Complexity**: 4/5
+
+Sniff, inject, and replay Zigbee/802.15.4 frames. Targets smart home (Philips Hue, SmartThings, Ikea).
+
+**Commands**:
+- `zigbee_scan [channel]` — Discover Zigbee networks and devices
+- `zigbee_sniff <channel> [duration]` — Capture 802.15.4 frames
+- `zigbee_inject <channel> <hex_frame>` — Inject raw frame
+- `zigbee_replay` — Replay captured frames
+- `zigbee_key_sniff [duration]` — Capture transport key exchange
+- `zigbee_jam <channel>` — Channel jamming
+
+**Use cases**: Smart home testing, IoT protocol analysis, Zigbee network penetration.
+
+---
+
+### mod_nfc — RFID / NFC
+
+**Hardware**: RC522 (MIFARE) or PN532 (full NFC) via SPI | **Cost**: ~3 EUR | **Complexity**: 3/5
+
+Read, write, clone, and emulate RFID/NFC tags. Supports MIFARE Classic, NTAG, and ISO 14443.
+
+**Commands**:
+- `nfc_scan` — Detect tags in range (UID, type, ATQA, SAK)
+- `nfc_read <sector> [key]` — Read MIFARE sector
+- `nfc_write <sector> <hex> [key]` — Write to sector
+- `nfc_clone` — Read tag → store → emulate (UID-level clone)
+- `nfc_crack <sector>` — MIFARE Classic key recovery (nested/hardnested)
+- `nfc_dump` — Dump full tag contents
+- `nfc_emulate <uid>` — Emulate tag UID
+
+**Use cases**: Access card cloning, NFC payment research, badge system testing.
+
+---
+
+### mod_subghz — Sub-GHz Radio (433/868/915 MHz)
+
+**Hardware**: CC1101 module via SPI | **Cost**: ~3 EUR | **Complexity**: 4/5
+
+Sniff, decode, record, and replay sub-GHz radio signals. Targets garage doors, remotes, weather stations, sensors.
+
+**Commands**:
+- `subghz_rx <freq_mhz> [modulation]` — Listen on frequency (ASK/FSK/GFSK)
+- `subghz_tx <freq_mhz> <hex_data> [repeat]` — Transmit raw data
+- `subghz_scan <start_mhz> <end_mhz>` — Frequency scanner (find active freqs)
+- `subghz_record <freq_mhz> [duration]` — Record raw signal
+- `subghz_replay [speed]` — Replay recorded signal
+- `subghz_decode <protocol>` — Decode known protocols (Oregon, LaCrosse, etc.)
+- `subghz_bruteforce <freq_mhz> <bits> [delay]` — Brute-force fixed codes
+
+**Use cases**: Garage door testing, remote control analysis, sensor spoofing, ISM band recon.
+
+---
+
+### mod_lora — LoRa Long-Range Mesh
+
+**Hardware**: SX1276/SX1278 module via SPI | **Cost**: ~5 EUR | **Complexity**: 3/5
+
+LoRa-based backup C2 channel and mesh network for long-range, low-bandwidth communication.
+
+**Commands**:
+- `lora_start <freq_mhz> [sf] [bw]` — Init LoRa radio (spreading factor, bandwidth)
+- `lora_send <hex_data>` — Send raw LoRa packet
+- `lora_listen [duration]` — Receive packets
+- `lora_mesh_start` — Enable mesh relay mode (multi-hop)
+- `lora_c2_enable` — Use LoRa as backup C2 channel
+- `lora_range_test` — Ping-pong range measurement
+
+**Use cases**: Backup C2 (1-10 km range), field mesh network, exfiltration when WiFi unavailable.
+
+---
+
+### mod_ir — Infrared TX/RX
+
+**Hardware**: IR LED + IR receiver (VS1838B) | **Cost**: ~1 EUR | **Complexity**: 2/5
+
+Capture, decode, and replay infrared remote signals. Universal remote functionality.
+
+**Commands**:
+- `ir_learn [timeout]` — Record IR signal from any remote
+- `ir_send <protocol> <code>` — Send known protocol (NEC, Sony, RC5, Samsung)
+- `ir_replay` — Replay last captured signal
+- `ir_scan` — Brute-force common power codes (TV-B-Gone style)
+- `ir_raw_send <timing_data>` — Send raw pulse/space timing
+
+**Use cases**: TV/AC control, IR protocol analysis, physical access (some locks use IR).
+
+---
+
+### mod_espnow_swarm — Coordinated ESP-NOW Swarm
+
+**Hardware**: Additional ESP32 agents | **Cost**: 0 EUR per agent | **Complexity**: 4/5
+
+Coordinate multiple Espilon agents via ESP-NOW for distributed operations. Mesh-aware task distribution.
+
+**Commands**:
+- `swarm_discover` — Find nearby Espilon agents
+- `swarm_broadcast <command>` — Send command to all agents
+- `swarm_assign <agent_id> <command>` — Targeted task assignment
+- `swarm_sync` — Synchronize clocks for coordinated actions
+- `swarm_scan_distributed <target>` — Parallel network scanning from multiple positions
+- `swarm_relay <agent_id>` — Use agent as relay for out-of-range C2
+
+**Use cases**: Distributed WiFi scanning, coordinated deauth, coverage extension, multi-angle recon.
+
+---
+
+### mod_tpms — Tire Pressure Monitoring
+
+**Hardware**: CC1101 (315 or 433 MHz) | **Cost**: ~3 EUR | **Complexity**: 3/5
+
+Sniff and spoof TPMS sensors at 315/433 MHz. Vehicle identification via unique sensor IDs.
+
+**Commands**:
+- `tpms_listen [duration]` — Capture TPMS broadcasts
+- `tpms_decode` — Show decoded sensor data (pressure, temp, ID)
+- `tpms_track <sensor_id>` — Track specific vehicle presence
+- `tpms_spoof <sensor_id> <pressure> <temp>` — Inject fake reading
+
+**Use cases**: Vehicle tracking via TPMS IDs, TPMS protocol research.
+
+---
+
+## USB & HID
+
+### mod_badusb — USB HID Injection
+
+**Hardware**: ESP32-S2 or ESP32-S3 (native USB) | **Cost**: 0 EUR | **Complexity**: 3/5
+
+Keystroke injection attack via USB HID. Triggered remotely from C2.
+
+**Commands**:
+- `badusb_run <payload_name>` — Execute named payload
+- `badusb_type <text>` — Type arbitrary text
+- `badusb_key <combo>` — Send key combo (e.g., `WIN+R`, `CTRL+ALT+DEL`)
+- `badusb_delay <ms>` — Wait between keystrokes
+- `badusb_upload <script>` — Upload Ducky Script payload
+- `badusb_list` — List stored payloads
+- `badusb_os_detect` — Detect target OS via timing analysis
+
+**Use cases**: Physical access exploitation, credential harvesting, reverse shell deployment.
+
+---
+
+### mod_rubber_ducky — Ducky Script Interpreter
+
+**Hardware**: ESP32-S2/S3 | **Cost**: 0 EUR | **Complexity**: 2/5
+
+Full Ducky Script interpreter for scripted USB HID payloads. Companion to mod_badusb.
+
+**Commands**:
+- `ducky_load <script>` — Load script from NVS or C2
+- `ducky_exec` — Execute loaded script
+- `ducky_store <name> <script>` — Save payload to NVS
+- `ducky_list` — List stored scripts
+
+---
+
+### mod_usb_mitm — USB Man-in-the-Middle
+
+**Hardware**: ESP32-S3 (dual USB ports) | **Cost**: 0 EUR | **Complexity**: 5/5
+
+Transparent USB proxy: sniff, modify, or inject traffic between host and device.
+
+**Commands**:
+- `usb_mitm_start` — Start USB proxy
+- `usb_mitm_sniff [class]` — Log traffic (HID, mass storage, etc.)
+- `usb_mitm_inject <hex>` — Inject USB packets
+- `usb_mitm_filter <rule>` — Modify packets in transit
+
+**Use cases**: USB protocol analysis, keyboard sniffing, mass storage interception.
+
+---
+
+## Hardware Hacking
+
+### mod_jtag — JTAG/SWD Debug Interface
+
+**Hardware**: GPIO wires (no extra module) | **Cost**: 0 EUR | **Complexity**: 4/5
+
+Bit-bang JTAG/SWD for firmware extraction, debug access, and boundary scan on target devices.
+
+**Commands**:
+- `jtag_scan` — Detect JTAG chain (IDCODE scan)
+- `jtag_read <addr> <size>` — Read memory via debug port
+- `jtag_write <addr> <hex>` — Write memory
+- `jtag_dump <addr> <size>` — Dump firmware to C2
+- `swd_scan` — Detect SWD target
+- `swd_read <addr> <size>` — Read via SWD
+- `swd_halt` / `swd_resume` — Halt/resume target CPU
+
+**Use cases**: Firmware extraction from IoT devices, bypassing read-out protection, live debugging.
+
+---
+
+### mod_uart_bridge — UART Sniff/Inject
+
+**Hardware**: GPIO wires (no extra module) | **Cost**: 0 EUR | **Complexity**: 2/5
+
+UART bridge: sniff serial console traffic or inject commands. Auto-detect baud rate.
+
+**Commands**:
+- `uart_scan [gpio]` — Auto-detect baud rate on GPIO pin
+- `uart_listen <baud> <rx_gpio> [duration]` — Sniff UART traffic
+- `uart_send <baud> <tx_gpio> <data>` — Send data
+- `uart_bridge <baud> <rx> <tx>` — Bidirectional bridge (relay to C2)
+
+**Use cases**: Router console access, IoT device debug ports, embedded system exploitation.
+
+---
+
+### mod_i2c_scan — I2C Bus Discovery
+
+**Hardware**: GPIO wires | **Cost**: 0 EUR | **Complexity**: 2/5
+
+Scan, read, and write I2C devices. EEPROM dumping and sensor spoofing.
+
+**Commands**:
+- `i2c_scan [sda] [scl]` — Discover devices on bus
+- `i2c_read <addr> <reg> <len>` — Read registers
+- `i2c_write <addr> <reg> <hex>` — Write registers
+- `i2c_dump_eeprom <addr> <size>` — Dump EEPROM contents
+
+**Use cases**: EEPROM credential extraction, sensor data manipulation, I2C device enumeration.
+
+---
+
+### mod_spi_flash — SPI Flash Dumper
+
+**Hardware**: SOIC-8 clip + GPIO wires | **Cost**: ~5 EUR | **Complexity**: 3/5
+
+Read/write SPI NOR flash chips (25xx series). In-circuit or off-board.
+
+**Commands**:
+- `spi_flash_detect` — Read JEDEC ID, detect chip
+- `spi_flash_read <addr> <size>` — Read flash to C2
+- `spi_flash_write <addr> <hex>` — Write data
+- `spi_flash_erase <addr> <size>` — Erase sectors
+- `spi_flash_dump` — Full chip dump
+
+**Use cases**: Firmware extraction, credential recovery, flash image modification.
+
+---
+
+### mod_glitch — Voltage/Clock Glitching
+
+**Hardware**: MOSFET + GPIO (voltage glitch) or clock inject circuit | **Cost**: ~5 EUR | **Complexity**: 5/5
+
+Fault injection: precise voltage or clock glitches to bypass secure boot, skip instructions, or corrupt crypto.
+
+**Commands**:
+- `glitch_config <width_ns> <offset_ns> <repeat>` — Set glitch parameters
+- `glitch_arm <trigger_gpio>` — Arm, fire on trigger edge
+- `glitch_fire` — Manual trigger
+- `glitch_sweep <start_ns> <end_ns> <step>` — Automated parameter sweep
+
+**Use cases**: Secure boot bypass, read-out protection defeat, crypto fault injection.
+
+---
+
+## Network & Protocols
+
+### mod_dns — DNS Spoofing & Tunneling
+
+**Hardware**: None (WiFi) | **Cost**: 0 EUR | **Complexity**: 3/5
+
+DNS server for spoofing + DNS tunnel for covert data exfiltration through firewalls.
+
+**Commands**:
+- `dns_spoof_start <domain> <ip>` — Spoof specific domain resolution
+- `dns_spoof_all <ip>` — Redirect all DNS queries to IP
+- `dns_spoof_stop` — Stop spoofing
+- `dns_tunnel_start <domain>` — Start DNS tunnel (data over TXT/CNAME)
+- `dns_tunnel_send <hex>` — Exfiltrate data via DNS
+
+**Use cases**: Pharming, captive portal bypass, firewall evasion, covert exfiltration.
+
+---
+
+### mod_dhcp — DHCP Attacks
+
+**Hardware**: None (WiFi) | **Cost**: 0 EUR | **Complexity**: 3/5
+
+DHCP starvation and rogue DHCP server for MitM via gateway redirection.
+
+**Commands**:
+- `dhcp_starve [count]` — Exhaust DHCP pool with fake MACs
+- `dhcp_rogue_start <gateway_ip> <dns_ip>` — Start rogue DHCP server
+- `dhcp_rogue_stop` — Stop rogue server
+- `dhcp_discover` — Passive DHCP monitoring
+
+**Use cases**: MitM setup, network disruption, rogue gateway for traffic interception.
+
+---
+
+### mod_mdns — mDNS/Bonjour Discovery
+
+**Hardware**: None (WiFi) | **Cost**: 0 EUR | **Complexity**: 2/5
+
+Discover and spoof local services via mDNS (Bonjour, Avahi).
+
+**Commands**:
+- `mdns_scan [duration]` — Discover all mDNS services
+- `mdns_query <service>` — Query specific service type (_http._tcp, _ssh._tcp, etc.)
+- `mdns_spoof <hostname> <ip>` — Spoof mDNS response
+- `mdns_register <service> <port>` — Advertise fake service
+
+**Use cases**: Local service enumeration, service spoofing, printer/AirPlay impersonation.
+
+---
+
+### mod_mqtt — MQTT Broker/Client
+
+**Hardware**: None (WiFi) | **Cost**: 0 EUR | **Complexity**: 3/5
+
+MQTT client for IoT device interaction + rogue broker for message interception.
+
+**Commands**:
+- `mqtt_connect <broker> [user] [pass]` — Connect to broker
+- `mqtt_sub <topic>` — Subscribe and stream messages to C2
+- `mqtt_pub <topic> <payload>` — Publish message
+- `mqtt_enum` — Enumerate all topics (wildcard subscribe)
+- `mqtt_broker_start [port]` — Start rogue MQTT broker
+- `mqtt_intercept <topic>` — MitM specific topic
+
+**Use cases**: IoT device control, smart home exploitation, message injection, credential sniffing.
+
+---
+
+### mod_coap — CoAP Discovery & Exploitation
+
+**Hardware**: None (WiFi) | **Cost**: 0 EUR | **Complexity**: 3/5
+
+CoAP client for constrained IoT device interaction (UDP-based REST).
+
+**Commands**:
+- `coap_discover <ip>` — Discover CoAP resources (.well-known/core)
+- `coap_get <uri>` — GET resource
+- `coap_put <uri> <payload>` — PUT resource
+- `coap_observe <uri>` — Subscribe to resource changes
+
+**Use cases**: IoT device enumeration, sensor data extraction, actuator control.
+
+---
+
+### mod_upnp — UPnP/SSDP Discovery
+
+**Hardware**: None (WiFi) | **Cost**: 0 EUR | **Complexity**: 2/5
+
+Discover and interact with UPnP devices on the network. Map router port forwards.
+
+**Commands**:
+- `upnp_scan` — Discover UPnP devices (SSDP M-SEARCH)
+- `upnp_describe <url>` — Get device description XML
+- `upnp_port_map <ext_port> <int_ip> <int_port>` — Add port mapping on router
+- `upnp_port_list` — List existing port mappings
+- `upnp_port_del <ext_port>` — Remove port mapping
+
+**Use cases**: Router exploitation, port mapping for persistence, device enumeration.
+
+---
+
+### mod_socks — SOCKS5 Proxy
+
+**Hardware**: None (WiFi) | **Cost**: 0 EUR | **Complexity**: 3/5
+
+Full SOCKS5 proxy running on the agent for network pivoting.
+
+**Commands**:
+- `socks_start [port] [auth]` — Start SOCKS5 server
+- `socks_stop` — Stop proxy
+- `socks_status` — Active connections, bandwidth stats
+- `socks_whitelist <ip>` — Allow only specific clients
+
+**Use cases**: Network pivoting, traffic routing through agent, accessing internal networks.
+
+---
+
+### mod_wifi_rogue — Advanced Evil Twin
+
+**Hardware**: None (WiFi) | **Cost**: 0 EUR | **Complexity**: 5/5
+
+WPA2-Enterprise Evil Twin with EAP credential interception (EAP-TTLS, PEAP, MSCHAPv2).
+
+**Commands**:
+- `rogue_start <ssid> [eap_type]` — Start evil twin with RADIUS
+- `rogue_stop` — Stop
+- `rogue_creds` — List captured credentials
+- `rogue_deauth <bssid> <station>` — Force client reconnection to rogue AP
+
+**Use cases**: Enterprise WiFi credential harvesting, WPA2-Enterprise testing.
+
+---
+
+## Industrial & SCADA
+
+### mod_modbus — Modbus TCP/RTU
+
+**Hardware**: None (TCP) or MAX485 (~2 EUR for RTU) | **Cost**: 0-2 EUR | **Complexity**: 3/5
+
+Modbus protocol for SCADA/ICS reconnaissance and interaction.
+
+**Commands**:
+- `modbus_scan <ip_range>` — Discover Modbus TCP devices
+- `modbus_read <ip> <unit> <addr> <count> [type]` — Read holding/input registers
+- `modbus_write <ip> <unit> <addr> <value>` — Write register
+- `modbus_coils <ip> <unit> <addr> <count>` — Read/write coils
+- `modbus_enum <ip>` — Enumerate function codes and unit IDs
+- `modbus_rtu_scan <baud>` — Scan RTU bus (RS-485)
+
+**Use cases**: SCADA assessment, PLC interaction, industrial network mapping.
+
+---
+
+### mod_bacnet — Building Automation
+
+**Hardware**: None (WiFi/Ethernet) | **Cost**: 0 EUR | **Complexity**: 4/5
+
+BACnet protocol for building automation system interaction (HVAC, lighting, access).
+
+**Commands**:
+- `bacnet_discover` — Who-Is broadcast, discover BACnet devices
+- `bacnet_read <device> <object> <property>` — Read property
+- `bacnet_write <device> <object> <property> <value>` — Write property
+- `bacnet_enum <device>` — Enumerate objects on device
+
+**Use cases**: Building automation testing, HVAC control, access system research.
+
+---
+
+### mod_ethernet — Wired Ethernet (W5500)
+
+**Hardware**: W5500 or ENC28J60 SPI module | **Cost**: ~4 EUR | **Complexity**: 3/5
+
+Wired Ethernet connectivity — bypass WiFi isolation, direct LAN access.
+
+**Commands**:
+- `eth_start [dhcp|static <ip>]` — Init Ethernet interface
+- `eth_status` — Link state, IP config
+- `eth_scan` — ARP scan on wired LAN
+- `eth_bridge` — Bridge WiFi ↔ Ethernet traffic
+
+**Use cases**: Drop box on wired network, bypass wireless ACLs, physical pentesting.
+
+---
+
+## Exfiltration & Covert Channels
+
+### mod_dns_tunnel — C2 over DNS
+
+**Hardware**: None (WiFi) | **Cost**: 0 EUR | **Complexity**: 4/5
+
+Full C2 communication over DNS queries/responses. Bypasses most firewalls.
+
+**Commands**:
+- `dns_c2_start <domain> <resolver>` — Start DNS C2 channel
+- `dns_c2_stop` — Revert to TCP
+- `dns_c2_status` — Throughput, latency stats
+
+**Use cases**: Firewall bypass, restricted network C2, exfiltration through corporate DNS.
+
+---
+
+### mod_icmp_tunnel — C2 over ICMP
+
+**Hardware**: None (WiFi) | **Cost**: 0 EUR | **Complexity**: 3/5
+
+Backup C2 channel using ICMP echo request/reply payloads.
+
+**Commands**:
+- `icmp_c2_start <server_ip>` — Start ICMP tunnel
+- `icmp_c2_stop` — Revert to TCP
+- `icmp_exfil <hex_data>` — One-shot data exfiltration
+
+**Use cases**: C2 when TCP is blocked, ping-based covert channel.
+
+---
+
+### mod_audio_exfil — Audio Capture
+
+**Hardware**: INMP441 I2S MEMS microphone | **Cost**: ~3 EUR | **Complexity**: 4/5
+
+Audio recording and optional ultrasonic covert channel for air-gapped data transfer.
+
+**Commands**:
+- `audio_record [duration] [quality]` — Record audio, stream to C2
+- `audio_level` — Ambient noise level (trigger-based recording)
+- `audio_vad_start` — Voice Activity Detection — record only when speaking
+- `audio_ultrasonic_tx <hex>` — Transmit data via ultrasound (18-22 kHz)
+
+**Use cases**: Environmental awareness, meeting capture, air-gap bridging.
+
+---
+
+### mod_sdcard — SD Card Storage
+
+**Hardware**: MicroSD module via SPI | **Cost**: ~2 EUR | **Complexity**: 2/5
+
+Local offline storage for dead-drop operations, large data dumps, and logging.
+
+**Commands**:
+- `sd_init` — Mount SD card
+- `sd_write <filename> <data>` — Write file
+- `sd_read <filename>` — Read and stream to C2
+- `sd_list` — List files
+- `sd_log_start` — Log all C2 traffic to SD
+- `sd_space` — Free/total space
+
+**Use cases**: Offline data collection, dead-drop exfiltration, large firmware dumps.
+
+---
+
+## Sensors & Environment
+
+### mod_gps — GPS/GNSS Tracking
+
+**Hardware**: NEO-6M/NEO-7M via UART | **Cost**: ~5 EUR | **Complexity**: 2/5
+
+GPS positioning, geofencing, and location-stamped events.
+
+**Commands**:
+- `gps_start` — Begin GPS acquisition
+- `gps_position` — Current lat/lon/alt/speed
+- `gps_track [interval]` — Stream position to C2
+- `gps_geofence <lat> <lon> <radius_m> <action>` — Trigger action on enter/exit
+- `gps_log_start` — Log positions to NVS
+
+**Use cases**: Asset tracking, geofenced triggers, location-aware operations.
+
+---
+
+### mod_environment — Environmental Sensors
+
+**Hardware**: DHT22/BME280/PIR/LDR | **Cost**: ~3 EUR | **Complexity**: 1/5
+
+Read temperature, humidity, pressure, motion, and light sensors.
+
+**Commands**:
+- `env_read` — Read all connected sensors
+- `env_monitor [interval]` — Stream readings to C2
+- `env_motion_alert` — Alert C2 on PIR trigger
+- `env_trigger <sensor> <threshold> <action>` — Conditional triggers
+
+**Use cases**: Physical security awareness, environmental monitoring, trigger-based activation.
+
+---
+
+### mod_power — Power Management
+
+**Hardware**: TP4056 + LiPo battery | **Cost**: ~5 EUR | **Complexity**: 3/5
+
+Battery management, intelligent deep sleep, and solar charging support.
+
+**Commands**:
+- `power_status` — Battery voltage, charging state, estimated runtime
+- `power_sleep <seconds>` — Enter deep sleep with wake timer
+- `power_sleep_until <gpio_trigger>` — Sleep until GPIO event
+- `power_profile <mode>` — Power profiles (aggressive, balanced, stealth)
+- `power_schedule <cron> <command>` — Scheduled wake + command execution
+
+**Use cases**: Long-duration deployment, battery-powered field operations, solar-powered persistent presence.
+
+---
+
+### mod_display — OLED/TFT Display
+
+**Hardware**: SSD1306 OLED (0.96") or ST7735 TFT via SPI/I2C | **Cost**: ~3 EUR | **Complexity**: 2/5
+
+Local status display for field operations (no C2 needed to see agent state).
+
+**Commands**:
+- `display_text <text>` — Show text on screen
+- `display_status` — Show device info, connection state, active module
+- `display_qr <data>` — Generate QR code on display
+- `display_off` — Turn off (stealth)
+
+**Use cases**: Field status monitoring, debug output, one-way info display.
+
+---
+
+## Crypto & WiFi Attacks
+
+### mod_deauth — 802.11 Deauthentication
+
+**Hardware**: None (WiFi) | **Cost**: 0 EUR | **Complexity**: 2/5
+
+Targeted 802.11 deauth for forcing client reconnection (handshake capture setup).
+
+**Commands**:
+- `deauth <bssid> <station> [count]` — Targeted deauth
+- `deauth_all <bssid> [count]` — Broadcast deauth
+- `deauth_continuous <bssid> [interval]` — Persistent deauth
+
+**Use cases**: WPA handshake capture setup, client denial, forced AP migration.
+
+---
+
+### mod_wpa_crack — WPA Handshake Capture
+
+**Hardware**: None (WiFi) | **Cost**: 0 EUR | **Complexity**: 4/5
+
+Capture 4-way handshake and attempt dictionary attack with embedded wordlist.
+
+**Commands**:
+- `wpa_capture <bssid> [channel] [timeout]` — Wait for handshake (or deauth to force)
+- `wpa_crack <bssid> [wordlist]` — Dictionary attack on captured handshake
+- `wpa_export <bssid>` — Export handshake as pcap/hccapx to C2
+
+**Use cases**: WiFi security assessment, credential recovery.
+
+---
+
+### mod_pmkid — PMKID Attack
+
+**Hardware**: None (WiFi) | **Cost**: 0 EUR | **Complexity**: 4/5
+
+Capture PMKID from AP without any connected client. Faster than handshake capture.
+
+**Commands**:
+- `pmkid_scan [duration]` — Scan APs and capture PMKIDs
+- `pmkid_target <bssid>` — Target specific AP
+- `pmkid_export` — Export PMKIDs for offline cracking
+
+**Use cases**: WiFi testing without connected clients, faster WPA cracking.
+
+---
+
+### mod_rfcrack — Rolling Code Analysis
+
+**Hardware**: CC1101 via SPI | **Cost**: ~3 EUR | **Complexity**: 5/5
+
+Analyze and attack rolling code systems (garages, car key fobs, gates).
+
+**Commands**:
+- `rfcrack_listen <freq>` — Capture rolling code transmissions
+- `rfcrack_analyze` — Identify protocol (KeeLoq, etc.)
+- `rfcrack_rolljam <freq>` — RollJam attack (jam + capture + replay)
+- `rfcrack_desync <freq>` — De-synchronization attack
+
+**Use cases**: Physical security research, rolling code protocol analysis.
+
+---
+
+## Automotive
+
+### mod_lin_bus — LIN Bus
+
+**Hardware**: MCP2004A LIN transceiver | **Cost**: ~3 EUR | **Complexity**: 3/5
+
+LIN bus (Local Interconnect Network) — sub-bus used for windows, seats, mirrors, lights.
+
+**Commands**:
+- `lin_start [baud]` — Init LIN transceiver (default 19200)
+- `lin_sniff [duration]` — Capture LIN frames
+- `lin_send <id> <data_hex>` — Send LIN frame
+- `lin_master_start` — Become LIN master (send schedule table)
+- `lin_enum` — Enumerate slave nodes
+
+**Use cases**: Automotive body control testing, seat/window/mirror manipulation.
+
+---
+
+### mod_obd_tracker — OBD-II GPS Tracker
+
+**Hardware**: MCP2515 + NEO-6M GPS | **Cost**: ~8 EUR | **Complexity**: 3/5
+
+Autonomous vehicle tracker: logs GPS position + OBD-II data, reports to C2 when connectivity available.
+
+**Commands**:
+- `tracker_start [interval]` — Begin tracking (OBD + GPS)
+- `tracker_stop` — Stop and upload buffered data
+- `tracker_status` — Current position + vehicle stats
+- `tracker_geofence <lat> <lon> <radius>` — Alert on geofence breach
+- `tracker_trips` — Summarize recorded trips
+
+**Use cases**: Vehicle tracking, fleet monitoring, trip analysis.
+
+---
+
+### mod_flexray — FlexRay Bus
+
+**Hardware**: FlexRay transceiver (TJA1080) | **Cost**: ~15 EUR | **Complexity**: 5/5
+
+FlexRay monitoring for premium vehicles (BMW, Mercedes, Audi). Deterministic, time-triggered protocol.
+
+**Commands**:
+- `flexray_listen <channel>` — Monitor FlexRay channel (A or B)
+- `flexray_decode` — Decode known frame IDs
+- `flexray_status` — Bus state, cycle time, slot info
+
+**Use cases**: Premium vehicle bus analysis, FlexRay protocol research.
+
+---
+
+## Physical Security
+
+### mod_keylogger — PS/2 Keyboard Logger
+
+**Hardware**: PS/2 connector + GPIO wires | **Cost**: ~2 EUR | **Complexity**: 2/5
+
+Hardware keylogger for PS/2 keyboards. Inline transparent interception.
+
+**Commands**:
+- `keylog_start` — Begin capturing keystrokes
+- `keylog_stop` — Stop and send buffer to C2
+- `keylog_dump` — Send current buffer
+- `keylog_live` — Stream keystrokes in real-time to C2
+
+**Use cases**: Physical access keystroke capture.
+
+---
+
+### mod_relay — Relay Control
+
+**Hardware**: Relay module (1/2/4 channel) | **Cost**: ~2 EUR | **Complexity**: 1/5
+
+GPIO relay control for physical actuators (doors, power, devices).
+
+**Commands**:
+- `relay_on <channel>` — Activate relay
+- `relay_off <channel>` — Deactivate relay
+- `relay_pulse <channel> <duration_ms>` — Momentary activation
+- `relay_schedule <channel> <cron>` — Scheduled activation
+
+**Use cases**: Physical access control, remote power switching, automated triggers.
+
+---
+
+## Priority Matrix
+
+Modules ranked by impact/effort ratio for implementation priority:
+
+| Priority | Module | Why |
+|----------|--------|-----|
+| **High** | mod_ble | Built-in hardware, zero cost, huge IoT attack surface |
+| **High** | mod_deauth | Simple, essential for WiFi assessment workflows |
+| **High** | mod_badusb | ESP32-S2/S3 native USB, high impact physical access |
+| **High** | mod_uart_bridge | Zero cost, essential for hardware hacking |
+| **High** | mod_dns | WiFi only, enables MitM and exfiltration |
+| **Medium** | mod_nfc | Cheap hardware, wide applicability (access cards) |
+| **Medium** | mod_subghz | CC1101 is cheap, covers huge attack surface |
+| **Medium** | mod_mqtt | IoT everywhere, zero additional hardware |
+| **Medium** | mod_socks | Pivoting capability, WiFi only |
+| **Medium** | mod_gps | Cheap module, enables location-aware operations |
+| **Medium** | mod_modbus | SCADA is a growing target, dual TCP/RTU |
+| **Medium** | mod_sdcard | Simple, enables offline operations |
+| **Low** | mod_lora | Good range but low throughput |
+| **Low** | mod_glitch | High complexity, niche use case |
+| **Low** | mod_flexray | Expensive hardware, niche vehicles |
+| **Low** | mod_usb_mitm | Requires ESP32-S3 dual USB, very complex |
diff --git a/QUICKSTART.md b/QUICKSTART.md
new file mode 100644
index 0000000..fbf60e8
--- /dev/null
+++ b/QUICKSTART.md
@@ -0,0 +1,147 @@
+# Espilon — Quick Start Guide
+
+Get a working C2 server in **under 5 minutes**.
+
+> For full documentation see [README.md](README.md) and [tools/C3PO/README.md](tools/C3PO/README.md).
+
+---
+
+## Option A: Without Docker (recommended for development)
+
+### 1. Clone and install
+
+```bash
+git clone https://github.com/Espilon-Net/epsilon-source.git
+cd epsilon-source/tools/C3PO
+
+python3 -m venv .venv
+source .venv/bin/activate
+pip install -r requirements.txt
+```
+
+### 2. Configure
+
+```bash
+cp .env.example .env
+# Edit .env to change default passwords (optional for local testing)
+```
+
+### 3. Start the C2 server
+
+```bash
+python c3po.py
+```
+
+The TUI (terminal interface) starts automatically. You'll see a multi-pane interface with device list and logs.
+
+### 4. Deploy to ESP32
+
+```bash
+cd tools
+python deploy.py -p /dev/ttyUSB0 -d my-device-01 \
+    --wifi "YourSSID" "YourPassword" \
+    --srv 192.168.1.100
+```
+
+This will:
+- Generate a unique crypto key
+- Build the firmware
+- Flash the ESP32
+- Register the key in C3PO's keystore
+
+The device connects automatically and appears in the TUI.
+
+### 5. Send commands
+
+In the C3PO TUI command bar (bottom), type:
+
+```
+send <device_id> system_info
+send <device_id> ping 8.8.8.8
+send <device_id> arp_scan
+send <device_id> system_mem
+```
+
+Replace `<device_id>` with the ID shown in the TUI.
+
+---
+
+## Option B: With Docker
+
+### 1. Start C3PO
+
+```bash
+cd tools/C3PO
+cp .env.example .env
+docker compose up -d
+```
+
+### 2. Open the web dashboard
+
+Open http://localhost:8000 in your browser. Login: `admin` / `admin` (change in `.env`).
+
+### 3. Deploy to ESP32
+
+```bash
+cd tools
+python deploy.py -p /dev/ttyUSB0 -d my-device-01 \
+    --wifi "YourSSID" "YourPassword" \
+    --srv <your-machine-ip>
+```
+
+---
+
+## Prerequisites for ESP32 hardware
+
+- ESP-IDF v5.3.2 installed ([install guide](https://docs.espressif.com/projects/esp-idf/en/v5.3.2/esp32/get-started/))
+- ESP32 connected via USB
+- Python 3.8+
+
+---
+
+## Web dashboard
+
+Start the web server from the TUI:
+
+```
+web start
+```
+
+Then open http://localhost:8000. Pages available:
+
+| Page | URL | Description |
+|------|-----|-------------|
+| Dashboard | `/dashboard` | Device list and status |
+| Cameras | `/cameras` | Live camera feeds |
+| MLAT | `/mlat` | Multilateration map |
+| OTA | `/ota` | Firmware build & deploy |
+
+---
+
+## Common commands reference
+
+```
+help                              Show all commands
+list                              List connected devices
+send <id> system_info             Device info (chip, modules, memory)
+send <id> system_mem              Memory usage
+send <id> ping <host>             ICMP ping
+send <id> arp_scan                Scan local network
+send <id> fakeap_start <ssid>     Start a fake AP (if module enabled)
+send all system_info              Broadcast to all devices
+group add scanners <id1> <id2>    Create device group
+send group scanners arp_scan      Send to group
+web start                         Start web dashboard
+camera start                      Start camera UDP receiver
+```
+
+---
+
+## Troubleshooting
+
+| Problem | Solution |
+|---------|----------|
+| `ModuleNotFoundError: textual` | `pip install -r requirements.txt` |
+| Device connects but commands fail | Check `keys.json` — the device key must match |
+| Web dashboard not loading | Run `web start` in TUI first, then open http://localhost:8000 |
+| `Decrypt/auth failed` | Key mismatch — re-provision the device with `deploy.py` |
diff --git a/README.md b/README.md
index f76a51e..70007af 100644
--- a/README.md
+++ b/README.md
@@ -9,6 +9,8 @@
 [![Platform](https://img.shields.io/badge/Platform-ESP32-red.svg)](https://www.espressif.com/en/products/socs/esp32)
 
 > **IMPORTANT**: Espilon is intended for security research, authorized penetration testing, and education. Unauthorized use is illegal. Always obtain written permission before any deployment.
+>
+> **New here?** Check the [Quick Start Guide](QUICKSTART.md) — get a working C2 with a simulated device in under 5 minutes, no ESP32 required.
 
 ---
 
@@ -27,6 +29,10 @@
   - [Network Module](#network-module)
   - [FakeAP Module](#fakeap-module)
   - [Recon Module](#recon-module)
+  - [Red Team Module](#red-team-module)
+  - [Honeypot Module](#honeypot-module)
+  - [CAN Bus Module](#can-bus-module-mcp2515)
+  - [OTA Module](#ota-module)
 - [Tools](#tools)
   - [Multi-Device Flasher](#multi-device-flasher)
   - [C2 Server (C3PO)](#c2-server-c3po)
@@ -143,7 +149,8 @@ Espilon transforms affordable ESP32 microcontrollers (~$5) into powerful network
 |         |              |                 |              |
 |  +-----------------------------------------------------+|
 |  |           Module System (FreeRTOS)                  ||
-|  |  [Network] [FakeAP] [Recon] [Custom...]             ||
+|  |  [Network] [FakeAP] [Recon] [RedTeam] [Honeypot]   ||
+|  |  [CAN Bus] [OTA] [Custom...]                        ||
 |  +-----------------------------------------------------+|
 +---------------------------------------------------------+
                         | Encrypted TCP
@@ -166,7 +173,7 @@ Espilon transforms affordable ESP32 microcontrollers (~$5) into powerful network
 
 ## Available Modules
 
-> **Important note**: Modules are **mutually exclusive**. You must choose **only one module** during configuration via menuconfig.
+> Modules are enabled independently via `idf.py menuconfig` → Espilon Bot Configuration → Modules. Multiple modules can be active simultaneously (subject to flash/RAM constraints).
 
 ### System Module (Built-in, always active)
 
@@ -175,10 +182,11 @@ Basic system commands:
 - `system_reboot`: Reboot the ESP32
 - `system_mem`: Display memory usage (heap free, heap min, internal free)
 - `system_uptime`: Uptime since boot
+- `system_info`: Chip info, SDK version, active modules
 
 ### Network Module
 
-Module for network reconnaissance and testing:
+Network reconnaissance and testing:
 
 - `ping <host> [args...]`: ICMP connectivity test
 - `arp_scan`: Discover hosts on local network via ARP
@@ -188,20 +196,18 @@ Module for network reconnaissance and testing:
 
 ### FakeAP Module
 
-Module for creating simulated WiFi access points:
+Simulated WiFi access points with captive portal and traffic sniffing:
 
 - `fakeap_start <ssid> [open|wpa2] [password]`: Start a fake access point
 - `fakeap_stop`: Stop the fake AP
 - `fakeap_status`: Display status (AP, portal, sniffer, clients)
 - `fakeap_clients`: List connected clients
-- `fakeap_portal_start`: Enable captive portal
-- `fakeap_portal_stop`: Disable captive portal
-- `fakeap_sniffer_on`: Enable network traffic capture
-- `fakeap_sniffer_off`: Disable capture
+- `fakeap_portal_start` / `fakeap_portal_stop`: Captive portal
+- `fakeap_sniffer_on` / `fakeap_sniffer_off`: Traffic capture
 
 ### Recon Module
 
-Reconnaissance and data collection module. Two modes available:
+Reconnaissance and data collection. Two modes:
 
 #### Camera Mode (ESP32-CAM)
 
@@ -213,16 +219,57 @@ Reconnaissance and data collection module. Two modes available:
 - `trilat start <mac> <url> <bearer>`: Start BLE trilateration with HTTP POST
 - `trilat stop`: Stop trilateration
 
+### Red Team Module
+
+Autonomous WiFi hunting, credential attacks, and ESP-NOW mesh relay:
+
+- `hunt_start [profile]`: Launch autonomous WiFi scan + attack cycle
+- `hunt_stop`: Stop hunting
+- `hunt_status`: Current targets, progress, captured credentials
+- Stealth features: MAC randomization, passive scanning, timing jitter
+- ESP-NOW mesh: multi-hop relay for out-of-range C2
+
+### Honeypot Module
+
+Fake network services that log attacker interactions:
+
+- Emulated services: SSH, Telnet, HTTP, FTP (configurable ports)
+- WiFi monitor: detect rogue APs and deauth attacks
+- Network anomaly detection: ARP spoofing, port scanning alerts
+- All events streamed to C2 with attacker fingerprints
+
+### CAN Bus Module (MCP2515)
+
+Automotive CAN bus: sniff, inject, UDS diagnostics, OBD-II, and fuzzing via external MCP2515 SPI controller.
+
+- `can_start [bitrate] [mode]`: Init bus (normal/listen/loopback)
+- `can_sniff [duration]` / `can_record` / `can_replay`: Capture and replay
+- `can_send <id> <data>`: Frame injection
+- UDS: `can_scan_ecu`, `can_uds_read`, `can_uds_dump`, `can_uds_auth`
+- OBD-II: `can_obd <pid>`, `can_obd_vin`, `can_obd_dtc`, `can_obd_monitor`
+- Fuzzing: `can_fuzz_id`, `can_fuzz_data`, `can_fuzz_random`
+
+See [mod_canbus documentation](espilon_bot/components/mod_canbus/README.md) for full details.
+
+### OTA Module
+
+Over-the-air firmware updates from C2 server:
+
+- Secure HTTPS firmware download (optional HTTP fallback)
+- Dual partition scheme (A/B) for safe rollback
+- Progress reporting to C2
+
 ---
 
-**Configuration**: `idf.py menuconfig` -> Espilon Bot Configuration -> Modules
+**Configuration**: `idf.py menuconfig` → Espilon Bot Configuration → Modules
 
-Choose **only one module**:
-
-- `CONFIG_MODULE_NETWORK`: Enable the Network Module
-- `CONFIG_MODULE_FAKEAP`: Enable the FakeAP Module
-- `CONFIG_MODULE_RECON`: Enable the Recon Module
-  - Then choose: `Camera` or `BLE Trilateration`
+- `CONFIG_MODULE_NETWORK`: Network Module
+- `CONFIG_MODULE_FAKEAP`: FakeAP Module
+- `CONFIG_MODULE_RECON`: Recon Module (Camera or BLE Trilateration)
+- `CONFIG_MODULE_REDTEAM`: Red Team Module
+- `CONFIG_MODULE_HONEYPOT`: Honeypot Module
+- `CONFIG_MODULE_CANBUS`: CAN Bus Module (requires MCP2515 hardware)
+- `CONFIG_ESPILON_OTA_ENABLED`: OTA Updates
 
 ---
 
@@ -333,22 +380,27 @@ Espilon should only be used for:
 
 ## Roadmap
 
-### V2.0 (In Progress)
+### V2.0 (Complete)
 
 - [x] ChaCha20-Poly1305 AEAD + HKDF crypto upgrade
 - [x] Per-device factory NVS key provisioning
 - [x] C3PO C2 rewrite with per-device crypto
-- [ ] Mesh networking (BLE/WiFi)
-- [ ] OTA updates
-- [ ] Collaborative multilateration
-- [ ] Memory optimization
+- [x] OTA firmware updates
+- [x] Red Team module (autonomous WiFi hunting)
+- [x] Honeypot module (fake services + monitoring)
+- [x] CAN Bus module (MCP2515 — sniff, inject, UDS, OBD-II, fuzzing)
+- [x] Web dashboard with device management, camera, MLAT, OTA, CAN
 
 ### Future
 
+- [ ] BLE module (scan, GATT enum, beacon spoofing)
+- [ ] Sub-GHz module (CC1101 — 433/868/915 MHz)
+- [ ] BadUSB module (ESP32-S2/S3 HID injection)
 - [ ] Custom Espilon PCB
 - [ ] ESP32-S3/C3 support
 - [ ] Module SDK for third-party extensions
-- [ ] Web UI for C2
+
+See [MODULE_IDEAS.md](MODULE_IDEAS.md) for the full list of planned modules.
 
 ---