ShadowStrikePhantom
Roadmap

The path to Phantom XDR.

A transparent, public roadmap. Each phase must be complete, tested, and stable before the next begins. No skipping steps, no shipping broken foundations.

Active · In Progress · 2025 – 2026
Phase 1

Kernel Driver Restoration & Compilation

42%
11/26 done

All kernel modules exist as written code, but the codebase is in early-draft state. Phase 1 is module-by-module restoration: cleaning up each unit, resolving compilation errors, eliminating kernel-mode memory-safety vulnerabilities (pool overflows, use-after-free, null dereferences), and getting the driver to a loadable state that passes Driver Verifier cleanly. Eleven of the 26 items below are done.

Minifilter core — DriverEntry, FLT_REGISTRATION restored & reviewed
File system callbacks — Pre/PostCreate, PreWrite, PreSetInfo restored
Process / Thread / Image notify callbacks — restored & reviewed
Object callbacks (ObRegisterCallbacks) — ProcessProtection, ThreadProtection restored
Registry callback (CmRegisterCallbackEx) — restored
ELAM driver — boot policy, BootDriverVerify restored
Syscall monitor — DirectSyscallDetector, HeavensGate, NtdllIntegrity restored
Memory monitor — VadTracker, InjectionDetector, ShellcodeDetector, ROPDetector restored
Behavioral Engine — RuleEngine, MITREMapper, ThreatScoring restored
Self-protection — AntiUnload, IntegrityMonitor, AntiDebug, FirmwareIntegrity restored
Network kernel filter — C2Detection, DnsMonitor, SSLInspection restored
ETW infrastructure — provider / consumer / manifest restored
Communication layer — CommPort, MessageQueue, ScanBridge, TelemetryBuffer restored
ALPC port monitor — restored
KTM / Transactional NTFS monitor — restored
Performance subsystem — LookasideLists, BatchProcessing, ResourceThrottling restored
Sync primitives — kernel ThreadPool, DPC helpers, TimerManager restored
Scan cache & exclusion manager — restored
Filter contexts (InstanceContext, StreamContext) — restored
Kernel-wide security audit — eliminate memory safety violations
Full kernel compilation — zero errors, zero warnings
Driver Verifier — clean pass (pool tracking, IRQL, deadlock detection)
Driver signing + WDK test environment
FilterConnectPort handshake — kernel ↔ user-mode communication test
Callback firing integration tests (automated)
Load / unload / power-cycle stress testing
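The memory-safety audit and the FilterConnectPort handshake meet in one place: the handler that receives a user-mode message in the kernel. The following is an added example, not ShadowStrikePhantom code, showing the length-check bug class behind many pool overflows beside its hardened form. It models the InputBuffer / InputBufferLength pair that a minifilter's message-notify callback receives, in portable C so it compiles without the WDK; the message layout, the size limits, the canary trick and all function names are assumptions for illustration.

```c
/* Added example, not ShadowStrikePhantom code: the length-check bug behind
 * many kernel pool overflows, modelled in portable C (no WDK needed).
 * Message layout, limits and names are assumptions for illustration. */
#include <stddef.h>
#include <stdint.h>
#include <string.h>
#include <stdio.h>

#define MAX_PAYLOAD 64u   /* assumed: fixed receive buffer carved from the pool */
#define CANARY_LEN  64u   /* bytes after the buffer so an overflow is observable */

typedef struct { uint32_t command; uint32_t payload_len; } msg_header_t;
typedef struct { msg_header_t hdr; uint8_t payload[MAX_PAYLOAD]; } recv_buffer_t;
/* Receive buffer plus canary: the demo's stand-in for adjacent pool memory. */
typedef struct { recv_buffer_t rb; uint8_t canary[CANARY_LEN]; } guarded_t;

enum { MSG_OK = 0, MSG_ERR_SHORT, MSG_ERR_TOO_LARGE, MSG_ERR_MISMATCH };

static void guarded_init(guarded_t *g) {
    memset(g, 0, sizeof *g);
    memset(g->canary, 0xAA, sizeof g->canary);
}

/* Returns 1 if any canary byte was overwritten (an overflow happened). */
int guarded_canary_tampered(const guarded_t *g) {
    for (size_t i = 0; i < CANARY_LEN; i++)
        if (g->canary[i] != 0xAA) return 1;
    return 0;
}

/* VULNERABLE: copies hdr.payload_len bytes, a value chosen by user mode, with
 * no comparison against in_len (what was delivered) or MAX_PAYLOAD (the
 * destination). In a driver this is a pool overflow; here it hits the canary.
 * The write goes through the enclosing object's byte view so the demo itself
 * stays within defined behaviour. */
int handle_message_vulnerable(guarded_t *g, const uint8_t *in, size_t in_len) {
    msg_header_t hdr;
    if (in_len < sizeof hdr) return MSG_ERR_SHORT;
    memcpy(&hdr, in, sizeof hdr);
    g->rb.hdr = hdr;
    uint8_t *dst = (uint8_t *)g + offsetof(guarded_t, rb)
                               + offsetof(recv_buffer_t, payload);
    memcpy(dst, in + sizeof hdr, hdr.payload_len);   /* BUG: unbounded length */
    return MSG_OK;
}

/* HARDENED: reject before copying. The declared length must fit the
 * destination and must equal what was actually delivered; in_len - sizeof hdr
 * cannot underflow because the short-message check runs first. */
int handle_message_hardened(guarded_t *g, const uint8_t *in, size_t in_len) {
    msg_header_t hdr;
    if (in == NULL || in_len < sizeof hdr) return MSG_ERR_SHORT;
    memcpy(&hdr, in, sizeof hdr);
    if (hdr.payload_len > MAX_PAYLOAD) return MSG_ERR_TOO_LARGE;
    if (hdr.payload_len != in_len - sizeof hdr) return MSG_ERR_MISMATCH;
    g->rb.hdr = hdr;
    memcpy(g->rb.payload, in + sizeof hdr, hdr.payload_len);
    return MSG_OK;
}

/* Builds a constructed test message: a header carrying a *declared* payload
 * length, followed by `actual` bytes of 'A'. Returns the bytes really present. */
size_t build_message(uint8_t *out, size_t cap, uint32_t declared, size_t actual) {
    msg_header_t hdr = { 1u, declared };
    if (cap < sizeof hdr + actual) return 0;
    memcpy(out, &hdr, sizeof hdr);
    memset(out + sizeof hdr, 'A', actual);
    return sizeof hdr + actual;
}

/* Attack: 12 bytes delivered, 100 declared. Returns 1 if the vulnerable
 * handler overwrote the canary. The source array is deliberately larger than
 * the delivered length so the handler's over-read also stays in bounds here. */
int demo_vulnerable_overflows(void) {
    uint8_t msg[256] = {0};
    guarded_t g; guarded_init(&g);
    size_t n = build_message(msg, sizeof msg, 100u, 4);
    handle_message_vulnerable(&g, msg, n);
    return guarded_canary_tampered(&g);
}

/* Runs the hardened handler on a constructed message. Returns its verdict,
 * -1 if the canary was damaged, -2 if an accepted payload was not copied. */
int demo_hardened(uint32_t declared, size_t actual) {
    uint8_t msg[256] = {0};
    guarded_t g; guarded_init(&g);
    size_t n = build_message(msg, sizeof msg, declared, actual);
    int rc = handle_message_hardened(&g, msg, n);
    if (guarded_canary_tampered(&g)) return -1;
    if (rc == MSG_OK && (actual == 0 || g.rb.payload[actual - 1] != 'A')) return -2;
    return rc;
}

int main(void) {
    printf("vulnerable handler overflowed: %d\n", demo_vulnerable_overflows());
    printf("hardened verdicts: too-large=%d mismatch=%d ok=%d\n",
           demo_hardened(100u, 4), demo_hardened(32u, 8), demo_hardened(16u, 16));
    return 0;
}
```

In the real callback the input buffer arrives from user mode, so the same checks run under __try/__except after probing, and any pool allocation sized from a client-declared length uses overflow-checked arithmetic rather than a bare addition. Driver Verifier's special pool reports an overrun like the vulnerable path's at the instant it happens, which is why the checklist pairs the memory-safety audit with the Verifier pass rather than relying on code review alone.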
Parallel · In Progress · 2025 – 2026
Phase 2

User-Space Detection Engines

26%
6/23 done

Core detection infrastructure modules are fully written and working. The data store layer (ThreatIntel, SignatureStore, HashStore, PatternStore) and full Utils library are complete. The remaining work is restoration and integration of the detection engines and the Windows service layer.

ThreatIntel pipeline — B+tree index, bloom filter, STIX/TAXII ingestion, IOC management
SignatureStore — B+tree, YARA rule store, COW updates, batch importer
HashStore — bloom filter, memory-mapped DB, NSRL/VT import/export
PatternStore — Aho-Corasick, Boyer-Moore, SSE4.2/AVX2 SIMD matching
Utils library — CryptoUtils (AES/RSA/ECDSA), NetworkUtils, ThreadPool, Logger
Utils library — PE signature verification, RegistryUtils, ProcessUtils, CertUtils
PEParser — PE32/PE32+ safe parser, import/export table analysis
FuzzyHasher — custom approximate hash engine, DigestComparer, RollingHash
Whitelist store — BloomFilter-backed allowlist, WhiteListStore
Anti-evasion engine — VM, debugger, sandbox, packer, environment detection (x64 ASM)
Core scan engine — parallel pipeline, YARA, ML inference, heuristics, emulation
Process analysis engine — injection, hollowing, reflective DLL, atom bombing
Exploit protection — ROP, JIT spray, stack pivot, kernel exploit detection
Ransomware protection — honeypot, shadow copy guard, entropy analysis
Real-time protection coordinator — BehaviorBlocker, FileIntegrityMonitor, ZeroHour
Script engine scanner — AMSI integration, PowerShell, JS, macro detection
IPC & alert system — FilterConnection (user-mode), IPCManager, AlertSystem
Windows service — SCM lifecycle, ServiceInstaller, ServiceMonitor
Update system — SignatureUpdater, DeltaUpdater, UpdateVerifier, RollbackManager
Security infrastructure — SelfDefense, TamperProtection, DigitalSignatureValidator
Full user-space compilation — zero errors
End-to-end integration: kernel event → IPC → scan engine → verdict → action
Automated integration test suite
Up Next · Planned · 2026 – 2027
Phase 3

Phantom Home & Phantom EDR — Product Split

The shared engine is mature enough to split into two distinct products. This phase defines the repository strategy (monorepo vs. multirepo), extracts the shared core into a common library, and builds product-specific layers on top. Phantom Home targets consumers; Phantom EDR targets enterprise endpoints. Both ship their own agent, UI, and update pipeline.

Monorepo vs. multirepo decision — repository strategy finalized
Shared core extraction — common engine packaged as internal library
Product build matrix — separate CMake targets for Home and EDR
Forensics module — MemoryDumper, ArtifactExtractor, TimelineAnalyzer, NetworkCapture
Phantom Home — consumer agent, system tray UI, notification center
Phantom Home — home-specific module integration (consumer feature set)
Phantom EDR — enterprise agent, local alert queue, policy engine
Phantom EDR — alert management console, MITRE ATT&CK view, drill-down
Phantom EDR — threat hunting query interface, process tree, IOC correlation
Signed auto-update pipeline — delta updates, rollback, staged delivery (both products)
Telemetry export — structured JSON/CEF event stream (EDR)
Performance profiling — CPU / memory impact under real workloads
Security review — pen test of agents and communication channels
Documentation — deployment guides, detection rule authoring, API reference
Phantom Home public beta
Phantom EDR public beta
Future · Planned · 2027 – 2028
Phase 4

Phantom XDR

Extend detection and response beyond the endpoint — cloud telemetry correlation, identity signals, network gateway integration, and SIEM connectivity. Phantom XDR correlates signals across multiple data sources into unified attack stories.

XDR telemetry correlation engine — cross-source alert stitching
Cloud data pipeline — ingest endpoint telemetry at scale
Identity & access anomaly detection — lateral movement, privilege abuse
Network gateway integration — DNS, proxy, firewall log ingestion
Email gateway threat integration (header + attachment signals)
SIEM connectors — Elastic SIEM, Splunk, Microsoft Sentinel, OpenSearch
Automated response playbooks — SOAR-style orchestration
Threat intelligence platform (TIP) integration — MISP, OpenCTI
Attack graph visualization — kill-chain reconstruction across sources
Multi-tenant management plane — per-organization isolation
Phantom XDR v1.0 production release

Phases 1 and 2 are running in parallel. Kernel restoration and user-space data stores are both active.