Agentic AI FinOps Investigator

Finds what others miss. Reads a CSV. Never touches your cloud.

Live investigation (paranoid mode tracing)

  • Step 1, Anomaly detected: Compute spend, last 24h: +312% spike. Confidence 92%
  • Step 2, Scope the impact: Route53 hosted zone example.com. Confidence 88%
  • Step 3, Correlate & investigate: High QPS · random subdomains · low TTL. Confidence 81%
  • Step 4, Deep dive: $ dig @203.0.113.53 chaos txt version.bind. Confidence 77%
  • Step 5, Hypothesis validated: BIND 9.16.23 (Ubuntu). Confidence 93%
  • Step 6, Root cause found: External DNS amplification via open resolver. Recommendation: block 203.0.113.53 at firewall or WAF. Confidence 95%
The status quo

Most FinOps tools want admin keys, generic recommendations, and 5% savings.

Ghost-hunter does the opposite. Reads a CSV, investigates root cause, you stay in control.

Architecture

Two models. Different jobs.

One reasons. One verifies. The split makes the tool harder to jailbreak and faster to run than a single-prompt agent.

Reasoner

Claude Opus, reasons

Reads the billing slice, forms hypotheses, and proposes the next investigative move. Nothing it produces touches your cloud directly; every command flows through the validator.

  • Generates falsifiable hypotheses, not vague advice
  • Cites the row + column it's reasoning from
  • Stops when budget or confidence floor is reached
Validator

Claude Sonnet, validates & executes

Every proposed command passes a 7-layer code validator before a smaller, faster model gets a final semantic say. Only then does anything run, in a sandbox you control.

  • Code-first checks; prompts can't override them
  • Sub-second validation per step
  • Refuses, doesn't soften, on policy hits

Defense in depth

Security in code, not in prompts.

Seven independent layers. A model that disagrees with the rules can argue all it wants; the rules don't read prompts.
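To make the "security in code, not in prompts" idea concrete, here is an added example of a layered, code-first command validator. It is not Ghost-hunter's own validator: the seven checks, the binary allowlist (only dig and the aws CLI), the regexes and the function names are all assumptions chosen for illustration. What it does share with the design above is the shape: every layer is plain code that never sees a prompt, every layer that objects is recorded, and the verdict is refuse or allow, never a softened rewrite of the command.

```python
"""Illustrative code-first command validator (added example, not the project's rules).

Each layer is deterministic code; no model is consulted and no prompt can turn a
layer off. The validator only ever allows or refuses a command as written.
"""
from __future__ import annotations

import ipaddress
import re
import shlex
from dataclasses import dataclass, field

MAX_LEN = 512                                    # layer 1: bounded command size
MAX_ARGV = 24
SHELL_META = re.compile(r"[;&|<>`$\\]")          # layer 2: no shell operators / expansion
ALLOWED_BINARIES = {"dig", "aws"}                # layer 3: allowlist (assumed; the page names none)
READ_ONLY_VERB = re.compile(r"^(describe|get|list)(-[a-z0-9-]+)?$")       # layer 4
SENSITIVE_PATH = re.compile(r"(^~|/\.aws|/\.config/gcloud|/etc/|credentials)", re.I)  # layer 5
KEY_MATERIAL = re.compile(r"^AKIA[0-9A-Z]{16}$|^[A-Za-z0-9+/=]{40,}$")     # layer 6


@dataclass
class Verdict:
    allowed: bool
    reasons: list[str] = field(default_factory=list)  # every refusing layer; never a rewritten command


def _is_ip(token: str) -> bool:
    try:
        ipaddress.ip_address(token)
        return True
    except ValueError:
        return False


def validate(raw: str, in_scope: set[str]) -> Verdict:
    """Return a Verdict for one proposed command.

    `in_scope` is the set of resolver IPs / hosts the investigation has already
    surfaced from the billing CSV; anything else is out of bounds.
    """
    reasons: list[str] = []

    # Layer 1: size bound. A command padded past the limit is refused outright.
    if len(raw) > MAX_LEN:
        reasons.append(f"layer1: command longer than {MAX_LEN} bytes")

    # Layer 2: the command is exec'd as argv, never through a shell, so operators are refused, not escaped.
    if SHELL_META.search(raw):
        reasons.append("layer2: shell operator or expansion character present")
    try:
        argv = shlex.split(raw)
    except ValueError as exc:
        return Verdict(False, reasons + [f"layer2: unparseable command: {exc}"])
    if not argv or len(argv) > MAX_ARGV:
        return Verdict(False, reasons + ["layer1: empty command or too many arguments"])

    # Layer 3: binary allowlist. Anything not named is refused before any argument check.
    if argv[0] not in ALLOWED_BINARIES:
        reasons.append(f"layer3: binary {argv[0]!r} is not allowlisted")

    # Layer 4: the cloud CLI may only run read verbs (aws <service> <verb> ...).
    if argv[0] == "aws":
        verb = argv[2] if len(argv) > 2 else ""
        if not READ_ONLY_VERB.match(verb):
            reasons.append(f"layer4: aws verb {verb!r} is not read-only")

    # Layer 5: no argument may reach credential files or system configuration.
    for tok in argv[1:]:
        if SENSITIVE_PATH.search(tok):
            reasons.append(f"layer5: argument {tok!r} touches a sensitive path")
            break

    # Layer 6: no inline credential material; keys live in the operator's environment, not in commands.
    for tok in argv[1:]:
        if KEY_MATERIAL.match(tok):
            reasons.append("layer6: argument looks like credential material")
            break

    # Layer 7: every target (dig @server, any IP literal) must be one the investigation cited.
    targets = {tok[1:] for tok in argv if tok.startswith("@")} | {tok for tok in argv if _is_ip(tok)}
    out_of_scope = sorted(targets - in_scope)
    if out_of_scope:
        reasons.append(f"layer7: targets {out_of_scope} were never surfaced by the investigation")

    return Verdict(allowed=not reasons, reasons=reasons)


if __name__ == "__main__":
    scope = {"203.0.113.53"}  # constructed: the resolver the investigation above names
    for cmd in [
        "dig @203.0.113.53 chaos txt version.bind",
        "dig @203.0.113.53 chaos txt version.bind | tee /tmp/out",
        "aws route53 list-hosted-zones",
        "aws ec2 terminate-instances --instance-ids i-0123456789abcdef0",
        "dig @198.51.100.7 example.com",
    ]:
        v = validate(cmd, scope)
        print("ALLOW " if v.allowed else "REFUSE", cmd, v.reasons)
```

Two design points worth noticing: the validator collects every objecting layer rather than stopping at the first, so a log of refusals shows which rules a model keeps bumping into; and layer 7 ties the command back to the CSV, which is what stops a reasoner from wandering off to hosts the billing data never mentioned.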

Default mode

Paranoid mode is the default.

Reads your billing CSV. Prints commands you run yourself. Zero blast radius. Active mode runs commands directly using your read-only credentials, but only on a sandboxed account, never production. Demo mode replays bundled scenarios end-to-end with no API calls, so you can try it without any setup.

  • Read-only inputs: CSV in, hypotheses out
  • You run commands: we just suggest them
  • No telemetry: nothing leaves your laptop
  • MIT licensed: read every line yourself

~/investigations · paranoid
ghosthunter investigate billing-2025-10.csv --paranoid
› reading 184,221 line items · 0 cloud calls
[1/6] anomaly detected · +312% vs 30d baseline
[2/6] scope · Route53 / example.com · 92% confidence
[3/6] correlate · high QPS, random subdomains, low TTL
[4/6] propose: dig @203.0.113.53 chaos txt version.bind · awaiting your run
$ dig @203.0.113.53 chaos txt version.bind
› BIND 9.16.23 (Ubuntu)
[5/6] hypothesis validated · 93%
[6/6] root cause: external DNS amplification via open resolver
recommend · block 203.0.113.53 at firewall or WAF
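The first line of that transcript, the spend spike against a baseline, is the one step that needs nothing but the CSV. The following is an added example of how such a check can be written so that each finding cites the rows it came from; it is not Ghost-hunter's code, and the four-column schema, the sample data and the function names are constructed assumptions (real AWS and GCP exports have different column names, which is what the page's pluggable schemas are for).

```python
"""Spend-spike detection over a billing CSV (added example, not the project's code).

Assumed, simplified schema: line_item_id, usage_date (ISO), service, cost_usd.
"""
from __future__ import annotations

import csv
import io
from collections import defaultdict
from dataclasses import dataclass
from datetime import date
from statistics import mean

# Constructed sample: five flat days, then Route53 jumps to 4.12x on the last day.
# AWSLambda has only one prior day and must not be reported as a spike.
SAMPLE_CSV = """\
line_item_id,usage_date,service,cost_usd
1,2025-10-01,AmazonEC2,50.00
2,2025-10-01,AmazonRoute53,10.00
3,2025-10-02,AmazonEC2,50.00
4,2025-10-02,AmazonRoute53,10.00
5,2025-10-03,AmazonEC2,50.00
6,2025-10-03,AmazonRoute53,10.00
7,2025-10-04,AmazonEC2,50.00
8,2025-10-04,AmazonRoute53,10.00
9,2025-10-05,AmazonEC2,50.00
10,2025-10-05,AmazonRoute53,10.00
11,2025-10-06,AmazonEC2,50.00
12,2025-10-06,AmazonRoute53,21.20
13,2025-10-06,AmazonRoute53,20.00
14,2025-10-05,AWSLambda,1.00
15,2025-10-06,AWSLambda,9.00
"""


@dataclass
class Finding:
    service: str
    day: date
    spend: float
    baseline: float
    pct_change: float
    rows: list[int]  # CSV line numbers (header is line 1) the spike-day total is built from


def load_rows(text: str) -> list[dict]:
    """Parse the CSV, keeping the physical line number so findings can cite their rows."""
    rows = []
    for lineno, rec in enumerate(csv.DictReader(io.StringIO(text)), start=2):
        rows.append({
            "line": lineno,
            "day": date.fromisoformat(rec["usage_date"]),
            "service": rec["service"],
            "cost": float(rec["cost_usd"]),
        })
    return rows


def detect_spikes(rows: list[dict], threshold_pct: float = 100.0,
                  min_baseline_days: int = 3) -> list[Finding]:
    """Compare each service's latest day against the mean of its earlier days.

    Services with fewer than `min_baseline_days` of history are skipped rather than
    reported: a brand-new service with one prior day is not evidence of a spike.
    """
    daily = defaultdict(lambda: defaultdict(float))   # service -> day -> total cost
    cited = defaultdict(lambda: defaultdict(list))    # service -> day -> CSV line numbers
    for r in rows:
        daily[r["service"]][r["day"]] += r["cost"]
        cited[r["service"]][r["day"]].append(r["line"])

    findings = []
    for service, by_day in daily.items():
        days = sorted(by_day)
        latest, prior = days[-1], days[:-1]
        if len(prior) < min_baseline_days:
            continue
        baseline = mean(by_day[d] for d in prior)
        if baseline <= 0:
            continue
        pct = round((by_day[latest] / baseline - 1.0) * 100.0, 1)
        if pct >= threshold_pct:
            findings.append(Finding(service, latest, round(by_day[latest], 2),
                                    round(baseline, 2), pct, sorted(cited[service][latest])))
    return sorted(findings, key=lambda f: -f.pct_change)


if __name__ == "__main__":
    for f in detect_spikes(load_rows(SAMPLE_CSV)):
        print(f"anomaly · {f.service} · {f.day} · +{f.pct_change}% vs baseline "
              f"${f.baseline} · rows {f.rows}")
```

The `rows` field is the part that matters for an investigator you are meant to audit: the number on screen can be traced back to the exact CSV lines that produced it, which is the "cites the row + column" property described under the Reasoner.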
Install

Try it in 30 seconds

Replays a real-shape investigation with no API calls and no cloud access required.

Limited cohort

Looking for the first 10 adopters.

Run paranoid mode on a real billing export. I'll run the tool with my own API key, walk through the investigation alongside you, and hand you concrete actions to fix what we find. No charge; NDA available.

Email avinash@matrixgard.com
Reply within one business day.
Frequently asked

Questions before the install.

Will Ghost-hunter touch my cloud?
Not in the default paranoid mode. It reads a billing CSV you export and prints suggested commands for you to run. No keys, no API calls, no IAM role.
How is this different from FinOps SaaS?
Most FinOps SaaS asks for admin-grade access, returns generic right-sizing advice, and keeps your data on their servers. Ghost-hunter runs locally, reads only what you hand it, and goes after root cause.
Why open source?
Security tools you can't read are security theatre. MIT licensed so you can audit every validator rule, vendor it into your repo, or fork it tomorrow.
Do you store my billing data?
No. There's no server. No telemetry, no analytics, no phone-home. The CSV stays on your machine; logs are local files you control.
What clouds are supported?
GCP and AWS today. Azure is on the roadmap. The investigator works on whatever the CSV columns describe; the cloud-specific bits are pluggable schemas.
Can I use my own Anthropic API key?
Yes, bring your own key. Spend is capped per investigation ($1 default, configurable down) so a runaway loop can't burn through your budget.
How fast is the first investigation?
On a typical month-of-billing CSV, a full paranoid-mode investigation finishes in under three minutes and well under a dollar. The demo scenario runs offline in seconds.
How do I report a security issue?
Email info@matrixgard.com with details and a repro. Reproducible issues in the validator get a same-week patch and a credit in the changelog.