Agentic-DART v1.2.0 — SANS Find Evil! 2026 submission build.
Autonomous DFIR agent on the SANS SIFT Workstation. The language model analyzes evidence in read-only mode and seals every inference into a SHA-256 audit chain. 73 typed, read-only MCP tools (48 native pure-Python + 25 SIFT-tool adapters). Destructive operations are absent from the tool registry, and that absence is enforced in CI, so even a fully successful prompt injection has no destructive function to call. Architecture-first, not prompt-first.
This release
- Sigma detection pack v2 — 11 rules (DCSync, Golden Ticket, ransomware shadow-copy deletion, web-shell creation, local account creation, Kerberoasting, AS-REP roasting, HID insertion, remote exec, event-log clearing).
- Model-aware authentication — Haiku resolves to an OAuth subscription token; Sonnet/Opus to a metered API key. New `dart-auth` command.
- Persistent install aliases — `dart-pull`, `dart-auth`.
- Unified per-case ledger — append-only, per-case timestamps.
- case-02 ground-truth fix — Hadi Challenge #1 is Windows XAMPP, not Linux; recall 0% -> 60%.
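The audit chain and the append-only per-case ledger described above rely on the same mechanism: each entry commits to the SHA-256 of the previous one, so any edit, deletion or reordering after the fact is detectable on re-verification. The following is an added illustration of that mechanism, not Agentic-DART's own ledger code; the entry layout, the `CaseLedger` class, the all-zero genesis hash and the sample inferences are all constructed for the example.

```python
"""Append-only, SHA-256 hash-chained audit ledger (illustrative example, not project code)."""
import copy
import hashlib
import json
from datetime import datetime, timezone

GENESIS = "0" * 64  # assumed convention: the first entry chains to a zero hash


def _canonical(obj: dict) -> bytes:
    # Canonical JSON so the same entry always hashes to the same digest.
    return json.dumps(obj, sort_keys=True, separators=(",", ":")).encode()


def seal(prev_hash: str, record: dict) -> dict:
    """Bind `record` to `prev_hash`; the resulting hash covers both."""
    body = {"prev": prev_hash, "record": record}
    return {**body, "hash": hashlib.sha256(_canonical(body)).hexdigest()}


class CaseLedger:
    """One ledger per case; entries carry a per-case timestamp and are never rewritten."""

    def __init__(self, case_id: str, clock=None):
        self.case_id = case_id
        self._clock = clock or (lambda: datetime.now(timezone.utc).isoformat())
        self.entries: list[dict] = []

    def append(self, tool: str, inference: str) -> str:
        prev = self.entries[-1]["hash"] if self.entries else GENESIS
        record = {"case": self.case_id, "ts": self._clock(), "tool": tool, "inference": inference}
        entry = seal(prev, record)
        self.entries.append(entry)
        return entry["hash"]

    def verify(self) -> tuple[bool, int]:
        """Recompute every link; return (ok, index of the first broken entry or -1)."""
        prev = GENESIS
        for i, e in enumerate(self.entries):
            body = {"prev": e["prev"], "record": e["record"]}
            if e["prev"] != prev or hashlib.sha256(_canonical(body)).hexdigest() != e["hash"]:
                return False, i
            prev = e["hash"]
        return True, -1


def demo() -> dict:
    """Three constructed inferences for a constructed case, then two tamper scenarios."""
    ts = iter(["2026-03-01T09:00:00+00:00", "2026-03-01T09:00:05+00:00", "2026-03-01T09:00:09+00:00"])
    ledger = CaseLedger("case-demo", clock=lambda: next(ts))
    ledger.append("os_fingerprint", "host is Windows with XAMPP installed")   # constructed
    ledger.append("evtx_query", "Security log cleared (event ID 1102) at 08:52")  # constructed
    ledger.append("sigma_scan", "rule 'event-log clearing' matched once")      # constructed
    results = {"intact": ledger.verify()}

    # Scenario 1: an inference is silently reworded after sealing.
    tampered = CaseLedger("case-demo")
    tampered.entries = copy.deepcopy(ledger.entries)
    tampered.entries[1]["record"]["inference"] = "nothing suspicious in Security log"
    results["tampered"] = tampered.verify()

    # Scenario 2: an entry is removed; the next entry's prev no longer matches.
    truncated = CaseLedger("case-demo")
    truncated.entries = copy.deepcopy(ledger.entries)
    del truncated.entries[1]
    results["truncated"] = truncated.verify()
    return results


if __name__ == "__main__":
    for name, (ok, bad_index) in demo().items():
        print(f"{name}: ok={ok} first_bad_entry={bad_index}")
```

`verify()` re-derives every hash from the stored `prev` and `record` fields rather than trusting the stored `hash`, so both an edited inference and a deleted entry surface at the first index where the chain no longer closes. The clock is injectable only so the demo is reproducible; in use, the wall-clock default gives the per-case timestamps.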
142 tests passing. Full history in CHANGELOG.md.