TL;DR
AEGIS is a 9-layer autonomous cyber defense system that moves targets, detects anomalies, and signs every decision with ML-DSA-87 (NIST FIPS 204 post-quantum cryptography). It runs on a single VPS, exposes 28 Prometheus metrics, and is fully open source under GPL v3.
GitHub: https://github.com/conchaestradamiguelangel-droid/aegis
The problem
Traditional cyber defense is static. Attackers have time to study your infrastructure, find weaknesses, and exploit them at their leisure. Once they know your attack surface, the game is half over.
I wanted to flip this: make the defender move faster than the attacker can map.
What is AMTD?
Autonomous Moving Target Defense (AMTD) is the idea of continuously changing system parameters to make the attack surface unpredictable. Instead of hardening a fixed surface, you make it move.
AEGIS implements AMTD as one of its 9 defense layers.
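The table below says the AMTD layer "rotates ports and configs". One way to make such rotation unpredictable to an observer but deterministic for everyone who is supposed to follow it is to derive each period's port from a shared secret and a time slice. This is an added example of that technique, not AEGIS's code: the epoch length, port band, service name and demo secret are all assumed values.

```python
"""Keyed, time-sliced port rotation for an AMTD layer (added example)."""
import hashlib
import hmac
import time
from typing import Optional

EPOCH_SECONDS = 300           # lifetime of one port assignment (assumed value)
PORT_RANGE = (20000, 60000)   # band to rotate inside (assumed; clear of well-known ports)


def epoch_index(now: Optional[float] = None, epoch_seconds: int = EPOCH_SECONDS) -> int:
    """Number the time slices since the Unix epoch."""
    t = time.time() if now is None else now
    return int(t // epoch_seconds)


def port_for_epoch(secret: bytes, service: str, epoch: int,
                   port_range=PORT_RANGE) -> int:
    """Derive the listening port for `service` during time slice `epoch`.
    HMAC-SHA256 over (service, epoch) is unpredictable without the secret, so
    mapping the surface now reveals nothing about the next slice, while every
    legitimate party holding the secret computes the same port."""
    lo, hi = port_range
    width = hi - lo + 1
    tag = hmac.new(secret, f"{service}:{epoch}".encode(), hashlib.sha256).digest()
    # 64 bits reduced mod a ~40k-wide band: modulo bias is negligible here
    return lo + int.from_bytes(tag[:8], "big") % width


def accepted_ports(secret: bytes, service: str, now: Optional[float] = None,
                   grace_epochs: int = 1) -> list:
    """Ports the server keeps open right now: the current slice plus `grace_epochs`
    previous ones, so connections in flight across a boundary and clients with
    slightly skewed clocks are not cut off. First element is the current port."""
    e = epoch_index(now)
    return [port_for_epoch(secret, service, e - k) for k in range(grace_epochs + 1)]


def rotation_plan(secret: bytes, service: str, start_epoch: int, count: int) -> list:
    """(epoch, port) pairs for the next `count` slices: what a firewall or load
    balancer sync job would consume, and what the audit layer would sign."""
    return [(e, port_for_epoch(secret, service, e))
            for e in range(start_epoch, start_epoch + count)]


if __name__ == "__main__":
    key = b"constructed-demo-secret"  # in practice from a KMS/HSM, never in source
    print("accepted now:", accepted_ports(key, "ssh"))
    for epoch, port in rotation_plan(key, "ssh", epoch_index(), 4):
        print(epoch, port)
```

Two things this does not solve on its own: the firewall rule set and any load balancer must be updated from the same `rotation_plan` before the slice begins, and each rotation is itself a configuration change, so under the page's design it should be recorded and signed by the Audit layer.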
The 9-layer architecture
| Layer | Name | What it does |
|---|---|---|
| 1 | Threat Intelligence | Aggregates external threat feeds |
| 2 | Behavioral Analysis | ML-based anomaly detection on traffic patterns |
| 3 | AMTD | Autonomous Moving Target Defense - rotates ports and configs |
| 4 | Deception | Honeypots and decoy services |
| 5 | Isolation | Dynamic network segmentation |
| 6 | Response | Automated incident response playbooks |
| 7 | Forensics | Evidence collection and chain-of-custody |
| 8 | Recovery | Automated rollback and restoration |
| 9 | Audit | Post-quantum signed audit trail |
Each layer runs independently and feeds signals to the others. The system degrades gracefully - losing one layer does not stop the rest.
Post-quantum signing with ML-DSA-87
Every decision AEGIS makes - every block, every configuration change, every alert - is signed using ML-DSA-87, the NIST FIPS 204 standardization of CRYSTALS-Dilithium.
Why this matters:
- RSA and ECDSA signatures can be forged by a large enough quantum computer running Shor's algorithm
- ML-DSA-87 is quantum-resistant and already standardized by NIST
- The audit trail in AEGIS cannot be forged or tampered with, even by a quantum adversary
```python
from dilithium_py.dilithium import Dilithium5

# Generate post-quantum keypair (pk is public; sk must stay on the signing node)
pk, sk = Dilithium5.keygen()

# Sign a defense decision
message = b"BLOCK: 192.168.1.100 - anomaly score 0.94"
signature = Dilithium5.sign(sk, message)

# Verify (any node can verify without the private key)
valid = Dilithium5.verify(pk, message, signature)
assert valid
# Note: Dilithium5 in dilithium-py is the round-3 CRYSTALS-Dilithium parameter set;
# the FIPS 204 final ML-DSA-87 is exposed separately as dilithium_py.ml_dsa.ML_DSA_87.
```
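The snippet above signs one message. What the Audit layer needs is a trail where each record commits to the previous one, so that editing, deleting or reordering any entry is detectable, not just forging a single signature. The following is an added example of that design, not AEGIS's own code: records are canonical JSON, each carries the SHA-256 of the previous record, and the signature covers the record hash. It assumes dilithium-py's `ML_DSA_87` exposes the same `keygen`/`sign`/`verify` calls as `Dilithium5` above; when the package is not installed it substitutes an HMAC-SHA256 placeholder (an assumption for running offline only, which, being symmetric, loses the verify-with-public-key-only property). Field names and the sample decisions are constructed.

```python
"""Hash-chained, signed audit trail for defense decisions (added example)."""
import copy
import hashlib
import hmac
import json
import os

try:
    # FIPS 204 ML-DSA-87 from the dilithium-py package, when it is installed
    from dilithium_py.ml_dsa import ML_DSA_87 as _ML_DSA
except ImportError:
    _ML_DSA = None  # fall back to the offline placeholder below

GENESIS_HASH = "0" * 64  # prev_hash of the first entry (constructed convention)
BODY_FIELDS = ("seq", "layer", "action", "detail", "prev_hash")


class Signer:
    """Pluggable signer: ML-DSA-87 if available, else an HMAC-SHA256 placeholder.
    The placeholder is an assumption for running offline only."""

    def __init__(self):
        if _ML_DSA is not None:
            self.pk, self.sk = _ML_DSA.keygen()
            self.algorithm = "ML-DSA-87"
        else:
            self.sk = os.urandom(32)
            self.pk = self.sk  # symmetric stand-in: verifier holds the same key
            self.algorithm = "HMAC-SHA256-PLACEHOLDER"

    def sign(self, data: bytes) -> bytes:
        if _ML_DSA is not None:
            return _ML_DSA.sign(self.sk, data)
        return hmac.new(self.sk, data, hashlib.sha256).digest()

    def verify(self, data: bytes, sig: bytes) -> bool:
        if _ML_DSA is not None:
            return _ML_DSA.verify(self.pk, data, sig)
        expected = hmac.new(self.pk, data, hashlib.sha256).digest()
        return hmac.compare_digest(expected, sig)


def canonical(body: dict) -> bytes:
    """Canonical JSON (sorted keys, no whitespace) so every node hashes identically."""
    return json.dumps(body, sort_keys=True, separators=(",", ":")).encode()


class AuditTrail:
    def __init__(self, signer: Signer):
        self.signer = signer
        self.entries = []

    def append(self, layer: int, action: str, detail: str) -> dict:
        prev_hash = self.entries[-1]["hash"] if self.entries else GENESIS_HASH
        body = {"seq": len(self.entries), "layer": layer, "action": action,
                "detail": detail, "prev_hash": prev_hash}
        digest = hashlib.sha256(canonical(body)).hexdigest()
        # The signature covers the hash, which commits to the body and to the
        # previous entry, so each signature binds the whole chain so far.
        sig = self.signer.sign(bytes.fromhex(digest)).hex()
        entry = dict(body, hash=digest, sig=sig)
        self.entries.append(entry)
        return entry


def verify_trail(entries, signer: Signer):
    """Return (True, -1) if the chain is intact, else (False, index of first bad entry).
    Catches edited records, deletions, reordering and entries with a bad signature."""
    prev_hash = GENESIS_HASH
    for i, e in enumerate(entries):
        body = {k: e[k] for k in BODY_FIELDS}
        if e["seq"] != i or e["prev_hash"] != prev_hash:
            return False, i
        if hashlib.sha256(canonical(body)).hexdigest() != e["hash"]:
            return False, i
        if not signer.verify(bytes.fromhex(e["hash"]), bytes.fromhex(e["sig"])):
            return False, i
        prev_hash = e["hash"]
    return True, -1


def demo() -> dict:
    """Build a three-entry trail from constructed sample decisions, then tamper with copies."""
    signer = Signer()
    trail = AuditTrail(signer)
    trail.append(3, "ROTATE", "ssh listener moved from 22 to 41873")
    trail.append(2, "BLOCK", "192.168.1.100 - anomaly score 0.94")
    trail.append(6, "PLAYBOOK", "isolate-host completed")

    edited = copy.deepcopy(trail.entries)
    edited[1]["detail"] = "192.168.1.100 - anomaly score 0.04"  # rewrite history
    deleted = copy.deepcopy(trail.entries)
    del deleted[1]                                               # drop the BLOCK record

    return {
        "algorithm": signer.algorithm,
        "intact": verify_trail(trail.entries, signer),
        "edited": verify_trail(edited, signer),
        "deleted": verify_trail(deleted, signer),
    }


if __name__ == "__main__":
    print(demo())
```

With a real ML-DSA-87 key, any node holding only `pk` can run `verify_trail`; the signing node keeps `sk`. Note that the chain only proves integrity back to the first entry it holds, so the latest hash should be anchored somewhere outside the VPS (a remote log, a second node) or an attacker with the signing key could still truncate and re-sign the tail.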
28 Prometheus metrics
AEGIS exposes a /metrics endpoint with 28 metrics covering:
- Threats detected and blocked per layer
- AMTD rotation count and frequency
- Anomaly scores by source IP
- Response times per playbook
- Signature verification latency
Drop-in compatible with any Grafana dashboard.
Getting started
```bash
git clone https://github.com/conchaestradamiguelangel-droid/aegis
cd aegis
pip install -r requirements.txt
cp .env.example .env
# Edit .env with your config
python aegis.py
```
All 9 layers start automatically. Prometheus metrics are available at :8080/metrics by default.
Current status
- GPL v3, fully open source
- Runs on a single VPS (tested on Hetzner CX21)
- 28 Prometheus metrics
- ML-DSA-87 signing on every decision
- AMTD layer operational
Looking for feedback from the security community, especially on the AMTD implementation and the post-quantum audit trail design.
GitHub: https://github.com/conchaestradamiguelangel-droid/aegis