▶ AI CLUSTER · 5 AGENTS · PASSIVE DETECTION

GHOST REAPER

// Hunt without footprint. Strike without origin.

Full-spectrum passive threat detection powered by a 5-agent AI cluster. Network anomalies, entropy deviations, behavioral lineage, honeypot triggers — all fused by the Synthesis Oracle into a single, actionable verdict.

// the cluster

Five Agents. One Mind.

Each agent covers a distinct detection surface. Together they leave no blind spot.

👁️
EYES
Network Sentinel
Watches all active connections. Detects C2 beaconing via interval analysis, suspicious port usage, and abnormal connection counts per process.
Beaconing · C2 Detection · Port Analysis
🔬
HANDS
Entropy Detective
Calculates Shannon entropy on files landing in watched directories. High entropy signals encryption, packing, or obfuscation: classic malware hiding techniques.
Shannon Entropy · Payload Analysis · Obfuscation
🧠
SHADOW
Behavioral Analysis
Tracks process lineage and syscall chains. Catches LOLBin abuse, masquerading system processes, and Office/browser apps spawning shells.
Process Lineage · LOLBin · Lateral Movement
🪤
TRAP
Honeypot Overseer
Deploys canary credential files and decoy network listeners. Any access fires an immediate CRITICAL signal — confirms active intruder presence.
Canary Tokens · Decoy Ports · Credential Lures
BRAIN
Synthesis Oracle
Receives all signals from the 4 agents, enriches with feed intelligence, and calls your LLM to produce a structured verdict: severity, threat type, IOCs, and remediation steps.
LLM Fusion · IOC Extraction · Structured Verdict · Any LLM Provider
// execution flow

The Signal Pipeline

Four detection streams. One synthesis layer. Zero noise.

👁️ Network Sentinel → anomaly flags
🔬 Entropy Detective
🧠 Behavioral Analysis → process lineage
🪤 Honeypot Overseer → trigger events
⚡ Synthesis Oracle → 📋 Unified Threat Verdict
// threat intelligence

Pluggable Data Feeds

Bring your own API keys. Every feed is optional — Ghost Reaper degrades gracefully without them. Add custom feeds by dropping a Python file in feeds/.

AbuseIPDB
Community-sourced IP reputation. Abuse confidence score, total reports, ISP, country, Tor status.
▶ Optional · ABUSEIPDB_API_KEY
VirusTotal
Scan IPs, domains, and file hashes across 70+ AV engines. Malicious/suspicious counts and reputation score.
▶ Optional · VIRUSTOTAL_API_KEY
Shodan
Internet-wide scan data for IPs. Open ports, org, ISP, known vulnerabilities, hostnames.
▶ Optional · SHODAN_API_KEY
Custom Feed
Drop any Python file with a FEED_NAME constant and a query(indicator) function into feeds/ — auto-discovered at runtime.
▶ Manual · Bring your own source
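
A custom feed matching the interface described above (a FEED_NAME constant and a query(indicator) function), as an added example that is not Ghost Reaper's own code. The file name, the blocklist entries, and the shape of the returned dict are assumptions; the page does not specify what query() must return.

```python
"""feeds/local_blocklist.py - constructed example of a custom feed module."""
import ipaddress

# The page requires a FEED_NAME constant for auto-discovery.
FEED_NAME = "local_blocklist"

# Constructed sample data using RFC 5737 documentation ranges,
# not real indicators. Replace with your own source.
_BLOCKLIST = {
    "203.0.113.0/24": "internal IR case: scanner range",
    "198.51.100.23/32": "internal IR case: phishing host",
}
_NETWORKS = [(ipaddress.ip_network(cidr), note) for cidr, note in _BLOCKLIST.items()]


def query(indicator):
    """Look up one indicator in the local blocklist.

    The returned dict layout is an assumption made for this example.
    """
    result = {"feed": FEED_NAME, "indicator": indicator, "listed": False, "matches": []}
    try:
        addr = ipaddress.ip_address(str(indicator).strip())
    except ValueError:
        # Domains, hashes, and malformed input: this feed has no opinion,
        # so report that instead of raising into the caller.
        result["error"] = "unsupported indicator type"
        return result
    for net, note in _NETWORKS:
        # Compare only within the same IP version (v4 vs v6).
        if addr.version == net.version and addr in net:
            result["matches"].append({"network": str(net), "note": note})
    result["listed"] = bool(result["matches"])
    return result
```

Returning an error field for unsupported indicators, rather than raising, keeps one feed's limits from interrupting the rest of the enrichment step.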
// quick start

Deploy in Minutes

Python 3.11+ required. Any LLM API key accepted — OpenAI, DeepSeek, Groq, Anthropic, Mistral, Ollama, or any OpenAI-compatible endpoint.

01 · CLONE & INSTALL
# Clone the repository
git clone https://github.com/Insider77Circle/Ghost-Reaper.git
cd Ghost-Reaper

# Install dependencies
pip install -r requirements.txt
02 · CONFIGURE
# Copy environment template
cp .env.example .env

# Set your LLM provider + key
# Works with OpenAI, DeepSeek, Groq,
# Anthropic, Mistral, Ollama, or any
# OpenAI-compatible endpoint.
LLM_PROVIDER=deepseek
LLM_API_KEY=sk-your-key-here
03 · LAUNCH
# Continuous monitoring mode
python main.py

# Single-pass scan + exit
python main.py --scan-once

# JSON output for pipelines
python main.py --scan-once --json