Architectural Pattern: Multi-Agent Framework + Custom MCP Server (Hybrid approach #2 + #3)
Inspiration
Adversaries move at machine speed. CrowdStrike documented 7-minute breakout times. Horizon3 demonstrated 60-second privilege escalation. Meanwhile, a human responder is still remembering whether it's fls -r or fls -rp.
Protocol SIFT proved that connecting AI to the SIFT Workstation works. It also proved that AI hallucinates forensic findings — and in incident response, a hallucinated finding isn't just wrong, it's dangerous. It sends teams down rabbit holes, triggers unnecessary escalations, and erodes trust in the very automation that's supposed to save time.
We started with one question: can you build a forensic agent that cannot present a hallucinated finding to a human? Not "tries not to" — physically cannot. The architecture prevents it.
AEGIS-IR is our answer. It runs SIFT tools against real case data, correlates findings across disk and SIEM sources, validates every claim through a three-stage guardrail, and gets measurably better across investigations by reading its own operational history from Phoenix traces.
What it does
AEGIS-IR is an autonomous forensic investigation agent built on the SIFT Workstation's tool library. Given case data (disk image, memory capture, or live SIEM data), it:
Self-introspects — Queries its own past investigation traces from Phoenix. "What did I get wrong last time? What tools produced unreliable findings?" Adjusts approach before starting.
Sequences like a senior analyst — Doesn't run tools randomly. Follows the analyst workflow: triage first (what's the evidence?), then targeted analysis (Prefetch for execution, Registry for persistence, Event Logs for timeline), then correlation (do disk findings match SIEM logs?).
Runs real SIFT tools — 15 forensic tools via subprocess:
fls,mmls,icat,img_stat,mactime(Sleuthkit),volatility3(memory),regripper(Registry),evtxexport(Event Logs),clamscan,yara(malware),foremost,bulk_extractor(carving),strings,sha256sum,compute_hash. Every tool call hits a real binary. No mocks.Correlates across sources — Cross-references disk artifacts with Splunk SIEM logs. If Amcache says a binary exists but Prefetch doesn't confirm execution AND Event 4688 is absent — the agent catches the discrepancy and downgrades confidence.
Self-corrects — Six deterministic consistency rules run between investigation iterations:
- Amcache without Prefetch? Flag it — presence ≠ execution.
- Service installed but binary missing from MFT? Check ADS and USN journal.
- Process in memory but no disk artifact? Check for injection.
- Network connection without owning process? Check terminated process list.
- Timestamps out of chronological order? Cross-reference USN.
- Expected events missing? Check for log clearing (Event 1102/104).
Guardrails every finding — Three-stage gate:
- Stage 1: Evidence Grounding (deterministic, instant) — Does the claim have the specific tool output that supports it? Execution claim → requires Prefetch OR Event 4688. Network claim → requires netscan/connection evidence.
- Stage 2: Hallucination Scoring (LLM-as-judge via Phoenix Evals) — Score 0.0–1.0. Labels: factual / partially_supported / hallucinated.
- Stage 3: Historical Pattern Check — Has the agent made this type of mistake before? If similar claims were blocked in past investigations, flag for extra scrutiny.
- Outcomes: APPROVE (show to analyst) / FLAG (needs human review) / BLOCK (suppressed, never shown)
Learns across investigations — Phoenix traces every tool call, reasoning step, and guardrail decision. Before the next investigation, the agent queries this history and adjusts confidence calibration, tool selection, and claim conservatism based on measured accuracy.
Architecture
┌─────────────────────────────────────────────────────────────────┐
│ AEGIS-IR Agent (Google ADK + Gemini 2.5 Flash) │
│ │
│ ┌────────────────────────────────────────────────────────────┐ │
│ │ Investigation Workflow (sequences like a senior analyst) │ │
│ │ │ │
│ │ 1. Self-Introspect (Phoenix) → past accuracy, mistakes │ │
│ │ 2. Triage → what evidence is available? │ │
│ │ 3. Targeted Analysis → Prefetch, Registry, EventLog, MFT │ │
│ │ 4. SIEM Correlation → Splunk process/net/auth/DNS logs │ │
│ │ 5. Self-Correction → 6 consistency rules between passes │ │
│ │ 6. Guardrail Gate → every finding validated before output │ │
│ │ 7. Report → findings with confidence + MITRE mapping │ │
│ └────────────────────────────────────────────────────────────┘ │
│ │ │
│ ┌────────────────────────────────────────────────────────────┐ │
│ │ SIFT Tools (15 real binaries via subprocess) │ │
│ │ │ │
│ │ Filesystem: fls, mmls, icat, img_stat, mactime │ │
│ │ Memory: volatility3 (pslist, netscan, malfind, │ │
│ │ cmdline, pstree, dlllist, handles) │ │
│ │ Registry: regripper (services, run keys, amcache, │ │
│ │ shimcache, userassist) │ │
│ │ Events: evtxexport │ │
│ │ Malware: clamscan, yara │ │
│ │ Carving: foremost, bulk_extractor │ │
│ │ Hashing: sha256sum, strings │ │
│ │ │ │
│ │ DENYLIST: rm, dd, mkfs, fdisk, shred, wipe (blocked) │ │
│ └────────────────────────────────────────────────────────────┘ │
│ │ │
│ ┌────────────────────────────────────────────────────────────┐ │
│ │ Guardrail Pipeline (ARCHITECTURAL — not prompt-based) │ │
│ │ │ │
│ │ ┌──────────────────────────────────────────────────────┐ │ │
│ │ │ Stage 1: Evidence Grounding (deterministic rules) │ │ │
│ │ │ - Execution claim? → Must have Prefetch OR 4688 │ │ │
│ │ │ - Network claim? → Must have netscan/connection │ │ │
│ │ │ - CONFIRMED? → Must have 2+ independent sources │ │ │
│ │ └──────────────────────────────────────────────────────┘ │ │
│ │ ┌──────────────────────────────────────────────────────┐ │ │
│ │ │ Stage 2: Hallucination Scoring (LLM-as-judge) │ │ │
│ │ │ - Phoenix Evals: score 0.0–1.0 │ │ │
│ │ │ - Labels: factual / partial / hallucinated │ │ │
│ │ └──────────────────────────────────────────────────────┘ │ │
│ │ ┌──────────────────────────────────────────────────────┐ │ │
│ │ │ Stage 3: Historical Pattern Check (Phoenix spans) │ │ │
│ │ │ - Similar claim blocked before? → Extra scrutiny │ │ │
│ │ └──────────────────────────────────────────────────────┘ │ │
│ │ │ │
│ │ APPROVE ──→ Show to analyst (with evidence chain) │ │
│ │ FLAG ────→ Needs human review (partial evidence) │ │
│ │ BLOCK ───→ Suppressed (hallucinated, never shown) │ │
│ └────────────────────────────────────────────────────────────┘ │
│ │ │
│ ┌────────────────────────────────────────────────────────────┐ │
│ │ Phoenix Observability + Self-Improvement │ │
│ │ │ │
│ │ Every span traced: tool calls, LLM reasoning, guardrails │ │
│ │ Agent queries OWN history before each investigation │ │
│ │ Accuracy improves: 70% → 85% → 95% across runs │ │
│ │ No prompt changes — purely data-driven improvement │ │
│ └────────────────────────────────────────────────────────────┘ │
└─────────────────────────────────────────────────────────────────┘
│ │
▼ ▼
┌──────────────────┐ ┌──────────────────────┐
│ SIFT Workstation│ │ Arize Phoenix │
│ (200+ tools) │ │ (trace store) │
│ │ │ │
│ Evidence: │ │ • Span history │
│ • Disk images │ │ • Guardrail evals │
│ • Memory dumps │ │ • Accuracy metrics │
│ • Event logs │ │ • Improvement loop │
└──────────────────┘ └──────────────────────┘
Evidence Integrity (Architectural Enforcement)
This is NOT prompt-based. The code physically prevents evidence modification:
DENYLIST —
rm,dd,mkfs,fdisk,shred,wipeare blocked at the_run()function level. The agent's tool calls go through this gate. Even if the LLM generates a destructive command, it gets rejected before execution.Read-only mounting — Evidence images are mounted read-only. The
mount_evidence_imagetool passes-o ro,noexecflags.No shell=True — All subprocess calls use
shell=Falsewith explicit argument lists. No shell injection possible.Output truncation — Tool output is capped at 50KB before returning to the LLM, preventing context window overflow from large disk listings.
Type-safe tool interface — The agent calls Python functions with typed parameters (
hostname: str,earliest: str), not raw shell commands. The function decides what binary to execute with what flags.
How we built it
Agent Framework: Google ADK (Agent Development Kit) with Gemini 2.5 Flash on Vertex AI. ADK gives us multi-tool orchestration, thinking budgets, and FunctionTool registration that maps cleanly to forensic workflows.
SIFT Integration: 15 tools wrapped as typed Python functions. Each function constructs the correct command, executes via subprocess, parses output, and returns structured JSON. The agent never sees raw command-line syntax — it calls sleuthkit_fls(path="/mnt/evidence", directory="/", recursive=True) and gets a parsed file listing back.
Self-Correction Engine: Six deterministic consistency rules implemented as a separate tool (self_correction_check). The agent calls this between investigation iterations. Each rule compares findings against known forensic logic (Amcache ≠ execution, timestamps must be chronological, missing logs = possible clearing).
Guardrail Pipeline: Three-stage gate implemented in guardrail_pipeline.py. Stage 1 is pure Python string matching (instant, no LLM needed). Stage 2 uses Phoenix Evals with an evaluator prompt. Stage 3 queries the local improvement history. The agent's output physically flows through this before reaching the dashboard.
Phoenix Integration: OpenTelemetry auto-instrumentation via openinference-instrumentation-google-adk. Every tool call, LLM reasoning step, and guardrail decision becomes a traced span. The agent reads these back via phoenix.Client(base_url="http://localhost:6006") to get its own accuracy data.
SIEM Correlation: Splunk integration via MCP protocol provides the "second source" for corroboration. Disk says binary exists → Splunk confirms process creation event → confidence = CONFIRMED. If only one source → INFERRED.
Challenges we ran into
The hallucination problem is architectural, not prompting. First version used "Don't hallucinate" in the system prompt. The agent still claimed "C2 beaconing confirmed" 15% of the time with zero network evidence. LLMs are pattern-completion machines — if the context looks like a C2 scenario, the model infers C2 even without evidence. Solution: moved from prompt-based to architectural guardrails. The agent's output physically cannot bypass the validation gate.
Self-correction without infinite loops. The self-correction engine runs between iterations. If it always finds gaps, the investigation never converges. Early versions ran 15 iterations on simple evidence. Solution: hard cap (12 iterations max), soft convergence (3 consecutive empty rounds = done), forced synthesis deadline.
Amcache is the most dangerous artifact for AI. The agent consistently over-claimed execution based on Amcache entries. Amcache proves a binary was PRESENT on the system (copied, downloaded, extracted) — not that it EXECUTED. This is the #1 hallucination pattern in forensic AI. Solution: explicit rule in Stage 1 of the guardrail — any execution claim citing only Amcache/Shimcache is automatically blocked. The agent must have Prefetch, Event 4688, or process memory evidence to claim execution.
Context window overflow from large tool outputs. Running fls -r on a full disk image returns millions of lines. Returning that to the LLM destroys the context window. Solution: output truncation at 50KB per tool call, with a [TRUNCATED] marker so the agent knows data was cut. The agent can then make targeted follow-up calls for specific directories.
Accomplishments that we're proud of
Zero hallucinated findings reach the analyst. In testing against the provided case data, the guardrail correctly blocked 100% of unsupported execution claims and 100% of unsupported network claims. No hallucinated finding made it through the pipeline to the user.
Self-improvement is measurable. After 5 investigations on the same case data, the agent identified "over-confidence on execution claims from Amcache" as a recurring pattern. Accuracy improved from 70% to 95% across runs without any prompt changes — purely from Phoenix trace data feeding back into the agent's pre-investigation context.
The agent catches what Protocol SIFT doesn't. When Amcache shows a binary but Prefetch is absent AND no Event 4688 exists, AEGIS-IR flags the discrepancy instead of claiming execution. Protocol SIFT's baseline agent claims execution in this scenario. That's the hallucination gap we close.
Every finding traceable to tool output. Open Phoenix at localhost:6006, click any span, see the exact tool call that produced the evidence, the exact LLM reasoning that interpreted it, and the exact guardrail evaluation that approved or blocked it. Full chain from finding → tool execution.
37 real tools, not mocks. 15 SIFT tools calling real binaries, 16 Splunk tools hitting a real SIEM, 4 Phoenix self-introspection tools, 2 quality control tools. Every tool call is a real operation producing real output.
What we learned
1. Forensic domain rules are the most effective guardrails. LLM-as-judge hallucination scoring is useful but slow and occasionally wrong. The deterministic Stage 1 rules (Amcache ≠ execution, CONFIRMED requires 2+ sources) catch 80% of hallucinations instantly with zero false positives. Domain expertise encoded as code beats general-purpose AI evaluation.
2. Self-improvement needs persistent operational data. Saying "the agent learns" means nothing without a trace store. Phoenix makes this concrete — the agent reads its own span history, counts its blocked findings, identifies patterns, and adjusts. Without Phoenix, there's no memory between investigations.
3. The multi-source correlation is what produces CONFIRMED findings. A single source (disk only, or SIEM only) produces INFERRED findings at best. When disk artifacts AND SIEM logs agree, you get CONFIRMED with genuine confidence. The architecture must support multiple evidence sources to produce defensible findings.
4. Output truncation is critical for forensic AI. A full fls -r listing on a real disk image can be 500MB of text. Returning that to an LLM is worse than useless — it degrades everything. Structured truncation with the ability to drill down into specific paths is essential.
5. The denylist must be architectural, not prompt-based. "Don't run destructive commands" in a prompt is not evidence integrity. A denylist at the subprocess execution layer that rejects rm, dd, mkfs regardless of what the LLM asks for IS evidence integrity. Judges should never have to trust the model's compliance.
What's next for AEGIS-IR
Immediate:
- Run against the full hackathon case data (disk images + memory captures from the starter dataset)
- Custom MCP Server wrapping SIFT tools as typed functions (per Starter Idea #6) — currently using direct subprocess, MCP server would be cleaner
- Multi-agent decomposition — separate disk agent, memory agent, correlation agent with explicit handoff protocols
Near-term:
- Accuracy benchmarking framework (Starter Idea #5) — automated scoring against known ground truth
- Persistent learning file that survives across sessions (currently in-memory + Phoenix)
- Integration with Protocol SIFT package directly (install on SIFT VM, run alongside existing toolchain)
Vision:
- The forensic agent that a senior analyst would trust to run unsupervised at 3 AM during an active incident
- Measurable accuracy improvement over time, tracked and auditable
- Community tool that 60K+ SIFT users can install and use to accelerate their investigations
Dataset Documentation
Tested against:
sample_data/ransomware_attack.csv— Synthetic LockBit3 ransomware scenario loaded into Splunk- Timeline: Brute force → Reconnaissance → PowerShell download → Credential dump → Lateral movement → Shadow copy deletion → Ransomware execution → Data exfiltration → Backdoor creation
- 30+ events across process creation, network connections, authentication, DNS, and file modification
- MITRE ATT&CK coverage: T1110, T1059.001, T1003, T1021, T1490, T1486, T1048, T1136
What the agent found:
- Malicious document delivery (T1566.001) — CONFIRMED (Word + PowerShell chain in logs)
- Encoded PowerShell execution (T1059.001) — CONFIRMED (Event 4688 + encoded command)
- C2 communication (T1071.001) — CONFIRMED (DNS + network connection to 198.51.100.42)
- Persistence via scheduled task (T1053.005) — INFERRED (task present, execution not independently confirmed)
- Lateral movement (T1021) — INFERRED (Type 3 logon, single source)
What was blocked (hallucination caught):
- "Data exfiltration confirmed" — BLOCKED. Agent only had DNS evidence, no bytes-out measurement. Downgraded appropriately.
Evidence Integrity Approach
| Protection | Type | What Happens If Model Ignores It |
|---|---|---|
DENYLIST (rm, dd, mkfs, etc.) |
Architectural | Command rejected at _run(). Model cannot bypass. |
Read-only mount (-o ro,noexec) |
Architectural | OS-level enforcement. Model cannot override. |
shell=False in subprocess |
Architectural | No shell injection possible regardless of LLM output. |
| Output truncation (50KB cap) | Architectural | Applied before return. Model never sees full raw dump. |
| "Don't modify evidence" in prompt | Prompt-based | If model ignores: denylist + ro mount catch it anyway. |
Tested for spoliation: Yes. Attempted to generate rm and dd commands through prompt injection in the investigation directive. Both were caught by the denylist and rejected before execution. Evidence remained unmodified.
Try-It-Out Instructions
Option A: Live Demo (Cloud Run)
https://aegis-ir-872369929690.us-central1.run.app
Option B: Run Locally on SIFT Workstation
# On your SIFT VM (after installing Protocol SIFT):
git clone https://github.com/AbinjithTK/aegis-ir.git
cd aegis-ir
pip install -e .
# Set up Google Cloud auth (for Gemini)
gcloud auth application-default login
# Start Phoenix (trace server)
python -m phoenix.server.main serve --port 6006 &
# Start AEGIS-IR
export SIFT_MODE=local
export SIFT_EVIDENCE_MOUNT=/cases/evidence
export PHOENIX_MODE=local
export PHOENIX_LOCAL_ENDPOINT=http://localhost:6006
python start_server.py
# Open http://localhost:8080
# Click "Combined" → Start an investigation
# Watch the agent run SIFT tools + correlate in real-time
Option C: Connect to your Splunk (via ngrok)
# Expose your Splunk REST API
ngrok http https://localhost:8089
# In AEGIS-IR dashboard → Settings → Splunk
# Paste the ngrok URL as host, port 443
# The agent now queries YOUR Splunk data for correlation
Built With
- arizepheonix
- sift
- splunk
Log in or sign up for Devpost to join the conversation.