Ghost-hunter

Ghost-hunter is a dual-model AI investigator for cloud bills. Claude Opus reasons over hypotheses; Claude Sonnet executes read-only commands and compresses output. A 7-layer command validator enforces safety in code — the LLM cannot run anything the allowlist does not permit.

Supports GCP and AWS today. Azure is on the roadmap.

Three ways to run it

  • Paranoid (default) — Zero cloud access. Drop a billing CSV, get hypotheses with confidence bars and proposed commands you run yourself.
  • Active — Read-only GCP or AWS credentials. Ghost-hunter runs gcloud or aws directly. Sandbox / personal accounts only.
  • Demo — Pre-recorded investigation. No API calls, no credentials. For first-look and screenshots.
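The allowlist principle described above (the model proposes a command, code decides whether it may run), as an added sketch that is not Ghost-hunter's own validator and does not reproduce its seven layers. The allowlisted commands, denied flags and sample proposals are assumptions chosen for illustration.

```python
import shlex

# Assumed allowlist for this sketch: exact read-only command prefixes.
ALLOWED_PREFIXES = {
    ("gcloud", "compute", "instances", "list"),
    ("gcloud", "billing", "accounts", "list"),
    ("aws", "ec2", "describe-instances"),
    ("aws", "ec2", "describe-volumes"),
    ("aws", "ce", "get-cost-and-usage"),
}
# Flags that change identity, endpoint, or where flags are read from.
DENIED_FLAGS = {"--profile", "--endpoint-url", "--account",
                "--impersonate-service-account", "--flags-file"}
# Characters that could turn one string into several shell commands.
SHELL_METACHARS = set(";|&`$<>(){}\\\n\r")

def validate(command: str):
    """Return (argv, reason); argv is None when the command is rejected."""
    if any(ch in SHELL_METACHARS for ch in command):
        return None, "shell metacharacter"
    try:
        argv = shlex.split(command)
    except ValueError:
        return None, "unbalanced quoting"
    if not any(tuple(argv[:len(p)]) == p for p in ALLOWED_PREFIXES):
        return None, "not on allowlist"
    for tok in argv:
        flag = tok.split("=", 1)[0]
        if flag in DENIED_FLAGS:
            return None, f"denied flag {flag}"
        if "file://" in tok or "fileb://" in tok:
            return None, "local file parameter"
    return argv, "ok"

# Constructed sample proposals, standing in for what a model might emit.
SAMPLES = [
    "gcloud compute instances list --project=demo-project --format=json",
    "aws ec2 describe-instances --region us-east-1",
    "aws ec2 terminate-instances --instance-ids i-0123456789abcdef0",
    "gcloud compute instances list; gcloud compute instances delete vm-1",
    "aws ec2 describe-instances --endpoint-url http://203.0.113.5",
    "aws ce get-cost-and-usage --time-period file://params.json",
]

if __name__ == "__main__":
    for s in SAMPLES:
        argv, reason = validate(s)
        print("ALLOW" if argv else "DENY ", reason, "|", s)
```

An accepted command comes back as an argv list, meant to be passed to a process launcher without a shell so the checked tokens are exactly what runs.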

Why Ghost-hunter

Most FinOps tools want admin access and auto-optimize. Ghost-hunter does neither. It is an investigator, not an optimizer — built to answer "why did the bill spike?", not "how do I cut 5%?"

| | Ghost-hunter | Vantage / CloudHealth / ProsperOps |
|---|---|---|
| Access required | None (paranoid mode reads a CSV) | Cross-account IAM role, broad read |
| Acts on your cloud | Never (read-only by default) | Auto-applies "savings recommendations" |
| Source code | Open (AGPL-3.0) | Closed SaaS |
| What it answers | Why did the bill spike? | How can you cut 5%? |
| Self-hostable | Yes — billing data never leaves your machine in paranoid mode | No |

Where to start

Looking for adopters. Ghost-hunter shipped v1.0.6 to PyPI on April 27, 2026. It has been hammered against synthetic billing data and a 1,000+ test suite, but has not yet been run against production cloud accounts at scale. Paranoid mode is risk-free by construction. Be one of the first 10 reporters and get a free walkthrough with Nash.