HOMUNCULUS

Deception Grid · operator console · concept demo
Dwell time00:00
IOC / TTP0
MITRE0
Confidence

Pipeline

5 stages
1
Reconnaissance
Attacker scans the network segment
2
Decoy contact
Lands on a planted asset
3
AI persona
Engages and extends the interaction
4
Intel extraction
IOCs, TTPs, ATT&CK mapping
5
Profile & alert
Actor profile + SOC notification
Attacker
Decoy / persona layer
Analysis engine / intel

Decoy environment

ready
D
Diane_Whitcombe
AI persona · "Finance Ops"
SYSTEM
Press Run scenario to replay a sample detect-and-engage sequence against a simulated attacker.

Extracted intel

0 events
// waiting for attacker activity…

MITRE ATT&CK — techniques

T1046
Network Service Discovery
T1078
Valid Accounts
T1083
File & Directory Discovery
T1114
Email Collection
T1005
Data from Local System
T1567
Exfil over Web Service
Unknown actor
Likely profile
Tooling
Objective
Sophistication
Layered PoC architecture. Each block is a component you can build in Claude Code — described in terms of what it does, not what it's called in code. This scope is realistic to close in 6–8 weeks: the backbone (honeypots, event queue, dashboard) leans on mature building blocks, and your differentiator — the AI persona layer — is where most of the work goes.
① Contact surfaceoff-the-shelf
DECOY / HONEYPOTT-Pot · OpenCanary
FAKE ASSETSSMB · SSH · web · lure documents
NETWORKisolated segment / VLAN
SENSORsession + packet capture
② AI persona layer — your differentiator80% of the work
IDENTITY GENERATORClaude API → people, backstories, docs
DIALOGUE ENGINEadaptive attacker engagement
CONSISTENCYpersona memory + vector store
GUARDRAILnothing real ever leaks
③ Analysis enginecore value
EVENT QUEUEinteraction stream (Node.js)
EXTRACTIONIOC · TTP · tool fingerprint
MAPPINGclassify → MITRE ATT&CK
PROFILINGactor profile + confidence
④ Outputwhat the investor sees
DASHBOARDReact · live view (this screen)
ALERTSSOC · webhook · Slack / email
INTEL REPORTSTIX / PDF export
APISIEM / SOAR integration
// BUILD ORDER IN CLAUDE CODE:
1 · dashboard + mocked event stream (this screen already runs on synthetic data — that's where you start)
2 · AI persona layer on Claude API — one persona, one end-to-end scenario first
3 · swap the mock for a real honeypot (OpenCanary)
4 · extraction + MITRE mapping on real logs
5 · loop: a recorded "live" scenario for the investor demo