About the name
That's the literal expansion. But the codename was chosen with deliberate room to grow.
Agentic-DART begins as an agentic DFIR assistant — that's the focus of the SANS FIND EVIL! 2026 submission. But the name is intentionally generic so it remains accurate as the project's scope expands.
Senior-analyst reasoning encoded as architecture across forensic artifacts. The typed dart-mcp surface (native pure-Python + SIFT Workstation adapters) provides broad coverage of MITRE ATT&CK enterprise tactics. This is verified by the bundled test suite (which passes in full on a fresh clone) and by the bundled IP-KVM and PtH-timestomp case studies.
Once the DFIR loop is solid, the same architecture-first approach extends to:
- Detection-as-code generation — Sigma rule synthesis from observed evidence
- Coverage-gap reasoning — given an environment, what tactics is the current rule set blind to?
- Rule maintenance — what existing rules are now firing on benign behavior, and why?
The MCP surface for Phase 2 will be additive (the existing typed surface stays intact; new functions for detection-engineering tasks are added). The architectural guarantee — read-only, audit-chained, contradiction-aware — stays the same.
Once detection is mature, the project moves into supervised SOC operations:
- Triage — given an alert, what is the minimum set of MCP calls needed to decide if it's worth waking a human?
- Enrichment — given an indicator, what is the agent allowed to look up and how does that integrate with internal threat intelligence?
- Response orchestration — a strict superset of the read-only surface, where some response actions become callable, but only through a separate "armed" MCP server with a different audit chain and human-in-the-loop confirmation.
This is where DART becomes literal: detection AND response.
Once the DR loop works, the same patterns extend to broader agentic security workflows:
- Vulnerability management (which CVEs in this codebase are actually exposed?)
- Compliance evidence gathering
- Adversary emulation pre-flight checks
- Tabletop exercise generation
A name like dart-dfir or dart-forensics would have boxed the project into Phase 1. By the time we got to Phase 2, the name would be wrong, and a rename would lose stars, tear up internal references, and break external links.
Agentic-DART is forward-compatible by design.
The "Agentic" prefix is a deliberate signal that this is not a wrapper around an LLM, not a single-shot tool, and not a chatbot. It is:
- Autonomous within a tightly typed boundary
- Iterative with hypothesis revision and confidence tracking
- Auditable end to end via SHA-256 chains
The word "agentic" is industry shorthand for "the agent is the unit of work, not the prompt." That matches what this project is.
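As an added illustration of the "audit-chained" guarantee mentioned above and the SHA-256 chain listed here, the following is a minimal hash-chained audit log in Python. It is not dart-audit's code: the record layout, the GENESIS anchor, the function names and the constructed sample tool calls are all assumptions made for this example. It shows why a chain of SHA-256 links catches edits, reordering and deletion of past records, and why the head hash still has to be published out-of-band to catch truncation of the tail.

```python
"""Hash-chained audit log: every record commits to the SHA-256 of the previous
record, so editing, reordering or deleting a past entry breaks every later link.
Illustrative only; names and record layout are assumptions, not dart-audit's."""
import copy
import hashlib
import json
from typing import List, Optional, Tuple

GENESIS = "0" * 64  # hypothetical anchor value for the first record


def _canon(obj) -> bytes:
    # Canonical JSON so the same record always hashes to the same digest.
    return json.dumps(obj, sort_keys=True, separators=(",", ":")).encode("utf-8")


def _record_hash(record: dict) -> str:
    # Hash every field except the stored hash itself.
    body = {k: v for k, v in record.items() if k != "hash"}
    return hashlib.sha256(_canon(body)).hexdigest()


class AuditChain:
    """Append-only log of tool calls: tool name, arguments, digest of the result."""

    def __init__(self) -> None:
        self.records: List[dict] = []

    def append(self, tool: str, args: dict, result) -> str:
        prev = self.records[-1]["hash"] if self.records else GENESIS
        record = {
            "seq": len(self.records),
            "prev": prev,
            "tool": tool,
            "args": args,
            # Only a digest of the result is stored; the full output lives elsewhere.
            "result_sha256": hashlib.sha256(_canon(result)).hexdigest(),
        }
        record["hash"] = _record_hash(record)
        self.records.append(record)
        return record["hash"]

    def head(self) -> str:
        return self.records[-1]["hash"] if self.records else GENESIS


def verify_chain(records: List[dict],
                 expected_head: Optional[str] = None) -> Tuple[bool, Optional[int]]:
    """Return (True, None) if intact, else (False, index of the first broken record).

    expected_head is the last hash published out-of-band. Supplying it also
    detects truncation of the tail, which the links alone cannot reveal."""
    prev = GENESIS
    for i, rec in enumerate(records):
        if rec.get("prev") != prev or rec.get("seq") != i:
            return False, i            # reordered, deleted or spliced record
        if _record_hash(rec) != rec.get("hash"):
            return False, i            # contents edited after the fact
        prev = rec["hash"]
    if expected_head is not None and prev != expected_head:
        return False, len(records)     # tail truncated
    return True, None


def demo() -> tuple:
    # Constructed sample session: three read-only tool calls (hypothetical names).
    chain = AuditChain()
    chain.append("list_prefetch", {"path": "C:/Windows/Prefetch"}, ["CMD.EXE-1234.pf"])
    chain.append("parse_evtx", {"path": "Security.evtx", "event_id": 4624}, {"count": 3})
    chain.append("mft_timeline", {"path": "$MFT"}, {"rows": 12})
    head = chain.head()

    intact = verify_chain(chain.records, head)
    tampered = copy.deepcopy(chain.records)
    tampered[1]["args"]["event_id"] = 4625          # edit a past argument
    edited = verify_chain(tampered, head)
    truncated = verify_chain(chain.records[:2], head)   # drop the last record
    deleted = verify_chain([chain.records[0], chain.records[2]], head)  # drop the middle
    return intact, edited, truncated, deleted


if __name__ == "__main__":
    for label, outcome in zip(("intact", "edited", "truncated", "deleted"), demo()):
        print(f"{label}: {outcome}")
```

The four outcomes in `demo()` are the point: an untouched chain verifies, an edited record fails at its own index, a deleted record makes the next record's `prev` and `seq` mismatch, and a truncated tail is only caught because the head hash was recorded separately.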
- Not a reference to any specific organization's internal team naming
- Not an acronym for anything other than what's stated above
- Not a brand owned by an employer or a sponsor
This project is independent and personal.
Agentic-DART — autonomous DFIR agent · architecture-first, not prompt-first · MIT license · github.com/Juwon1405/agentic-dart