Sagittarius¶
Under active development.
Sagittarius is a standalone defensive platform — a headless, distributed threat hunting and detection system. Where ARCHER is a domain-agnostic agent platform (currently validated with penetration testing skill packs), Sagittarius is the sensing and analysis infrastructure on the defensive side: edge sensors capture network and host telemetry; a core node ingests, stores, and drives hypothesis generation through an AI Navigator.
The system applies the same Human-First, centaur philosophy as ARCHER: the AI Navigator assists and augments the human analyst; the human drives every consequential decision. CLI-based, low-resource, and local-first for data sovereignty.
Key capabilities (planned): - Distributed edge/core architecture — sensing at the edge, computing at the core - Ingest PCAP, Zeek/Suricata logs, EVTX, NetFlow, Osquery endpoint metadata, and more - AI Navigator (employing ARCHER's Threat Hunting Module) for hypothesis generation, playbook execution, and hunt assistance - CLI-driven hunting — SSH-viable for remote operations - Case management, playbook recording, hunt metrics - ZincSearch for scalable log storage; Vector for data transport; Suricata/Zeek for analysis
Relationship to ARCHER: ARCHER's threat hunting skill packs connect to Sagittarius's data stores (ZincSearch, Suricata EVE JSON) as their data backend — the same way ARCHER's pentest domain uses the GOAD lab as its target range. The two projects are complementary but independent.
The project is in early design and planning. Documentation will be published here as the work matures.
Follow the build journal for updates as development progresses.