ShadowStrikePhantom
Roadmap

The path to Phantom XDR.

A transparent, public roadmap. Each phase must be complete, tested, and stable before the next begins. No skipping steps, no shipping broken foundations.

Active · 97% Complete · 2025 – 2026
Phase 1

Kernel Driver Restoration & Compilation

97%
25/26 done

All kernel modules fully restored and compiled clean with zero errors and zero warnings — 380K lines of production kernel code. Coverity static analysis: 0.25 defects per KLoC. Driver Verifier passes cleanly across all test modes (pool tracking, IRQL enforcement, deadlock detection). FilterConnectPort handshake with user-mode confirmed. Callback integration tests and load/unload stress cycles passed. Driver signing is the sole remaining item — pending code-signing certificate acquisition.

Minifilter core — DriverEntry, FLT_REGISTRATION restored & reviewed
File system callbacks — Pre/PostCreate, PreWrite, PreSetInfo restored
Process / Thread / Image notify callbacks — restored & reviewed
Object callbacks (ObRegisterCallbacks) — ProcessProtection, ThreadProtection restored
Registry callback (CmRegisterCallbackEx) — restored
ELAM driver — boot policy, BootDriverVerify restored
Syscall monitor — DirectSyscallDetector, HeavensGate, NtdllIntegrity restored
Memory monitor — VadTracker, InjectionDetector, ShellcodeDetector, ROPDetector restored
Behavioral Engine — RuleEngine, MITREMapper, ThreatScoring restored
Self-protection — AntiUnload, IntegrityMonitor, AntiDebug, FirmwareIntegrity restored
Network kernel filter — C2Detection, DnsMonitor, SSLInspection restored
ETW infrastructure — provider / consumer / manifest restored
Communication layer — CommPort, MessageQueue, ScanBridge, TelemetryBuffer restored
ALPC port monitor — restored
KTM / Transactional NTFS monitor — restored
Performance subsystem — LookasideLists, BatchProcessing, ResourceThrottling restored
Sync primitives — kernel ThreadPool, DPC helpers, TimerManager restored
Scan cache & exclusion manager — restored
Filter contexts (InstanceContext, StreamContext) — restored
Kernel-wide security audit — eliminate memory safety violations
Full kernel compilation — zero errors, zero warnings
Driver Verifier — clean pass (pool tracking, IRQL, deadlock detection)
Driver signing — pending code-signing certificate
FilterConnectPort handshake — kernel ↔ user-mode communication test
Callback firing integration tests (automated)
Load / unload / power-cycle stress testing
Active · In Progress · 2025 – 2026
Phase 2

User-Space Detection Engines

76%
14/24 done

76% complete and now in the security audit phase, with 12 modules security-audited so far. The data store layer (ThreatIntel, SignatureStore, HashStore, PatternStore), the full Utils library, PEParser, FuzzyHasher, the whitelist store, the anti-evasion engine, ExploitPrevention, BehaviorBlocker, AccessControlManager, FileProtection, RegistryProtection, and SelfProtection are complete. The remaining work covers the core scan engines, the Windows service layer, and end-to-end integration.

ThreatIntel pipeline — B+tree index, bloom filter, STIX/TAXII ingestion, IOC management
SignatureStore — B+tree, YARA rule store, COW updates, batch importer
HashStore — bloom filter, memory-mapped DB, NSRL/VT import/export
PatternStore — Aho-Corasick, Boyer-Moore, SSE4.2/AVX2 SIMD matching
Utils library — CryptoUtils (AES/RSA/ECDSA), NetworkUtils, ThreadPool, Logger
Utils library — PE signature verification, RegistryUtils, ProcessUtils, CertUtils
PEParser — PE32/PE32+ safe parser, import/export table analysis
FuzzyHasher — custom approximate hash engine, DigestComparer, RollingHash
Whitelist store — BloomFilter-backed allowlist, WhiteListStore
Anti-evasion engine — VM, debugger, sandbox, packer, environment detection (x64 ASM)
Core scan engine — parallel pipeline, YARA, ML inference, heuristics, emulation
Process analysis engine — injection, hollowing, reflective DLL, atom bombing
Exploit protection — ROP, JIT spray, stack pivot, kernel exploit detection
Ransomware protection — honeypot, shadow copy guard, entropy analysis
Real-time protection coordinator — BehaviorBlocker, FileIntegrityMonitor, ZeroHour
Script engine scanner — AMSI integration, PowerShell, JS, macro detection
IPC & alert system — FilterConnection (user-mode), IPCManager, AlertSystem
Windows service — SCM lifecycle, ServiceInstaller, ServiceMonitor
Update system — SignatureUpdater, DeltaUpdater, UpdateVerifier, RollbackManager
Security infrastructure — SelfDefense, TamperProtection, DigitalSignatureValidator
Full user-space compilation — zero errors
End-to-end integration: kernel event → IPC → scan engine → verdict → action
Automated integration test suite
AI/ML local inference pipeline — on-device threat classification
Up Next · Planned · 2026 – 2027
Phase 3

Phantom Home & Phantom EDR — Product Split

The shared engine is mature enough to split into two distinct products. This phase defines the repository strategy (monorepo vs. multirepo), extracts the shared core into a common library, and builds product-specific layers on top. Phantom Home targets consumers; Phantom EDR targets enterprise endpoints. Both ship their own agent, UI, and update pipeline.

Monorepo vs. multirepo decision — repository strategy finalized
Shared core extraction — common engine packaged as internal library
Product build matrix — separate CMake targets for Home and EDR
Forensics module — MemoryDumper, ArtifactExtractor, TimelineAnalyzer, NetworkCapture
Phantom Home — consumer agent, system tray UI, notification center
Phantom Home — home-specific module integration (consumer feature set)
Phantom EDR — enterprise agent, local alert queue, policy engine
Phantom EDR — alert management console, MITRE ATT&CK view, drill-down
Phantom EDR — threat hunting query interface, process tree, IOC correlation
Signed auto-update pipeline — delta updates, rollback, staged delivery (both products)
Telemetry export — structured JSON/CEF event stream (EDR)
Performance profiling — CPU / memory impact under real workloads
Security review — pen test of agents and communication channels
Documentation — deployment guides, detection rule authoring, API reference
Phantom Home public beta
Phantom EDR public beta
Future · Planned · 2027 – 2028
Phase 4

Phantom XDR

Extend detection and response beyond the endpoint — cloud telemetry correlation, identity signals, network gateway integration, and SIEM connectivity. Phantom XDR correlates signals across multiple data sources into unified attack stories.

XDR telemetry correlation engine — cross-source alert stitching
Cloud data pipeline — ingest endpoint telemetry at scale
Identity & access anomaly detection — lateral movement, privilege abuse
Network gateway integration — DNS, proxy, firewall log ingestion
Email gateway threat integration (header + attachment signals)
SIEM connectors — Elastic SIEM, Splunk, Microsoft Sentinel, OpenSearch
Automated response playbooks — SOAR-style orchestration
Threat intelligence platform (TIP) integration — MISP, OpenCTI
Attack graph visualization — kill-chain reconstruction across sources
Multi-tenant management plane — per-organization isolation
Phantom XDR v1.0 production release

Phase 1 (kernel driver) is 97% complete — driver signing is the sole remaining item. Phase 2 (user-space engines) is the active focus — 76% done, enterprise security audit phase underway.