Try It Out

VERITAS runs on a SANS SIFT workstation against mounted Windows disk images. There is no hosted demo — the tool calls real forensic binaries (vol.py, fls, rip.pl, grep) directly against evidence files. That’s the point.


Live Investigation Reports

Four fully validated pipeline runs. Every Auditor challenge, tool call, and verdict is interactive and browsable.

View nfury Investigation Report View tdungan Investigation Report View nromanoff Investigation Report View rocba Investigation Report

nfury: 19 detected · 15 confirmed · 4 refuted · 16 min · $14
tdungan (campaign mode): 17 detected · 13 confirmed · 4 refuted · 15 min · $14
nromanoff: 7 detected · 3 confirmed · 4 refuted · 15 min · $14
rocba (attacker C2 node): 5 detected · 1 confirmed · 4 refuted · 23 min · ~$14
Total: 32 confirmed across 48 detected · 16 correctly refuted · exactly 4 refutals per host


Setup

# SANS SIFT workstation (Ubuntu) recommended
python3 -m venv ~/adversa-env && source ~/adversa-env/bin/activate
pip install anthropic mcp matplotlib numpy

export ANTHROPIC_API_KEY="sk-ant-..."

Requires a Windows disk image mounted read-only at a path like /mnt/hostname.


Full adversarial pipeline

# Terminal 1
python3 custom-agent/sift_server.py

# Terminal 2
python3 custom-agent/investigate.py /mnt/hostname

Runs Triage → Auditor → HTML report.

Campaign mode — declare prior hosts explicitly to propagate confirmed IOCs:

python3 custom-agent/investigate.py --case ~/cases/nfury
python3 custom-agent/investigate.py --case ~/cases/tdungan nfury
python3 custom-agent/investigate.py --case ~/cases/controller nfury tdungan

Host names resolve to reports/<host>-iocs.json. Explicit declaration required — IOCs are never injected automatically, preventing cross-campaign contamination.


Rebuild signal weights

# Recalibrate corpus weights from MalwareBazaar + HybridAnalysis
MB_API_KEY=your_key HA_API_KEY=your_key python3 custom-agent/build_corpus.py --limit 100
python3 custom-agent/compute_weights.py       # → data/calibrated_weights.json

# Retrain Sysmon ASL (requires Mordor datasets — see DATASET.md)
python3 custom-agent/brain.py                 # ~30 min, 3000 iterations
python3 custom-agent/export_patterns.py       # → operational_rules.json

Output files

File What it contains
reports/hostname-report.html Full investigation report — exec summary, IOC table, Auditor transcript
reports/hostname-investigation.json Confirmed / inconclusive / refuted techniques, adjusted score
reports/hostname-auditor-transcript.json Every Auditor challenge, round-by-round, with tool output and reasoning
reports/operational_rules.json Sysmon ASL operational rules — ships with the repo, no training required to use
reports/sigma_rules/*.yml Sigma detection rules, adversarially validated

SANS FIND EVIL! Hackathon 2026  ·  Custom MCP Server + Multi-Agent Adversarial Pipeline  ·  MIT License