514 security tools. 8 operational modes. One AI that understands them all. Dagda is the cybersecurity command platform that watches, hunts, traps, and fights — with safeguards that cannot be overridden.
The average security team juggles 25–50 separate tools. Different CLIs, different output formats, no shared context. Your nmap scan doesn't know about your Suricata alerts. Your forensics don't inform your hardening. Every context switch is a gap an attacker can exploit.
90% of alerts are noise. Without cross-source correlation, every anomaly looks the same. You're context-switching between dashboards, losing the thread of actual attacks while chasing false positives. The real breach hides in the flood.
Senior analysts are expensive and scarce. Junior analysts need months of mentoring. Offensive skills atrophy without practice environments. Knowledge walks out the door with every resignation. Your team's ceiling is your most experienced member.
"You don't need more tools. You need one platform that makes every tool intelligent."
Named for the Irish god who carried a club that could kill with one end and heal with the other. Dagda doesn't just detect threats — it understands, correlates, responds, and teaches.
Claude API primary, Ollama offline fallback. Not a chatbot — an autonomous agent with 514 tools, a knowledge graph, Bayesian threat networks, and temporal correlation. Distributed Crow agents extend its reach across your fleet. It doesn't just alert you. It defends you.
Bug bounty hunting, purple team training, honeypot operations, and automated incident response — all behind a safeguard system that makes misuse structurally impossible. The same platform for red, blue, and purple.
Ollama local LLM fallback means Dagda works in SCIF environments, classified networks, and air-gapped labs. No cloud dependency. No telemetry. Your data never leaves your machine.
Educational layer with 8 attack anatomies, 5 guided investigation workflows, and an Arena mode that turns real detected attacks into training scenarios. Your team gets better every day without leaving the platform.
Each mode unlocks a different capability set with its own safeguard requirements. Switch modes to match your mission. The AI adapts its tool suggestions, risk tolerance, and operational posture accordingly.
Monitors CPU, memory, disk, network, and processes in real time. Detects brute force attacks, ARP spoofing, rogue DHCP, port scans, and DNS anomalies. Responds autonomously — blocks IPs, kills suspicious processes, quarantines files — then explains exactly why it acted.
SOC Level 1 workflow. Assess alerts quickly, determine severity, escalate or close. Speed and accuracy matter most — don't investigate deeply here. Escalate to INVESTIGATOR for analysis or INCIDENT COMMANDER for response.
OSINT, disk and memory forensics, evidence chain of custody, threat intel correlation. Every artifact is hash-verified, every finding cross-referenced through the Knowledge Graph. Passive by default — observe without disturbing.
Deploy honeypots, canary tokens, fake credentials, breadcrumbs, and decoy files. Track and profile attackers in real time. Extract TTPs, credentials, and payloads. Disruption actions (sinkhole, tarpit) require the counter-intel toggle.
Every packet checked against your target whitelist. Nuclei scanning, SQLi/XSS/LFI/SSTI testing, API security (GraphQL, JWT, OAuth), and web crawling — all with responsible disclosure workflows built in. DNS resolution verified to prevent scope escape.
Full offensive capabilities in network-isolated VMs. 5 pre-built multi-VM scenarios. PvP (red vs blue) and PvT (player vs target) game modes with scoring, leaderboards, and AI coaching. Real attacks detected by Sentinel auto-generate new training scenarios.
Full incident response lifecycle. Case management, evidence collection, containment actions, timeline reconstruction, and response playbook execution. Coordinate from detection through remediation.
Absolute undetectability. Anti-detection layer with timing jitter, SOCKS5 routing, user-agent rotation, and DoH rotation. Cryptographic evidence vault with SHA-256 Merkle trees and Bitcoin timestamp anchoring. Secure session cleanup with multi-pass overwrite.
Five safeguard levels control what the AI can do. Raising safety is instant and unrestricted. Lowering it requires deliberate, auditable escalation. The AI cannot override its own constraints.
Not a wrapper around an LLM. A full cognitive security architecture with a Rust-enforced permission boundary, intelligence fusion engines, and a deep integration ecosystem.
Permission gate, sandbox engine, audit logger, and crypto module — all in Rust via PyO3. Memory-safe, zero-cost abstractions, tamper-resistant. Python fallbacks for cross-platform development.
Not a chatbot wrapper. A full cognitive architecture with persistent memory, probabilistic reasoning, and cross-module intelligence fusion across 13 bridges.
Speaks every protocol. Integrates with the tools your team already uses. Each integration follows the same pattern: detect, health-check, run, parse, ingest.
9-step guided configuration: security assessment, profile selection (Minimal / Standard / Hardened / Paranoid), tool detection for 20 security tools, automatic installation of missing dependencies, OS optimization, and ML model setup.
Sentinel mode activates automatically. Your system is now being monitored. The AI HUD provides real-time interpretations in a bottom panel.
Natural language interaction. Ask questions, request scans, investigate threats. The AI selects the right tools, correlates findings, and builds a persistent knowledge graph.
Add honeypots. Set up bug hunting scope. Train your team in the Arena. Deploy the web dashboard for your SOC. Every feature unlocks deliberately through the safeguard system — never by accident.
nmap, Burp, Suricata, Zeek — they're each great at one thing. Dagda orchestrates all of them through a single AI that maintains context across every tool, correlates findings automatically through a knowledge graph, and builds a persistent model of your environment that gets smarter with every scan.
SIEMs collect and search. Dagda thinks. It runs Bayesian threat assessment, temporal correlation, behavioral fingerprinting — and then acts. It deploys honeypots, hardens systems, and responds to incidents. SIEMs show you dashboards. Dagda defends you.
They wrap an LLM around a few API calls. Dagda has 514 tools, a Rust-enforced permission gate, scope-locked targeting, hash-chained audit logs, and 8 unbreakable guardrails. This isn't AI for security theater. This is AI for professionals who understand the stakes.
AGPL-3.0. Read every line. Audit every decision. Fork it, modify it, contribute to it. The core is free forever.
1069 Python tests + 33 Rust tests. CI/CD with GitHub Actions. We test the safety systems as hard as the features.
Zero data collection. No analytics. No phone-home. Air-gap compatible with Ollama local LLM. Your data never leaves your machine.
Signed releases, threshold signatures, and no automatic updates. You verify before you deploy. No surprises.
Dagda monitors its own integrity. SHA-256 baseline verification of all source files on startup, CycloneDX SBOM of its own dependencies, and a 10-point self-hardening audit. If critical files are tampered with, Dagda halts before loading.
The Community Edition is genuinely complete — not a crippled trial. Every tool, every mode, every safeguard. Enterprise adds multi-user collaboration and support.
The only question is whether you know about it.