Press Run scenario to replay a sample detect-and-engage sequence against a simulated attacker.
Extracted intel
0 events
// waiting for attacker activity…
MITRE ATT&CK — techniques
T1046
Network Service Discovery
T1078
Valid Accounts
T1083
File & Directory Discovery
T1114
Email Collection
T1005
Data from Local System
T1567
Exfil over Web Service
⚑
Unknown actor
Likely profile—
Tooling—
Objective—
Sophistication—
Layered PoC architecture. Each block is a component you can build in Claude Code —
described in terms of what it does, not what it's called in code. This scope is realistic to close in 6–8 weeks:
the backbone (honeypots, event queue, dashboard) leans on mature building blocks, and your differentiator — the
AI persona layer — is where most of the work goes.
① Contact surfaceoff-the-shelf
DECOY / HONEYPOTT-Pot · OpenCanary
FAKE ASSETSSMB · SSH · web · lure documents
NETWORKisolated segment / VLAN
SENSORsession + packet capture
② AI persona layer — your differentiator80% of the work
IDENTITY GENERATORClaude API → people, backstories, docs
DIALOGUE ENGINEadaptive attacker engagement
CONSISTENCYpersona memory + vector store
GUARDRAILnothing real ever leaks
③ Analysis enginecore value
EVENT QUEUEinteraction stream (Node.js)
EXTRACTIONIOC · TTP · tool fingerprint
MAPPINGclassify → MITRE ATT&CK
PROFILINGactor profile + confidence
④ Outputwhat the investor sees
DASHBOARDReact · live view (this screen)
ALERTSSOC · webhook · Slack / email
INTEL REPORTSTIX / PDF export
APISIEM / SOAR integration
// BUILD ORDER IN CLAUDE CODE:
1 · dashboard + mocked event stream (this screen already runs on synthetic data — that's where you start)
2 · AI persona layer on Claude API — one persona, one end-to-end scenario first
3 · swap the mock for a real honeypot (OpenCanary)
4 · extraction + MITRE mapping on real logs
5 · loop: a recorded "live" scenario for the investor demo