pip install cognis-ewcorr
ewcorr scan . # → prioritized findings in secondsReal, reproducible output from the tool — runs offline:
$ ewcorr-emit --version
ewcorr 0.1.0$ ewcorr-emit --help
usage: ewcorr [-h] [--version] [--format {table,json}] {correlate} ...
Correlate passive EW/ELINT event logs into candidate emitter clusters
(defensive analysis / monitoring only).
positional arguments:
{correlate}
correlate cluster an observation log into emitters
options:
-h, --help show this help message and exit
--version show program's version number and exit
--format {table,json}
output format (default: table)Blocks above are real
ewcorroutput — reproduce them from a clone.
Sample result format (illustrative values — run on your own data for real findings):
{
"timestamp": "2023-02-16T14:30:00Z",
"platform": {
"type": "STIX",
"url": "https://example.com/stix",
"token": "my_stix_token"
},
"findings": [
{
"id": "1",
"name": "Suspicious DNS Query",
"description": "DNS query for suspicious domain",
"indicators": [
{
"type": "dns",
"value": "example.com"
}
]
},
{
"id": "2",
"name": "Malware Detection",
"description": "Detection of malware on system",
"indicators": [
{
"type": "file",
"value": "/path/to/malware.exe"
}
]
}
]
-
Install the CLI:
pipx install "git+https://github.com/cognis-digital/ewcorr.git" -
Correlate an observation log into distinct emitters (primary command). Pass a CSV path or
-for stdin:ewcorr correlate detections.csv cat detections.csv | ewcorr correlate - -
Tune the clustering — link detections within a time window, frequency tolerance, and bearing tolerance:
ewcorr correlate detections.csv \ --time-window 45 --freq-tol 0.25 --bearing-tol 3
-
Read the output — table by default, or JSON for downstream tools; drop sparse emitters with
--min-hits:ewcorr --format json correlate detections.csv --min-hits 3 > emitters.json -
Automate in a pipeline — count correlated emitters from a feed:
ewcorr --format json correlate feed.csv | jq 'length'
- Why ewcorr? · Features · Quick start · Example · Architecture · AI stack · How it compares · Integrations · Install anywhere · Related · Contributing
Correlate electronic-warfare event logs by time/frequency/bearing to cluster emitters. — without standing up heavyweight infrastructure.
ewcorr is single-purpose, scriptable, and self-hostable: point it at a target, get prioritized results in the format your workflow already speaks (table · JSON · SARIF), gate CI on it, and let agents drive it over MCP.
- ✅ Parse Observations
- ✅ Correlate
- ✅ Summarize
- ✅ Runs on Linux/macOS/Windows · Docker · devcontainer
- ✅ Ports in Python, JavaScript, Go, and Rust (
ports/)
pip install cognis-ewcorr
ewcorr --version
ewcorr scan . # scan current project
ewcorr scan . --format json # machine-readable
ewcorr scan . --fail-on high # CI gate (non-zero exit)$ ewcorr scan .
[HIGH ] EWC-001 example finding (./src/app.py)
[MEDIUM ] EWC-002 another signal (./config.yaml)
2 findings · risk score 5 · 38ms
flowchart LR
IN[input] --> P[ewcorr<br/>analyze + score]
P --> OUT[report]
ewcorr is interoperable with every popular way of using AI:
- MCP server —
ewcorr mcp(Claude Desktop, Cursor, Cognis.Studio, uncensored-fleet) - OpenAI-compatible / JSON — pipe
ewcorr scan . --format jsoninto any agent or LLM - LangChain · CrewAI · AutoGen · LlamaIndex — wrap the CLI/JSON as a tool in one line
- CI / scripts — exit codes + SARIF for non-AI pipelines
| Cognis ewcorr | typical tools | |
|---|---|---|
| Self-hostable, no account | ✅ | varies |
| Single command, zero config | ✅ | |
| JSON + SARIF for CI | ✅ | varies |
| MCP-native (AI agents) | ✅ | ❌ |
| Polyglot ports (JS/Go/Rust) | ✅ | ❌ |
| Open license | ✅ COCL | varies |
Pipes into your stack: SARIF for code-scanning, JSON for anything, an MCP server (ewcorr mcp) for AI agents, and a webhook forwarder for SIEM/Slack/Jira. See docs/INTEGRATIONS.md.
pip install "git+https://github.com/cognis-digital/ewcorr.git" # pip (works today)
pipx install "git+https://github.com/cognis-digital/ewcorr.git" # isolated CLI
uv tool install "git+https://github.com/cognis-digital/ewcorr.git" # uv
pip install cognis-ewcorr # PyPI (when published)
docker run --rm ghcr.io/cognis-digital/ewcorr:latest --help # Docker
brew install cognis-digital/tap/ewcorr # Homebrew tap
curl -fsSL https://raw.githubusercontent.com/cognis-digital/ewcorr/main/install.sh | sh| Linux | macOS | Windows | Docker | Cloud |
|---|---|---|---|---|
scripts/setup-linux.sh |
scripts/setup-macos.sh |
scripts/setup-windows.ps1 |
docker run ghcr.io/cognis-digital/ewcorr |
DEPLOY.md (AWS/Azure/GCP/k8s) |
Explore the suite → 🗂️ all 170+ tools · ⭐ awesome-cognis · 🔗 cognis-sources · 🤖 uncensored-fleet · 🧠 engram
PRs, new rules, and demo scenarios are welcome under the collaboration-pull model — see CONTRIBUTING.md and SECURITY.md.
{} composes with the 300+ tool Cognis suite — JSON in/out and a shared
OpenAI-compatible /v1 backbone. See INTEROP.md for the
suite map, composition patterns, and reference stacks.
Source-available under the Cognis Open Collaboration License (COCL) v1.0 — free for personal, internal-evaluation, research, and educational use; commercial / production use requires a license (licensing@cognis.digital). See LICENSE.