Inspiration:

In November 2025, adversaries demonstrated they could drive Claude Code to execute intrusions at 80-90% autonomy, operating at machine speed. Meanwhile, defenders still manually look up command-line flags during active incidents. I built 4n6 Nexus to flip that asymmetry: an autonomous DFIR agent that investigates at adversary speed without sacrificing the forensic integrity that courts demand.

The inspiration came from a simple question: what if the SIFT Workstation, a foundation of digital forensics. had an autonomous agent layer that could reason about evidence like an analyst, but operate at machine speed with architectural guarantees that evidence can never be modified?

What It Does:

4n6 Nexus is a multi-agent autonomous DFIR system built as an extension of Protocol SIFT. It analyzes forensic evidence across five domains: disk timeline, memory, network, persistence, and YARA signatures.

It uses a coordinated team of specialist agents:

  1. The orchestrator dispatches the investigation
  2. The triage agent scopes available artifacts
  3. Three domain analysts (disk, memory, network) work in parallel
  4. The verifier agent challenges every finding through cross-artifact correlation

The system achieves F1=1.00 (perfect precision and recall) across 15 test scenarios with 62 ground-truth findings: zero false positives, zero false negatives.

Real-World Validation

  • CIRCL TR-80 wiped disk: Detected anti-forensic GPT wipe (primary zeroed, backup intact)
  • Nitroba network capture: Identified C2 beaconing with 15-minute cadence (CoV=0.0016)
  • M57-Jean dataset: Correctly returned zero findings (clean baseline validation)

Self-Correction in Action

The verifier agent doesn't just accept findings... it actively challenges them:

F-001 [disk_timeline] ransom_note.exe Initial: confidence 0.95 (file executed before creation timestamp) Verifier: contradiction detected (causality violation) Tiebreaker: queried Event Log 4688 for process creation Result: confidence 0.95 → 0.75 (contradiction resolved)

F-005 [network] 203.0.113.66 hardcoded IP connection Initial: confidence 0.90 (suspicious direct-IP C2 beacon) Verifier: cannot resolve (no DNS query, no reverse lookup) Result: confidence 0.90 → 0.45 (contradiction held, flagged for human review)

This is autonomous self-correction. The system catches its own reasoning errors and adjusts confidence based on cross-artifact verification.

How I Built It:

Architectural Foundation

I implemented two of the initial four FIND EVIL! architectural approaches:

  1. Custom MCP Server (sift_find_evil/mcp/server.py)
    • Every forensic tool call crosses a typed, read-only MCP boundary
    • Architectural guardrails enforced in code (not prompts):
      • Read-only enforcement (no destructive operations)
    • Path containment (evidence root boundary)
    • Circuit breaker (timeout + retry limits)
    • Tool allowlist (no arbitrary shell access)
  2. Multi-Agent Framework (.claude/agents/dfir-*.md)
    • Orchestrator coordinates 5 specialist agents
    • No single agent holds all evidence in context
    • Agent-to-agent messages logged to correlated audit trail
    • Verifier implements self-correction via contradiction detection

Technology Stack

  • Runtime: Claude Code + SANS SIFT Workstation
  • Language: Python 3.12
  • Forensic Tools: MFTECmd, PECmd, EvtxECmd, Volatility 3, Sleuth Kit, tshark
  • Protocol: Model Context Protocol (MCP) for tool boundary
  • Testing: 1,000+ tests, ~94% line coverage, CI/CD on every commit

Key Innovation: Architectural vs. Prompt-Based Guardrails

Most AI agent systems rely on prompt instructions like "do not modify evidence." We enforce it architecturally:

sift_find_evil/mcp/guardrails.py

class ToolGuard: def validate_path(self, path: Path) -> None: """Reject paths outside evidence root.""" if not path.resolve().is_relative_to(self.evidence_root): raise GuardrailViolation( f"Path '{path}' outside evidence root" )

The agent physically cannot reach destructive tools—they aren't exposed through the MCP server. We tested this by instructing a live agent to read /etc/shadow (outside evidence bounds). Result: blocked at the MCP boundary, logged as tool_blocked, agent never saw the file.

Challenges I Faced

1. Context Window Exhaustion

Problem: A single MFT file can have 500K+ entries. Feeding raw forensic tool output to an LLM context window is impossible.

Solution: The MCP server parses tool output and returns structured summaries:

Raw: 155,452 MFT entries (4.8GB CSV)

Returned: 247 suspicious entries (JSON, <50KB)

The agent reasons over summaries, not raw dumps.

2. False Positive Control

Problem: Early beaconing detector flagged a benign weather widget (7 requests, 900s interval, CoV=0.0016) as high-confidence C2.

Solution: Cadence alone can't distinguish benign timers from C2. We capped confidence at Medium (0.70) and added reasoning chains: "Regular cadence detected, but uniform timing is necessary-not-sufficient for C2 classification. Requires additional indicators (hardcoded IP, suspicious domain, encrypted payload) for high confidence."

3. Agent Hallucination Risk

Problem: LLMs can hallucinate facts when reasoning about evidence.

Solution: Every finding must cite tool execution + artifact location: { "finding_id": "F-001", "evidence": [ { "source": "mftecmd", "artifact": "/mnt/evidence/$MFT", "entry": 42156, "field": "SI_Create", "value": "2024-03-15 14:23:11" } ] }

The audit log (audit.jsonl) contains every tool invocation with timestamps, exit codes, and output hashes. Every finding is traceable to the exact command that produced it.

4. Deterministic Reproducibility

Problem: Live agents produce non-deterministic output (wording varies per run).

Solution: We built dual execution paths:

  • Claude Code agents (live, interactive, on-narrative demo)
  • Standalone Python orchestrator (deterministic, identical audit log every run)

Both paths use the same MCP server, same guardrails, same self-correction engine. Judges can reproduce results with the standalone path while seeing the live agent behavior in the demo video.

What I Learned

Evidence Integrity is Not a Prompt Problem

I started thinking "I'll instruct the agent not to modify evidence." I quickly learned that attacker-controlled input can include prompt injections. A sophisticated adversary can hide instructions in filenames, registry keys, or log entries that manipulate the agent.

The answer is architectural: even if a prompt injection convinces the agent to try something destructive, the MCP boundary rejects it in code. The agent can be fooled in what it says. It cannot act against the evidence.

Multi-Agent ≠ Multi-Perspective

Having multiple agents isn't enough. They must have different information. The verifier doesn't just re-read the same artifacts; it:

  1. Identifies contradictions (causality violations, missing corroboration)
  2. Queries different artifact types as tiebreakers (Event Logs when MFT contradicts Prefetch)
  3. Adjusts confidence based on cross-artifact alignment

This produces genuine self-correction, not just redundant validation.

F1=1.00 is Achievable (with Caveats)

It achieved perfect scores across 15 scenarios, but with honesty:

  • Synthetic fixtures: Ground truth is hand-authored, not discovered
  • Scope limits: it doesn't detect every attack. Only the techniques that have been encoded
  • Real evidence: 2/3 real datasets validated, others staged but not run

F1=1.00 means zero errors within a detection scope and not omniscience.

What's Next

Short Term (Post-Hackathon)

  • Complete real-evidence validation for all staged datasets
  • Add detectors for lateral movement (Kerberos, NTLM anomalies)
  • Web UI for case management and finding visualization

Medium Term

  • Multi-case queue with priority handling
  • Persistent learning: agent remembers patterns across investigations
  • Team collaboration: multiple analysts working one case

Long Term

  • SIEM integration (Splunk, Elastic, Sentinel) for automated triage
  • Active defense: agent proposes containment actions for SOC approval

Why This Matters

Defenders operate at human speed. Adversaries now operate at machine speed. 4n6 Nexus closes that gap while preserving the forensic rigor that courts demand. It's not just faster incident response. It is an autonomous incident response you can trust in litigation and beyond.

Built on SIFT. Secured by architecture. Proven at F1=1.00.

Built With

  • asyncio
  • claude
  • click
  • coverage.py
  • csv
  • docker
  • evtxecmd
  • expert-witness-format
  • github
  • json
  • jsonl
  • markdown
  • mcp
  • mermaid
  • mftecmd
  • mypy
  • pathlib
  • pcap
  • pecmd
  • pre-commit
  • pydantic
  • pytest
  • python
  • recmd
  • ruff
  • sift-workstation
  • sleuth-kit
  • tshark
  • ubuntu
  • volatility
  • yara
  • yara-python
Share this project:

Updates