Authorized internal security platform

Argus

An AI-driven, sandbox-first penetration testing platform that discovers security gaps across the network, Linux/Windows hosts, and Active Directory — strictly read-only, fully audited, and safe for sensitive internal environments.

🛡️ 7-layer guardrail 🧠 Claude · local Gemma · offline 🔬 network · host · AD 🏥 HIPAA-aware 📝 HMAC-audited

The pipeline — how a scan flows

Every action descends through the same layered path. Nothing reaches a target without passing the guardrail.

Layer 1 · 🎛️ Operator Console: CLI + FastAPI GUI. Pick targets, profile, and AI brain.
Layer 2 · 🛡️ Guardrail (fail-closed): Scope canonicalization · tool/command catalog · budget · HMAC audit.
Layer 3 · 📦 Sandbox: Isolated --internal Docker net · argv-only exec · OS timeouts.
Layer 4 · 🔬 Collectors: 16 network tools · Linux/SSH · Windows/WinRM · AD/LDAP — all read-only.
Layer 5 · 🧠 AI Analysis: Cost-aware triage → correlation. CVSS · MITRE ATT&CK · attack paths.
Layer 6 · 📊 Reporting: Platform mitigation playbooks → CSV/MD/JSON into the ticket tracker.

The guardrail — 7 layers, fail-closed

Borrowed from Phantom's defense model, hardened by adversarial review.

Layer 1

Scope guard

Targets are canonicalized (decimal/hex/octal spellings resolved to one address), then checked with subnet_of against the allowed range. Default-deny on anything unparseable.
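The scope guard described above, as an added example that is not Argus's own code: it resolves inet_aton-style spellings of an IPv4 target (decimal, hex, octal, and the short forms where the last component fills the remaining bytes), then runs a fail-closed subnet_of check. The allowed range 10.20.0.0/16 is a constructed value; a real deployment would load scope from its authorization record.

```python
import ipaddress
import re
from typing import Optional

# Constructed allow-list for this example (IPv4 only).
ALLOWED_SCOPE = [ipaddress.ip_network("10.20.0.0/16")]

# One dotted component: hex (0x..), octal (leading 0), or plain decimal.
_PART = re.compile(r"^(0[xX][0-9a-fA-F]+|0[0-7]*|[1-9][0-9]*)$")


def _parse_part(s: str) -> Optional[int]:
    """Parse one component the way inet_aton does; None if not a valid number."""
    if not _PART.match(s):
        return None
    if s[:2].lower() == "0x":
        return int(s[2:], 16)
    if len(s) > 1 and s[0] == "0":
        return int(s, 8)
    return int(s)


def canonicalize(target: str) -> Optional[ipaddress.IPv4Address]:
    """Return the single dotted-quad address behind any inet_aton spelling, or None."""
    parts = target.strip().split(".")
    if not 1 <= len(parts) <= 4:
        return None
    vals = [_parse_part(p) for p in parts]
    if any(v is None for v in vals):
        return None
    # inet_aton semantics: leading components are single bytes, the last one
    # fills whatever bytes remain (so "10.20.261" and "169083141" are 10.20.1.5).
    *head, last = vals
    if any(v > 0xFF for v in head):
        return None
    width = 8 * (4 - len(head))
    if last >= 1 << width:
        return None
    n = 0
    for v in head:
        n = (n << 8) | v
    return ipaddress.IPv4Address((n << width) | last)


def in_scope(target: str) -> bool:
    """Fail-closed: unparseable input is denied; otherwise the /32 must be subnet_of an allowed range."""
    addr = canonicalize(target)
    if addr is None:
        return False
    host = ipaddress.ip_network(f"{addr}/32")
    return any(host.subnet_of(net) for net in ALLOWED_SCOPE)
```

Because ipaddress.ip_address rejects hex and octal spellings outright, a guard that skips the canonicalization step would silently deny legitimate in-scope targets written that way, while one that canonicalizes without the width and byte-range checks would accept values that do not name an address at all.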

Layer 2

Tool / command firewall

Closed allowlists. Per-tool dangerous-flag denial. Exploit tools armed-only.

Layer 3

Sandbox isolation

Argv-only exec in an internet-isolated Docker network. No shell, no host route.

Layer 4–5

Budget & time

Wall-clock + token + dollar ceilings on a monotonic ledger. Kill on breach.

Layer 6

HMAC audit

SHA-256 chained, tamper-evident log of every authorize/exec/deny.

Layer 7

Output sanitizer

Redacts secrets/PHI (passwords, SSN, MRN); tool output treated as untrusted.

Coverage — what Argus sees

Network outside-in, plus credentialed host and directory depth.

Network

16 read-only tools

nmap · masscan · nuclei · sslscan · whatweb · enum4linux · smbmap · snmp · ldapsearch — 9 profiles.

Host · Linux

SSH audit

SUID/GTFOBins · NOPASSWD sudo · weak sshd · world-writable · Lynis.

Host · Windows

WinRM audit

SMB signing · AlwaysInstallElevated · unquoted services · WDigest · UAC · LAPS.

Active Directory

LDAP / AD

Anonymous bind · RootDSE disclosure · user enumeration. PingCastle/BloodHound hooks.

The brain — switchable, cost-aware

One scan, three interchangeable engines — pick per run.

Claude: Haiku → Sonnet
cloud, deepest reasoning
Ollama: Gemma / Qwen
local · PHI-safe · $0
Offline: heuristic rules
no network, always works

Agentic reasoning — propose, then the guardrail disposes

Beyond a linear checklist: Argus reasons over the evidence graph, chains findings into attack paths, and adapts what it runs next — every action still re-authorized by the 7-layer guardrail, so autonomy never escapes scope.

Module 1

Web / API recon

Curated read-only probe for .env, .git, actuator, Swagger/OpenAPI — maps the unauthenticated foothold surface.

Module 5

Segmentation validator

Reframes recon as architecture: flags database/management/directory planes reachable from a user VLAN.

Module 4

Shadow-AI discovery

Finds ungoverned local LLMs/notebooks (Ollama, Jupyter, Gradio, vLLM, vector DBs).

Module 2

Credential exposure

Detects GPP cpassword, exposed .env/.git, history/registry secrets — reports the path, never the secret.

Module 3

Chaining engine

Deterministic decision-trees derive multi-step attack paths, each tagged proof: observed | theoretical.

Module 3b

Planner loop

observe → plan → authorize → collect → re-plan, bounded by budget/depth. Guardrail vets every step.

PoC verifier

Lab-only, 3-gate

Armed, inside AEGIS_LAB_NET, and isolation-attested — connect/read-only probes, never against clinical scope.

Security posture — strict by default

Built for an internal enterprise network: read-only, isolated, least-privilege, auditable.

Read-only everywhere. No exploitation, credential spraying, writes, or DoS. Credentialed checks use null/guest/audit-mode only.
Sandbox-first. Targets run on an internet-and-LAN-isolated network; live work requires written authorization + CIDR scope + sensitive/regulated systems exclusions.
Least privilege & strict transport. Dedicated read-only audit accounts; WinRM defaults to HTTPS with cert validation; SSH key-auth preferred.
Credentials never logged. The audit records only the check + target; secrets and PHI are redacted from all output.
Tamper-evident. HMAC-chained audit trail; aegis audit verifies the chain end-to-end.
PHI-safe AI. Local Ollama keeps sensitive data on-host; cloud Claude is reserved for offline report-writing.