TraceLock is a defensive FIND EVIL! build: a read-only incident-response agent harness that turns case events into evidence-backed findings, catches weak claims, and re-runs a focused second pass when the first analysis leaves gaps.
It is intentionally small, reproducible, and audit-heavy. Every finding has:
- a source event id,
- a tool name,
- a confidence level,
- a SHA-256 evidence hash,
- a self-check note,
- and a final status of confirmed, needs-corroboration, or rejected.
Public support demo: https://voiddo.com/devpost/find-evil/ Public repository: https://github.com/voidd0/tracelock-find-evil
FIND EVIL! asks for autonomous defensive analysis that behaves more like a senior analyst and less like a chatbot. TraceLock focuses on three qualities:
- Evidence integrity: the harness never writes into the case file and logs every tool result with a hash.
- Self-correction: if a finding lacks a corroborating event, the agent launches a targeted second pass instead of pretending the first answer is enough.
- Audit trail quality: the output can be traced from summary to finding to exact input event.
python3 tracelock.py --case cases/demo_case.json --out output/latest.jsonThen open index.html or serve it:
python3 -m http.server 8098This first package uses structured demo case data and a deterministic local agent loop. The next required FIND EVIL step is to run against SIFT/Protocol SIFT case material and attach terminal video evidence.
The splunk-ops/ subdirectory extends TraceLock for Splunk teams.
TraceLock Ops takes a Splunk-style alert bundle (ESCU notable + raw events) and produces:
- evidence-linked findings, each citing exact event IDs and SHA-256 hashes
- contradictions and missing-proof warnings surfaced explicitly
- next SPL/MCP search proposals as planned actions, not executed ones
- a responder-ready handoff summary
Three-case accuracy suite (all perfect):
- Account takeover — P=1.0, R=1.0
- Ransomware staging — P=1.0, R=1.0
- Insider exfiltration — P=1.0, R=1.0
Public demo: https://voiddo.com/devpost/splunk-agentic-ops/
cd splunk-ops
python3 run_suite.py # runs all 3 cases, writes output/accuracy_report.jsonMCP integration: when SPLUNK_URL and SPLUNK_TOKEN are set, splunk_mcp.py calls the official Splunk MCP Server for live searches. Without credentials, responses are marked stub_no_auth instead of silently faking success.
Built by vøiddo — a small studio shipping AI-flavoured products, free dev tools, Chrome extensions and weird browser games.