
VisorLog

Phase: instrument
Language: Go

NuClide findings ledger, append-only, ECS-normalized, lifecycle-tracked

§ Workflow phase

VisorLog belongs to phase 05, instrument, of the NuClide workflow (01 hunt, 02 analyze, 03 enrich, 04 report, 05 instrument). Instrumentation: the lab's own infrastructure.

VisorLog is the NuClide findings ledger. Append-only SQLite store, ECS-normalized, lifecycle-tracked from discovery through remediation. Extends CISA’s Logging Made Easy methodology to AI infrastructure.

What it does

  • Append-only SQLite. Every finding has a stable ID forever; nothing ever gets silently rewritten or lost.
  • ECS normalization. Elastic Common Schema field names so findings drop into Elasticsearch / OpenSearch / Splunk without translation.
  • Lifecycle tracking. discovered → triaged → disclosed → remediated → verified. Every state transition is timestamped and immutable.
  • Web dashboard. Local browser UI at http://localhost:8765, filterable by host, severity, lifecycle state, disclosure status.
  • JSON export. visorlog export --format json for cross-tool integration; --public-safe strips sensitive fields for publication.

Why this exists

Most security tooling drops findings on the ground after the report is written. VisorLog tracks them through to remediation. The report is one snapshot of a ledger that keeps living: when a fix lands six weeks later we log the verification; when the same operator re-exposes the same service we link the new finding to the old.

How we use it

Every NuClide finding goes into VisorLog the moment it’s confirmed:

# Capture a finding
visorlog add --host 192.0.2.10 --port 11434 \
  --service ollama --severity HIGH \
  --tag "no-auth" --tag "campus"

# Browse the ledger
visorlog dashboard --port 8765

# Export a public-safe slice (the snapshot the /lab page renders)
visorlog export --public-safe > public-ledger.json

The full record of NuClide findings lives in VisorLog. Every cross-survey instance, every coordinated disclosure, every confirmed remediation. The Lab page renders a public-safe slice of the current ledger state.

Schema notes

Beyond the ECS core fields, VisorLog adds a nuclide.* namespace for research-specific metadata: tool of discovery, methodology-insight reference, disclosure thread ID, and the cross-survey window the finding belongs to. Every record is queryable by any combination of fields.
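As an added illustration, not VisorLog's own code, here is a Go sketch of the append-only lifecycle record that the "What it does" bullets and these schema notes describe: ECS-named core fields, a nuclide.* history that is only ever appended, a transition check that rejects skipped or reversed states, and a public-safe copy. The ECS keys are real ECS field names; the nuclide.* key names, the NewFinding/Advance/PublicSafe functions and the choice of what --public-safe strips are assumptions.

```go
package main

import (
	"errors"
	"time"
)

// Lifecycle order from the page: a finding only ever moves one step forward.
var lifecycle = []string{"discovered", "triaged", "disclosed", "remediated", "verified"}
// Transition is one timestamped state change; it is only ever appended, never edited.
type Transition struct {
	State string    `json:"nuclide.lifecycle.state"` // nuclide.* key names are assumed
	At    time.Time `json:"event.created"`
}
// Finding uses real ECS keys for the core fields; the nuclide.* history key is assumed.
type Finding struct {
	ID       string       `json:"event.id"`
	HostIP   string       `json:"host.ip"`
	Port     int          `json:"destination.port"`
	Service  string       `json:"service.name"`
	Severity string       `json:"vulnerability.severity"`
	Tags     []string     `json:"tags"`
	History  []Transition `json:"nuclide.lifecycle.history"`
}

// NewFinding records the initial "discovered" transition at creation time.
func NewFinding(id, ip string, port int, svc, sev string, at time.Time) *Finding {
	return &Finding{ID: id, HostIP: ip, Port: port, Service: svc, Severity: sev,
		History: []Transition{{State: lifecycle[0], At: at}}}
}
// State returns the most recent lifecycle state.
func (f *Finding) State() string { return f.History[len(f.History)-1].State }
// Advance appends the next state; skips and regressions are rejected, history is never rewritten.
func (f *Finding) Advance(next string, at time.Time) error {
	for i, s := range lifecycle[:len(lifecycle)-1] {
		if s == f.State() && lifecycle[i+1] == next {
			f.History = append(f.History, Transition{State: next, At: at})
			return nil
		}
	}
	return errors.New("illegal transition " + f.State() + " -> " + next)
}
// PublicSafe returns a copy with the host address cleared (which fields --public-safe strips is assumed).
func (f *Finding) PublicSafe() Finding {
	g := *f
	g.HostIP = ""
	g.History = append([]Transition(nil), f.History...)
	return g
}
```

The transition history is the append-only part: a consumer that wants the current state reads the last entry, and an out-of-order update fails instead of overwriting anything.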
