Shadow Obsidian
Self-hosted SIEM/XDR console that replaces eight to fifteen separate security tools with one operator workspace — live packet capture, OSINT investigation, honeypot deception, and PDF reporting on a single Docker Compose stack you run on your own hardware.

The average security team runs eight or more separate tools to answer one question: "is anything weird happening on our network right now?" One console that puts packet capture, behavioural baselines, OSINT investigation, dark-web search, and offensive tooling on the same database and the same UI replaces all of them. It runs on the operator's own hardware, sees every device on the LAN in real time, and never ships telemetry to a third-party cloud.
The problem it solves
The 2024 IBM Cost of a Data Breach report puts the average breach at $4.88M and the mean time to identify and contain one at 258 days; the 2024 Verizon DBIR finds that 68% of breaches still involve a human element. The reason is not a shortage of products: the typical security team juggles ten to fifteen separate tools across three or four dashboards. Detection is delayed because no single operator can mentally correlate Nmap scans, Wireshark output, breach-database lookups, honeypot logs, and dark-web mentions across that many UIs in real time.
Replacing that fragmented stack with an enterprise NDR product means $50K-$200K per year per site, a cloud dependency you cannot undo, and a vendor that owns your packet metadata. For an SME or a government department running on a $100K total annual security budget — never mind a defense customer that legally cannot ship telemetry to a US-based cloud — that path is closed. The market gap is the operator who needs Darktrace-class capability without the Darktrace bill and without the cloud.
Who needs this most
- CISOs at 50-500-person companies running on a $250K-$1M security budget who get asked "are we owned right now?" by the board every quarter, and who cannot afford a six-figure NDR contract to answer it.
- MSP and MSSP owners managing 5-30 client networks who need a defensible monthly report and a single console their analysts can live in across every client, not a different vendor for each.
- Government, defense, and regulated-industry teams (MilTech, GovTech, sovereign-jurisdiction FinTech regulators) that legally or politically cannot put network telemetry into a US-based SaaS, but still need real-time NDR, breach correlation, and deception infrastructure.
- Solo security operators and pentest consultancies running multi-week engagements who want one workspace for reconnaissance, scanning, breach lookup, and reporting — not a desktop full of terminal tabs.
The moment of pain: 9 AM on the Monday after a weekend incident, when the operator has four hours to assemble what actually happened from logs scattered across eight systems, with an executive briefing scheduled at noon.
The solution — in plain terms
Shadow Obsidian is a security operations console for teams that want serious visibility without an enterprise contract. It runs on a single Linux server, watches every device on the network, investigates suspicious actors with the same OSINT tools a forensic analyst would reach for, and runs honeypots and stress tests so a team can verify its defenses — all from one browser tab. Everything that happens, happens on the operator's hardware. Nothing leaves the network unless the operator chooses.
The platform is structured around three vectors. NET is real-time network intelligence — live packet capture via Scapy, ARP-resolved device inventory, TLS SNI extraction, DNS tunneling detection via Shannon entropy, traffic geolocation, and a Shadow Map that classifies every device on the LAN by category (computers, phones, IoT, servers, network gear). OSINT is investigation tooling — thirteen live engines including Sherlock, Maigret, Holehe, breach lookups via XposedOrNot, dark-web search across seven engines routed through a built-in Tor SOCKS proxy, and a knowledge-base layer that links persons, organizations, domains, and IPs into a single connected graph. OFFSEC is the offensive and defensive toolkit — Nmap port scanning, Nikto and Dirb web audits, an NVD 2.0-backed CVE lookup, an Exploit-DB index of roughly 47,000 entries, a Cowrie SSH honeypot sidecar, canary tokens with real beacon URLs, and a lab-mode phishing simulator that produces campaigns but never auto-sends.
Every event in one vector pivots into the next. A new attacker IP hitting the SSH honeypot raises an alert in NET and offers a one-click OSINT lookup on that IP. A breach record found in OSINT can be attached to a person record in the knowledge base. An Nmap scan result feeds the CVE lookup with the exact service versions detected. The whole thing replaces the Wireshark + Nmap + Sherlock + Have-I-Been-Pwned + Cowrie + Nikto + custom-Slack-bot stack that most teams accrete over years.
Value delivered — what you get
- Cut the security tool stack from eight-to-fifteen products to one console — packet capture, device inventory, OSINT, breach lookup, vulnerability scanning, honeypots, canary tokens, and PDF reporting share one database and one UI.
- Replace $50K-$200K per year in NDR licensing — the platform self-hosts on a single Linux server with no per-seat fee, no per-device meter, no cloud telemetry tax.
- Cut breach investigation from days to a single afternoon — when an IP hits the honeypot, OSINT lookup, breach search, and CVE correlation are one click away from the alert, not three tools and four logins.
- Detect DNS tunneling, SNI-leak exfiltration, and shadow IT with deterministic math — Shannon entropy analysis on DNS subdomains and traffic patterns surfaces covert channels that a signature-based IDS has no rule for, and because the score is plain arithmetic an analyst can see exactly why a query tripped it instead of trusting an opaque verdict.
- Investigate persons and organizations with thirteen OSINT engines from one search bar — Sherlock and Maigret cover 400+ platforms, Holehe checks email registration, XposedOrNot pulls breach history, dark-web search routes through a built-in Tor proxy.
- Run defensible deception infrastructure that pivots straight into investigation — Cowrie SSH honeypot and canary token hits create alerts in NET and pre-fill an OSINT investigation on the attacker IP.
- Generate audit-grade PDF reports from live data — the OUT vector aggregates real alerts, scans, honeypot events, canary hits, and OSINT searches into a board-ready PDF per case or per timeframe.
- Keep telemetry on your own hardware — runs offline, runs air-gapped, runs in a sovereign jurisdiction; no SaaS dependency anywhere in the data path.
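Here is what the entropy rule in the DNS-tunneling bullet above looks like in practice, as an added example written for this page rather than Shadow Obsidian's own code: a per-query Shannon entropy score over the subdomain part of each DNS name, aggregated per apex domain before anything is flagged. The threshold, the minimum label length, the two-label apex rule and every query name are constructed assumptions for the example; the exfil labels are generated stand-ins for base32-encoded payload chunks, not captured traffic. The aggregation step is the caveat a practitioner wants: a long human-readable hostname scores above the threshold on character entropy alone, so flagging on a single query would page an analyst for a marketing subdomain.

```python
"""Shannon-entropy screen for DNS-tunnelling candidates.

Added illustration for this page, not Shadow Obsidian's own code. The
thresholds and every query name below are constructed for the example.
"""
import math
from collections import Counter, defaultdict

ENTROPY_THRESHOLD = 3.5  # bits per character; assumed tuning value, not the product's
MIN_SUBDOMAIN_LEN = 20   # short labels cannot carry much payload anyway
SUFFIX_LABELS = 2        # assumption: apex = last two labels (wrong for co.uk etc.)


def shannon_entropy(s: str) -> float:
    """Entropy of s in bits per character; 0.0 for the empty string."""
    if not s:
        return 0.0
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


def split_qname(qname: str) -> tuple:
    """Return (subdomain with dots removed, apex) for a query name."""
    labels = qname.rstrip(".").lower().split(".")
    if len(labels) <= SUFFIX_LABELS:
        return "", ".".join(labels)
    return "".join(labels[:-SUFFIX_LABELS]), ".".join(labels[-SUFFIX_LABELS:])


def score_query(qname: str) -> dict:
    """Per-query verdict: the subdomain is both long AND high-entropy."""
    sub, apex = split_qname(qname)
    ent = shannon_entropy(sub)
    return {
        "qname": qname,
        "apex": apex,
        "subdomain_len": len(sub),
        "entropy": round(ent, 3),
        "suspicious": len(sub) >= MIN_SUBDOMAIN_LEN and ent >= ENTROPY_THRESHOLD,
    }


def detect_tunnels(qnames, min_unique_hits: int = 3) -> dict:
    """Aggregate per apex: count DISTINCT suspicious subdomains.

    Per-query entropy alone false-positives on long human-readable
    hostnames. A tunnel is many different high-entropy labels under one
    apex, so an apex is only reported once it has min_unique_hits of them.
    """
    hits = defaultdict(set)
    for q in qnames:
        v = score_query(q)
        if v["suspicious"]:
            hits[v["apex"]].add(v["qname"].lower())
    return {apex: len(subs) for apex, subs in hits.items() if len(subs) >= min_unique_hits}


# --- constructed sample traffic (not captured) -------------------------
BASE32 = "abcdefghijklmnopqrstuvwxyz234567"


def fake_exfil_label(i: int, length: int = 40) -> str:
    """Stand-in for a base32-encoded payload chunk. A stride over the
    alphabet gives the near-uniform symbol mix a real encoder produces,
    without needing a random source in the example."""
    return "".join(BASE32[(7 * j + 3 * i) % 32] for j in range(length))


SAMPLE_QUERIES = [
    "www.example.com",
    "api.github.com",
    "d1a2b3c4d5e6f7.cloudfront.net",   # short CDN hash: below MIN_SUBDOMAIN_LEN
    "s1._domainkey.example.com",       # DKIM selector: too short to flag
    "long-marketing-hostname-for-campaign-2024.example.com",  # long, human-readable
] + [f"{fake_exfil_label(i)}.exfil-c2.example" for i in range(5)] \
  + [f"{fake_exfil_label(0)}.exfil-c2.example"]  # a repeat: counted once


if __name__ == "__main__":
    for q in SAMPLE_QUERIES:
        v = score_query(q)
        print(f"{str(v['suspicious']):5} {v['entropy']:5.2f} {v['subdomain_len']:3d} {q}")
    print("flagged apexes:", detect_tunnels(SAMPLE_QUERIES))
```

Run it directly to print the per-query table: the long marketing name is marked suspicious on its own, but only exfil-c2.example comes back from detect_tunnels because it alone has several distinct high-entropy labels. In a live pipeline the input would be the qname of each sniffed DNS query, and a real public-suffix list would replace the two-label apex rule.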
Where it delivers outsized value
- SMEs and 50-500-person companies with a real security budget but no Darktrace-class spend, where one CISO has to defend the network and report to the board with the same tool.
- Managed security providers (MSP / MSSP) with 5-30 client networks who need a single console across every client and a defensible white-label PDF report at the end of every month.
- Government, defense, and regulated FinTech where a US-based cloud is legally or politically off-limits, and where the operator needs full sovereignty over packet metadata, breach lookups, and investigation records.
- Solo operators and boutique consultancies running multi-week pentest or DFIR engagements who would otherwise scatter findings across ten terminal tabs and a Google Doc.
Distinctive features — why this over the alternatives
- PROBE / TRAP / DRILL / OUT operational grouping in OFFSEC — tools that need written target authorization (PROBE) live separately from tools that run continuously on the operator's own infrastructure (TRAP) and from tools that need a per-run legal scope (DRILL). Safety rails are baked into the architecture, not bolted on as policy.
- Cross-vector glue baked into the data model — a single attacker IP hits the Cowrie honeypot, raises an OFFSEC alert, surfaces in NET's alert feed, and offers a one-click OSINT IP-intel pivot. Three vectors, one investigation thread.
- Real-time packet pipeline with deterministic detection — Scapy capture feeds DNS sniffing, SNI extraction from TLS ClientHello, ARP-based device inventory, and Shannon-entropy-based DNS tunneling detection. Detection rules are explainable math, not opaque ML scores.
- Built-in Tor proxy plus seven-engine dark-web and leak-site search — Ahmia (onion search), Paste, Gist, Wayback, Doxbin, Telegram-channel leaks, and IntelX queried from one search bar, with .onion result fetches routed through a sidecar Tor SOCKS proxy.
- OSINT knowledge base with structured cross-linking — persons, organizations, domains, and IPs are first-class records with typed links (employee_of, owns_domain, resolves_to). The polygon-layout investigation graph compares 3-7 entities side-by-side and surfaces shared platforms, emails, and breaches automatically.
- Privacy-mode kill switch — one click drops a full-screen overlay over every panel so a screen-share in a meeting does not leak live OSINT data, customer names, or investigation findings.
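A minimal parser for the SNI-extraction step named in the packet-pipeline bullet, as an added example and not Shadow Obsidian's code: it walks a TLS ClientHello record down to the server_name extension and returns None rather than guessing when the record is not a ClientHello, the capture is truncated, or the client sent no SNI. The builder that produces the test input is part of the example so the block runs offline; the record it builds is a constructed, stripped-down ClientHello, not a packet captured from any real client.

```python
"""TLS ClientHello SNI extraction.

Added example for this page, not Shadow Obsidian's own parser. The
ClientHello built by build_client_hello() is a constructed, minimal
record for exercising the parser offline; nothing here is captured traffic.
"""
import struct
from typing import Optional

SERVER_NAME_EXT = 0x0000  # RFC 6066 server_name extension type


def build_client_hello(sni: Optional[str], session_id: bytes = b"") -> bytes:
    """Constructed minimal TLS ClientHello (record header + handshake header)."""
    exts = b""
    if sni is not None:
        host = sni.encode("idna")
        entry = b"\x00" + struct.pack("!H", len(host)) + host  # name_type 0 = host_name
        sni_list = struct.pack("!H", len(entry)) + entry
        exts += struct.pack("!HH", SERVER_NAME_EXT, len(sni_list)) + sni_list
    # one more extension the parser has to skip (supported_versions, 0x002b)
    exts += struct.pack("!HH", 0x002B, 3) + b"\x02\x03\x04"
    body = (
        b"\x03\x03"                                   # client_version TLS 1.2
        + bytes(range(32))                            # 32-byte random (fixed, constructed)
        + bytes([len(session_id)]) + session_id
        + struct.pack("!H", 4) + b"\x13\x01\x13\x02"  # two cipher suites
        + b"\x01\x00"                                 # compression_methods: null only
        + struct.pack("!H", len(exts)) + exts
    )
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body  # type 1 = ClientHello
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake


def extract_sni(data: bytes) -> Optional[str]:
    """Return the host_name from a ClientHello record, or None.

    None means "no verdict": a non-handshake record, a truncated capture
    (for example a ClientHello split across TCP segments), or a client that
    sent no SNI at all. Never guess from a partial record.
    """
    try:
        if len(data) < 5 or data[0] != 0x16:          # 0x16 = handshake record
            return None
        rec_len = int.from_bytes(data[3:5], "big")
        rec = data[5:5 + rec_len]
        if len(rec) < rec_len:                         # truncated record
            return None
        if rec[0] != 0x01:                             # not a ClientHello
            return None
        hs_len = int.from_bytes(rec[1:4], "big")
        hs = rec[4:4 + hs_len]
        if len(hs) < hs_len:
            return None
        pos = 2 + 32                                   # client_version + random
        pos += 1 + hs[pos]                             # session_id
        pos += 2 + int.from_bytes(hs[pos:pos + 2], "big")   # cipher_suites
        pos += 1 + hs[pos]                             # compression_methods
        if pos + 2 > len(hs):                          # no extensions block
            return None
        end = pos + 2 + int.from_bytes(hs[pos:pos + 2], "big")
        pos += 2
        if end > len(hs):
            return None
        while pos + 4 <= end:
            etype = int.from_bytes(hs[pos:pos + 2], "big")
            elen = int.from_bytes(hs[pos + 2:pos + 4], "big")
            edata = hs[pos + 4:pos + 4 + elen]
            if len(edata) < elen:
                return None
            pos += 4 + elen
            if etype != SERVER_NAME_EXT:
                continue
            # ServerNameList: u16 list_len, then (u8 name_type, u16 name_len, name)*
            lst = edata[2:2 + int.from_bytes(edata[0:2], "big")]
            p = 0
            while p + 3 <= len(lst):
                ntype = lst[p]
                nlen = int.from_bytes(lst[p + 1:p + 3], "big")
                name = lst[p + 3:p + 3 + nlen]
                if len(name) < nlen:
                    return None
                p += 3 + nlen
                if ntype == 0:
                    return name.decode("ascii")
        return None
    except (IndexError, UnicodeDecodeError):
        return None


if __name__ == "__main__":
    print(extract_sni(build_client_hello("login.example.com")))
    print(extract_sni(build_client_hello(None)))
```

In a Scapy sniffer the input would be bytes(pkt[TCP].payload) of the first client segment on port 443; a ClientHello split across TCP segments shows up here as a truncated record and yields None, so a production pipeline reassembles the stream before calling this.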
Under the hood — built to last
The platform runs on boring, well-supported foundations. FastAPI on Python 3.12 for the backend, PostgreSQL 16 for the durable store, Redis 7 for the cache layer, React 18 with TypeScript 5.6 and Vite on the frontend. The whole stack ships as a Docker Compose file with seven services — backend, frontend, Postgres, Redis, a SearxNG meta-search sidecar with 26 search engines configured, a Tor SOCKS proxy for dark-web fetches, and a Cowrie SSH honeypot — and stands up on a single VPS or air-gapped on-premise server with one command. Packet capture uses Scapy via libpcap; OSINT engines integrate Sherlock, Maigret, and Holehe as supported upstream tools rather than custom forks. No SaaS in the data path, no telemetry phoned home, no license server to call out to.
Current maturity
Active development since 2026-03-04, last activity 2026-04-27. The codebase is roughly 50,200 LOC across 240 source files — 25,100 LOC of Python in the backend (163 modules) and 25,100 LOC of TypeScript and TSX in the frontend (77 modules) — backed by 21 SQLAlchemy models, 30+ API routers, and 7 Docker services. The NET vector is 100% real: packet capture, device inventory, DNS sniffing, alerts, and dashboards all serve live data with no mock paths anywhere. The OFFSEC vector reached 100% real at the end of Session 12 — all eleven tabs hit real services (Nmap, Nikto, Dirb, John, the NVD 2.0 API, an Exploit-DB index of roughly 47,000 entries, the Cowrie sidecar, canary beacons, lab-mode phishing). The OSINT vector is 90% real with thirteen live engines across the person, domain, IP, breach, and dark-web tabs; the remaining surface (Repo Audit, advanced monitoring scheduling, API-key management UI) is the next milestone. The product runs in operator environments today; it is not yet packaged for one-click commercial deployment.
Roadmap — what's next
The near-term path lifts Shadow Obsidian from operator-grade dev tool to a packaged product. The first revenue line is a self-hosted Pro tier for solo operators and small consultancies — license-key activation, official Docker images, and the OSINT vector closing to 100% real. The second is a Team and MSP tier with multi-tenant isolation, white-label PDF reporting, and a multi-site aggregation view, aimed directly at managed-service providers running 5-30 client networks. The third is a sovereign-deployment package for government, defense, and regulated FinTech customers — air-gap install media, formal compliance documentation, and a contracted support SLA.
Beyond that, the longer-arc work is a user-defined alert-rules engine, NetFlow and sFlow ingestion from routers, and SIEM integrations (Splunk, ELK, Sentinel) that let Shadow Obsidian act as the operator console on top of an existing telemetry stack. Each of those lines is grounded in a real customer ask, not speculative scope.
Working with the architect
Three engagement modes apply to this project. A company that wants a SIEM/XDR built on this architecture — tuned to a specific industry, integrated with specific telemetry sources, or rebranded for an MSP product — can commission a custom build on the existing codebase. A team that already runs its own security platform can extend their stack with the cross-vector glue, the OSINT knowledge base, or the real-time packet pipeline as a module. And a CISO or government client building an equivalent internal capability can engage in strategic advisory on architecture, OSINT methodology, or operator-console UX. Reach out via sintegrium.io or LinkedIn for a 30-minute scoping call.
Built by Yurii Staryk · Solution Ecosystem Architect