ShadowStrike Phantom
Pre-Alpha · Active Development

Endpoint protection built in the open.

ShadowStrike Phantom is an open-source endpoint protection platform for Windows. Kernel-level detection, behavioral analysis, syscall tracing, and full threat intelligence — every line of code auditable, no black boxes.

Lines of Code: 1.5M+
Core Language: C/C++/ASM
Commits: 5/day
Beta Target: 2028
PhantomSensor kernel event stream (live demo widget): PhantomSensor v0.1.0-pre · Windows 11 x64 · Kernel 10.0.26100
Detection Capabilities

Everything an endpoint protection platform demands.

PhantomSensor operates at every layer of the Windows security model — from kernel callbacks to user-space behavioral analysis. No telemetry blind spots.

Kernel-Level Monitoring

Minifilter driver hooks file system I/O at altitude 328000. Full read/write/create/delete interception, pre- and post-operation callbacks.

WDK · Minifilter · ELAM

Behavioral Analysis

Attack chain tracker correlates kernel events across process trees. MITRE ATT&CK mapping with real-time threat scoring.

ATT&CK · Heuristics · Scoring

Memory Inspection

VAD tree traversal, shellcode pattern detection, process hollowing and injection recognition, heap spray analysis, ROP chain tracing.

VAD · PE injection · ROP

Syscall Tracing

Direct syscall detection, Heaven's Gate (WoW64) transition monitoring, NTDLL integrity verification, and call stack origin analysis.

Direct syscall · Heaven's Gate · NTDLL

Network Detection

C2 communication patterns, DNS anomaly detection, data exfiltration monitoring, SSL inspection, and protocol-level analysis.

C2 · DNS · Exfiltration

Threat Intelligence

IOC database with bloom filter for O(1) lookups. STIX/TAXII feed support, URL reputation engine, and LRU-cached reputation queries.

STIX · IOC · Bloom filter

Anti-Evasion Engine

Sandbox detection, debugger evasion analysis, VM fingerprinting, packer identification, and metamorphic/polymorphic code analysis.

Sandbox · Anti-debug · Packer

Self-Protection

ObRegisterCallbacks for handle blocking, anti-unload mechanisms, callback protection, and driver integrity monitoring.

ObCallbacks · Anti-tamper

Ransomware Detection

Honeypot file monitoring, shadow copy protection, backup integrity, entropy analysis for mass encryption detection.

Honeypot · VSS · Entropy
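The ransomware card above names two heuristics, honeypot file monitoring and entropy analysis for mass encryption. The sketch below is an added illustration, not ShadowStrike Phantom code: it runs both checks over constructed file-write events (the decoy path, thresholds and event format are assumptions) so a reader can see why entropy alone is not enough and why a minimum write size matters.

```python
# Added illustration, not ShadowStrike Phantom code: user-space sketch of the
# honeypot + entropy heuristics, applied to constructed (pid, path, bytes) events.
import math
import random
from collections import defaultdict

HONEYPOT_PATHS = {r"C:\Users\alice\Documents\~decoy.docx"}  # assumed decoy file
HIGH_ENTROPY = 7.2      # bits/byte; ciphertext and packed data approach 8.0
MIN_WRITE = 256         # entropy saturates at log2(len), so tiny writes are ignored
DISTINCT_FILES = 3      # high-entropy rewrites of this many files => mass-encryption alert

def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte; 0.0 for empty input."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)

def scan_writes(events):
    """events: iterable of (pid, path, payload). Returns a list of alert strings."""
    alerts = []
    seen = defaultdict(set)  # pid -> paths it has overwritten with high-entropy data
    for pid, path, payload in events:
        if path in HONEYPOT_PATHS:  # any write to a decoy is suspicious on its own
            alerts.append(f"pid {pid}: honeypot file touched: {path}")
        if len(payload) >= MIN_WRITE and shannon_entropy(payload) >= HIGH_ENTROPY:
            seen[pid].add(path)
            if len(seen[pid]) == DISTINCT_FILES:  # fire once, when the threshold is crossed
                alerts.append(f"pid {pid}: mass high-entropy writes ({DISTINCT_FILES} files)")
    return alerts

def run_sample():
    """Constructed sample: pid 4242 rewrites three documents with pseudo-random
    bytes and then the decoy; pid 1000 writes ordinary text; pid 7 writes a tiny blob."""
    rng = random.Random(7)
    noise = lambda: bytes(rng.getrandbits(8) for _ in range(4096))
    text = b"Quarterly report: revenue flat, costs down.\n" * 50
    events = [
        (4242, r"C:\Users\alice\Documents\a.docx", noise()),
        (1000, r"C:\Users\alice\Documents\notes.txt", text),
        (4242, r"C:\Users\alice\Documents\b.xlsx", noise()),
        (4242, r"C:\Users\alice\Documents\c.pdf", noise()),
        (7, r"C:\Temp\cookie.bin", bytes(range(32))),  # high ratio, but too small to count
        (4242, r"C:\Users\alice\Documents\~decoy.docx", noise()),
    ]
    return scan_writes(events)

if __name__ == "__main__":
    for line in run_sample():
        print(line)
```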
Architecture

Four layers, zero blind spots.

PhantomSensor spans from UEFI firmware through the Windows kernel into user-space services. Each layer feeds telemetry upward; decisions propagate downward.

USER SPACE
Phantom Home: Consumer tier
Phantom EDR: Enterprise tier
Phantom XDR: Extended detection
Threat Intel: IOC / STIX / TAXII

SERVICE LAYER
Service Manager: Windows service
Scan Engine: YARA + signatures
Behavioral Engine: Heuristics + ML
Communication Port: FilterConnectPort

KERNEL SPACE
PhantomSensor.sys: Minifilter driver
ELAM Driver: Boot-time protection
SyscallMonitor: Direct syscall / NG
MemoryMonitor: VAD / injection
NetworkFilter: C2 / exfil
SelfProtect: Anti-tamper

HARDWARE / FIRMWARE
Secure Boot: UEFI chain
TPM: Attestation
Firmware Integrity: Monitor
Threat Coverage

MITRE ATT&CK

Known techniques, mapped & tracked. Phantom's kernel driver has T-ID constants for all 403 MITRE ATT&CK techniques across 14 tactics.

Detection grid by tactic.

Highlighted techniques have an active BehaviorEngine rule. The rest have the T-ID defined and ready to be wired up.

403+ T-IDs defined across 14 ATT&CK tactics in kernel header
14 rules active · 18 pending
TA0001 Initial Access: Removable Media · Phishing · Exploit Public App · Supply Chain
TA0002 Execution: Command & Scripting · Native API · Scheduled Task · User Execution
TA0003 Persistence: Boot Autostart · Create/Modify Service · Event Trigger · Hijack Exec Flow
TA0004 Privilege Escalation: Process Injection · Access Token · Abuse Elevation · Exploit Privilege
TA0005 Defense Evasion: Masquerading · Impair Defenses · Process Injection · Obfuscation
TA0006 Credential Access: OS Cred Dumping · Input Capture · Kerberos Tickets · Unsecured Creds
TA0007 Discovery: System Info · File Discovery · Process Discovery · Network Config
TA0011 Command & Control: App Layer Protocol · Non-Std Protocol · Encrypted Channel · Dynamic Resolution
Open Source

Kernel access should be earned through trust.

Every endpoint protection platform runs with the highest privilege on your system. We believe that privilege demands transparency — so we publish everything.

Fully Transparent

Every kernel callback, every detection rule, every heuristic — all source code is publicly auditable on GitHub. No hidden agents, no undisclosed telemetry.

No Black Boxes

Commercial endpoint products run kernel-level code you cannot inspect. Phantom is the alternative: full visibility into what runs with ring-0 access on your machine.

Educational by Design

The codebase is structured to be read. Detailed comments, architectural documentation, and research posts explain how real detection works at each layer.

Community-Driven

Built in public from day one. Security researchers, kernel developers, and detection engineers collaborate openly — no gatekeeping, no NDAs.

Follow the development journey

5 commits daily. Every module built in public. Watch the kernel driver come to life.