Roadmap

The path to Phantom XDR.

A transparent, public roadmap. Each phase must be complete, tested, and stable before the next begins. No skipping steps, no shipping broken foundations.

ActiveIn Progress · 2025 – 2026

Phase 1

Kernel Driver Restoration & Compilation

42%

11/26 done

All kernel modules exist as written code, but the codebase is in early-draft state. Phase 1 is module-by-module restoration: cleaning up each unit, resolving compilation errors, eliminating kernel-mode security vulnerabilities (pool overflows, use-after-free, null dereferences), and getting the driver to a clean, loadable, Verifier-clean state. Roughly half complete.

Minifilter core — DriverEntry, FLT_REGISTRATION restored & reviewed

File system callbacks — Pre/PostCreate, PreWrite, PreSetInfo restored

Process / Thread / Image notify callbacks — restored & reviewed

Object callbacks (ObRegisterCallbacks) — ProcessProtection, ThreadProtection restored

Registry callback (CmRegisterCallbackEx) — restored

ELAM driver — boot policy, BootDriverVerify restored

Syscall monitor — DirectSyscallDetector, HeavensGate, NtdllIntegrity restored

Memory monitor — VadTracker, InjectionDetector, ShellcodeDetector, ROPDetector restored

Behavioral Engine — RuleEngine, MITREMapper, ThreatScoring restored

Self-protection — AntiUnload, IntegrityMonitor, AntiDebug, FirmwareIntegrity restored

Network kernel filter — C2Detection, DnsMonitor, SSLInspection restored

ETW infrastructure — provider / consumer / manifest restored

Communication layer — CommPort, MessageQueue, ScanBridge, TelemetryBuffer restored

ALPC port monitor — restored

KTM / Transactional NTFS monitor — restored

Performance subsystem — LookasideLists, BatchProcessing, ResourceThrottling restored

Sync primitives — kernel ThreadPool, DPC helpers, TimerManager restored

Scan cache & exclusion manager — restored

Filter contexts (InstanceContext, StreamContext) — restored

Kernel-wide security audit — eliminate memory safety violations

Full kernel compilation — zero errors, zero warnings

Driver Verifier — clean pass (pool tracking, IRQL, deadlock detection)

Driver signing + WDK test environment

FilterConnectPort handshake — kernel ↔ user-mode communication test

Callback firing integration tests (automated)

Load / unload / power-cycle stress testing

ParallelIn Progress · 2025 – 2026

Phase 2

User-Space Detection Engines

26%

6/23 done

Core detection infrastructure modules are fully written and working. The data store layer (ThreatIntel, SignatureStore, HashStore, PatternStore) and full Utils library are complete. The remaining work is restoration and integration of the detection engines and the Windows service layer.

ThreatIntel pipeline — B+tree index, bloom filter, STIX/TAXII ingestion, IOC management

SignatureStore — B+tree, YARA rule store, COW updates, batch importer

HashStore — bloom filter, memory-mapped DB, NSRL/VT import/export

PatternStore — Aho-Corasick, Boyer-Moore, SSE4.2/AVX2 SIMD matching

Utils library — CryptoUtils (AES/RSA/ECDSA), NetworkUtils, ThreadPool, Logger

Utils library — PE signature verification, RegistryUtils, ProcessUtils, CertUtils

PEParser — PE32/PE32+ safe parser, import/export table analysis

FuzzyHasher — custom approximate hash engine, DigestComparer, RollingHash

Whitelist store — BloomFilter-backed allowlist, WhiteListStore

Anti-evasion engine — VM, debugger, sandbox, packer, environment detection (x64 ASM)

Core scan engine — parallel pipeline, YARA, ML inference, heuristics, emulation

Process analysis engine — injection, hollowing, reflective DLL, atom bombing

Exploit protection — ROP, JIT spray, stack pivot, kernel exploit detection

Ransomware protection — honeypot, shadow copy guard, entropy analysis

Real-time protection coordinator — BehaviorBlocker, FileIntegrityMonitor, ZeroHour

Script engine scanner — AMSI integration, PowerShell, JS, macro detection

IPC & alert system — FilterConnection (user-mode), IPCManager, AlertSystem

Windows service — SCM lifecycle, ServiceInstaller, ServiceMonitor

Update system — SignatureUpdater, DeltaUpdater, UpdateVerifier, RollbackManager

Security infrastructure — SelfDefense, TamperProtection, DigitalSignatureValidator

Full user-space compilation — zero errors

End-to-end integration: kernel event → IPC → scan engine → verdict → action

Automated integration test suite

Up NextPlanned · 2026 – 2027

Phase 3

Phantom Home & Phantom EDR — Product Split

The shared engine is mature enough to split into two distinct products. This phase defines the repository strategy (monorepo vs. multirepo), extracts the shared core into a common library, and builds product-specific layers on top. Phantom Home targets consumers; Phantom EDR targets enterprise endpoints. Both ship their own agent, UI, and update pipeline.

Monorepo vs. multirepo decision — repository strategy finalized

Shared core extraction — common engine packaged as internal library

Product build matrix — separate CMake targets for Home and EDR

Forensics module — MemoryDumper, ArtifactExtractor, TimelineAnalyzer, NetworkCapture

Phantom Home — consumer agent, system tray UI, notification center

Phantom Home — home-specific module integration (consumer feature set)

Phantom EDR — enterprise agent, local alert queue, policy engine

Phantom EDR — alert management console, MITRE ATT&CK view, drill-down

Phantom EDR — threat hunting query interface, process tree, IOC correlation

Signed auto-update pipeline — delta updates, rollback, staged delivery (both products)

Telemetry export — structured JSON/CEF event stream (EDR)

Performance profiling — CPU / memory impact under real workloads

Security review — pen test of agents and communication channels

Documentation — deployment guides, detection rule authoring, API reference

Phantom Home public beta

Phantom EDR public beta

FuturePlanned · 2027 – 2028

Phase 4

Phantom XDR

Extend detection and response beyond the endpoint — cloud telemetry correlation, identity signals, network gateway integration, and SIEM connectivity. Phantom XDR correlates signals across multiple data sources into unified attack stories.

XDR telemetry correlation engine — cross-source alert stitching

Cloud data pipeline — ingest endpoint telemetry at scale

Identity & access anomaly detection — lateral movement, privilege abuse

Network gateway integration — DNS, proxy, firewall log ingestion

Email gateway threat integration (header + attachment signals)

SIEM connectors — Elastic SIEM, Splunk, Microsoft Sentinel, OpenSearch

Automated response playbooks — SOAR-style orchestration

Threat intelligence platform (TIP) integration — MISP, OpenCTI

Attack graph visualization — kill-chain reconstruction across sources

Multi-tenant management plane — per-organization isolation

Phantom XDR v1.0 production release

Phases 1 and 2 are running in parallel. Kernel restoration and user-space data stores are both active.

View on GitHub Join Beta