VK AI Sensor
Voight-Kampff: an AI attack sensor that detects AI-driven threats and malicious actors.
vk-ai-sensor is a local-first endpoint sensor that watches a Windows host for indicators
of compromise and the emerging class of AI-driven threats: autonomous malicious agents, AI-generated
malware, and actors using AI to probe or impersonate legitimate systems. Detection runs entirely on the
machine. An optional AI layer can explain, triage, and reason about what the sensor finds, but it is
never required for the core to work.
The name is a nod to the Voight-Kampff machine from Blade Runner — the device built to tell a human from a machine pretending to be one. That's the job here too.
Design principles
- Local-first, always on. Core detection runs with zero network access and zero API keys. If the AI layer is offline, mis-keyed, or rate-limited, detection is unaffected.
- AI is augmentation, not the engine. The optional AI layer analyzes alerts after the fact — explaining them, ranking what matters, and flagging likely false positives. It's an opinion-giver, never in the critical path.
- Bring your own provider. AI access sits behind an abstraction, so it can point at a cloud model or a fully local model. "AI help" can itself stay 100% on-box.
- Explicit opt-in for data leaving the machine. Every feature that phones home is disabled by default and clearly documented.
- Secrets stored properly. API keys are encrypted at rest using Windows DPAPI. No plaintext keys in config files — ever.
At a glance
- Runs as a Windows Service, elevated, using an ETW kernel session for detection.
- Ships a separate, unelevated Blazor Server activity browser for reviewing what the sensor has seen.
- Built on .NET 10, targeting Windows 10 / Server 2016 and later.
- Dual-licensed: AGPL-3.0, with a commercial license available.