Home
Juwon1405 edited this page Apr 30, 2026 · 19 revisions
An autonomous DFIR agent that thinks like a senior analyst. Architecture-first, not prompt-first.
This wiki is the long-form companion to the project README. The README is for landing — get a feel for the project in 30 seconds. The wiki is for engineers who want to understand the why, the how, and the parts that don't fit on a single page.
- About the name — what DART means and the four-phase scope expansion
- Architecture-first vs prompt-first — the central design claim
- Threat model — what Agentic-DART defends against, and what it does NOT
- dart-mcp — the typed surface — the 35 forensic functions, schema, bypass tests
- dart-agent — the senior-analyst loop — iteration / hypothesis / confidence
- dart-corr — cross-artifact correlation — DuckDB joins and UNRESOLVED flagging
- dart-audit — SHA-256 chained log — tamper-evident audit trail
- dart-playbook — sequencing rules — YAML-driven analyst heuristics
- Running on the SANS SIFT Workstation — install, mount, run
- Running on macOS — lightweight dev mode
- Live mode (real Claude API + MCP stdio) — from Claude Code
- Reproducible accuracy measurement — re-run every dataset
- PtH with timestomp pre-existence — headline self-correction walkthrough
- IP-KVM remote-hands insider — the bundled detection example
- How to write a new case study
- Phase 2 — Detection engineering — Sigma synthesis, coverage-gap reasoning
- Phase 3 — Agentic SOC — triage, enrichment, supervised orchestration
- Phase 4 — Beyond DR — broader agentic security workflows
- Glossary — DFIR + ATT&CK + project-specific terminology
- FAQ — common questions from judges, contributors, and skeptics
- Comparison with adjacent tools — Velociraptor, KAPE, Plaso, Hayabusa
| What you need | Where to look |
|---|---|
| Try it in 30 seconds | README → Quick start |
| Architecture diagram | dart-architecture.png |
| Sample run screenshots | docs/screenshots/ |
| Hackathon submission | SANS FIND EVIL! 2026 — Devpost |
| Full case-study walkthrough | docs/case-pth-timestomp.md |
| Source code | github.com/Juwon1405/agentic-dart |
The README has to be readable in two minutes. That means it can't go deep on:
- the threat model (what attacks are in scope, what aren't)
- the decision log (why the MCP surface is exactly 35 functions, not 28, not 35)
- the comparison with other DFIR tools
- the per-component design notes that engineers actually need to extend the project
This wiki is where that long-form writing lives.
Wiki maintained alongside the main repo. Same MIT license.
Agentic-DART — autonomous DFIR agent · architecture-first, not prompt-first · MIT license · github.com/Juwon1405/agentic-dart
- The Memex bet ⭐ Why this design
- About the name
- Architecture-first vs prompt-first
- Architecture deep dive
- Threat model
- Glossary
- dart-mcp — typed surface (native + SIFT adapters)
- dart-agent — senior-analyst loop
- dart-corr — cross-artifact correlation
- dart-audit — SHA-256 chained log
- dart-playbook — senior-analyst sequencing rules (v3 default)
- MCP function catalog (native + SIFT adapters)
- Comparison with adjacent tools
- FAQ
- Operator guide — distro-agnostic
- Running on SIFT
- Live mode
- Accuracy report
- Roadmap ⭐ Phase 1 ~95% complete
- Phase 1 — Agentic DFIR ⭐ dedicated page · SANS submission
- Phase 2 — Detection engineering
- The self-learning loop ⭐ design note
- Phase 3 — Agentic SOC
- Phase 4 — Broader agentic security