🛡️ AETHER Cyber Defence Platform · 2026

AETHER

Enterprise-grade AI cyber defence — autonomous swarm intelligence, nation-state threat coverage, and automated response in a single deployable platform.

90+ MITRE Techniques · 60+ API Endpoints · 6 Kill Chain Phases · 100% Big Four Posture · 4 Compliance Frameworks

Platform Architecture

AETHER is a single Python FastAPI backend (port 8900) powering a rich HTML/JS frontend. Every feature lives in a discrete CORE module — no external SaaS dependencies at runtime.

FEATURE | DELIVERED BY | API ENDPOINTS | NOTES
Sentinel Swarm | CORE/orchestrator.py, CORE/telemetry_api.py | /api/sentinel/* | Multi-agent consensus, APEX admission, DEFCON ladder, AWS actions
WiFi Dome | CORE/network_threat_detector.py | /api/network/* | Real-time network threat detection, 5-feed CTI correlation
Bots Training Camp | CORE/detection_bridge.py, CORE/telemetry_api.py | /api/bots/*, /api/telemetry/* | Bronze→APEX tier progression, ART/Caldera import, MITRE coverage
Kill Chain Engine | CORE/kill_chain_engine.py, CORE/phase_bridges.py | /api/kill-chain/* | 6-phase detection with phase correlation across all MITRE TTPs
AI/ML Detection | CORE/detection_bridge.py | /api/detections, /api/training/* | LSTM anomaly, 90+ techniques, synthetic gap injection, z-score baseline
Big Four Defence | CORE/bigfour_defenders.py, CORE/big_four_posture.py | /api/bigfour/* | PRC/Russia/Iran/DPRK 100% posture, automated hardening, override system
SOAR Playbooks | CORE/soar_playbooks.py | /api/soar/* | 6 default playbooks, 11 action types, EventBus-driven
CTI Enrichment | CORE/cti_enrichment.py | /api/cti/* | VirusTotal, AbuseIPDB, Shodan, GreyNoise, IP-API composite scoring
Honeytokens | CORE/honeytokens.py | /api/honeytokens/* | 6 credential traps + canary URL, FIM integration, zero false positives
Compliance Mapper | CORE/compliance_mapper.py | /api/compliance/* | NIST CSF 2.0, Cyber Essentials+, ISO 27001:2022, DORA automated scoring
Attack Surface Mgmt | CORE/asm_engine.py | /api/asm/* | CT subdomains, DNS audit, Shodan sweep, typosquats, domain expiry
Purple Team Scheduler | CORE/purple_team_scheduler.py | /api/purpleteam/* | 7 built-in schedules, 8 exercise types, posture trend analysis
Behavioral Anomaly | CORE/security_hardening.py | /api/security/* | Z-score (3σ) baseline, LSTM anomaly, FIM watchlist, CSRF protection
CTI Feed Aggregation | CORE/threat_intel_feeds.py | /api/feeds/* | Feodo, URLhaus, CISA KEV, Tor exit nodes, EmergingThreats
Validation Pipeline | CORE/validation_importer.py | /api/validation/* | Atomic Red Team + Caldera JSON import, SHA-256 dedup, auto-discovery
Dashboard UI | aether_dashboard.html | | Single-file HTML dashboard, all panels, live API data binding
AI Assistant | ask_fortress_ai.html, askfortress.py | /api/ai/* | Conversational cyber analyst AI, context-aware of AETHER posture

Sentinel Swarm

A consensus-driven network of autonomous AI agents. No single agent can trigger a critical action alone — APEX bots (Level 20+) vote before escalation.

  • Up to 50+ autonomous AI agents running in parallel — bots vote on threats before acting
  • APEX admission enforced hard at Level 20 — only graduated bots handle critical actions
  • AWS-native actions: EC2 isolation, IAM quarantine, SSM memory dump, EBS snapshot
  • DEFCON escalation ladder: GREEN → YELLOW → ORANGE → RED with full audit trail
  • Swarm consensus prevents single-agent compromise from triggering false positives
  • Real-time escalation log at logs/sentinel-escalation-log.jsonl
  • Live bot roster via GET /api/sentinel/apex-roster
CORE/orchestrator.py CORE/telemetry_api.py LEADS MARKET
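To make the consensus rule concrete, here is an added example (not AETHER's orchestrator.py) of a swarm in which only bots at or above the Level 20 APEX gate may vote, a proposal needs a strict majority of the whole APEX roster before DEFCON moves one step up the GREEN → YELLOW → ORANGE → RED ladder, and every proposal, approved or not, is written to a JSON-lines audit record. The threshold, ladder and vote-before-acting rule are the page's; the majority quorum, the one-step escalation, the record fields and all names are assumptions.

```python
# Added example, not AETHER's orchestrator.py: a minimal model of the swarm
# consensus described above. The APEX threshold (Level 20), the DEFCON ladder
# and the vote-before-escalation rule are from the page; the strict-majority
# quorum, the one-step-per-vote escalation and all names are assumptions.
import json
from dataclasses import dataclass, field
from typing import Dict, List

APEX_LEVEL = 20                                       # page: APEX admission at Level 20
DEFCON_LADDER = ["GREEN", "YELLOW", "ORANGE", "RED"]  # page: escalation ladder


@dataclass
class Bot:
    name: str
    level: int

    def is_apex(self) -> bool:
        return self.level >= APEX_LEVEL


@dataclass
class Swarm:
    bots: List[Bot]
    defcon: str = "GREEN"
    audit: List[dict] = field(default_factory=list)

    def apex_roster(self) -> List[str]:
        """Graduated bots only, i.e. the set allowed to vote on critical actions."""
        return [b.name for b in self.bots if b.is_apex()]

    def propose(self, threat_id: str, votes: Dict[str, bool]) -> dict:
        """Tally a vote to raise DEFCON by one step.

        Votes from non-APEX bots are discarded at the admission gate, and the
        quorum is a strict majority of the whole APEX roster (assumption), so
        neither a single bot nor the silence of other voters can force an
        escalation.
        """
        roster = set(self.apex_roster())
        counted = {n: v for n, v in votes.items() if n in roster}
        ignored = sorted(set(votes) - roster)
        yes = sum(1 for v in counted.values() if v)
        approved = bool(roster) and yes * 2 > len(roster)
        before = self.defcon
        if approved and before != DEFCON_LADDER[-1]:
            self.defcon = DEFCON_LADDER[DEFCON_LADDER.index(before) + 1]
        record = {
            "threat_id": threat_id, "votes_for": yes, "apex_roster_size": len(roster),
            "ignored_non_apex": ignored, "approved": approved,
            "defcon_before": before, "defcon_after": self.defcon,
        }
        self.audit.append(record)          # every proposal is logged, approved or not
        return record

    def audit_jsonl(self) -> str:
        """One JSON object per line, the shape of a .jsonl escalation log."""
        return "\n".join(json.dumps(r, sort_keys=True) for r in self.audit)


def build_demo_swarm() -> Swarm:
    # constructed roster: three graduated APEX bots and one still in training
    return Swarm([Bot("alpha", 22), Bot("bravo", 25), Bot("charlie", 20), Bot("delta", 12)])


if __name__ == "__main__":
    s = build_demo_swarm()
    s.propose("demo-1", {"delta": True})                 # non-APEX vote alone: ignored
    s.propose("demo-2", {"alpha": True, "bravo": True})  # 2 of 3 APEX: GREEN -> YELLOW
    print(s.audit_jsonl())
```

Counting the quorum against the roster rather than against the votes cast is the design choice worth noting: if the majority is measured only among bots that happened to vote, a single compromised bot voting alone would be a 100% majority.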

WiFi Dome

Intelligent network threat perimeter — continuous passive scanning of all active connections correlated against live threat intelligence feeds.

  • Real-time monitoring of all TCP/UDP connections via psutil — zero blind spots
  • IOC correlation against 5 live CTI feeds: Feodo, URLhaus, CISA KEV, Tor exits, EmergingThreats
  • Geographic threat mapping — country of origin on every suspicious connection
  • Protocol anomaly detection — DNS tunnelling, HTTPS beaconing, unusual port patterns
  • Automatic threat priority scoring: CRITICAL → HIGH → MEDIUM → LOW
  • Zero-config passive mode — no network tap or mirror port required
  • EventBus integration fires THREAT_DETECTED on every confirmed malicious connection
CORE/network_threat_detector.py INDUSTRY PARITY

Bots Training Camp

A continuous adversarial ML training pipeline. Bots earn XP by correctly detecting MITRE ATT&CK techniques and graduate through 5 tiers to APEX status.

Tier ladder (bot count per tier is populated live on the dashboard): 🥉 BRONZE · 🥈 SILVER · 🥇 GOLD · 💎 PLATINUM · APEX
TRAINING ENGINE
  • 90+ MITRE ATT&CK techniques across Enterprise + ICS matrices
  • Atomic Red Team + Caldera evidence import pipeline
  • Automated training cycles — bots self-improve 24/7
DETECTION QUALITY
  • Z-score (3σ) behavioral baseline — 0 false positives on bursty traffic
  • LSTM anomaly detector for sustained threat patterns
  • Synthetic gap injection — bots trained on techniques they haven't seen
GRADUATION CRITERIA
  • Bronze: Level 5 — basic pattern detection
  • Gold: Level 15 — multi-phase kill chain tracking
  • APEX: Level 20 — authorized for consensus voting + AWS actions
CORE/detection_bridge.py CORE/validation_importer.py LEADS MARKET
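The "Z-score (3σ) baseline" line above is the one piece of detection logic the page describes precisely enough to show. The following added example (not AETHER's detection_bridge.py) scores each new sample against a rolling window and flags it only beyond 3σ; the window length, warm-up length, standard-deviation floor and the two constructed traffic series are assumptions. The point it demonstrates is why a z-score survives bursty traffic: a host that routinely swings between 20 and 80 connections per minute has a wide baseline, so an 80 is normal there, while the same 80 on a flat host is an outlier.

```python
# Added example, not AETHER's detection_bridge.py: a rolling z-score baseline
# with the 3σ threshold from the page. Window size, warm-up length, the std
# floor and the traffic series are constructed assumptions.
import math
from collections import deque
from typing import Deque, List, Optional, Tuple

SIGMA_THRESHOLD = 3.0   # page: Z-score (3σ) behavioral baseline


class ZScoreBaseline:
    def __init__(self, window: int = 30, min_samples: int = 10, std_floor: float = 1.0):
        assert 2 <= min_samples <= window, "need at least two samples for a sample variance"
        self.window: Deque[float] = deque(maxlen=window)
        self.min_samples = min_samples
        self.std_floor = std_floor   # avoids dividing by ~0 on a perfectly flat baseline

    def score(self, x: float) -> Optional[float]:
        """z of x against the current window, or None until warm-up is complete."""
        n = len(self.window)
        if n < self.min_samples:
            return None
        mean = sum(self.window) / n
        var = sum((v - mean) ** 2 for v in self.window) / (n - 1)   # sample variance
        std = max(math.sqrt(var), self.std_floor)
        return (x - mean) / std

    def observe(self, x: float) -> Tuple[Optional[float], bool]:
        z = self.score(x)
        anomalous = z is not None and abs(z) > SIGMA_THRESHOLD
        # Flagged samples are kept out of the baseline so a sustained anomaly
        # cannot slowly drag the mean towards itself (design assumption).
        if not anomalous:
            self.window.append(x)
        return z, anomalous


def flagged_indices(series: List[float], **kw) -> List[int]:
    """Indices of samples that exceed 3σ against the rolling baseline."""
    b = ZScoreBaseline(**kw)
    return [i for i, x in enumerate(series) if b.observe(x)[1]]


# Constructed connection counts per minute: a host that legitimately bursts
# between 20 and 80, then one minute at 400, then back to normal.
BURSTY = [20.0, 80.0] * 10 + [400.0, 50.0]
# Constructed flat baseline where the same value of 80 *is* an outlier.
FLAT = [20.0] * 15 + [80.0]

if __name__ == "__main__":
    print("bursty host flagged at minutes:", flagged_indices(BURSTY))   # [20]
    print("flat host flagged at minutes:  ", flagged_indices(FLAT))     # [15]
```

Keeping flagged samples out of the window prevents baseline poisoning, but it also means a baseline never adapts to a genuine step change in traffic; a production detector needs an explicit re-baseline path (an analyst acknowledgement or a slow secondary window) for that case.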

Big Four Nation-State Defence

AETHER achieves and maintains 100% verified posture against all four primary state-sponsored threat actors — the only platform to unify offence simulation and defence hardening in a single tool.

🇨🇳 China (PRC) · Volt Typhoon · Salt Typhoon · 100% posture · DOMINANT
  Living-off-the-land defence · SMB signing enforced · No reverse tunnels (frpc/ngrok/chisel) · ScriptBlock logging
🇷🇺 Russia · Sandworm · Fancy Bear · 100% posture · DOMINANT
  Wiper target FIM · VSS shadow copies protected · LAN gateway monitoring · Mail spray guard
🇮🇷 Iran · APT33 · Av3ngers · 100% posture · DOMINANT
  ICS ports locked (T0xxx) · FIDO2 enforced · Cloud creds rotated · No unmanaged RMM
🇰🇵 DPRK · Lazarus · Chollima · 100% posture · DOMINANT
  Supply chain lockfiles · Biometric sentry capable · No SaaS C2 tunnels · Social lure awareness
⚡ Automated Hardening

Single API call POST /api/bigfour/defences/harden registers 12 actor IPs + 16 domains into the IOC engine, extends FIM watchlist with wiper targets, applies PowerShell ScriptBlock logging via registry, configures SMB signing — all idempotent and audit-logged.

🎯 Sparring System

39 unique TTPs across Enterprise + ICS matrices seeded as sparring samples — simulates real nation-state TTPs against AETHER's detection engine. Results feed posture scoring in real-time. Re-run anytime: POST /api/bigfour/sparring/run

CORE/bigfour_defenders.py CORE/big_four_posture.py NO COMPARABLE PRODUCT

Phase 2 — Enterprise Expansion Modules

Six new enterprise-grade modules added in Phase 2 — each independently comparable to dedicated standalone products.

🔬 CTI Enrichment
Real-time IOC enrichment from 5 providers. Composite risk score 0–100. Token-bucket rate limiting. 24h TTL cache. Background async queue.
VirusTotal · AbuseIPDB · Shodan · GreyNoise · IP-API
CORE/cti_enrichment.py PARITY: Falcon X

🍯 Honeytokens
6 pre-built credential traps (AWS keys, Azure SP creds, DB passwords, SSH keys) + canary URL. Zero false positives — real users never see these files.
FIM integrated · CTI on trigger · EventBus CRITICAL
CORE/honeytokens.py LEADS: Attivo

⚙️ SOAR Playbooks
6 default playbooks, 11 action types: Slack, Teams, PagerDuty, email, IP block, host isolation, honeytoken redeploy, custom webhook. Full audit trail.
EventBus driven · Custom rules · Ticket system
CORE/soar_playbooks.py PARITY: XSOAR

📋 Compliance Mapper
Maps every AETHER detection to NIST CSF 2.0 (38 controls), Cyber Essentials+ (19), ISO 27001:2022 (25), DORA (11 articles). AUDIT_READY scoring.
NIST CSF 2.0 · CE+ · ISO 27001 · DORA
CORE/compliance_mapper.py LEADS: Mandiant

🌐 Attack Surface Mgmt
Certificate Transparency monitoring, DNS audit, HTTP header audit, Shodan sweep, 300+ typosquat variants checked, domain expiry via RDAP.
crt.sh · DNS DoH · Shodan InternetDB · RDAP
CORE/asm_engine.py PARITY: Censys

🗓️ Purple Team Scheduler
7 built-in schedules, 8 exercise types. Calendar-based adversary simulation running 24/7. Historical posture trend charting over 30/90 day windows.
Automated BAS · Trend analysis · 7 schedules
CORE/purple_team_scheduler.py LEADS: AttackIQ
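The CTI Enrichment card above names three mechanisms that interact in ways worth seeing together: per-provider token-bucket rate limiting, a 24h TTL cache, and a 0–100 composite score. The added example below (not AETHER's cti_enrichment.py) wires them up with constructed stand-in providers instead of live VirusTotal or AbuseIPDB calls, so it runs offline. Bucket sizes, weights, the injected clock, the sample addresses (from the RFC 5737 documentation ranges) and all names are assumptions. It also handles the two edge cases a practitioner cares about: a provider that is rate-limited is reported as skipped rather than silently scored, and an IOC no provider could score gets no verdict instead of a misleading 0.

```python
# Added example, not AETHER's cti_enrichment.py: token-bucket rate limiting,
# a 24h TTL cache and a weighted 0-100 composite score, with constructed
# stand-in providers in place of live API calls.
import time
from typing import Callable, Dict, List, Optional


class TokenBucket:
    """Per-provider rate limiter: each call costs one token."""

    def __init__(self, capacity: int, refill_per_sec: float, clock: Callable[[], float]):
        self.capacity, self.refill, self.clock = capacity, refill_per_sec, clock
        self.tokens = float(capacity)
        self.last = clock()

    def take(self) -> bool:
        now = self.clock()
        self.tokens = min(self.capacity, self.tokens + (now - self.last) * self.refill)
        self.last = now
        if self.tokens >= 1.0:
            self.tokens -= 1.0
            return True
        return False


class TTLCache:
    def __init__(self, ttl_sec: float, clock: Callable[[], float]):
        self.ttl, self.clock, self._d = ttl_sec, clock, {}

    def get(self, key: str) -> Optional[dict]:
        hit = self._d.get(key)
        if hit is None:
            return None
        expires, value = hit
        if self.clock() >= expires:
            del self._d[key]
            return None
        return value

    def put(self, key: str, value: dict) -> None:
        self._d[key] = (self.clock() + self.ttl, value)


Provider = Callable[[str], Optional[float]]  # returns a 0-100 risk, or None if unknown


class Enricher:
    def __init__(self, providers: Dict[str, Provider], weights: Dict[str, float],
                 clock: Callable[[], float] = time.monotonic, ttl_sec: float = 24 * 3600,
                 capacity: int = 4, refill_per_sec: float = 4 / 60):
        self.providers, self.weights, self.clock = providers, weights, clock
        self.cache = TTLCache(ttl_sec, clock)
        self.buckets = {n: TokenBucket(capacity, refill_per_sec, clock) for n in providers}
        self.calls: List[str] = []   # providers actually queried, for audit

    def enrich(self, ioc: str) -> dict:
        cached = self.cache.get(ioc)
        if cached is not None:
            return dict(cached, cached=True)
        scores: Dict[str, float] = {}
        skipped: List[str] = []
        for name, fn in self.providers.items():
            if not self.buckets[name].take():
                skipped.append(name)        # reported, never silently scored
                continue
            self.calls.append(name)
            s = fn(ioc)
            if s is not None:
                scores[name] = max(0.0, min(100.0, float(s)))
        if scores:
            total_w = sum(self.weights[n] for n in scores)
            composite = round(sum(self.weights[n] * s for n, s in scores.items()) / total_w)
        else:
            composite = None                # no verdict rather than a misleading 0
        result = {"ioc": ioc, "composite": composite, "sources": sorted(scores),
                  "rate_limited": skipped, "cached": False}
        if scores:                          # only cache results that carry a verdict
            self.cache.put(ioc, result)
        return result


# Constructed stand-in providers; real ones would call VirusTotal, AbuseIPDB, etc.
def _fake_vt(ioc: str) -> Optional[float]:
    return 90.0 if ioc == "203.0.113.9" else 5.0


def _fake_abuseipdb(ioc: str) -> Optional[float]:
    return 70.0 if ioc == "203.0.113.9" else None


def build_demo(clock: Callable[[], float] = time.monotonic,
               capacity: int = 1, refill_per_sec: float = 0.0) -> Enricher:
    return Enricher({"vt": _fake_vt, "abuseipdb": _fake_abuseipdb},
                    {"vt": 2.0, "abuseipdb": 1.0},
                    clock=clock, capacity=capacity, refill_per_sec=refill_per_sec)


if __name__ == "__main__":
    e = build_demo()
    print(e.enrich("203.0.113.9"))   # both providers answer: composite 83
    print(e.enrich("203.0.113.9"))   # served from cache
    print(e.enrich("198.51.100.7"))  # buckets empty: composite None, both rate_limited
```

The injected clock is what makes the rate limiter and the TTL testable without sleeping; the same pattern is how you would unit-test the real module's 24h expiry.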

Kill Chain Engine

End-to-end MITRE-aligned kill chain detection across 6 phases. Each phase has priority technique sets mapped directly to AETHER's swarm and dome modules.

PHASE 1 · Recon: T1595 · T1592 · T1590 · T1589 · T1598
PHASE 2 · Staging: T1547 · T1546 · T1543 · T1053 · T1078
PHASE 3 · Lateral: T1021 · T1110 · T1550 · T1557 · T1199
PHASE 4 · Collection: T1082 · T1046 · T1083 · T1087 · T1005
PHASE 5 · C2 / Exfil: T1071 · T1573 · T1090 · T1567 · T1048
PHASE 6 · Impact/Grid: T1486 · T1490 · T1485 · T0813 · T0836
Phase 6 includes ICS/OT techniques (T0xxx) for Critical National Infrastructure defence — power grids, water systems, industrial control. Unique to AETHER in this price bracket.
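"Phase correlation" means more than tagging each detection with a phase: the signal is a single host accumulating detections across several phases. The added example below (not AETHER's kill_chain_engine.py or phase_bridges.py) uses exactly the six phase sets listed above, rolls sub-techniques up to their parent ID, and escalates a host once it has touched three distinct phases or any Phase 6 (Impact/Grid, including the ICS T0xxx IDs) technique. The detection stream, the escalation rule and the names are assumptions; techniques outside the page's table are reported as unmapped rather than guessed.

```python
# Added example, not AETHER's kill_chain_engine.py: correlating per-host
# detections across the six phases from the page. The phase table is the
# page's; the sample stream, the escalation rule and all names are assumptions.
from collections import defaultdict
from typing import Dict, Iterable, List, Optional, Set, Tuple

PHASES: Dict[int, Tuple[str, Set[str]]] = {
    1: ("Recon",       {"T1595", "T1592", "T1590", "T1589", "T1598"}),
    2: ("Staging",     {"T1547", "T1546", "T1543", "T1053", "T1078"}),
    3: ("Lateral",     {"T1021", "T1110", "T1550", "T1557", "T1199"}),
    4: ("Collection",  {"T1082", "T1046", "T1083", "T1087", "T1005"}),
    5: ("C2 / Exfil",  {"T1071", "T1573", "T1090", "T1567", "T1048"}),
    6: ("Impact/Grid", {"T1486", "T1490", "T1485", "T0813", "T0836"}),  # T0xxx = ICS
}
TECHNIQUE_TO_PHASE = {t: p for p, (_, techs) in PHASES.items() for t in techs}


def phase_of(technique: str) -> Optional[int]:
    """Phase for a technique ID; sub-techniques (T1053.005) roll up to the parent."""
    return TECHNIQUE_TO_PHASE.get(technique.split(".")[0])


def correlate(detections: Iterable[Tuple[str, str]], min_phases: int = 3) -> Dict[str, dict]:
    """Group (host, technique) detections and decide per host whether to escalate."""
    per_host: Dict[str, Set[int]] = defaultdict(set)
    unmapped: Dict[str, List[str]] = defaultdict(list)
    for host, tech in detections:
        p = phase_of(tech)
        if p is None:
            unmapped[host].append(tech)     # outside the page's table: surfaced, not guessed
        else:
            per_host[host].add(p)
    report: Dict[str, dict] = {}
    for host in set(per_host) | set(unmapped):
        phases = sorted(per_host.get(host, set()))
        # Rule (assumption): breadth across phases, or any Impact/Grid hit, escalates.
        escalate = len(phases) >= min_phases or 6 in phases
        report[host] = {
            "phases": phases,
            "names": [PHASES[p][0] for p in phases],
            "deepest": max(phases) if phases else 0,
            "escalate": escalate,
            "unmapped": unmapped.get(host, []),
        }
    return report


# Constructed detection stream: one workstation walking the chain, one ICS
# gateway with a single Impact/Grid hit, one server with a lone Collection hit
# plus a technique the page's table does not cover.
SAMPLE_DETECTIONS = [
    ("ws-17", "T1595"), ("ws-17", "T1078"), ("ws-17", "T1021"), ("ws-17", "T1071"),
    ("plc-gw-02", "T0813"),
    ("db-01", "T1082"), ("db-01", "T1003"),
]

if __name__ == "__main__":
    for host, info in sorted(correlate(SAMPLE_DETECTIONS).items()):
        print(host, info)
```

Escalating on breadth (three phases) rather than on the deepest phase alone is deliberate: a host at Phase 5 with no earlier-phase evidence is usually a false positive or a missed earlier detection, and the report's `deepest` field lets an analyst tell those apart.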

Competitive Edge

AETHER leads or matches enterprise platforms costing 10× more — and uniquely combines offence simulation, automated hardening, and compliance in one deployable package.

AETHER UNIQUE ADVANTAGES
  • Only platform with automated Big Four nation-state hardening
  • Bot graduation system — bots improve continuously without human tuning
  • ICS/OT kill chain coverage (T0xxx) — rare at SME price point
  • Full source — no vendor lock-in, runs on your own infrastructure
  • Single deployable package — no multi-product integration required
CAPABILITY | AETHER | CrowdStrike | SentinelOne | Darktrace | Palo Alto
Nation-State Intelligence | ✓ 100% automated | ✓ Intel only | ◑ Partial | ◑ Partial
AI/ML Detection Engine | ✓ LSTM + z-score | ✓ Industry leader
SOAR Automation | ✓ Built-in | ◑ Add-on cost | ◑ Add-on | ◑ Limited | ✓ XSOAR
Deception / Honeytokens | ✓ Built-in | ◑ Add-on
Attack Surface Management | ✓ Built-in | ◑ Recon (premium) | ◑ Add-on | ◑ Cortex XPANSE
Compliance Mapping | ✓ 4 frameworks | ◑ Limited | ◑ Basic | ◑ Prisma
Purple Team / BAS | ✓ Automated scheduler | ◑ Premium tier | ◑ Add-on
ICS / OT Coverage | ✓ T0xxx TTPs | ◑ Limited | ◑ IoT module
Open / Self-hosted | ✓ Your infrastructure | ✗ SaaS only | ✗ SaaS only | ✗ SaaS only | ✗ SaaS only
(Rows with fewer than five vendor entries had blank cells in the source table; which vendor column was blank is not preserved here.)

Deployment — Single Node or Multi-Node

AETHER ships as a single directory. The installer handles everything — Python, venv, dependencies, service registration, firewall, and health check.

Single Node (60 seconds)
  1. Copy UPLOAD_PACKAGE/ to your server or git clone the repo
  2. Run the installer: powershell AETHER_INSTALLER.ps1
  3. Add API keys to .env (VT, AbuseIPDB, Slack webhook)
  4. Open http://localhost:8900 — dashboard live

    # Single node install
    powershell -ExecutionPolicy Bypass .\AETHER_INSTALLER.ps1
    # Multi-node deploy (WinRM)
    .\AETHER_INSTALLER.ps1 -Nodes node1,node2,node3
    # Install as Windows Service
    .\AETHER_INSTALLER.ps1 -AsService
    # Update existing installation
    .\AETHER_INSTALLER.ps1 -Update
System Requirements
  • Python: 3.11+ (3.14 tested)
  • OS: Windows 10/11, Windows Server 2019+, Ubuntu 22+
  • RAM: 2GB minimum, 4GB recommended
  • Disk: 500MB + log storage
  • Port: 8900 (configurable via AETHER_PORT)
  • Network: Outbound HTTPS for CTI feeds (optional)
  • AWS: boto3 credentials optional (enables EC2/IAM actions)
Multi-Node Architecture

Deploy one AETHER node per site/segment. Each node runs its own swarm and reports to a central dashboard. WinRM-based multi-node push deployment included in AETHER_INSTALLER.ps1 -Nodes.

Ready to Deploy?

AETHER installs in under 60 seconds. No SaaS. No per-seat licensing. No vendor lock-in. Your infrastructure, your data, your control.

🏆 100% Big Four Posture · ⚡ 90+ MITRE Techniques · 🛡️ 4 Compliance Frameworks · 🤖 Multi-agent Swarm · 🌐 Full Source Code