Windows security systems and research tooling.

A catalog of TITAN projects spanning endpoint telemetry, malware analysis, binary reconnaissance, defensive validation, syscall research, and supporting operator tooling.

Capability Index

Blackbird

TITAN's primary Windows analysis platform: a kernel-backed malware analysis and DFIR environment built around driver telemetry, usermode instrumentation, ETW, memory and process inspection, detection-chain correlation, capture review, exportable evidence, and an operator interface for deep session analysis.

Mission
Kernel-backed endpoint visibility for malware analysis, DFIR triage, detection engineering, and session evidence production
Surface
KMDF driver, usermode sensor, controller, runner, analyst interface, and AES validation suite
Output
Event timelines, API and ETW telemetry, memory/process views, detection chains, audit artifacts, captures, and exports

RESX

Windows binary analysis workbench that compresses a mini-disassembler, dumpbin-style PE and export inspection, symbol lookup, CFG recovery, pseudo-C reconstruction, API reference discovery, syscall stub review, scan workflows, and JSON automation output into one focused toolkit.

Mission
Turn first-look reversing into a repeatable workflow: inspect PE structure, disassemble targets, resolve symbols, recover CFG, and surface API relationships
Surface
Rust CLI, VS Code binary viewer, command palette workflows, scan commands, and documented JSON schemas
Output
Function dumps, PE metadata, export and symbol maps, API reference views, CFG records, reconstructed pseudo-C, scan rankings, and machine-readable reports

ActiveBreach Engine

Controlled Windows syscall research framework for authorized adversary emulation, detection validation, and telemetry-fidelity work at the user-to-kernel execution boundary.

Mission
Evaluate monitoring assumptions around API hooks, syscall dispatch, and EDR-visible behavior
Surface
C, C++, and Rust trims with a Rust SDK, C ABI, static and dynamic library integration paths
Output
Controlled syscall execution primitives, feature modes, exported symbols, and integration examples

Vigil

Focused Windows telemetry utility for watching protected filesystem access through ETW, giving defenders a compact way to observe untrusted process activity around sensitive resources.

Mission
Surface suspicious protected-resource access without turning a narrow sensor into a full endpoint platform
Surface
Windows ETW collection, protected-path observation, process context, and lightweight operator review
Output
Filesystem access events, process identifiers, resource context, and focused telemetry for blue-team review

Vesuki

Rust control-flow hardening and anti-analysis research that uses proc-macro transforms to reshape function execution into dispatcher-style paths with randomized structural noise.

Mission
Raise the cost of static analysis and reversing for selected Rust functions through repeatable compile-time transforms
Surface
Rust proc macros, control-flow flattening, dispatcher generation, randomized noise blocks, and anti-analysis experiments
Output
Transformed Rust functions, obfuscated control flow, harder static traces, and research-ready implementation examples

Regera

Rust string-protection utility that encrypts literals at compile time, emits encrypted blobs during the build, and provides compact runtime decrypt shims for controlled exposure.

Mission
Reduce static string exposure in Rust binaries while keeping integration small and repeatable
Surface
Proc-macro integration, multiple string encryption engines, compile-time blob generation, and runtime decrypt helpers
Output
Encrypted string data, generated decrypt shims, lower plain-text string presence, and build-time protection workflows

CCGT-Packer

Post-build Windows packing research utility for protecting eligible strings, storing metadata in a PE section, and decrypting selected literals on demand at runtime.

Mission
Experiment with post-build payload protection and static string reduction in Windows binaries
Surface
PE rewriting, string selection, encryption metadata sections, runtime decrypt support, and protected payload testing
Output
Packed binaries, encrypted literal storage, metadata-backed recovery paths, and repeatable packing research artifacts