Ghosthunter Core Guide

Ghosthunter is an AI-driven cloud cost investigation tool developed by MatrixGard, designed to address the pain point of root cause analysis for cloud billing anomalies. Its core features include:

• Dual-model Collaboration: Claude Opus (hypothesis reasoning) + Claude Sonnet (command execution/data compression)
• Seven-layer Security Validation: Code-level protection to ensure production environment safety
• Multi-cloud Support: Deep integration with AWS and GCP
• Flexible Modes: Covers scenarios from security-first to automation

This tool helps operation and maintenance teams shift from 'knowing what happened' to 'understanding why it happened', driving the paradigm upgrade of cloud cost management.

Background: Challenges in Cloud Cost Management

Cloud computing elasticity brings convenience, but the root cause of cost anomalies is difficult to locate—traditional tools can only tell 'what happened' but not explain 'why it happened'.

Ghosthunter is positioned as an 'AI Cloud Cost Investigator', with 'Paranoid Mode' enabled by default: zero active resource operations to ensure no risk to the production environment, directly addressing the core pain points of traditional tools.

Technical Core: Architecture and Security

Dual-Model Division of Labor

• Claude Opus: Hypothesis reasoning engine that generates 2-4 competing hypotheses and assigns confidence levels (investigation ends when confidence reaches 85%), following scientific methodology
• Claude Sonnet: Execution layer that runs cloud CLI commands in active mode, and compresses user-provided outputs in paranoid mode

Seven-Layer Security Validation

1. Quick Rejection: Filter dangerous syntax (semicolons, &&, rm, etc.)
2. Allowlist: Only allow read-only commands (e.g., AWS describe-*, GCP gcloud/bq read-only subcommands)
3. Pipeline Validation: Only allow safe tools (head, jq, grep, etc.)
4. Security Checks: Length limits, SQL injection protection (bq only allows SELECT), etc.
5. Disguised Read Interception: Block operations that seem like reads but have side effects (e.g., lambda invoke)
6. Budget Limits: Maximum of 15 commands, $1 cost cap, 10-minute timeout
7. Sonnet Semantic Check: Semantic security assessment as the final defense line

The security mechanism is fully implemented based on code and does not rely on prompt words.

Multi-cloud Integration and Flexible Modes

Multi-cloud Support

• GCP: Supports BigQuery export/CSV data sources; active mode requires google-cloud-bigquery credentials
• AWS: Supports Cost Explorer/CUR/FOCUS CSV; active mode requires AWS credentials; Cost Explorer API calls are transparently charged

Four Working Modes

• Paranoid Mode: Default, zero permissions; users execute commands and paste outputs
• Active Mode: Suitable for sandboxes; directly executes cloud commands (requires read-only credentials)
• Demo Mode: Offline preconfigured scenarios; no credentials needed
• Audit Mode: View historical investigation logs

The system automatically detects the cloud provider without explicit specification.

Application Scenarios and Interaction Process

Typical Anomaly Scenarios

• GCP: Egress cost surge due to DNS cache bypass, NAT gateway traffic out of control, BigQuery full table scan, etc.
• AWS: NAT gateway cost out of control (missing S3 VPC endpoint), missing S3 lifecycle policy

Interactive Investigation Process

1. Load billing data → 2. Anomaly detection →3. Opus generates hypotheses →4. Propose verification commands →5. User executes and pastes outputs →6. Sonnet processes outputs →7. Opus updates confidence → Repeat until conclusion

Users can control the process via commands like /list, /spike, /hypotheses.

Current Limitations and Future Roadmap

Limitations

• No streaming response (each Opus call blocks for 5-15 seconds)
• Does not support CUR Parquet format
• Multi-account AWS Organizations require running one by one
• Does not support Azure or other clouds
• Windows not tested (WSL available)

Future Plans

• Azure support
• Streaming response
• Autonomous mode with strict protection
• Multi-account aggregation
• CUR Parquet support

Summary and Industry Value

Ghosthunter represents an innovation of AI Agents in the FinOps/DevOps field:

• Drives the paradigm shift of cloud cost management from 'monitoring' to 'root cause analysis'
• Provides a security reference for AI tool design in production environments (guaranteed by architecture rather than prompts)

As cloud costs become a focus for enterprises, the value of such intelligent tools will continue to stand out. We look forward to the team's continuous iteration to bring more innovations.