Janus analyzes C2 telemetry to surface failure patterns, operator friction, and automation opportunities across engagements.
Requires Docker and the janus-cli binary built for your operating system.
```sh
git clone https://github.com/SpecterOps/Janus/ && cd Janus
make cli
cp Config/janus.example.yml Config/janus.yml # set source, redaction settings, etc.
./janus-cli run
```

`pull` and `run` include source preflight/auth handling; for provider-specific auth, config precedence, TLS caveats, and Docker networking details, see docs/FAQ.md and docs/architecture.md.

```sh
./janus-cli run # full execution of the ingest, analyze, and report pipeline for the configured source
./janus-cli pull # ingest Mythic, Ghostwriter, Cobalt Strike, or Outflank logs from sources defined in config
./janus-cli analyze # analyze all previously ingested logs
./janus-cli report # generate an HTML report from latest analysis
```

```sh
./janus-cli analyze --analyzer dwell-time
./janus-cli analyze --events out/complete/operation-chimera_20260306_174521/events.ndjson
./janus-cli report --json out/complete/operation-chimera_20260306_174521/
./janus-cli merge --inputs out/partial/op1/ out/partial/op2/ --output out/merged/
./janus-cli multi-analyze --pattern "out/partial/*/" --output out/combined/
./janus-cli pull --source cobaltstrike
./janus-cli run --source cobaltstrike
./janus-cli run --source outflank --log-path out/input/TSO8IEAB.json
./janus-cli run --source mythic --response-page-size 100 # lower Mythic response pagination for huge output rows
./janus-cli status # display the current ingest/analyze/report state
./janus-cli config # print active configuration
```

| Analyzer | What it answers |
|---|---|
| summary-visualization | What does the operation look like at a glance across time, volume, and status? |
| command-failure-summary | Which commands fail most, and how often? |
| command-retry-success | Which commands need repeated tuning to succeed? |
| command-duration | How long do commands take, and what's slow? |
| outlier-context | What surrounds unusually slow commands? |
| callback-health | Which implant sessions show failure patterns or crashes? |
| av-tracker | Which commands or callbacks coincided with AV/EDR detections in ps output? |
| dwell-time | Where are operators losing time between tasks? |
| friction-score | Which commands create the most operational friction across failures, retries, duration, callback health, and argument anomalies? |
| parameter-entropy | Which arguments look structurally anomalous? |
| argument-position-profile | What shows up at a given argument slot? |
| tool-dump | Which registry-defined command/tool subsets should be exported for downstream datasets or pattern mining? |
friction-score combines findings from the other command analyzers into ranked operational friction candidates. Tune scoring weights and confidence thresholds in Config/analyzer_registry.yml, and tune recommendation actions in Config/friction_score_registry.yml.
parameter-entropy works best when you tune Config/analyzer_registry.yml to your own workflows. The current upload tuning reflects our observed data and should be treated as a starting point, not a universal baseline.
Use the repo-local skills and commands by running `claude` or `codex` from the Janus folder, then invoking the command or skill with the `/` or `$` prefix.
- janus-analyzer-skill: Use for Janus measurement, analyzer-selection, and source-aware implementation requests across Janus-supported C2 telemetry.
- janus-ingestor-creation: Use for adding or adjusting Janus live API and local-file source ingestors while preserving the normalized event model.
- janus-insight-interpreter: Use for evidence-based interpretation of Janus artifacts across Janus-supported C2 telemetry.
- Claude command equivalents live under .claude/commands, including janus-ingestor.
Janus runs analysis locally and does not use LLMs or external services for normalized operation data.
Retention policies (output_rule and arguments_rule) control what normalized content is written to disk. See docs/architecture.md — Privacy.
- report.html - visual HTML report, including a Data Quality section with source/parser confidence warnings
- bundle.json - versioned JSON metadata for automation and downstream tooling, including structured data_quality
- events.ndjson - normalized event stream for debugging, replay, and testing
Analyzer outputs include friction-score.json when the friction score analyzer is enabled. The HTML report surfaces the top friction candidates and their recommendation metadata.
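As an added illustration of the questions the command-failure-summary and dwell-time analyzers answer over an events.ndjson stream (example code written for this README, not Janus's own analyzers), the script below parses a constructed NDJSON sample, ranks commands by failure count, and flags long gaps between consecutive tasks on the same callback. The field names callback_id, command, status and timestamp, and the 600-second dwell threshold, are assumptions for this example and not Janus's normalized event model.

```python
import json
from collections import defaultdict
from datetime import datetime
# Constructed sample shaped like an events.ndjson stream; the field names
# (callback_id, command, status, timestamp) are assumptions, not Janus's schema.
SAMPLE_NDJSON = """\
{"callback_id": "cb-1", "command": "ls", "status": "success", "timestamp": "2026-03-06T17:45:21Z"}
{"callback_id": "cb-1", "command": "upload", "status": "error", "timestamp": "2026-03-06T17:46:05Z"}
{"callback_id": "cb-1", "command": "upload", "status": "error", "timestamp": "2026-03-06T17:47:40Z"}
{"callback_id": "cb-1", "command": "upload", "status": "success", "timestamp": "2026-03-06T17:58:10Z"}
{"callback_id": "cb-2", "command": "ls", "status": "success", "timestamp": "2026-03-06T17:50:00Z"}
{"callback_id": "cb-2", "command": "ps", "status": "error", "timestamp": "2026-03-06T18:20:00Z"}
"""

def parse_events(ndjson_text):
    """One JSON object per line; blank lines are skipped, malformed lines fail loudly."""
    events = []
    for lineno, line in enumerate(ndjson_text.splitlines(), 1):
        if not line.strip():
            continue
        try:
            ev = json.loads(line)
        except json.JSONDecodeError as exc:
            raise ValueError(f"line {lineno}: malformed event: {exc}") from exc
        ev["_ts"] = datetime.fromisoformat(ev["timestamp"].replace("Z", "+00:00"))  # parsed for ordering
        events.append(ev)
    return events

def command_failure_summary(events):
    """Per command: (command, failures, total, failure_rate), most failures first."""
    counts = defaultdict(lambda: [0, 0])  # command -> [failures, total]
    for ev in events:
        counts[ev["command"]][1] += 1
        if ev["status"] != "success":
            counts[ev["command"]][0] += 1
    return sorted(((c, f, t, round(f / t, 2)) for c, (f, t) in counts.items()), key=lambda r: (-r[1], r[0]))

def dwell_time(events, threshold_s=600):
    """Gaps longer than threshold_s seconds between consecutive tasks on the same callback."""
    by_callback = defaultdict(list)
    for ev in events:
        by_callback[ev["callback_id"]].append(ev)
    gaps = []
    for cb, evs in by_callback.items():
        evs.sort(key=lambda e: e["_ts"])
        for prev, cur in zip(evs, evs[1:]):
            gap = (cur["_ts"] - prev["_ts"]).total_seconds()
            if gap > threshold_s:
                gaps.append((cb, prev["command"], cur["command"], int(gap)))
    return gaps
```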
For the full normalized event model and architecture notes, see docs below.
- Thanks to @IC3-512 for providing OC2 logs that helped make the OC2 ingestion work possible.