rfxn
Tags: blacklight, agentic, claude, managed-agents, linux-security, hackathon

Project Blacklight: An Agentic Defense Layer for the Open-Source Linux Stack

Ryan MacDonald · 4 min video
Recorded Talk

Abstract

In March 2026, an unauthenticated RCE dropped on every version of Magento 2. Sansec named it PolyShell. No vendor patch existed at disclosure. None exists today. Mass exploitation began within forty-eight hours. The lesson from that incident response was not 'AI helps with incident response.' The lesson was: the agent doesn't belong in a chat window. It belongs in the shell, on the host, holding the investigation collateral across days, acting on the tools and primitives we already have and trust.

This is the pitch I gave for the Cerebral Valley Built with 4.7 hackathon. Most defensive teams aren't on Charlotte or Sentinel. They're running ModSecurity, Apache, iptables, the open-source Linux defensive stack the industry has built since 2002. They don't have an EDR contract. They don't have a dedicated security team. And neither of those gets solved fast enough when vulnerabilities are exploitable in hours.

Blacklight is the alternative: an agentic defense layer that uses what you already have, with a shell script and an API key. Three primitives made it possible in 2026 — Opus 4.7 with a million-token context window, Anthropic Managed Agents for a curator session that survives across operators and hosts, and the skills-native pattern for description-routed lazy-loaded behavior. The model choice is the system design.

Key Takeaways

  • The agent belongs in the shell, not the chat window. Long-horizon investigations need to act on the same tools the operator does.
  • The case persists across operators and hosts. The host doesn't. Anthropic Managed Agents made this concrete: three days later, different operator, different host, reattach and the ledger is right there.
  • Million-token context turns 'fits in a retriever' into 'fits in the model.' Apache logs, ModSec audits, the curator's reasoning chain, no retriever to drop the one record that mattered.
  • Skills-native pattern beats prompt stuffing. Twenty-three skill directories, six routing skills, eight workspace corpora. Description-routed and lazy-loaded.
  • Honest about limits: model-bounded today, even on Opus 4.7. Operates at the edge of what's possible across roughly a five-system incident. That covers over 80% of real-world cases.
  • Built on what operators already trust: Linux Malware Detect as the post-scan trigger, ModSecurity and Apache logs as evidence, iptables as the response surface. A shell script and an API key.
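
The last takeaway describes the loop at its simplest: a Linux Malware Detect hit on a dropped file is the trigger, the Apache access log is the evidence, iptables is the response surface, and the finding goes into a case ledger rather than staying on the host. The following is an added illustration of that loop, not code from the talk or from Blacklight; the access lines, the host name, the file path and the signature name are all constructed placeholders, and the agent only proposes the iptables rule, it does not run it.

```python
import re
from datetime import datetime, timedelta

# Constructed Apache combined-format access lines (sample input, not real traffic).
ACCESS_LOG = """\
203.0.113.7 - - [12/Mar/2026:09:14:02 +0000] "POST /api/upload HTTP/1.1" 200 512 "-" "curl/8.5"
198.51.100.4 - - [12/Mar/2026:09:14:10 +0000] "GET /index.php HTTP/1.1" 200 9000 "-" "Mozilla/5.0"
203.0.113.7 - - [12/Mar/2026:09:14:20 +0000] "POST /api/upload HTTP/1.1" 200 512 "-" "curl/8.5"
203.0.113.7 - - [12/Mar/2026:09:15:01 +0000] "GET /media/x.php HTTP/1.1" 200 44 "-" "curl/8.5"
"""
# Constructed post-scan trigger, shaped like what a maldet hit hands the agent (signature name is a placeholder).
LMD_TRIGGER = {"host": "web-01", "file": "/var/www/pub/media/x.php",
               "signature": "{HEX}php.cmdshell.placeholder", "mtime": "2026-03-12T09:14:21+00:00"}

LINE_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})')

def parse_access_log(text):
    """Turn combined-format lines into dicts carrying a timezone-aware datetime."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ev = m.groupdict()
            ev["ts"] = datetime.strptime(ev["ts"], "%d/%b/%Y:%H:%M:%S %z")
            events.append(ev)
    return events

def correlate(events, trigger, window_minutes=5):
    """Link the dropped file to client IPs: a POST shortly before its mtime, then a request for the file."""
    dropped = datetime.fromisoformat(trigger["mtime"])
    name = trigger["file"].rsplit("/", 1)[-1]
    posted, touched = set(), set()
    for ev in events:
        if ev["method"] == "POST" and dropped - timedelta(minutes=window_minutes) <= ev["ts"] <= dropped:
            posted.add(ev["ip"])
        if ev["ts"] >= dropped and ev["path"].split("?")[0].endswith("/" + name):
            touched.add(ev["ip"])
    return sorted(posted & touched)

def propose_rules(suspects):
    """iptables is the response surface; the agent proposes a rule, the operator or policy applies it."""
    return [f"iptables -I INPUT -s {ip} -j DROP" for ip in suspects]

def record_case(ledger, trigger, suspects):
    """Append evidence and proposed action to the case ledger that outlives this host."""
    ledger.setdefault("entries", []).append({"host": trigger["host"], "file": trigger["file"],
        "signature": trigger["signature"], "suspects": suspects, "proposed": propose_rules(suspects)})
    return ledger
```

Calling `record_case({"case_id": "CASE-PLACEHOLDER"}, LMD_TRIGGER, correlate(parse_access_log(ACCESS_LOG), LMD_TRIGGER))` yields one ledger entry naming 203.0.113.7 and the rule the operator would review.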
