Point Horus at your infrastructure. Every morning you get 1-3 things that actually need your attention — not 400 alerts. Eight AI agents work the other 23 hours.
Eight specialized agents scan your infrastructure, correlate threat intelligence, debate every finding and deliver a prioritized report. Every night. For less than one analyst.
AI-generated phishing, automated credential attacks and AI-assisted malware are outpacing manual security operations. Meanwhile your scanner still outputs 400 "critical" findings a week, and your team still triages them by hand.
Define your assets, set a schedule, connect your integrations. Horus takes it from there. Every night, every week, indefinitely.
Point Horus at domains, CIDR ranges, or individual hosts. Discovery agents map subdomains via CT logs and internal IPs via ping sweep, automatically, on schedule.
Recon → Analyst → Threat Intel → Red/Blue debate → Validation → SSVC Risk Manager → Reporter. Each run produces a prioritized findings list and executive summary.
SSVC:Act findings trigger PagerDuty P1. Watchtower KEV matches alert the same day. SSVC:Track findings accumulate silently. You open your inbox to signal, not noise.
Most scanners tell you what is vulnerable. Horus tells you whether an attacker can actually use it, with two adversarial AI agents arguing every ambiguous finding.
Generates a credible attack narrative per finding: exploit path, threat actor motive, blast radius. Context-aware, not boilerplate CVSS descriptions.
Argues the defensive side: compensating controls, network segmentation, non-exploitable conditions. Catches false positives before they waste a sprint.
A third LLM call weighs both sides and calibrates a confidence score. The verdict is stored. Future scans inherit it without re-debating.
Beyond individual findings: run Red Team cycles simulating DNS spoofing, certificate attacks, exposed paths, credential exposure: all against live infrastructure.
Stack-based overflow in X.509 cert parsing. Attacker controls a cert in the TLS chain → code execution plausible. Internet-facing on port 443.
OpenSSL 3.0.7 patches this. Banner shows 3.0.7-1ubuntu1. WAF terminates TLS before OpenSSL processes it. NVD exploitability: none.
Horus runs AI-personalized phishing campaigns against your own team, using your real asset inventory to craft credible lures: IT impersonation, VPN resets, internal portal alerts.
PhishingAgent reads your asset inventory. If you run nginx and Jira, the email is about a Jira security update affecting your nginx version. Not a generic reset link.
Full credential lure with fake MFA prompt. Captures who entered credentials, who just clicked, who reported it as suspicious. Three distinct risk tiers.
Employees who click see an immediate security awareness screen. The teachable moment is in the same session, not in a training email three weeks later.
Click rate per employee and department over time. See who improved after training and who remains a persistent insider risk.
Watchtower runs nightly after CISA publishes that day's KEV additions. If any entry matches something in your asset inventory, you get alerted. No re-scan needed.
Inventory is persisted from past scans. Watchtower re-correlates it, not your network.
When a CVE's exploit probability jumps 20+ points overnight, often before the CVE appears in KEV, Watchtower catches it first.
ThreatFox and URLhaus feeds checked against your domains daily. Ransomware victim lists cross-referenced against your industry.
cisa_kev sync complete · +4 new entries
epss_daily sync · 338k scores updated
→ cross-referencing 847 inventory entries
⚡ kev match: activemq/5.15.14
CVE-2023-46604 · EPSS 0.97 · RCE
asset: 10.0.1.15 (internal broker)
→ epss spike: spring-webmvc/5.3.27
CVE-2023-20861 · 0.03 → 0.34 (+0.31)
→ SSVC: ACT · activemq finding
→ incident #43 opened · PagerDuty P1
run complete · 2 exposures · 0 false positives
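The re-correlation described above can be reproduced offline as a join between a stored inventory and the day's feed deltas. This is an added example, not Horus code: the CVE, product and EPSS values are taken from the run log above, while the nginx row, the `CVE_PRODUCTS` mapping shape and the reading of "20+ points" as a 0.20 rise on EPSS's 0-1 scale are assumptions.

```python
# Inventory persisted from past scans: (asset, product, version).
# The nginx row is constructed; the other two mirror the run log above.
INVENTORY = [
    ("10.0.1.15", "activemq", "5.15.14"),
    ("10.0.2.8", "spring-webmvc", "5.3.27"),
    ("10.0.3.3", "nginx", "1.24.0"),
]
# Hypothetical normalized mapping: CVE -> (product, affected versions seen in inventory).
CVE_PRODUCTS = {
    "CVE-2023-46604": ("activemq", {"5.15.14"}),
    "CVE-2023-20861": ("spring-webmvc", {"5.3.27"}),
}
KEV_NEW = {"CVE-2023-46604"}                      # today's KEV additions
EPSS_PREV = {"CVE-2023-46604": 0.97, "CVE-2023-20861": 0.03}
EPSS_NOW = {"CVE-2023-46604": 0.97, "CVE-2023-20861": 0.34}


def correlate(inventory, cve_products, kev_new, epss_prev, epss_now, spike=0.20):
    """Return alerts for inventory entries touched by today's feed changes.

    No host is contacted: only the stored inventory is joined against the feeds.
    A KEV match takes precedence over an EPSS spike for the same CVE.
    """
    alerts = []
    for cve, (product, versions) in sorted(cve_products.items()):
        assets = [a for a, p, v in inventory if p == product and v in versions]
        if not assets:
            continue  # CVE does not touch anything we run
        # A CVE with no previous score is compared against 0.0 (assumption).
        delta = round(epss_now.get(cve, 0.0) - epss_prev.get(cve, 0.0), 2)
        if cve in kev_new:
            alerts.append(("kev_match", cve, assets, delta))
        elif delta >= spike:
            alerts.append(("epss_spike", cve, assets, delta))
    return alerts


if __name__ == "__main__":
    for alert in correlate(INVENTORY, CVE_PRODUCTS, KEV_NEW, EPSS_PREV, EPSS_NOW):
        print(alert)
```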
Iris is a tiny Rust daemon on every host. It taps the systemd journal and the kernel's audit subsystem — logins, privilege use, file tampering, suspicious exec and outbound connections — then streams events to Horus, where AI triage decides what is routine and what becomes an incident.
A single ~5 MB Rust daemon reads journalctl -f -o json, filtering security units (sshd, sudo, su, useradd) at priority ≤ 3, and tails /var/log/audit/audit.log, grouping records by serial until EOE. The installer drops minimal horus.rules: exec in /tmp, FIM on /etc & /root, outbound connect.
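Grouping audit records by serial until EOE matters because records from different events interleave in the log, so line order alone cannot be trusted. The sketch below is an added example in Python, not Iris's Rust code: the sample lines are constructed and the rule key names (`tmp_exec`, `etc_fim`, `outbound_connect`) are hypothetical stand-ins for whatever horus.rules defines.

```python
import re

# Record header: type=<TYPE> msg=audit(<epoch>.<ms>:<serial>): <fields>
HDR = re.compile(r"^type=(\w+) msg=audit\((\d+\.\d+):(\d+)\): ?(.*)$")
KEY = re.compile(r'\bkey="([^"]+)"')

# Constructed sample: events 501 and 502 interleave; 503 has no EOE yet.
SAMPLE = """\
type=SYSCALL msg=audit(1700000000.101:501): syscall=59 success=yes exe="/tmp/dropper" key="tmp_exec"
type=SYSCALL msg=audit(1700000000.105:502): syscall=257 success=yes exe="/usr/bin/vim" key="etc_fim"
type=EXECVE msg=audit(1700000000.101:501): argc=1 a0="/tmp/dropper"
type=PATH msg=audit(1700000000.105:502): item=0 name="/etc/passwd" nametype=NORMAL
type=EOE msg=audit(1700000000.101:501):
type=EOE msg=audit(1700000000.105:502):
type=SYSCALL msg=audit(1700000000.230:503): syscall=42 success=yes exe="/usr/bin/curl" key="outbound_connect"
""".splitlines()


def assemble(lines):
    """Group records by (timestamp, serial) and close an event on its EOE.

    Returns (complete_events, pending). Anything left in `pending` never saw
    an EOE, so a shipper should flush it on a timeout rather than hold it.
    """
    pending, done = {}, []
    for line in lines:
        m = HDR.match(line.strip())
        if not m:
            continue  # blank or truncated line, not an audit record
        rtype, ts, serial, body = m.groups()
        ident = (ts, int(serial))
        if rtype == "EOE":
            recs = pending.pop(ident, [])
            keys = [k for _, b in recs for k in KEY.findall(b)]
            done.append({"serial": ident[1],
                         "types": [t for t, _ in recs],
                         "key": keys[0] if keys else None})
        else:
            pending.setdefault(ident, []).append((rtype, body))
    return done, pending


if __name__ == "__main__":
    events, leftover = assemble(SAMPLE)
    print(events, list(leftover))
```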
Iris batches events and ships them on an interval. A cheap periodic triage pass classifies the noise and only spins up the full eight-agent pipeline when it correlates something into real risk. Routine events never cost a full run.
If the server is unreachable, events queue to local disk and retry with backoff. On reconnect Iris flushes the backlog first. Host telemetry survives outages, restarts and network blips, end to end.
Everything we hear before someone deploys.
ollama instance and nothing leaves your network.
ollama / vLLM server. You set one environment variable. Swapping models takes 30 seconds.
docker compose up, and you have the complete 8-agent pipeline. No usage limits, no phoning home.
All tiers run the same pipeline. You choose where your data lives.
The demo is pre-loaded with 30 days of posture history, real CVE findings, Red/Blue debate transcripts, and phishing campaign results.