rfxn
GPL v2 · v0.7.0 · Since 2026

Blacklight

Agentic defense layer for the open-source Linux stack

Landing: Visit the Blacklight landing page

Blacklight turns the open-source Linux defensive stack into a system that can investigate and respond to incidents on its own. It uses Linux Malware Detect as the post-scan trigger, ModSecurity and Apache logs as evidence, and iptables as the response surface. No new agents on the host. No EDR contract. A shell script and an API key.

The system is built around three primitives that only became viable in 2026: Opus 4.7 with a million-token context window, Anthropic Managed Agents for a curator session that survives across operators and hosts, and the skills-native pattern for description-routed lazy-loaded behavior. The model choice is the system design.

Blacklight is model-bounded today. It operates at the edge of what's possible across roughly a five-system incident, which covers over 80% of real-world cases. It works now, and it improves as the limits move. The dedicated landing page at /blacklight is the canonical home: architecture, walkthrough, skills, roadmap, build timeline, and the closing love letter to operators.

Stars: 7
Forks: 2
Last Push: Apr 29, 2026
Latest Release: v0.7.0

Features

Detection & Response

  • Post-scan hook fires from Linux Malware Detect into a Blacklight forensic case
  • Read-only kill-chain extraction: Apache transfer log + matching ModSecurity audit transactions
  • Curator emits a defense action into the memstore with full reasoning trace
  • ModSecurity rule lands behind an atomic symlink swap, gated on a passing Apache config test
  • Known bad actor IPs go straight into the live iptables chain on the running firewall
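The evidence-and-response steps listed above, as an added shell example; this is not Blacklight's own code. It assumes Apache's combined log format, ModSecurity's serial audit-log format (transactions are matched to the transfer log by client address, since the default combined format does not carry the unique ID), a dedicated iptables chain named BLACKLIGHT, and a rule id 9000001 from a local range; the CONFIGTEST and IPTABLES command names are overridable so it can be exercised offline. Two checks a practitioner would want are built in: the address the curator emits is untrusted input to a root-run command and is validated before it reaches iptables, and the rule swap is rolled back when the config test fails.

```shell
#!/usr/bin/env bash
# Added example, not Blacklight's own code. Assumed: Apache combined log format,
# ModSecurity serial audit-log format, an iptables chain named BLACKLIGHT, and a
# rule id 9000001 from a local range. CONFIGTEST and IPTABLES default to the
# real commands but are overridable so every function here runs offline.

count_lines() { awk 'END { print NR }'; }

# Constructed sample logs (not captured from a real host), written to a tmpdir.
make_sample_logs() {
  local dir
  dir=$(mktemp -d) || return 1
  cat > "$dir/access.log" <<'EOF'
203.0.113.7 - - [29/Apr/2026:10:01:02 +0000] "GET /wp-login.php?user=admin HTTP/1.1" 403 199 "-" "curl/8.0"
198.51.100.20 - - [29/Apr/2026:10:01:05 +0000] "GET /index.html HTTP/1.1" 200 1043 "-" "Mozilla/5.0"
203.0.113.7 - - [29/Apr/2026:10:01:09 +0000] "POST /xmlrpc.php HTTP/1.1" 403 199 "-" "curl/8.0"
EOF
  cat > "$dir/modsec_audit.log" <<'EOF'
--a1b2c3d4-A--
[29/Apr/2026:10:01:02 +0000] aBcDeFgHiJkLmNoP 203.0.113.7 51234 10.0.0.5 80
--a1b2c3d4-B--
GET /wp-login.php?user=admin HTTP/1.1
Host: example.test
--a1b2c3d4-H--
Message: Access denied with code 403 (phase 2). [id "949110"] [msg "Inbound Anomaly Score Exceeded"]
--a1b2c3d4-Z--

--e5f6a7b8-A--
[29/Apr/2026:10:01:05 +0000] qRsTuVwXyZaBcDeF 198.51.100.20 40000 10.0.0.5 80
--e5f6a7b8-B--
GET /index.html HTTP/1.1
--e5f6a7b8-Z--
EOF
  printf '%s\n' "$dir"
}

# Evidence (read-only): every transfer-log request from client $1. Field 1 is the
# peer address, so behind a reverse proxy it would be the proxy, not the actor.
apache_hits_for_ip() { awk -v ip="$1" '$1 == ip' "$2"; }

# Evidence (read-only): whole audit transactions whose client address is $1.
# A transaction runs from "--<id>-A--" to "--<id>-Z--"; the line after the A
# marker is "[time] unique_id client_ip client_port server_ip server_port".
modsec_transactions_for_ip() {
  awk -v ip="$1" '
    /^--[0-9A-Za-z]+-A--$/ { inside = 1; hdr = 1; keep = 0; buf = $0 "\n"; next }
    inside && hdr          { hdr = 0; if ($4 == ip) keep = 1 }
    inside                 { buf = buf $0 "\n" }
    inside && /^--[0-9A-Za-z]+-Z--$/ { if (keep) printf "%s", buf; inside = 0 }
  ' "$2"
}

# The curator's emitted address is untrusted input to a root-run command:
# accept only a dotted quad with octets 0..255, nothing else.
is_valid_ipv4() {
  case $1 in ''|*[!0-9.]*|.*|*.|*..*) return 1 ;; esac
  local IFS=. o
  set -- $1
  [ $# -eq 4 ] || return 1
  for o in "$@"; do [ "$o" -le 255 ] || return 1; done
}

# Response: stage the rule file beside the live one, swap the symlink with
# rename(2) so Apache never reads a half-written file, then gate on the config
# test and roll back if it fails. Reloading Apache is left to the caller.
install_rule_atomically() {   # $1 rules dir, $2 rule-set name, $3 rule text
  local dir="$1" link="$1/$2.conf" prev='' new tmp
  new=$(mktemp "$dir/$2.conf.XXXXXX") || return 1
  printf '%s\n' "$3" > "$new" && chmod 0644 "$new" || return 1
  [ -L "$link" ] && prev=$(readlink "$link")
  tmp="$link.tmp.$$"
  ln -s "$(basename "$new")" "$tmp" && mv -f "$tmp" "$link" || { rm -f "$new" "$tmp"; return 1; }
  ${CONFIGTEST:-apachectl -t} >/dev/null 2>&1 && return 0
  if [ -n "$prev" ]; then ln -s "$prev" "$tmp" && mv -f "$tmp" "$link"; else rm -f "$link"; fi
  rm -f "$new"
  return 1
}

# Response: drop $1 in a dedicated chain hooked into INPUT. -C makes repeated
# case actions idempotent; the chain keeps Blacklight's blocks flushable on their own.
block_ip() {
  local ip="$1" ipt="${IPTABLES:-iptables}" chain="${BLOCK_CHAIN:-BLACKLIGHT}"
  is_valid_ipv4 "$ip" || { echo "block_ip: refusing '$ip'" >&2; return 1; }
  $ipt -n -L "$chain" >/dev/null 2>&1 || { $ipt -N "$chain" && $ipt -I INPUT -j "$chain"; } || return 1
  $ipt -C "$chain" -s "$ip" -j DROP >/dev/null 2>&1 || $ipt -I "$chain" -s "$ip" -j DROP
}
```

On a real host the functions run as root with CONFIGTEST and IPTABLES left at their defaults; the symlink target is the only thing Apache's Include sees change, and because no reload is issued until the config test passes, a rejected rule never reaches the running server.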

Case Persistence

  • Anthropic Managed Agents curator session, resumable across a 30-day checkpoint window
  • The case persists across operators and hosts; the host doesn't
  • Three days later, different operator, different host: reattach and the ledger is right there
  • Description-routed, lazy-loaded skills (six routing skills, eight workspace corpora)

Substrate & Model

  • Opus 4.7 with a million-token context window holds the whole investigation in-window
  • No retriever drops the one record that mattered
  • Skills-native pattern: twenty-three skill directories, operator-voice behavior
  • Weaponizes the open-source stack, doesn't replace it: maldet, ModSecurity, Apache, iptables

Honest Limits

  • Model-bounded today, even on Opus 4.7
  • Operates at the edge of what's possible across roughly a five-system incident
  • That window covers over 80% of real-world cases
  • Improves as the model context and reasoning limits move

Installation

bash
$ git clone https://github.com/rfxn/blacklight.git
$ cd blacklight
$ sudo ./install.sh