DarkHorse InfoSec

HADES

Hidden Artifact Detection & EXIF Scanner - Enterprise Metadata Forensics Engine

PRODUCTION-READY | v1.1.0 GA

Court-ready metadata forensics for security teams, incident responders, and SOC operations. Zero-execution analysis — never runs target files.

15,855+ Malware Samples Tested
99.2% Detection Rate
51+ MITRE Techniques
60+ YARA Rules
26 Forensic Analyzers
45+ File Types Covered

HADES is an enterprise metadata forensics engine built for security teams and incident responders. Validated against 15,855+ real-world malware samples with a 99.2% detection rate and zero crashes. Multi-layer detection combines 60+ YARA rules, ML ensemble models, behavioral analysis, 26 dedicated forensic analyzers, and deep format parsing across 45+ file types — without executing target files. Enterprise-grade two-axis scoring (confidence × severity) matches CrowdStrike/Palo Alto patterns, with court-ready evidence handling and automated response playbooks.

Install from Cloudsmith View on GitHub

Get Started in 5 Minutes

Python 3.8+ and ExifTool required. Optional dependencies unlock enterprise features.

$ pip install hades-scanner --index-url https://dl.cloudsmith.io/basic/darkhorse-infosec/hades/python/simple/ # Core engine
$ pip install "hades-scanner[enterprise]" --index-url ... # + PostgreSQL, Redis, RBAC, SSO
$ pip install "hades-scanner[full]" --index-url ... # Everything
$ hades scan suspicious_file.jpg # Scan a file
$ hades scan -r /path/to/evidence/ # Recursive directory scan
$ hades serve --port 8666 # Start API server + dashboard
  • Python 3.8+ — CPython on Linux, macOS, or Windows
  • ExifTool — Phil Harvey's ExifTool on PATH for metadata extraction
  • Optional: PostgreSQL, Redis, YARA, scikit-learn, Docker — installed via dependency groups

Capabilities

Metadata Forensics & Deep Format Analysis

Core scanning engine — extracts metadata from 200+ formats via 19 dedicated forensic analyzers. Deep-parses PDF (shadow attacks, filter chains), Office (macros, DDE, VBA stomping, hidden content), RTF (Equation Editor, template injection), archive structures (Zombie ZIP, RAR5/7z), and analyzes audio, video, email, and web file metadata for embedded threats.

Detection Layers:

  • 19 forensic analyzers: images, documents, archives, audio, video, email, web
  • Archive forensics: Zombie ZIP, concatenation, bombs, RAR5/7z headers
  • Document forensics: RTF, LNK, legacy Office, OneNote, VBA stomping
  • Audio/video: MP3 ID3, WAV, OGG, FLAC, MKV, MP4, AVI metadata
  • Email/web: phishing detection, CSV formula injection, HTML threats, EPS
  • Steganography: JPEG DCT analysis, palette stego, EOF data, tool signatures
  • 56 YARA rules + firmware analysis (UEFI, SPI flash, BadUSB, wipers)
$ hades scan -r /evidence --format json
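The archive checks above rest on structural parsing rather than extraction. The following added example (not HADES code, written for this page) shows the two cheapest of those checks in plain Python: a Zombie ZIP comparison of the compression method recorded in the central directory against the one in each entry's local file header, and a count of end-of-central-directory (EOCD) records plus any bytes trailing the archive, which is how concatenated or appended payloads show up. The sample archives are constructed inline with the standard `zipfile` module and then patched byte-for-byte; nothing is decompressed.

```python
"""Added example (not HADES code): structural ZIP checks for Zombie ZIP and concatenation.

A Zombie ZIP lists one compression method in the central directory and another in the
local file header of the same entry, so a scanner and the tool that finally extracts the
file can decode different bytes. Concatenated archives carry more than one EOCD record,
and different tools disagree about which archive is "the" archive.
"""
import io
import struct
import zipfile

LOCAL_SIG = b"PK\x03\x04"
CENTRAL_SIG = b"PK\x01\x02"
EOCD_SIG = b"PK\x05\x06"
LOCAL_FMT = "<4sHHHHHIIIHH"          # 30-byte local file header
CENTRAL_FMT = "<4sHHHHHHIIIHHHHHII"  # 46-byte central directory header
EOCD_FMT = "<4sHHHHIIH"              # 22-byte EOCD record (comment follows)


def parse_central_directory(data):
    """Return the entries listed by the last EOCD record, without decompressing anything."""
    eocd = data.rfind(EOCD_SIG)
    if eocd < 0:
        raise ValueError("no EOCD record: not a ZIP, or truncated")
    _, _, _, _, n_total, _, cd_offset, comment_len = struct.unpack(EOCD_FMT, data[eocd:eocd + 22])
    trailing = len(data) - (eocd + 22 + comment_len)
    entries, pos = [], cd_offset
    for _ in range(n_total):
        if data[pos:pos + 4] != CENTRAL_SIG:
            raise ValueError("central directory signature missing at offset %d" % pos)
        f = struct.unpack(CENTRAL_FMT, data[pos:pos + 46])
        name_len, extra_len, cmt_len = f[10], f[11], f[12]
        entries.append({
            "name": data[pos + 46:pos + 46 + name_len].decode("utf-8", "replace"),
            "cd_method": f[4],        # compression method as the central directory states it
            "local_offset": f[16],    # where this entry's local header should be
            "cd_pos": pos,
        })
        pos += 46 + name_len + extra_len + cmt_len
    return entries, trailing


def scan_zip(data):
    """Compare every central-directory entry against its local header; count EOCD records."""
    entries, trailing = parse_central_directory(data)
    mismatches = []
    for e in entries:
        hdr = data[e["local_offset"]:e["local_offset"] + 30]
        if len(hdr) < 30 or hdr[:4] != LOCAL_SIG:
            mismatches.append((e["name"], e["cd_method"], None))  # dangling offset
            continue
        local_method = struct.unpack(LOCAL_FMT, hdr)[3]
        if local_method != e["cd_method"]:
            mismatches.append((e["name"], e["cd_method"], local_method))
    return {
        "entries": len(entries),
        "mismatches": mismatches,               # (name, central method, local method)
        "eocd_records": data.count(EOCD_SIG),   # >1 suggests concatenated archives
        "trailing_bytes": trailing,             # bytes after the EOCD comment: appended data
    }


def build_samples():
    """Constructed test data: a clean two-entry ZIP, and a copy whose central directory
    says payload.bin is DEFLATE (8) while its local header still says STORED (0)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("readme.txt", "benign text " * 50, compress_type=zipfile.ZIP_DEFLATED)
        zf.writestr("payload.bin", b"\x00" * 64, compress_type=zipfile.ZIP_STORED)
    clean = buf.getvalue()
    entries, _ = parse_central_directory(clean)
    target = next(e for e in entries if e["name"] == "payload.bin")
    zombie = bytearray(clean)
    # Method field sits at +10 in the central header (sig 4, made-by 2, needed 2, flags 2).
    struct.pack_into("<H", zombie, target["cd_pos"] + 10, zipfile.ZIP_DEFLATED)
    return clean, bytes(zombie)


if __name__ == "__main__":
    clean, zombie = build_samples()
    for label, blob in (("clean", clean), ("zombie", zombie), ("concat", clean + clean)):
        print(label, scan_zip(blob))
```

The EOCD count is a heuristic: the four signature bytes can in principle occur inside compressed data, so treat more than one record as a reason to parse from the front as well, not as a verdict on its own.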

ML Ensemble & Behavioral Analysis

Multi-model machine learning ensemble (Isolation Forest + Random Forest + optional XGBoost) with 25 statistical features including Shannon entropy and byte frequency analysis. Behavioral engine detects coordinated attack campaigns through IOC correlation and metadata pattern similarity.

Analysis Capabilities:

  • Weighted multi-model voting with labeled data management
  • Campaign detection via shared IOC correlation (union-find)
  • Metadata similarity scoring (Jaccard) and temporal clustering
  • GPS forensics with impossible travel detection
  • Auto-retraining on labeled datasets with CSV import/export
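To make the campaign-detection bullets concrete, here is an added example (not HADES code) of the two linking rules named above: union-find over scans that share an IOC, and Jaccard similarity over flattened metadata tags. The scan records, the IOC values and the 0.5 similarity threshold are constructed for the example; volatile fields such as file name and size are dropped before comparison so that two files from the same toolchain still match.

```python
"""Added example (not HADES code): campaign clustering from shared IOCs and metadata similarity."""
from collections import defaultdict


class UnionFind:
    """Disjoint-set forest with path halving; good enough for thousands of scans."""

    def __init__(self, items):
        self.parent = {x: x for x in items}

    def find(self, x):
        while self.parent[x] != x:
            self.parent[x] = self.parent[self.parent[x]]
            x = self.parent[x]
        return x

    def union(self, a, b):
        ra, rb = self.find(a), self.find(b)
        if ra != rb:
            self.parent[rb] = ra


def jaccard(a, b):
    """|A ∩ B| / |A ∪ B|; two empty sets are treated as unrelated, not identical."""
    if not a and not b:
        return 0.0
    return len(a & b) / len(a | b)


def metadata_tags(meta):
    """Flatten a metadata dict into "key=value" tokens, ignoring per-file volatile fields."""
    volatile = {"FileName", "FileSize", "FileModifyDate"}
    return {f"{k}={v}" for k, v in meta.items() if k not in volatile}


def cluster_campaigns(scans, min_similarity=0.5):
    """scans: list of {"id", "iocs": set, "metadata": dict}.
    Link two scans if they share an IOC, or if their metadata tag sets reach the
    Jaccard threshold. Returns the connected components as sorted lists."""
    uf = UnionFind([s["id"] for s in scans])
    by_ioc = defaultdict(list)
    for s in scans:
        for ioc in s["iocs"]:
            by_ioc[ioc].append(s["id"])
    for ids in by_ioc.values():           # every scan sharing an IOC joins the first one
        for other in ids[1:]:
            uf.union(ids[0], other)
    tags = {s["id"]: metadata_tags(s["metadata"]) for s in scans}
    ids = [s["id"] for s in scans]
    for i in range(len(ids)):             # pairwise metadata similarity
        for j in range(i + 1, len(ids)):
            if jaccard(tags[ids[i]], tags[ids[j]]) >= min_similarity:
                uf.union(ids[i], ids[j])
    groups = defaultdict(list)
    for s in scans:
        groups[uf.find(s["id"])].append(s["id"])
    return sorted(sorted(g) for g in groups.values())


def campaign_report(scans, min_similarity=0.5):
    """Only clusters with two or more members are campaigns; attach their combined IOCs."""
    iocs = {s["id"]: s["iocs"] for s in scans}
    report = []
    for members in cluster_campaigns(scans, min_similarity):
        if len(members) < 2:
            continue
        report.append({"members": members, "iocs": sorted(set().union(*(iocs[m] for m in members)))})
    return report


# Constructed sample: A and B share a C2 domain, A and C share authoring metadata
# (2 of 4 distinct tags, Jaccard 0.5), D and E relate to nothing.
SAMPLE_SCANS = [
    {"id": "A", "iocs": {"evil.example", "198.51.100.7"},
     "metadata": {"Author": "jdoe", "Creator": "Acme PDF 1.0", "Producer": "x", "FileName": "invoice.pdf"}},
    {"id": "B", "iocs": {"evil.example"}, "metadata": {"Author": "mallory"}},
    {"id": "C", "iocs": set(),
     "metadata": {"Author": "jdoe", "Creator": "Acme PDF 1.0", "Producer": "y", "FileName": "quote.pdf"}},
    {"id": "D", "iocs": {"203.0.113.9"}, "metadata": {"Author": "alice", "Creator": "LibreOffice"}},
    {"id": "E", "iocs": set(), "metadata": {"Author": "bob"}},
]

if __name__ == "__main__":
    print(cluster_campaigns(SAMPLE_SCANS))
    print(campaign_report(SAMPLE_SCANS))
```

Because union-find is transitive, B and C end up in one campaign even though they share nothing directly; that is the intended behaviour, and also the reason the similarity threshold has to be chosen conservatively, since one loose link merges whole clusters.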

MITRE ATT&CK Mapping

Automatic mapping of detection findings to 51+ MITRE ATT&CK techniques across 11 tactics. Every finding is classified with technique IDs, tactic categories, and severity scores — ready for compliance reporting and threat intelligence correlation.

Coverage:

  • 51+ techniques: script injection, backdoors, steganography, polyglot, macros, encoding
  • 11 tactics: Initial Access through Impact
  • 52+ finding-to-technique mappings
  • API endpoint for technique lookup and tactic queries

Evidence Chain & Case Management

Forensic-grade evidence handling — SHA-256 hash-chained immutable audit log, case management with analyst notes, and self-verifying evidence export packages with HMAC-SHA256 signatures. Built for court-admissible forensics.

Forensic Features:

  • Append-only hash-chained audit log with tamper detection
  • Case CRUD with scan linking and analyst notes
  • Evidence export as self-verifying ZIP (includes verify script)
  • Chain of custody timeline
$ hades case create "IR-2026-001"
$ hades case export CASE_ID
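The evidence-chain bullets describe two separate mechanisms: a hash chain that detects edits or deletions inside the log, and an HMAC over the exported package that ties the whole bundle to a key the analyst controls. The block below is an added example (not HADES code) of both, using only the standard library; the event shapes, timestamps and key are constructed. Verification returns the sequence number of the first broken entry, which is what an analyst actually needs when a log fails.

```python
"""Added example (not HADES code): SHA-256 hash-chained audit log and HMAC-SHA256 export package."""
import hashlib
import hmac
import json
from typing import Optional, Tuple

GENESIS = "0" * 64  # the "previous hash" of the first entry


def canonical(obj):
    # Canonical JSON (sorted keys, no whitespace) so digests are reproducible across writers.
    return json.dumps(obj, sort_keys=True, separators=(",", ":")).encode("utf-8")


def entry_digest(entry):
    body = {k: entry[k] for k in ("seq", "ts", "event", "prev")}
    return hashlib.sha256(canonical(body)).hexdigest()


class AuditLog:
    """Append-only list where every entry commits to the previous entry's hash."""

    def __init__(self):
        self.entries = []

    def append(self, event, ts):
        prev = self.entries[-1]["hash"] if self.entries else GENESIS
        entry = {"seq": len(self.entries), "ts": ts, "event": event, "prev": prev}
        entry["hash"] = entry_digest(entry)
        self.entries.append(entry)
        return entry

    def verify(self) -> Tuple[bool, Optional[int]]:
        """(True, None) if intact, else (False, seq) of the first entry that fails."""
        prev = GENESIS
        for i, e in enumerate(self.entries):
            if e["seq"] != i or e["prev"] != prev or e["hash"] != entry_digest(e):
                return False, i
            prev = e["hash"]
        return True, None


def export_package(log, key):
    """Deep-copy the entries and sign their canonical form with HMAC-SHA256."""
    entries = json.loads(canonical(log.entries))
    tag = hmac.new(key, canonical(entries), hashlib.sha256).hexdigest()
    return {"entries": entries, "hmac_sha256": tag}


def verify_package(package, key):
    """Check the HMAC first (constant-time), then re-verify the chain inside the package."""
    expected = hmac.new(key, canonical(package["entries"]), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, package["hmac_sha256"]):
        return False, "hmac"
    log = AuditLog()
    log.entries = list(package["entries"])
    ok, bad = log.verify()
    return (True, None) if ok else (False, "chain@%d" % bad)


def demo():
    """Constructed walkthrough: three events, then an export signed with a demo key."""
    log = AuditLog()
    log.append({"action": "scan", "sha256": "ab" * 32, "verdict": "malicious"}, ts="2026-01-05T10:00:00Z")
    log.append({"action": "note", "text": "opened case IR-2026-001"}, ts="2026-01-05T10:01:00Z")
    log.append({"action": "export", "case": "IR-2026-001"}, ts="2026-01-05T10:02:00Z")
    key = b"constructed-demo-key"       # in practice: from a KMS or HSM, never in source
    return log, export_package(log, key), key


if __name__ == "__main__":
    log, pkg, key = demo()
    print("chain:", log.verify(), "package:", verify_package(pkg, key))
```

Note what each layer does and does not give you: the chain catches in-place edits, reordering and truncation from the middle, but an attacker who can rewrite the file can re-hash every entry after the edit, so the chain's head hash (or the whole package) still has to be anchored somewhere the attacker cannot reach, which is the job of the HMAC key.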

Automated Response Playbooks

Event-driven response automation with 10+ built-in playbooks covering phishing triage, malware analysis, BEC detection, ransomware response, and insider threat workflows. Actions include case creation, SIEM forwarding, Slack/Teams notification, evidence export, and file quarantine.

Playbook Engine:

  • Trigger conditions: threat score, YARA match, finding type, file extension, sender domain
  • Priority ordering with retry and exponential backoff
  • Per-action status tracking and execution history
  • Quarantine manager with audit trail
  • WebSocket broadcast for real-time dashboard updates

REST API, Dashboard & SDK

FastAPI server with authenticated endpoints, WebSocket live updates, and a 16-view browser-based dashboard. Python SDK with retry logic, webhook subscriptions, and SSE streaming for programmatic integration.

Interface Options:

  • FastAPI with async endpoints, Pydantic models, Swagger UI at /docs
  • 16-view dashboard: Scan, Monitor, Cases, Audit, MITRE, Rules, Playbooks, Alerts, Analytics, SIEM Connectors, Quarantine, and more
  • Python SDK: pip install hades-sdk (via Cloudsmith)
  • X-API-Key auth, rate limiting, CORS, WebSocket
$ hades serve --port 8666

Enterprise Security & Observability

Role-based access control with admin/analyst/viewer roles, SSO via OIDC and SAML, AES-256-GCM field-level encryption at rest, multi-tenant isolation, and full observability with Prometheus metrics and four pre-built Grafana dashboards.

Enterprise Features:

  • RBAC with permission matrix and API key rotation
  • SSO: OIDC JWT validation, SAML AuthnRequest, JIT user provisioning
  • AES-256-GCM encrypted storage with key management
  • Multi-tenant isolation with API key to tenant mapping
  • Prometheus metrics (20+), Grafana dashboards (4), Alertmanager

SIEM & Platform Integrations

Native SIEM connectors for Splunk HEC, Elasticsearch, and Microsoft Sentinel with batching, retry, and health checks. Format-based output in Syslog, CEF, STIX, LEEF, and ECS. Plus cloud storage scanning (S3, GCS, Azure), network sensors (Zeek, Suricata), email gateway, CI/CD pipelines, and Slack/Teams bots.

Integration Points:

  • Native SIEM: Splunk HEC, Elasticsearch bulk API, Sentinel Log Analytics
  • Cloud: AWS S3, Google Cloud Storage, Azure Blob Storage
  • Network: Zeek connector, Suricata connector, SMTP email gateway
  • DevOps: CI/CD scanning with SARIF output, GitHub/GitLab integration
  • Chat: Slack bot with Block Kit, Teams bot with Adaptive Cards
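The format-based outputs listed above are only as trustworthy as their escaping: a finding title or file path that carries a `|`, `=` or newline can shift fields or inject a second event into the collector. The block below is an added example (not HADES code) of emitting a finding as a CEF line with the escaping rules the format requires, plus a splitter that honours those escapes so you can see the fields survive a round trip. The vendor, product and version strings and the finding dict shape are assumptions for the example.

```python
"""Added example (not HADES code): CEF output with correct escaping, and an escape-aware splitter."""

# Assumed device identification for the CEF header.
CEF_VENDOR, CEF_PRODUCT, CEF_VERSION = "DarkHorse InfoSec", "HADES", "1.1.0"


def cef_header_escape(value):
    # Header fields: backslash first (so later escapes are not doubled), then the pipe delimiter.
    return str(value).replace("\\", "\\\\").replace("|", "\\|")


def cef_extension_escape(value):
    # Extension values: backslash, the key/value '=' delimiter, and line breaks.
    return (str(value).replace("\\", "\\\\").replace("=", "\\=")
            .replace("\r", "\\r").replace("\n", "\\n"))


def to_cef(signature_id, name, severity, extensions):
    """CEF:0|Vendor|Product|Version|SignatureID|Name|Severity|key=value ..."""
    sev = max(0, min(10, int(severity)))  # CEF severity is an integer 0..10
    header = "|".join(cef_header_escape(v)
                      for v in (CEF_VENDOR, CEF_PRODUCT, CEF_VERSION, signature_id, name))
    ext = " ".join("%s=%s" % (k, cef_extension_escape(v)) for k, v in extensions.items())
    return "CEF:0|%s|%d|%s" % (header, sev, ext)


def finding_to_cef(finding):
    """Map a finding dict (constructed shape for this example) onto standard CEF extension keys."""
    return to_cef(
        finding["technique"], finding["title"], finding["severity"],
        {"fname": finding["path"], "fileHash": finding["sha256"],
         "cs1Label": "confidence", "cs1": finding["confidence"], "msg": finding["detail"]},
    )


def split_cef(line):
    """Split on unescaped '|' for the seven header fields; the remainder is the extension."""
    fields, cur, i = [], [], 0
    while i < len(line) and len(fields) < 7:
        ch = line[i]
        if ch == "\\" and i + 1 < len(line):   # keep the escaped character literally
            cur.append(line[i + 1])
            i += 2
            continue
        if ch == "|":
            fields.append("".join(cur))
            cur = []
            i += 1
            continue
        cur.append(ch)
        i += 1
    fields.append(line[i:])
    return fields


SAMPLE_FINDING = {  # constructed
    "technique": "T1027.003", "title": "Steganography|suspected", "severity": 7,
    "path": "C:\\evidence\\a.jpg", "sha256": "ab" * 32, "confidence": 0.82,
    "detail": "EOF data after JPEG EOI\nkey=value",
}

if __name__ == "__main__":
    line = finding_to_cef(SAMPLE_FINDING)
    print(line)
    print(split_cef(line))
```

Escaping only the header or only the extension is the usual mistake; the path in the sample shows why both are needed, since backslashes in a Windows path are legitimate data in the extension but would otherwise be read as escape characters by the collector.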

Deployment & Scaling

Deploy anywhere — standalone CLI, Docker containers, or Kubernetes with Helm charts and horizontal pod autoscaling. Async scan pipeline with persistent ExifTool process pool, distributed worker pool with Redis task queues, and two-tier scan caching.

Deployment Options:

  • Cloudsmith: pip install hades-scanner with 4 dependency groups (private registry)
  • Docker: multi-stage production image, Docker Compose stacks
  • Kubernetes: Helm chart with HPA, ServiceMonitor, Kustomize overlays
  • Distributed workers with Redis task queues and heartbeat monitoring
  • Two-tier cache (in-memory LRU + Redis), pipeline profiler
$ docker run -p 8666:8666 hades-scanner:1.1.0
$ helm install hades ./kubernetes/helm/hades/

Pricing

HADES is a proprietary platform with a free Community tier. Paid tiers are unlocked via license key activation.

Community

Free
  • 10 scans/month
  • Heuristic & IOC detection
  • Threat score & severity summary
  • Evidence chain
  • 10 MB file size limit
Try the Demo

Team

$299/mo

$2,499/yr (save 30%)

  • 50,000 scans/month
  • Everything in Professional, plus:
  • RBAC (admin/analyst/viewer roles)
  • SSO (OIDC + SAML)
  • Cloud scanning (S3, GCS, Azure)
  • CI/CD pipeline integration
  • Slack & Teams bots
  • AES-256-GCM encrypted storage
  • 500 MB file size limit

Enterprise

Custom

Annual contract

  • Unlimited scans
  • Everything in Team, plus:
  • Multi-tenant isolation
  • SOAR integration
  • Kafka/NATS streaming
  • Unlimited file size
  • Dedicated support & custom SLA
Contact Sales

All paid plans include a 14-day free trial. Annual plans save up to 33%. Contact sales@darkhorseinfosec.com for volume discounts.


Frequently Asked Questions

Is HADES free to use?
Yes. The Community tier is completely free and includes ML detection, evidence chain, MITRE ATT&CK mapping, playbook automation, SIEM export, and more. Professional ($99/mo), Team ($249/mo), and Enterprise ($499/mo) tiers add cloud threat intelligence, RBAC, SSO, cloud scanning, and multi-tenant isolation. Annual plans save 17%.
Does HADES execute the files it scans?
No. HADES performs purely forensic analysis of file metadata and structure. It never executes, opens, or renders target files. This makes it safe to use on suspected malware without risk of detonation.
What are the system requirements?
Python 3.8+ and Phil Harvey's ExifTool installed on PATH. Optional dependencies (PostgreSQL, Redis, YARA, scikit-learn) are installed via pip dependency groups. HADES runs on Linux, macOS, and Windows.
Can HADES run in an air-gapped environment?
Yes. HADES has zero required network dependencies. Cloud threat intelligence, SIEM connectors, and other network features are optional. The core engine, YARA rules, and ML models all run locally.
What file types does HADES support?
HADES analyzes metadata across all major file format families: images (JPEG, PNG, GIF, BMP, TIFF, WebP, HEIF, SVG), documents (PDF, DOCX/XLSX/PPTX, RTF, legacy .doc/.xls/.ppt, OneNote), archives (ZIP, RAR, 7z with deep structural forensics), audio (MP3, WAV, OGG, FLAC, M4A), video (MKV, MP4, AVI, FLV), email (.eml, .msg), web files (HTML, CSV, EPS/PostScript), shortcuts (.lnk), fonts (TTF, OTF, WOFF), installers (MSI), Java/Android (JAR, APK), and firmware (UEFI, SPI flash, BIOS). Each format has a dedicated forensic analyzer with format-specific threat detection.
How does HADES differ from ExifTool alone?
ExifTool extracts metadata — HADES analyzes it for threats. HADES adds YARA-based threat detection, ML ensemble anomaly scoring, deep format analysis (PDF JavaScript, Office macros, polyglot files, Zombie ZIP attacks, VBA stomping, RTF exploits, LNK payloads, audio/video metadata threats, email phishing, CSV formula injection, HTML credential harvesting), behavioral campaign detection, MITRE ATT&CK mapping, court-ready evidence handling, and automated response playbooks on top of ExifTool's extraction capabilities.
What specific threats can HADES detect in file metadata?
HADES detects 44+ threat categories including: Zombie ZIP attacks (compression method mismatch), PDF shadow attacks (incremental update abuse), VBA stomping (source/p-code mismatch), RTF Equation Editor exploits (CVE-2017-11882), weaponized LNK shortcuts (PowerShell payloads, icon harvesting), OneNote embedded executables, CSV formula injection (=CMD, DDE), HTML credential harvesting and phishing, steganography (JPEG DCT analysis, palette manipulation), image decompression bombs, timestamp stomping (anti-forensic detection), archive bombs (ZIP, RAR, 7z), and many more. Every finding is mapped to MITRE ATT&CK techniques.
Does HADES integrate with my existing SIEM?
Yes. HADES includes native API connectors for Splunk HEC, Elasticsearch, and Microsoft Sentinel, plus format-based export in Syslog (RFC 5424), CEF (ArcSight), STIX 2.1, LEEF (QRadar), and ECS (Elastic). All connectors support batching, retry with exponential backoff, and health checking.

Ready to detect hidden threats in your file metadata?

Install from Cloudsmith GitHub Book a Demo