GuardEndDev Suite · Demo-day simulation

Operation GHOSTSHELL — an AI-driven attack, caught as one incident

A modern, AI-assisted intrusion against a 12-person Canadian roofing company — old techniques (phishing, reverse shell, ransomware) accelerated by new tooling (an LLM writing the lure, polymorphic payloads, automated lateral movement). Walk the kill chain and watch the four Guardian products feed one correlated incident in the dashboard on the right. Every detection below is the same code that ships in the capstone agents — the attacker is scripted; the defence is real.

✓ Guardian Web WAF/IDS — live ✓ 7 MITRE rules — live ✓ AI-EDR IsolationForest — live ✓ Canary-mesh tripwire — live ✓ Sentry honeypot — live ✓ Prompt-injection canary — live ◙ Windows / macOS / AD — roadmap
Read the right rail as you click. Left = the attacker's steps. Right = exactly what the business owner sees at geds.neuralciberguard.org/dashboard: alerts stream into one feed, the correlation engine threads them into a single INC-… incident (not ten separate pages), and AI-IR narrates it. That threading is the whole product — siloed tools show ten alerts and leave you to connect them.

Coverage vs. siloed tools

The same attack, run past each defence. "Maybe" = depends on signatures/config and usually fires late.

Attack stageTechniqueGuardEndDev SuiteAntivirus onlyMDM onlyRule-only OSS
Website recon (SQLi / vuln scan)T1190Blocked · Web WAFMissedMissedMaybe
AI-written phishing SMS → owner's phoneT1660Caught · MobileMissedMaybeMissed
Malicious attachment spawns a shellT1566Caught · DesktopMaybeMissedMaybe
Reverse shell to attacker hostT1059Caught · DesktopMissedMissedMaybe
Privilege escalation (rogue SUID)T1548Caught · DesktopMissedMissedMaybe
Polymorphic payload (no known signature)AI-EDRCaught · IsolationForestMissedMissedMissed
Lateral move touches a decoy hostHoneypotCaught · SentryMissedMissedMissed
Ransomware encryption beginsT1486Detected <10s · CanaryMaybe (late)MissedMaybe
Tied into ONE incidentCorrelationYes · rule engineNoNoNo

Where the "AI" actually is — honest split

A security tool has to be precise about which parts are AI. Here is ours, verified against the code.

ComponentWhat it isAI?
The 7 MITRE rulesDeterministic detectors (process trees, network, SUID, ransom precursors)No — rules
AI-EDR classifierIsolationForest anomaly model (ADR-007) — scores novelty of process behaviour; catches payloads no signature knowsYes — ML
PhishGuard (Mobile)On-device heuristic ships today (weighted scam signals); a TFLite model is roadmap (ADR-021)Heuristic now
Incident correlationDeterministic per-tenant rule: thread alerts on the same device within a 60-min window (lib/correlation.ts)No — rules
AI-IR assistantAn LLM that explains the incident in plain English — read-only tools, Zod-validated output, prompt-injection canary, every call audited (packages/ai)Yes — LLM
AI-IR making block/isolate decisionsIt cannot. The assistant reads and recommends; it never acts. Containment is a separate, opt-in, default-OFF control (ADR-036)By design
The AI attacks; our AI explains — humans and rules decide. The attacker uses an LLM to write the lure and polymorph the payload. We answer that with an anomaly model (for the unsignatured payload) and an LLM that only ever describes — the actual defensive decisions are deterministic rules and a human clicking "isolate." That boundary is the safety property, and it is enforced in packages/ai by a CI gate.

Protecting endpoint devices — the full surface

"Endpoint" spans more than laptops. Here is every device class GuardEndDev targets, what protects it, and its honest status for the capstone.

Laptops / Desktops
Linux workstations — the Guardian Desktop agent: 7 MITRE rules + AI-EDR + canary mesh
SHIPS · Linux
Servers
Same Linux agent; signed .deb + hardened systemd unit (ADR-017, designed)
Linux agent · pkg designed
Mobile
Android — PhishGuard on-device scam-SMS detection + SIM-swap alerts
SHIPS · Android
Network nodes
Guardian Sentry — honeypot tripwire + Wi-Fi/RF sensing on the LAN
SHIPS · Pi 5
IoT devices
Watched indirectly: Sentry sees rogue devices & lateral movement they can't defend themselves
via Sentry
Peripherals
Anomalous USB / device events surface through host EDR telemetry
via host EDR
Windows
Windows endpoint agent — the largest SMB surface
ROADMAP
macOS / iOS
Evaluation stage in the enterprise vision
ROADMAP

What "endpoint" means here. The management brain (Dashboard) and the out-of-band alerter (Sentry, over LoRa when the internet is down) mean a device is covered even when it can't phone home. Everything marked ROADMAP is named in the enterprise vision and is deliberately not claimed as built — the capstone ships Linux + Android + the Pi 5 sensor, correlated in one dashboard.

From setup to attack — what you install and what you'll see

Two things get provisioned: endpoint agents (report in) and the dashboard (where you watch). The demo runs entirely in mock mode at $0 — no live keys, no customer data.

Sign in to the dashboard

The owner or an admin logs in at the product URL with Auth0 + MFA. Analysts get a read-only role; only owner/admin can enrol devices or change billing.

https://geds.neuralciberguard.org/dashboard
You'll see: the Overview page — sidebar with Overview · Alerts · Sites · AI-IR · Sentry · Training · Billing · Admin · Settings. Empty state until an agent reports.

Enrol an endpoint (issues its identity)

From Admin, enrol a device. The server mints a device JWT — a signed token carrying tenant_id, site_id, device_id. It's returned once and is the only credential the agent stores. Every enrolment writes an audit row.

POST /api/devices/enroll (Auth0 session · role owner|admin) → returns device JWT (the agent's bearer token)
You'll see: the new device appear under its Site, status "awaiting first report."

Install the Guardian Desktop agent on the endpoint

Ships as a signed .deb (ADR-017) with a hardened systemd unit — NoNewPrivileges, ProtectSystem=strict, capability bounding. For the demo it runs on mock telemetry with no host access at all.

sudo apt install ./guardian-edr_*.deb sudo systemctl start guardian-edr # reads its device JWT, begins reporting
You'll see: the device flips to "healthy · reporting." Verified: the agent's own test suite runs green in mock mode.

Place the Guardian Sentry sensor on the LAN

A Raspberry Pi 5 running the honeypot (fake SMB "BACKUP_2024", fake SSH/RDP) plus Wi-Fi/RF sensing. A Pico 2 W gives a physical LCD alert and a LoRa out-of-band channel. Sentry authenticates by HMAC (not a session), verified constant-time.

pi5-host → POST /api/sentry/alerts (HMAC-signed, per-device key)
You'll see: the Sentry tile on Overview go green; any honeypot touch later lights it red.

Install PhishGuard on the owner's Android phone

On-device scam-SMS detection. Message content never leaves the phone — only a verdict event syncs to the dashboard. The heuristic scorer ships today; a TFLite model is on the roadmap.

You'll see: the phone listed as a Mobile endpoint; a flagged scam later appears in the same feed as the server alerts.

Run the attack — watch one incident form

Trigger the scripted GHOSTSHELL attack (tab ①). Alerts from phone, workstation, and sensor stream into the feed; the correlation engine threads them into a single INC-…; AI-IR narrates it and hands you a timeline for your insurer.

You'll see: the Alerts feed fill, the incident counter climb to one number (not ten), and the AI-IR verdict update at each stage — exactly the right-rail simulation in tab ①.

The alert's journey — endpoint to dashboard

Every alert takes this exact path (verified against /api/edr/alerts and reporter.py).

1. Detect — a rule or the AI-EDR model fires on the endpoint.
2. Batch & sign — the agent batches (≤100) and posts with its device JWT.
3. Verify — the dashboard checks the JWT signature against its JWKS. tenant/site/device come from the signed token, never the body.
4. Scope — every write goes through withTenant() so Postgres Row-Level Security isolates it to that customer.
5. CorrelatecorrelateTenantAlerts() attaches the alert to an open incident on the same device within 60 minutes, or opens a new one.
6. Display — it appears in the Alerts feed and on the incident.
7. Explain — ask AI-IR in plain English; it answers from these alerts only, read-only, Zod-validated, audit-logged.
8. Respond — a human may isolate the host. Auto-isolate is opt-in and OFF by default (ADR-036).

Scope honesty. This is a demo-day simulation built from Guardian's real defensive code — the seven MITRE rules, the IsolationForest AI-EDR, the canary-mesh tripwire, the Sentry honeypot, and the deterministic correlation engine — run against a scripted attacker. The attacker infrastructure and the AI it uses are simulated; the defender-side logic is the same code that ships in the capstone agents. Numbers shown (entropy 7.98 b/byte, 9-second detection) reflect the real thresholds in t1486_canary_ransomware.py (encryption-grade entropy floor 7.5). Cross-platform stages (Windows / macOS / Active Directory) from the enterprise vision are post-capstone roadmap, labelled as such throughout. Detection ≠ prevention: Guardian detects fast and can recommend isolation; it does not claim to prevent every stage.