agentropix-mcp
Click on "Install Server".
Wait a few minutes for the server to deploy. Once ready, it will show a "Started" state.
In the chat, type
@followed by the MCP server name and your instructions, e.g., "@agentropix-mcprun volatility on memory.dmp to list processes"
That's it! The server will respond to your query, and you can continue using it as needed.
Here is a step-by-step guide with screenshots.
Agentropix-SIFT

Dear Evaluator,
My name is Gabriel Galvan, and I am proud to introduce the Agentropix MCP solution.
This innovative solution enables the initial triage phase of modern digital forensic investigations. I created this repository to demonstrate how Agentropix was designed, the key considerations that guided its development, and the features it provides. A detailed roadmap outlining the project's vision, architecture, and capabilities is included at the end of this document.
The documentation section is fully completed and contains all the information required to understand how the solution works. In addition, you will find case analyses, technical reports, specifications, and supporting documentation that demonstrate the functionality and effectiveness of Agentropix MCP.
Thank you for taking the time to evaluate this project. I hope you find Agentropix MCP both innovative and valuable for modern forensic analysis workflows.
โ Gabriel Galvan
๐งญ Judges: the Evaluation Map routes each of the 8 submission requirements (code ยท demo video ยท architecture diagram ยท project story ยท datasets ยท accuracy ยท try-it-out ยท execution logs) to its exact evidence in this repository โ or watch the ๐ฌ 2 min 24 s Submission Evidence Tour (build sources) (auto-plays): one animated scene per requirement, each with a live-captured proof panel. And for the investigation flow itself, the ๐๏ธ six-stage workflow animation plays inline right on this page โ doctor โ run โ review โ human gate โ seal โ escalate โ and the ๐๏ธ safety proof reel shows every anti-hallucination guarantee backed by real cited evidence from the sealed execution logs.
๐ฅ Featured video โ Case Evaluation walkthrough (8 min 27 s, narrated) โถ on Vimeo โ the full SRL-2015 evidence walkthrough, with every headline number re-computed live from the committed raw data: 2,233 findings ยท 12 malicious IOCs of 91 ยท 5
malfindpayloads ยท 21/21 hash-verified samples ยท YARA 5/5 ยท 17 examiner-approved findings. Local copy in-repo:Final_Video/SRL-2015-EVIDENCE-presentation.mp4.
๐ Audit reports (auto-generated, repo-grounded โ every figure cites its source): Evidence Dataset Documentation โ full inventory of the case datasets with provenance, SHA-256 integrity, schemas, and the ingestion pipeline; and the System Accuracy & Validation Report โ component benchmark matrix, recall metrics (72/72 disk ยท 108/118 memory), and algorithmic-drift findings with file:line refs.
๐ค For LLMs / AI agents: a
llms.txtcurated index (project summary, canonical facts, and links to every core doc) โ andllms-full.txt, the expanded variant that inlines the full content of the core docs for single-pass ingestion.
Autonomous DFIR triage on the SANS SIFT Workstation โ that never lets the LLM rate its own findings.
Point it at a Windows disk or memory image. It drives 16 real SIFT forensic tools through one MCP server (73 tools), correlates across a 7-agent swarm on a quorum blackboard, and emits a cryptographically sealed, schema-validated JSON triage report โ in minutes, on the local host, with no LLM ever in the halt path. (Source:
what-is-agentropix.md.)
A local, CLI-driven, bio-agentic DFIR triage engine for the SANS SIFT Workstation.
๐บ๏ธ Evaluators โ the Strategic Project Roadmap (2026-06-11) is the "where this is, where it's going" document: the development Gantt with the critical path to GA, the system-lifecycle state machine (orchestration, thread taxonomy, apoptosis), phase milestones (Foundation โ Orchestration โ Scale & GA), technical specifications, and risk mitigation โ the strategic companion to the Architecture chapter.
Related MCP server: SIFTAgent
๐งช Judge / Try-it-out โ run locally in 5 minutes
Free of charge, no signup, no account, no VPN/tailnet required. Everything below runs on
127.0.0.1using the open-source wheel vendored in this repo.
# 1. Install the MCP server (pick one)
pip install ./agentropix_mcp # from this checkout โ vendored at agentropix_mcp/
# โฆor the released wheel:
pip install https://github.com/galvangabriel-web/agentropix-mcp/releases/download/v0.3.0/agentropix_mcp-0.3.0-py3-none-any.whl
# 2. Generate a local auth token and start the server (boot is fail-closed without one)
export AGENTROPIX_MCP_AUTH_TOKEN="$(openssl rand -base64 32)"
agentropix-mcp --transport http --port 8765
# 3. In another terminal, point Claude Code at your local server (same token)
claude mcp add --transport http agentropix-sift "http://127.0.0.1:8765/mcp" \
--header "Authorization: Bearer $AGENTROPIX_MCP_AUTH_TOKEN"4. Smoke-test it โ ask the model:
"Use the agentropix-sift MCP server. Run the
healthtool and tell me the tool_count."
Expected: tool_count: 73 (the live count is authoritative โ this number may lag).
More detail (self-hosting the full engine, requirements table): see Installation / Quickstart below and the Quickstart guide.
๐ Deploy, run & extend it yourself
The 5-minute block above is the smoke test. Here is the full path from zero to running the agent on your own evidence and building on it โ each step links the complete guide (nothing duplicated):
Install the agent โ
agentropix_mcp/README.md(the package ships the engine:agents/,detectors/,trinity/,wrappers/) ยท full self-host: deployment.md.Configure your MCP client (Claude Code / Claude Desktop) โ client-setup.md.
Run it on a disk or memory image โ try-it-end-to-end.md (one prompt, disk and memory) ยท the two install paths +
doctoroutput: quickstart.md.Reproduce a published case from scratch โ reproduce-datasets.md (public dataset URLs + hashes; the CFReDS "Hacking Case" is a fully-public end-to-end loop) ยท compare your run against the sealed case reports.
Extend it โ add your own SwarmAgent, ATT&CK detector, or tool wrapper: extend-the-swarm.md (source-cited recipes + the test contract).
What runs today vs. what needs the engine repo: the vendored MCP-server wheel (Path A,
pip install ./agentropix_mcp) drives the real forensic tools against your image through Claude right now โ install, configure, run, and extend are all reproducible from this checkout. The fully-autonomous Trinity-Loop engine run (Path B) additionally needs the engine distribution (currently private โ request access); the honest scope note is kept throughout.
โก Connect to a hosted instance (author's tailnet โ optional)
Judges / evaluators: you do not need this โ use the local path above (Judge / Try-it-out); this section is only for users invited to the author's private tailnet.
๐ Already have a SIFT host running on our tailnet? Point Claude at it right now โ no install, no build. One command and you're driving 73 forensic tools from Claude. Full guide โ docs/09-integrations/client-setup.md.
First: join the tailnet (one-time). The server http://100.85.162.82:8765/mcp is tailnet-only โ reachable through Tailscale, never the public internet. Before the steps below:
Accept the invite and sign in with your Google / Microsoft identity โ Tailscale invite (then ping the operator to approve your device).
Install the Tailscale client โ macOS
brew install --cask tailscaleยท Windows MSI ยท Linuxcurl -fsSL https://tailscale.com/install.sh | sh && sudo tailscale upVerify:
tailscale statuslistssiftworkstation โฆ 100.85.162.82, andping 100.85.162.82succeeds.
Full per-OS install + a combined token-and-reachability probe: Client Setup โ Step 1.
You only need ONE client. Most people want the Claude Code CLI.
โถ Client A โ Claude Code CLI (recommended โ one line, all platforms)
claude mcp add --transport http agentropix-sift \
"http://100.85.162.82:8765/mcp" \
--header "Authorization: Bearer jlviTMFYAsAuxL1AiagDvFChIs4baYHe6OeRAdBzaLs"Verify:
claude mcp list
# Expected: agentropix-sift http://100.85.162.82:8765/mcp โ Connectedโถ Client B โ Claude Desktop App (via the mcp-remote shim)
Claude Desktop speaks stdio only, so it bridges to the HTTP server through the npx mcp-remote shim.
Prerequisite: Node.js โฅ 18 on PATH (node --version); install LTS from https://nodejs.org/ if missing.
1. Find your config file:
OS | Path |
macOS |
|
Windows |
|
Linux |
|
2. Edit it (create if absent). The command differs per OS โ Windows uses npx.cmd, macOS/Linux use bare npx:
{
"mcpServers": {
"agentropix-sift": {
"command": "npx",
"args": [
"-y",
"mcp-remote",
"http://100.85.162.82:8765/mcp",
"--allow-http",
"--header",
"Authorization: Bearer jlviTMFYAsAuxL1AiagDvFChIs4baYHe6OeRAdBzaLs"
],
"env": {}
}
}
}{
"mcpServers": {
"agentropix-sift": {
"command": "npx.cmd",
"args": [
"-y",
"mcp-remote",
"http://100.85.162.82:8765/mcp",
"--allow-http",
"--header",
"Authorization: Bearer jlviTMFYAsAuxL1AiagDvFChIs4baYHe6OeRAdBzaLs"
],
"env": {}
}
}
}3. Restart Claude Desktop โ fully quit (โQ / tray โ Quit) and relaunch, not just close the window.
โ Smoke-test it
Ask the model:
"Use the agentropix-sift MCP server. Run the
healthtool and tell me the tool_count."
Expected: tool_count: 73 (the live count is authoritative โ this number may lag).
First time on the tailnet, or hit a
401/ timeout? The complete quickstart โ Tailscale invite, per-OS install, token facts, and a full troubleshooting matrix โ is in ๐ Client Setup โ Install Quickstart.
Start here โ pick your lane
Four audiences, four fast paths. Each row is an ordered reading trail; the full routing lives in the Documentation Index.
You are aโฆ | You want toโฆ | Start here โ then |
๐งโ๐ป Software engineer | understand the architecture, build/test/extend it | Implementation โ Trinity Loop โ Swarm & Blackboard โ FastMCP Server โ Extend the Swarm โ Testing โ ADRs (decision contract) |
๐ก๏ธ SOC analyst | run a triage, hunt IOCs, push to the SIEM | User Guide (runbook) โ Disk triage โ Memory triage โ Wazuh push โ CLI Reference |
โ๏ธ Evaluator / judge | verify the claims, soundness, chain of custody | Canonical Facts โ Anti-Hallucination โ Audit & Courtroom Seal โ Evidence integrity (visual) โ Recall methodology โ Evaluation scorecard โ SWOT |
๐ฌ End-user (non-technical) | get answers by just asking Claude | Try it end-to-end โ one prompt (a single copy-paste prompt runs a whole public case) โ the Two Paths table below โ end-user lanes in the User Guide โ Tool Capability Map |
๐ First time? The single best entry point is the User Guide โ The Complete Operator Runbook: one complete case, end-to-end (pre-flight โ connect/verify the MCP โ init/activate the case โ register evidence โ the investigation tool chain โ record findings โ approve in the portal โ seal the report โ optional Wazuh push), documenting both execution paths (manual ยท autonomous) and both clients (Claude CLI ยท Claude Desktop), with the validated 2026-05-29 CFReDS run as a worked example.
What it is โ and why
Agentropix-SIFT turns a SIFT Workstation into an autonomous-but-accountable triage operator. A Trinity Loop โ an Architect that proposes which agents to run, a 7-agent Swarm that drives deterministic forensic tools, and a Critic that scores findings and halts on a deterministic convergence fingerprint (with no LLM self-rating) โ orchestrates 73 MCP tools over a single FastMCP server. The result is a fast first pass over disk images, memory dumps, and Windows artifacts that produces an evidence-grounded, cryptographically sealed triage report a human examiner can trust and defend.
Its central claim is simple and load-bearing: the LLM never touches a fact. Every finding it records is produced by a deterministic forensic binary, fingerprinted with SHA-256, and tagged with a provenance tier โ precisely so a human can verify it.
Important โ this is a triage accelerator, not an oracle. Agentropix-SIFT is built to be checked, not believed. The LLM proposes and narrates; it never rates its own work and never becomes the source of a finding. You remain the examiner of record. Review the findings, confirm the underlying artifacts, and use the optional human-in-the-loop approval gate before anything is sealed or escalated. See Anti-Hallucination.
How AI drives Agentropix โ the consumer model
The novel angle is where the AI sits. Agentropix-SIFT is deterministic layers with the stochastic LLM confined to the top. The LLM is not an oracle wired into the findings โ it is simply a consumer of the same FastMCP tool surface that the CLI uses. From the MCP boundary down, everything is pure Python driving classical forensic binaries: no RNG, no LLM self-rating.
You drive it two ways from one engine: as a plain agentropix-sift run command, or by talking to an
LLM (Claude Desktop / Claude Code) that has the MCP server connected. A non-technical examiner can type
"open a case for this disk image and run the SIFT triage" and the session routes it to the real MCP
tools; an expert calls the exact tool. Adapt Agentropix to the user, not the user to Agentropix.

flowchart TB
classDef stoch fill:#fff5e6,stroke:#f59f00,color:#222,stroke-width:2px
classDef det fill:#e6ffea,stroke:#2f9e44,color:#222,stroke-width:2px
classDef anchor fill:#eef2ff,stroke:#3b5bdb,color:#222,stroke-width:2px
classDef leak fill:#fff0f0,stroke:#e03131,color:#222,stroke-width:2px
LLM["<b>Consumer (LLM or CLI)</b><br/>Claude Code / Desktop / cli.py<br/><i>stochastic only when LLM-driven</i>"]:::stoch
subgraph TR["Trinity Loop โ deterministic, no LLM authoring"]
ARCH["<b>Architect</b> ยท plan()<br/>order/prune SWARM<br/>trinity/architect.py"]:::det
CRIT["<b>Critic</b> ยท score()/halt<br/>convergence fingerprint<br/>trinity/critic.py"]:::det
end
subgraph SW["Swarm โ 13 SwarmAgent classes"]
AGENTS["7 specialists + 6 ATT&CK detectors<br/>agents/ ยท detectors/"]:::det
BB[("Blackboard<br/>(agent, Finding) registry<br/>correlations() at quorum")]:::anchor
end
subgraph MCP["MCP boundary โ the enforcement spine"]
TOOLS["73 MCP tools<br/>traced ยท rate-limited ยท Thymus-gated"]:::det
BIN["SIFT binaries<br/>vol3 / plaso / tsk / yara / EZ-Tools"]:::leak
end
LLM -- "args_hash + raw_output cross the boundary" --> ARCH
ARCH -- "ordered plan" --> AGENTS
AGENTS -- "publish Finding" --> BB
AGENTS -- "tools/call" --> TOOLS
TOOLS --> BIN
BB --> CRIT
CRIT -- "stable_agents (next iteration)" --> ARCH๐ Rendered as a high-resolution PNG so it displays crisply on GitHub and GitLab โ Open as SVG (vector, zoomable).
One tool surface, two consumers. The same
@app.tool()functions the swarm calls are also exposed to an LLM client; the server is built by_build_app()/FastMCP("agentropix-sift")(mcp_server/fastmcp_app.py). Console scripts differ by distribution: the vendored MCP-server wheel (Path A,pip install ./agentropix_mcp) installsagentropix-mcponly; the full engine (Path B) installsagentropix-sift(triage CLI) andagentropix-sift-mcp(the MCP server). An LLM connects to the MCP-server script; the CLI bypasses it and drives the engine directly. See The FastMCP Server.Two transports. The MCP server speaks stdio (default โ paired with a Claude Desktop / Claude Code
mcp.jsonentry) or HTTP+SSE under/mcp(tailnet-only, Bearer-gated, default port 8765). Both funnel into the same tool core. See Connect a Client.The LLM proposes, never authors. The
args_hash+ boundedraw_outputsnapshot is captured at the MCP boundary, so a sealed report can prove the LLM phrased a request three ways but never authored โ or touched โ a fact. Agents are pure async coroutines over the MCP boundary, with no LLM coupling (agents/_base.py).
"Agent" means two different things here. The runtime DFIR swarm agent (a
SwarmAgentsubclass that investigates evidence) is unrelated to the build-time BMAD dev-crew persona. Section 10 disambiguates them โ read The Agentic Architecture first whenever the word is ambiguous.
What you get โ capability highlights
Capability | The one-line value | Canonical figure | Source-code home |
Trinity Loop | Deterministic Architect โ Swarm โ Critic control loop; halts on a convergence fingerprint, never on an LLM self-rating | Critic halt default 0.85 |
|
73 MCP tools | One FastMCP server exposes 73 distinct forensic tools over stdio + HTTP | 73 tools |
|
16 SIFT wrappers | Hardened drivers (timeout, memory ceiling, retry, stderr capture, tracing) around the 16 trusted SIFT binaries | 16 wrappers |
|
7-agent Swarm + ATT&CK detectors | Memory, Timeline, Filesystem, Artifact, Discovery, Mail, Hunt specialists + 6 deterministic MITRE ATT&CK detectors | 7 specialists (13 |
|
Quorum Blackboard | An observation is promoted to a | quorum default 2 |
|
Thymus read-only policy | Every | deny-by-default |
|
Courtroom seal | SHA-256 evidence byte-binding + HMAC-SHA256 report/audit-log seal โ a report a judge can independently verify | mode-0600 session key |
|
Provenance & grounding | Every | 3 grounding layers |
|
Approval sidecar (HITL) | Optional HMAC examiner sign-off: PBKDF2 key (600k iters) + nonce + append-only approval hash chain + browser form | 2 MCP tools |
|
Wazuh SIEM push | Promote findings/IOCs into Wazuh behind default-deny kill switches + active-response CIDR guard | 5 Wazuh tools |
|
Chaos-tested resilience | Fault-injection tests prove graceful degradation: a missing tool skips an agent, not the run |
|
|
Full capability matrix: What You Get.
Architecture
The shape: one deterministic loop over one tool server, with a safety spine.
A DFIR examiner drives Agentropix-SIFT from the CLI on a local SIFT host. The engine never reaches outside that host except for the optional Wazuh push of already-APPROVED findings.

flowchart TB
classDef actor fill:#d0bfff,stroke:#7048e8,color:#2b1a52,stroke-width:2px
classDef core fill:#b2f2bb,stroke:#2f9e44,color:#15391f,stroke-width:2px
classDef ext fill:#e9ecef,stroke:#495057,color:#212529,stroke-width:1px
classDef sink fill:#ffec99,stroke:#f08c00,color:#5c4400,stroke-width:1.5px
Examiner(["DFIR Examiner<br/>runs triage ยท reviews ยท approves findings"]):::actor
subgraph Host["SANS SIFT Workstation โ local host"]
Agentropix["Agentropix-SIFT<br/>Trinity Loop engine + FastMCP server (73 tools)"]:::core
Toolchain["SIFT Forensic Toolchain<br/>Volatility3 ยท Plaso ยท Sleuth Kit ยท EVTX ยท YARA ยท โฆ (16 tools)"]:::ext
Evidence[("Evidence Store<br/>E01 / raw / memory โ read-only")]:::ext
end
Wazuh["Wazuh / SIEM<br/>optional alert sink for APPROVED findings"]:::sink
Examiner -->|"agentropix-sift run / review / approve"| Agentropix
Agentropix -->|"invokes deterministic binaries (read-only)"| Toolchain
Agentropix -->|"reads + SHA-256 fingerprints, never mutates"| Evidence
Agentropix -->|"pushes APPROVED findings (optional)"| Wazuh
style Host fill:#f1f3f5,stroke:#868e96,color:#212529๐ Rendered as a high-resolution PNG so it displays crisply on GitHub and GitLab โ Open as SVG (vector, zoomable).
Internally, the Architect proposes which agents to spawn (by default it returns the canonical
SWARM tuple in priority order; a default-on Reflexion-lite step drops agents the Critic marked
stable). The 7-agent Swarm invokes the 16 wrapped SIFT forensic tools through the FastMCP server's
73-tool surface, writing Findings to a shared Blackboard; cross-agent agreement at a quorum of
2 becomes a Correlation. The Critic scores the accumulated findings with a closed-form rule โ
score = min(1.0, max_confidence + 0.25 ยท len(correlations)) โ and halts deterministically when the
findings stop changing (a convergence fingerprint), bounded by a hard max_iterations budget, never
on an LLM's self-assessed confidence. The Thymus read-only policy and the pre/post SHA-256
evidence invariant sit between every tool and the evidence store. Finally the Courtroom seals the
audit log with HMAC-SHA256 and validates the provenance chain.
๐ The validated architecture diagram โ one page, source-verified
The complete picture lives in Main Architectural Agentropix Design โ one validated diagram covering the agent layer โ MCP server โ SIFT Workstation tools โ data sources โ output pipeline, the architectural-pattern verdict (Custom MCP Server โ and why it is not a Direct Agent Extension, Multi-Agent Framework, or Agentic IDE), and the full ARCHITECTURAL vs PROMPT-BASED guardrail split with every row cited to its enforcing source file. Every component was contrasted against the oracle source code; every documentation-vs-source disagreement is called out on the page.
๐ Full document as high-quality PDF (the complete design document โ diagram, component narrative, pattern verdict, guardrail table) ยท ๐ Diagram-only HD PDF (vector) ยท ๐ผ๏ธ PNG ยท ๐ SVG
For the deeper layers: System Context & Containers ยท Component Architecture & Layer Map ยท The Trinity Loop ยท Sequence Diagrams.
Key design decisions (the decision contract)
The architecture is contracted in immutable Architecture Decision Records mirrored from the oracle. The load-bearing ones for newcomers:
ADR | Decision |
The deterministic Trinity Loop as the execution model. | |
The deny-by-default Thymus boundary + evidence read-only invariant. | |
Pre/post SHA-256 evidence-integrity gates. | |
HMAC-SHA256 tamper-evident chain of custody. | |
HTTP transport is tailnet-only + Bearer-gated. | |
ADR-018 โ Wazuh IOC push / ADR-019 โ AR confirmation gate | Default-deny SIEM push + active-response confirmation. |
Read the status column literally (Proposed โ not shipped; Deferred โ documented, not implemented). Full index: ADR Index ยท Section 11 โ ADRs ยท rationale narratives in Design Decisions.
๐ Recommended investigation workflow
๐ One prompt. Six guarded stages. A sealed, court-ready report.
You don't need to memorise a single flag. Connect the Agentropix MCP to Claude, then say what you want in plain English โ "open a case for this disk image and run the full SIFT triage" โ and the session routes your words to real forensic tools. The six stages below run the same whether an expert types the command or a non-technical examiner just asks. Adapt Agentropix to the user, not the user to Agentropix.
๐ Copy-paste, end-to-end: paste one of the two blocks below into a Claude session with the Agentropix MCP connected โ it runs the entire six-stage flow on a real case and returns every result, stopping only at the human approval gate. Full guide, step-by-step tool map, and flow diagrams: Try it end-to-end โ one prompt, a full investigation.
You are my DFIR analyst, and you have the Agentropix-SIFT MCP server connected. Investigate ONE
case end-to-end and show me every result. Work autonomously โ don't ask me questions โ and stop
only at the human approval gate.
THE CASE
- Name: CFReDS "Hacking Case" (Greg Schardt / "Mr. Evil")
- Case ID: CFREDS-HACKING-CASE-4DELL (examiner: victor.galvan, severity: high)
- Evidence (disk, EWF): /cases/cfreds-fresh/4Dell-Latitude-CPi.E01 (the .E02 segment is read automatically)
- It is a Windows XP disk image. There is NO memory dump โ do NOT use any memory/Volatility tools
(no pslist / netscan / malfind / svcscan / process_tree).
PER-CASE RULES (follow exactly โ they matter):
- The NTFS volume starts at sector offset 63. Pass offset 63 to file-listing and file-extraction.
Confirm the partition layout first.
- Windows XP event logs are ".evt" โ use the .evt event-log tool (get_evt), NOT the Vista+ .evtx one.
Skip Amcache (it is Windows 7+ only).
- Put any carving output dir under /tmp/agentropix-sift- (e.g. /tmp/agentropix-sift-cfreds-be).
DO THIS IN ORDER, AND SHOW ME EACH RESULT:
0. Pre-flight + custody: confirm the forensic environment is ready, then verify the image integrity
and show me who acquired it and what OS it is. (Expect stored MD5 == aee4fcd9301c03b3b054623ca261959a.)
1-3. Open case CFREDS-HACKING-CASE-4DELL (high severity, examiner victor.galvan, evidence in
/cases/cfreds-fresh), make it the active case, and confirm it's active and the indexer is reachable.
4. Register the E01 as evidence and give me its SHA-256 chain-of-custody hash.
5. Analyze the disk and report each result:
a. Partition layout โ confirm NTFS at offset 63.
b. List all files (offset 63, recursive); then list just the deleted files.
c. Carve indicators (emails, domains, IPs, URLs) into /tmp/agentropix-sift-cfreds-be.
d. Run a YARA smoke-scan (0 matches is a clean pass, not a failure).
e. Lift the registry hives (offset 63) and pull execution/persistence artifacts: registry,
shimcache, prefetch, and the XP .evt event logs.
6. Record what you found as findings (they will be saved as DRAFT โ that is expected; you cannot
self-approve evidence).
7. STOP at the approval gate: list exactly which findings are waiting for MY approval, with their IDs,
and tell me how to approve them (the human HMAC examiner portal). Do NOT approve them yourself.
8. Generate the case report and give me the report ID + section counts. (Approved-finding count will
be 0 until I approve in step 7 โ that is correct.)
FINALLY, give me a concise summary: the custody SHA-256, the partition offset, the file + deleted-file
counts, the IOCs carved, the artifacts found, the DRAFT findings (with IDs), and the report ID โ plus
any honest negatives (tools that found nothing or were skipped, and why).You are my DFIR analyst with the Agentropix-SIFT MCP connected. Investigate ONE memory case end-to-end
and show me every result. Work autonomously; stop only at the human approval gate.
THE CASE
- Case ID: MEMDUMP-2014 (examiner: victor.galvan, severity: medium)
- Evidence (raw memory dump): /cases/memdump/memdump.mem
MEMORY RULES (follow exactly):
- Do NOT run get_image_info on a raw memory dump โ it reads EWF/E01 metadata and returns empty on .mem.
- get_pslist is the OS/profile confirm step: Volatility auto-detects the kernel symbol table on the first
windows.* plugin. A populated process list confirms the profile matched; an empty list with a
symbol-table error is an HONEST NEGATIVE (no profile resolved) โ report it as such, don't invent results.
- This is memory only โ do NOT use disk tools (no partitions/fls/extract_files/registry-from-disk).
DO THIS IN ORDER, AND SHOW ME EACH RESULT:
0. Confirm the environment is ready and register the dump as evidence (give me its SHA-256).
1-3. Open case MEMDUMP-2014, make it active, confirm active + indexer reachable.
4. Process list (this also confirms the OS/profile). If it's empty with a symbol-table error, tell me
plainly that no profile resolved and stop the memory chain.
5. Network connections, injected/suspicious code, services, and the process tree (PPID forest, LOLBin flags).
6. Record what you found as DRAFT findings (you cannot self-approve).
7. STOP at the approval gate: list the DRAFT findings + IDs and how I approve them. Do NOT approve them.
8. Generate the report; give me the report ID + section counts.
FINALLY: a concise summary โ custody SHA-256, process/network/injection highlights, the DRAFT findings
(with IDs), the report ID, and any honest negatives.

๐ฌ The banner above is a live animation (Animotion MCP; deck source) โ watch the stages light up, the human gate hold the line, and the seal close. Want the full detail graph instead? *Static diagram (PNG) ยท SVG (full size, zoomable).
The vivid lane below is the load-bearing part: each stage shows both ways to reach the same result โ the ๐ฅ๏ธ expert command and the ๐ฌ plain-language prompt a non-technical examiner types into a Claude session that has the Agentropix MCP connected. Every prompt maps to a real MCP tool (verify against the Tool Capability Map).
๐ฃ โ doctor โ pre-flight the toolchain
๐ฅ๏ธ Expert (command):
uv run agentropix-sift doctor๐ฌ End-user (prompt): "Check that my Agentropix forensic environment is ready โ are all the SIFT tools installed and on PATH?" โ routes to
doctor/health.
Confirms the 16 SIFT forensic binaries resolve before you spend time on an image. Missing tools degrade gracefully (the agent is skipped, not the run) โ but recall drops, so always start here.
๐ต โก run โ Trinity Loop triages the image end-to-end
๐ฅ๏ธ Expert (command):
uv run agentropix-sift run /cases/INC-0605/disk.E01 -o report.json๐ฌ End-user (prompt): "Open a high-severity case for the image at
/cases/INC-0605/disk.E01, register it as evidence, and run the full SIFT triage end-to-end โ acquisition โ examination โ analysis โ findings โ staging everything as DRAFT." โ routes tocase_initโcase_activateโevidence_registerโ the forensic tool chain โrecord_finding.
The Architect proposes which agents to run โ the 7-agent Swarm drives deterministic tools โ the Critic scores findings and halts on a convergence fingerprint, never on an LLM self-rating.
๐ โข review โ the examiner verifies every finding
๐ฌ End-user (prompt): "Show me the findings so far, and for each one tell me which exact tool produced it and the artifact path /
raw_stdout_sha256so I can verify it myself." โ routes tocase_status/record_findinginspection.
A human reads the findings and checks them against the underlying artifacts. The LLM proposes and narrates โ you remain the examiner of record.
๐ข โฃ approve (optional HITL gate) โ DRAFT โ APPROVED
๐ฅ๏ธ Expert (command): promote DRAFT โ APPROVED in the Approval Portal (HMAC examiner sign-off). ๐ฌ End-user (prompt): "Show me the findings waiting for review so I can approve them." โ the approval is a human HMAC hard-stop (
approve_finding); the examiner signs off in the browser form.
Findings stay in DRAFT until a human approves them. This is the one place a person โ not a model โ must act before anything is sealed or escalated.
๐ด โค seal โ Courtroom emits the audit seal
๐ฌ End-user (prompt): "Generate the full report for this case and seal it โ then confirm the seal hasn't been tampered with." โ routes to
report_generateโ the HMAC-SHA256 audit seal + provenance-chain validation (report_exportfor the shareable artifact).
A tamper-evident chain of custody a judge can independently verify.
๐ฆ โฅ escalate (optional) โ push to the SIEM
๐ฅ๏ธ Expert (command): push APPROVED findings/IOCs to Wazuh behind default-deny kill switches. ๐ฌ End-user (prompt): "Dry-run the Wazuh push of the approved IOCs and tell me what would be sent before anything goes out." โ routes to
wazuh_index_findings/wazuh_publish_iocs(default-deny, dry-run first).
๐ฌ Drive the entire investigation with a single prompt
Paste this into a Claude Desktop / Claude CLI session that has the Agentropix MCP attached โ the agent runs the whole sequence itself, handling OS quirks (e.g. Windows XP has no Amcache /
.evtx):"You are a DFIR analyst with the Agentropix MCP. Investigate case
<case_id>on image<path>. Run the full SIFT sequence โ acquisition โ examination โ analysis โ findings โ staging findings as DRAFT. For memory images, pull processes, network connections, injected code and services. Do not approve findings (a human owns that gate). Finish by generating the full report and summarising the attack chain."๐ฅ๏ธ Expert note: the same prompt works in
claude --printfor a one-shot headless run. The full validated end-to-end runbook โ both clients (CLI ยท Desktop), both lanes (manual ยท autonomous) โ is the User Guide โ Complete Operator Runbook.
Each step is a worked use case: Disk triage ยท Memory triage ยท Approval gate ยท Wazuh push.
Installation / Quickstart
Path A โ 60-second start (runs from this repo, today). Install the packaged MCP server โ
this repo vendors its source and wheel at agentropix_mcp/ โ and
connect a Claude client:
# 1. Install the v0.3.0 MCP-server wheel (or, from this checkout: pip install ./agentropix_mcp)
pip install https://github.com/galvangabriel-web/agentropix-mcp/releases/download/v0.3.0/agentropix_mcp-0.3.0-py3-none-any.whl
# 2. Start the server โ boot is fail-closed: it refuses to start without an auth token
AGENTROPIX_MCP_AUTH_TOKEN="$(openssl rand -base64 32)" agentropix-mcp --transport http --port 8765
# 3. Point Claude Code at it (use the token from step 2)
claude mcp add --transport http agentropix-sift "http://127.0.0.1:8765/mcp" \
--header "Authorization: Bearer <token-from-step-2>"Connecting to the operator's already-running tailnet server instead? Skip steps 1โ2 โ
Client Setup is the 5-minute join-and-connect guide
(Claude Code CLI and Claude Desktop via the mcp-remote shim).
Path B โ self-host the full triage engine (agentropix-sift CLI: Trinity Loop, doctor,
sealed runs). These commands run from a checkout of the full agentropix-sift engine
distribution โ not from this documentation portal:
uv sync # 1. install the orchestration layer
uv run agentropix-sift doctor # 2. pre-flight โ all 16 SIFT tools OK
uv run agentropix-sift run "/cases/study case/2020JimmyWilson.E01" -o report.json # 3. triageThis exact sequence was executed live and recorded against the Jimmy Wilson study case:
Step | Result |
| dependencies resolved |
| All tools available โ the 16 SIFT binaries (vol, fls/mmls/icat, ewfinfo, evtx_dump, yara, bulk_extractor, rip.pl, EZ-Tools, โฆ) resolve on PATH |
| 129 findings ยท 86 tool calls ยท 5 iterations, sealed |
The full proof โ recorded video, sealed reports, raw logs of three reproducible runs, and the
agent-execution trace โ is published at
case-activation/runs/jimmy-wilson-poc/. The
evaluator-facing Agent Execution Logs gold report โ two further engine runs (the SRL-2018
domain controller + Challenge_NotchItUp) with timestamped agent-to-agent handoff chains, full tool
sequences, and the raw sealed evidence incl. live run.log + Thymus audit trails โ is at
docs/12-CASES-REPORTS/srl-2018-report/submission/,
with its ๐จ Visual Atlas โ
thirteen color diagrams (agent-communication graph, end-to-end timestamp chain with a
217-microsecond correlation-burst zoom, self-correction funnels, Thymus ALLOW/REJECT pies, and the
HMAC seal cross-binding chain) generated from and verified against the raw run data โ and its
๐ฌ 108-second animated walkthrough
(plays directly in your browser): the same topics in motion โ the 91-minute wait drawn to scale,
the 61-shield REJECT storm, the microsecond burst, and the self-correcting plan โ animated with
the Animotion MCP and rendered deterministically from the committed
deck source.
The multi-host edition scales the same discipline to SRL-2015 โ 4 hosts ร disk+memory, 8 sealed
runs, 2,233 findings, 15-iteration loops, and the cross-host spinlock.exe โ Domain-Controller
correlation: ๐ report ยท
๐ฌ 2 min 24 s animated walkthrough (auto-plays). The
requirement-8 bundle for the ROCBA Windows-10 insider-IP-theft case is a real live-MCP triage โ
timestamped tool sequence, server HTTP audit, Thymus decisions, a grounded DRAFT finding, and the
honest negatives kept on record:
case-activation/runs/rocba/EXECUTION-LOG.md. The same
case's Trinity-engine run captures the backend agent โ blackboard communication โ
21 blackboard publishes across 13 agents (the hunt agent fusing 14 cross-source correlations),
351 findings / 509 tool calls, and the iteration-over-iteration plan shrink (13 agents โ just
[discovery, mail] once the Critic marks 11 stable):
case-activation/runs/rocba/engine-run/AGENT-BLACKBOARD.md
(+ the derived blackboard-events.jsonl).
A sibling agent-execution-log run covers the Windows XP laptop (2005) case at
WINXP-LAPTOP-2005 โ
๐ฌ 3 min 19 s animated walkthrough
(auto-plays): a 13-scene deterministic deck correlated from its logs (297 records ยท 64 tool calls ยท 14
errors, all recovered), grounded in the
correlation report.
The CFReDS "Hacking Case" sealed case report (CFREDS-HACKING-CASE-4DELL โ the public NIST
single-host Windows XP disk image of Greg Schardt / "Mr. Evil", a standalone unauthorized wireless
interception case โ no memory image, no enterprise lateral movement) keeps its own
agent execution log
alongside the full report: a single Claude-Code agent (claude-opus-4-8[1m]) plus one embedded
multi-agent forensic workflow, 400 tool calls, 35 examiner-approved findings (2 critical /
15 high), 24 timeline events, 93 IOCs staged, sealed/approved by victor.galvan 2026-06-14 over
4Dell-Latitude-CPi.E01 (MD5 aee4fcd9301c03b3b054623ca261959a):
docs/12-CASES-REPORTS/cfreds-hacking-case-report/
(executive ยท
analyst ยท
attack graph).
The wider
case-activation/ folder holds a per-case Activation Guide for every evidence
set on this host plus the captured executed runs (case-activation/runs/).
Honest scope note. The engine repo ships the
pyproject.toml,uv.lock,src/agentropix_sift/, and a syntheticsamples/sample.ddfixture for a first smoke run (that earliest sealed record is also published:case-activation/runs/engine-smoke-sample-dd/). It is a separate, currently private distribution โ request access from the operator. This docs portal intentionally vendors only the MCP-server package, so Path B does not run from this checkout; the case images under/cases/live on the operator's host.
The engine installs two console scripts โ agentropix-sift (the triage CLI) and agentropix-sift-mcp
(the MCP server). The full step-by-step for both paths, including example doctor output, is in the
Quickstart. Every CLI command and flag is enumerated in the
CLI Reference.
Deployment & requirements
Requirement | Detail |
Python | 3.12+ ( |
Host | A SANS SIFT Workstation (or Ubuntu host with the GIFT PPA toolchain). Runs fully local โ no API keys, no cloud dependency for the forensic path. |
Toolchain on | The 16 SIFT forensic binaries: Volatility3, |
Degradation | Missing tools degrade gracefully (the agent is skipped, not the run) โ but recall drops, so run |
See Deployment for SIFT install + tailnet exposure, and Recovery & Resilience for the failure-mode catalogue.
Two Paths: Operator (Expert) and End-User
The same triage capability is reachable two ways โ the expert command, or the plain-language prompt a non-technical examiner types into Claude (with the Agentropix MCP connected), which routes to a real MCP tool. Every operational page in the portal documents both lanes side by side.
๐ฅ๏ธ Operator / Expert (command) | ๐ฌ End-user (prompt) | |
Pre-flight |
| "Check that my SIFT forensic tools are installed and ready." |
Run a triage |
| "Open a case for the image at |
List memory processes | MCP tool | "List the processes in the memory image and flag anything suspicious." |
Approve a finding | promote DRAFT โ APPROVED in the Approval Portal | "Show me the findings waiting for review so I can approve them." |
The ๐ฅ๏ธ uv run agentropix-sift โฆ commands run from a full engine checkout (Path B above); the
๐ฌ prompts need only a Claude client connected to the MCP server (Path A โ wheel install or the
live tailnet server). End-user prompts map to real MCP tools (verify against the
Tool Capability Map). The gold-standard treatment of both lanes โ
manual โ autonomous ร expert โ non-expert โ is the User Guide.
MCP surface
Agentropix-SIFT exposes 73 distinct MCP tools over a single FastMCP server (verified live via
tools/list and health.tool_count; see Canonical Facts). Of
these, 16 are SIFT forensic tools โ deterministic binaries wrapped under mcp_server/wrappers/ so
each call captures the binary's raw stdout and fingerprints it with SHA-256. The remainder cover case
lifecycle, finding records, reporting, provenance, approval, executable-artifact registry, and Wazuh.
Family | Examples | Reference |
Forensic wrappers (16 SIFT tools) |
| |
Case & finding lifecycle |
| |
Provenance & approval |
| |
Executable-artifact registry |
| |
Wazuh integration |
|
Full enumeration: MCP Tool Reference ยท who calls what: Tools by Agent ยท per-tool breakdown: Tool List.
Response envelope (example)
Every tool returns a typed Pydantic model serialized with model_dump() โ never a free-form dict. A
successful get_pslist against a memory image:
{
"image_path": "/cases/INC-2026-0605/mem.raw",
"process_count": 2,
"processes": [
{ "pid": 4732, "ppid": 624, "name": "powershell.exe" },
{ "pid": 624, "ppid": 4, "name": "services.exe" }
],
"tool": "volatility3.windows.pslist.PsList",
"raw_stdout_sha256": "9f2cโฆ<64 hex>โฆ1ab0",
"tool_available": true,
"skipped_reason": "",
"status": "ok"
}The load-bearing field is raw_stdout_sha256 โ the SHA-256 of the binary's raw stdout bytes, the
provenance fingerprint that ties the finding back to the exact tool output. Soft failures return the same
model with tool_available: false and a skipped_reason; handled errors return a structured
ToolError. Full field tables: Response Envelope.
Safety & anti-hallucination
Agentropix-SIFT is engineered so that the LLM cannot become the source of a forensic claim:
Deterministic-tools-only findings โ a finding may only be recorded from the output of a deterministic forensic binary; the LLM narrates and proposes but never authors evidence.
No LLM self-rating โ the Critic halts on a deterministic convergence fingerprint (default threshold 0.85,
trinity/critic.py), not on a model's self-assessed confidence.Pre/post SHA-256 evidence invariant โ evidence is hashed at session start and re-verified in tests; immutability is enforced structurally (Thymus + no write tool exists), per the 2026-06-11 source audit below. The engine reads but never alters the image.
Thymus read-only policy โ deny-by-default boundary (
mcp_server/thymus_policy.py) blocking write/exec paths before a tool executes; no write tool exists in the surface.Courtroom HMAC-SHA256 seal โ the audit log (JSONL) is sealed and the provenance chain validated (
courtroom.py,provenance/), giving a tamper-evident chain of custody.Human-in-the-loop โ the optional approval sidecar (
approval_sidecar/) holds findings in DRAFT until an examiner APPROVES them.
๐๏ธ The six guarantees, proven on screen

๐ฌ Auto-playing proof reel (73 s loop; deck source) โ each scene shows the cited evidence plus a plain-language "๐ก What you're seeing" explainer. Every value is real, from the SRL-2015 and SRL-2018 Agent Execution Logs: the 204,884-entry
flswalk, critic pinned at 1.0 across all 10 runs, 10 distinct evidence SHA-256, the 61 liveREJECT_OUTSIDE_ALLOWLISTdenials, the byte-identical seal cross-bind, and the 17 + 12 examiner-approved findings.
๐ Source-traced invariant audit (2026-06-11)
The six guarantees above were audited against the source, file:line by file:line โ no prompt-only claims accepted. Headline: 5 of 6 invariants Enforced; #3 Partially Enforced โ the literal per-tool abort-on-delta mechanism does not exist, but the evidence-immutability goal is met by a stronger structural design (no write tool + deny-by-default Thymus). The audit's Unified Compliance Matrix, verbatim:
# | Invariant | Status | Primary enforcement site(s) | Key lines |
1 | Deterministic-tools-only findings | โ Enforced |
|
|
2 | No LLM self-rating (Critic) | โ Enforced |
|
|
3 | Pre/post SHA-256 evidence invariant | โ ๏ธ Partially Enforced |
|
|
4 | Thymus read-only policy | โ Enforced |
|
|
5 | Courtroom HMAC-SHA256 seal | โ Enforced |
|
|
6 | Human-in-the-loop sidecar | โ Enforced |
|
|
Each invariant in the full document carries its implementation verification, deterministic mechanics, an adversarial forensic test case, and the auditor's hardening recommendations (e.g. a session-end re-hash tripwire to close #3's literal gap). Complete text: SECURITY-INVARIANT-AUDIT-2026-06-11.md.
Deep dives: Anti-Hallucination ยท Provenance & Grounding ยท Audit & Courtroom Seal ยท Security Model.
Engineering & evaluation (SDLC depth)
For the advanced engineer and the evaluator/judge. The SDLC + quality spine: how the system is tested, deployed, hardened, kept resilient, scored, and how its decisions are contracted. Every number tracks Canonical Facts.
Quick links: Testing ยท Recall corpus ยท Eval scorecard ยท Security model ยท Recovery & resilience ยท Deployment ยท Implementation ยท ADR index
Testing โ 4687 collected tests (
pytest --collect-only -q) in two tiers. Fast / always-run (mock-based, CI + pre-commit):tests/unit/,chaos/,provenance/,evidence_gate/,approval_sidecar/,secrets_gate/,wazuh/. Host-gated (skip-with-reason when the fixture is absent):integration/(SIFT binaries + a staged E01),wazuh_live,real_corpus. A missing E01 or unreachable Wazuh is a skip naming every searched path โ never a false failure.Correctness gates wired into CI:
pytest-cov, basedpyrightstricttyping as a correctness gate (not a lint), ruff selectorsE,F,W,I,UP,B,SIM, andasyncio_mode = "auto"(fitting โ every agent is an async coroutine over the MCP boundary).Forward-drift gate (for evaluators): the test count is CI-enforced โ a doc quoting the count without citing the canonical fact file fails the build, and known-stale literals are actively rejected. See Canonical Facts.
Ground-truth recall you can audit: 72/72 (100%) disk recall (regression) and 108/118 (91.5%) combined memory recall. Methodology, including the post-hoc ground-truth caveat: Dataset Recall ยท scoring rubric: Evaluation Scorecard.
SWOT โ strategic assessment
A structured strategic assessment for evaluators, engineers, and adopters. Each cell is grounded in the
repository corpus (docs/COMPETITIVE-DFIR.md oracle, Canonical Facts,
Competitive Positioning).
Helpful | Harmful | |
Internal | Strengths โ Structural evidence safety, not a policy promise: agents have no write tool; the Thymus policy refuses every write call before the subprocess spawns. Real SANS DFIR tools driven inside the agent loop (16/16 wrappers, 73 MCP tools) โ rivals explain JSON after collection. Deterministic, auditable execution: a fingerprint no-progress detector halts the Trinity Loop with no LLM in the halt path, backed by a hash-chained decision ledger. | Weaknesses โ A triage engine, not a case-management product: no HTML report generator, no commercial case-file UX (vs Magnet AXIOM, CADO); output is JSON + the audit ledger. Read-only consumer, no host-collection ecosystem (vs Velociraptor's agent fleet) โ caps it at post-collection triage. Memory-forensics recall (108/118) trails disk (72/72) and is the active improvement front. |
External | Opportunities โ The MCP consumer model means any MCP-speaking LLM client becomes a forensic front-end with zero retraining. Default-local, no-API-key posture fits air-gapped / sovereign SOCs. The ATT&CK detector lane is extensible โ deferred detectors (W051/W052/W054) are wired and unit-tested, ready to promote into live recall. | Threats โ Forensic admissibility scrutiny of any AI-assisted pipeline raises the documentation bar (mitigated by the courtroom seal + provenance chain). Upstream SIFT tool drift (binary flags / output format) can silently shift wrapper parsing โ covered by host-gated integration tests. Commercial incumbents move fast on AI features. |
Full competitive analysis: Competitive Positioning.
๐บ๏ธ Project Roadmap
Where the project is and the concrete path to GA โ the full document is PROJECT-ROADMAP-2026-06-11.md (development Gantt, system-lifecycle state machine, milestones, technical specifications, risk register).

Phase | Status | What it delivered / delivers |
1 โ Foundation | โ Complete | The bio-agentic stack (RalphEngine substrate, StemCell lifecycle, Thymus immune gate, Metabolic Ledger, Oncologist monitor) + the 16 governed MCP forensic wrappers (timeout / memory ceiling / retry / stderr capture each). |
2 โ Orchestration | โ Complete | The Trinity Loop (Architect โ Swarm โ Critic โ Router), the 7 forensic bio-agents, the quorum Blackboard, the Hippocampus inheritance bridge, and the deterministic Critic halt gate ( |
3 โ Scale & GA | ๐ต Current โ Upcoming | GA hardening, not feature invention: land W-082 |
The roadmap also carries the system-lifecycle state machine (orchestration, thread taxonomy, apoptosis โ how a run is born, governed, and dies) and a 7-row risk register (R1โR7: loop non-convergence, ATP exhaustion, plaso non-determinism, evidence mutation, secret leakage, context bleed, doc/code drift โ each with its concrete mitigation). Read it alongside the SWOT above and the Architecture chapter.
๐ฎ The Future of Agentropix
(operator addition, 2026-06-11 โ forward-looking, not yet scheduled)
Beyond the Scale items already on the Gantt, three directions define the next horizon:
๐ฐ๏ธ Threat-intelligence platform integration (CrowdStrike + Wazuh). Integrate commercial TI platforms such as CrowdStrike to gather richer insight about IOCs surfaced by a triage run, and complement that response with the existing open-source Wazuh solution โ commercial enrichment and open-source response working the same indicator set.
๐งญ Agent scheduler with auditable agent-to-agent messaging. Optimize the Agentropix engine with an agent scheduler that independently manages all agent-to-agent communication and tracks every inter-agent message โ making the swarm's internal traffic itself auditable and troubleshootable, the same discipline the tool-call trace already applies at the wrapper boundary.
๐งช Binary-analysis pipeline with a dedicated sandbox. Integrate a pipeline that lets Agentropix analyze recovered binaries using open-source solutions and a dedicated sandbox for detonation โ testing and analyzing behaviors safely, then feeding the verdicts back into the case's findings and IOC exports.
Full context: PROJECT-ROADMAP-2026-06-11.md โ The Future of Agentropix.
Configuration
Behavior is tuned through the AGENTROPIX_* environment surface โ Critic halt threshold, Blackboard
quorum, status taxonomy, tool-path overrides, and more โ with safe defaults so the engine runs out of the
box. See Configuration and the
env-var table.
Canonical facts
Single source of truth for every numeric claim โ never state a number that contradicts it.
Fact | Value |
MCP tools | 73 distinct tool functions |
SIFT forensic wrappers | 16 |
Tests collected | 4687 |
Disk recall (regression) | 72/72 (100%) |
Memory recall (combined) | 108/118 (91.5%) |
Core swarm specialists | 7 (Memory, Timeline, Filesystem, Artifact, Discovery, Mail, Hunt) |
| 13 |
Critic halt threshold (default) | 0.85 |
Blackboard quorum (default) | 2 |
Python | 3.12+ |
Full table with per-row sources and verification dates: Canonical Facts.
Documentation map
Start at the routed master table of contents, which maps every chapter to its audience and
the question it answers. For a file-by-file map of the whole repository โ the MCP-server package
internals, every docs section, and the case folders, each with a one-line description โ see the
Project Structure section below. The portal is organized into twelve numbered
sections under docs/, plus the case-activation/ operational annex:
# | Section | What it contains |
1 | What Agentropix-SIFT is and why, the capability matrix, the 3-command Quickstart, the complete operator User Guide, and how it compares to alternatives. | |
2 | How the engine is built โ the validated architecture diagram (pattern + guardrails, HD PDF), system context, internal components, the Trinity Loop, the Swarm + Blackboard, the FastMCP server (and the Thymus boundary), sequence diagrams, the ๐บ๏ธ Strategic Project Roadmap (Gantt/critical path, lifecycle state machine, GA milestones, risks), the ๐ Security Invariant Audit (6 invariants source-traced), and the ๐๏ธ Tunable Features Catalog (252 documented knobs). | |
3 | The data model โ case/finding/report schemas, the data dictionary, the entity-relationship view, and what gets persisted to disk. | |
4 | The 73-tool MCP surface โ the full tool reference, the typed Response Envelope, which agent invokes which tool, and the capability map. | |
5 | Why you can trust the output โ anti-hallucination guarantees, provenance grounding, the Courtroom audit seal, the human-in-the-loop gate, the Approval Portal, and the AI disclosure. | |
6 | End-to-end worked runs โ disk triage, memory triage, the approval gate, the Wazuh push, a guided demo walkthrough, and per-case attack-chain hypotheses. | |
7 | How to build, run, and operate it โ implementation, testing, configuration, deployment, the security model, recovery/resilience, recall methodology, and the evaluation scorecard. | |
8 | Look-up material โ the full CLI reference, the glossary, the ADR index, and the design-decision rationale. | |
9 | Connecting to external systems โ the Wazuh/SOC portal operator's guide and how to connect a remote client to a live internal MCP server. | |
10 | What "agent" means here โ the agentic architecture, the build-time delegation model, the FastMCP tool-execution path, and the canonical runtime swarm roster. | |
11 | The decision contract โ the immutable Architecture Decision Records mirrored from the oracle (001โ024 + milestone/defer records). Read the status column literally. | |
12 | Sealed DFIR case reports โ one folder per investigated case (forensic report, technical appendix, Wazuh IOC gallery, diagrams, recorded-session video). | |
โ | The operational annex โ a per-case Activation Guide for every evidence set (real paths, sizes, custody hashes) and |
The portal's documentation-QA working notes (render audits, case-guide sweeps) live under
docs/issues/ โ maintainer-facing, not reader chapters.
Project Structure
This is the reader-facing documentation portal for Agentropix-SIFT, packaged together with the installable agentropix_mcp MCP-server (the governed read-only DFIR engine) and a set of sealed DFIR case reports. The portal docs explain the system across 12 numbered sections; the agentropix_mcp/ package is the actual shippable code (src layout, console script, wheels on GitHub releases); the case folders hold real, sealed investigations.
How to read this tree: top-down by area โ root files first, then the MCP-server package (core modules, then each subpackage), then the docs/ sections, then case-activation/ runs and the sealed case reports. Each โ comment says what the file/dir actually does; only key files per area are shown.
agentropix-mcp/
โ
โ โโ Root files: landing, index, evaluator routing, audits, LLM context โโ
โโโ README.md โ Landing page โ evaluator letter, 60-sec connect, workflow
โโโ INDEX.md โ Routed master TOC โ audience + question-it-answers per page
โโโ EVALUATION-MAP.md โ Judge router โ 8 submission requirements to evidence
โโโ CLAUDE.md โ Portal working conventions + canonical/accuracy rules
โโโ DOCUMENTATION-PLAN.md โ Build plan โ oracle source, portal layout, sections
โโโ AUDIT-COVERAGE.md โ Per-section index-coverage audit โ 0 broken/orphan links
โโโ ACCURACY_REPORT.md โ Code/QA accuracy audit โ benchmarks, recall, thresholds
โโโ EVIDENCE_DATASET_DOCS.md โ Evidence-dataset inventory โ provenance, SHA-256, ingestion
โโโ llms.txt โ Curated LLM index โ one-paragraph system summary
โโโ llms-full.txt โ Expanded LLM context โ inlines 19 core docs
โโโ LICENSE โ MIT License (galvangabriel-web, 2026)
โโโ .gitignore โ Excludes local-only: evaluation*/, video archives, dist
โโโ .nojekyll โ Empty marker โ disables Jekyll for GitHub Pages
โ
โ โโ agentropix_mcp/ : the installable MCP-server PACKAGE (src layout) โโ
โโโ agentropix_mcp/
โ โโโ pyproject.toml โ Package metadata โ deps + extras [forensics]/[reports]/[engine], console script
โ โโโ README.md โ Package README โ install, MCP client config, tool surface
โ โโโ dist/ โ Built wheel + sdist (gitignored; attached to GitHub releases)
โ โโโ tests/ โ Package test suite for the MCP server surface
โ โโโ src/agentropix_mcp/
โ โ โโ Core modules โโ
โ โโโ __init__.py โ Package init โ version 0.3.0, governed-DFIR-MCP summary
โ โโโ fastmcp_app.py โ FastMCP stdio surface โ entrypoint main(), thin routes over server.py
โ โโโ server.py โ Inner MCP tool implementations โ enforcement boundary (read-only)
โ โโโ thymus_policy.py โ Thymus read-only path policy + JSONL audit ring at MCP boundary
โ โโโ courtroom.py โ Chain-of-custody โ image SHA-256 + HMAC-sealed report/audit envelopes
โ โโโ config.py โ Config loader โ file/env settings, policy + tool defaults
โ โโโ audit_analyzer.py โ Summarizes Thymus JSONL audit logs for security review
โ โโโ secrets.py โ Telegram-token resolver + logging-safe secret redactor
โ โโโ _env.py โ AGENTROPIX_* env-var helpers โ clamped int/float tunables
โ โโโ _trace.py โ Per-tool tracing โ contextvar buffer, @traced, args_hash
โ โโโ _tool_pins.py โ Startup SHA-256 pin-check of external forensic binaries
โ โโโ _startup_banner.py โ Logs effective AGENTROPIX_* env config banner at startup
โ โ
โ โ โโ Subpackages โโ
โ โโโ agents/ โ 7-agent DFIR SwarmAgent specialists + shared blackboard
โ โ โโโ _base.py โ Base SwarmAgent contract โ pure, no LLM coupling
โ โ โโโ _blackboard.py โ Shared blackboard โ cross-agent aggregation + quorum
โ โ โโโ hunt.py โ HuntAgent โ cross-source correlation specialist
โ โ โโโ memory.py โ MemoryAgent โ volatile-evidence specialist
โ โ (also: discovery, mail, timeline, artifact, filesystem)
โ โโโ wrappers/ โ Forensic tool wrappers (Volatility/TSK/YARA/Plaso/registry/case)
โ โ โโโ volatility.py โ Volatility3 memory-forensics wrappers (pslist etc.)
โ โ โโโ tsk.py โ Sleuth Kit โ filesystem listing via fls
โ โ โโโ correlation.py โ W-150 deterministic cross-artifact correlation
โ โ โโโ _safe_tool.py โ Decorator so tool exceptions never escape
โ โโโ wazuh/ โ Wazuh SIEM integration โ IOC push, alerts, registrars
โ โ โโโ client.py โ WazuhClient โ sole owner of httpx async client
โ โ โโโ orchestrator.py โ push_iocs() orchestrator โ IOC-push entry point
โ โ โโโ finding_to_alert.py โ Maps Agentropix findings to Wazuh alerts
โ โ โโโ evidence_gate.py โ Mutation-token verification for Wazuh writes
โ โ โโโ seal.py โ Courtroom seal for the IOC-push integration
โ โโโ evidence_gate/ โ Step-2 mutation-token gate โ registry + CLI
โ โ โโโ registry.py โ SQLite-backed token registry
โ โ โโโ cli.py โ CLI for the Step-2 evidence gate
โ โ โโโ errors.py โ Exception hierarchy for the gate
โ โโโ detectors/ โ ATT&CK technique detectors (4 T-codes) + YARA hunt
โ โ โโโ injection_detector.py โ Vol-driven in-memory process-injection detection
โ โ โโโ yara_hunt.py โ YARAHuntAgent โ Cobalt Strike stager detection
โ โ โโโ t1059_001_iex_loopback_c2.py โ T1059.001 IEX loopback-C2 detector
โ โ โโโ yara_rules/ โ YARA rule files used by detectors
โ โโโ reports/ โ ADR-024 multi-tier report render/export/diagrams
โ โ โโโ render.py โ Render pipeline โ Markdown โ HTML โ PDF (gated)
โ โ โโโ export.py โ Export orchestration for the three tiers
โ โ โโโ diagrams.py โ Mermaid builders โ kill-chain, ptree, IOC graph
โ โ โโโ transformers.py โ sections dict โ three tier view models
โ โโโ schema/ โ Typed tool I/O result schemas + JSON schemas
โ โ โโโ report.schema.json โ JSON schema for report output structure
โ โ โโโ master_iocs.schema.json โ JSON schema for the master-IOC aggregate
โ โ โโโ extract_archive.py โ W-095 typed result schema for extract_archive
โ โโโ security/ โ Shared credential-redaction layer (W-203)
โ โ โโโ redact.py โ Walks dict/list tree, redacts credential patterns
โ โโโ trinity/ โ Trinity loop โ Architect โ Swarm โ Critic engine
โ โ โโโ architect.py โ Architect โ picks swarm slice for next iteration
โ โ โโโ critic.py โ Critic โ scores pass, decides loop halt
โ โโโ approval_sidecar/ โ HMAC human-approval sidecar + hash chain (Starlette)
โ โโโ app.py โ Starlette approval-sidecar routes (W-288)
โ โโโ auth.py โ PBKDF2 derivation + HMAC-SHA256 signatures
โ โโโ hash_chain.py โ Hash-chain helpers (tamper-evident approvals)
โ โโโ writer.py โ IndexerClient writer, prev-hash backfill
โ โโโ nonce.py โ In-memory TTL nonce store (replay defense)
โ
โ โโ docs/ : the documentation portal (12 numbered sections + QA logs) โโ
โโโ docs/
โ โโโ 01-overview/ โ Start-here: what-is, quickstart, gold-standard user-guide
โ โโโ 02-architecture/ โ Engine build outside-in: context โ Trinity loop โ swarm โ MCP
โ โโโ 03-data/ โ Data model: Pydantic fields, schema-ER, persisted artifacts, datasets
โ โโโ 04-mcp-tools/ โ The 73-tool MCP surface: capability map, reference, envelope
โ โโโ 05-safety-forensics/ โ Safety spine: anti-hallucination, provenance, HMAC seal, approval
โ โโโ 06-use-cases/ โ Worked dual-audience scenarios + demo walkthrough + hypotheses
โ โโโ 07-sdlc-ops/ โ Build/test/secure/deploy/evaluate/maintain + accuracy supplements
โ โโโ 08-reference/ โ CLI, glossary, ADR index, design rationale, canonical-facts authority
โ โโโ 09-integrations/ โ Wazuh SOC push + remote tailnet client setup
โ โโโ 10-agents/ โ Runtime swarm vs BMAD personas; TrinityโSwarmโMCP model
โ โโโ 11-ADR/ โ 31 Architecture Decision Records (oracle mirror; header = index)
โ โโโ 12-CASES-REPORTS/ โ Sealed DFIR case reports โ one folder per case, PNG diagrams
โ โ โโโ README.md โ House-style index โ one heading + read-order per case
โ โ โโโ srl-2015-report/ โ SRL-2015: 4-host enterprise APT, USB-over-Ethernet C2, 17 approved
โ โ โโโ srl-2018-report/ โ SRL-2018: network-wide APT / Cobalt Strike-Empire C2, multi-host
โ โ โโโ vanko-report/ โ VANKO: insider IP-theft (zebrafish trade secrets), 10 approved
โ โ โโโ cfreds-hacking-case-report/ โ CFReDS: Mr. Evil wireless interception, XP disk, 35 approved
โ โ โโโ srl-2018-artifact-inventory.md โ SRL-2018 inventory (9,578 findings, 29 hosts; oracle mirror)
โ โโโ issues/ โ QA logs: diagram/case-guide audits, video-playback troubleshooting
โ
โ โโ case-activation/ : per-case Activation Guides + executed runs โโ
โโโ case-activation/
โ โโโ README.md โ Folder intro โ 8-step template, dual-audience, approval hard-stop
โ โโโ INDEX.md โ Master index โ disk/memory/mixed tables, recorded-runs
โ โโโ cfreds-hacking-case-4dell.md โ Guide: NIST CFReDS Hacking Case (Greg Schardt XP disk)
โ โโโ techhive-chad-lt-laptop.md โ Guide: TheTechHive Chad_LT โ only Windows-on-ARM disk case
โ โโโ jimmy-wilson-study-case.md โ Guide: Jimmy Wilson study-case NTFS E01 disk
โ โโโ dfrws-2005-rodeo-usb.md โ Guide: DFRWS 2005 Rodeo RHINOUSB (raw FAT16 dd)
โ โโโ vanko-abducted-zebrafish.md โ Guide: VANKO insider IP-theft, 21-segment EWF disk
โ โโโ amf-memory-samples.md โ Guide: Art-of-Memory-Forensics RAM dumps (Win/Linux/Mac)
โ โโโ challenge-notch-it-up.md โ Guide: Challenge "Notch It Up" raw RAM dump
โ โโโ contact-me-memory.md โ Guide: CTF contact_me raw RAM dump
โ โโโ memdump-mem.md โ Guide: generic 512 MiB raw memory dump
โ โโโ memlabs-dumps.md โ Guide: MemLabs CTF memory dumps (6 labs)
โ โโโ win-xp-laptop-2005.md โ Guide: Windows XP 2005 RAM capture (mislabeled disk)
โ โโโ srl-2015-apt-enterprise.md โ Guide: SRL-2015 4-host APT (mixed disk+memory)
โ โโโ srl-2018-compromised-enterprise.md โ Guide: SRL-2018 compromised enterprise (7 EWF + 22 memory)
โ โโโ rocba-hackathon-2026.md โ Guide: ROCBA 2026 Win10 insider (1 EWF + raw memory)
โ โโโ runs/ โ Executed transcripts โ captured MCP/engine runs + rendered MP4s
โ โโโ README.md โ Runs index โ per-folder kind/evidence/headline table
โ โโโ contact-me-memory/ โ MCP full-loop run+video: contact_me RAM, SIMULATED approval
โ โโโ amf-win-sample001/ โ MCP full-loop run+video: AMF Windows sample (300s malfind)
โ โโโ memdump-raw-2014/ โ MCP full-loop run+video: 2014 raw RAM, windows_info caveat
โ โโโ challenge-notchitup/ โ MCP full-loop run+video: Notch It Up pslist/netscan/malfind
โ โโโ srl-2018-compromised-enterprise/ โ MCP activation steps 1-6: SRL-2018 DC disk+memory
โ โโโ vanko-abducted-zebrafish/ โ MCP activation steps 1-5: VANKO 21-segment EWF
โ โโโ jimmy-wilson-poc/ โ Engine triage PoC+video+raw logs: Jimmy Wilson E01
โ โโโ dfrws-rodeo-poc/ โ Engine triage PoC+log: DFRWS Rodeo USB, honest negatives
โ โโโ engine-smoke-sample-dd/ โ Engine smoke run: synthetic sample.dd, first sealed record
โ โโโ rocba/ โ Live-MCP triage + req-8 agent-execution log + engine-run
โ โ โโโ EXECUTION-LOG.md โ ROCBA req-8 agent-execution-log doc (findings, honest gotchas)
โ โ โโโ engine-run/ โ Trinity-engine agentโblackboard showcase (publishes + plan-shrink)
โ โโโ WINXP-LAPTOP-2005/ โ Agent-execution-log run + rendered 3:19 deck video
โ โ โโโ WINXP-LAPTOP-2005-video/ โ Rendered execution MP4 + watch.html + correlation/storyboard
โ โโโ _assets/ โ Shared assets for run pages
โ
โ โโ Media / supporting assets โโ
โโโ assets/ โ Shared portal images and SVGs
โโโ Final_Video/ โ Featured Case Evaluation walkthrough video(s)Legend / conventions
โcomments describe what each file/dir actually does; only key files per area are listed (subpackages list their most load-bearing modules, not every file).src layout: the package is
agentropix_mcp/src/agentropix_mcp/with a console scriptagentropix-mcpโfastmcp_app:main.fastmcp_app.pyis the thin FastMCP/stdio protocol surface;server.pyholds the real tool logic and the Thymus read-only enforcement boundary. Underscore-prefixed modules (_env,_trace,_tool_pins,_startup_banner) are internal infra.Install extras:
[forensics](Volatility/TSK/YARA/Plaso runtime deps),[reports](MDโHTMLโPDF render stack),[engine](the Trinity loop + swarm agents). Built wheels live in the gitignoreddist/and are attached to GitHub releases.Docs โ audience mapping:
01-overview/06-use-casesare operator/end-user oriented (dual-audience, prompt + CLI);02-architecture/03-data/04-mcp-tools/10-agentsare reference/architecture;05-safety-forensics/07-sdlc-ops/08-reference/09-integrationscover the forensic/safety, SDLC-ops, lookup, and integration layers;11-ADRis the decision record,12-CASES-REPORTSthe sealed investigations.Canonical numbers (73 MCP tools, 31 ADRs, per-case approval counts) come from
docs/08-reference/canonical-facts.md; case-report diagrams are committed as PNG (not inline Mermaid) for reliable GitHub rendering, and recovered malware is withheld-by-reference (SHA-256 only).
Acknowledgments
Built on the shoulders of the open-source DFIR ecosystem: the SANS SIFT Workstation and the forensic
tools it bundles โ Volatility3, Plaso/log2timeline, The Sleuth Kit, python-evtx,
YARA, bulk_extractor, RegRipper, the EZ-Tools family, and the mail-parsing libraries
(libpff, extract-msg). The MCP surface is served by FastMCP.
License
Released under the MIT License.
This server cannot be installed
Maintenance
Resources
Unclaimed servers have limited discoverability.
Looking for Admin?
If you are the server author, to access and configure the admin panel.
Latest Blog Posts
- Your AI Chatbot Just Exposed Your CEO's Salary to an InternBy Om-Shree-0709 on .Agent IdentityMCP SecurityOAuth Delegation
- Why MCP Servers Need Execution Sandboxing (And Why Your Current Stack Isn't Enough)By Om-Shree-0709 on .Agentic AiPrompt InjectionWebAssembly
MCP directory API
We provide all the information about MCP servers via our MCP API.
curl -X GET 'https://glama.ai/api/mcp/v1/servers/galvangabriel-web/agentropix-mcp'
If you have feedback or need assistance with the MCP directory API, please join our Discord server