Skip to main content
Glama
galvangabriel-web

agentropix-mcp

Agentropix-SIFT

Agentropix-SIFT โ€” MCP Unified Forensic Triage Architecture: 73 tools and 16 SIFT forensic wrappers behind one MCP interface; an agent swarm cuts days of disk + memory triage to minutes, with every finding deterministic and hashed

Dear Evaluator,

My name is Gabriel Galvan, and I am proud to introduce the Agentropix MCP solution.

This innovative solution enables the initial triage phase of modern digital forensic investigations. I created this repository to demonstrate how Agentropix was designed, the key considerations that guided its development, and the features it provides. A detailed roadmap outlining the project's vision, architecture, and capabilities is included at the end of this document.

The documentation section is fully completed and contains all the information required to understand how the solution works. In addition, you will find case analyses, technical reports, specifications, and supporting documentation that demonstrate the functionality and effectiveness of Agentropix MCP.

Thank you for taking the time to evaluate this project. I hope you find Agentropix MCP both innovative and valuable for modern forensic analysis workflows.

โ€” Gabriel Galvan

๐Ÿงญ Judges: the Evaluation Map routes each of the 8 submission requirements (code ยท demo video ยท architecture diagram ยท project story ยท datasets ยท accuracy ยท try-it-out ยท execution logs) to its exact evidence in this repository โ€” or watch the ๐ŸŽฌ 2 min 24 s Submission Evidence Tour (build sources) (auto-plays): one animated scene per requirement, each with a live-captured proof panel. And for the investigation flow itself, the ๐ŸŽž๏ธ six-stage workflow animation plays inline right on this page โ€” doctor โ†’ run โ†’ review โ†’ human gate โ†’ seal โ†’ escalate โ€” and the ๐ŸŽž๏ธ safety proof reel shows every anti-hallucination guarantee backed by real cited evidence from the sealed execution logs.

๐ŸŽฅ Featured video โ€” Case Evaluation walkthrough (8 min 27 s, narrated) โ–ถ on Vimeo โ€” the full SRL-2015 evidence walkthrough, with every headline number re-computed live from the committed raw data: 2,233 findings ยท 12 malicious IOCs of 91 ยท 5 malfind payloads ยท 21/21 hash-verified samples ยท YARA 5/5 ยท 17 examiner-approved findings. Local copy in-repo: Final_Video/SRL-2015-EVIDENCE-presentation.mp4.

๐Ÿ”Ž Audit reports (auto-generated, repo-grounded โ€” every figure cites its source): Evidence Dataset Documentation โ€” full inventory of the case datasets with provenance, SHA-256 integrity, schemas, and the ingestion pipeline; and the System Accuracy & Validation Report โ€” component benchmark matrix, recall metrics (72/72 disk ยท 108/118 memory), and algorithmic-drift findings with file:line refs.

๐Ÿค– For LLMs / AI agents: a llms.txt curated index (project summary, canonical facts, and links to every core doc) โ€” and llms-full.txt, the expanded variant that inlines the full content of the core docs for single-pass ingestion.

License: MIT Python 3.12+ MCP tools: 73 SIFT wrappers: 16 Tests: 4687 Disk recall: 72/72

Autonomous DFIR triage on the SANS SIFT Workstation โ€” that never lets the LLM rate its own findings.

Point it at a Windows disk or memory image. It drives 16 real SIFT forensic tools through one MCP server (73 tools), correlates across a 7-agent swarm on a quorum blackboard, and emits a cryptographically sealed, schema-validated JSON triage report โ€” in minutes, on the local host, with no LLM ever in the halt path. (Source: what-is-agentropix.md.)

A local, CLI-driven, bio-agentic DFIR triage engine for the SANS SIFT Workstation.

๐Ÿ—บ๏ธ Evaluators โ€” the Strategic Project Roadmap (2026-06-11) is the "where this is, where it's going" document: the development Gantt with the critical path to GA, the system-lifecycle state machine (orchestration, thread taxonomy, apoptosis), phase milestones (Foundation โ†’ Orchestration โ†’ Scale & GA), technical specifications, and risk mitigation โ€” the strategic companion to the Architecture chapter.


Related MCP server: SIFTAgent

๐Ÿงช Judge / Try-it-out โ€” run locally in 5 minutes

Free of charge, no signup, no account, no VPN/tailnet required. Everything below runs on 127.0.0.1 using the open-source wheel vendored in this repo.

# 1. Install the MCP server (pick one)
pip install ./agentropix_mcp        # from this checkout โ€” vendored at agentropix_mcp/
# โ€ฆor the released wheel:
pip install https://github.com/galvangabriel-web/agentropix-mcp/releases/download/v0.3.0/agentropix_mcp-0.3.0-py3-none-any.whl

# 2. Generate a local auth token and start the server (boot is fail-closed without one)
export AGENTROPIX_MCP_AUTH_TOKEN="$(openssl rand -base64 32)"
agentropix-mcp --transport http --port 8765

# 3. In another terminal, point Claude Code at your local server (same token)
claude mcp add --transport http agentropix-sift "http://127.0.0.1:8765/mcp" \
  --header "Authorization: Bearer $AGENTROPIX_MCP_AUTH_TOKEN"

4. Smoke-test it โ€” ask the model:

"Use the agentropix-sift MCP server. Run the health tool and tell me the tool_count."

Expected: tool_count: 73 (the live count is authoritative โ€” this number may lag).

More detail (self-hosting the full engine, requirements table): see Installation / Quickstart below and the Quickstart guide.


๐Ÿš€ Deploy, run & extend it yourself

The 5-minute block above is the smoke test. Here is the full path from zero to running the agent on your own evidence and building on it โ€” each step links the complete guide (nothing duplicated):

  1. Install the agent โ€” agentropix_mcp/README.md (the package ships the engine: agents/, detectors/, trinity/, wrappers/) ยท full self-host: deployment.md.

  2. Configure your MCP client (Claude Code / Claude Desktop) โ€” client-setup.md.

  3. Run it on a disk or memory image โ€” try-it-end-to-end.md (one prompt, disk and memory) ยท the two install paths + doctor output: quickstart.md.

  4. Reproduce a published case from scratch โ€” reproduce-datasets.md (public dataset URLs + hashes; the CFReDS "Hacking Case" is a fully-public end-to-end loop) ยท compare your run against the sealed case reports.

  5. Extend it โ€” add your own SwarmAgent, ATT&CK detector, or tool wrapper: extend-the-swarm.md (source-cited recipes + the test contract).

What runs today vs. what needs the engine repo: the vendored MCP-server wheel (Path A, pip install ./agentropix_mcp) drives the real forensic tools against your image through Claude right now โ€” install, configure, run, and extend are all reproducible from this checkout. The fully-autonomous Trinity-Loop engine run (Path B) additionally needs the engine distribution (currently private โ€” request access); the honest scope note is kept throughout.


โšก Connect to a hosted instance (author's tailnet โ€” optional)

Judges / evaluators: you do not need this โ€” use the local path above (Judge / Try-it-out); this section is only for users invited to the author's private tailnet.

๐Ÿš€ Already have a SIFT host running on our tailnet? Point Claude at it right now โ€” no install, no build. One command and you're driving 73 forensic tools from Claude. Full guide โ†’ docs/09-integrations/client-setup.md.

NOTE

First: join the tailnet (one-time). The server http://100.85.162.82:8765/mcp is tailnet-only โ€” reachable through Tailscale, never the public internet. Before the steps below:

  1. Accept the invite and sign in with your Google / Microsoft identity โ†’ Tailscale invite (then ping the operator to approve your device).

  2. Install the Tailscale client โ€” macOS brew install --cask tailscale ยท Windows MSI ยท Linux curl -fsSL https://tailscale.com/install.sh | sh && sudo tailscale up

  3. Verify: tailscale status lists siftworkstation โ€ฆ 100.85.162.82, and ping 100.85.162.82 succeeds.

Full per-OS install + a combined token-and-reachability probe: Client Setup โ†’ Step 1.

You only need ONE client. Most people want the Claude Code CLI.

โ–ถ Client A โ€” Claude Code CLI (recommended โ€” one line, all platforms)

claude mcp add --transport http agentropix-sift \
  "http://100.85.162.82:8765/mcp" \
  --header "Authorization: Bearer jlviTMFYAsAuxL1AiagDvFChIs4baYHe6OeRAdBzaLs"

Verify:

claude mcp list
# Expected: agentropix-sift  http://100.85.162.82:8765/mcp  โœ“ Connected

โ–ถ Client B โ€” Claude Desktop App (via the mcp-remote shim)

Claude Desktop speaks stdio only, so it bridges to the HTTP server through the npx mcp-remote shim. Prerequisite: Node.js โ‰ฅ 18 on PATH (node --version); install LTS from https://nodejs.org/ if missing.

1. Find your config file:

OS

Path

macOS

~/Library/Application Support/Claude/claude_desktop_config.json

Windows

%APPDATA%\Claude\claude_desktop_config.json

Linux

~/.config/Claude/claude_desktop_config.json

2. Edit it (create if absent). The command differs per OS โ€” Windows uses npx.cmd, macOS/Linux use bare npx:

{
  "mcpServers": {
    "agentropix-sift": {
      "command": "npx",
      "args": [
        "-y",
        "mcp-remote",
        "http://100.85.162.82:8765/mcp",
        "--allow-http",
        "--header",
        "Authorization: Bearer jlviTMFYAsAuxL1AiagDvFChIs4baYHe6OeRAdBzaLs"
      ],
      "env": {}
    }
  }
}
{
  "mcpServers": {
    "agentropix-sift": {
      "command": "npx.cmd",
      "args": [
        "-y",
        "mcp-remote",
        "http://100.85.162.82:8765/mcp",
        "--allow-http",
        "--header",
        "Authorization: Bearer jlviTMFYAsAuxL1AiagDvFChIs4baYHe6OeRAdBzaLs"
      ],
      "env": {}
    }
  }
}

3. Restart Claude Desktop โ€” fully quit (โŒ˜Q / tray โ†’ Quit) and relaunch, not just close the window.

โœ… Smoke-test it

Ask the model:

"Use the agentropix-sift MCP server. Run the health tool and tell me the tool_count."

Expected: tool_count: 73 (the live count is authoritative โ€” this number may lag).

First time on the tailnet, or hit a 401 / timeout? The complete quickstart โ€” Tailscale invite, per-OS install, token facts, and a full troubleshooting matrix โ€” is in ๐Ÿ“˜ Client Setup โ€” Install Quickstart.


Start here โ€” pick your lane

Four audiences, four fast paths. Each row is an ordered reading trail; the full routing lives in the Documentation Index.

You are aโ€ฆ

You want toโ€ฆ

Start here โ†’ then

๐Ÿง‘โ€๐Ÿ’ป Software engineer

understand the architecture, build/test/extend it

Implementation โ†’ Trinity Loop โ†’ Swarm & Blackboard โ†’ FastMCP Server โ†’ Extend the Swarm โ†’ Testing โ†’ ADRs (decision contract)

๐Ÿ›ก๏ธ SOC analyst

run a triage, hunt IOCs, push to the SIEM

User Guide (runbook) โ†’ Disk triage โ†’ Memory triage โ†’ Wazuh push โ†’ CLI Reference

โš–๏ธ Evaluator / judge

verify the claims, soundness, chain of custody

Canonical Facts โ†’ Anti-Hallucination โ†’ Audit & Courtroom Seal โ†’ Evidence integrity (visual) โ†’ Recall methodology โ†’ Evaluation scorecard โ†’ SWOT

๐Ÿ’ฌ End-user (non-technical)

get answers by just asking Claude

Try it end-to-end โ€” one prompt (a single copy-paste prompt runs a whole public case) โ†’ the Two Paths table below โ†’ end-user lanes in the User Guide โ†’ Tool Capability Map

๐Ÿ‘‹ First time? The single best entry point is the User Guide โ€” The Complete Operator Runbook: one complete case, end-to-end (pre-flight โ†’ connect/verify the MCP โ†’ init/activate the case โ†’ register evidence โ†’ the investigation tool chain โ†’ record findings โ†’ approve in the portal โ†’ seal the report โ†’ optional Wazuh push), documenting both execution paths (manual ยท autonomous) and both clients (Claude CLI ยท Claude Desktop), with the validated 2026-05-29 CFReDS run as a worked example.


What it is โ€” and why

Agentropix-SIFT turns a SIFT Workstation into an autonomous-but-accountable triage operator. A Trinity Loop โ€” an Architect that proposes which agents to run, a 7-agent Swarm that drives deterministic forensic tools, and a Critic that scores findings and halts on a deterministic convergence fingerprint (with no LLM self-rating) โ€” orchestrates 73 MCP tools over a single FastMCP server. The result is a fast first pass over disk images, memory dumps, and Windows artifacts that produces an evidence-grounded, cryptographically sealed triage report a human examiner can trust and defend.

Its central claim is simple and load-bearing: the LLM never touches a fact. Every finding it records is produced by a deterministic forensic binary, fingerprinted with SHA-256, and tagged with a provenance tier โ€” precisely so a human can verify it.

Important โ€” this is a triage accelerator, not an oracle. Agentropix-SIFT is built to be checked, not believed. The LLM proposes and narrates; it never rates its own work and never becomes the source of a finding. You remain the examiner of record. Review the findings, confirm the underlying artifacts, and use the optional human-in-the-loop approval gate before anything is sealed or escalated. See Anti-Hallucination.


How AI drives Agentropix โ€” the consumer model

The novel angle is where the AI sits. Agentropix-SIFT is deterministic layers with the stochastic LLM confined to the top. The LLM is not an oracle wired into the findings โ€” it is simply a consumer of the same FastMCP tool surface that the CLI uses. From the MCP boundary down, everything is pure Python driving classical forensic binaries: no RNG, no LLM self-rating.

You drive it two ways from one engine: as a plain agentropix-sift run command, or by talking to an LLM (Claude Desktop / Claude Code) that has the MCP server connected. A non-technical examiner can type "open a case for this disk image and run the SIFT triage" and the session routes it to the real MCP tools; an expert calls the exact tool. Adapt Agentropix to the user, not the user to Agentropix.

Diagram โ€” rendered at high resolution

flowchart TB
    classDef stoch fill:#fff5e6,stroke:#f59f00,color:#222,stroke-width:2px
    classDef det fill:#e6ffea,stroke:#2f9e44,color:#222,stroke-width:2px
    classDef anchor fill:#eef2ff,stroke:#3b5bdb,color:#222,stroke-width:2px
    classDef leak fill:#fff0f0,stroke:#e03131,color:#222,stroke-width:2px

    LLM["<b>Consumer (LLM or CLI)</b><br/>Claude Code / Desktop / cli.py<br/><i>stochastic only when LLM-driven</i>"]:::stoch

    subgraph TR["Trinity Loop โ€” deterministic, no LLM authoring"]
        ARCH["<b>Architect</b> ยท plan()<br/>order/prune SWARM<br/>trinity/architect.py"]:::det
        CRIT["<b>Critic</b> ยท score()/halt<br/>convergence fingerprint<br/>trinity/critic.py"]:::det
    end

    subgraph SW["Swarm โ€” 13 SwarmAgent classes"]
        AGENTS["7 specialists + 6 ATT&CK detectors<br/>agents/ ยท detectors/"]:::det
        BB[("Blackboard<br/>(agent, Finding) registry<br/>correlations() at quorum")]:::anchor
    end

    subgraph MCP["MCP boundary โ€” the enforcement spine"]
        TOOLS["73 MCP tools<br/>traced ยท rate-limited ยท Thymus-gated"]:::det
        BIN["SIFT binaries<br/>vol3 / plaso / tsk / yara / EZ-Tools"]:::leak
    end

    LLM -- "args_hash + raw_output cross the boundary" --> ARCH
    ARCH -- "ordered plan" --> AGENTS
    AGENTS -- "publish Finding" --> BB
    AGENTS -- "tools/call" --> TOOLS
    TOOLS --> BIN
    BB --> CRIT
    CRIT -- "stable_agents (next iteration)" --> ARCH

๐Ÿ“ Rendered as a high-resolution PNG so it displays crisply on GitHub and GitLab โ€” Open as SVG (vector, zoomable).

  • One tool surface, two consumers. The same @app.tool() functions the swarm calls are also exposed to an LLM client; the server is built by _build_app() / FastMCP("agentropix-sift") (mcp_server/fastmcp_app.py). Console scripts differ by distribution: the vendored MCP-server wheel (Path A, pip install ./agentropix_mcp) installs agentropix-mcp only; the full engine (Path B) installs agentropix-sift (triage CLI) and agentropix-sift-mcp (the MCP server). An LLM connects to the MCP-server script; the CLI bypasses it and drives the engine directly. See The FastMCP Server.

  • Two transports. The MCP server speaks stdio (default โ€” paired with a Claude Desktop / Claude Code mcp.json entry) or HTTP+SSE under /mcp (tailnet-only, Bearer-gated, default port 8765). Both funnel into the same tool core. See Connect a Client.

  • The LLM proposes, never authors. The args_hash + bounded raw_output snapshot is captured at the MCP boundary, so a sealed report can prove the LLM phrased a request three ways but never authored โ€” or touched โ€” a fact. Agents are pure async coroutines over the MCP boundary, with no LLM coupling (agents/_base.py).

"Agent" means two different things here. The runtime DFIR swarm agent (a SwarmAgent subclass that investigates evidence) is unrelated to the build-time BMAD dev-crew persona. Section 10 disambiguates them โ€” read The Agentic Architecture first whenever the word is ambiguous.


What you get โ€” capability highlights

Capability

The one-line value

Canonical figure

Source-code home

Trinity Loop

Deterministic Architect โ†’ Swarm โ†’ Critic control loop; halts on a convergence fingerprint, never on an LLM self-rating

Critic halt default 0.85

trinity/architect.py, trinity/critic.py, orchestrator.py

73 MCP tools

One FastMCP server exposes 73 distinct forensic tools over stdio + HTTP

73 tools

mcp_server/fastmcp_app.py

16 SIFT wrappers

Hardened drivers (timeout, memory ceiling, retry, stderr capture, tracing) around the 16 trusted SIFT binaries

16 wrappers

mcp_server/wrappers/

7-agent Swarm + ATT&CK detectors

Memory, Timeline, Filesystem, Artifact, Discovery, Mail, Hunt specialists + 6 deterministic MITRE ATT&CK detectors

7 specialists (13 SWARM classes)

agents/, detectors/

Quorum Blackboard

An observation is promoted to a Correlation only when enough agents corroborate the same token

quorum default 2

agents/_blackboard.py

Thymus read-only policy

Every mcp_* call is checked against a path allowlist before any subprocess spawns โ€” evidence is structurally read-only (no write tool exists)

deny-by-default

mcp_server/thymus_policy.py

Courtroom seal

SHA-256 evidence byte-binding + HMAC-SHA256 report/audit-log seal โ†’ a report a judge can independently verify

mode-0600 session key

courtroom.py

Provenance & grounding

Every Finding._source names the tool that produced it; inference_constraint = high; per-row HMAC chain validation

3 grounding layers

agents/_base.py, provenance/validate.py

Approval sidecar (HITL)

Optional HMAC examiner sign-off: PBKDF2 key (600k iters) + nonce + append-only approval hash chain + browser form

2 MCP tools

approval_sidecar/

Wazuh SIEM push

Promote findings/IOCs into Wazuh behind default-deny kill switches + active-response CIDR guard

5 Wazuh tools

wazuh/

Chaos-tested resilience

Fault-injection tests prove graceful degradation: a missing tool skips an agent, not the run

chaos test marker

tests/chaos/

Full capability matrix: What You Get.


Architecture

The shape: one deterministic loop over one tool server, with a safety spine.

A DFIR examiner drives Agentropix-SIFT from the CLI on a local SIFT host. The engine never reaches outside that host except for the optional Wazuh push of already-APPROVED findings.

Diagram โ€” rendered at high resolution

flowchart TB
    classDef actor fill:#d0bfff,stroke:#7048e8,color:#2b1a52,stroke-width:2px
    classDef core fill:#b2f2bb,stroke:#2f9e44,color:#15391f,stroke-width:2px
    classDef ext fill:#e9ecef,stroke:#495057,color:#212529,stroke-width:1px
    classDef sink fill:#ffec99,stroke:#f08c00,color:#5c4400,stroke-width:1.5px

    Examiner(["DFIR Examiner<br/>runs triage ยท reviews ยท approves findings"]):::actor

    subgraph Host["SANS SIFT Workstation โ€” local host"]
        Agentropix["Agentropix-SIFT<br/>Trinity Loop engine + FastMCP server (73 tools)"]:::core
        Toolchain["SIFT Forensic Toolchain<br/>Volatility3 ยท Plaso ยท Sleuth Kit ยท EVTX ยท YARA ยท โ€ฆ (16 tools)"]:::ext
        Evidence[("Evidence Store<br/>E01 / raw / memory โ€” read-only")]:::ext
    end

    Wazuh["Wazuh / SIEM<br/>optional alert sink for APPROVED findings"]:::sink

    Examiner -->|"agentropix-sift run / review / approve"| Agentropix
    Agentropix -->|"invokes deterministic binaries (read-only)"| Toolchain
    Agentropix -->|"reads + SHA-256 fingerprints, never mutates"| Evidence
    Agentropix -->|"pushes APPROVED findings (optional)"| Wazuh

    style Host fill:#f1f3f5,stroke:#868e96,color:#212529

๐Ÿ“ Rendered as a high-resolution PNG so it displays crisply on GitHub and GitLab โ€” Open as SVG (vector, zoomable).

Internally, the Architect proposes which agents to spawn (by default it returns the canonical SWARM tuple in priority order; a default-on Reflexion-lite step drops agents the Critic marked stable). The 7-agent Swarm invokes the 16 wrapped SIFT forensic tools through the FastMCP server's 73-tool surface, writing Findings to a shared Blackboard; cross-agent agreement at a quorum of 2 becomes a Correlation. The Critic scores the accumulated findings with a closed-form rule โ€” score = min(1.0, max_confidence + 0.25 ยท len(correlations)) โ€” and halts deterministically when the findings stop changing (a convergence fingerprint), bounded by a hard max_iterations budget, never on an LLM's self-assessed confidence. The Thymus read-only policy and the pre/post SHA-256 evidence invariant sit between every tool and the evidence store. Finally the Courtroom seals the audit log with HMAC-SHA256 and validates the provenance chain.

๐Ÿ“ The validated architecture diagram โ€” one page, source-verified

The complete picture lives in Main Architectural Agentropix Design โ€” one validated diagram covering the agent layer โ†’ MCP server โ†’ SIFT Workstation tools โ†’ data sources โ†’ output pipeline, the architectural-pattern verdict (Custom MCP Server โ€” and why it is not a Direct Agent Extension, Multi-Agent Framework, or Agentic IDE), and the full ARCHITECTURAL vs PROMPT-BASED guardrail split with every row cited to its enforcing source file. Every component was contrasted against the oracle source code; every documentation-vs-source disagreement is called out on the page.

๐Ÿ“• Full document as high-quality PDF (the complete design document โ€” diagram, component narrative, pattern verdict, guardrail table) ยท ๐Ÿ“„ Diagram-only HD PDF (vector) ยท ๐Ÿ–ผ๏ธ PNG ยท ๐Ÿ” SVG

For the deeper layers: System Context & Containers ยท Component Architecture & Layer Map ยท The Trinity Loop ยท Sequence Diagrams.

Key design decisions (the decision contract)

The architecture is contracted in immutable Architecture Decision Records mirrored from the oracle. The load-bearing ones for newcomers:

ADR

Decision

ADR-002 โ€” Execution engine

The deterministic Trinity Loop as the execution model.

ADR-008 โ€” Safety architecture

The deny-by-default Thymus boundary + evidence read-only invariant.

ADR-011 โ€” Evidence gates

Pre/post SHA-256 evidence-integrity gates.

ADR-016 โ€” Courtroom audit / ADR-022 โ€” Audit-log seal

HMAC-SHA256 tamper-evident chain of custody.

ADR-017 โ€” Tailnet MCP exposure

HTTP transport is tailnet-only + Bearer-gated.

ADR-018 โ€” Wazuh IOC push / ADR-019 โ€” AR confirmation gate

Default-deny SIEM push + active-response confirmation.

Read the status column literally (Proposed โ‡’ not shipped; Deferred โ‡’ documented, not implemented). Full index: ADR Index ยท Section 11 โ€” ADRs ยท rationale narratives in Design Decisions.


๐Ÿš€ One prompt. Six guarded stages. A sealed, court-ready report.

You don't need to memorise a single flag. Connect the Agentropix MCP to Claude, then say what you want in plain English โ€” "open a case for this disk image and run the full SIFT triage" โ€” and the session routes your words to real forensic tools. The six stages below run the same whether an expert types the command or a non-technical examiner just asks. Adapt Agentropix to the user, not the user to Agentropix.

๐Ÿ“‹ Copy-paste, end-to-end: paste one of the two blocks below into a Claude session with the Agentropix MCP connected โ€” it runs the entire six-stage flow on a real case and returns every result, stopping only at the human approval gate. Full guide, step-by-step tool map, and flow diagrams: Try it end-to-end โ€” one prompt, a full investigation.

You are my DFIR analyst, and you have the Agentropix-SIFT MCP server connected. Investigate ONE
case end-to-end and show me every result. Work autonomously โ€” don't ask me questions โ€” and stop
only at the human approval gate.

THE CASE
- Name: CFReDS "Hacking Case" (Greg Schardt / "Mr. Evil")
- Case ID: CFREDS-HACKING-CASE-4DELL  (examiner: victor.galvan, severity: high)
- Evidence (disk, EWF): /cases/cfreds-fresh/4Dell-Latitude-CPi.E01   (the .E02 segment is read automatically)
- It is a Windows XP disk image. There is NO memory dump โ€” do NOT use any memory/Volatility tools
  (no pslist / netscan / malfind / svcscan / process_tree).

PER-CASE RULES (follow exactly โ€” they matter):
- The NTFS volume starts at sector offset 63. Pass offset 63 to file-listing and file-extraction.
  Confirm the partition layout first.
- Windows XP event logs are ".evt" โ†’ use the .evt event-log tool (get_evt), NOT the Vista+ .evtx one.
  Skip Amcache (it is Windows 7+ only).
- Put any carving output dir under /tmp/agentropix-sift-  (e.g. /tmp/agentropix-sift-cfreds-be).

DO THIS IN ORDER, AND SHOW ME EACH RESULT:
0. Pre-flight + custody: confirm the forensic environment is ready, then verify the image integrity
   and show me who acquired it and what OS it is. (Expect stored MD5 == aee4fcd9301c03b3b054623ca261959a.)
1-3. Open case CFREDS-HACKING-CASE-4DELL (high severity, examiner victor.galvan, evidence in
   /cases/cfreds-fresh), make it the active case, and confirm it's active and the indexer is reachable.
4. Register the E01 as evidence and give me its SHA-256 chain-of-custody hash.
5. Analyze the disk and report each result:
   a. Partition layout โ€” confirm NTFS at offset 63.
   b. List all files (offset 63, recursive); then list just the deleted files.
   c. Carve indicators (emails, domains, IPs, URLs) into /tmp/agentropix-sift-cfreds-be.
   d. Run a YARA smoke-scan (0 matches is a clean pass, not a failure).
   e. Lift the registry hives (offset 63) and pull execution/persistence artifacts: registry,
      shimcache, prefetch, and the XP .evt event logs.
6. Record what you found as findings (they will be saved as DRAFT โ€” that is expected; you cannot
   self-approve evidence).
7. STOP at the approval gate: list exactly which findings are waiting for MY approval, with their IDs,
   and tell me how to approve them (the human HMAC examiner portal). Do NOT approve them yourself.
8. Generate the case report and give me the report ID + section counts. (Approved-finding count will
   be 0 until I approve in step 7 โ€” that is correct.)

FINALLY, give me a concise summary: the custody SHA-256, the partition offset, the file + deleted-file
counts, the IOCs carved, the artifacts found, the DRAFT findings (with IDs), and the report ID โ€” plus
any honest negatives (tools that found nothing or were skipped, and why).
You are my DFIR analyst with the Agentropix-SIFT MCP connected. Investigate ONE memory case end-to-end
and show me every result. Work autonomously; stop only at the human approval gate.

THE CASE
- Case ID: MEMDUMP-2014  (examiner: victor.galvan, severity: medium)
- Evidence (raw memory dump): /cases/memdump/memdump.mem

MEMORY RULES (follow exactly):
- Do NOT run get_image_info on a raw memory dump โ€” it reads EWF/E01 metadata and returns empty on .mem.
- get_pslist is the OS/profile confirm step: Volatility auto-detects the kernel symbol table on the first
  windows.* plugin. A populated process list confirms the profile matched; an empty list with a
  symbol-table error is an HONEST NEGATIVE (no profile resolved) โ€” report it as such, don't invent results.
- This is memory only โ€” do NOT use disk tools (no partitions/fls/extract_files/registry-from-disk).

DO THIS IN ORDER, AND SHOW ME EACH RESULT:
0. Confirm the environment is ready and register the dump as evidence (give me its SHA-256).
1-3. Open case MEMDUMP-2014, make it active, confirm active + indexer reachable.
4. Process list (this also confirms the OS/profile). If it's empty with a symbol-table error, tell me
   plainly that no profile resolved and stop the memory chain.
5. Network connections, injected/suspicious code, services, and the process tree (PPID forest, LOLBin flags).
6. Record what you found as DRAFT findings (you cannot self-approve).
7. STOP at the approval gate: list the DRAFT findings + IDs and how I approve them. Do NOT approve them.
8. Generate the report; give me the report ID + section counts.

FINALLY: a concise summary โ€” custody SHA-256, process/network/injection highlights, the DRAFT findings
(with IDs), the report ID, and any honest negatives.

Stage 1 doctor Stage 2 run Stage 3 review Stage 4 approve Stage 5 seal Stage 6 escalate

Animated: the six guarded stages light up in sequence โ€” doctor pre-flight, run triage, examiner review, the human HMAC approval gate, the courtroom seal, and the SIEM escalation โ€” ending on โ€œSEALED ยท HMAC-SHA256 ยท court-readyโ€

๐ŸŽฌ The banner above is a live animation (Animotion MCP; deck source) โ€” watch the stages light up, the human gate hold the line, and the seal close. Want the full detail graph instead? *Static diagram (PNG) ยท SVG (full size, zoomable).

The vivid lane below is the load-bearing part: each stage shows both ways to reach the same result โ€” the ๐Ÿ–ฅ๏ธ expert command and the ๐Ÿ’ฌ plain-language prompt a non-technical examiner types into a Claude session that has the Agentropix MCP connected. Every prompt maps to a real MCP tool (verify against the Tool Capability Map).


๐ŸŸฃ โ‘  doctor โ€” pre-flight the toolchain

๐Ÿ–ฅ๏ธ Expert (command):

uv run agentropix-sift doctor

๐Ÿ’ฌ End-user (prompt): "Check that my Agentropix forensic environment is ready โ€” are all the SIFT tools installed and on PATH?" โ†’ routes to doctor / health.

Confirms the 16 SIFT forensic binaries resolve before you spend time on an image. Missing tools degrade gracefully (the agent is skipped, not the run) โ€” but recall drops, so always start here.

๐Ÿ”ต โ‘ก run โ€” Trinity Loop triages the image end-to-end

๐Ÿ–ฅ๏ธ Expert (command):

uv run agentropix-sift run /cases/INC-0605/disk.E01 -o report.json

๐Ÿ’ฌ End-user (prompt): "Open a high-severity case for the image at /cases/INC-0605/disk.E01, register it as evidence, and run the full SIFT triage end-to-end โ€” acquisition โ†’ examination โ†’ analysis โ†’ findings โ€” staging everything as DRAFT." โ†’ routes to case_init โ†’ case_activate โ†’ evidence_register โ†’ the forensic tool chain โ†’ record_finding.

The Architect proposes which agents to run โ†’ the 7-agent Swarm drives deterministic tools โ†’ the Critic scores findings and halts on a convergence fingerprint, never on an LLM self-rating.

๐ŸŸ  โ‘ข review โ€” the examiner verifies every finding

๐Ÿ’ฌ End-user (prompt): "Show me the findings so far, and for each one tell me which exact tool produced it and the artifact path / raw_stdout_sha256 so I can verify it myself." โ†’ routes to case_status / record_finding inspection.

A human reads the findings and checks them against the underlying artifacts. The LLM proposes and narrates โ€” you remain the examiner of record.

๐ŸŸข โ‘ฃ approve (optional HITL gate) โ€” DRAFT โ†’ APPROVED

๐Ÿ–ฅ๏ธ Expert (command): promote DRAFT โ†’ APPROVED in the Approval Portal (HMAC examiner sign-off). ๐Ÿ’ฌ End-user (prompt): "Show me the findings waiting for review so I can approve them." โ†’ the approval is a human HMAC hard-stop (approve_finding); the examiner signs off in the browser form.

Findings stay in DRAFT until a human approves them. This is the one place a person โ€” not a model โ€” must act before anything is sealed or escalated.

๐Ÿ”ด โ‘ค seal โ€” Courtroom emits the audit seal

๐Ÿ’ฌ End-user (prompt): "Generate the full report for this case and seal it โ€” then confirm the seal hasn't been tampered with." โ†’ routes to report_generate โ†’ the HMAC-SHA256 audit seal + provenance-chain validation (report_export for the shareable artifact).

A tamper-evident chain of custody a judge can independently verify.

๐ŸŸฆ โ‘ฅ escalate (optional) โ€” push to the SIEM

๐Ÿ–ฅ๏ธ Expert (command): push APPROVED findings/IOCs to Wazuh behind default-deny kill switches. ๐Ÿ’ฌ End-user (prompt): "Dry-run the Wazuh push of the approved IOCs and tell me what would be sent before anything goes out." โ†’ routes to wazuh_index_findings / wazuh_publish_iocs (default-deny, dry-run first).


๐Ÿ’ฌ Drive the entire investigation with a single prompt

Paste this into a Claude Desktop / Claude CLI session that has the Agentropix MCP attached โ€” the agent runs the whole sequence itself, handling OS quirks (e.g. Windows XP has no Amcache / .evtx):

"You are a DFIR analyst with the Agentropix MCP. Investigate case <case_id> on image <path>. Run the full SIFT sequence โ€” acquisition โ†’ examination โ†’ analysis โ†’ findings โ€” staging findings as DRAFT. For memory images, pull processes, network connections, injected code and services. Do not approve findings (a human owns that gate). Finish by generating the full report and summarising the attack chain."

๐Ÿ–ฅ๏ธ Expert note: the same prompt works in claude --print for a one-shot headless run. The full validated end-to-end runbook โ€” both clients (CLI ยท Desktop), both lanes (manual ยท autonomous) โ€” is the User Guide โ€” Complete Operator Runbook.

Each step is a worked use case: Disk triage ยท Memory triage ยท Approval gate ยท Wazuh push.


Installation / Quickstart

Path A โ€” 60-second start (runs from this repo, today). Install the packaged MCP server โ€” this repo vendors its source and wheel at agentropix_mcp/ โ€” and connect a Claude client:

# 1. Install the v0.3.0 MCP-server wheel  (or, from this checkout: pip install ./agentropix_mcp)
pip install https://github.com/galvangabriel-web/agentropix-mcp/releases/download/v0.3.0/agentropix_mcp-0.3.0-py3-none-any.whl

# 2. Start the server โ€” boot is fail-closed: it refuses to start without an auth token
AGENTROPIX_MCP_AUTH_TOKEN="$(openssl rand -base64 32)" agentropix-mcp --transport http --port 8765

# 3. Point Claude Code at it (use the token from step 2)
claude mcp add --transport http agentropix-sift "http://127.0.0.1:8765/mcp" \
  --header "Authorization: Bearer <token-from-step-2>"

Connecting to the operator's already-running tailnet server instead? Skip steps 1โ€“2 โ€” Client Setup is the 5-minute join-and-connect guide (Claude Code CLI and Claude Desktop via the mcp-remote shim).

Path B โ€” self-host the full triage engine (agentropix-sift CLI: Trinity Loop, doctor, sealed runs). These commands run from a checkout of the full agentropix-sift engine distribution โ€” not from this documentation portal:

uv sync                                                          # 1. install the orchestration layer
uv run agentropix-sift doctor                                   # 2. pre-flight โ€” all 16 SIFT tools OK
uv run agentropix-sift run "/cases/study case/2020JimmyWilson.E01" -o report.json   # 3. triage

This exact sequence was executed live and recorded against the Jimmy Wilson study case:

Step

Result

uv sync

dependencies resolved

doctor

All tools available โ€” the 16 SIFT binaries (vol, fls/mmls/icat, ewfinfo, evtx_dump, yara, bulk_extractor, rip.pl, EZ-Tools, โ€ฆ) resolve on PATH

run

129 findings ยท 86 tool calls ยท 5 iterations, sealed report.json (HMAC) + audit-log, evidence SHA-256 6c18f662โ€ฆ, status budget_exhausted, critic_score 1.0

The full proof โ€” recorded video, sealed reports, raw logs of three reproducible runs, and the agent-execution trace โ€” is published at case-activation/runs/jimmy-wilson-poc/. The evaluator-facing Agent Execution Logs gold report โ€” two further engine runs (the SRL-2018 domain controller + Challenge_NotchItUp) with timestamped agent-to-agent handoff chains, full tool sequences, and the raw sealed evidence incl. live run.log + Thymus audit trails โ€” is at docs/12-CASES-REPORTS/srl-2018-report/submission/, with its ๐ŸŽจ Visual Atlas โ€” thirteen color diagrams (agent-communication graph, end-to-end timestamp chain with a 217-microsecond correlation-burst zoom, self-correction funnels, Thymus ALLOW/REJECT pies, and the HMAC seal cross-binding chain) generated from and verified against the raw run data โ€” and its ๐ŸŽฌ 108-second animated walkthrough (plays directly in your browser): the same topics in motion โ€” the 91-minute wait drawn to scale, the 61-shield REJECT storm, the microsecond burst, and the self-correcting plan โ€” animated with the Animotion MCP and rendered deterministically from the committed deck source. The multi-host edition scales the same discipline to SRL-2015 โ€” 4 hosts ร— disk+memory, 8 sealed runs, 2,233 findings, 15-iteration loops, and the cross-host spinlock.exe โ†’ Domain-Controller correlation: ๐Ÿ“„ report ยท ๐ŸŽฌ 2 min 24 s animated walkthrough (auto-plays). The requirement-8 bundle for the ROCBA Windows-10 insider-IP-theft case is a real live-MCP triage โ€” timestamped tool sequence, server HTTP audit, Thymus decisions, a grounded DRAFT finding, and the honest negatives kept on record: case-activation/runs/rocba/EXECUTION-LOG.md. The same case's Trinity-engine run captures the backend agent โ†” blackboard communication โ€” 21 blackboard publishes across 13 agents (the hunt agent fusing 14 cross-source correlations), 351 findings / 509 tool calls, and the iteration-over-iteration plan shrink (13 agents โ†’ just [discovery, mail] once the Critic marks 11 stable): case-activation/runs/rocba/engine-run/AGENT-BLACKBOARD.md (+ the derived blackboard-events.jsonl). A sibling agent-execution-log run covers the Windows XP laptop (2005) case at WINXP-LAPTOP-2005 โ€” ๐ŸŽฌ 3 min 19 s animated walkthrough (auto-plays): a 13-scene deterministic deck correlated from its logs (297 records ยท 64 tool calls ยท 14 errors, all recovered), grounded in the correlation report. The CFReDS "Hacking Case" sealed case report (CFREDS-HACKING-CASE-4DELL โ€” the public NIST single-host Windows XP disk image of Greg Schardt / "Mr. Evil", a standalone unauthorized wireless interception case โ€” no memory image, no enterprise lateral movement) keeps its own agent execution log alongside the full report: a single Claude-Code agent (claude-opus-4-8[1m]) plus one embedded multi-agent forensic workflow, 400 tool calls, 35 examiner-approved findings (2 critical / 15 high), 24 timeline events, 93 IOCs staged, sealed/approved by victor.galvan 2026-06-14 over 4Dell-Latitude-CPi.E01 (MD5 aee4fcd9301c03b3b054623ca261959a): docs/12-CASES-REPORTS/cfreds-hacking-case-report/ (executive ยท analyst ยท attack graph). The wider case-activation/ folder holds a per-case Activation Guide for every evidence set on this host plus the captured executed runs (case-activation/runs/).

Honest scope note. The engine repo ships the pyproject.toml, uv.lock, src/agentropix_sift/, and a synthetic samples/sample.dd fixture for a first smoke run (that earliest sealed record is also published: case-activation/runs/engine-smoke-sample-dd/). It is a separate, currently private distribution โ€” request access from the operator. This docs portal intentionally vendors only the MCP-server package, so Path B does not run from this checkout; the case images under /cases/ live on the operator's host.

The engine installs two console scripts โ€” agentropix-sift (the triage CLI) and agentropix-sift-mcp (the MCP server). The full step-by-step for both paths, including example doctor output, is in the Quickstart. Every CLI command and flag is enumerated in the CLI Reference.

Deployment & requirements

Requirement

Detail

Python

3.12+ (pyproject.toml: requires-python = ">=3.12"). Stock SIFT ships 3.10 โ€” provide 3.12 via uv, pyenv, or the deadsnakes PPA.

Host

A SANS SIFT Workstation (or Ubuntu host with the GIFT PPA toolchain). Runs fully local โ€” no API keys, no cloud dependency for the forensic path.

Toolchain on PATH

The 16 SIFT forensic binaries: Volatility3, log2timeline, Sleuth Kit (fls/icat/mmls), ewf-tools, YARA, bulk_extractor, RegRipper, EVTX, EZ-Tools, mail parsers. Agentropix-SIFT drives these โ€” it does not ship them.

Degradation

Missing tools degrade gracefully (the agent is skipped, not the run) โ€” but recall drops, so run doctor first.

See Deployment for SIFT install + tailnet exposure, and Recovery & Resilience for the failure-mode catalogue.


Two Paths: Operator (Expert) and End-User

The same triage capability is reachable two ways โ€” the expert command, or the plain-language prompt a non-technical examiner types into Claude (with the Agentropix MCP connected), which routes to a real MCP tool. Every operational page in the portal documents both lanes side by side.

๐Ÿ–ฅ๏ธ Operator / Expert (command)

๐Ÿ’ฌ End-user (prompt)

Pre-flight

uv run agentropix-sift doctor

"Check that my SIFT forensic tools are installed and ready."

Run a triage

uv run agentropix-sift run /cases/INC-0605/disk.E01 -o report.json

"Open a case for the image at /cases/INC-0605/disk.E01, register it as evidence, run the full SIFT triage, and save the report."

List memory processes

MCP tool get_pslist

"List the processes in the memory image and flag anything suspicious."

Approve a finding

promote DRAFT โ†’ APPROVED in the Approval Portal

"Show me the findings waiting for review so I can approve them."

The ๐Ÿ–ฅ๏ธ uv run agentropix-sift โ€ฆ commands run from a full engine checkout (Path B above); the ๐Ÿ’ฌ prompts need only a Claude client connected to the MCP server (Path A โ€” wheel install or the live tailnet server). End-user prompts map to real MCP tools (verify against the Tool Capability Map). The gold-standard treatment of both lanes โ€” manual โ†” autonomous ร— expert โ†” non-expert โ€” is the User Guide.


MCP surface

Agentropix-SIFT exposes 73 distinct MCP tools over a single FastMCP server (verified live via tools/list and health.tool_count; see Canonical Facts). Of these, 16 are SIFT forensic tools โ€” deterministic binaries wrapped under mcp_server/wrappers/ so each call captures the binary's raw stdout and fingerprints it with SHA-256. The remainder cover case lifecycle, finding records, reporting, provenance, approval, executable-artifact registry, and Wazuh.

Family

Examples

Reference

Forensic wrappers (16 SIFT tools)

get_pslist, fls, get_evtx, yara_scan, get_partitions, get_evt

Tool Reference

Case & finding lifecycle

record_finding, delete_finding, case_status, generate_report

Tool Reference

Provenance & approval

retract_approval, IOC promotion (promote_iocs)

Provenance

Executable-artifact registry

build_executable_registry, promote_executable_registry, exec_registry_get, exec_registry_search

Tool Reference

Wazuh integration

wazuh_hunt_ioc (+ wrappers)

Wazuh push ยท Operator's guide

Full enumeration: MCP Tool Reference ยท who calls what: Tools by Agent ยท per-tool breakdown: Tool List.

Response envelope (example)

Every tool returns a typed Pydantic model serialized with model_dump() โ€” never a free-form dict. A successful get_pslist against a memory image:

{
  "image_path": "/cases/INC-2026-0605/mem.raw",
  "process_count": 2,
  "processes": [
    { "pid": 4732, "ppid": 624, "name": "powershell.exe" },
    { "pid": 624,  "ppid": 4,   "name": "services.exe" }
  ],
  "tool": "volatility3.windows.pslist.PsList",
  "raw_stdout_sha256": "9f2cโ€ฆ<64 hex>โ€ฆ1ab0",
  "tool_available": true,
  "skipped_reason": "",
  "status": "ok"
}

The load-bearing field is raw_stdout_sha256 โ€” the SHA-256 of the binary's raw stdout bytes, the provenance fingerprint that ties the finding back to the exact tool output. Soft failures return the same model with tool_available: false and a skipped_reason; handled errors return a structured ToolError. Full field tables: Response Envelope.


Safety & anti-hallucination

Agentropix-SIFT is engineered so that the LLM cannot become the source of a forensic claim:

  • Deterministic-tools-only findings โ€” a finding may only be recorded from the output of a deterministic forensic binary; the LLM narrates and proposes but never authors evidence.

  • No LLM self-rating โ€” the Critic halts on a deterministic convergence fingerprint (default threshold 0.85, trinity/critic.py), not on a model's self-assessed confidence.

  • Pre/post SHA-256 evidence invariant โ€” evidence is hashed at session start and re-verified in tests; immutability is enforced structurally (Thymus + no write tool exists), per the 2026-06-11 source audit below. The engine reads but never alters the image.

  • Thymus read-only policy โ€” deny-by-default boundary (mcp_server/thymus_policy.py) blocking write/exec paths before a tool executes; no write tool exists in the surface.

  • Courtroom HMAC-SHA256 seal โ€” the audit log (JSONL) is sealed and the provenance chain validated (courtroom.py, provenance/), giving a tamper-evident chain of custody.

  • Human-in-the-loop โ€” the optional approval sidecar (approval_sidecar/) holds findings in DRAFT until an examiner APPROVES them.

๐ŸŽž๏ธ The six guarantees, proven on screen

Animated: each of the six safety guarantees with real cited proof from the sealed Agent Execution Logs โ€” the 204,884-entry fls walk, the critic pinned at 1.0 across 10 runs, 10 distinct evidence SHA-256, the 61 Thymus REJECTs, the byte-identical seal cross-bind, and the 17+12 examiner-approved findings

๐ŸŽฌ Auto-playing proof reel (73 s loop; deck source) โ€” each scene shows the cited evidence plus a plain-language "๐Ÿ’ก What you're seeing" explainer. Every value is real, from the SRL-2015 and SRL-2018 Agent Execution Logs: the 204,884-entry fls walk, critic pinned at 1.0 across all 10 runs, 10 distinct evidence SHA-256, the 61 live REJECT_OUTSIDE_ALLOWLIST denials, the byte-identical seal cross-bind, and the 17 + 12 examiner-approved findings.

๐Ÿ”’ Source-traced invariant audit (2026-06-11)

The six guarantees above were audited against the source, file:line by file:line โ€” no prompt-only claims accepted. Headline: 5 of 6 invariants Enforced; #3 Partially Enforced โ€” the literal per-tool abort-on-delta mechanism does not exist, but the evidence-immutability goal is met by a stronger structural design (no write tool + deny-by-default Thymus). The audit's Unified Compliance Matrix, verbatim:

#

Invariant

Status

Primary enforcement site(s)

Key lines

1

Deterministic-tools-only findings

โœ… Enforced

agents/_base.py (Finding model + sole publish path); orchestrator.py (report built from Blackboard)

_base.py:40-92, 130-149; orchestrator.py:69, 277-284

2

No LLM self-rating (Critic)

โœ… Enforced

trinity/critic.py (arithmetic score, threshold halt)

critic.py:120-122, 180-206; threshold clamp 76-81

3

Pre/post SHA-256 evidence invariant

โš ๏ธ Partially Enforced

courtroom.py (session-start hash); immutability via Thymus + no-write-tools; tested pre/post

courtroom.py:89-142; orchestrator.py:292, 311; thymus_policy.py:362-369 โ€” no runtime sys.exit() on delta

4

Thymus read-only policy

โœ… Enforced

mcp_server/thymus_policy.py (deny-by-default allowlist; writes always reject)

thymus_policy.py:264-267, 289-308, 325-330, 362-369

5

Courtroom HMAC-SHA256 seal

โœ… Enforced

courtroom.py (seal + cross-bound audit seal); hash_chain.py (per-entry chain); provenance/validate.py (external validator, non-zero exit)

courtroom.py:161-182, 341-397; hash_chain.py:73-101; validate.py:90, 278-363

6

Human-in-the-loop sidecar

โœ… Enforced

approval_sidecar/ (DRAFT default, signed promotion, 409 precondition, APPROVED-only export)

models.py:15; app.py:222, 225-259, 379; reports/transformers.py:157, markdown.py:82

Each invariant in the full document carries its implementation verification, deterministic mechanics, an adversarial forensic test case, and the auditor's hardening recommendations (e.g. a session-end re-hash tripwire to close #3's literal gap). Complete text: SECURITY-INVARIANT-AUDIT-2026-06-11.md.

Deep dives: Anti-Hallucination ยท Provenance & Grounding ยท Audit & Courtroom Seal ยท Security Model.


Engineering & evaluation (SDLC depth)

For the advanced engineer and the evaluator/judge. The SDLC + quality spine: how the system is tested, deployed, hardened, kept resilient, scored, and how its decisions are contracted. Every number tracks Canonical Facts.

Quick links: Testing ยท Recall corpus ยท Eval scorecard ยท Security model ยท Recovery & resilience ยท Deployment ยท Implementation ยท ADR index

  • Testing โ€” 4687 collected tests (pytest --collect-only -q) in two tiers. Fast / always-run (mock-based, CI + pre-commit): tests/unit/, chaos/, provenance/, evidence_gate/, approval_sidecar/, secrets_gate/, wazuh/. Host-gated (skip-with-reason when the fixture is absent): integration/ (SIFT binaries + a staged E01), wazuh_live, real_corpus. A missing E01 or unreachable Wazuh is a skip naming every searched path โ€” never a false failure.

  • Correctness gates wired into CI: pytest-cov, basedpyright strict typing as a correctness gate (not a lint), ruff selectors E,F,W,I,UP,B,SIM, and asyncio_mode = "auto" (fitting โ€” every agent is an async coroutine over the MCP boundary).

  • Forward-drift gate (for evaluators): the test count is CI-enforced โ€” a doc quoting the count without citing the canonical fact file fails the build, and known-stale literals are actively rejected. See Canonical Facts.

  • Ground-truth recall you can audit: 72/72 (100%) disk recall (regression) and 108/118 (91.5%) combined memory recall. Methodology, including the post-hoc ground-truth caveat: Dataset Recall ยท scoring rubric: Evaluation Scorecard.


SWOT โ€” strategic assessment

A structured strategic assessment for evaluators, engineers, and adopters. Each cell is grounded in the repository corpus (docs/COMPETITIVE-DFIR.md oracle, Canonical Facts, Competitive Positioning).

Helpful

Harmful

Internal

Strengths โ€” Structural evidence safety, not a policy promise: agents have no write tool; the Thymus policy refuses every write call before the subprocess spawns. Real SANS DFIR tools driven inside the agent loop (16/16 wrappers, 73 MCP tools) โ€” rivals explain JSON after collection. Deterministic, auditable execution: a fingerprint no-progress detector halts the Trinity Loop with no LLM in the halt path, backed by a hash-chained decision ledger.

Weaknesses โ€” A triage engine, not a case-management product: no HTML report generator, no commercial case-file UX (vs Magnet AXIOM, CADO); output is JSON + the audit ledger. Read-only consumer, no host-collection ecosystem (vs Velociraptor's agent fleet) โ€” caps it at post-collection triage. Memory-forensics recall (108/118) trails disk (72/72) and is the active improvement front.

External

Opportunities โ€” The MCP consumer model means any MCP-speaking LLM client becomes a forensic front-end with zero retraining. Default-local, no-API-key posture fits air-gapped / sovereign SOCs. The ATT&CK detector lane is extensible โ€” deferred detectors (W051/W052/W054) are wired and unit-tested, ready to promote into live recall.

Threats โ€” Forensic admissibility scrutiny of any AI-assisted pipeline raises the documentation bar (mitigated by the courtroom seal + provenance chain). Upstream SIFT tool drift (binary flags / output format) can silently shift wrapper parsing โ€” covered by host-gated integration tests. Commercial incumbents move fast on AI features.

Full competitive analysis: Competitive Positioning.


๐Ÿ—บ๏ธ Project Roadmap

Where the project is and the concrete path to GA โ€” the full document is PROJECT-ROADMAP-2026-06-11.md (development Gantt, system-lifecycle state machine, milestones, technical specifications, risk register).

Development Gantt โ€” release trajectory & critical path

Phase

Status

What it delivered / delivers

1 โ€” Foundation

โœ… Complete

The bio-agentic stack (RalphEngine substrate, StemCell lifecycle, Thymus immune gate, Metabolic Ledger, Oncologist monitor) + the 16 governed MCP forensic wrappers (timeout / memory ceiling / retry / stderr capture each).

2 โ€” Orchestration

โœ… Complete

The Trinity Loop (Architect โ†’ Swarm โ†’ Critic โ†’ Router), the 7 forensic bio-agents, the quorum Blackboard, the Hippocampus inheritance bridge, and the deterministic Critic halt gate (score โ‰ฅ 0.85 or idempotence).

3 โ€” Scale & GA

๐Ÿ”ต Current โ†’ Upcoming

GA hardening, not feature invention: land W-082 raw_stdout_sha256 (tamper-evident raw tool output) and wire gitleaks into CI โ€” the critical path โ€” mitigate W-071 plaso ordering jitter, finish packaging (pipx/wheel, ADR-023/024 polish), then the GA-readiness doc + QA/Security/Product sign-offs โ†’ v0.1.0 GA tag. Future scale: credential lifecycle + two-person rule, SPIRE cloud identities, multi-tenant alerting, audit-log seal hardening.

The roadmap also carries the system-lifecycle state machine (orchestration, thread taxonomy, apoptosis โ€” how a run is born, governed, and dies) and a 7-row risk register (R1โ€“R7: loop non-convergence, ATP exhaustion, plaso non-determinism, evidence mutation, secret leakage, context bleed, doc/code drift โ€” each with its concrete mitigation). Read it alongside the SWOT above and the Architecture chapter.

๐Ÿ”ฎ The Future of Agentropix

(operator addition, 2026-06-11 โ€” forward-looking, not yet scheduled)

Beyond the Scale items already on the Gantt, three directions define the next horizon:

  1. ๐Ÿ›ฐ๏ธ Threat-intelligence platform integration (CrowdStrike + Wazuh). Integrate commercial TI platforms such as CrowdStrike to gather richer insight about IOCs surfaced by a triage run, and complement that response with the existing open-source Wazuh solution โ€” commercial enrichment and open-source response working the same indicator set.

  2. ๐Ÿงญ Agent scheduler with auditable agent-to-agent messaging. Optimize the Agentropix engine with an agent scheduler that independently manages all agent-to-agent communication and tracks every inter-agent message โ€” making the swarm's internal traffic itself auditable and troubleshootable, the same discipline the tool-call trace already applies at the wrapper boundary.

  3. ๐Ÿงช Binary-analysis pipeline with a dedicated sandbox. Integrate a pipeline that lets Agentropix analyze recovered binaries using open-source solutions and a dedicated sandbox for detonation โ€” testing and analyzing behaviors safely, then feeding the verdicts back into the case's findings and IOC exports.

Full context: PROJECT-ROADMAP-2026-06-11.md โ†’ The Future of Agentropix.


Configuration

Behavior is tuned through the AGENTROPIX_* environment surface โ€” Critic halt threshold, Blackboard quorum, status taxonomy, tool-path overrides, and more โ€” with safe defaults so the engine runs out of the box. See Configuration and the env-var table.


Canonical facts

Single source of truth for every numeric claim โ€” never state a number that contradicts it.

Fact

Value

MCP tools

73 distinct tool functions

SIFT forensic wrappers

16

Tests collected

4687

Disk recall (regression)

72/72 (100%)

Memory recall (combined)

108/118 (91.5%)

Core swarm specialists

7 (Memory, Timeline, Filesystem, Artifact, Discovery, Mail, Hunt)

SWARM classes (incl. ATT&CK detectors)

13

Critic halt threshold (default)

0.85

Blackboard quorum (default)

2

Python

3.12+

Full table with per-row sources and verification dates: Canonical Facts.


Documentation map

Start at the routed master table of contents, which maps every chapter to its audience and the question it answers. For a file-by-file map of the whole repository โ€” the MCP-server package internals, every docs section, and the case folders, each with a one-line description โ€” see the Project Structure section below. The portal is organized into twelve numbered sections under docs/, plus the case-activation/ operational annex:

#

Section

What it contains

1

Overview

What Agentropix-SIFT is and why, the capability matrix, the 3-command Quickstart, the complete operator User Guide, and how it compares to alternatives.

2

Architecture

How the engine is built โ€” the validated architecture diagram (pattern + guardrails, HD PDF), system context, internal components, the Trinity Loop, the Swarm + Blackboard, the FastMCP server (and the Thymus boundary), sequence diagrams, the ๐Ÿ—บ๏ธ Strategic Project Roadmap (Gantt/critical path, lifecycle state machine, GA milestones, risks), the ๐Ÿ”’ Security Invariant Audit (6 invariants source-traced), and the ๐ŸŽ›๏ธ Tunable Features Catalog (252 documented knobs).

3

Data

The data model โ€” case/finding/report schemas, the data dictionary, the entity-relationship view, and what gets persisted to disk.

4

MCP Tools

The 73-tool MCP surface โ€” the full tool reference, the typed Response Envelope, which agent invokes which tool, and the capability map.

5

Safety & Forensics

Why you can trust the output โ€” anti-hallucination guarantees, provenance grounding, the Courtroom audit seal, the human-in-the-loop gate, the Approval Portal, and the AI disclosure.

6

Use Cases

End-to-end worked runs โ€” disk triage, memory triage, the approval gate, the Wazuh push, a guided demo walkthrough, and per-case attack-chain hypotheses.

7

SDLC & Operations

How to build, run, and operate it โ€” implementation, testing, configuration, deployment, the security model, recovery/resilience, recall methodology, and the evaluation scorecard.

8

Reference

Look-up material โ€” the full CLI reference, the glossary, the ADR index, and the design-decision rationale.

9

Integrations

Connecting to external systems โ€” the Wazuh/SOC portal operator's guide and how to connect a remote client to a live internal MCP server.

10

Agents

What "agent" means here โ€” the agentic architecture, the build-time delegation model, the FastMCP tool-execution path, and the canonical runtime swarm roster.

11

ADRs

The decision contract โ€” the immutable Architecture Decision Records mirrored from the oracle (001โ€“024 + milestone/defer records). Read the status column literally.

12

Cases Reports

Sealed DFIR case reports โ€” one folder per investigated case (forensic report, technical appendix, Wazuh IOC gallery, diagrams, recorded-session video).

โ€”

case-activation/

The operational annex โ€” a per-case Activation Guide for every evidence set (real paths, sizes, custody hashes) and runs/: captured executed runs (raw MCP step outputs, sealed engine PoC reports, videos).

The portal's documentation-QA working notes (render audits, case-guide sweeps) live under docs/issues/ โ€” maintainer-facing, not reader chapters.

Project Structure

This is the reader-facing documentation portal for Agentropix-SIFT, packaged together with the installable agentropix_mcp MCP-server (the governed read-only DFIR engine) and a set of sealed DFIR case reports. The portal docs explain the system across 12 numbered sections; the agentropix_mcp/ package is the actual shippable code (src layout, console script, wheels on GitHub releases); the case folders hold real, sealed investigations.

How to read this tree: top-down by area โ€” root files first, then the MCP-server package (core modules, then each subpackage), then the docs/ sections, then case-activation/ runs and the sealed case reports. Each โ† comment says what the file/dir actually does; only key files per area are shown.

agentropix-mcp/
โ”‚
โ”‚  โ”€โ”€ Root files: landing, index, evaluator routing, audits, LLM context โ”€โ”€
โ”œโ”€โ”€ README.md                     โ† Landing page โ€” evaluator letter, 60-sec connect, workflow
โ”œโ”€โ”€ INDEX.md                      โ† Routed master TOC โ€” audience + question-it-answers per page
โ”œโ”€โ”€ EVALUATION-MAP.md             โ† Judge router โ€” 8 submission requirements to evidence
โ”œโ”€โ”€ CLAUDE.md                     โ† Portal working conventions + canonical/accuracy rules
โ”œโ”€โ”€ DOCUMENTATION-PLAN.md         โ† Build plan โ€” oracle source, portal layout, sections
โ”œโ”€โ”€ AUDIT-COVERAGE.md             โ† Per-section index-coverage audit โ€” 0 broken/orphan links
โ”œโ”€โ”€ ACCURACY_REPORT.md            โ† Code/QA accuracy audit โ€” benchmarks, recall, thresholds
โ”œโ”€โ”€ EVIDENCE_DATASET_DOCS.md      โ† Evidence-dataset inventory โ€” provenance, SHA-256, ingestion
โ”œโ”€โ”€ llms.txt                      โ† Curated LLM index โ€” one-paragraph system summary
โ”œโ”€โ”€ llms-full.txt                 โ† Expanded LLM context โ€” inlines 19 core docs
โ”œโ”€โ”€ LICENSE                       โ† MIT License (galvangabriel-web, 2026)
โ”œโ”€โ”€ .gitignore                    โ† Excludes local-only: evaluation*/, video archives, dist
โ”œโ”€โ”€ .nojekyll                     โ† Empty marker โ€” disables Jekyll for GitHub Pages
โ”‚
โ”‚  โ”€โ”€ agentropix_mcp/ : the installable MCP-server PACKAGE (src layout) โ”€โ”€
โ”œโ”€โ”€ agentropix_mcp/
โ”‚   โ”œโ”€โ”€ pyproject.toml             โ† Package metadata โ€” deps + extras [forensics]/[reports]/[engine], console script
โ”‚   โ”œโ”€โ”€ README.md                 โ† Package README โ€” install, MCP client config, tool surface
โ”‚   โ”œโ”€โ”€ dist/                      โ† Built wheel + sdist (gitignored; attached to GitHub releases)
โ”‚   โ”œโ”€โ”€ tests/                     โ† Package test suite for the MCP server surface
โ”‚   โ””โ”€โ”€ src/agentropix_mcp/
โ”‚       โ”‚  โ”€โ”€ Core modules โ”€โ”€
โ”‚       โ”œโ”€โ”€ __init__.py            โ† Package init โ€” version 0.3.0, governed-DFIR-MCP summary
โ”‚       โ”œโ”€โ”€ fastmcp_app.py         โ† FastMCP stdio surface โ€” entrypoint main(), thin routes over server.py
โ”‚       โ”œโ”€โ”€ server.py              โ† Inner MCP tool implementations โ€” enforcement boundary (read-only)
โ”‚       โ”œโ”€โ”€ thymus_policy.py       โ† Thymus read-only path policy + JSONL audit ring at MCP boundary
โ”‚       โ”œโ”€โ”€ courtroom.py           โ† Chain-of-custody โ€” image SHA-256 + HMAC-sealed report/audit envelopes
โ”‚       โ”œโ”€โ”€ config.py              โ† Config loader โ€” file/env settings, policy + tool defaults
โ”‚       โ”œโ”€โ”€ audit_analyzer.py      โ† Summarizes Thymus JSONL audit logs for security review
โ”‚       โ”œโ”€โ”€ secrets.py             โ† Telegram-token resolver + logging-safe secret redactor
โ”‚       โ”œโ”€โ”€ _env.py                โ† AGENTROPIX_* env-var helpers โ€” clamped int/float tunables
โ”‚       โ”œโ”€โ”€ _trace.py              โ† Per-tool tracing โ€” contextvar buffer, @traced, args_hash
โ”‚       โ”œโ”€โ”€ _tool_pins.py          โ† Startup SHA-256 pin-check of external forensic binaries
โ”‚       โ”œโ”€โ”€ _startup_banner.py     โ† Logs effective AGENTROPIX_* env config banner at startup
โ”‚       โ”‚
โ”‚       โ”‚  โ”€โ”€ Subpackages โ”€โ”€
โ”‚       โ”œโ”€โ”€ agents/                โ† 7-agent DFIR SwarmAgent specialists + shared blackboard
โ”‚       โ”‚   โ”œโ”€โ”€ _base.py           โ† Base SwarmAgent contract โ€” pure, no LLM coupling
โ”‚       โ”‚   โ”œโ”€โ”€ _blackboard.py     โ† Shared blackboard โ€” cross-agent aggregation + quorum
โ”‚       โ”‚   โ”œโ”€โ”€ hunt.py            โ† HuntAgent โ€” cross-source correlation specialist
โ”‚       โ”‚   โ””โ”€โ”€ memory.py          โ† MemoryAgent โ€” volatile-evidence specialist
โ”‚       โ”‚                            (also: discovery, mail, timeline, artifact, filesystem)
โ”‚       โ”œโ”€โ”€ wrappers/              โ† Forensic tool wrappers (Volatility/TSK/YARA/Plaso/registry/case)
โ”‚       โ”‚   โ”œโ”€โ”€ volatility.py      โ† Volatility3 memory-forensics wrappers (pslist etc.)
โ”‚       โ”‚   โ”œโ”€โ”€ tsk.py             โ† Sleuth Kit โ€” filesystem listing via fls
โ”‚       โ”‚   โ”œโ”€โ”€ correlation.py     โ† W-150 deterministic cross-artifact correlation
โ”‚       โ”‚   โ””โ”€โ”€ _safe_tool.py      โ† Decorator so tool exceptions never escape
โ”‚       โ”œโ”€โ”€ wazuh/                 โ† Wazuh SIEM integration โ€” IOC push, alerts, registrars
โ”‚       โ”‚   โ”œโ”€โ”€ client.py          โ† WazuhClient โ€” sole owner of httpx async client
โ”‚       โ”‚   โ”œโ”€โ”€ orchestrator.py    โ† push_iocs() orchestrator โ€” IOC-push entry point
โ”‚       โ”‚   โ”œโ”€โ”€ finding_to_alert.py โ† Maps Agentropix findings to Wazuh alerts
โ”‚       โ”‚   โ”œโ”€โ”€ evidence_gate.py   โ† Mutation-token verification for Wazuh writes
โ”‚       โ”‚   โ””โ”€โ”€ seal.py            โ† Courtroom seal for the IOC-push integration
โ”‚       โ”œโ”€โ”€ evidence_gate/         โ† Step-2 mutation-token gate โ€” registry + CLI
โ”‚       โ”‚   โ”œโ”€โ”€ registry.py        โ† SQLite-backed token registry
โ”‚       โ”‚   โ”œโ”€โ”€ cli.py             โ† CLI for the Step-2 evidence gate
โ”‚       โ”‚   โ””โ”€โ”€ errors.py          โ† Exception hierarchy for the gate
โ”‚       โ”œโ”€โ”€ detectors/             โ† ATT&CK technique detectors (4 T-codes) + YARA hunt
โ”‚       โ”‚   โ”œโ”€โ”€ injection_detector.py โ† Vol-driven in-memory process-injection detection
โ”‚       โ”‚   โ”œโ”€โ”€ yara_hunt.py       โ† YARAHuntAgent โ€” Cobalt Strike stager detection
โ”‚       โ”‚   โ”œโ”€โ”€ t1059_001_iex_loopback_c2.py โ† T1059.001 IEX loopback-C2 detector
โ”‚       โ”‚   โ””โ”€โ”€ yara_rules/        โ† YARA rule files used by detectors
โ”‚       โ”œโ”€โ”€ reports/               โ† ADR-024 multi-tier report render/export/diagrams
โ”‚       โ”‚   โ”œโ”€โ”€ render.py          โ† Render pipeline โ€” Markdown โ†’ HTML โ†’ PDF (gated)
โ”‚       โ”‚   โ”œโ”€โ”€ export.py          โ† Export orchestration for the three tiers
โ”‚       โ”‚   โ”œโ”€โ”€ diagrams.py        โ† Mermaid builders โ€” kill-chain, ptree, IOC graph
โ”‚       โ”‚   โ””โ”€โ”€ transformers.py    โ† sections dict โ†’ three tier view models
โ”‚       โ”œโ”€โ”€ schema/                โ† Typed tool I/O result schemas + JSON schemas
โ”‚       โ”‚   โ”œโ”€โ”€ report.schema.json โ† JSON schema for report output structure
โ”‚       โ”‚   โ”œโ”€โ”€ master_iocs.schema.json โ† JSON schema for the master-IOC aggregate
โ”‚       โ”‚   โ””โ”€โ”€ extract_archive.py โ† W-095 typed result schema for extract_archive
โ”‚       โ”œโ”€โ”€ security/              โ† Shared credential-redaction layer (W-203)
โ”‚       โ”‚   โ””โ”€โ”€ redact.py          โ† Walks dict/list tree, redacts credential patterns
โ”‚       โ”œโ”€โ”€ trinity/               โ† Trinity loop โ€” Architect โ†’ Swarm โ†’ Critic engine
โ”‚       โ”‚   โ”œโ”€โ”€ architect.py       โ† Architect โ€” picks swarm slice for next iteration
โ”‚       โ”‚   โ””โ”€โ”€ critic.py          โ† Critic โ€” scores pass, decides loop halt
โ”‚       โ””โ”€โ”€ approval_sidecar/      โ† HMAC human-approval sidecar + hash chain (Starlette)
โ”‚           โ”œโ”€โ”€ app.py             โ† Starlette approval-sidecar routes (W-288)
โ”‚           โ”œโ”€โ”€ auth.py            โ† PBKDF2 derivation + HMAC-SHA256 signatures
โ”‚           โ”œโ”€โ”€ hash_chain.py      โ† Hash-chain helpers (tamper-evident approvals)
โ”‚           โ”œโ”€โ”€ writer.py          โ† IndexerClient writer, prev-hash backfill
โ”‚           โ””โ”€โ”€ nonce.py           โ† In-memory TTL nonce store (replay defense)
โ”‚
โ”‚  โ”€โ”€ docs/ : the documentation portal (12 numbered sections + QA logs) โ”€โ”€
โ”œโ”€โ”€ docs/
โ”‚   โ”œโ”€โ”€ 01-overview/               โ† Start-here: what-is, quickstart, gold-standard user-guide
โ”‚   โ”œโ”€โ”€ 02-architecture/           โ† Engine build outside-in: context โ†’ Trinity loop โ†’ swarm โ†’ MCP
โ”‚   โ”œโ”€โ”€ 03-data/                   โ† Data model: Pydantic fields, schema-ER, persisted artifacts, datasets
โ”‚   โ”œโ”€โ”€ 04-mcp-tools/              โ† The 73-tool MCP surface: capability map, reference, envelope
โ”‚   โ”œโ”€โ”€ 05-safety-forensics/       โ† Safety spine: anti-hallucination, provenance, HMAC seal, approval
โ”‚   โ”œโ”€โ”€ 06-use-cases/              โ† Worked dual-audience scenarios + demo walkthrough + hypotheses
โ”‚   โ”œโ”€โ”€ 07-sdlc-ops/               โ† Build/test/secure/deploy/evaluate/maintain + accuracy supplements
โ”‚   โ”œโ”€โ”€ 08-reference/              โ† CLI, glossary, ADR index, design rationale, canonical-facts authority
โ”‚   โ”œโ”€โ”€ 09-integrations/           โ† Wazuh SOC push + remote tailnet client setup
โ”‚   โ”œโ”€โ”€ 10-agents/                 โ† Runtime swarm vs BMAD personas; Trinityโ†”Swarmโ†”MCP model
โ”‚   โ”œโ”€โ”€ 11-ADR/                    โ† 31 Architecture Decision Records (oracle mirror; header = index)
โ”‚   โ”œโ”€โ”€ 12-CASES-REPORTS/          โ† Sealed DFIR case reports โ€” one folder per case, PNG diagrams
โ”‚   โ”‚   โ”œโ”€โ”€ README.md              โ† House-style index โ€” one heading + read-order per case
โ”‚   โ”‚   โ”œโ”€โ”€ srl-2015-report/       โ† SRL-2015: 4-host enterprise APT, USB-over-Ethernet C2, 17 approved
โ”‚   โ”‚   โ”œโ”€โ”€ srl-2018-report/       โ† SRL-2018: network-wide APT / Cobalt Strike-Empire C2, multi-host
โ”‚   โ”‚   โ”œโ”€โ”€ vanko-report/          โ† VANKO: insider IP-theft (zebrafish trade secrets), 10 approved
โ”‚   โ”‚   โ”œโ”€โ”€ cfreds-hacking-case-report/ โ† CFReDS: Mr. Evil wireless interception, XP disk, 35 approved
โ”‚   โ”‚   โ””โ”€โ”€ srl-2018-artifact-inventory.md โ† SRL-2018 inventory (9,578 findings, 29 hosts; oracle mirror)
โ”‚   โ””โ”€โ”€ issues/                    โ† QA logs: diagram/case-guide audits, video-playback troubleshooting
โ”‚
โ”‚  โ”€โ”€ case-activation/ : per-case Activation Guides + executed runs โ”€โ”€
โ”œโ”€โ”€ case-activation/
โ”‚   โ”œโ”€โ”€ README.md                  โ† Folder intro โ€” 8-step template, dual-audience, approval hard-stop
โ”‚   โ”œโ”€โ”€ INDEX.md                   โ† Master index โ€” disk/memory/mixed tables, recorded-runs
โ”‚   โ”œโ”€โ”€ cfreds-hacking-case-4dell.md โ† Guide: NIST CFReDS Hacking Case (Greg Schardt XP disk)
โ”‚   โ”œโ”€โ”€ techhive-chad-lt-laptop.md โ† Guide: TheTechHive Chad_LT โ€” only Windows-on-ARM disk case
โ”‚   โ”œโ”€โ”€ jimmy-wilson-study-case.md โ† Guide: Jimmy Wilson study-case NTFS E01 disk
โ”‚   โ”œโ”€โ”€ dfrws-2005-rodeo-usb.md    โ† Guide: DFRWS 2005 Rodeo RHINOUSB (raw FAT16 dd)
โ”‚   โ”œโ”€โ”€ vanko-abducted-zebrafish.md โ† Guide: VANKO insider IP-theft, 21-segment EWF disk
โ”‚   โ”œโ”€โ”€ amf-memory-samples.md      โ† Guide: Art-of-Memory-Forensics RAM dumps (Win/Linux/Mac)
โ”‚   โ”œโ”€โ”€ challenge-notch-it-up.md   โ† Guide: Challenge "Notch It Up" raw RAM dump
โ”‚   โ”œโ”€โ”€ contact-me-memory.md       โ† Guide: CTF contact_me raw RAM dump
โ”‚   โ”œโ”€โ”€ memdump-mem.md             โ† Guide: generic 512 MiB raw memory dump
โ”‚   โ”œโ”€โ”€ memlabs-dumps.md           โ† Guide: MemLabs CTF memory dumps (6 labs)
โ”‚   โ”œโ”€โ”€ win-xp-laptop-2005.md      โ† Guide: Windows XP 2005 RAM capture (mislabeled disk)
โ”‚   โ”œโ”€โ”€ srl-2015-apt-enterprise.md โ† Guide: SRL-2015 4-host APT (mixed disk+memory)
โ”‚   โ”œโ”€โ”€ srl-2018-compromised-enterprise.md โ† Guide: SRL-2018 compromised enterprise (7 EWF + 22 memory)
โ”‚   โ”œโ”€โ”€ rocba-hackathon-2026.md    โ† Guide: ROCBA 2026 Win10 insider (1 EWF + raw memory)
โ”‚   โ””โ”€โ”€ runs/                      โ† Executed transcripts โ€” captured MCP/engine runs + rendered MP4s
โ”‚       โ”œโ”€โ”€ README.md              โ† Runs index โ€” per-folder kind/evidence/headline table
โ”‚       โ”œโ”€โ”€ contact-me-memory/     โ† MCP full-loop run+video: contact_me RAM, SIMULATED approval
โ”‚       โ”œโ”€โ”€ amf-win-sample001/     โ† MCP full-loop run+video: AMF Windows sample (300s malfind)
โ”‚       โ”œโ”€โ”€ memdump-raw-2014/      โ† MCP full-loop run+video: 2014 raw RAM, windows_info caveat
โ”‚       โ”œโ”€โ”€ challenge-notchitup/   โ† MCP full-loop run+video: Notch It Up pslist/netscan/malfind
โ”‚       โ”œโ”€โ”€ srl-2018-compromised-enterprise/ โ† MCP activation steps 1-6: SRL-2018 DC disk+memory
โ”‚       โ”œโ”€โ”€ vanko-abducted-zebrafish/ โ† MCP activation steps 1-5: VANKO 21-segment EWF
โ”‚       โ”œโ”€โ”€ jimmy-wilson-poc/      โ† Engine triage PoC+video+raw logs: Jimmy Wilson E01
โ”‚       โ”œโ”€โ”€ dfrws-rodeo-poc/       โ† Engine triage PoC+log: DFRWS Rodeo USB, honest negatives
โ”‚       โ”œโ”€โ”€ engine-smoke-sample-dd/ โ† Engine smoke run: synthetic sample.dd, first sealed record
โ”‚       โ”œโ”€โ”€ rocba/                 โ† Live-MCP triage + req-8 agent-execution log + engine-run
โ”‚       โ”‚   โ”œโ”€โ”€ EXECUTION-LOG.md   โ† ROCBA req-8 agent-execution-log doc (findings, honest gotchas)
โ”‚       โ”‚   โ””โ”€โ”€ engine-run/        โ† Trinity-engine agentโ†”blackboard showcase (publishes + plan-shrink)
โ”‚       โ”œโ”€โ”€ WINXP-LAPTOP-2005/     โ† Agent-execution-log run + rendered 3:19 deck video
โ”‚       โ”‚   โ””โ”€โ”€ WINXP-LAPTOP-2005-video/ โ† Rendered execution MP4 + watch.html + correlation/storyboard
โ”‚       โ””โ”€โ”€ _assets/               โ† Shared assets for run pages
โ”‚
โ”‚  โ”€โ”€ Media / supporting assets โ”€โ”€
โ”œโ”€โ”€ assets/                        โ† Shared portal images and SVGs
โ””โ”€โ”€ Final_Video/                   โ† Featured Case Evaluation walkthrough video(s)

Legend / conventions

  • โ† comments describe what each file/dir actually does; only key files per area are listed (subpackages list their most load-bearing modules, not every file).

  • src layout: the package is agentropix_mcp/src/agentropix_mcp/ with a console script agentropix-mcp โ†’ fastmcp_app:main. fastmcp_app.py is the thin FastMCP/stdio protocol surface; server.py holds the real tool logic and the Thymus read-only enforcement boundary. Underscore-prefixed modules (_env, _trace, _tool_pins, _startup_banner) are internal infra.

  • Install extras: [forensics] (Volatility/TSK/YARA/Plaso runtime deps), [reports] (MDโ†’HTMLโ†’PDF render stack), [engine] (the Trinity loop + swarm agents). Built wheels live in the gitignored dist/ and are attached to GitHub releases.

  • Docs โ†” audience mapping: 01-overview/06-use-cases are operator/end-user oriented (dual-audience, prompt + CLI); 02-architecture/03-data/04-mcp-tools/10-agents are reference/architecture; 05-safety-forensics/07-sdlc-ops/08-reference/09-integrations cover the forensic/safety, SDLC-ops, lookup, and integration layers; 11-ADR is the decision record, 12-CASES-REPORTS the sealed investigations.

  • Canonical numbers (73 MCP tools, 31 ADRs, per-case approval counts) come from docs/08-reference/canonical-facts.md; case-report diagrams are committed as PNG (not inline Mermaid) for reliable GitHub rendering, and recovered malware is withheld-by-reference (SHA-256 only).


Acknowledgments

Built on the shoulders of the open-source DFIR ecosystem: the SANS SIFT Workstation and the forensic tools it bundles โ€” Volatility3, Plaso/log2timeline, The Sleuth Kit, python-evtx, YARA, bulk_extractor, RegRipper, the EZ-Tools family, and the mail-parsing libraries (libpff, extract-msg). The MCP surface is served by FastMCP.

License

Released under the MIT License.

A
license - permissive license
-
quality - not tested
A
maintenance

Maintenance

โ€“Maintainers
โ€“Response time
0dRelease cycle
2Releases (12mo)
Commit activity

Resources

Unclaimed servers have limited discoverability.

Looking for Admin?

If you are the server author, to access and configure the admin panel.

Latest Blog Posts

MCP directory API

We provide all the information about MCP servers via our MCP API.

curl -X GET 'https://glama.ai/api/mcp/v1/servers/galvangabriel-web/agentropix-mcp'

If you have feedback or need assistance with the MCP directory API, please join our Discord server