Cyber Tools Built for Supremacy

Full-Spectrum Reconnaissance

Visualize the entire attack surface. From subdomain scans to WHOIS, CVEs, and port maps, OmniRecon runs full-spectrum intelligence on any target. Includes AI-based risk scoring, alerts, and automated report generation.

Dashboard: Control & Scan Management

Manage your entire reconnaissance workflow from one powerful dashboard. Purchase credits, launch targeted scans, and track your domains in real time. OmniRecon’s intuitive interface lets you monitor subdomains, CVEs, ports, and more — all from a single control panel.

Reports: AI-Powered Intelligence

Dive into actionable threat intelligence with AI-analyzed reports. Each scan generates a detailed, timestamped profile including vulnerabilities, DNS structure, SSL analysis, tech stack, and risk scoring — all visualized for rapid decision-making and exportable in one click.

Monitoring: Continuous Threat Watch

Stay ahead of threats with real-time domain monitoring. Add any domain, configure scan frequency, and let OmniRecon watch for critical changes in subdomains, CVEs, DNS, SSL, and more. Get notified instantly when something shifts — before attackers do.

AI Forensics SIEM + SOAR

LogSentra is a high-performance, AI-driven Cyber Forensics & SOAR platform that converts raw logs into actionable intelligence and automated defense. It follows a streamlined 4-phase lifecycle:

• 🟣 Ingest Seamlessly stream, tail, or batch-upload logs (Apache, NGINX, UFW, SSH, Windows EVTX, Sysmon, JSON). Auto-parse & normalize, deduplicate at wire-speed, on-the-fly compression.
• 🧠 Analyze Isolation Forest, entropy & n-gram scoring, regex/YARA for LFI/SQLi/RCE/XSS/SSRF, seasonal baselines, AI bot fingerprinting.
• 🔍 Enrich Cross-reference in <120 ms: AbuseIPDB, GreyNoise, Shodan, VirusTotal, OTX, WHOIS/ASN, passive DNS, Geo-IP/TOR/cloud flags.
• ⚡ Respond block/temp_block/unblock/whitelist, recon ops (geo, traceroute, DNS, port-scan), log/notify/email/webhook, run_command. All versioned with TTL, rollback, tamper-proof changelog.

Getting Started

• Create a Project: Name it, check Remote Machine to reveal SSH host/port/user and password/private key fields. Define Access + Error logs (Apache, Nginx, IIS, HAProxy, ELB, JSON, Traefik), Firewall logs (UFW, Fortinet, Sophos, Palo Alto, Cisco, pfSense, AWS VPC Flow, Azure NSG, Checkpoint, Juniper), and Auth logs (.json, .log, .csv, plaintext). Click Start Monitoring to begin; the project appears in the dashboard sidebar.
• Add a Firewall (optional): If none is added, LogSentra defaults to UFW on the linked machine. Or configure: name → type (UFW, iptables, Fortinet, Sophos, Palo Alto, Cisco, pfSense, OPNsense, AWS SG, Checkpoint, Juniper, MikroTik, Azure) → API/SSH host/port → credentials → Save Firewall Config. It then appears in the sidebar.
• Rules Engine: After initial scanning, open the project → Rules Engine → pick your firewall from the dropdown → execute manual commands, rules, and playbooks against that firewall.
• Threat Feeds: Dynamically add API keys for AbuseIPDB, VirusTotal, AlienVault OTX, Shodan, GreyNoise, CIRCL MISP, IPQualityScore, IBM, CrowdSec, Kaspersky, Cisco.

Interactive Analyst Dashboards

Each module targets a critical surface for rapid triage and deep forensics.

• Bots – Entropy/behavior signatures to flag crawlers, fuzzers, stealth recon.
• Status Codes – Trend 2xx/3xx/4xx/5xx; catch brute-force & backend issues.
• Methods – Spot risky verbs (DELETE/PUT/TRACE) and API probing.
• Suspicious – Surface SQLi, RCE, LFI, XSS, SSRF via regex + AI inspection.
• Risky IPs – AI score blending entropy, deviation, geo-risk, intel overlaps.
• Daily Activity – Time series of real vs bot traffic and attack surges.
• Persistence – Detect repeated/rotating payloads and APT-like cadence.
• Error Log AI – Cluster app faults from error logs with NLP + anomaly models.
• Firewall Alerts – Visualize blocks, scans, packet floods with TTL history.
• Auth Forensics – SSHD sudo abuse, failed logins, geo/session anomalies.
• Threat Intel – AbuseIPDB, GreyNoise, Shodan, OTX, VT + internal intel.
• Global Map – Live heatmap, hotspots by region/ASN, cumulative attack score.

Rule Engine & Automated Playbooks

Custom Rules combine Path, Method, Status Code, UA markers, CIDR/prefix with actions:

Block · Temp Block (TTL) · Unblock · Whitelist · Geo Locate · Traceroute · DNS Lookup · Port Scan · Run Command

All executions are fully audited with TTL + rollback.

Playbooks chain actions on triggers like High Score, Scanner Detected, Login Failures, Country Block, Rate Limit, Request Surge, Path Regex — executing autonomously with detailed logs.

Air-Gapped by Design — Fully Offline, Fully Private

• Self-Contained: All analytics, ML models, and correlations run locally; no telemetry.
• Offline TI: Preload curated feeds for enrichment without live queries.
• Ideal for: Defense, critical infrastructure, private SOCs, and classified networks.

© 2025 TAN Dev LLC — Built with 💙 for defenders who demand clarity, speed & autonomy

AI Email Counterintelligence & Insider Threat Detection

ShadowMX is an enterprise-grade, AI-powered email surveillance and threat detection system for high-risk environments — government agencies, national SOCs, critical infrastructure, and regulated enterprises. It attaches to a centralized mirror inbox and continuously inspects every internal and external message without touching the production mail flow.

• Passive Mirror Monitoring Connects to an IMAP mirror inbox over SSL, ingesting only unseen emails while leaving the live mail system untouched.
• Content + Context Awareness Inspects headers, bodies, threads, and attachments to understand intent, behavior, and risk.
• On-Prem & Air-Gapped Fully offline deployment with zero outbound cloud calls — suitable for classified, zero-trust networks.
• Forensic-Grade Logging .eml capture, alert logs, and database records for legal, compliance, and long-term investigations.

End-to-End Email Intelligence Pipeline

ShadowMX runs a continuous loop of ingestion, analysis, and archival, turning raw communications into structured, searchable threat intelligence.

• Ingest Poll the mirrored inbox every few seconds, fetch unseen messages via IMAP over SSL, and persist them safely.
• Deconstruct Parse headers, normalize HTML/text, extract attachments (.pdf, .docx, .zip, .exe, .js, etc.), and detect spoofed domains.
• Analyze Send cleaned content to an AI + rule engine for multi-label classification, regex hit detection, and domain heuristics.
• Tag & Score Assign threat tags, 0–100 risk score, and LOW / MEDIUM / HIGH confidence for each message.
• Archive Store .eml, alerts, and metadata in a persistent archive for future audits and replay.

Hybrid AI + Rules Engine

At the heart of ShadowMX is a hybrid detection engine combining transformer-based NLP, multi-label classification, and deterministic regex signatures. This allows it to surface subtle human-language threats and hard-coded indicators in the same workflow.

• Multi-Label Classifier: Uses sentence embeddings and logistic regression heads to assign multiple threat categories per message.
• Regex Rule Engine: Detects credentials, API keys, VPN mentions, crypto wallets, and other sensitive patterns that must never leave internal networks.
• Threat Scoring: Combines AI probabilities and rule hits into a single risk score with an explicit confidence band.
• Rich Tagging: Emails can be tagged as data exfiltration, phishing/spoofing, insider collusion, financial fraud/crypto, policy violation, malware distribution, and more.

ShadowMX’s hybrid model is fully retrainable and extensible, allowing organizations to evolve detection logic as new social engineering and insider threat patterns emerge.

Analyst Dashboard, Conversation Tracing & RBAC

ShadowMX ships with a secure, cinematic Flask-based dashboard designed for SOC teams, CERTs, and compliance auditors working in sensitive environments.

• Overview Panels: Total emails processed, suspicious hits, foreign-origin traffic, and daily trends at a glance.
• Suspicious Alerts View: Time-ordered list of flagged emails with sender/recipient, threat tags, score, and drill-down actions.
• Conversation Tracing: Follow an actor’s communication thread across time to identify collusion, exfiltration planning, or coordinated phishing.
• Archive & EML Access: Search, filter, and download .eml and alert logs for forensic review and legal workflows.
• Role-Based Access Control: Admin, Analyst, and Viewer roles enforced with hashed passwords, session tokens, CSRF protection, and guarded routes.

ShadowMX is intended for deployment on authorized organizational mail infrastructure only. Unauthorized interception or monitoring of third-party communications is strictly prohibited.

TRI — Tactical Reconnaissance Interface

TRI is a next-generation, AI-enhanced covert command-and-control (C2) simulator built for ethical red teaming, cyber warfare training, and advanced counter-terrorism exercises in controlled environments. It lets teams emulate post-exploitation operations across Windows, macOS, and Linux clients with full auditability.

• Command Orchestrate fleets of simulated “compromised” clients from a single, operator-grade dashboard.
• Control Trigger surveillance, recon, payload, webcam and microphone capture modules on demand for deep post-exploit training.
• Remote Motion Sensing Use TRI’s experimental Wi-Fi motion-sensing module to infer physical movement and device state inside enclosed areas where no cameras can reach, by analyzing radio-wave disturbances.
• Counter Rehearse how defenses respond to real attacker TTPs, then refine playbooks using live telemetry and full session logs.

TRI is designed as a lawful training and research platform — not a weapon. It is intended only for authorized labs, classrooms, and sanctioned operations.

Stealth Command & Control with Full Session Forensics

TRI models how modern implants maintain contact while avoiding detection, but wraps that behavior in strict authentication, encryption, and logging.

• Polling-Based C2: Clients use a connect-poll-disconnect cycle over TLS instead of persistent listeners, reducing network fingerprints.
• Client Ownership Isolation: Each client is permanently bound to the first operator who registers it, preventing hijacking across users.
• Surveillance Modules: Optional keylogging, screenshots, webcam snapshots, microphone recording, and traffic sniffing — all tied to explicit operator actions and session logs.
• Remote Motion Sensing: A dedicated Wi-Fi radio-based motion-sensing pipeline that learns the baseline signal environment and flags changes in physical movement or device presence inside enclosed spaces.
• State Controls: Blacklist, reset, or self-destruct clients to simulate containment, clean-up, or loss of access.
• TLS Everywhere: All server–client traffic is protected with modern TLS, with optional PSK or certificate-based trust bootstrapping.

Reconnaissance, Enumeration & Payload Lab

TRI gives red teams and students a safe place to practice everything that happens after “initial access” — from recon to credential harvesting — without touching production systems.

• System Enumeration: Discover OS version, hostname, uptime, logged-in users, privileges, and hardware characteristics.
• Network Mapping: Perform internal ARP sweeps and ping scans to map nearby assets and lateral-movement paths.
• Credential Harvesting Lab: Simulate extraction of Wi-Fi keys, browser-stored logins, and in-memory secrets under controlled conditions.
• File Implants: Upload decoys, scripts, or training payloads and execute them via secure, logged triggers.
• Custom Command Console: Send OS-native commands (bash, PowerShell, cmd) and capture outputs with timestamped, hashed logs.

Operator Dashboard & Security Architecture

The TRI dashboard is the central command hub for live operations, giving operators an at-a-glance view of every client, mission, and payload.

• Client List Panel: See all registered clients with OS, IP, status (Online / Offline / Blacklisted), and quick actions.
• Interaction Panel: View recent logs, payload states, and snapshots for any selected client.
• Payload Deck: One-click controls for keylogger, sniffer, mic recording, webcam shot, screenshots, system audits, and network scans.
• Command Terminal: Sandbox for sending and receiving shell commands with real-time, scrollable logs.
• Global Map: World map visualization plotting client geo-locations with hoverable metadata for situational awareness.

Under the hood, TRI uses TLS-encrypted channels, forward secrecy via ephemeral keys, per-user access control, SHA256-hashed audit logs, and a self-destruct routine to keep training operations safe, traceable, and reversible. Unauthorized deployment against systems you do not own or administer is strictly forbidden.

Tor-Routed P2P Messenger

TanMesh is a free, Tor-routed peer-to-peer messenger for people who actually care about threat models. Every node is its own Tor v3 onion service — there is no central server, no proprietary cloud backend, and no account system for an attacker to target or subpoena.

• Tor-Native Each TanMesh node exposes a Tor v3 onion service and speaks over SOCKS, keeping IP addresses and routing paths hidden by default.
• Zero Central Metadata Messages go directly peer-to-peer over Tor; there is no global directory, no login backend, and no message archive in the cloud.
• Identity Keys Static X25519 identity keys define who you are in the network, with node IDs derived from public keys for easy verification.
• Forward Secrecy Sessions use ephemeral X25519, HKDF-SHA256, and per-message AES-GCM ratchets so past messages remain safe even if a future key leaks.

TanMesh is provided for legitimate, lawful use only. You are responsible for complying with local laws and regulations in your jurisdiction.

Identity-Bound Contacts & Safe Dialing

TanMesh is built around the idea that your “friends list” is cryptographic, not just cosmetic. The contacts pane binds human-readable aliases to strong identities.

• Contacts Panel: Store peers as alias + node ID + onion address so you always know exactly who you’re talking to.
• Mis-Dial Protection: Node IDs are derived from public keys and shown inline, making it harder to accidentally connect to the wrong onion.
• One-Click Connect: Select a contact and hit Connect to spin up a fully encrypted session through Tor in a single step.
• Broadcast vs Direct: Choose between targeted 1-to-1 messages and broadcast messages to all connected peers.
• Lab & Field Friendly: Perfect for red-team labs, research groups, and small cells that need a controlled, closed communications mesh.

Your Node, Your Identity

The Account view turns your machine into an addressable node on the TanMesh network, with everything you need to safely share your identity and receive connections.

• Node Summary: View your node name, hashed node ID, and live listening address at a glance.
• Onion Sharing: Copy your onion service address with one click and share it over any out-of-band channel you trust.
• Direct Connect: Quickly dial another node by pasting their onion or IP and port — ideal for ad-hoc, no-contact-list sessions.
• Hardened Deployments: Because TanMesh runs locally, it layers cleanly with hardened OSes, sandboxing, VPN-over-Tor chains, and air-gapped workflows.
• No Cloud Lock-In: All state (keys, contacts, logs) lives locally under your control. There is nothing for a third party to remotely disable.

Integrated AI & Cybersecurity Ecosystem Training

TanDev Academy is the education wing of TAN Dev LLC — a full-stack AI and cybersecurity academy built around real products like OmniRecon, LogSentra, TanMesh, TRI, EdgeSentra and more. The flagship Integrated Ecosystem Track combines AI + LLMs + cloud + offensive/defensive cyber into one continuous, lab-driven program.

• Tool-Centric Every module is anchored to live tools — students don’t just learn concepts, they operate the same platforms used by enterprises.
• End-to-End From Linux & networking to LLMs, from reconnaissance to SIEM & WAF defense, everything lives in a single integrated storyline.
• Industry-Aligned Designed with hiring managers and partner organizations to map directly to real job roles and project expectations.
• Flexible Delivery Can run as a campus program, partner-led bootcamp, or hybrid weekend track for working professionals.

Curriculum & Learning Path

The combined Track I + Track X “Integrated AI & Cybersecurity Ecosystem” is structured as a progression from core foundations to advanced, tool-based practice.

• Stage 1 – Foundations: Computer science basics, Linux, networking, Python, Git, shell, and command-line literacy.
• Stage 2 – AI & GenAI: Machine learning fundamentals, deep learning, LLM concepts, prompt engineering, RAG, and practical use of open-source models.
• Stage 3 – Cybersecurity: Network security, web app security, cryptography basics, threat modeling, hands-on recon and exploitation labs.
• Stage 4 – Platforms & SOC Skills: Operating OmniRecon, LogSentra, AIWAF-X-style WAF concepts, and using TanMesh/TRI safely inside controlled cyber ranges.
• Stage 5 – Capstone & Portfolio: Students build an end-to-end project (e.g., monitored lab network, AI-powered SOC dashboard, or recon + defense pipeline) to showcase to employers.

The program can be customized for universities, training partners, or corporate upskilling cohorts, while keeping the same “real tools, real labs, real outcomes” philosophy.

Outcomes, Partners & Who It’s For

TanDev Academy is built for students and professionals who want to go beyond theory and work with production-grade security and AI systems from day one.

• For Learners: Build a portfolio of lab artifacts, capstone projects, and real platform experience that maps to roles like SOC analyst, junior threat hunter, AI engineer, and security engineer.
• For Universities: Plug an industry-grade track into existing degree programs as an honours or specialization path, backed by real tools and joint branding.
• For Training Partners: Run TanDev Academy tracks as a white-labeled or co-branded program integrated into your skilling offerings.
• For Employers: Hire from cohorts who already know how to use tools like OmniRecon, LogSentra, and TanMesh in realistic, team-based workflows.

TanDev Academy is focused on high-integrity, high-impact skilling — closing the gap between academic syllabi and what modern SOCs, AI labs, and cyber teams actually use in the field.

Axis — Autonomous Execution Interface

Axis is TAN Dev’s command-line AI operations console — a terminal-first interface that turns large language models into goal-driven operators for research, coding, OSINT, and security workflows. Instead of “just chat”, Axis lets you define goals and orchestrates tools, models, and steps to move towards them.

• CLI-First UX Designed to live in tmux panes and terminals, with clear prompts, status lines, and logs.
• Model-Agnostic Works with open-source and hosted models; you choose the backend that fits your threat model and budget.
• Goal-Oriented You describe the objective; Axis plans sub-tasks, uses tools where allowed, and returns structured outputs.
• Human-in-the-Loop No “run away” agents — every sensitive tool call can be confirmed or edited before execution.

Multi-Tool, Multi-Step Workflows

Axis is built as a thin orchestration layer that connects language models with a curated set of tools and workflows, while keeping everything auditable and file-based.

• Tooling Layer: Shell commands, HTTP requests, file I/O, code execution, and structured note-taking are all exposed as tools the model can call.
• Run Logs: Every session can be saved as a “run” with prompts, tool calls, outputs, and files, making it easy to reproduce or audit work.
• Composable Modes: Quick chat mode, deep “goal” mode for multi-step tasks, and lab-style experimentation modes for building new workflows.
• Safe Defaults: Axis is conservative about side effects — it prefers reading, summarizing, and drafting before executing commands that change state.

Where Axis Fits in the TAN|Dev Stack

Axis is the “brain and hands” layer that pairs naturally with other TAN Dev systems, letting you script and automate investigations and research around them.

• Research & Writing: Long-form technical reports, proposal drafts, dataset cards, and documentation, all kept versioned in your repo.
• Security & OSINT: Use Axis as a guided assistant for scanning public docs, generating recon plans, and correlating findings from tools like OmniRecon.
• Developer Copilot: Refactor scripts, generate tests, review diffs, and prototype new modules with a model that can inspect your codebase under your supervision.
• Academy Labs: Give students a safe, inspectable “AI copilot” that can write code, suggest commands, and explain concepts while still requiring human review.

Axis is intentionally transparent — configs are plain text, runs are files on disk, and the model’s decisions are visible. It’s an AI assistant you can actually reason about, not a black box SaaS bot.