ShadowStrike Phantom
Alpha · Active Development
AI-Enhanced Detection · Planned

Endpoint protection built in the open.

ShadowStrike Phantom is an open-source endpoint protection platform for Windows. Kernel-level telemetry, behavioral analysis, threat intelligence, and AI-assisted scoring — built to handle sophisticated attacks. Every component auditable, no black boxes.

1.5M+ · Lines of Code
C/C++/ASM · Core Language
5/day · Commits
Early 2027 · Beta Target
Phantom Sensor — kernel event stream
Phantom Sensor v0.9.0-alpha · Windows 11 x64 · Kernel 10.0.26100
Detection Capabilities

Everything an endpoint protection platform demands.

Phantom Sensor operates at every layer of the Windows security model — from kernel callbacks to user-space behavioral analysis. No telemetry gaps between detection stages.

Kernel-Level Monitoring

Minifilter driver hooks file system I/O at altitude 385210. Full read/write/create/delete interception, pre- and post-operation callbacks.

WDK · Minifilter · ELAM

Behavioral Analysis

Attack chain tracker correlates kernel events across process trees. MITRE ATT&CK mapping with real-time threat scoring.

ATT&CK · Heuristics · Scoring

Memory Inspection

VAD tree traversal, shellcode pattern detection, process hollowing and injection recognition, heap spray analysis, ROP chain tracing.

VAD · PE injection · ROP

Syscall Tracing

Direct syscall detection, Heaven's Gate (WoW64) transition monitoring, NTDLL integrity verification, and call stack origin analysis.

Direct syscall · Heaven's Gate · NTDLL

Network Detection

C2 communication patterns, DNS anomaly detection, data exfiltration monitoring, SSL inspection, and protocol-level analysis.

C2 · DNS · Exfiltration

Threat Intelligence

IOC database with bloom filter for O(1) lookups. STIX/TAXII feed support, URL reputation engine, and LRU-cached reputation queries.

STIX · IOC · Bloom filter
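To make the "bloom filter for O(1) lookups" concrete, the following is an added example written for this page, not Phantom's own code. It shows the two-stage pattern such a filter enables: a fixed number of hash probes (independent of database size) answers "definitely not an IOC" without touching the store, and only a possible hit falls through to the exact database. The bit-array size, hash count, FNV-1a seeding and the sample IOC values are all constructed for illustration; a Bloom filter can return false positives but never false negatives, which is why the exact lookup remains authoritative.

```cpp
// Added example (not ShadowStrike Phantom code): a Bloom filter front-end for
// IOC lookups. Filter size, hash count, seeds and sample IOCs are constructed.
#include <cmath>
#include <cstddef>
#include <cstdint>
#include <cstdio>
#include <set>
#include <string>
#include <vector>

class IocBloom {
public:
    IocBloom(std::size_t bits, unsigned hashes) : bits_(bits, false), k_(hashes) {}

    void insert(const std::string& ioc) {
        for (unsigned i = 0; i < k_; ++i) bits_[index(ioc, i)] = true;
    }
    // false => definitely not an IOC (skip the database entirely)
    // true  => possibly an IOC; must be confirmed against the exact store
    bool mayContain(const std::string& ioc) const {
        for (unsigned i = 0; i < k_; ++i)
            if (!bits_[index(ioc, i)]) return false;
        return true;
    }
    // Standard estimate (1 - e^(-kn/m))^k for n inserted items.
    double estimatedFalsePositiveRate(std::size_t n) const {
        double exponent = -static_cast<double>(k_) * static_cast<double>(n) /
                          static_cast<double>(bits_.size());
        return std::pow(1.0 - std::exp(exponent), static_cast<double>(k_));
    }

private:
    // 64-bit FNV-1a; the per-probe seed is folded into the offset basis so the
    // k probes behave as k distinct hash functions.
    static std::uint64_t fnv1a(const std::string& s, std::uint64_t seed) {
        std::uint64_t h = 14695981039346656037ULL ^ seed;
        for (unsigned char c : s) { h ^= c; h *= 1099511628211ULL; }
        return h;
    }
    std::size_t index(const std::string& s, unsigned i) const {
        return static_cast<std::size_t>(
            fnv1a(s, 0x9E3779B97F4A7C15ULL * (i + 1)) % bits_.size());
    }
    std::vector<bool> bits_;
    unsigned k_;
};

// Two-stage lookup: Bloom filter first, exact set only on a possible hit.
struct IocStore {
    IocBloom bloom;
    std::set<std::string> exact;   // stands in for the authoritative IOC database
    unsigned exactLookups = 0;     // how often the slow path actually ran

    IocStore(std::size_t bits, unsigned k) : bloom(bits, k) {}
    void add(const std::string& ioc) { bloom.insert(ioc); exact.insert(ioc); }
    bool isKnownBad(const std::string& ioc) {
        if (!bloom.mayContain(ioc)) return false;   // fast negative
        ++exactLookups;
        return exact.count(ioc) != 0;               // confirm or reject a possible hit
    }
};

int main() {
    IocStore store(1 << 16, 4);
    // Constructed sample IOCs (placeholders, not real indicators).
    store.add("c2.example.invalid");
    store.add("sha256:PLACEHOLDER-HASH-0001");
    std::printf("c2.example.invalid known bad: %d\n", store.isKnownBad("c2.example.invalid"));
    std::printf("updates.example.invalid known bad: %d\n", store.isKnownBad("updates.example.invalid"));
    std::printf("exact lookups performed: %u\n", store.exactLookups);
    std::printf("estimated FP rate at 2 items: %.3g\n", store.bloom.estimatedFalsePositiveRate(2));
    return 0;
}
```

The design point a defender cares about is the asymmetry: a miss in the filter is a guaranteed miss in the database, so the common case (a benign hash or domain) costs k hashes and no I/O, while the rare possible hit pays for one exact lookup. Size the bit array for the expected IOC count so the estimated false-positive rate stays low; otherwise the slow path runs more often than the filter saves.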

Anti-Evasion Engine

Sandbox detection, debugger evasion analysis, VM fingerprinting, packer identification, and metamorphic/polymorphic code analysis.

Sandbox · Anti-debug · Packer

Self-Protection

ObRegisterCallbacks for handle blocking, anti-unload mechanisms, callback protection, and driver integrity monitoring.

ObCallbacks · Anti-tamper

Ransomware Detection

Honeypot file monitoring, shadow copy protection, backup integrity, entropy analysis for mass encryption detection.

Honeypot · VSS · Entropy
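The "entropy analysis for mass encryption detection" line is the most concrete technique in this list, so here is an added example illustrating it; it is not Phantom's code. Shannon entropy of a write buffer separates plaintext (a few bits per byte) from ciphertext (close to 8 bits per byte), and a per-process counter turns individual high-entropy writes into a mass-encryption verdict. The entropy cutoff, the write-count threshold and the ProcWriteStats tracker are assumptions chosen for illustration, and the sample buffers are constructed.

```cpp
// Added example (not ShadowStrike Phantom code): Shannon entropy scoring of
// write buffers plus a per-process counter that flags mass encryption.
// Thresholds and the ProcWriteStats tracker are assumptions for illustration.
#include <array>
#include <cmath>
#include <cstddef>
#include <cstdint>
#include <cstdio>
#include <string>
#include <vector>

constexpr double kEntropyThreshold = 7.0;    // bits/byte; ciphertext sits near 8.0 (assumed cutoff)
constexpr unsigned kMassWriteThreshold = 5;  // high-entropy writes before a process is flagged (assumed)

// Shannon entropy in bits per byte; 0.0 for an empty buffer.
double shannonEntropy(const std::uint8_t* buf, std::size_t len) {
    if (len == 0) return 0.0;
    std::array<std::size_t, 256> counts{};
    for (std::size_t i = 0; i < len; ++i) ++counts[buf[i]];
    double h = 0.0;
    for (std::size_t c : counts) {
        if (c == 0) continue;
        double p = static_cast<double>(c) / static_cast<double>(len);
        h -= p * std::log2(p);
    }
    return h;
}

// Per-process state a sensor would carry between post-write callbacks.
struct ProcWriteStats {
    std::uint32_t pid = 0;
    unsigned highEntropyWrites = 0;
    bool flagged = false;
};

// Feed one completed write; returns true exactly once, when the process
// crosses the mass-encryption threshold.
bool observeWrite(ProcWriteStats& st, const std::uint8_t* data, std::size_t len) {
    if (shannonEntropy(data, len) >= kEntropyThreshold) ++st.highEntropyWrites;
    if (!st.flagged && st.highEntropyWrites >= kMassWriteThreshold) {
        st.flagged = true;
        return true;
    }
    return false;
}

// Constructed stand-in for ciphertext: every byte value appears equally often,
// which gives exactly 8.0 bits/byte.
std::vector<std::uint8_t> uniformBlock(std::size_t len) {
    std::vector<std::uint8_t> v(len);
    for (std::size_t i = 0; i < len; ++i) v[i] = static_cast<std::uint8_t>(i & 0xFF);
    return v;
}

int main() {
    const std::string text = "Quarterly report: revenue up 4%, headcount flat.";  // constructed
    auto cipherLike = uniformBlock(4096);
    ProcWriteStats st{4242};
    std::printf("text entropy   = %.2f\n",
                shannonEntropy(reinterpret_cast<const std::uint8_t*>(text.data()), text.size()));
    std::printf("cipher entropy = %.2f\n", shannonEntropy(cipherLike.data(), cipherLike.size()));
    for (int i = 0; i < 6; ++i)
        if (observeWrite(st, cipherLike.data(), cipherLike.size()))
            std::printf("pid %u flagged after %u high-entropy writes\n", st.pid, st.highEntropyWrites);
    return 0;
}
```

Entropy alone is a noisy signal: archivers, media encoders and legitimately encrypted stores all write high-entropy data, which is why the page pairs it with honeypot files and shadow-copy protection. In practice the counter would also be scoped to a time window and weighted by how many distinct files a process touched, not just how many writes it issued.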

AI-Powered Detection

ML model inference integrated into the scan pipeline. Multi-signal anomaly fusion, zero-day classification, and adaptive scoring to identify threats without prior signatures.

ML · Zero-Day · Anomaly

Architecture

Four layers, zero blind spots.

Phantom Sensor spans from UEFI firmware through the Windows kernel into user-space services. Each layer feeds telemetry upward; decisions propagate downward.

USER SPACE: Phantom Home (Consumer tier) · Phantom EDR (Enterprise tier) · Phantom XDR (Extended detection) · Threat Intel (IOC / STIX / TAXII)
SERVICE LAYER: Service Manager (Windows service) · Scan Engine (YARA + signatures) · Behavioral Engine (Heuristics + ML) · Communication Port (FilterConnectPort)
KERNEL SPACE: PhantomSensor.sys (Minifilter driver) · ELAM Driver (Boot-time protection) · SyscallMonitor (Direct syscall / NG) · MemoryMonitor (VAD / injection) · NetworkFilter (C2 / exfil) · SelfProtect (Anti-tamper)
HARDWARE / FIRMWARE: Secure Boot (UEFI chain) · TPM (Attestation) · Firmware Integrity (Monitor)

Threat Intelligence

Being engineered to intercept sophisticated cyber attacks in real time.

Modern adversaries operate at kernel depth, abuse legitimate system tooling, and maintain persistence for months before acting. Phantom correlates telemetry across every layer — so threats surface at the behavioral stage, not the damage stage.

Nation-State APTs

State-sponsored operators with custom implants and months-long dwell time. Kernel-level telemetry exposes lateral movement and C2 callbacks before exfiltration begins.

Ransomware-as-a-Service

Affiliate-model operators disable defenses and stage payloads using legitimate tooling. Entropy analysis, shadow copy protection, and behavioral correlation break the chain before encryption starts.

Living Off the Land

LOLBin abuse — certutil, mshta, regsvr32, WMIC — blends into legitimate activity. Behavioral scoring and syscall tracing expose malicious intent regardless of the binary.

Supply Chain Attacks

Trojanized updates, compromised build pipelines, and signed malware. PE signature validation, hash store verification, and ELAM boot-time scanning catch tampering at load.

Zero-Day Exploitation

Weaponized CVEs deployed before patches exist. ROP chain detection, heap spray analysis, and anomaly scoring identify exploit behavior independent of signatures.

Every detection maps to a MITRE ATT&CK technique ID — from initial access to impact.

Threat Coverage

MITRE ATT&CK

Every technique has a T-ID. Every T-ID has a rule slot. Phantom's kernel header maps all 550+ MITRE ATT&CK techniques across all 14 tactics — giving each detection a precise adversary attribution from the moment it fires.

Detection grid by tactic.

Highlighted techniques have an active BehaviorEngine rule firing in the kernel right now. The rest have a T-ID constant defined — awaiting rule authoring as each subsystem completes.

550+ T-IDs defined across 14 ATT&CK tactics in kernel header
14 rules active · 18 pending
TA0001 Initial Access: Removable Media · Phishing · Exploit Public App · Supply Chain
TA0002 Execution: Command & Scripting · Native API · Scheduled Task · User Execution
TA0003 Persistence: Boot Autostart · Create/Modify Service · Event Trigger · Hijack Exec Flow
TA0004 Privilege Escalation: Process Injection · Access Token · Abuse Elevation · Exploit Privilege
TA0005 Defense Evasion: Masquerading · Impair Defenses · Process Injection · Obfuscation
TA0006 Credential Access: OS Cred Dumping · Input Capture · Kerberos Tickets · Unsecured Creds
TA0007 Discovery: System Info · File Discovery · Process Discovery · Network Config
TA0011 Command & Control: App Layer Protocol · Non-Std Protocol · Encrypted Channel · Dynamic Resolution

Open Source

Kernel access should be earned through trust.

Every endpoint protection platform runs with the highest privilege on your system. We believe that privilege demands transparency — so we publish everything.

Fully Transparent

Every kernel callback, every detection rule, every heuristic — all source code is publicly auditable on GitHub. No hidden agents, no undisclosed telemetry.

No Black Boxes

Commercial endpoint products run kernel-level code you cannot inspect. Phantom is the alternative: full visibility into what runs with ring-0 access on your machine.

Educational by Design

The codebase is structured to be read. Detailed comments, architectural documentation, and research posts explain how real detection works at each layer.

Independently Maintained

Single-team ownership with a clear engineering roadmap. Every commit reviewed, every module tested, every release signed — no shortcuts, no committee delays.

Follow the development journey

5 commits daily. Every module built in public. Watch the kernel driver come to life.