A modern, AI-assisted intrusion against a 12-person Canadian roofing company — old techniques (phishing, reverse shell, ransomware) accelerated by new tooling (an LLM writing the lure, polymorphic payloads, automated lateral movement). Walk the kill chain and watch the four Guardian products feed one correlated incident in the dashboard on the right. Every detection below is the same code that ships in the capstone agents — the attacker is scripted; the defence is real.
The same attack, run past each defence. "Maybe" = depends on signatures/config and usually fires late.
| Attack stage | Technique | GuardEndDev Suite | Antivirus only | MDM only | Rule-only OSS |
|---|---|---|---|---|---|
| Website recon (SQLi / vuln scan) | T1190 | Blocked · Web WAF | Missed | Missed | Maybe |
| AI-written phishing SMS → owner's phone | T1660 | Caught · Mobile | Missed | Maybe | Missed |
| Malicious attachment spawns a shell | T1566 | Caught · Desktop | Maybe | Missed | Maybe |
| Reverse shell to attacker host | T1059 | Caught · Desktop | Missed | Missed | Maybe |
| Privilege escalation (rogue SUID) | T1548 | Caught · Desktop | Missed | Missed | Maybe |
| Polymorphic payload (no known signature) | AI-EDR | Caught · IsolationForest | Missed | Missed | Missed |
| Lateral move touches a decoy host | Honeypot | Caught · Sentry | Missed | Missed | Missed |
| Ransomware encryption begins | T1486 | Detected <10s · Canary | Maybe (late) | Missed | Maybe |
| Tied into ONE incident | Correlation | Yes · rule engine | No | No | No |
A security tool has to be precise about which parts are AI. Here is ours, verified against the code.
| Component | What it is | AI? |
|---|---|---|
| The 7 MITRE rules | Deterministic detectors (process trees, network, SUID, ransom precursors) | No — rules |
| AI-EDR classifier | IsolationForest anomaly model (ADR-007) — scores novelty of process behaviour; catches payloads no signature knows | Yes — ML |
| PhishGuard (Mobile) | On-device heuristic ships today (weighted scam signals); a TFLite model is roadmap (ADR-021) | Heuristic now |
| Incident correlation | Deterministic per-tenant rule: thread alerts on the same device within a 60-min window (lib/correlation.ts) | No — rules |
| AI-IR assistant | An LLM that explains the incident in plain English — read-only tools, Zod-validated output, prompt-injection canary, every call audited (packages/ai) | Yes — LLM |
| AI-IR making block/isolate decisions | It cannot. The assistant reads and recommends; it never acts. Containment is a separate, opt-in, default-OFF control (ADR-036) | By design |
"Endpoint" spans more than laptops. Here is every device class GuardEndDev targets, what protects it, and its honest status for the capstone.
What "endpoint" means here. The management brain (Dashboard) and the out-of-band alerter (Sentry, over LoRa when the internet is down) mean a device is covered even when it can't phone home. Everything marked ROADMAP is named in the enterprise vision and is deliberately not claimed as built — the capstone ships Linux + Android + the Pi 5 sensor, correlated in one dashboard.
Two things get provisioned: endpoint agents (report in) and the dashboard (where you watch). The demo runs entirely in mock mode at $0 — no live keys, no customer data.
The owner or an admin logs in at the product URL with Auth0 + MFA. Analysts get a read-only role; only owner/admin can enrol devices or change billing.
From Admin, enrol a device. The server mints a device JWT — a signed token carrying tenant_id, site_id, device_id. It's returned once and is the only credential the agent stores. Every enrolment writes an audit row.
Ships as a signed .deb (ADR-017) with a hardened systemd unit — NoNewPrivileges, ProtectSystem=strict, capability bounding. For the demo it runs on mock telemetry with no host access at all.
A Raspberry Pi 5 running the honeypot (fake SMB "BACKUP_2024", fake SSH/RDP) plus Wi-Fi/RF sensing. A Pico 2 W gives a physical LCD alert and a LoRa out-of-band channel. Sentry authenticates by HMAC (not a session), verified constant-time.
On-device scam-SMS detection. Message content never leaves the phone — only a verdict event syncs to the dashboard. The heuristic scorer ships today; a TFLite model is on the roadmap.
Trigger the scripted GHOSTSHELL attack (tab ①). Alerts from phone, workstation, and sensor stream into the feed; the correlation engine threads them into a single INC-…; AI-IR narrates it and hands you a timeline for your insurer.
Every alert takes this exact path (verified against /api/edr/alerts and reporter.py).
Scope honesty. This is a demo-day simulation built from Guardian's real defensive code — the seven MITRE rules, the IsolationForest AI-EDR, the canary-mesh tripwire, the Sentry honeypot, and the deterministic correlation engine — run against a scripted attacker. The attacker infrastructure and the AI it uses are simulated; the defender-side logic is the same code that ships in the capstone agents. Numbers shown (entropy 7.98 b/byte, 9-second detection) reflect the real thresholds in t1486_canary_ransomware.py (encryption-grade entropy floor 7.5). Cross-platform stages (Windows / macOS / Active Directory) from the enterprise vision are post-capstone roadmap, labelled as such throughout. Detection ≠ prevention: Guardian detects fast and can recommend isolation; it does not claim to prevent every stage.