---
halo:
  classification: INTERNAL
  confidence: HIGH
  front: "17_Project_CerberusLantern"
  custodian: "The Architect"
  created: 2026-03-27
  updated: 2026-03-28
  wing: NOT_READY
  containment: "Bounty board for CerberusLantern three-head security project"
---
# BOUNTY BOARD — Project CerberusLantern

> **Current Tier: Zenodo** | **Orthodox Cultivator:** Windows Defender / commercial EDR | **Target: Consensus**
> **FORM question:** Can a three-headed gate outperform signature-based detection? **Our answer:** Instruction disassembly + DGA entropy + system baseline + stego detection.

> Three heads. One gate. Nothing enters or leaves without being seen.

---

## OPEN

### O1 — KETER tripwire live monitoring
**Status:** PARTIAL (2026-03-28) — [keter_tripwire.py](engine/keter_tripwire.py) logs JSONL; optional `KETER_TRIPWIRE_WEBHOOK_URL` POSTs each event. Email / Technomancer fan-out still optional.

### O2 — Recursive PE unpacker for nested installers
WeChat autopsy showed hundreds of embedded PEs inside one installer. Build an unpacker that extracts each embedded PE and runs Chimera + Hunter on each individually. This is Phase 2 of the Meridian kill chain.

### O3 — VM promotion playbook automation
MERIDIAN_DEEP_CLEAN.md is a manual checklist. Build `promote.py` that automates the promotion gate: take snapshot → install in VM → run Cerberus → score → auto-decide promote/quarantine.

### O4 — Egress policy comparison (FORM proof drill #4)
Run untrusted binary in VM, capture all DNS/HTTP/socket connections attempted, compare against host allow-list. Shadow of Sight has the tools but no orchestrated drill exists yet.
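
The comparison step of this drill, as an added example (not project code): it takes connection attempts captured from one VM run and reports every attempt that falls outside the host allow-list. The allow-list layout, event field names and sample capture are constructed assumptions; domains match on a label boundary so that `notexample.org` does not pass for `example.org`.

```python
import ipaddress

# Constructed allow-list; the field names are assumptions, not the project's schema.
ALLOW = {
    "domains": ["example.org", "updates.example.net"],  # exact or subdomain match
    "cidrs": ["192.0.2.0/24"],
    "ports": {53, 80, 443},
}

# Constructed capture of DNS/HTTP/socket attempts from one VM run.
CAPTURE = [
    {"kind": "dns", "name": "cdn.example.org."},
    {"kind": "dns", "name": "notexample.org"},
    {"kind": "http", "host": "updates.example.net", "port": 443},
    {"kind": "socket", "ip": "192.0.2.10", "port": 443},
    {"kind": "socket", "ip": "198.51.100.7", "port": 8443},
    {"kind": "socket", "ip": "192.0.2.10", "port": 4444},
]

def domain_allowed(name, allow):
    # Normalise case and the trailing root dot, then match on a label boundary.
    name = name.rstrip(".").lower()
    return any(name == d or name.endswith("." + d) for d in allow["domains"])

def ip_allowed(ip, allow):
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(c) for c in allow["cidrs"])

def violations(event, allow):
    """Return the list of reasons an attempt falls outside the allow-list."""
    reasons = []
    for key in ("name", "host"):
        if key in event and not domain_allowed(event[key], allow):
            reasons.append("domain")
    if "ip" in event and not ip_allowed(event["ip"], allow):
        reasons.append("ip")
    if "port" in event and event["port"] not in allow["ports"]:
        reasons.append("port")
    return reasons

def egress_diff(capture, allow):
    """Summarise a run: total attempts and each denied attempt with its reasons."""
    denied = [(e, r) for e in capture if (r := violations(e, allow))]
    return {"attempted": len(capture), "denied": denied}

if __name__ == "__main__":
    for event, reasons in egress_diff(CAPTURE, ALLOW)["denied"]:
        print(reasons, event)
```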

### O5 — Wire Colossus driver audit into EYE-Lantern baseline diff
**Status:** IMPLEMENTED (2026-03-28) — `eye_lantern.collect_drivers` + `diff_snapshots` → `deviations.drivers`; `PromotionGate` **RING0_DRIVER_CHANGE** / **RING0_DRIVER_REMOVED**. See [CORPSE_OF_THE_COLOSSUS.md](CORPSE_OF_THE_COLOSSUS.md).

### O6 — International risk registry — vendor provenance database
**Status:** IMPLEMENTED (skeleton) — [engine/vendor_registry.json](engine/vendor_registry.json) + `match_vendor_registry()` in [cerberus.py](engine/cerberus.py). Populate with real `sha256_prefix` rows for your lab.

### O7 — ShadowsOfSight integration — HMAC seals + Cerberus tripwires
**Status:** IMPLEMENTED (2026-03-28) — `shadow_verify.verify_integrity()` + `cerberus_bridge.verify_all` runs `colossus.full_integrity_check()` on seal/manifest failure.

### O8 — Complete FORM sections F (Global Survey) and G (Adoption Priority)
Survey international anti-malware tools: ClamAV, YARA, Ghidra, Radare2, Cuckoo Sandbox, ANY.RUN, VirusTotal, Joe Sandbox. Map adoption priority for CerberusLantern.

### O9 — Physical lane / workstation baseline
**Weakness:** PromotionGate is only as honest as the host OS and firmware. **Fix:** Document “clean bench” prerequisites (BitLocker, Secure Boot, no sideloaded root certs); optional air-gapped signing step for Apollyon key ceremonies; cross-link Daemon physical ops if any.

### O10 — Jules / automated agent on KETER paths
**Weakness:** Staging-elevated or mis-scoped agents could copy binaries or keys off Lantern. **Fix:** Align with [RED_TEAM_PROTOCOL](../08_Project_Astronomicon/u_os_dev/RED_TEAM_PROTOCOL.md) and Constellation O2; never mount host vault + staging WRITE_TOKEN in one profile; log agent scope decisions in WORLDLINE.

### O11 — Evidence chain for quarantine runs
**Weakness:** VM autopsy artifacts are persuasive but not tamper-evident across months. **Fix:** SHA-256 manifest of reports + store alongside Bioship or Orthodox seal; optional upload to read-only bucket with object lock.
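
One way to build and re-check the SHA-256 manifest described in this fix, as an added example (not project code). The manifest layout, the `run_id` value and the sample report files are constructed assumptions; the manifest digest is the value that would be stored with the seal or in the object-locked bucket, and the manifest itself is kept outside the report directory.

```python
import hashlib, hmac, json, tempfile
from pathlib import Path

def sha256_file(path):
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def build_manifest(report_dir, run_id):
    # Map each report's relative path to its SHA-256.
    files = {p.relative_to(report_dir).as_posix(): sha256_file(p)
             for p in sorted(report_dir.rglob("*")) if p.is_file()}
    return {"run_id": run_id, "algorithm": "sha256", "files": files}

def manifest_digest(manifest):
    # Canonical JSON so the digest does not depend on key order or whitespace.
    canonical = json.dumps(manifest, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(canonical.encode()).hexdigest()

def verify(report_dir, manifest, sealed_digest):
    # First check the manifest against the digest held with the seal,
    # then check every report against the manifest.
    if not hmac.compare_digest(manifest_digest(manifest), sealed_digest):
        return {"manifest": "TAMPERED"}
    current = build_manifest(report_dir, manifest["run_id"])["files"]
    recorded = manifest["files"]
    return {
        "manifest": "OK",
        "modified": sorted(k for k in recorded
                           if k in current and current[k] != recorded[k]),
        "missing": sorted(set(recorded) - set(current)),
        "unexpected": sorted(set(current) - set(recorded)),
    }

def demo():
    # Constructed quarantine-run reports, then three later changes to detect.
    with tempfile.TemporaryDirectory() as tmp:
        d = Path(tmp)
        (d / "autopsy.txt").write_text("verdict: SUSPICIOUS\n")
        (d / "hunter.json").write_text('{"hits": 7}\n')
        manifest = build_manifest(d, "constructed-run-001")
        seal = manifest_digest(manifest)
        (d / "autopsy.txt").write_text("verdict: CLEAN\n")  # edited report
        (d / "hunter.json").unlink()                         # deleted report
        (d / "extra.log").write_text("added later\n")        # planted file
        return verify(d, manifest, seal)

if __name__ == "__main__":
    print(demo())
```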

### O12 — Lantern ↔ Shadow key continuity
**Weakness:** Cerberus integrates Shadow verify, but fleet `.shadow_key` lifecycle is separate from Meridian promotion logs. **Fix:** Single calendar for rotation (Shadow O5 + vault O5); webhook on `KETER_TRIPWIRE` includes manifest id when verify fails (extends O1 partial).

### O13 — FORM orthodox sandbox control matrix
**Scope:** Extend [FORM_ANTIMALWARE_SUITE.md](FORM_ANTIMALWARE_SUITE.md) / [CERBERUS_SUITE_AND_TOTEM.md](CERBERUS_SUITE_AND_TOTEM.md) with **one** additional **control-run** column: a commercial-grade or open sandbox (e.g. Cuckoo-class self-host or hosted sandbox **within ToS**) vs existing Cerberus VM lane — **benign fixtures only**; table row + limits (latency, artifacts, cloud-only). Survey cite bar: [16_Project_Constellation/FORM_ORTHODOX_APEX_TOOLING.md](../16_Project_Constellation/FORM_ORTHODOX_APEX_TOOLING.md) Chapter 17 §F. **Functional cluster:** behavioral coverage vs commercial EDR baselines; align expectations with vault **[O9](../BOUNTY_BOARD.md)** (integrity stack vs kernel adversary).

---

## SOLVED

### S1 — Three-head engine suite
**Tier:** IMPLEMENTED
Built all three heads: Meridian (Chimera + Hunter), Shadow of Sight (shadow_sentinel.py), Corpse of the Colossus (colossus_auditor.py + eye_lantern.py). Unified daemon cerberus.py with PromotionGate.

### S2 — Cloud quarantine analysis pipeline
**Tier:** DEMONSTRATED
GCE VM `cerberus-quarantine` spun up, Chimera uploaded, WeChat.exe downloaded and analyzed inside VM, 36K-line autopsy report captured, VM destroyed. Binary never touched local machine.

### S3 — System baseline profiler
**Tier:** IMPLEMENTED
EYE-Lantern with 9 collectors (processes, services, connections, listeners, autoruns, certificates, scheduled tasks, DNS cache, hosts file). Snapshot/diff/watch modes.

### S4 — Instruction-level binary predator
**Tier:** IMPLEMENTED
Cerberus Hunter with Capstone disassembly, 16 virus signatures, 30+ API threat mappings, 5-phase analysis. Tested on notepad.exe (48K instructions, 7 hits, verdict: SUSPICIOUS).
