Janus analyzes C2 telemetry to surface failure patterns, operator friction, and automation opportunities across engagements.
Requires Docker and the janus-cli binary built for your operating system.
```bash
git clone https://github.com/SpecterOps/Janus/ && cd Janus
make cli
cp Config/janus.example.yml Config/janus.yml # set source, redaction settings, etc.
./janus-cli run     # full execution of the ingest, analyze, and report pipeline for the configured source
./janus-cli pull    # ingest Mythic, Ghostwriter, or Cobalt Strike logs from sources defined in config
./janus-cli analyze # analyze all previously ingested logs
./janus-cli report  # generate an HTML report from latest analysis
```

```bash
./janus-cli analyze --analyzer dwell-time
./janus-cli analyze --events out/complete/operation-chimera_20260306_174521/events.ndjson
./janus-cli report --json out/complete/operation-chimera_20260306_174521/
./janus-cli merge --inputs out/partial/op1/ out/partial/op2/ --output out/merged/
./janus-cli multi-analyze --pattern "out/partial/*/" --output out/combined/
./janus-cli pull --source cobaltstrike
./janus-cli run --source cobaltstrike
./janus-cli status # display the current ingest/analyze/report state
./janus-cli config # print active configuration
```

`pull` and `run` include source preflight/auth handling; for provider-specific auth, config precedence, TLS caveats, and Docker networking details, see docs/FAQ.md and docs/architecture.md.
To use the skills in this repo, invoke the claude or codex CLI from the Janus folder. Once you type / (claude) or $ (codex) to call a skill, it is populated there automatically. Two skills are included:
- janus-analyzer-skill: Use this skill for Janus requests that ask what to measure, how to measure it, which analyzer should answer it, or how to implement or adjust source-aware analysis for Mythic or Ghostwriter telemetry.
- janus-insight-interpreter: Use this skill for Janus requests that ask for insights from any Janus artifact, including report HTML, bundles, analyzer outputs, events.ndjson, raw exports, or standalone JSON snippets.
| Analyzer | What it answers |
|---|---|
| summary-visualization | What does the operation look like at a glance across time, volume, and status? |
| command-failure-summary | Which commands fail most, and how often? |
| command-retry-success | Which commands need repeated tuning to succeed? |
| command-duration | How long do commands take, and what's slow? |
| outlier-context | What surrounds unusually slow commands? |
| callback-health | Which implant sessions show failure patterns or crashes? |
| av-tracker | Which commands or callbacks coincided with AV/EDR detections in ps output? |
| dwell-time | Where are operators losing time between tasks? |
| parameter-entropy | Which arguments look structurally anomalous? |
| argument-position-profile | What shows up at a given argument slot? |
| tool-dump | Which registry-defined command/tool subsets should be exported for downstream datasets or pattern mining? |
parameter-entropy works best when you tune Config/analyzer_registry.yml to your own workflows. The current upload tuning reflects our observed data and should be treated as a starting point, not a universal baseline.
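To make the analyzer table concrete, here is an added example (not Janus code, and not its real analyzers) that runs three of the questions above over a constructed `events.ndjson`: a command-failure summary, a dwell-time scan for long gaps between tasks on the same callback, and a character-entropy check on arguments. The event fields (`ts`, `callback_id`, `command`, `status`, `args`), the sample lines and the thresholds are all assumptions for illustration; the real normalized event model is documented in docs/architecture.md, and the entropy threshold stands in for the registry tuning the paragraph above says to adjust.

```python
"""Toy analyzers over a constructed NDJSON event stream (added example, not Janus code).

Field names are assumed, not Janus's real schema:
  ts          ISO-8601 UTC timestamp of the task
  callback_id implant session the task ran on
  command     command name as issued by the operator
  status      "success" or an error status
  args        raw argument string
"""
import json
import math
from collections import Counter, defaultdict
from datetime import datetime

# Constructed sample events; two callbacks, one retried upload, one odd-looking argument.
SAMPLE_NDJSON = """\
{"ts": "2026-03-06T17:45:21Z", "callback_id": "cb-1", "command": "ls", "status": "success", "args": "/tmp"}
{"ts": "2026-03-06T17:46:05Z", "callback_id": "cb-1", "command": "ps", "status": "success", "args": ""}
{"ts": "2026-03-06T17:58:40Z", "callback_id": "cb-1", "command": "upload", "status": "error", "args": "a.bin"}
{"ts": "2026-03-06T17:59:12Z", "callback_id": "cb-1", "command": "upload", "status": "error", "args": "a.bin"}
{"ts": "2026-03-06T18:00:30Z", "callback_id": "cb-1", "command": "upload", "status": "success", "args": "a.bin"}
{"ts": "2026-03-06T17:50:00Z", "callback_id": "cb-2", "command": "ls", "status": "error", "args": "x7Qz9!kLm2#pW"}
{"ts": "2026-03-06T18:20:00Z", "callback_id": "cb-2", "command": "ls", "status": "success", "args": "/tmp"}
"""


def parse_events(ndjson_text):
    """Parse one JSON object per line, skipping blank lines, and convert timestamps."""
    events = []
    for line in ndjson_text.splitlines():
        line = line.strip()
        if not line:
            continue
        ev = json.loads(line)
        ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append(ev)
    return events


def command_failure_summary(events):
    """Per command: total runs, failed runs and failure rate (any non-success status counts as a failure)."""
    totals, failures = Counter(), Counter()
    for ev in events:
        totals[ev["command"]] += 1
        if ev["status"] != "success":
            failures[ev["command"]] += 1
    return {
        cmd: {"total": totals[cmd], "failed": failures[cmd], "failure_rate": failures[cmd] / totals[cmd]}
        for cmd in totals
    }


def dwell_time(events, threshold_s=600):
    """Gaps between consecutive tasks on the same callback, longest first.

    Gaps longer than threshold_s (assumed 10 minutes here) are flagged as candidate operator friction.
    """
    by_callback = defaultdict(list)
    for ev in events:
        by_callback[ev["callback_id"]].append(ev)
    gaps = []
    for cb, evs in by_callback.items():
        evs.sort(key=lambda e: e["ts"])
        for prev, cur in zip(evs, evs[1:]):
            gap = (cur["ts"] - prev["ts"]).total_seconds()
            gaps.append({"callback_id": cb, "after": prev["command"], "before": cur["command"],
                         "gap_s": gap, "flagged": gap > threshold_s})
    return sorted(gaps, key=lambda g: g["gap_s"], reverse=True)


def shannon_entropy(s):
    """Character-level Shannon entropy in bits; empty input scores 0."""
    if not s:
        return 0.0
    counts = Counter(s)
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def parameter_entropy(events, min_bits=3.0):
    """Arguments whose character entropy is at least min_bits (an assumed, tunable threshold)."""
    return [
        {"command": ev["command"], "args": ev["args"], "entropy_bits": round(shannon_entropy(ev["args"]), 2)}
        for ev in events
        if shannon_entropy(ev["args"]) >= min_bits
    ]


if __name__ == "__main__":
    evs = parse_events(SAMPLE_NDJSON)
    print(json.dumps(command_failure_summary(evs), indent=2))
    for g in dwell_time(evs):
        print(f"{g['callback_id']}: {g['after']} -> {g['before']} {g['gap_s']:.0f}s flagged={g['flagged']}")
    print(parameter_entropy(evs))
```

The entropy threshold is the part that needs tuning per workflow: ordinary paths and hostnames already carry a few bits of entropy, so a fixed cut-off chosen on one team's data will misfire on another's, which is the point the paragraph above makes about the shipped registry tuning.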
Janus runs analysis locally and does not use LLMs or external services for normalized operation data.
Retention policies (output_rule and arguments_rule) control what normalized content is written to disk. See docs/architecture.md — Privacy.
- `report.html` - visual HTML report
- `bundle.json` - versioned JSON metadata for automation and downstream tooling
- `events.ndjson` - normalized event stream for debugging, replay, and testing
For the full normalized event model and architecture notes, see docs below.