The platform · Ghost Twin

An estate that lives,
logs, and fights back

Ghost Twin stands up complete simulated environments – hosts, identities, services, and the people using them – through a UI and an API. Everything that happens in the world emits the logs a real machine would.

Living environments

A world with a pulse

Logins, file access, backups, patch cycles, service traffic – simulated people and systems go about their day around the clock. That baseline of realistic noise is what makes demos believable and detection results honest: attacks have somewhere to hide.

Native telemetry

Logs as real machines write them

Windows Security Event Log and Sysmon, Linux auditd and syslog, firewall and application logs – emitted in their native source formats, not a sanitized schema. Your real detection rules and pipelines run against them unchanged.

Open-world terminal

Open a shell on any machine

Click any host and get a real terminal – bash on Linux, PowerShell on Windows. Type any command: the world responds, state persists, and the session emits logs like everything else. If an attack dropped a file, you can go find it.

Ground truth

Snapshot, replay, referee

Every run is recorded and can be replayed exactly or re-simulated fresh. And for every action, a built-in referee gives an authoritative verdict on whether it actually landed – so results are evidence, not opinion.

How it works

From nothing to a living estate in three steps

STEP 01

Build

Describe the environment you need – or hand over read-only config from your own estate – and the Environment Builder stands it up in minutes.

STEP 02

Run

Attack scenarios, ambient user and service activity, and hands-on terminal sessions all play out against the same living environment.

STEP 03

Prove

Every action gets an authoritative verdict on whether it landed – and your real detection rules are scored against the logs the environment produced.

Simulates the estate you actually run

From domain controllers to nightly backup jobs – built from a conversation, or from your own config.

Windows & Linux hosts
Users, identities & sessions
Services & processes
Firewalls & network segments
Filesystems & registries
Installed software & scheduled tasks
Personas & daily traffic
Native log sources