Corvus is an intelligent, fully local security agent that runs as a background service on your machine. It combines 19 autonomous monitoring modules with an LLM-powered reasoning engine to detect, analyze, explain, and respond to security threats. Unlike traditional security applications that rely on static rules, Corvus reasons about threats contextually — correlating events across modules, explaining risks in plain language, and learning your baseline to reduce false positives over time.
Everything runs on your machine. The LLM is a reasoning tool the agent consults — never a controller. No remote code execution, no downloaded plugins, no central heartbeat server.
- 19 monitoring modules — network traffic, camera/mic access, file system changes, process behavior, USB devices, DNS, ARP spoofing, ransomware, clipboard hijacking, and more
- LLM-powered threat reasoning — correlates events across modules, explains threats in natural language, recommends specific actions
- 5-layer ransomware detection — catches encryption at 1-3 files using entropy analysis, magic byte verification, and per-process correlation
- Decision Cache — learns from every LLM analysis. By month two, 90%+ of events are handled locally with zero cloud API calls
- Data Minimization Layer — the LLM never sees file paths, usernames, IP addresses, or any PII. Only sanitized metadata.
- Encrypted storage — AES-256-GCM with keys stored in macOS Keychain
- SCTN threat network — anonymous, threshold-based threat indicator sharing between Corvus agents worldwide
- Conversational interface — ask your agent "what happened on my network while I was sleeping?"
```bash
git clone https://github.com/AnalogMutations/Corvus.git
cd Corvus
python3 -m venv .venv && source .venv/bin/activate
pip install -e .
corvus setup
corvus run
```

The setup wizard walks you through module selection, LLM provider choice, and SCTN opt-in.
| Category | Module | What it detects |
|---|---|---|
| File | File System Watcher | File changes, ransomware bulk encryption |
| File | Ransomware Shield | 5-layer detection: extension anomalies, magic bytes, entropy, ransom notes, process correlation |
| File | Wallet File Guard | Unauthorized cryptocurrency wallet access |
| Network | Network Traffic | Connections to malicious IPs/domains via threat intel |
| Network | ARP Spoofing | ARP poisoning and MITM attacks |
| Network | DNS Monitor | DGA domains, DNS tunneling, NXDOMAIN floods |
| Network | Rogue Device Scanner | Unknown devices on your network |
| Network | TLS Certificate Checker | Expired, self-signed, and MITM certificates |
| Network | Beaconing Detector | C2 callback patterns with jitter analysis |
| Network | Bandwidth Anomaly | Data exfiltration and upload spikes |
| System | Camera/Mic Monitor | Unauthorized camera/microphone access with TCC verification |
| System | Process Behavior | Code signing verification, parent chain analysis, baseline tracking |
| System | USB Watchdog | BadUSB and mass storage device detection |
| System | Keylogger Detector | Keyboard hook and input API monitoring |
| System | Scheduled Task Auditor | LaunchAgents, cron, systemd persistence |
| System | Screen Capture Detector | Unauthorized screen recording |
| System | Self-Integrity Monitor | Corvus file tampering detection |
| Privacy | Clipboard Guard | Crypto address clipboard hijacking |
| Privacy | Bluetooth Monitor | Unknown device and pairing detection |
```text
Monitoring Modules (19) → Event Bus → Data Minimization Layer → LLM Brain
                              ↓                                     ↓
                      Encrypted SQLite                        Decision Cache
                              ↓                                     ↓
                    Alert Dispatcher ← Structured Assessment ←──────┘
                              ↓
              Desktop Notification / Dashboard / Chat
```
The Data Minimization Layer ensures the LLM only sees sanitized metadata:

| Your machine sees | The LLM sees |
|---|---|
| `/Users/you/Downloads/report.app/helper` | `helper (unsigned), downloads_directory` |
| `185.234.xx.xx:8443` | `THREAT_INTEL_MATCH (category: c2)` |
| `--callback https://185.234.xx.xx/beacon` | `(stripped entirely)` |
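The mapping in the table above, written out as an added example sanitizer (not Corvus's own code). It assumes a constructed threat-intel table keyed by network, a fixed set of directory classes, and a `signed` flag supplied by the process module; paths collapse to basename plus directory class, matched IPs become a category token, and argument strings carrying URLs or IPs are dropped outright.

```python
import ipaddress
import re
from pathlib import PurePosixPath

# Constructed stand-in for the threat-intel feed (assumption; TEST-NET range).
THREAT_INTEL = {ipaddress.ip_network("203.0.113.0/24"): "c2"}

# Directory classes replace the real path so neither username nor full path leaks.
_DIR_CLASSES = {"Downloads": "downloads_directory", "Desktop": "desktop_directory",
                "Documents": "documents_directory", "tmp": "temp_directory"}
_URL_RE = re.compile(r"https?://\S+")
_IP_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")


def sanitize_path(path: str, signed: bool) -> str:
    """Keep only the executable's basename, its signing state and a directory class."""
    parts = PurePosixPath(path).parts
    dir_class = next((_DIR_CLASSES[p] for p in parts if p in _DIR_CLASSES), "other_directory")
    return f"{parts[-1]} ({'signed' if signed else 'unsigned'}), {dir_class}"


def sanitize_endpoint(endpoint: str) -> str:
    """Replace 'ip:port' with a threat-intel category token; the address itself never leaves."""
    host = endpoint.rsplit(":", 1)[0]
    addr = ipaddress.ip_address(host)
    for net, category in THREAT_INTEL.items():
        if addr in net:
            return f"THREAT_INTEL_MATCH (category: {category})"
    return "UNKNOWN_ENDPOINT"


def sanitize_args(args: str) -> str:
    """Command-line arguments with any URL or IP are stripped entirely rather than masked."""
    if _URL_RE.search(args) or _IP_RE.search(args):
        return "(stripped entirely)"
    return args


def sanitize_event(event: dict) -> dict:
    """Build the metadata record the LLM is allowed to see from a raw process-network event."""
    return {
        "executable": sanitize_path(event["path"], event["signed"]),
        "remote": sanitize_endpoint(event["remote"]),
        "args": sanitize_args(event["args"]),
    }


def leaks(sanitized: dict, secrets: list) -> list:
    """Final guard: return any raw value (path, user, IP) that survived into the record."""
    blob = " ".join(sanitized.values())
    return [s for s in secrets if s in blob]
```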
Corvus agents optionally share threat indicators anonymously:
- Push: When your agent detects a malicious IP, it publishes the indicator with a one-time cryptographic signature — no identity attached
- Threshold: Only when 10+ independent agents confirm the same indicator does it become actionable
- Subscribe: Your agent receives corroborated indicators and matches them against live traffic
- Zero identity: No accounts, no profiles, no IP logging on the relay
SCTN is off by default. Enable it with `corvus setup` or in the config file.
```bash
python -m pytest tests/ -v   # 442 tests, 0 failures
```

License: MIT
Built by Analog Mutations — Nothing gets past the crow.