Glossary

Juwon1405 edited this page Apr 30, 2026 · 11 revisions

DFIR / agent / MCP terms used across the project. Sorted alphabetically.


Agentic-DART

This project. DART = Detection And Response Team — deliberately a category name rather than a product name, so the scope can grow from autonomous DFIR (Phase 1) to detection engineering (Phase 2) to agentic SOC (Phase 3) without rebranding.

Architecture-first

Design philosophy: guardrails are encoded in the type system and function surface, not in the LLM prompt. A jailbroken model is still bounded by what functions exist on the wire. Compare prompt-first.

See Architecture-first vs prompt-first.

Audit chain

Append-only JSONL where each entry's entry_hash includes the previous entry's hash. SHA-256. Tampering with any entry breaks the chain at that point and every subsequent point. See dart-audit.

Audit ID

UUID4 randomly generated per audit-chain entry. Findings cite their supporting audit_ids. The serializer refuses to emit findings without them.

Bypass test

tests/test_mcp_bypass.py. Asserts that destructive function names (execute_shell, eval, rm, etc.) are not registered on the surface. The most important test in the repo — if it fails, the architectural guarantee is broken.

Case class

A YAML tag in a playbook that says what kind of case the rules are tuned for: insider_threat_remote_hands, ransomware_response, web_breach, etc. See dart-playbook.

Chain integrity

The property that an audit chain re-validates from scratch: every entry's prev_hash matches the previous entry's entry_hash. The CLI command is python3 -m dart_audit verify <file>.
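A sketch of the chaining and re-validation described under Audit chain and Chain integrity, added here as an example and not taken from dart-audit. The field names entry_hash, prev_hash and audit_id come from this page; the canonical-JSON hashing scheme, the all-zero genesis value, the tool and result fields and the function names are assumptions.

```python
import hashlib
import json
import uuid

GENESIS = "0" * 64  # assumption: prev_hash value used by the first entry


def entry_digest(entry: dict) -> str:
    # Assumed scheme: SHA-256 over canonical JSON of every field except
    # entry_hash itself. prev_hash is inside the hashed body, which is what
    # links each entry to its predecessor.
    body = {k: v for k, v in entry.items() if k != "entry_hash"}
    canonical = json.dumps(body, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(canonical.encode("utf-8")).hexdigest()


def append_entry(lines: list, tool: str, result: str) -> str:
    """Append one JSONL line chained to the previous one; return its audit_id."""
    prev = json.loads(lines[-1])["entry_hash"] if lines else GENESIS
    entry = {"audit_id": str(uuid.uuid4()), "tool": tool,
             "result": result, "prev_hash": prev}
    entry["entry_hash"] = entry_digest(entry)
    lines.append(json.dumps(entry, sort_keys=True))
    return entry["audit_id"]


def verify_chain(lines: list) -> list:
    """Re-validate from scratch; return (line_index, reason) per failure."""
    problems, expected_prev = [], GENESIS
    for i, line in enumerate(lines):
        entry = json.loads(line)
        if entry.get("prev_hash") != expected_prev:
            problems.append((i, "prev_hash mismatch"))
        if entry.get("entry_hash") != entry_digest(entry):
            problems.append((i, "entry_hash mismatch"))
        # Carry the recomputed digest forward, not the stored one, so an
        # edited entry also invalidates the link held by its successor.
        expected_prev = entry_digest(entry)
    return problems


def build_sample_chain() -> list:
    # Constructed sample; the tool names are hypothetical, not dart-mcp's.
    lines = []
    for tool, result in [("tool_a", "1 device"), ("tool_b", "3 logons"),
                         ("tool_c", "42 records")]:
        append_entry(lines, tool, result)
    return lines
```

An in-place edit is reported at the edited line and at its successor; an edit whose entry_hash was recomputed, or a deleted line, is still reported at the following entry because its prev_hash no longer matches.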

Contradiction (UNRESOLVED / RESOLVED)

When two artifacts disagree about a fact — e.g. auth log says event happened at T, MFT timestamp says T - 11 seconds. dart-corr flags it as UNRESOLVED and refuses to let the agent emit findings until the hypothesis is revised. Mechanical, not subjective.

dart-agent

The wrapper loop. The only Python package with control flow. Reads a playbook, calls MCP functions, runs dart-corr, writes audit chain, emits findings.

dart-audit

SHA-256 chained audit log. Append-only JSONL. CLI for verify and trace.

dart-corr

Cross-artifact correlation. DuckDB-backed. Surfaces contradictions as UNRESOLVED. The architecture-first claim made concrete.

dart-mcp

The typed MCP server. 35 forensic functions, schema-validated, read-only. The "surface" — anything not here is not callable.

dart-playbook

YAML sequencing rules. Operator-tunable. Decides what the agent calls next given the current state.

Deterministic mode

Run the agent without an external LLM. Uses the playbook policy directly. No ANTHROPIC_API_KEY needed. Suitable for CI and air-gapped runs.

Evidence root

DART_EVIDENCE_ROOT env var. The directory the agent reads from. Mounted read-only by the operator (Layer 3 defense). All MCP functions route file paths through _safe_resolve which canonicalizes and rejects anything outside this root.

Finding

A claim the agent emits in its final report, e.g. "USB Kingston DataTraveler inserted at 14:22:18 UTC". Each finding cites the audit_id of the supporting MCP call. Findings without citations are blocked at write time.

Hypothesis

The agent's current working theory. Versioned (v1, v2, ...) with confidence scoring. Revised on UNRESOLVED contradictions or new evidence.

Live mode

Run the agent connected to a real Claude API instance. Requires ANTHROPIC_API_KEY. Same surface, same architectural guarantees as deterministic mode. See Live-mode.

LOLBin

"Living Off the Land Binary". A signed Microsoft binary with a benign primary purpose that can be repurposed for malicious use (e.g. comsvcs.dll for LSASS dump, regsvr32.exe for code execution). Detected by detect_credential_access and similar functions.

MCP (Model Context Protocol)

Anthropic's open protocol for connecting an LLM to typed external tools. Used by dart-mcp over JSON-RPC stdio. https://modelcontextprotocol.io

MITRE ATT&CK

The framework that maps attacker techniques to a tactic taxonomy (12 enterprise tactics: Initial Access, Execution, ..., Impact). Every detection function in dart-mcp is mapped to one or more T-IDs. https://attack.mitre.org

Playbook

A YAML file that encodes "what should the agent call next given the current state". Operator-tunable, lives in dart-playbook.

Prompt-first

The opposite of architecture-first. Guardrails live in the LLM's system prompt: "do not modify evidence", "do not exfiltrate". Vulnerable to prompt injection, jailbreaks, and prompt erosion over long sessions.

Replay attack (in audit)

An attempt to replay a previously recorded audit entry as if it were a fresh one. Prevented by per-entry random audit_id. The chain integrity check still validates structurally; the random IDs make stitched-together logs detectable.

Senior-analyst loop

The reasoning pattern Agentic-DART implements: form hypothesis → call typed tools → check for contradictions → revise on contradiction → emit findings with citations. Encoded in the dart-playbook YAML, executed by dart-agent.

Sigma

Open YAML-based signature format for security event log detection. Vendor-agnostic. Not directly used in Phase 1 (Phase 2 will add dart-synth for Sigma rule synthesis from audit corpora). https://github.com/SigmaHQ/sigma

Surface

The set of function names callable on the MCP wire. For Agentic-DART v0.4: exactly 35. Asserted by the test test_mcp_surface.py::test_registered_tools_are_exact_set.

_safe_resolve

The path-safety helper in dart_mcp. Canonicalizes any path argument (resolves .., symlinks), and rejects results outside DART_EVIDENCE_ROOT. Layer 2 of the read-only guarantee.
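One way to implement the canonicalize-then-reject check described here, added as an example and not the project's _safe_resolve. The function name safe_resolve, the exception class and the explicit root parameter (standing in for DART_EVIDENCE_ROOT) are assumptions, and the directory layout is constructed for the demo.

```python
import os
import tempfile
from pathlib import Path


class OutsideEvidenceRoot(ValueError):
    """The canonicalized path is not inside the evidence root."""


def safe_resolve(user_path: str, root: str) -> Path:
    # Canonicalize the root too, so two real paths are compared.
    root_real = Path(root).resolve(strict=True)
    # Relative arguments are taken under the root. An absolute argument
    # replaces the root in the join and is judged on its own.
    candidate = (root_real / user_path).resolve(strict=False)
    # Compare path components: a string-prefix test would wrongly accept
    # a sibling such as <root>-old.
    if candidate != root_real and root_real not in candidate.parents:
        raise OutsideEvidenceRoot(f"{user_path!r} resolves outside the root")
    return candidate


def demo() -> dict:
    """Run safe_resolve over a constructed layout; map label -> outcome."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp) / "evidence"
        sibling = Path(tmp) / "evidence-old"
        (root / "logs").mkdir(parents=True)
        sibling.mkdir()
        (root / "logs" / "auth.log").write_text("constructed sample\n")
        (sibling / "other.txt").write_text("outside the root\n")
        os.symlink(sibling / "other.txt", root / "logs" / "link")
        cases = {
            "plain": "logs/auth.log",
            "dotdot_inside": "logs/../logs/auth.log",
            "dotdot_escape": "../evidence-old/other.txt",
            "symlink_escape": "logs/link",
            "absolute_outside": str(sibling / "other.txt"),
        }
        outcomes = {}
        for label, arg in cases.items():
            try:
                safe_resolve(arg, str(root))
                outcomes[label] = "allowed"
            except OutsideEvidenceRoot:
                outcomes[label] = "rejected"
        return outcomes
```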

Timestomp

Modifying file timestamps to evade detection. Detected by comparing $SI (Standard Information, user-modifiable) against $FN (File Name, kernel-set) in the MFT. Mismatch = timestomp. T1070.006.

