NARF Industries
https://narfindustries.com/
Confluence page: https://confluence.il4.dso.mil/display/IRONBANK/NARF+Industries
**Contacts:**
* Michael L'Ocasto - michael.locasto@narfindustries.com
* Stuart Nagy-Kato - stuart.nagykato@narfindustries.com
* Andrew Hughes - ah@narfindustries.com
* Byron Roche - bryon.roche@narfindustries.com
* Chris Wheeler - chris.wheeler@narfindustries.com
* Greg R - gr@narfindustries.com
## Project: Contributor Pattern scans
API: https://deputy-api-stage.scancloud.narf.sh/swagger-ui
## Company Overview
Narf Industries is a boutique cybersecurity firm specializing in advanced security research, vulnerability discovery, and custom tool development. They work with both government agencies (notably DARPA) and large enterprises, offering tailored solutions for complex security challenges.

**Key Services**

*Vulnerability Research & Penetration Testing*
* Deep analysis to find security flaws in software, hardware, and networks.
* Penetration testing with a strong track record (the firm claims a 100% success rate).

*Reverse Engineering*
* Expertise in analyzing software, firmware, and hardware, even without source code.
* Used for malware analysis, embedded device assessment, and more.

*Custom Tool Development*
* Creation of specialized tools for vulnerability detection, forensics, and security automation.
* Notable for contributions to DARPA's Cyber Grand Challenge and digital forensics projects.

*Security Architecture & Consulting*
* Designing and implementing secure systems for both commercial and government clients.
* Includes threat modeling, code review, and secure development practices.

*IoT and Embedded Device Security*
* Specialized services for Internet of Things (IoT) devices and embedded systems.
* Exclusive licensee of Tactical Network Solutions' Embedded Device Exploitation (EDE) course in Japan.

*Forensics & Incident Response*
* Digital forensics investigations, including mobile device analysis and anti-forensics.
* Collaboration on well-known tools like Autopsy and The Sleuth Kit (TSK).

*Custom Clang/LLVM Plugins*
* Development of custom code checkers to enforce security rules specific to a client's environment.

**Notable Tools and Products**
* Ranger System (from attached document): An analytics engine that processes software container dependencies to assess risk and generate reports.
* Infiltrator Pattern Scan (from attached document): An API endpoint that analyzes container dependencies for vulnerabilities, supporting integration with CI/CD pipelines.
* Symbolic Firewall: A patented technology for advanced network security.
* Custom Clang Checkers: Tools to automate code security checks in C/C++ development environments.

**Unique Features**
* Government-Grade Expertise: Multiple DARPA research projects and patents.
* IoT and Embedded Security: Deep experience with hardware and firmware.
* Forensics Leadership: Contributions to major open-source forensics tools.
* Japanese Market Presence: Fluent/native Japanese speakers and exclusive training offerings.

**Key Competitors**
Narf Industries operates in a niche market, but comparable firms include:
* Trail of Bits: Security research, code review, and tool development.
* GrammaTech: Software analysis and binary security tools.
* NCC Group: Broad security consulting and research.
* IOActive: Advanced vulnerability research and consulting.
* Mandiant (Google Cloud): Incident response and threat intelligence.

**Summary Table**

| Service/Product | Description |
| --- | --- |
| Vulnerability Research | Finding and fixing software/hardware security flaws |
| Penetration Testing | Simulated attacks to test defenses |
| Reverse Engineering | Analyzing software/hardware without source code |
| Ranger System | Container analytics for risk assessment |
| Infiltrator Pattern Scan | Automated container dependency vulnerability scan |
| Symbolic Firewall | Advanced network security technology (patented) |
| Forensics & Incident Response | Digital investigations and anti-forensics |
| Custom Clang Checkers | Automated code security checks for C/C++ |
| IoT/Embedded Security | Specialized services for connected devices |

In short: Narf Industries is a highly technical, hands-on security firm known for advanced research, custom tool development, and deep expertise in software, hardware, and IoT security. They stand out for their government work, forensics contributions, and ability to tackle unique, complex security problems. Their main competitors are other boutique security research and consulting firms with strong technical pedigrees.
https://ppl-ai-file-upload.s3.amazonaws.com/web/direct-files/attachments/73162164/c706b0e3-4bd3-4205-993b-10cf33c83609/Narf-Integration-Q-A-DataOps-Initial-Thoughts.docx https://narfindustries.com
## Product Overview
Narf provides a library of queries (some backed by AI/ML models) that derive trustworthiness metrics for open-source (OSS) repositories, exposed through a REST API. The service also derives roles and profiles for the people supplying each package. One example use is examining orphaned or abandoned projects to identify influence campaigns and likely vulnerability hotspots; the resulting data supports a justification for pivoting away from a dependency. The overall aim is to use AI/ML to assess the trustworthiness of OSS repositories and surface vulnerabilities, especially in neglected projects.
This page captures the initial integration plan for enabling Iron Bank's CI infrastructure to call Narf's Ranger API. The API lets Iron Bank retrieve detailed reports and supporting evidence about several aspects of the maintenance trustworthiness of the dependency webs ("depwebs") underlying the software library, application, or project described by each Iron Bank container, with an early focus on Iron Bank's prioritized Community Core Containers.
Ranger continuously ingests raw public information about the software projects that make up each of these overlapping dependency webs and runs periodic scans for different kinds of socio-technical threats to the integrity of those projects (and therefore of the containers themselves). If successful, this integration would make Narf's Ranger service a key part of the "SocialCyber" pillar within the Body of Evidence concept. The information Ranger returns will enable Iron Bank to issue determinations of container maintenance trustworthiness.
**Ranger:** Provides a web UI for interpreting socio-technical information about software package maintenance.
**Deputy:** Uses the same data and provides a CI integration for automatic interpretation of results.
Capabilities of both systems:
* Comprehensive inspection of software package dependencies.
* Evaluating project health, developer engagement, and risk of abandonment.
* Assessing contributor influence, communication patterns, and dependency structures.
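To make the "risk of abandonment" and "contributor influence" signals concrete, here is an added, illustrative scan over a repository's commit history. It is not Narf's Ranger or Deputy code, and this page does not describe their actual queries or the MaintenanceTrustScore model; the signal names, thresholds, and the two sample histories below are all assumptions constructed for illustration. The takeover sample models the pattern that made the XZ case notable: a long dormant period followed by a previously unseen account producing most of the new activity.

```python
"""Illustrative socio-technical maintenance signals over a commit history.

Added example (not Narf's Ranger/Deputy code). Signal names, thresholds and
the sample data are assumptions; Narf's real queries are not described here.
"""
from collections import Counter
from datetime import date

# Constructed sample: project dormant for ~18 months, then a new account
# ("mallory") dominates activity. Records are (author, commit date).
TAKEOVER_HISTORY = [
    ("alice", date(2021, 1, 10)), ("alice", date(2021, 3, 2)),
    ("bob", date(2021, 5, 1)), ("alice", date(2021, 6, 15)),
    ("mallory", date(2023, 1, 5)), ("mallory", date(2023, 1, 20)),
    ("alice", date(2023, 2, 1)), ("mallory", date(2023, 2, 14)),
    ("mallory", date(2023, 3, 1)), ("mallory", date(2023, 3, 18)),
]

# Constructed sample: three maintainers committing steadily every month.
HEALTHY_HISTORY = [
    ("alice", date(2022, 10, 5)), ("bob", date(2022, 11, 5)),
    ("carol", date(2022, 12, 5)), ("alice", date(2023, 1, 5)),
    ("bob", date(2023, 2, 5)), ("carol", date(2023, 3, 5)),
]

AS_OF = date(2023, 4, 1)  # assumed scan date


def maintenance_signals(history, as_of, dormant_days=365, window_days=180):
    """Derive simple maintenance signals from (author, date) records.

    handoff_after_dormancy is True when the longest silence between commits
    exceeds dormant_days AND the author who dominates activity after that
    silence (more than half of post-gap commits) never committed before it.
    """
    if not history:
        raise ValueError("empty history")
    ordered = sorted(history, key=lambda rec: rec[1])
    dates = [d for _, d in ordered]
    total = len(ordered)
    per_author = Counter(a for a, _ in ordered)
    _, top_count = per_author.most_common(1)[0]

    # Longest gap between consecutive commits, and the index where it ends.
    gap_days, gap_end = 0, 0
    for i in range(1, total):
        gap = (dates[i] - dates[i - 1]).days
        if gap > gap_days:
            gap_days, gap_end = gap, i

    handoff = False
    if gap_days > dormant_days:
        before = {a for a, _ in ordered[:gap_end]}
        after = Counter(a for a, _ in ordered[gap_end:])
        new_top, new_count = after.most_common(1)[0]
        share_after = new_count / sum(after.values())
        handoff = new_top not in before and share_after > 0.5

    active = {a for a, d in ordered if (as_of - d).days <= window_days}
    return {
        "days_since_last_commit": (as_of - dates[-1]).days,
        "active_maintainers": len(active),
        "top_author_share": round(top_count / total, 3),
        "longest_gap_days": gap_days,
        "handoff_after_dormancy": handoff,
    }


def risk_level(signals, dormant_days=365):
    """Coarse triage bucket from the signals (thresholds are assumptions)."""
    if signals["handoff_after_dormancy"] or \
            signals["days_since_last_commit"] > dormant_days:
        return "high"
    if signals["active_maintainers"] <= 1 or signals["top_author_share"] > 0.8:
        return "medium"
    return "low"


if __name__ == "__main__":
    for name, history in (("takeover", TAKEOVER_HISTORY),
                          ("healthy", HEALTHY_HISTORY)):
        sigs = maintenance_signals(history, AS_OF)
        print(name, risk_level(sigs), sigs)
```

The point of the handoff check is that recency alone looks fine for the takeover sample (last commit two weeks ago, two "active" maintainers); only comparing who was present before the dormant period against who dominates after it exposes the pattern. A production scan would draw the same records from the forge's API and add signals such as review participation and release signing, which this toy version omits.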
**Task 1**
Milestones:
1. Gather data on exemplar packages (both good and poor); identify a test set
2. Define the structure and components of the model
3. Create and document a REST API endpoint, available to IB, that emits a Narf MaintenanceTrustScore for a given container or set of packages
4. For a selected subset of IB containers, produce a brief comparative assessment between the current ORA score weighting for those containers and a re-balanced ORA score that puts greater weight on the "software maintenance" component
Deliverables:
* A brief report describing the derived trustworthiness model
Exit Criteria:
* Reports submitted to Iron Bank via Confluence for further comments and feedback
**Task 2**
Milestones:
1. Allocate and set up the necessary runtime environments within the IB test environment to host all Deputy and Ranger components and required data
2. Conduct the data ingest needed to bootstrap Ranger's databases
3. Define the environment and the set of containers to scan based on discussion with IB personnel
4. Analyze the results of the scans and calculate trustworthiness scores according to the model from Task 1; the analysis report should document any observed errors due to missing data or packages, timeouts, etc.
Deliverables:
* An experience report detailing the results of the conducted set of scans
* An instantiation of the Ranger/Deputy system within the IB test environment in an acceptable format (e.g., disk image or container(s))
Exit Criteria:
* Upload the experience report to the Platform One Confluence for feedback
**Task 3**
Milestones:
1. Implement a small set of additional queries from the existing backlog, including the necessary data ingest for both breadth (the full set of IB package dependencies) and depth (the full history of activity for each dependency)
2. New configuration UI for selecting subsets of queries and expressing weights on either a per-package or per-container basis
Deliverables:
* Add queries to the Ranger/Deputy codebase
* Implement queries in the Platform One test environment
Exit Criteria:
* Queries added to the Narf Ranger/Deputy GitHub codebase
* Demonstrate execution of the new queries on the test set of containers from Task 2
**Task 4**
Milestones:
1. Identify and wrap a subset of Ranger query results and analytics that can be supplied to Tidelift's API to enhance their SBOM and VEX information and reports
2. Conduct an operational summary of data findings over real-world data and share it with CDAO personnel for further study
3. Generate LLM-based summaries of Ranger reports on IB container trustworthiness and share them with CDAO personnel as an exemplar use case of AI/ML with IB as a data source
Deliverables:
* Brief experience report containing a log of data-sharing success with Tidelift's API
* A small set of generated and annotated reports from the basic LLM summarization agent, plus the code modifications needed to support this capability
Exit Criteria:
* Upload experience reports to the IB Confluence wiki
## Documents
* XZ analysis from Narf Industries: SocioTech Pattern Scan - Narf Industries LLC (1).pdf
* NARF-IB Q&A: Narf - Integration Q&A - DataOps Initial Thoughts.docx
* CI Integration Plan: Narf Onboarding \_ CI Integration Plan.pdf