DarkHorse InfoSec

HADES

Hidden Artifact Detection & EXIF Scanner - Enterprise Metadata Forensics Engine

PRODUCTION-READY | v1.0.0 GA

Court-ready metadata forensics for security teams, incident responders, and SOC operations. Zero-execution analysis — never runs target files.

2,200+ Tests Passing
100% Detection Rate
51+ MITRE Techniques
41 YARA Rules
200+ File Formats

HADES is a metadata forensics engine built for security teams and incident responders. It analyzes hidden and malformed metadata across images, documents, archives, and firmware to identify threats — without executing target files. Multi-layer detection combines YARA rules, ML ensemble models, behavioral analysis, and deep format parsing with court-ready evidence handling and automated response playbooks.


Get Started in 5 Minutes

Python 3.8+ and ExifTool required. Optional dependencies unlock enterprise features.

$ pip install hades-scanner # Core engine
$ pip install "hades-scanner[enterprise]" # + PostgreSQL, Redis, RBAC, SSO
$ pip install "hades-scanner[full]" # Everything
$ hades scan suspicious_file.jpg # Scan a file
$ hades scan -r /path/to/evidence/ # Recursive directory scan
$ hades serve --port 8666 # Start API server + dashboard

  • Python 3.8+ — CPython on Linux, macOS, or Windows
  • ExifTool — Phil Harvey's ExifTool on PATH for metadata extraction
  • Optional: PostgreSQL, Redis, YARA, scikit-learn, Docker — installed via dependency groups

Capabilities

Metadata Forensics & Deep Format Analysis

Core scanning engine — extracts metadata from 200+ formats, deep-parses PDF/Office/SVG internals, detects polyglot files, identifies steganography patterns, and analyzes firmware for boot-level threats.

Detection Layers:

  • ExifTool + native parsers (pikepdf, olefile)
  • GPS/timestamp forensics, camera fingerprinting
  • Polyglot detection (JPEG+ZIP, PDF+JS, PNG+HTML)
  • Firmware analysis (UEFI, SPI flash, BadUSB, wiper malware)
  • 41 YARA rules purpose-built for metadata threats

$ hades scan -r /evidence --format json
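An added example (not HADES code) of the polyglot check listed above: a file whose leading bytes identify it as JPEG, PNG or PDF is searched for a second format's markers (ZIP local-file or end-of-central-directory records, PDF JavaScript action keys, HTML tags). The signature tables and sample byte strings are constructed for this illustration; a real parser walks the container's structure instead of pattern-matching the whole body.

```python
import re

# Added example, not HADES code: minimal polyglot detector for the pairs listed
# above (JPEG+ZIP, PDF+JS, PNG+HTML). Signature tables are assumptions.
HEAD_SIGS = {
    "JPEG": b"\xff\xd8\xff",
    "PNG": b"\x89PNG\r\n\x1a\n",
    "PDF": b"%PDF-",
}
# Markers for a second format hidden after the container's header.
BODY_SIGS = {
    "ZIP": re.compile(rb"PK\x03\x04|PK\x05\x06"),   # local file header / EOCD
    "JS": re.compile(rb"/JavaScript|/JS\b"),       # PDF JavaScript action keys
    "HTML": re.compile(rb"<script|<html|<iframe", re.IGNORECASE),
}


def detect_polyglot(data):
    """Return (container, payload) pairs found, e.g. [("JPEG", "ZIP")]."""
    container = next((n for n, magic in HEAD_SIGS.items() if data.startswith(magic)), None)
    if container is None:
        return []  # unknown container: nothing to pair against
    body = data[len(HEAD_SIGS[container]):]
    return [(container, name) for name, pat in BODY_SIGS.items() if pat.search(body)]


# Constructed sample files (not real malware): a JPEG with a ZIP archive appended
# after its EOI marker, a PNG carrying HTML in a text chunk, and a clean PDF.
JPEG_WITH_ZIP = (b"\xff\xd8\xff\xe0" + b"\x00" * 12 + b"\xff\xd9"
                 + b"PK\x03\x04" + b"\x00" * 26 + b"PK\x05\x06" + b"\x00" * 18)
PNG_WITH_HTML = (HEAD_SIGS["PNG"] + b"\x00\x00\x00\x0dIHDR" + b"\x00" * 17
                 + b"\x00\x00\x00\x18tEXt" + b"Comment\x00<html><script></script>")
CLEAN_PDF = b"%PDF-1.7\n1 0 obj\n<< /Type /Catalog >>\nendobj\n%%EOF\n"
```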

ML Ensemble & Behavioral Analysis

Multi-model machine learning ensemble (Isolation Forest + Random Forest + optional XGBoost) with 25 statistical features including Shannon entropy and byte frequency analysis. Behavioral engine detects coordinated attack campaigns through IOC correlation and metadata pattern similarity.

Analysis Capabilities:

  • Weighted multi-model voting with labeled data management
  • Campaign detection via shared IOC correlation (union-find)
  • Metadata similarity scoring (Jaccard) and temporal clustering
  • GPS forensics with impossible travel detection
  • Auto-retraining on labeled datasets with CSV import/export

MITRE ATT&CK Mapping

Automatic mapping of detection findings to 51+ MITRE ATT&CK techniques across 11 tactics. Every finding is classified with technique IDs, tactic categories, and severity scores — ready for compliance reporting and threat intelligence correlation.

Coverage:

  • 51+ techniques: script injection, backdoors, steganography, polyglot, macros, encoding
  • 11 tactics: Initial Access through Impact
  • 52+ finding-to-technique mappings
  • API endpoint for technique lookup and tactic queries

Evidence Chain & Case Management

Forensic-grade evidence handling — SHA-256 hash-chained immutable audit log, case management with analyst notes, and self-verifying evidence export packages with HMAC-SHA256 signatures. Built for court-admissible forensics.

Forensic Features:

  • Append-only hash-chained audit log with tamper detection
  • Case CRUD with scan linking and analyst notes
  • Evidence export as self-verifying ZIP (includes verify script)
  • Chain of custody timeline

$ hades case create "IR-2026-001"
$ hades case export CASE_ID
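An added illustration (not HADES code) of the hash-chained audit log and HMAC-SHA256 export signature described above: each entry's SHA-256 commits to the previous entry's hash, so changing, removing or reordering an earlier record breaks every later link, and an HMAC over the exported chain detects edits to the export package. The event fields, genesis value and key handling are assumptions.

```python
import hashlib
import hmac
import json

# Added example, not HADES code: minimal append-only, SHA-256 hash-chained audit log.
GENESIS = "0" * 64  # prev-hash of the first entry (assumption)


def entry_hash(prev_hash, event):
    # Canonical JSON so the same event always hashes identically.
    body = json.dumps(event, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256((prev_hash + body).encode()).hexdigest()


def append_entry(log, event):
    """Append an event; its hash commits to the previous entry's hash."""
    prev = log[-1]["hash"] if log else GENESIS
    log.append({"prev": prev, "event": event, "hash": entry_hash(prev, event)})
    return log[-1]["hash"]


def build_log(events):
    log = []
    for event in events:
        append_entry(log, event)
    return log


def first_broken_entry(log):
    """Walk the chain; return the index of the first bad entry, or -1 if intact."""
    expected_prev = GENESIS
    for i, entry in enumerate(log):
        if entry["prev"] != expected_prev:
            return i  # link to predecessor broken (entry removed or reordered)
        if entry_hash(expected_prev, entry["event"]) != entry["hash"]:
            return i  # entry contents changed after it was written
        expected_prev = entry["hash"]
    return -1


def sign_export(log, key):
    """HMAC-SHA256 over the serialised chain for a self-verifying export package."""
    payload = json.dumps(log, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(key, payload, hashlib.sha256).hexdigest()


def verify_export(log, key, signature):
    return hmac.compare_digest(sign_export(log, key), signature)


# Constructed sample events (hypothetical case; file hash is a placeholder).
SAMPLE_EVENTS = [
    {"action": "case.create", "case": "IR-2026-001", "analyst": "alice"},
    {"action": "scan.link", "case": "IR-2026-001", "sha256": "PLACEHOLDER-FILE-HASH"},
    {"action": "note.add", "case": "IR-2026-001", "text": "polyglot JPEG+ZIP confirmed"},
]
EXPORT_KEY = b"constructed-demo-key"  # in practice a managed secret, never a literal
```

Rewriting a tampered entry's own hash does not help an attacker: the next entry still stores the original hash as its predecessor link, so verification fails one step later.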

Automated Response Playbooks

Event-driven response automation with 10+ built-in playbooks covering phishing triage, malware analysis, BEC detection, ransomware response, and insider threat workflows. Actions include case creation, SIEM forwarding, Slack/Teams notification, evidence export, and file quarantine.

Playbook Engine:

  • Trigger conditions: threat score, YARA match, finding type, file extension, sender domain
  • Priority ordering with retry and exponential backoff
  • Per-action status tracking and execution history
  • Quarantine manager with audit trail
  • WebSocket broadcast for real-time dashboard updates

REST API, Dashboard & SDK

FastAPI server with authenticated endpoints, WebSocket live updates, and a 16-view browser-based dashboard. Python SDK with retry logic, webhook subscriptions, and SSE streaming for programmatic integration.

Interface Options:

  • FastAPI with async endpoints, Pydantic models, Swagger UI at /docs
  • 16-view dashboard: Scan, Monitor, Cases, Audit, MITRE, Rules, Playbooks, Alerts, Analytics, SIEM Connectors, Quarantine, and more
  • Python SDK: pip install hades-sdk
  • X-API-Key auth, rate limiting, CORS, WebSocket

$ hades serve --port 8666

Enterprise Security & Observability

Role-based access control with admin/analyst/viewer roles, SSO via OIDC and SAML, AES-256-GCM field-level encryption at rest, multi-tenant isolation, and full observability with Prometheus metrics and four pre-built Grafana dashboards.

Enterprise Features:

  • RBAC with permission matrix and API key rotation
  • SSO: OIDC JWT validation, SAML AuthnRequest, JIT user provisioning
  • AES-256-GCM encrypted storage with key management
  • Multi-tenant isolation with API key to tenant mapping
  • Prometheus metrics (20+), Grafana dashboards (4), Alertmanager

SIEM & Platform Integrations

Native SIEM connectors for Splunk HEC, Elasticsearch, and Microsoft Sentinel with batching, retry, and health checks, plus format-based export in Syslog, CEF, STIX, LEEF, and ECS. HADES also scans cloud storage (S3, GCS, Azure), ingests from network sensors (Zeek, Suricata) and an email gateway, runs inside CI/CD pipelines, and reports through Slack/Teams bots.

Integration Points:

  • Native SIEM: Splunk HEC, Elasticsearch bulk API, Sentinel Log Analytics
  • Cloud: AWS S3, Google Cloud Storage, Azure Blob Storage
  • Network: Zeek connector, Suricata connector, SMTP email gateway
  • DevOps: CI/CD scanning with SARIF output, GitHub/GitLab integration
  • Chat: Slack bot with Block Kit, Teams bot with Adaptive Cards

Deployment & Scaling

Deploy anywhere — standalone CLI, Docker containers, or Kubernetes with Helm charts and horizontal pod autoscaling. Async scan pipeline with persistent ExifTool process pool, distributed worker pool with Redis task queues, and two-tier scan caching.

Deployment Options:

  • PyPI: pip install hades-scanner with 4 dependency groups
  • Docker: multi-stage production image, Docker Compose stacks
  • Kubernetes: Helm chart with HPA, ServiceMonitor, Kustomize overlays
  • Distributed workers with Redis task queues and heartbeat monitoring
  • Two-tier cache (in-memory LRU + Redis), pipeline profiler

$ docker run -p 8666:8666 hades-scanner:1.0.0
$ helm install hades ./kubernetes/helm/hades/

Pricing

HADES is a proprietary platform with a free Community tier. Paid tiers are unlocked via license key activation.

Community

$0/mo
  • CLI file scanning & REST API
  • YARA rule detection (41 built-in rules)
  • ML anomaly detection
  • Evidence chain & case management
  • Real-time file monitoring
  • Plugin system
  • SIEM export (Syslog, CEF, STIX, LEEF, ECS)
  • MITRE ATT&CK mapping
  • Playbook automation
  • Scan analytics
  • Health check endpoints

Elite

$2,500/mo
  • Everything in Professional, plus:
  • RBAC (admin/analyst/viewer roles)
  • SSO (OIDC + SAML)
  • Cloud scanning (S3, GCS, Azure)
  • CI/CD pipeline integration
  • Slack & Teams bots
  • AES-256-GCM encrypted storage

Enterprise

Contact Us
  • Everything in Elite, plus:
  • Multi-tenant isolation
  • SOAR integration
  • Kafka/NATS streaming
  • Dedicated support & custom SLA

Contact sales@darkhorseinfosec.com for annual pricing and volume discounts.

Frequently Asked Questions

Is HADES free to use?
Yes. The Community tier is completely free and includes ML detection, evidence chain, MITRE ATT&CK mapping, playbook automation, SIEM export, and more. Professional ($299/mo), Elite ($2,500/mo), and Enterprise tiers add native SIEM connectors, cloud scanning, RBAC, SSO, and multi-tenant isolation.
Does HADES execute the files it scans?
No. HADES performs purely forensic analysis of file metadata and structure. It never executes, opens, or renders target files. This makes it safe to use on suspected malware without risk of detonation.
What are the system requirements?
Python 3.8+ and Phil Harvey's ExifTool installed on PATH. Optional dependencies (PostgreSQL, Redis, YARA, scikit-learn) are installed via pip dependency groups. HADES runs on Linux, macOS, and Windows.
Can HADES run in an air-gapped environment?
Yes. HADES has zero required network dependencies. Cloud threat intelligence, SIEM connectors, and other network features are optional. The core engine, YARA rules, and ML models all run locally.
What file types does HADES support?
200+ file formats including images (JPEG, PNG, GIF, TIFF, WebP), documents (PDF, DOCX, XLSX, PPTX), video (MP4, AVI, MOV), audio (MP3, WAV, FLAC), archives (ZIP, TAR, 7Z, RAR), web files (SVG, HTML), and firmware images (UEFI, SPI flash, BIOS).
How does HADES differ from ExifTool alone?
ExifTool extracts metadata — HADES analyzes it for threats. HADES adds YARA-based threat detection, ML ensemble anomaly scoring, deep format analysis (PDF JavaScript, Office macros, polyglot files), behavioral campaign detection, MITRE ATT&CK mapping, court-ready evidence handling, and automated response playbooks on top of ExifTool's extraction capabilities.
Does HADES integrate with my existing SIEM?
Yes. HADES includes native API connectors for Splunk HEC, Elasticsearch, and Microsoft Sentinel, plus format-based export in Syslog (RFC 5424), CEF (ArcSight), STIX 2.1, LEEF (QRadar), and ECS (Elastic). All connectors support batching, retry with exponential backoff, and health checking.

Ready to detect hidden threats in your file metadata?
